author | Stanislav Laznicka <slaznick@redhat.com> | 2017-01-09 08:45:33 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-02-15 17:54:36 +0100 |
commit | 0b9b6b52d7f2e64a52ef8fd570839711311fa254 (patch) | |
tree | 0061d7761947cd784ed7219c279cb1eb3411dddd | |
parent | ff6e701b0077d9c8e2aacdcaecf70f885018db92 (diff) | |
Add FIPS-token password of HTTPD NSS database
This change is required for httpd to function properly in FIPS mode.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-rw-r--r-- | ipaserver/install/httpinstance.py | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7317fbacc..6383e27e3 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -329,14 +329,19 @@ class HTTPInstance(service.Service):
 This is the format of mod_nss pin files.
 """
 pwd_conf = paths.HTTPD_PASSWORD_CONF
- ipautil.backup_file(pwd_conf)
- f = open(pwd_conf, "w")
- f.write("internal:")
- pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
- f.write(pwdfile.read())
- f.close()
- pwdfile.close()
+
+ passwd_fname = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+ with open(passwd_fname, 'r') as pwdfile:
+ password = pwdfile.read()
+
+ with open(pwd_conf, "w") as f:
+ f.write("internal:")
+ f.write(password)
+ f.write("\nNSS FIPS 140-2 Certificate DB:")
+ f.write(password)
+ # make sure other processes can access the file contents ASAP
+ f.flush()
 pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400) |
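Review bot: The NSS database password is written to `pwd_conf` before the file's ownership and mode are restricted: `open(pwd_conf, "w")` creates the file with umask-derived permissions, and `os.chown`/`os.chmod(pwd_conf, 0o400)` only run after the `with` block has closed it, so a newly created file may be readable by other local users for a short window. Creating it with a restrictive mode closes that window, e.g. `fd = os.open(pwd_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as f:`; if the file can already exist with wider permissions, an `os.fchmod(fd, 0o600)` before the first write is needed as well. The `f.flush()` and its comment are redundant, since leaving the `with` block closes the file. The password is also written exactly as read, so whether the `internal:` and `NSS FIPS 140-2 Certificate DB:` entries end up on well-formed lines depends on whether `pwdfile.txt` ends with a newline, which this hunk does not show. The enclosing method starts above the hunk.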