authorRob Crittenden <rcritten@redhat.com>2007-10-19 10:14:30 -0400
committerRob Crittenden <rcritten@redhat.com>2007-10-19 10:14:30 -0400
commitba0adcffb1a12b1aedc982c801268f5d9556c835 (patch)
tree39483d503eab5d3d43affcba206db84e3d1b1f06
parent086193af0a375908b619116ca80de6dc4410d1a2 (diff)
Require SSL for the XML-RPC interface
-rw-r--r--ipa-python/krbtransport.py2
-rw-r--r--ipa-python/rpcclient.py2
-rw-r--r--ipa-server/ipa-install/ipa-server-setupssl44
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf7
4 files changed, 53 insertions, 2 deletions
diff --git a/ipa-python/krbtransport.py b/ipa-python/krbtransport.py
index ff2671d0e..95d3bc64f 100644
--- a/ipa-python/krbtransport.py
+++ b/ipa-python/krbtransport.py
@@ -24,7 +24,7 @@ import xmlrpclib
import kerberos
from kerberos import GSSError
-class KerbTransport(xmlrpclib.Transport):
+class KerbTransport(xmlrpclib.SafeTransport):
"""Handles Kerberos Negotiation authentication to an XML-RPC server."""
def get_host_info(self, host):
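Review bot: Switching the `class KerbTransport` base to `xmlrpclib.SafeTransport` encrypts the channel, but the xmlrpclib/httplib of this era does not, as far as I can tell, validate the server certificate chain or hostname, so TLS here gives confidentiality without peer authentication; that limit is worth stating in the docstring, e.g. `"""Handles Kerberos Negotiation authentication to an XML-RPC server over HTTPS. NOTE: this transport does not validate the server certificate."""`. Since `get_host_info` is overridden just below (its body continues outside the hunk), also confirm that the tuple it returns still suits `SafeTransport.make_connection`, which presumably unpacks a third `x509` element and passes it as client-certificate keyword arguments to the HTTPS connection.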
diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py
index c18405ad3..df3d01386 100644
--- a/ipa-python/rpcclient.py
+++ b/ipa-python/rpcclient.py
@@ -40,7 +40,7 @@ class RPCClient:
def server_url(self):
"""Build the XML-RPC server URL from our configuration"""
- return "http://" + config.config.get_server() + "/ipa"
+ return "https://" + config.config.get_server() + "/ipa"
def setup_server(self):
"""Create our XML-RPC server connection using kerberos
diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl
index 37e10583e..1774f214d 100644
--- a/ipa-server/ipa-install/ipa-server-setupssl
+++ b/ipa-server/ipa-install/ipa-server-setupssl
@@ -133,6 +133,50 @@ if [ -n "$prefix" ] ; then
mv $secdir/${prefix}key3.db $secdir/key3.db
fi
+modnssdir=/etc/httpd/alias
+
+# Setup SSL in Apache
+if [ -e $modnssdir ]; then
+ mkdir ${modnssdir}.ipa
+ mv $modnssdir/cert8.db ${modnssdir}.ipa
+ mv $modnssdir/key3.db ${modnssdir}.ipa
+fi
+
+# Create a new database for mod_nss
+echo -e "\n" > $modnssdir/pw.txt
+certutil -N -d $modnssdir -f $modnssdir/pw.txt
+
+# Add the CA we created
+certutil -A -d $modnssdir -n "CA certificate" -t "CT,CT," -a -i $secdir/cacert.asc
+
+# Request a new server cert
+certutil -R -d $modnssdir \
+ -s "cn=$myhost,ou=Apache Web Server" \
+ -o $modnssdir/tmpcertreq \
+ -g 1024 \
+ -z $secdir/noise.txt \
+ -f $modnssdir/pw.txt
+
+# Have the FDS CA issue the cert
+echo -e "2\n9\nn\n1\n9\nn\n" | \
+certutil -C -d $secdir \
+ -c "CA certificate" \
+ -i $modnssdir/tmpcertreq \
+ -o $modnssdir/tmpcert.der \
+ -m 1002 \
+ -v 120 \
+ -f $secdir/pwdfile.txt \
+ -1 \
+ -5
+
+# Now add this cert to the Apache database
+certutil -A -d $modnssdir -n "Server-Cert"\
+ -t u,u,u \
+ -i $modnssdir/tmpcert.der \
+ -f $modnsdir/tmpcert.der
+
+rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssder/tmpcert.der
+
# enable SSL in the directory server
ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
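Review bot: The `certutil -A` call that imports the issued server certificate passes `-f $modnsdir/tmpcert.der` — a misspelled variable and the certificate file where the password file is expected — so it should read `-f $modnssdir/pw.txt`; the cleanup line likewise misspells `$modnssder/tmpcert.der`, leaving the temporary certificate behind, and should be `rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssdir/tmpcert.der`. The block is also not robust when `$modnssdir` does not exist: the `if [ -e $modnssdir ]` branch only backs up an existing database, and nothing creates the directory before `echo ... > $modnssdir/pw.txt` and `certutil -N` write into it, so a `mkdir -p $modnssdir` after the `fi` seems needed (the `mkdir ${modnssdir}.ipa` inside the branch also fails on a rerun without `-p`). Because `pw.txt` holds an empty password, the resulting key3.db protects the Apache private key by filesystem permissions alone, and the script sets none; an ownership/mode step for the mod_nss database files (values per the httpd setup, to be confirmed) belongs here, and the `-g 1024` key size is already at the margin and cheap to raise.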
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index 359fe2233..2f9c82e06 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -2,6 +2,13 @@
ProxyRequests Off
+# Make all requests use SSL except for Kerberos authentication errors
+RewriteEngine on
+
+RewriteCond %{SERVER_PORT} !^443$$
+RewriteCond %{REQUEST_URI} !^/(errors)/
+RewriteRule ^/(.*) https://%{SERVER_NAME}/$$1 [L,R,NC]
+
<Proxy *>
AuthType Kerberos
AuthName "Kerberos Login"
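Review bot: The `RewriteCond %{SERVER_PORT} !^443$$` test equates "not SSL" with "not port 443", so an SSL listener on any other port would be redirected in a loop and a plain listener on 443 would be missed; `RewriteCond %{HTTPS} off` expresses the intent directly. The redirect is a plain 302 (`[L,R,NC]` with no status), so a client that starts on http:// still sends its first request in the clear before being redirected; the XML-RPC client now builds https URLs itself, so this mainly affects browsers, which the comment above the rule could say. The doubled `$$` reads as a template escape that is presumably collapsed to `$` when the file is generated — confirm how `$$1` ends up in the installed file, since the rule needs the `$1` backreference. The `<Proxy *>` section opened at the end of the hunk continues outside it.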