authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-03-29 03:53:19 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-03-29 03:53:19 +0000
commit6c20ba0ca3f1eba1ebe9483f21143f37b54e3197 (patch)
tree7d667ce6c2c9630872773455312b7e49b13f1635 /pki/base
parentea9e8b305e9a50f45d79738389aca4df6bf52aaf (diff)
Bugzilla Bug #492503 - Integrate "mod_revocator" as a runtime dependency for
RA and TPS Bugzilla Bug #492180 - Security officer: token recovery for a security officer throws error 28 'connection to server lost'. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@348 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ra/apache/conf/httpd.conf2
-rw-r--r--pki/base/ra/apache/conf/revocator.conf19
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DonePanel.pm6
-rwxr-xr-xpki/base/setup/pkicreate47
-rw-r--r--pki/base/tps/Makefile.am11
-rw-r--r--pki/base/tps/Makefile.in11
-rw-r--r--pki/base/tps/apache/conf/httpd.conf2
-rw-r--r--pki/base/tps/apache/conf/revocator.conf19
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm6
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm6
10 files changed, 119 insertions, 10 deletions
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf
index b3e36d27..e3b244b5 100644
--- a/pki/base/ra/apache/conf/httpd.conf
+++ b/pki/base/ra/apache/conf/httpd.conf
@@ -254,6 +254,8 @@ LoadModule negotiation_module [FORTITUDE_LIB_DIR]/modules/mod_negotiation.so
LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so
# Required module for commands in nss.conf:
[FORTITUDE_NSS_MODULES]
+# Required module for commands in revocator.conf:
+[FORTITUDE_REVOCATOR_MODULES]
<Location /nk_service>
SetHandler nk_service
diff --git a/pki/base/ra/apache/conf/revocator.conf b/pki/base/ra/apache/conf/revocator.conf
new file mode 100644
index 00000000..dda30132
--- /dev/null
+++ b/pki/base/ra/apache/conf/revocator.conf
@@ -0,0 +1,19 @@
+# CRL Engine Switch:
+# Enable/Disable CRL retrieval
+
+CRLEngine on
+
+# CRL Age Check Switch:
+# Shut the server down if a CRL expires
+CRLAgeCheck off
+
+# CRL Update Critical Switch:
+# Shut the server down if a CRL cannot be retrieved
+CRLUpdateCritical off
+
+# CRL URLs:
+# A space delimited list of URLs to retrieve and install.
+# protocol://urldata;update_interval;max_age
+#CRLFile "ldap://ldap.example.com:5000/o=example.net?usercertificate%3binary?sub?(sn=Jensen)??;30;30"
+#CRLFile "exec:///usr/sbin/ldapget|ldap://ldap.example.com:3389/o=example.com?userCertificate%3bbinary?sub?(uid=crl)??;30;30"
+#CRLFile "https://ca.example.com:1025/getCRL?op=getCRL&issuepoint=MasterCRL;30;30"
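Review bot: The shipped defaults `CRLAgeCheck off` and `CRLUpdateCritical off` mean an expired CRL or a failed retrieval does not stop the server, so it keeps answering with whatever revocation data was last installed, and the file never says so. I would add above the two switches `# NOTE: with both switches off, a stale or unretrievable CRL does not stop the server, so revocation decisions may rest on old data; consider "on" for hardened instances`. The same file is added verbatim for TPS at pki/base/tps/apache/conf/revocator.conf and deserves the same comment. Judging from the diffstat, this commit lists revocator.conf in pki/base/tps/Makefile.am but in no RA build file; if the RA conf files are installed from a similar list, pkicreate's new process_file_template call on the RA subsystem copy would find nothing to process on an installed tree — worth confirming.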
diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
index 727181df..eda7745c 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -327,6 +327,12 @@ sub display
system( "rm $instDir/conf/nss.conf.tmp" );
}
+ # Append security domain getCRL URL to end of "revocator.conf"
+ open(REVOCATOR_CONF, ">>$instDir/conf/revocator.conf");
+ print REVOCATOR_CONF "CRLFile \"" . $sdom
+ . "/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;60;60\"\n";
+ close(REVOCATOR_CONF);
+
&PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");
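Review bot: The `open(REVOCATOR_CONF, ">>$instDir/conf/revocator.conf")` on the first added line is a two-argument open on a bareword handle whose result is never checked, and the `close` is unchecked as well, so an unwritable conf file means the CRLFile entry for the security-domain CA is silently never installed and the instance runs without that CRL. Use the three-argument form with a lexical handle and check both ends: `open my $rev_fh, '>>', "$instDir/conf/revocator.conf" or die "open $instDir/conf/revocator.conf: $!";` for the open and `close $rev_fh or die "close revocator.conf: $!";` for the close (buffered write errors surface only at close). `$sdom` is also interpolated unescaped inside a double-quoted directive, so a value containing `"` or whitespace would corrupt the line; where `$sdom` is obtained and validated lies outside this hunk, as does the start of `display`. The identical block is added to pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm and needs the same fix.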
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 3564bbca..cb5c7c18 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -262,6 +262,7 @@ my $noise_base_name = "noise"; # CA, KRA, OCSP, TKS,
# RA, TPS
my $nss_conf_base_name = "nss.conf"; # RA, TPS
my $perl_conf_base_name = "perl.conf"; # RA, TPS
+my $revocator_conf_base_name = "revocator.conf"; # RA, TPS
my $osutil_jar_base_name = "osutil.jar"; # CA, KRA, OCSP, TKS
my $password_conf_base_name = "password.conf"; # CA, KRA, OCSP, TKS,
# RA, TPS
@@ -313,6 +314,7 @@ my $NSS_CONF = "NSS_CONF";
my $OBJ_EXT = "OBJ_EXT";
my $PORT = "PORT";
my $PROCESS_ID = "PROCESS_ID";
+my $REVOCATOR_CONF = "REVOCATOR_CONF";
my $SECURE_PORT = "SECURE_PORT";
my $NON_CLIENTAUTH_SECURE_PORT = "NON_CLIENTAUTH_SECURE_PORT";
my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES";
@@ -330,6 +332,7 @@ my $FORTITUDE_MODULE = "FORTITUDE_MODULE";
my $FORTITUDE_LIB_DIR = "FORTITUDE_LIB_DIR";
my $FORTITUDE_AUTH_MODULES = "FORTITUDE_AUTH_MODULES";
my $FORTITUDE_NSS_MODULES = "FORTITUDE_NSS_MODULES";
+my $FORTITUDE_REVOCATOR_MODULES = "FORTITUDE_REVOCATOR_MODULES";
# Template slot constants (CA, KRA, OCSP, TKS)
my $INSTALL_TIME = "INSTALL_TIME";
@@ -523,6 +526,8 @@ my $nss_conf_instance_file_path = ""; # RA, TPS
my $nss_conf_subsystem_file_path = ""; # RA, TPS
my $perl_conf_instance_file_path = ""; # RA, TPS
my $perl_conf_subsystem_file_path = ""; # RA, TPS
+my $revocator_conf_instance_file_path = ""; # RA, TPS
+my $revocator_conf_subsystem_file_path = ""; # RA, TPS
my $osutil_jar_file_path = ""; # CA, KRA, OCSP, TKS
my $osutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
my $password_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS,
@@ -1566,6 +1571,9 @@ sub initialize_subdirectory_paths()
. "/" . $nss_conf_base_name;
$perl_conf_subsystem_file_path = $conf_subsystem_path
. "/" . $perl_conf_base_name;
+ $revocator_conf_subsystem_file_path = $conf_subsystem_path
+ . "/"
+ . $revocator_conf_base_name;
$perl_instance_symlink_path = $lib_instance_path
. "/"
. $perl_base_instance_symlink;
@@ -1723,6 +1731,9 @@ sub process_pki_directories()
. "/" . $perl_conf_base_name;
$pwcache_conf_instance_file_path = $conf_instance_path
. "/" . $pwcache_conf_base_name;
+ $revocator_conf_instance_file_path = "$conf_instance_path"
+ . "/"
+ . $revocator_conf_base_name;
# create instance directory
$result = create_directory( $conf_instance_path );
@@ -1793,6 +1804,9 @@ sub process_pki_directories()
. "/" . $perl_conf_base_name;
$pwcache_conf_instance_file_path = $redirected_conf_path
. "/" . $pwcache_conf_base_name;
+ $revocator_conf_instance_file_path = "$redirected_conf_path"
+ . "/"
+ . $revocator_conf_base_name;
# create redirected instance directory
$result = create_directory( $redirected_conf_path );
@@ -2201,6 +2215,7 @@ sub process_pki_templates()
$slot_hash{$PROCESS_ID} = $$;
$slot_hash{$SECURE_PORT} = $secure_port;
$slot_hash{$NON_CLIENTAUTH_SECURE_PORT} = $non_clientauth_secure_port;
+ $slot_hash{$REVOCATOR_CONF} = $revocator_conf_instance_file_path;
$slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries;
$slot_hash{$SERVER_NAME} = $host;
$slot_hash{$SERVER_ROOT} = $pki_instance_path;
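Review bot: `$slot_hash{$REVOCATOR_CONF}` is populated here, but no template touched by this commit contains a `[REVOCATOR_CONF]` slot — the two httpd.conf hunks only add `[FORTITUDE_REVOCATOR_MODULES]`. Unless an `Include [REVOCATOR_CONF]` already exists in a part of httpd.conf not shown, the generated revocator.conf is written and chowned but never read by the server, and the CRL checks it configures are silently absent; this should be verified against the full template before merging. process_pki_templates begins outside this hunk.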
@@ -2229,6 +2244,10 @@ LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
"
LoadModule nss_module /etc/httpd/modules/libmodnss.so
";
+ $slot_hash{$FORTITUDE_REVOCATOR_MODULES} =
+"
+LoadModule rev_module /etc/httpd/modules/mod_rev.so
+";
}
else {
$slot_hash{$FORTITUDE_APACHE} = "Apache";
@@ -2244,6 +2263,10 @@ LoadModule access_module /opt/fortitude/modules/mod_access.so
"
LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
";
+ $slot_hash{$FORTITUDE_REVOCATOR_MODULES} =
+"
+LoadModule nss_module /opt/fortitude/modules.local/mod_rev.so
+";
}
} else {
# Setup templates (CA, KRA, OCSP, TKS)
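Review bot: In the Fortitude branch the added `LoadModule nss_module /opt/fortitude/modules.local/mod_rev.so` registers mod_rev.so under the `nss_module` identifier, which the FORTITUDE_NSS_MODULES assignment three lines above already gives to libmodnss.so, and it disagrees with the `rev_module` name used for the /etc/httpd branch in the previous hunk; this looks like a copy-paste slip that would make Apache reject the configuration or load the wrong module. Change it to `LoadModule rev_module /opt/fortitude/modules.local/mod_rev.so`. The enclosing process_pki_templates sub starts and ends outside this hunk.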
@@ -2553,6 +2576,30 @@ my $PKI_SECURE_PORT_NAME = "Secure";
chmod( $default_file_permissions,
$perl_conf_instance_file_path );
+
+ # process "revocator.conf" template
+ $result = process_file_template( $revocator_conf_subsystem_file_path,
+ $revocator_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ # fix ownership for revocator.conf
+ $result = give_file_to( $revocator_conf_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of "
+ . "$revocator_conf_instance_file_path.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $revocator_conf_instance_file_path );
+
+
# process "nss_pcache" template
$result = process_file_template( $nss_pcache_subsystem_file_path,
$nss_pcache_instance_file_path,
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index 629058da..523e2caa 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -153,11 +153,12 @@ cgibin_sow_SCRIPTS = $(srcdir)/forms/esc/cgi-bin/sow/ajax-list.cgi \
$(srcdir)/forms/esc/cgi-bin/sow/seturl.cgi \
$(srcdir)/forms/esc/cgi-bin/sow/welcome.cgi
-conf_DATA = $(srcdir)/apache/conf/httpd.conf \
- $(srcdir)/apache/conf/magic \
- $(srcdir)/apache/conf/mime.types \
- $(srcdir)/apache/conf/nss.conf \
- $(srcdir)/apache/conf/perl.conf \
+conf_DATA = $(srcdir)/apache/conf/httpd.conf \
+ $(srcdir)/apache/conf/magic \
+ $(srcdir)/apache/conf/mime.types \
+ $(srcdir)/apache/conf/nss.conf \
+ $(srcdir)/apache/conf/perl.conf \
+ $(srcdir)/apache/conf/revocator.conf \
$(srcdir)/doc/CS.cfg
docroot_DATA = $(srcdir)/forms/index.html
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index 0c7b22a1..c020a377 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -643,11 +643,12 @@ cgibin_sow_SCRIPTS = $(srcdir)/forms/esc/cgi-bin/sow/ajax-list.cgi \
$(srcdir)/forms/esc/cgi-bin/sow/seturl.cgi \
$(srcdir)/forms/esc/cgi-bin/sow/welcome.cgi
-conf_DATA = $(srcdir)/apache/conf/httpd.conf \
- $(srcdir)/apache/conf/magic \
- $(srcdir)/apache/conf/mime.types \
- $(srcdir)/apache/conf/nss.conf \
- $(srcdir)/apache/conf/perl.conf \
+conf_DATA = $(srcdir)/apache/conf/httpd.conf \
+ $(srcdir)/apache/conf/magic \
+ $(srcdir)/apache/conf/mime.types \
+ $(srcdir)/apache/conf/nss.conf \
+ $(srcdir)/apache/conf/perl.conf \
+ $(srcdir)/apache/conf/revocator.conf \
$(srcdir)/doc/CS.cfg
docroot_DATA = $(srcdir)/forms/index.html
diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf
index d3ec8e05..d1a4d486 100644
--- a/pki/base/tps/apache/conf/httpd.conf
+++ b/pki/base/tps/apache/conf/httpd.conf
@@ -254,6 +254,8 @@ LoadModule negotiation_module [FORTITUDE_LIB_DIR]/modules/mod_negotiation.so
LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so
# Required module for commands in nss.conf:
[FORTITUDE_NSS_MODULES]
+# Required module for commands in revocator.conf:
+[FORTITUDE_REVOCATOR_MODULES]
# Required module for command 'TPSConfigPathFile':
LoadModule tps_module [FORTITUDE_MODULE]/mod_tps.so
# Required module for command 'TokendbConfigPathFile':
diff --git a/pki/base/tps/apache/conf/revocator.conf b/pki/base/tps/apache/conf/revocator.conf
new file mode 100644
index 00000000..dda30132
--- /dev/null
+++ b/pki/base/tps/apache/conf/revocator.conf
@@ -0,0 +1,19 @@
+# CRL Engine Switch:
+# Enable/Disable CRL retrieval
+
+CRLEngine on
+
+# CRL Age Check Switch:
+# Shut the server down if a CRL expires
+CRLAgeCheck off
+
+# CRL Update Critical Switch:
+# Shut the server down if a CRL cannot be retrieved
+CRLUpdateCritical off
+
+# CRL URLs:
+# A space delimited list of URLs to retrieve and install.
+# protocol://urldata;update_interval;max_age
+#CRLFile "ldap://ldap.example.com:5000/o=example.net?usercertificate%3binary?sub?(sn=Jensen)??;30;30"
+#CRLFile "exec:///usr/sbin/ldapget|ldap://ldap.example.com:3389/o=example.com?userCertificate%3bbinary?sub?(uid=crl)??;30;30"
+#CRLFile "https://ca.example.com:1025/getCRL?op=getCRL&issuepoint=MasterCRL;30;30"
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
index d9876073..2533a12d 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
@@ -101,6 +101,8 @@ sub update
$::config->put("conn.tks1.serverKeygen", "true");
$::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
$::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
+ $::config->put("op.enroll.soKey.keyGen.encryption.serverKeygen.enable", "true");
+ $::config->put("op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
} else {
# no keygen
$::config->put("conn.tks1.serverKeygen", "false");
@@ -110,6 +112,10 @@ sub update
$::config->put("op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme", "GenerateNewKey");
$::config->put("conn.drm1.clientNickname", "");
$::config->put("conn.drm1.hostport", "");
+ $::config->put("op.enroll.soKey.keyGen.encryption.serverKeygen.enable", "false");
+ $::config->put("op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable", "false");
+ $::config->put("op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme", "GenerateNewKey");
+ $::config->put("op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme", "GenerateNewKey");
}
$::config->commit();
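Review bot: The added soKey lines repeat, key for key, the userKey/userKeyTemporary `put` calls above them in both branches of the if/else, with only the profile prefix differing; this commit appears to be filling in exactly the kind of omission that such duplication invites. A loop over the profile names would keep the four profiles in lockstep, e.g. `for my $profile (qw(userKey userKeyTemporary soKey soKeyTemporary)) { $::config->put("op.enroll.$profile.keyGen.encryption.serverKeygen.enable", "false"); }` for the serverKeygen switch, with the recovery-scheme keys handled the same way. The first hunk of this file has the same shape for the "true" case. The update sub begins before the first hunk and continues past this one.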
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index d76ba775..a172a51e 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -340,6 +340,12 @@ sub display
system( "rm $instDir/conf/nss.conf.tmp" );
}
+ # Append security domain getCRL URL to end of "revocator.conf"
+ open(REVOCATOR_CONF, ">>$instDir/conf/revocator.conf");
+ print REVOCATOR_CONF "CRLFile \"" . $sdom
+ . "/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;60;60\"\n";
+ close(REVOCATOR_CONF);
+
&PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");