authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
commit9c2b222571f70cce8b5c1c6c469e3266535b2fc1 (patch)
tree1554e8dbb02724a9f3b525276a7475f34c1f60c9 /pki/base/ra
parentf1afa835f94b7d5a60396aba77ee11cca93aef88 (diff)
Bugzilla Bug #485859 - port separation for RA and TPS.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@243 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ra')
-rw-r--r--pki/base/ra/apache/conf/nss.conf100
-rw-r--r--pki/base/ra/doc/CS.cfg1
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DonePanel.pm4
-rwxr-xr-xpki/base/ra/setup/postinstall3
4 files changed, 101 insertions, 7 deletions
diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf
index 02c50509..42085a60 100644
--- a/pki/base/ra/apache/conf/nss.conf
+++ b/pki/base/ra/apache/conf/nss.conf
@@ -17,6 +17,8 @@
#
Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
##
## SSL Global Context
##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
# General setup for the virtual host
#DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
#ServerAdmin you@example.com
# mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
-NSSVerifyClient none
+NSSVerifyClient require
# Access Control:
# With SSLRequire you can do per-directory access control based
@@ -150,3 +152,97 @@ NSSVerifyClient none
</VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
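Review bot: The new `<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>` block sets `NSSVerifyClient none` and, as far as this hunk shows, carries the same unset DocumentRoot, `<Files>` and `<Directory "/cgi-bin">` blocks as the client-auth host, so presumably every handler reachable on [SECURE_PORT] is also reachable on the new port without a client certificate; a comment above that VirtualHost line such as `# No client certificate is requested on this port; handlers served here must authenticate requests themselves.` would record that intent. The same block enables `NSSProtocol SSLv3,TLSv1` and keeps `+rsa_des_sha` and `+rsa_rc4_128_md5` in NSSCipherSuite; since this is the port exposed to unauthenticated clients it is the natural place to drop SSLv3 and the single-DES/RC4 suites. Separately, `#ServerName [Server_Name]:[Secure_Port]` in the second hunk (and `[Non_Clientauth_Secure_Port]` in the new host) now uses mixed-case placeholders unlike every other `[...]` token in the file; if that is meant to keep the substitution step from touching a commented-out line, a note saying so would help the next reader.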
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
index 3602addc..831f91a0 100644
--- a/pki/base/ra/doc/CS.cfg
+++ b/pki/base/ra/doc/CS.cfg
@@ -104,6 +104,7 @@ cs.type=RA
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
service.instanceID=[INSTANCE_ID]
logging._000=#########################################
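Review bot: `service.non_clientauth_securePort` mixes snake_case with the camelCase of the neighbouring `service.securePort` and `service.unsecurePort`; if nothing reads the key yet, `service.nonClientAuthSecurePort` would match the existing naming. Whichever spelling is kept, a one-line comment beside it noting that this is the port served without `NSSVerifyClient require` would make the relationship to nss.conf visible from CS.cfg alone.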
diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
index b44f9db8..4bd04cf7 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -304,15 +304,11 @@ sub display
system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
- if (/NSSVerifyClient none/) {
- print TMP_NSS_CONF "NSSVerifyClient optional\n";
- } else {
if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
} else {
print TMP_NSS_CONF $_;
}
- }
}
close(NSS_CONF);
close(TMP_NSS_CONF);
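Review bot: With the `NSSVerifyClient none` → `optional` rewrite removed, the loop now copies every `NSSVerifyClient` line verbatim, so the split between `require` on the client-auth port and `none` on the new port lives entirely in the nss.conf template; a short comment on the loop, e.g. `# NSSVerifyClient is no longer rewritten here: each VirtualHost in the template carries its own value.`, would stop a future maintainer from re-adding the substitution. The surviving `open(NSS_CONF, "<$instDir/conf/nss.conf");` just above the loop is a two-argument open with no error check, so a failed open makes the `while` fall through and leaves nss.conf.tmp empty; `open(NSS_CONF, '<', "$instDir/conf/nss.conf") or die "open $instDir/conf/nss.conf: $!";` would surface that. The enclosing `display` continues on both sides of the hunk.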
diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall
index 0d1462f2..517c6e44 100755
--- a/pki/base/ra/setup/postinstall
+++ b/pki/base/ra/setup/postinstall
@@ -44,6 +44,7 @@ fi
PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
SECURE_PORT=12889
+NON_CLIENTAUTH_SECURE_PORT=12890
UNSECURE_PORT=12888
@@ -53,7 +54,7 @@ UNSECURE_PORT=12888
if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
fi
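Review bot: `-non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT}` is passed to `/usr/bin/pkicreate`, but pkicreate is outside this diffstat (limited to 'pki/base/ra'), so it is worth confirming that the option is accepted by the pkicreate this postinstall ships with; an unrecognised option would make the guarded create fail on every fresh install. A comment beside `NON_CLIENTAUTH_SECURE_PORT=12890` saying what the port is for (the RA VirtualHost that does not request a client certificate) would also help, since the three port variables in the first hunk are otherwise undocumented.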