18 files changed, 1030 insertions, 850 deletions
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml index 7e1f40a1a..0b44bc9ee 100644 --- a/pki/base/ca/shared/conf/server.xml +++ b/pki/base/ca/shared/conf/server.xml @@ -83,25 +83,18 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) IP address of the remote client. --> - <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> - - - +<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> +[PKI_UNSECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> - <!-- Shared Ports: Unsecure Port --> - [PKI_OPEN_SHARED_PORTS_SERVER_COMMENT] - <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true" /> - [PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT] -<!-- Port Separation: Agent Secure Port --> -<!-- OR --> -<!-- Shared Ports: Agent, EE, and Admin Secure Port --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> +[PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" +<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
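Review bot: The renamed unsecure Connector still carries a literal `redirectPort="8443"` while the secure port of the same instance is the `[PKI_SECURE_PORT]` placeholder, so an instance installed on any other secure port will have Tomcat's CONFIDENTIAL-transport redirects sent to a port nothing listens on. The literal predates this commit, but the line is rewritten here, so it is the natural place to fix it: `enableLookups="false" redirectPort="[PKI_SECURE_PORT]" acceptCount="100"`. A short comment above the Connector saying that `redirectPort` must be the secure port of this instance would stop the value being copied verbatim again.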
@@ -117,6 +110,40 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> <!-- DO NOT REMOVE - End define PKI secure port --> +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> 
+[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> 
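Review bot: Both new Connectors enable SSLv2 (`sslOptions="ssl2=true,ssl3=true,tls=true"`) and opt in to 56-bit DES (`+SSL3_RSA_WITH_DES_CBC_SHA`) and RC4 in their ssl3Ciphers/tls3Ciphers lists, and the Admin port in particular is the privileged management interface. The values look copied from the existing secure Connector just above, so this is not a regression, but new listeners are the moment to tighten them: `sslOptions="ssl2=false,ssl3=true,tls=true"` and `-SSL3_RSA_WITH_DES_CBC_SHA` in both lists. The Admin and EE Connectors are otherwise identical across ~20 lines each; a comment stating that their cipher lists must be kept in step with the Agent Connector would reduce the chance the three drift apart. Also note `clientAuth="false"` on the Admin Connector; if the Agent Connector above requires a client certificate (its clientAuth attribute falls outside this hunk), decide deliberately whether the admin interface should not get the same treatment.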
@@ -408,88 +435,4 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) </Service> -<!-- Port Separation: Admin Secure Port --> -<!-- Port Separation: Unsecure Port --> -<!-- Port Separation: EE Secure Port --> -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] - -<Service name="CatalinaAdmin"> - -<Connector port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - 
<Engine name="CatalinaAdmin" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.admin" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> - - -<Service name="CatalinaEE"> - -<Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - -<Connector port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - <Engine name="CatalinaEE" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.ee" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] </Server> diff --git a/pki/base/ca/shared/etc/init.d/httpd b/pki/base/ca/shared/etc/init.d/httpd index dddcc9374..566ede955 100755 --- a/pki/base/ca/shared/etc/init.d/httpd +++ b/pki/base/ca/shared/etc/init.d/httpd @@ -296,7 +296,7 @@ get_pki_secure_port() # establish well-known strings begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector port=\"" + connector_statement="<Connector name=\"" # initialize looping variables ssl_comment_found=0 
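Review bot: `connector_statement="<Connector name=\""` makes this parser depend on `name` being the first attribute written after `<Connector `, and on the element opening on a single line; attribute order carries no meaning in XML, so a hand-edited server.xml that writes `port` first (the form this commit removes) silently fails to find the secure port. Worth a comment next to the assignment, e.g. `# NOTE: this is a textual match, not an XML parse - server.xml MUST open each Connector as <Connector name="..." port="..." on one line`, and a matching comment in server.xml beside the DO NOT REMOVE markers. The enclosing get_pki_secure_port() function begins before this hunk.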
@@ -331,10 +331,15 @@ get_pki_secure_port()
 if [ "$head" == "$connector_statement" ] ; then
 # once the Connector statement has been found,
 tail=`echo $line | cut -b18-`
- # extract the numeric port information
- port=`echo $tail | cut -d\" -f1`
- PKI_SECURE_PORT=$port
- return 0
+ # extract the name of the connector
+ name=`echo $tail | cut -d\" -f1`
+ if [ "$name" == "Agent" ] ||
+ [ "$name" == "Secure" ] ; then
+ # extract the numeric port information
+ port=`echo $tail | cut -d\" -f3`
+ PKI_SECURE_PORT=$port
+ return 0
+ fi
 fi
 fi
 done
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
index d902b5f30..22408756d 100644
--- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
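Review bot: The port is now taken with `cut -d\" -f3`, i.e. the third double-quote-delimited field after `name="`, which only holds if `port` is the very next attribute; `$line` is also expanded unquoted, so whitespace inside the attribute list is rewritten before the cut. A match on the attribute itself is order-independent and equally cheap: `port=$(echo "$tail" | sed -n 's/.*port="\([0-9][0-9]*\)".*/\1/p')`. It would also be safer to log (or `return 1`) when a Connector between the DO NOT REMOVE markers carries a name other than Agent or Secure, since the code just keeps scanning and the caller may be left with PKI_SECURE_PORT unset; the rest of the loop and function lies outside this hunk.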
@@ -3,6 +3,42 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> <web-app> + <filter> + <filter-name>PassThroughRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.PassThroughRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>AgentRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_AGENT_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>AdminRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>EERequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> + <init-param> + <param-name>http_port</param-name> + <param-value>[PKI_UNSECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
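Review bot: The `https_port`/`http_port` init-params are a second copy of the port values in conf/server.xml, and the filters are declared unconditionally even though (per the later hunk) they are only mapped in port-separation mode; if an administrator changes a Connector port in server.xml and not here, AgentRequestFilter and AdminRequestFilter will reject every request on the new port with a 404. A comment on each `<init-param>` such as `<!-- MUST match the port of the corresponding Connector in conf/server.xml -->` at least makes the coupling visible. Having the filters learn the port from the running Connector instead would remove the duplication, but that is a larger change than this descriptor.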
@@ -1953,6 +1989,58 @@ <param-value> /agent/ca/doRevoke </param-value> </init-param> </servlet> +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <filter-mapping> + <filter-name> PassThroughRequestFilter </filter-name> + <url-pattern> /agent/ca/updateDomainXML </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/ca/getOCSPInfo </url-pattern> + <url-pattern> /agent/ca/updateDir </url-pattern> + <url-pattern> /agent/ca/profileSelect </url-pattern> + <url-pattern> /agent/ca/monitor </url-pattern> + <url-pattern> /agent/ca/reasonToRevoke </url-pattern> + <url-pattern> /agent/ca/listRequests.html </url-pattern> + <url-pattern> /agent/ca/searchReqs </url-pattern> + <url-pattern> /agent/ca/profileApprove </url-pattern> + <url-pattern> /agent/ca/updateDir.html </url-pattern> + <url-pattern> /agent/ca/profileReview </url-pattern> + <url-pattern> /agent/ca/srchCerts </url-pattern> + <url-pattern> /agent/header </url-pattern> + <url-pattern> /agent/ca/listCerts </url-pattern> + <url-pattern> /agent/ca/queryReq </url-pattern> + <url-pattern> /agent/ca/processReq </url-pattern> + <url-pattern> /agent/ca/srchCert.html </url-pattern> + <url-pattern> /agent/ca/profileList </url-pattern> + <url-pattern> /agent/ca/displayBySerial </url-pattern> + <url-pattern> /agent/ca/srchRevokeCert.html </url-pattern> + <url-pattern> /agent/ca/doUnrevoke </url-pattern> + <url-pattern> /agent/ca/doRevoke </url-pattern> + <url-pattern> /agent/ca/profileProcess </url-pattern> + <url-pattern> /agent/ca/processCertReq </url-pattern> + <url-pattern> /agent/ca/bulkissuance </url-pattern> + <url-pattern> /agent/ca/queryBySerial.html </url-pattern> + <url-pattern> /agent/ca/updateCRL </url-pattern> + <url-pattern> /agent/ca/displayCRL </url-pattern> + <url-pattern> /agent/ca/getInfo </url-pattern> + <url-pattern> /agent/ca/getStats </url-pattern> + <url-pattern> /agent/bulkissuance </url-pattern> + </filter-mapping> + + <filter-mapping> + 
<filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> + </filter-mapping> +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> caacl </servlet-name> <url-pattern> /acl </url-pattern> @@ -2033,12 +2121,10 @@ <url-pattern> /registry </url-pattern> </servlet-mapping> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> caauths </servlet-name> <url-pattern> /auths </url-pattern> </servlet-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> castart </servlet-name> diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java new file mode 100644 index 000000000..1a94cb295 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java 
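Review bot: AgentRequestFilter is mapped to an explicit list of about thirty agent servlets because `/agent/ca/updateDomainXML` must be exempt, whereas AdminRequestFilter and EERequestFilter use `/admin/*` and `/ee/*`; the effect is that any agent servlet added to this web.xml later, or simply missed in the list, is served on every port with no port check at all. Consider mapping AgentRequestFilter to `/agent/*` and handling the exemption inside the filter through an `exclude_paths` init-param, so the default for a new agent URL is to be protected. Independently of the mapping, a `<!-- these filters only enforce which port a URL is served on; every servlet still performs its own authentication and ACL checks -->` comment above the block would keep readers from mistaking the port separation for access control. The exemption of updateDomainXML is presumably because other subsystems call it on whatever port they have during installation; a one-line comment giving that reason would help.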
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class AdminRequestFilter implements Filter
+{
+ private static final String HTTPS_SCHEME = "https";
+ private static final String HTTPS_PORT = "https_port";
+ private static final String HTTPS_ROLE = "Admin";
+
+ private FilterConfig config;
+
+ /* Create a new AdminRequestFilter */
+ public AdminRequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ this.config = filterConfig;
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ String filterName = getClass().getName();
+
+ String scheme = null;
+ int port = 0;
+
+ String request_port = null;
+ String param_https_port = null;
+ String msg = null;
+
+ if( request instanceof HttpServletRequest ) {
+ HttpServletResponse resp = ( HttpServletResponse ) response;
+
+ // RFC 1738: verify that scheme is "https"
+ scheme = request.getScheme();
+ if( ! scheme.equals( HTTPS_SCHEME ) ) {
+ msg = "The scheme MUST be '" + HTTPS_SCHEME +
+ "', NOT '" + scheme + "'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+ return;
+ }
+
+ // Always obtain an "https" port from request
+ port = request.getServerPort();
+ request_port = Integer.toString( port );
+
+ // Always obtain the "https" port passed in as a parameter
+ param_https_port = config.getInitParameter( HTTPS_PORT );
+ if( param_https_port == null ) {
+ msg = "The <param-name> '" + HTTPS_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // Compare the request and param "https" ports
+ if( ! param_https_port.equals( request_port ) ) {
+ msg = "Use HTTPS port '" + param_https_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTPS_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ }
+
+ chain.doFilter( request, response );
+ }
+
+ public void destroy()
+ {
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
new file mode 100644
index 000000000..542ca4232
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
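Review bot: The port comparison uses `request.getServerPort()`, which in Tomcat is filled from the client's `Host` header when that header carries an explicit port; if that holds for the Tomcat version in use (please confirm), a client connected to the Agent or EE Connector passes this check simply by sending `Host: ca.example.com:<admin port>`, and the port separation becomes advisory. The Connector a request actually arrived on is `request.getLocalPort()` (Servlet 2.4 API, which Tomcat 5.x+ provides even under a 2.3 web.xml), so the check should be `request_port = Integer.toString( request.getLocalPort() );`, and `request.isSecure()` is a more direct test than comparing `getScheme()` to a string. Also, 401 (`SC_UNAUTHORIZED`) for a wrong scheme is misleading because no credential would fix it; `SC_FORBIDDEN` (or 404 as in the port case, to avoid confirming the admin interface exists) fits better, and `param_https_port` should be read once in init() rather than on every request.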
@@ -0,0 +1,101 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2009 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.filter; + +import javax.servlet.http.*; +import javax.servlet.*; +import com.netscape.certsrv.apps.*; + +public class AgentRequestFilter implements Filter +{ + private static final String HTTPS_SCHEME = "https"; + private static final String HTTPS_PORT = "https_port"; + private static final String HTTPS_ROLE = "Agent"; + + private FilterConfig config; + + /* Create a new AgentRequestFilter */ + public AgentRequestFilter() {} + + public void init( FilterConfig filterConfig ) + throws ServletException + { + this.config = filterConfig; + } + + public void doFilter( ServletRequest request, + ServletResponse response, + FilterChain chain ) + throws java.io.IOException, + ServletException + { + String filterName = getClass().getName(); + + String scheme = null; + int port = 0; + + String request_port = null; + String param_https_port = null; + String msg = null; + + if( request instanceof HttpServletRequest ) { + HttpServletResponse resp = ( HttpServletResponse ) response; + + // RFC 1738: verify that scheme is "https" + scheme = request.getScheme(); + if( ! 
scheme.equals( HTTPS_SCHEME ) ) { + msg = "The scheme MUST be '" + HTTPS_SCHEME + + "', NOT '" + scheme + "'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg ); + return; + } + + // Always obtain an "https" port from request + port = request.getServerPort(); + request_port = Integer.toString( port ); + + // Always obtain the "https" port passed in as a parameter + param_https_port = config.getInitParameter( HTTPS_PORT ); + if( param_https_port == null ) { + msg = "The <param-name> '" + HTTPS_PORT + + "' </param-name> " + "MUST be specified in 'web.xml'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg ); + return; + } + + // Compare the request and param "https" ports + if( ! param_https_port.equals( request_port ) ) { + msg = "Use HTTPS port '" + param_https_port + + "' instead of '" + request_port + + "' when performing " + HTTPS_ROLE + " tasks!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg ); + return; + } + } + + chain.doFilter( request, response ); + } + + public void destroy() + { + } +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java new file mode 100644 index 000000000..1f93e080f --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java 
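Review bot: This class is AdminRequestFilter byte-for-byte apart from `HTTPS_ROLE = "Agent"`, and EERequestFilter repeats the same body a third time; a single filter taking `role` as an init-param (or an abstract base holding the scheme/port check with three trivial subclasses) means the check, including any fix to how the port is obtained, lives in one place. The same caveat as for AdminRequestFilter applies here: `request.getServerPort()` may reflect the Host header rather than the listening Connector, so `request.getLocalPort()` is the value to compare against `https_port`. The `Use HTTPS port '...' instead of '...'` text is sent to the client through sendError and so reveals the agent port number to whoever probes the wrong port; probably acceptable, but make it a deliberate decision and say so in a comment.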
@@ -0,0 +1,131 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2009 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.filter; + +import javax.servlet.http.*; +import javax.servlet.*; +import com.netscape.certsrv.apps.*; + +public class EERequestFilter implements Filter +{ + private static final String HTTP_SCHEME = "http"; + private static final String HTTP_PORT = "http_port"; + private static final String HTTP_ROLE = "EE"; + private static final String HTTPS_SCHEME = "https"; + private static final String HTTPS_PORT = "https_port"; + private static final String HTTPS_ROLE = "EE"; + + private FilterConfig config; + + /* Create a new EERequestFilter */ + public EERequestFilter() {} + + public void init( FilterConfig filterConfig ) + throws ServletException + { + this.config = filterConfig; + } + + public void doFilter( ServletRequest request, + ServletResponse response, + FilterChain chain ) + throws java.io.IOException, + ServletException + { + String filterName = getClass().getName(); + + String scheme = null; + int port = 0; + + String request_port = null; + String param_http_port = null; + String param_https_port = null; + String msg = null; + + if( request instanceof HttpServletRequest ) { + HttpServletResponse resp = ( HttpServletResponse 
) response; + + // RFC 1738: verify that scheme is either "http" or "https" + scheme = request.getScheme(); + if( ( ! scheme.equals( HTTP_SCHEME ) ) && + ( ! scheme.equals( HTTPS_SCHEME ) ) ) { + msg = "The scheme MUST be either '" + HTTP_SCHEME + + "' or '" + HTTPS_SCHEME + + "', NOT '" + scheme + "'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg ); + return; + } + + // Always obtain either an "http" or an "https" port from request + port = request.getServerPort(); + request_port = Integer.toString( port ); + + // Always obtain the "http" port passed in as a parameter + param_http_port = config.getInitParameter( HTTP_PORT ); + if( param_http_port == null ) { + msg = "The <param-name> '" + HTTP_PORT + + "' </param-name> " + "MUST be specified in 'web.xml'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg ); + return; + } + + // Always obtain the "https" port passed in as a parameter + param_https_port = config.getInitParameter( HTTPS_PORT ); + if( param_https_port == null ) { + msg = "The <param-name> '" + HTTPS_PORT + + "' </param-name> " + "MUST be specified in 'web.xml'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg ); + return; + } + + // If the scheme is "http", compare + // the request and param "http" ports; + // otherwise, if the scheme is "https", compare + // the request and param "https" ports + if( scheme.equals( HTTP_SCHEME ) ) { + if( ! param_http_port.equals( request_port ) ) { + msg = "Use HTTP port '" + param_http_port + + "' instead of '" + request_port + + "' when performing " + HTTP_ROLE + " tasks!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg ); + return; + } + } else if( scheme.equals( HTTPS_SCHEME ) ) { + if( ! 
param_https_port.equals( request_port ) ) { + msg = "Use HTTPS port '" + param_https_port + + "' instead of '" + request_port + + "' when performing " + HTTPS_ROLE + " tasks!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg ); + return; + } + } + } + + chain.doFilter( request, response ); + } + + public void destroy() + { + } +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java new file mode 100644 index 000000000..a47888442 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java 
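Review bot: Both init-params are looked up on every request and a missing one is reported to the client as a 501 at request time, although the misconfiguration is static and should stop deployment; moving the two `getInitParameter` calls into init() and throwing ServletException there also removes two branches from doFilter. As with the other two filters, prefer `request.getLocalPort()` and `request.isSecure()` over `getServerPort()` and `getScheme()` so the comparison reflects the Connector that accepted the connection rather than the client-supplied Host header (confirm against the Tomcat in use). Sketch of the init() change:
```java
    private String param_http_port;
    private String param_https_port;

    public void init( FilterConfig filterConfig )
        throws ServletException
    {
        this.config = filterConfig;
        // Misconfiguration is static: refuse to deploy instead of answering 501 per request
        param_http_port  = filterConfig.getInitParameter( HTTP_PORT );
        param_https_port = filterConfig.getInitParameter( HTTPS_PORT );
        if( param_http_port == null || param_https_port == null ) {
            throw new ServletException( getClass().getName() + ": '" + HTTP_PORT
                + "' and '" + HTTPS_PORT + "' MUST be specified in 'web.xml'!" );
        }
    }
    // … unchanged: doFilter scheme check and per-scheme port comparison, minus the two null checks …
```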
@@ -0,0 +1,78 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class PassThroughRequestFilter implements Filter
+{
+ /* Create a new PassThroughRequestFilter */
+ public PassThroughRequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ // Simply pass-through this request without filtering it . . .
+ //
+ // NOTE: This "do-nothing" filter is ONLY provided since
+ // individual servlets can not be "excluded" from within
+ // the <url-pattern></url-pattern> parameters, thus
+ // disallowing the use of a '*' wildcard parameter
+ // on certain filters.
+ //
+ // Therefore, since servlets MUST be specified individually
+ // by such filters, this pass-through filter was created to
+ // contain those servlets which would otherwise simply be
+ // "excluded". 
Although this could also be accomplished + // by merely performing "exclusion by lack of inclusion", + // the existance of a pass-through filter allows the + // EXPLICIT identification of servlets which MUST NOT + // have any filters run against them. + // + + String filterName = getClass().getName(); + + String servlet = null; + String msg = null; + + if( request instanceof HttpServletRequest ) { + HttpServletRequest req = ( HttpServletRequest ) request; + + servlet = req.getServletPath(); + msg = "Excluding filtering on servlet called '" + servlet + "'!"; + CMS.debug( filterName + ": " + msg ); + } + + chain.doFilter( request, response ); + } + + public void destroy() + { + } +} + diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java index 05309f379..f99cedb58 100644 --- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java @@ -262,7 +262,7 @@ public class CMSEngine implements ICMSEngine { if ((state == 1) && (sd.equals("existing"))) { mSDTimer.cancel(); } - + // initialize the PasswordReader and PasswordWriter String pwdPath = config.getString("passwordFile"); String pwdClass = config.getString("passwordClass"); @@ -282,7 +282,7 @@ public class CMSEngine implements ICMSEngine { if (tsClass != null) { try { mTimeSource = (ITimeSource) - Class.forName(tsClass).newInstance(); + Class.forName(tsClass).newInstance(); } catch (Exception e) { // nothing to do } @@ -293,7 +293,7 @@ public class CMSEngine implements ICMSEngine { } instanceDir = config.getString("instanceRoot"); - + loadDynSubsystems(); java.security.Security.addProvider( 
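Review bot: The class comment explains why the filter exists but not the consequence of mapping a URL to it — such a servlet is served on every Connector, including the unsecure one, and must therefore carry its own complete authentication; a sentence in the NOTE block such as `// Any servlet mapped to this filter is reachable on ALL ports; it MUST perform its own authentication and ACL checks.` is the most important line missing here. `CMS.debug` on every pass-through request is also chatty for a filter that by design does nothing; consider dropping it, since the servlet path is already recorded by the AccessLogValve. The CMSEngine hunks that follow in this line are whitespace-only.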
@@ -453,7 +453,7 @@ public class CMSEngine implements ICMSEngine {
 parser.parse(path);
 NodeList nodes = parser.getDocument().getElementsByTagName("Connector");
 String parentName="";
- boolean secure=false;
+ String name="";
 String port="";
 for (int i=0; i<nodes.getLength(); i++) {
 Element n = (Element)nodes.item(i);
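Review bot: Identification of the secure connector now rests on the free-form `name` attribute instead of the intrinsic presence of `sslProtocol`, so a Connector that has `sslProtocol` but a misspelt or missing name will be silently misclassified by whatever consumes `name` (that code is in the next hunk, which is cut off here). Keep the cheap intrinsic check as a cross-check: `boolean secure = n.hasAttribute("sslProtocol");` and log a warning when it disagrees with the name (`Unsecure` with sslProtocol, or `Agent`/`Admin`/`EE`/`Secure` without it), so a hand-edited server.xml fails loudly. The enclosing method begins before this hunk.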
@@ -463,73 +463,76 @@ public class CMSEngine implements ICMSEngine { if(p != null) { parentName = p.getAttribute("name"); } - secure = n.hasAttribute("sslProtocol"); + name = n.getAttribute("name"); port = n.getAttribute("port"); // The "server.xml" file is parsed from top-to-bottom, and // supports BOTH "Port Separation" (the new default method) // as well as "Shared Ports" (the old legacy method). Since // both methods must be supported, the file structure MUST - // conform to the following format: - // - // <Catalina> - // Shared Ports: Unsecure Port + // conform to ONE AND ONLY ONE of the following formats: // - // Port Separation: Agent Secure Port - // OR - // Shared Ports: Agent, EE, and Admin Secure Port - // </Catalina> + // Port Separation: // - // <CatalinaAdmin> - // Port Separation: Admin Secure Port - // </CatalinaAdmin> + // <Catalina> + // ... + // <!-- Port Separation: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Port Separation: Agent Secure Port --> + // <Connector name="Agent" . . . + // ... + // <!-- Port Separation: Admin Secure Port --> + // <Connector name="Admin" . . . + // ... + // <!-- Port Separation: EE Secure Port --> + // <Connector name="EE" . . . + // ... + // </Catalina> // - // <CatalinaEE> - // Port Separation: Unsecure Port // - // Port Separation: EE Secure Port - // </CatalinaEE> + // Shared Ports: // - // NOTE: If the "Port Separation" method is being used, - // then the "Unsecure Port" specified in the - // "Catalina" section section will be commented out on - // an instance-by-instance basis. - // - // Similarly, if the "Shared Ports" method is being - // used, the entire "CatalinaAdmin" and "CatalinaEE" - // sections will be commented out on an - // instance-by-instance basis. + // <Catalina> + // ... + // <!-- Shared Ports: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Shared Ports: Agent, EE, and Admin Secure Port --> + // <Connector name="Secure" . . . + // ... 
+ // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // </Catalina> // if ( parentName.equals("Catalina")) { - - if (secure) { - mServerCertNickname = n.getAttribute("serverCert"); - // Port Separation: Agent Secure Port + if( name.equals( "Unsecure" ) ) { + // Port Separation: Unsecure Port // OR - // Shared Ports: Agent, EE, and Admin Secure Port + // Shared Ports: Unsecure Port + info[EE_NON_SSL][PORT] = port; + } else if( name.equals( "Agent" ) ) { + // Port Separation: Agent Secure Port + info[AGENT][PORT] = port; + } else if( name.equals( "Admin" ) ) { + // Port Separation: Admin Secure Port + info[ADMIN][PORT] = port; + } else if( name.equals( "EE" ) ) { + // Port Separation: EE Secure Port + info[EE_SSL][PORT] = port; + } else if( name.equals( "Secure" ) ) { + // Shared Ports: Agent, EE, and Admin Secure Port info[AGENT][PORT] = port; info[ADMIN][PORT] = port; info[EE_SSL][PORT] = port; - } else { - // Shared Ports: Unsecure Port - info[EE_NON_SSL][PORT] = port; } } - if( parentName.equals("CatalinaEE")) { - if (secure) { - // Port Separation: EE Secure Port - // (overwrites value obtained from Catalina section) - info[EE_SSL][PORT] = port; - } else { - // Port Separation: Unsecure Port - info[EE_NON_SSL][PORT] = port; - } - } - if( parentName.equals("CatalinaAdmin")) { - // Port Separation: Admin Secure Port - // (overwrites value obtained from Catalina section) - info[ADMIN][PORT] = port; - } } } catch (Exception e) { @@ -787,7 +790,7 @@ public class CMSEngine implements ICMSEngine { ISubsystem ss = null; try { - ss = (ISubsystem) Class.forName(classname).newInstance(); + ss = (ISubsystem) Class.forName(classname).newInstance(); } catch (InstantiationException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_LOAD_FAILED_1", id, e.toString())); diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index ed0a8371f..0b44bc9ee 100644 
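Review bot: The rewritten `Catalina` branch no longer assigns `mServerCertNickname` (the old secure branch did `mServerCertNickname = n.getAttribute("serverCert")`) and nothing else in the hunk sets it, so if any caller still reads that field it now keeps whatever default it had; the server.xml hunks switch the connectors to `serverCertNickFile`, so presumably the nickname is read from that file elsewhere, but that should be confirmed rather than left implicit. A connector whose `name` matches none of the five recognised values (including the `Unused` placeholder the comment block describes) is silently skipped, so a typo in a hand-edited server.xml leaves an `info[...][PORT]` entry empty with no diagnostic; a trailing `} else { CMS.debug("CMSEngine: ignoring Connector named '" + name + "'"); }` (assuming `CMS.debug` is available in this class as it is in the filter above) would make that visible in the log. The enclosing method starts before the hunk and its `catch` continues after it.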
--- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -83,25 +83,18 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) IP address of the remote client. --> - <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> - - - +<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> +[PKI_UNSECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> - <!-- Shared Ports: Unsecure Port --> - [PKI_OPEN_SHARED_PORTS_SERVER_COMMENT] - <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true" /> - [PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT] -<!-- Port Separation: Agent Secure Port --> -<!-- OR --> -<!-- Shared Ports: Agent, EE, and Admin Secure Port --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> +[PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" +<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
@@ -117,6 +110,40 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> <!-- DO NOT REMOVE - End define PKI secure port --> +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> 
+[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> 
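Review bot: The two connectors added here for the Admin and EE listeners enable SSLv2 and SSLv3 (`sslOptions="ssl2=true,ssl3=true,tls=true"`) and keep single-DES and RC4 suites on (`+SSL3_RSA_WITH_DES_CBC_SHA`, `+SSL3_RSA_WITH_RC4_128_SHA`); the values are copied from the removed CatalinaAdmin/CatalinaEE services, but since the connector blocks are being rewritten anyway this is the moment to set `sslOptions="ssl2=false,ssl3=false,tls=true"` and drop the DES suite on the new listeners unless a known client still needs them. Separately, `[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]` puts two slots back to back: if in shared-ports mode the first expands to `<!--` while the second still expands to its `<!-- Port Separation: ... -->` text, the inner `-->` closes the outer comment early and `--` inside a comment is not well-formed XML, so pkicreate must blank one of them (the `Unused` sketch in the CMSEngine comment suggests it does; worth confirming against the slot assignments, which are outside this diff). Both points apply equally to the EE connector in this hunk and to the ocsp server.xml hunk at @@ -117,6 +110,40 @@.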
@@ -408,88 +435,4 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) </Service> -<!-- Port Separation: Admin Secure Port --> -<!-- Port Separation: Unsecure Port --> -<!-- Port Separation: EE Secure Port --> -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] - -<Service name="CatalinaAdmin"> - -<Connector port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - 
<Engine name="CatalinaAdmin" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.admin" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> - - -<Service name="CatalinaEE"> - -<Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - -<Connector port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - <Engine name="CatalinaEE" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.ee" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] </Server> diff --git a/pki/base/kra/shared/etc/init.d/httpd b/pki/base/kra/shared/etc/init.d/httpd index 1cda47903..7fa60e661 100755 --- a/pki/base/kra/shared/etc/init.d/httpd +++ b/pki/base/kra/shared/etc/init.d/httpd @@ -296,7 +296,7 @@ get_pki_secure_port() # establish well-known strings begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector port=\"" + connector_statement="<Connector name=\"" # initialize looping variables ssl_comment_found=0 
@@ -331,10 +331,15 @@ get_pki_secure_port()
 if [ "$head" == "$connector_statement" ] ; then
 # once the Connector statement has been found,
 tail=`echo $line | cut -b18-`
-# extract the numeric port information
-port=`echo $tail | cut -d\" -f1`
-PKI_SECURE_PORT=$port
-return 0
+# extract the name of the connector
+name=`echo $tail | cut -d\" -f1`
+if [ "$name" == "Agent" ] ||
+[ "$name" == "Secure" ] ; then
+# extract the numeric port information
+port=`echo $tail | cut -d\" -f3`
+PKI_SECURE_PORT=$port
+return 0
+fi
 fi
 fi
 done
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index d19383465..109b796c4 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
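Review bot: The new match returns a port only for a connector named `Agent` or `Secure`; any other name between the DO NOT REMOVE markers (including the `Unused` name pkicreate defines, or a hand-edited one) falls through with no message, and what the caller then receives depends on the loop's fallback outside this hunk. An `else` branch such as `echo "get_pki_secure_port: unexpected Connector name '$name'" >&2` would make a misnamed connector diagnosable at start-up. The extraction also hard-codes the attribute order written by the new template — `cut -d\" -f3` is the port only when `port="..."` immediately follows `name="..."` on the same line — so a comment stating that dependency, `# assumes the Connector line is written as name="..." port="..."`, belongs next to it. The ocsp init script hunk at @@ -331,10 +331,15 @@ is identical; get_pki_secure_port begins before the hunk.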
@@ -3,6 +3,42 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> <web-app> + <filter> + <filter-name>PassThroughRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.PassThroughRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>AgentRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_AGENT_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>AdminRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>EERequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> + <init-param> + <param-name>http_port</param-name> + <param-value>[PKI_UNSECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
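Review bot: `PassThroughRequestFilter` is declared here but no `<filter-mapping>` for it appears in this file's hunks (the mapping hunk later in the file maps only Agent, Admin and EE), so unless a mapping exists in an unchanged part of the file the filter is never invoked and the explicit "must not be filtered" marking its Java comment describes never happens; either map it to the servlets that are meant to bypass the port filters or drop the declaration. The `https_port`/`http_port` init-params are the only place these filters learn which port they enforce, so a one-line comment per `<filter>` would help whoever edits the generated descriptor, e.g. `<!-- https_port: presumably the port this filter checks incoming requests against; confirm against AgentRequestFilter -->`. The ocsp web.xml hunk at @@ -7,6 +7,42 @@ has the same unmapped declaration.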
@@ -812,6 +848,24 @@ <param-value> ee </param-value> </init-param> </servlet> +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/* </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> + </filter-mapping> +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> kraserver </servlet-name> <url-pattern> /server </url-pattern> @@ -848,12 +902,10 @@ <url-pattern> /acl </url-pattern> </servlet-mapping> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> kraauths </servlet-name> <url-pattern> /auths </url-pattern> </servlet-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> krajobsScheduler </servlet-name> diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml index ed0a8371f..0b44bc9ee 100644 --- a/pki/base/ocsp/shared/conf/server.xml +++ b/pki/base/ocsp/shared/conf/server.xml 
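Review bot: The AdminRequestFilter `<filter-mapping>` carries two `<url-pattern>` children, but the DTD this file declares (Web Application 2.3) permits exactly one `url-pattern` or `servlet-name` per `filter-mapping` (several patterns per mapping only arrived with Servlet 2.5), so a validating container would reject the descriptor even if Tomcat with validation off happens to accept it; split it into two mappings as below. Note also that these mappings sit between `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` and `[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]`, so in shared-ports mode none of the request filters is applied, while the following hunk removes the same guards from the `kraauths` `/auths` servlet mapping, making `/auths` reachable in both modes — presumably intended, since the filters only matter when the ports differ, but it changes what the shared-ports layout exposes and deserves a sentence in the commit message. The ocsp web.xml hunks at @@ -453,6 +489,24 @@ and @@ -482,14 +536,12 @@ have the same two issues.
```xml
    <filter-mapping>
        <filter-name> AdminRequestFilter </filter-name>
        <url-pattern> /admin/* </url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name> AdminRequestFilter </filter-name>
        <url-pattern> /auths </url-pattern>
    </filter-mapping>
```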
@@ -83,25 +83,18 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) IP address of the remote client. --> - <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> - - - +<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> +[PKI_UNSECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> - <!-- Shared Ports: Unsecure Port --> - [PKI_OPEN_SHARED_PORTS_SERVER_COMMENT] - <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true" /> - [PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT] -<!-- Port Separation: Agent Secure Port --> -<!-- OR --> -<!-- Shared Ports: Agent, EE, and Admin Secure Port --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> +[PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" +<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
@@ -117,6 +110,40 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> <!-- DO NOT REMOVE - End define PKI secure port --> +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> 
+[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> 
@@ -408,88 +435,4 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) </Service> -<!-- Port Separation: Admin Secure Port --> -<!-- Port Separation: Unsecure Port --> -<!-- Port Separation: EE Secure Port --> -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] - -<Service name="CatalinaAdmin"> - -<Connector port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - 
<Engine name="CatalinaAdmin" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.admin" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> - - -<Service name="CatalinaEE"> - -<Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - -<Connector port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - <Engine name="CatalinaEE" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.ee" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] </Server> diff --git a/pki/base/ocsp/shared/etc/init.d/httpd b/pki/base/ocsp/shared/etc/init.d/httpd index 04b381937..27005a6fb 100755 --- a/pki/base/ocsp/shared/etc/init.d/httpd +++ b/pki/base/ocsp/shared/etc/init.d/httpd @@ -296,7 +296,7 @@ get_pki_secure_port() # establish well-known strings begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector port=\"" + connector_statement="<Connector name=\"" # initialize looping variables ssl_comment_found=0 
@@ -331,10 +331,15 @@ get_pki_secure_port()
 if [ "$head" == "$connector_statement" ] ; then
 # once the Connector statement has been found,
 tail=`echo $line | cut -b18-`
-# extract the numeric port information
-port=`echo $tail | cut -d\" -f1`
-PKI_SECURE_PORT=$port
-return 0
+# extract the name of the connector
+name=`echo $tail | cut -d\" -f1`
+if [ "$name" == "Agent" ] ||
+[ "$name" == "Secure" ] ; then
+# extract the numeric port information
+port=`echo $tail | cut -d\" -f3`
+PKI_SECURE_PORT=$port
+return 0
+fi
 fi
 fi
 done
diff --git a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index 9c22d49fa..a7768b889 100644
--- a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -7,6 +7,42 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> <web-app> + <filter> + <filter-name>PassThroughRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.PassThroughRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>AgentRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_AGENT_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>AdminRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>EERequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> + <init-param> + <param-name>http_port</param-name> + <param-value>[PKI_UNSECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
@@ -453,6 +489,24 @@ <param-value> ee </param-value> </init-param> </servlet> +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/* </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> + </filter-mapping> +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> ocspregistry </servlet-name> <url-pattern> /registry </url-pattern> @@ -482,14 +536,12 @@ <servlet-name> ocsplog </servlet-name> <url-pattern> /log </url-pattern> </servlet-mapping> - -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> ocspauths </servlet-name> <url-pattern> /auths </url-pattern> </servlet-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] - + <servlet-mapping> <servlet-name> ocspstart </servlet-name> <url-pattern> /start </url-pattern> diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index dba9e9239..3564bbca0 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -285,9 +285,6 @@ my $signed_audit_base_instance_dir = "signedAudit"; # CA, KRA, OCSP, TKS, TPS my $webapps_root_base_instance_dir = "ROOT"; # CA, KRA, OCSP, TKS my $webapps_root_base_subsystem_dir = "ROOT"; # CA, KRA, OCSP, TKS my $webinf_base_instance_dir = "WEB-INF"; # CA, KRA, OCSP, TKS -my $agent_base_ui_instance_dir = "agent"; # CA, KRA, OCSP, TKS -my $ee_base_ui_instance_dir = "ee"; # CA, KRA, OCSP, TKS -my $admin_base_ui_instance_dir = "admin"; # CA, KRA, OCSP, TKS # Defaults my $default_apache_pids_path = "/var/run"; 
@@ -354,12 +351,30 @@ my $PKI_UNSECURE_PORT_SLOT = "PKI_UNSECURE_PORT"; my $PKI_USER_SLOT = "PKI_USER"; my $TOMCAT_SERVER_PORT_SLOT = "TOMCAT_SERVER_PORT"; my $PKI_FLAVOR_SLOT = "PKI_FLAVOR"; +my $PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_UNSECURE_PORT_CONNECTOR_NAME"; +my $PKI_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_SECURE_PORT_CONNECTOR_NAME"; +my $PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME"; +my $PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_EE_SECURE_PORT_CONNECTOR_NAME"; +my $PKI_UNSECURE_PORT_COMMENT_SERVER_SLOT = "PKI_UNSECURE_PORT_SERVER_COMMENT"; +my $PKI_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_SECURE_PORT_SERVER_COMMENT"; +my $PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_ADMIN_SECURE_PORT_SERVER_COMMENT"; +my $PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_EE_SECURE_PORT_SERVER_COMMENT"; my $PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT"; my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT"; -my $PKI_OPEN_SHARED_PORTS_COMMENT_SERVER_SLOT = "PKI_OPEN_SHARED_PORTS_SERVER_COMMENT"; -my $PKI_CLOSE_SHARED_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT"; my $PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT"; my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT"; +my $PKI_UNSECURE_PORT_NAME = "Unsecure"; +my $PKI_AGENT_SECURE_PORT_NAME = "Agent"; +my $PKI_ADMIN_SECURE_PORT_NAME = "Admin"; +my $PKI_EE_SECURE_PORT_NAME = "EE"; +my $PKI_SECURE_PORT_NAME = "Secure"; +my $PKI_UNUSED_SECURE_PORT_NAME = "Unused"; +my $PKI_UNSECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Unsecure Port Connector -->"; +my $PKI_AGENT_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Agent Secure Port Connector -->"; +my $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Admin Secure Port Connector -->"; +my $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port 
Separation: EE Secure Port Connector -->"; +my $PKI_UNSECURE_SHARED_PORTS_COMMENT = "<!-- Shared Ports: Unsecure Port Connector -->"; +my $PKI_SECURE_SHARED_PORTS_COMMENT = "<!-- Shared Ports: Agent, EE, and Admin Secure Port Connector -->"; my $PKI_OPEN_COMMENT = "<!--"; my $PKI_CLOSE_COMMENT = "-->"; my $PKI_WEBAPPS_NAME = "PKI_WEBAPPS_NAME"; @@ -955,15 +970,15 @@ sub parse_arguments() ## Mandatory "-pki_instance_root=s" option if( $pki_instance_root eq "" ) { - emit( "Must have value for -pki_instance_root!\n", "error" ); usage(); + emit( "Must have value for -pki_instance_root!\n", "error" ); return 0; } if( $pki_instance_root eq "/" ) { + usage(); emit( "Don't even think about making root the pki_instance_root! " . "Try again.\n", "error" ); - usage(); return 0; } @@ -971,32 +986,32 @@ sub parse_arguments() $pki_instance_root =~ s/\/+$//; if( !is_path_valid( $pki_instance_root ) ) { + usage(); emit( "Target directory $pki_instance_root is not a " . "legal directory try again.\n", "error" ); - usage(); return 0; } ## Mandatory "-pki_instance_name=s" option if( $pki_instance_name eq "" ) { - emit( "Must have value for -pki_instance_name!\n", "error" ); usage(); + emit( "Must have value for -pki_instance_name!\n", "error" ); return 0; } if( !is_name_valid( $pki_instance_name ) ) { + usage(); emit( "Illegal Value => $pki_instance_name for -pki_instance_name!\n", "error" ); - usage(); return 0; } if( pki_instance_already_exists( $pki_instance_name ) ) { + usage(); emit( "An instance named $pki_instance_name " . "already exists; please try again.\n", "error" ); - usage(); return 0; } @@ -1004,10 +1019,10 @@ sub parse_arguments() . "/" . $pki_instance_name; if( directory_exists( $pki_instance_path ) ) { + usage(); emit( "Target directory $pki_instance_path " . "already exists; clean up and " . "try again.\n", "error" ); - usage(); return 0; } 
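Review bot: The connector names `"Agent"` and `"Secure"` assigned to `$PKI_AGENT_SECURE_PORT_NAME` and `$PKI_SECURE_PORT_NAME` are matched as literal strings by `get_pki_secure_port()` in the init.d httpd script (-331 hunk in this diff), so renaming either here silently breaks secure-port discovery at service start. A comment beside these declarations should record the contract, e.g. `# NOTE: "Agent" and "Secure" are matched literally by get_pki_secure_port() in etc/init.d/httpd; keep in sync.` The new `*_SEPARATE_PORTS_COMMENT`/`*_SHARED_PORTS_COMMENT` strings already contain `<!--`/`-->`, so a template must never receive one of them together with a non-empty `$PKI_OPEN_COMMENT` slot on the same connector or the result is a closed comment followed by a stray `-->`; the slot assignments in the -2346 hunk respect that, but it is worth stating here where the strings are defined.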
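Review bot: This hunk and every other parse_arguments hunk on this page (-971, -1004, -1037, -1047, -1064, -1081, -1091, -1112, -1121, -1132, -1175, -1184, -1205, -1230, -1240, -1253) make the same mechanical swap of `usage()` ahead of `emit(...)`, which leaves the three-line `usage(); emit(...); return 0;` tail repeated roughly twenty times. A small helper would remove the duplication and make the ordering a single decision: `sub usage_error { my ( $msg ) = @_; usage(); emit( $msg, "error" ); return 0; }` with each site becoming `return usage_error( "Must have value for -pki_instance_root!\n" );`. parse_arguments begins and ends outside these hunks.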
@@ -1037,9 +1052,9 @@ sub parse_arguments() $subsystem_type ne $TKS && $subsystem_type ne $RA && $subsystem_type ne $TPS ) { + usage(); emit( "Illegal value => $subsystem_type : for -subsystem_type!\n", "error" ); - usage(); return 0; } @@ -1047,10 +1062,10 @@ sub parse_arguments() . "/" . $subsystem_type; if( !( -d "$pki_subsystem_path" ) ) { + usage(); emit( "$pki_subsystem_path not present. " . "Please install the corresponding subsystem RPM first!\n", "error" ); - usage(); return 0; } else { emit( " subsystem_type $subsystem_type\n" ); @@ -1064,8 +1079,8 @@ sub parse_arguments() } else { if( $l_agent_secure_port == -1) { - emit( "Must include value for secure_port!\n", "error" ); usage(); + emit( "Must include value for secure_port!\n", "error" ); return 0; } } @@ -1081,9 +1096,9 @@ sub parse_arguments() } else { if( $l_non_clientauth_secure_port == -1) { + usage(); emit( "Must include value for non_clientauth_secure_port!\n", "error" ); - usage(); return 0; } } @@ -1091,17 +1106,17 @@ sub parse_arguments() if( $l_agent_secure_port > 0 || $l_ee_secure_port > 0 || $l_admin_secure_port > 0) { + usage(); emit( "Must NOT include values for any agent|admin|ee ports!\n", "error"); - usage(); return 0; } } else { ## Mandatory EXCLUSION for CA, KRA, OCSP, and TKS subsystems if( $l_non_clientauth_secure_port != -1 ) { + usage(); emit( "Must NOT include value for non_clientauth_secure_port!\n", "error" ); - usage(); return 0; } } @@ -1112,8 +1127,8 @@ sub parse_arguments() emit( " unsecure_port $unsecure_port\n" ); } else { - emit( "Must include value for unsecure_port!\n", "error" ); usage(); + emit( "Must include value for unsecure_port!\n", "error" ); return 0; } 
@@ -1121,8 +1136,8 @@ sub parse_arguments() if( !($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { ## Mandatory OPTION for CA, KRA, OCSP, and TKS subsystems if( $l_tomcat_server_port < 0 ) { - emit( "Must include value for tomcat_server_port!\n", "error" ); usage(); + emit( "Must include value for tomcat_server_port!\n", "error" ); return 0; } @@ -1132,9 +1147,9 @@ sub parse_arguments() } else { ## Mandatory EXCLUSION for RA and TPS subsystems if( $l_tomcat_server_port != -1 ) { + usage(); emit( "Must NOT include value for tomcat_server_port!\n", "error" ); - usage(); return 0; } } @@ -1175,8 +1190,8 @@ sub parse_arguments() if (!AreConnectorPortsValid($secure_port,$unsecure_port,$agent_secure_port, $ee_secure_port,$admin_secure_port ) ) { - emit( "Invalid port numbers submitted!\n","error" ); usage(); + emit( "Invalid port numbers submitted!\n","error" ); return 0; } @@ -1184,16 +1199,16 @@ sub parse_arguments() ## Optional "-user=<username>" option if( $username ne "" ) { if( $groupname eq "" ) { + usage(); emit( "Must ALSO specify group ownership using -group!\n", "error" ); - usage(); return 0; } if( !user_exists( $username ) ) { + usage(); emit( "The user '$username' is invalid on this machine!\n", "error" ); - usage(); return 0; } @@ -1205,16 +1220,16 @@ sub parse_arguments() ## Optional "-group=<groupname>" option if( $groupname ne "" ) { if( $username eq "" ) { + usage(); emit( "Must ALSO specify user ownership using -user!\n", "error" ); - usage(); return 0; } if( !group_exists( $groupname ) ) { + usage(); emit( "The group '$groupname' is invalid on this machine!\n", "error" ); - usage(); return 0; } @@ -1230,9 +1245,9 @@ sub parse_arguments() # requiring $pki_user to be a member of $pki_group . . . # # if( !user_is_a_member_of_group( $pki_user, $pki_group ) ) { + # usage(); # emit( "The user '$pki_user' is NOT a member of group '$pki_group'!\n", # "error" ); - # usage(); # return 0; # } 
@@ -1240,9 +1255,9 @@ sub parse_arguments() ## Optional "-redirect <dir_name>=<real dir path> ..." option while( my ($key, $value) = each( %redirects ) ) { if( !is_path_valid( $value ) ) { + usage(); emit( "Illegal redirect directory value: key=$key value=" . "$value\n", "error" ); - usage(); return 0; } @@ -1253,9 +1268,9 @@ sub parse_arguments() $redirected_logs_path = $value; emit( "setting logs_path $redirected_logs_path\n" ); } else { + usage(); emit( "Illegal redirect directory key: key=$key value=" . "$value\n", "error" ); - usage(); return 0; } @@ -1674,12 +1689,6 @@ sub process_pki_directories() my $result = 0; my $remove_dir=""; - my $do_port_separation = 0; - if( $agent_secure_port >= 0 && ( $subsystem_type ne $RA ) && - ( $subsystem_type ne $TPS ) ) { - $do_port_separation = 1; - } - emit( "Processing PKI directories for '$pki_instance_path' ...\n" ); ## Populate instance directory paths (instance independent) 
@@ -2059,102 +2068,7 @@ sub process_pki_directories() emit( "Failed to copy directory $webapps_subsystem_path ...\n" ); return 0; } - ## Take care of port separation directory manipulation here. - if( $do_port_separation ) { - # Make 2 more copies of the webapps directory - # One for ee and one for admin, existing webapps is for agent - - $result = copy_directory( $webapps_instance_path , $webapps_instance_path . ".ee" ); - - if( !$result ) { - emit( "Failed to copy directory $webapps_subsystem_path for port separation ...\n" ); - return 0; - } - - $result = copy_directory( $webapps_instance_path , $webapps_instance_path . ".admin" ); - - if( !$result ) { - emit( "Failed to copy directory $webapps_subsystem_path for port separation ...\n" ); - return 0; - } - - # Remove unwanted content from the agent, webapps directory - - $remove_dir = $webapps_instance_path . "/" . - $subsystem_type . "/" . $ee_base_ui_instance_dir; - - $result = remove_directory( $remove_dir ); - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - - # In this case for the agent port , we still need the webapps/$subsystem_type/admin/console directory - # for the configuration wizard to still run. - # Only remove the $subsystem_type portion of this directory. - - $remove_dir = $webapps_instance_path . "/" . - $subsystem_type . "/" . $admin_base_ui_instance_dir . "/" . $subsystem_type; - - $result = remove_directory( $remove_dir ); - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - - - # Remove unwanted content from the ee, webapps directory - # In this case for the ee port , we still need the webapps/$subsystem_type/admin/console directory - # for the security domain requests from other subsystems. - # Only remove the $subsystem_type portion of this directory. - - - $remove_dir = $webapps_instance_path . - ".ee" . "/" . $subsystem_type . "/" . 
$agent_base_ui_instance_dir; - - $result = remove_directory( $remove_dir ); - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - - $remove_dir = $webapps_instance_path . - ".ee" ."/" . $subsystem_type . "/" . $admin_base_ui_instance_dir . "/" . $subsystem_type; - - $result = remove_directory( $remove_dir ); - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - - # Remove unwanted content from the admin, webapps directory - - $remove_dir = $webapps_instance_path . - ".admin" . "/" . $subsystem_type . "/" . $agent_base_ui_instance_dir; - - $result = remove_directory( $remove_dir ); - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - - $remove_dir = $webapps_instance_path . - ".admin" . "/" . $subsystem_type . "/" . $ee_base_ui_instance_dir; - - $result = remove_directory( $remove_dir ); - - - if( !$result ) { - emit( "Failed to delete directory $remove_dir for port separation ...\n" ); - return 0; - } - } ## # Tomcat Specific $result = copy_directory( $shared_subsystem_path, @@ -2264,11 +2178,11 @@ sub process_file_template # return 0 - failure sub process_pki_templates() { - #Are we doing port separation?,If so, we have enough info to set the PKI_SECURE_PORT here. - my $do_port_separation = 0; - if( $agent_secure_port >= 0 && ( $subsystem_type ne $RA ) && + my $use_port_separation = 0; + if( $agent_secure_port >= 0 && + ( $subsystem_type ne $RA ) && ( $subsystem_type ne $TPS ) ) { - $do_port_separation = 1; + $use_port_separation = 1; } my %slot_hash = (); 
@@ -2346,39 +2260,62 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type; $slot_hash{$PKI_UNSECURE_PORT_SLOT} = $unsecure_port; - # Define "Port Separation" versus "Shared Ports" - if( $do_port_separation) + # Define "Port Separation" (default) versus "Shared Ports" (legacy) + if( $use_port_separation) { + # Establish "Port Separation" Connector Names + $slot_hash{$PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNSECURE_PORT_NAME; + $slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_AGENT_SECURE_PORT_NAME; + $slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_ADMIN_SECURE_PORT_NAME; + $slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_EE_SECURE_PORT_NAME; +my $PKI_SECURE_PORT_NAME = "Secure"; + + # Establish "Port Separation" Connector Ports $slot_hash{$PKI_SECURE_PORT_SLOT} = $agent_secure_port; $slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $agent_secure_port; $slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $ee_secure_port; $slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $admin_secure_port; - # Do NOT comment out the Admin/EE/Unsecure Ports - # used by Port Separation + + # Comment "Port Separation" appropriately + $slot_hash{$PKI_UNSECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_UNSECURE_SEPARATE_PORTS_COMMENT; + $slot_hash{$PKI_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_AGENT_SECURE_SEPARATE_PORTS_COMMENT; + $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT; + $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT; + + # Do NOT comment out the "Admin/EE" Ports $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = ""; $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = ""; - # Comment out the Secure/Unsecure Ports used by Shared Ports - $slot_hash{$PKI_OPEN_SHARED_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT; - $slot_hash{$PKI_CLOSE_SHARED_PORTS_COMMENT_SERVER_SLOT} = $PKI_CLOSE_COMMENT; - # Comment out 
the Authentication Servlet for the non-Admin Ports + + # Do NOT comment out the "Admin/Agent/EE" Filters # used by Port Separation - $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_OPEN_COMMENT; - $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT; + $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; + $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; } else { + # Establish "Shared Ports" Connector Names + $slot_hash{$PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNSECURE_PORT_NAME; + $slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_SECURE_PORT_NAME; + $slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNUSED_SECURE_PORT_NAME; + $slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNUSED_SECURE_PORT_NAME; + + # Establish "Shared Ports" Connector Ports $slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port; $slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $secure_port; $slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $secure_port; $slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $secure_port; - # Comment out the Admin/EE/Unsecure Ports used by Port Separation + + # Comment "Shared Ports" appropriately + $slot_hash{$PKI_UNSECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_UNSECURE_SHARED_PORTS_COMMENT; + $slot_hash{$PKI_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_SECURE_SHARED_PORTS_COMMENT; + $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; + $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; + + # Comment out the "Admin/EE" Ports $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT; $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_CLOSE_COMMENT;; - # Do NOT comment out the Secure/Unsecure Ports used by Shared Ports - $slot_hash{$PKI_OPEN_SHARED_PORTS_COMMENT_SERVER_SLOT} = ""; - $slot_hash{$PKI_CLOSE_SHARED_PORTS_COMMENT_SERVER_SLOT} = ""; - # Do NOT comment out the Authentication Servlet for the Admin Port - # used by Shared Ports - 
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; - $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; + + # Comment out the "Admin/Agent/EE" Filters + $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_OPEN_COMMENT; + $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT; } $slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir; 
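Review bot: The added line `my $PKI_SECURE_PORT_NAME = "Secure";` sits unindented in the middle of the port-separation branch, redeclaring the file-scope variable from the -354 hunk in an inner scope where nothing reads it; it looks like a paste leftover and should be deleted (the else branch correctly uses the outer variable). In shared-ports mode both the Admin and EE connectors are given the same name `"Unused"`, which is harmless only because the -117 server.xml hunk wraps them in the `[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT]` slot; a comment such as `# both connectors are commented out in this mode, so the duplicate name never reaches Tomcat` would stop someone from uncommenting them later. The context line `= $PKI_CLOSE_COMMENT;;` in the else branch carries a doubled semicolon. process_pki_templates begins and ends outside this hunk.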
@@ -2711,132 +2648,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so return 1; } -# no args -# return 1 - success, or -# return 0 - failure -sub process_pki_templates_for_port_separation() -{ - #re do web.xml in the case of configurable port separation - - my %slot_hash = (); - my $do_port_separation = 0; - - #for webapps.ee - my $ee_webinf_instance_path = $webapps_instance_path - . ".ee" - . "/" . $subsystem_type - . "/" . $webinf_base_instance_dir ; - - my $ee_webapps_root_instance_path = $webapps_instance_path - . ".ee" - . "/" . $webapps_root_base_instance_dir ; - - - #for webapps.admin - my $admin_webinf_instance_path = $webapps_instance_path - . ".admin" - . "/" . $subsystem_type - . "/" . $webinf_base_instance_dir ; - - - my $admin_webapps_root_instance_path = $webapps_instance_path - . ".admin" - . "/" . $webapps_root_base_instance_dir ; - - - #for webapps, use $webinf_instance_path - - if( $agent_secure_port >= 0 && ( $subsystem_type ne $RA ) && - ( $subsystem_type ne $TPS ) ) { - $do_port_separation = 1; - } - - if ( ! $do_port_separation ) { - return 1; - } - - emit( "Processing PKI templates for '$pki_instance_path' for port separation ...\n" ); - - # We need to re-establish the PKI_INSTANCE_PATH - - $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; - $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type; - - # For webapps.ee and webapps, comment out the access to the admin port - - $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_OPEN_COMMENT; - $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT; - - $result = process_file_template( $web_xml_subsystem_file_path, - $ee_webinf_instance_path . "/" . $web_xml_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - - $result = process_file_template( $web_xml_subsystem_file_path, - $webinf_instance_path . "/" . 
$web_xml_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - - # For webapps.admin don't comment out the access to the admin port - - $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; - $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = ""; - - $result = process_file_template( $web_xml_subsystem_file_path, - $admin_webinf_instance_path . "/" . $web_xml_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - #Now massage the velocity.properties for webapps.ee and webapps.admin - - $slot_hash{$PKI_WEBAPPS_NAME}= $webapps_base_subsystem_dir . ".ee"; - - $result = process_file_template( $velocity_prop_subsystem_file_path, - $ee_webinf_instance_path . "/" . $velocity_prop_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - $slot_hash{$PKI_WEBAPPS_NAME}= $webapps_base_subsystem_dir . ".admin"; - - $result = process_file_template( $velocity_prop_subsystem_file_path, - $admin_webinf_instance_path . "/" . $velocity_prop_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - #Process the index.html file for ee and admin - - $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host ; - $slot_hash{$PKI_SECURE_PORT_SLOT} = $ee_secure_port ; - $result = process_file_template( $index_html_subsystem_file_path, - $ee_webapps_root_instance_path . "/" . $index_html_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - $result = process_file_template( $index_html_subsystem_file_path, - $admin_webapps_root_instance_path . "/" . $index_html_base_name, - \%slot_hash ); - if( !$result ) { - return 0; - } - - - return 1; -} - # no args # return 1 - success, or 
@@ -2844,21 +2655,6 @@ sub process_pki_templates_for_port_separation() sub process_pki_files_and_symlinks() { my $result = 0; - my $do_port_separation = 0; - my $ee_webinf_lib_instance_path = $webapps_instance_path - . ".ee" - . "/" . $subsystem_type - . "/" . $webinf_base_instance_dir . "/" . $lib_base_instance_dir; - - my $admin_webinf_lib_instance_path = $webapps_instance_path - . ".admin" - . "/" . $subsystem_type - . "/" . $webinf_base_instance_dir . "/" . $lib_base_instance_dir; - - if( $agent_secure_port >= 0 && ( $subsystem_type ne $RA ) && - ( $subsystem_type ne $TPS ) ) { - $do_port_separation = 1; - } emit( "Processing PKI files and symbolic links for " . "'$pki_instance_path' ...\n" ); @@ -3008,21 +2804,6 @@ sub process_pki_files_and_symlinks() return 0; } - if( $do_port_separation) { - # create instance "webapps.ee/$subsystem_type/WEB-INF/lib" subdirectory - $result = create_directory( $ee_webinf_lib_instance_path ); - if( !$result ) { - return 0; - } - - - # create instance "webapps.admin/$subsystem_type/WEB-INF/lib" subdirectory - $result = create_directory( $admin_webinf_lib_instance_path ); - if( !$result ) { - return 0; - } - } - # create instance symlink to "$subsystem_type.jar" $result = create_symbolic_link( $subsystem_jar_symlink_path, $subsystem_jar_file_path ); 
@@ -3139,50 +2920,20 @@ sub process_pki_files_and_symlinks() } - if( !$do_port_separation) { - # create instance symlink to "osutil.jar" - $result = create_symbolic_link( $osutil_jar_symlink_path, - $osutil_jar_file_path ); - if( !$result ) { - return 0; - } - - $result = give_symbolic_link_to( $osutil_jar_symlink_path, - $pki_user, - $pki_group ); - if( !$result ) { - emit( "$osutil_jar_symlink_path ownership problems!", - "error" ); - return 0; - } - - } else { # put this important file in common instead for port separation - # create instance symlink to "osutil.jar" - $result = create_symbolic_link( $common_instance_symlink_path . $osutil_jar_base_name , - $osutil_jar_file_path ); - if( !$result ) { - return 0; - } - - $result = give_symbolic_link_to( $common_instance_symlink_path . $osutil_jar_base_name, - $pki_user, - $pki_group ); - if( !$result ) { - emit( "$osutil_jar_symlink_path ownership problems!", - "error" ); - return 0; - } - - #Now go back and massage the web.xml templates to restrict access to the admin port - - $result = process_pki_templates_for_port_separation(); - - if( !$result) { - emit("Can't process the web.xml template files!\n", - "error"); - return 0; - } + # create instance symlink to "osutil.jar" + $result = create_symbolic_link( $osutil_jar_symlink_path, + $osutil_jar_file_path ); + if( !$result ) { + return 0; + } + $result = give_symbolic_link_to( $osutil_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$osutil_jar_symlink_path ownership problems!", + "error" ); + return 0; } # Tomcat Specific 
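Review bot: The new unconditional block keeps the ownership failure message as `emit( "$osutil_jar_symlink_path ownership problems!", "error" );` without the trailing newline that the other `emit` calls visible in this function's hunks use, so the next line of output runs onto it. Change it to `emit( "$osutil_jar_symlink_path ownership problems!\n", "error" );`. process_pki_files_and_symlinks continues outside the hunk.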
@@ -3208,26 +2959,7 @@ sub process_pki_files_and_symlinks() } } - #Now make copy of finished lib directory in webapps.ee and webapps.admin, if doing port separation - #Thus processing the files all at once instead of individually - - if( $do_port_separation) { - $result = copy_directory( $webinf_lib_instance_path, - $ee_webinf_lib_instance_path); - if( !$result ) { - emit( "Failed to copy directory $web_lib_instance_path ...\n" ); - return 0; - } - - $result = copy_directory( $webinf_lib_instance_path, - $admin_webinf_lib_instance_path); - if( !$result ) { - emit( "Failed to copy directory $webinf_lib_instance_path ...\n" ); - return 0; - } - - } - return 1; + return 1; } diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml index ed0a8371f..0b44bc9ee 100644 --- a/pki/base/tks/shared/conf/server.xml +++ b/pki/base/tks/shared/conf/server.xml 
@@ -83,25 +83,18 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) IP address of the remote client. --> - <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> - - - +<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> +[PKI_UNSECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> - <!-- Shared Ports: Unsecure Port --> - [PKI_OPEN_SHARED_PORTS_SERVER_COMMENT] - <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true" /> - [PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT] -<!-- Port Separation: Agent Secure Port --> -<!-- OR --> -<!-- Shared Ports: Agent, EE, and Admin Secure Port --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> +[PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" +<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
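Review bot: The new `name="[PKI_..._CONNECTOR_NAME]"` attribute is not, as far as I know, a Connector attribute Tomcat itself consumes; it exists so that `get_pki_secure_port()` in the init.d httpd script can locate the secure port, and that script extracts the port with `cut -b18-` and `cut -d\" -f3`, which only works while `name=` is the first attribute, `port=` the second, and both sit on the same line as `<Connector`. Nothing in this file says so; extend the existing marker to `<!-- DO NOT REMOVE OR REORDER - the init script parses name="..." port="..." from the Connector line below -->`. The unsecure connector receives the same attribute but is not parsed by the script, so a reader may reasonably assume the attribute is cosmetic.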
@@ -117,6 +110,40 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> <!-- DO NOT REMOVE - End define PKI secure port --> +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> 
+[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> 
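Review bot: The admin and EE connectors carry byte-identical `sslOptions`/`ssl2Ciphers`/`ssl3Ciphers`/`tls3Ciphers` blocks, so the file now has three copies of the TLS policy that will drift independently, and the copied settings enable SSLv2 (`ssl2=true`) plus single-DES and RC4 suites (`+SSL3_RSA_WITH_DES_CBC_SHA`, `+SSL3_RSA_WITH_RC4_128_SHA`) on the admin and EE listeners. Since these connectors are being redefined here, this is the point to decide whether the admin port needs the legacy protocol set at all; at minimum add a comment stating that the blocks are meant to stay identical, e.g. `<!-- TLS settings below are intentionally identical to the Agent connector; change all of them together -->`. `clientAuth="false"` on both is presumably deliberate (admin and EE do not rely on certificate authentication), but the file does not say so, and `sslProtocol="SSL"` alongside `tls=true` reads as contradictory without a note on what the JSS implementation does with it.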
@@ -408,88 +435,4 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) </Service> -<!-- Port Separation: Admin Secure Port --> -<!-- Port Separation: Unsecure Port --> -<!-- Port Separation: EE Secure Port --> -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] - -<Service name="CatalinaAdmin"> - -<Connector port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - 
<Engine name="CatalinaAdmin" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.admin" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> - - -<Service name="CatalinaEE"> - -<Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - -<Connector port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - <Engine name="CatalinaEE" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.ee" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] </Server> diff --git a/pki/base/tks/shared/etc/init.d/httpd b/pki/base/tks/shared/etc/init.d/httpd index b32ccaf47..f20a59d0d 100755 --- a/pki/base/tks/shared/etc/init.d/httpd +++ b/pki/base/tks/shared/etc/init.d/httpd @@ -296,7 +296,7 @@ get_pki_secure_port() # establish well-known strings begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector port=\"" + connector_statement="<Connector name=\"" # initialize looping variables ssl_comment_found=0 
@@ -331,10 +331,15 @@ get_pki_secure_port() if [ "$head" == "$connector_statement" ] ; then # once the Connector statement has been found, tail=`echo $line | cut -b18-` - # extract the numeric port information - port=`echo $tail | cut -d\" -f1` - PKI_SECURE_PORT=$port - return 0 + # extract the name of the connector + name=`echo $tail | cut -d\" -f1` + if [ "$name" == "Agent" ] || + [ "$name" == "Secure" ] ; then + # extract the numeric port information + port=`echo $tail | cut -d\" -f3` + PKI_SECURE_PORT=$port + return 0 + fi fi fi done diff --git a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml index 8f11a5932..51d541e3c 100644 --- a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml +++ b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml 
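Review bot: The value assigned on the new `port=` line is never checked to be numeric, although the comment above it calls it the numeric port: if the `[PKI_SECURE_PORT]` placeholder was left unsubstituted, or the connector's second attribute is not `port`, whatever text sits in the third quote-delimited field is exported as PKI_SECURE_PORT and the function returns success. Guarding the assignment with `case "$port" in ''|*[!0-9]*) continue ;; esac` keeps the loop searching instead of returning a bad value. The `if` also hardcodes the names `Agent` and `Secure`, which must stay in step with whatever `[PKI_SECURE_PORT_CONNECTOR_NAME]` expands to in the server.xml templates; a one-line comment naming that dependency would help the next editor. The `cut -b18-` on the context line above is tied to the 17-character length of `connector_statement`, so `tail="${line#"$connector_statement"}"` would remove the magic offset. get_pki_secure_port() begins outside the hunk.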
@@ -7,6 +7,42 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> <web-app> + <filter> + <filter-name>PassThroughRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.PassThroughRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>AgentRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_AGENT_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>AdminRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>EERequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> + <init-param> + <param-name>http_port</param-name> + <param-value>[PKI_UNSECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
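Review bot: The four new `<filter>` declarations carry no comment saying what they enforce, and their `http_port`/`https_port` init-params duplicate port values that also live in the Connector elements of server.xml, so nothing tells a maintainer the two must be kept aligned. A comment above the first filter such as `<!-- Port-separation request filters: each http_port/https_port must match the matching Connector port in server.xml -->` would document that coupling; the exact check the filter classes perform is not visible in this diff. PassThroughRequestFilter is declared here but has no `<filter-mapping>` in the hunks of this file shown in the diff, which may be intentional or mapped elsewhere in the file.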
@@ -311,6 +347,24 @@ <param-value> ee </param-value> </init-param> </servlet> +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/* </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> + </filter-mapping> +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> tksstart </servlet-name> <url-pattern> /start </url-pattern> @@ -331,12 +385,10 @@ <url-pattern> /registry </url-pattern> </servlet-mapping> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> tksauths </servlet-name> <url-pattern> /auths </url-pattern> </servlet-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> tksjobsScheduler </servlet-name> |
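Review bot: The three new filter-mappings restrict only `/agent/*`, `/admin/*`, `/ee/*` and `/auths`, so other servlet paths visible in this file, such as `/start` and `/registry`, stay unfiltered and reachable on every connector even when the separate-ports comments are opened. If that is intended because they are lifecycle endpoints, a comment inside the wrapped block should say so, e.g. `<!-- Paths outside /agent/*, /admin/*, /ee/* and /auths are deliberately not port-restricted -->`. The mapping names are padded with spaces (`<filter-name> AgentRequestFilter </filter-name>`) while the declarations in the earlier hunk are not, which presumably relies on the container trimming names as the existing servlet-mappings already do; writing them unpadded would remove that dependency.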