Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 4 |
2 files changed, 4 insertions, 14 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index f31bdc6d..69921a33 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca" AGENT_SECURE_PORT=9443 EE_SECURE_PORT=9444 ADMIN_SECURE_PORT=9445 +EE_CLIENT_AUTH_PORT=9446 UNSECURE_PORT=9180 TOMCAT_SERVER_PORT=9701 @@ -482,6 +483,7 @@ class CAInstance(service.Service): '-agent_secure_port', str(AGENT_SECURE_PORT), '-ee_secure_port', str(EE_SECURE_PORT), '-admin_secure_port', str(ADMIN_SECURE_PORT), + '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT), '-unsecure_port', str(UNSECURE_PORT), '-tomcat_server_port', str(TOMCAT_SERVER_PORT), '-redirect', 'conf=/etc/pki-ca', @@ -518,18 +520,6 @@ class CAInstance(service.Service): pent = pwd.getpwnam(self.pki_user) os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid ) - # Update the servlet mapping to so we use the agent interface rather - # than the end-user interface. The agent interface always requires - # client auth which lets us work work around the NSS change which - # disallows renegotation (CVE-2009-3555) - # - # The spaces here, while ugly, are required because update_file() - # escapes the incoming string. - installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME, - ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>', - ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>' -) - logging.debug("restarting ca instance") try: self.restart() diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 4b8a57e9..05c9213b 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py 
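Review bot: The new `EE_CLIENT_AUTH_PORT=9446` constant in the first cainstance.py hunk, and the `'-ee_secure_client_auth_port'` argument in the second, carry no comment, while the third hunk deletes the only text explaining why client authentication matters here (NSS disallowing renegotiation, CVE-2009-3555). I would keep that rationale next to the constant, for example `# EE port that requires SSL client auth at connect time; avoids TLS renegotiation (CVE-2009-3555)`, hedged as needed since the port's exact semantics are defined by the CA tooling and not by this file. A CA tool build that predates the `-ee_secure_client_auth_port` option would presumably reject the argument list, so the minimum required pki version is worth checking alongside this change. The argument list and the enclosing method start and end outside the hunk.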
@@ -570,7 +570,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \ @@ -657,7 +657,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise RuntimeError("Unable to submit cert request") |
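Review bot: Nothing in this diff ties `api.env.ca_ee_port` to the new client-auth port (`EE_CLIENT_AUTH_PORT`, 9446), yet both `dogtag.https_request` calls (the hunk at -570 and the one at -657) now depend on it to present the `ipaCert` client certificate. If it resolves to the plain EE port (9444), the certificate could only be requested through renegotiation, which the comment removed from cainstance.py says NSS no longer allows. Its default is set outside this diff and should be confirmed. Servers installed before this commit presumably still have web.xml rewritten to `/agent/ca/profileSubmitSSLClient`, so `/ca/ee/ca/profileSubmitSSLClient` may not be mapped there and an upgrade step may be needed. Both hunks sit inside CertDB methods whose bodies start and end outside the hunk.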