Diffstat (limited to 'base')
-rw-r--r-- | base/ca/shared/conf/acl.ldif | 3 | ||||
-rw-r--r-- | base/ca/shared/conf/server.xml | 2 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/auth.properties | 9 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 35 | ||||
-rw-r--r-- | base/common/shared/conf/context.xml | 4 | ||||
-rw-r--r-- | base/common/shared/conf/server.xml | 3 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 14 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/slot_substitution.py | 12 | ||||
-rwxr-xr-x | base/setup/pki | 1 | ||||
-rwxr-xr-x | base/setup/pkicreate | 2 |
10 files changed, 80 insertions, 5 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index ceea1f27a..aec1447e5 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -51,3 +51,6 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group=
 resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
 resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
+resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
+resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
index 4056fbbb7..60317d2fa 100644
--- a/base/ca/shared/conf/server.xml
+++ b/base/ca/shared/conf/server.xml
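Review bot: The three added ACLs define a single `execute` operation each, whereas the neighbouring entries for `certServer.ca.registerUser` and `certServer.admin.ocsp` distinguish `read` from `modify`; with the URL-to-ACL mapping this commit adds in auth.properties (one `<resource>,<operation>` pair per URL), a request that only lists users and one that changes them are gated by the same right. If this coarse grant is intentional for the first REST endpoints, record it in the ACL description, e.g. `:Admins may execute user operations (read and modify are not distinguished for the REST API)`; otherwise split each entry into `read`/`modify` so the new endpoints keep the granularity the rest of this file has.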
@@ -84,7 +84,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
 maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
new file mode 100644
index 000000000..ebb1c6c3f
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -0,0 +1,9 @@
+# Restful API auth/authz mapping info
+#
+# Format:
+# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
+# ex: /ca/pki/users = certServer.ca.users,read
+
+/ca/rest/admin/users = certServer.ca.users,execute
+/ca/rest/admin/groups = certServer.ca.groups,execute
+/ca/rest/agent/certs = certServer.ca.certs,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 7ec3932c9..af474872e 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
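Review bot: `redirectPort` now reads the `[PKI_SECURE_PORT]` slot, but no hunk in this commit defines a `PKI_SECURE_PORT_SLOT` in pkiparser.py or a `$PKI_SECURE_PORT_SLOT` in pkicreate; the slots visible here are `PKI_AGENT_SECURE_PORT_SLOT`, `PKI_AJP_PORT_SLOT` and the like. Unless that slot already exists outside the diff, the literal `[PKI_SECURE_PORT]` survives substitution, Tomcat cannot read it as a port number, and the unsecure-to-secure redirect for the CA stops working without any change to the page you would look at first. The same substitution is made in the base/common/shared/conf/server.xml hunk further down.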
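Review bot: The example in the header comment, `# ex: /ca/pki/users = certServer.ca.users,read`, uses a URL shape and an operation that none of the entries below follow; `# ex: /ca/rest/admin/users = certServer.ca.users,execute` would match the file's actual contents. The comment also leaves open whether a key is matched against the request URL exactly or as a prefix, which decides whether `/ca/rest/admin/users/<id>` falls under the `certServer.ca.users` entry, and what happens to a URL that is inside the web.xml constraints but has no entry here. Both are decided by the realm code rather than by this file, so one sentence stating the matching rule and the unmapped-URL outcome would let a reviewer check the mapping without reading PKIRealm.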
@@ -2382,5 +2382,40 @@
 <session-config>
 <session-timeout>30</session-timeout>
 </session-config>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Agent Services</web-resource-name>
+ <url-pattern>/rest/agent/certs/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Certificate Authority</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+
 </web-app>
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
index 4b00dbe3c..b28f1bd20 100644
--- a/base/common/shared/conf/context.xml
+++ b/base/common/shared/conf/context.xml
@@ -39,4 +39,8 @@
 <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
 -->
+ <Valve className="com.netscape.cmscore.realm.SSLAuthenticatorWithFallback" />
+
+ <Realm className="com.netscape.cmscore.realm.PKIRealm" />
+
 </Context>
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index d3c781a6b..596b7e356 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
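Review bot: The agent constraint covers only `/rest/agent/certs/*` while the admin one covers the whole `/rest/admin/*` subtree, so a resource added later under `/rest/agent/` would sit outside container authentication until someone remembers to extend this block; `<url-pattern>/rest/agent/*</url-pattern>` makes the two constraints symmetric, unless something under that prefix is meant to stay public. `<login-config>` also carries no `<auth-method>`; if authentication is meant to come from the `SSLAuthenticatorWithFallback` valve this commit adds to context.xml, an XML comment above `<login-config>` saying so would save the next reader a search through the Tomcat configuration. Only the closing `</web-app>` of the enclosing element is visible in the hunk.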
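Review bot: This context.xml lives under base/common/shared, so every subsystem instance picks up `PKIRealm` and the fallback valve, while the only auth.properties this commit adds is the CA's (the diffstat lists no other subsystem webapp). Whether the realm tolerates a webapp that ships no mapping file is not visible here; either confirm that it does, or add an XML comment beside the `<Realm>` element noting that the CA is currently the only webapp carrying the `WEB-INF/auth.properties` the realm consumes, so the next subsystem author knows what to add.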
@@ -117,7 +117,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
 maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
@@ -186,7 +186,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
 ocspTimeout="10"
 strictCiphers="false"
 clientAuth="[PKI_AGENT_CLIENTAUTH]"
- clientauth="[PKI_AGENT_CLIENTAUTH]"
 sslOptions="[TOMCAT_SSL_OPTIONS]"
 ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
 ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 5674cf87a..66c1e4085 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -400,6 +400,9 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_source_server_xml'] =\
 os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "server.xml")
+ config.pki_master_dict['pki_source_context_xml'] =\
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
+ "context.xml")
 config.pki_master_dict['pki_source_tomcat_conf'] =\
 os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "tomcat.conf")
@@ -984,6 +987,10 @@ def compose_pki_master_dictionary():
 os.path.join(
 config.pki_master_dict['pki_instance_configuration_path'],
 "server.xml")
+ config.pki_master_dict['pki_target_context_xml'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "context.xml")
 config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
 config.pki_master_dict['pki_root_prefix'] +\
 "/etc/sysconfig/" +\
@@ -997,6 +1004,11 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_tomcat_webapps_root_path'],
 "index.jsp")
 # in-place slot substitution name/value pairs
+ config.pki_master_dict['pki_target_auth_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "auth.properties")
 config.pki_master_dict['pki_target_velocity_properties'] =\
 os.path.join(
 config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
@@ -1131,7 +1143,7 @@ def compose_pki_master_dictionary():
 ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
 ""
 config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\
- "agent"
+ "want"
 config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\
 config.pki_master_dict['pki_https_port']
 config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 3467596e8..482d1d9cb 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -54,6 +54,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_target_server_xml'],
 overwrite_flag=True)
 util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
 master['pki_source_tomcat_conf'],
 master['pki_target_tomcat_conf_instance_id'],
 uid=0, gid=0, overwrite_flag=True)
@@ -66,6 +70,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_target_index_jsp'],
 overwrite_flag=True)
 util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
 master['pki_target_velocity_properties'])
 util.file.apply_slot_substitution(
 master['pki_target_subsystem_web_xml'])
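Review bot: `PKI_AGENT_CLIENTAUTH_SLOT` changes from `"agent"` to `"want"` in the `@@ -1131` hunk and nothing in the hunk records why. If the old value made the agent connector require a client certificate during the TLS handshake, `want` only requests one, so a cert-less client now reaches the servlet layer and every agent-path resource depends on application-level authentication (the valve, realm and ACLs added elsewhere in this commit) rather than on the connector; a comment at the assignment such as `# "want": request but do not require a client cert, so non-cert clients can fall back to the realm's other authentication methods` would record that this is deliberate and name the component that now enforces agent identity. The same value is changed in the base/setup/pkicreate hunk. compose_pki_master_dictionary() extends well beyond the hunk on both sides.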
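Review bot: The copy/apply sequences in the `@@ -54` and `@@ -66` hunks of slot_substitution.py are repeated verbatim in the `@@ -109` and `@@ -121` hunks of the same file, and this commit grows each pair by the same two calls (the context.xml copy and the auth.properties substitution), which is exactly how two copies start to drift. Hoisting the shared sequence into a private helper of PkiScriptlet that both call sites invoke would make the next file addition a one-place change; the enclosing methods start and end outside these hunks, so the helper's exact signature is not visible from here.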
@@ -109,6 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_target_server_xml'],
 overwrite_flag=True)
 util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
 master['pki_source_tomcat_conf'],
 master['pki_target_tomcat_conf_instance_id'],
 uid=0, gid=0, overwrite_flag=True)
@@ -121,6 +131,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_target_index_jsp'],
 overwrite_flag=True)
 util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
 master['pki_target_velocity_properties'])
 util.file.apply_slot_substitution(
 master['pki_target_subsystem_web_xml'])
diff --git a/base/setup/pki b/base/setup/pki
index a2d5a69d6..90c863f35 100755
--- a/base/setup/pki
+++ b/base/setup/pki
@@ -75,6 +75,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:"
 . "/usr/share/java/${PRODUCT}/pki-cms.jar:"
 . "/usr/share/java/${PRODUCT}/pki-nsutil.jar:"
 . "/usr/share/java/apache-commons-cli.jar:"
+ . "/usr/share/java/apache-commons-codec.jar:"
 . "/usr/share/java/apache-commons-lang.jar:"
 . "/usr/share/java/apache-commons-logging.jar:"
 . "/usr/share/java/commons-httpclient.jar:"
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index 6abb73755..cc4ee703f 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2560,7 +2560,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
 $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT} = "";
 # Set appropriate "clientAuth" parameter for "Shared Ports"
- $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent";
+ $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "want";
 # Comment out the "Admin/EE" Ports
 $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT; |