-rw-r--r-- | pki/base/ca/shared/conf/proxy-ipa.conf | 26 | ||||
-rwxr-xr-x | pki/base/setup/pkicreate | 14 |
2 files changed, 40 insertions, 0 deletions
diff --git a/pki/base/ca/shared/conf/proxy-ipa.conf b/pki/base/ca/shared/conf/proxy-ipa.conf
new file mode 100644
index 000000000..b619b551d
--- /dev/null
+++ b/pki/base/ca/shared/conf/proxy-ipa.conf
@@ -0,0 +1,26 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index da6f3c478..ed069e361 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
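Review bot: Every alternative in the three LocationMatch patterns is anchored only at the start, so any request path that merely begins with one of the listed servlet paths is proxied to the AJP backend under that block's client-certificate policy; for the ee and admin blocks that policy is `NSSVerifyClient none`, so the proxied surface is wider than the servlets the comments name. Where the servlet path is exact, closing the alternation with an end anchor keeps the match to the listed servlets, e.g. `<LocationMatch "^/ca/ee/ca/(?:checkRequest|getCertChain|getTokenInfo|tokenAuthenticate|updateNumberRange)$|^/ca/ocsp">`, with `^/ca/ocsp` left as a prefix because OCSP GET requests carry the encoded request in the path. A one-line comment on the ee and admin blocks saying why client certificates are not required there (presumably those servlets authenticate at the servlet layer) would help the next maintainer judge the `none` setting. The `[PKI_MACHINE_NAME]` and `[PKI_AJP_PORT]` slots are filled by the template processing added to pkicreate in the same commit.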
@@ -222,6 +222,7 @@ my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, T
 my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
 my $profile_select_base_name = "ProfileSelect.template"; # CA
 my $proxy_conf_base_name = "proxy.conf"; # CA
+my $proxy_ipa_conf_base_name = "proxy-ipa.conf"; # CA
 my $registry_template_base_name = "registry_instance"; # CA, KRA, OCSP, TKS, RA, TPS
 my $pki_apache_initscript_base_name = "pki_apache_initscript"; # RA, TPS
@@ -549,6 +550,8 @@ my $profile_select_template_subsystem_file_path = undef; #CA
 my $profile_select_template_instance_file_path = undef; #CA
 my $proxy_conf_subsystem_file_path = undef; #CA
 my $proxy_conf_instance_file_path = undef; #CA
+my $proxy_ipa_conf_subsystem_file_path = undef; #CA
+my $proxy_ipa_conf_instance_file_path = undef; #CA
 # PKI init script variables
 my $pki_registry_initscript = undef; # CA, KRA, OCSP, TKS, RA, TPS
@@ -1612,6 +1615,8 @@ sub initialize_subdirectory_paths
 $proxy_conf_subsystem_file_path = $conf_subsystem_path
 . "/" . $proxy_conf_base_name;
+ $proxy_ipa_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $proxy_ipa_conf_base_name;
 }
 ## Initialize subdirectory paths (RA, TPS subsystems)
@@ -1968,6 +1973,8 @@ sub process_pki_directories
 . "/" . $pki_cfg_base_name;
 $proxy_conf_instance_file_path = $conf_instance_path
 . "/" . $proxy_conf_base_name;
+ $proxy_ipa_conf_instance_file_path = $conf_instance_path
+ . "/" . $proxy_ipa_conf_base_name;
 $catalina_properties_instance_file_path = $conf_instance_path
 . "/" . $catalina_properties_base_name;
@@ -2017,6 +2024,8 @@ sub process_pki_directories
 . "/" . $pki_cfg_base_name;
 $proxy_conf_instance_file_path = $redirected_conf_path
 . "/" . $proxy_conf_base_name;
+ $proxy_ipa_conf_instance_file_path = $redirected_conf_path
+ . "/" . $proxy_ipa_conf_base_name;
 $catalina_properties_instance_file_path = $redirected_conf_path
 . "/" . $catalina_properties_base_name;
@@ -2570,6 +2579,11 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
 $proxy_conf_subsystem_file_path,
 $proxy_conf_instance_file_path,
 \%slot_hash);
+ # process proxy-ipa.conf file
+ return 0 if !process_file_template("proxy_ipa_conf",
+ $proxy_ipa_conf_subsystem_file_path,
+ $proxy_ipa_conf_instance_file_path,
+ \%slot_hash);
 }
 |
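Review bot: Nothing else in this commit references the generated proxy-ipa.conf, so the added `# process proxy-ipa.conf file` comment leaves its purpose undocumented for the next reader; the enclosing function starts outside the hunk, so whether it runs for every CA instance is not visible here, but as written the file is generated on the same condition as proxy.conf. A fuller comment would save a search, e.g. `# process proxy-ipa.conf file (mod_nss proxy snippet for an IPA-managed httpd front-end; generated alongside proxy.conf, not wired into httpd here)`. The slots the new template uses, `[PKI_MACHINE_NAME]` and `[PKI_AJP_PORT]`, are presumably already present in `%slot_hash` for proxy.conf; it is worth confirming that the installed file contains no unexpanded slot, since a literal placeholder in a ProxyPassMatch target would make the block fail to proxy rather than fail closed.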