From 0b9b6b52d7f2e64a52ef8fd570839711311fa254 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipaserver/install/httpinstance.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7317fbacc..6383e27e3 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -329,14 +329,19 @@ class HTTPInstance(service.Service):
         This is the format of mod_nss pin files.
         """
         pwd_conf = paths.HTTPD_PASSWORD_CONF
-
         ipautil.backup_file(pwd_conf)
-        f = open(pwd_conf, "w")
-        f.write("internal:")
-        pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
-        f.write(pwdfile.read())
-        f.close()
-        pwdfile.close()
+
+        passwd_fname = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+        with open(passwd_fname, 'r') as pwdfile:
+            password = pwdfile.read()
+
+        with open(pwd_conf, "w") as f:
+            f.write("internal:")
+            f.write(password)
+            f.write("\nNSS FIPS 140-2 Certificate DB:")
+            f.write(password)
+            # make sure other processes can access the file contents ASAP
+            f.flush()
         pent = pwd.getpwnam(constants.HTTPD_USER)
         os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
         os.chmod(pwd_conf, 0o400)
-- 
cgit