authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
commit9c2b222571f70cce8b5c1c6c469e3266535b2fc1 (patch)
tree1554e8dbb02724a9f3b525276a7475f34c1f60c9 /pki/base
parentf1afa835f94b7d5a60396aba77ee11cca93aef88 (diff)
Bugzilla Bug #485859 - port separation for RA and TPS.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@243 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ra/apache/conf/nss.conf100
-rw-r--r--pki/base/ra/doc/CS.cfg1
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DonePanel.pm4
-rwxr-xr-xpki/base/ra/setup/postinstall3
-rwxr-xr-xpki/base/setup/pkicreate344
-rwxr-xr-xpki/base/setup/pkiremove10
-rw-r--r--pki/base/tps/apache/conf/nss.conf100
-rw-r--r--pki/base/tps/doc/CS.cfg1
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm4
-rwxr-xr-xpki/base/tps/setup/postinstall3
10 files changed, 438 insertions, 132 deletions
diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf
index 02c50509..42085a60 100644
--- a/pki/base/ra/apache/conf/nss.conf
+++ b/pki/base/ra/apache/conf/nss.conf
@@ -17,6 +17,8 @@
#
Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
##
## SSL Global Context
##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
# General setup for the virtual host
#DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
#ServerAdmin you@example.com
# mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
-NSSVerifyClient none
+NSSVerifyClient require
# Access Control:
# With SSLRequire you can do per-directory access control based
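Review bot: `NSSVerifyClient require` on the clientauth VirtualHost is stricter than the `optional` that PKI::RA::DonePanel used to write into this line at configuration time, and that rewrite is removed in the same commit, so after this change the RA's [SECURE_PORT] rejects every connection that presents no client certificate instead of leaving the decision to the application. If any RA page previously depended on optional client auth on this port, it now has to be reached through the new [NON_CLIENTAUTH_SECURE_PORT] vhost; a comment on this line recording that split would save the next reader a trip through DonePanel.pm, e.g. `# Clientauth port: every connection must present a certificate; anonymous access is served by the [NON_CLIENTAUTH_SECURE_PORT] VirtualHost below.` The same template change is made in the TPS nss.conf hunk further down, where DonePanel already wrote `require`, so only the RA behaviour actually changes.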
@@ -150,3 +152,97 @@ NSSVerifyClient none
</VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
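Review bot: The new non-clientauth VirtualHost enables `NSSProtocol SSLv3,TLSv1` and a cipher list that switches on `+rsa_des_sha` (56-bit DES) and `+rsa_rc4_128_md5`, and this is the vhost that by design accepts connections from unauthenticated clients, so it deserves the tightest configuration rather than a copied one; `NSSProtocol TLSv1` and flipping those two entries to `-` would leave the 3DES and AES suites that are already enabled. Both vhosts also write to the same `[SERVER_ROOT]/logs/error_log` and `access_log` (assuming the clientauth vhost above, outside the hunk, uses the same paths), so a log entry no longer shows whether a request arrived on the authenticated or the anonymous port; a separate `TransferLog [SERVER_ROOT]/logs/access_log_nonclientauth`, or a CustomLog format carrying Apache's `%p` (canonical server port) field, would restore that distinction for incident review. The TPS copy of this vhost (the last hunk of pki/base/tps/apache/conf/nss.conf) has the same protocol and cipher settings and gets the same note; it differs only in the `<Files>` block, where the TPS copy lacks the `+ExportCertData` this one sets, and it is not evident from the diff whether that difference is intended.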
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
index 3602addc..831f91a0 100644
--- a/pki/base/ra/doc/CS.cfg
+++ b/pki/base/ra/doc/CS.cfg
@@ -104,6 +104,7 @@ cs.type=RA
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
service.instanceID=[INSTANCE_ID]
logging._000=#########################################
diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
index b44f9db8..4bd04cf7 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -304,15 +304,11 @@ sub display
system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
- if (/NSSVerifyClient none/) {
- print TMP_NSS_CONF "NSSVerifyClient optional\n";
- } else {
if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
} else {
print TMP_NSS_CONF $_;
}
- }
}
close(NSS_CONF);
close(TMP_NSS_CONF);
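Review bot: Dropping the `NSSVerifyClient none` rewrite makes the installed nss.conf template the only place where the client-auth mode is decided, and the loop's remaining purpose is the token-specific `NSSNickname` substitution; that is worth stating above the `while`, e.g. `# NSSVerifyClient is fixed per-VirtualHost by the nss.conf template (require on the clientauth port, none on the non-clientauth port); only the nickname is rewritten here.`, otherwise the next reader will wonder why a 'require' port is left untouched. The inner `if`/`else` appears to keep its old nesting depth after the outer branch was removed, so the block should be re-indented one level (the page has lost the leading whitespace, so confirm against the file). Unchanged but visible in the hunk: the two-arg `open(NSS_CONF, "<$instDir/conf/nss.conf")` is unchecked, so a missing or unreadable nss.conf silently yields an empty nss.conf.tmp; `open(NSS_CONF, '<', "$instDir/conf/nss.conf") or die "cannot read nss.conf: $!";` would surface that. The TPS DonePanel.pm hunk later in the diff makes the identical change and gets the same note; `sub display` starts and ends outside both hunks.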
diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall
index 0d1462f2..517c6e44 100755
--- a/pki/base/ra/setup/postinstall
+++ b/pki/base/ra/setup/postinstall
@@ -44,6 +44,7 @@ fi
PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
SECURE_PORT=12889
+NON_CLIENTAUTH_SECURE_PORT=12890
UNSECURE_PORT=12888
@@ -53,7 +54,7 @@ UNSECURE_PORT=12888
if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
fi
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 3313d9f6..f99fa577 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -25,20 +25,19 @@
#
# Sample Invocation (for CA):
#
-# ./pkicreate
-# -pki_instance_root=/var/lib
-# -pki_instance_name=pki-ca1
-# -subsystem_type=ca
-# -secure_port=9543 || -agent_secure_port=9543
-# -ee_secure_port=9544
-# -admin_secure_port=9545
-# -unsecure_port=9580
-# -tomcat_server_port=9801
-# -user=pkiuser
-# -group=pkiuser
-# -redirect conf=/export/pki/pki-ca1/conf
-# -redirect logs=/export/pki/pki-ca1/logs
-# -verbose
+# ./pkicreate -pki_instance_root=/var/lib
+# -pki_instance_name=pki-ca1
+# -subsystem_type=ca
+# -agent_secure_port=9543
+# -ee_secure_port=9544
+# -admin_secure_port=9545
+# -unsecure_port=9580
+# -tomcat_server_port=9801
+# -user=pkiuser
+# -group=pkiuser
+# -redirect conf=/etc/pki-ca1
+# -redirect logs=/var/log/pki-ca1
+# -verbose
#
##############################################################
@@ -317,6 +316,7 @@ my $OBJ_EXT = "OBJ_EXT";
my $PORT = "PORT";
my $PROCESS_ID = "PROCESS_ID";
my $SECURE_PORT = "SECURE_PORT";
+my $NON_CLIENTAUTH_SECURE_PORT = "NON_CLIENTAUTH_SECURE_PORT";
my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES";
my $SERVER_NAME = "SERVER_NAME";
my $SERVER_ROOT = "SERVER_ROOT";
@@ -395,6 +395,7 @@ my $pki_instance_root = "";
my $pki_instance_name = "";
my $subsystem_type = "";
my $secure_port = -1;
+my $non_clientauth_secure_port = -1;
my $unsecure_port = -1;
my $tomcat_server_port = -1;
@@ -702,107 +703,186 @@ if( -l $jaas_link ) {
# no return value
sub usage()
{
+ print( STDOUT "\n" );
print( STDOUT
- "Usage: pkicreate -pki_instance_root=<pki_instance_root> "
- . "# Instance root\n"
- . " "
- . "# directory\n"
- . " "
+ "###############################################################################\n"
+ . "### USAGE: CA, KRA, OCSP, or TKS subsystem instance creation (Tomcat) ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=<pki_instance_root> "
+ . "# Instance root directory\n"
+ . " "
. "# destination\n\n"
- . " -pki_instance_name=<pki_instance_id> "
- . "# Unique PKI\n"
- . " "
- . "# subsystem\n"
- . " "
+ . " -pki_instance_name=<pki_instance_id> "
+ . "# Unique PKI subsystem\n"
+ . " "
. "# instance name\n\n"
- . " -subsystem_type=<subsystem_type> "
+ . " -subsystem_type=<subsystem_type> "
. "# Subsystem type\n"
- . " "
- . "# [ca | kra | ocsp |\n"
- . " "
- . "# tks | ra | tps]\n\n"
- . " -secure_port=<secure_port> "
- . "# Secure port\n\n"
- . " -unsecure_port=<unsecure_port> "
- . "#Unsecure port\n\n"
- . "###################### Optional separate ports ############\n\n"
- . " -agent_secure_port=<agent_secure_port> "
- . "#Agent secure port, Same as 'secure_port'\n\n"
- . " -ee_secure_port=<ee_secure_port> "
+ . " "
+ . "# [ca | kra | ocsp | tks]\n\n"
+ . " #####################################################################\n"
+ . " ### SELECT separate secure ports for AGENT, EE, and ADMIN: ###\n"
+ . " #####################################################################\n\n"
+ . " -agent_secure_port=<agent_secure_port> "
+ . "# Agent secure port\n\n"
+ . " -ee_secure_port=<ee_secure_port> "
. "# EE secure port\n\n"
- . " -admin_secure_port=<admin_secure_port> "
- . "# Admin secureport\n\n"
- . "###################### End Optional separate ports ########\n\n"
- . " -tomcat_server_port=<tomcat_server_port> "
- . "# Unique port\n"
- . " "
+ . " -admin_secure_port=<admin_secure_port> "
+ . "# Admin secure port\n\n"
+ . " #####################################################################\n"
+ . " ### OR a single secure port shared by AGENT, EE, and ADMIN: ###\n"
+ . " #####################################################################\n\n"
+ . " -secure_port=<secure_port> "
+ . "# Secure port\n"
+ . " "
+ . "# (shared by Agent,\n"
+ . " "
+ . "# EE, and Admin)\n\n"
+ . " #####################################################################\n"
+ . " ### END secure port SELECTION ###\n"
+ . " #####################################################################\n\n"
+ . " -unsecure_port=<unsecure_port> "
+ . "# Unsecure port\n\n"
+ . " -tomcat_server_port=<tomcat_server_port> "
+ . "# Unique port for each\n"
+ . " "
+ . "# Tomcat instance\n\n"
+ . " [-user=<username>] "
+ . "# User ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# group ownership)\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-group=<groupname>] "
+ . "# Group ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# user ownership)\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-redirect conf=<real conf dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'conf' directory\n\n"
+ . " [-redirect logs=<real logs dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'logs' directory\n\n"
+ . " [-verbose] "
+ . "# Print out liberal info\n"
+ . " "
+ . "# during 'pkicreate'\n\n"
+ . " [-help] "
+ . "# Print out this screen\n\n\n"
+ . "###############################################################################\n"
+ . "### USAGE: RA or TPS subsystem instance creation (Apache) ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=<pki_instance_root> "
+ . "# Instance root directory\n"
+ . " "
+ . "# destination\n\n"
+ . " -pki_instance_name=<pki_instance_id> "
+ . "# Unique PKI subsystem\n"
+ . " "
+ . "# instance name\n\n"
+ . " -subsystem_type=<subsystem_type> "
+ . "# Subsystem type\n"
+ . " "
+ . "# [ra | tps]\n\n"
+ . " -secure_port=<secure_port> "
+ . "# Secure port\n"
+ . " "
+ . "# (clientauth)\n"
+ . " "
+ . "# for each\n"
+ . " "
+ . "# Apache instance\n\n"
+ . " -non_clientauth_secure_port=<non_clientauth_secure_port>\n\n"
+ . " "
+ . "# Secure port\n"
+ . " "
+ . "# (non-clientauth)\n"
+ . " "
. "# for each\n"
- . " "
- . "# tomcat instance\n"
- . " "
- . "# [ca | kra | ocsp |\n"
- . " "
- . "# tks] ONLY\n\n"
- . " [-user=<username>] "
- . "# user ownership\n"
- . " "
- . "# [must ALSO specify\n"
- . " "
- . "# group ownership]\n"
- . " "
+ . " "
+ . "# Apache instance\n\n"
+ . " -unsecure_port=<unsecure_port> "
+ . "# Unsecure port\n\n"
+ . " [-user=<username>] "
+ . "# User ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# group ownership)\n"
+ . " "
. "#\n"
- . " "
- . "# (Default=pkiuser)\n\n"
- . " [-group=<groupname>] "
- . "# group ownership\n"
- . " "
- . "# [must ALSO specify\n"
- . " "
- . "# user ownership]\n"
- . " "
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-group=<groupname>] "
+ . "# Group ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# user ownership)\n"
+ . " "
. "#\n"
- . " "
- . "# (Default=pkiuser)\n\n"
- . " [-redirect conf=<real conf dir path>] "
- . "# redirection of\n"
- . " "
- . "# conf directory\n\n"
- . " [-redirect logs=<real logs dir path>] "
- . "# redirection of\n"
- . " "
- . "# logs directory\n\n"
- . " [-verbose] "
- . "# Print out\n"
- . " "
- . "# liberal info\n"
- . " "
- . "# during pkicreate\n\n"
- . " [-help] "
- . "# Print out\n"
- . " "
- . "# this screen\n\n" );
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-redirect conf=<real conf dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'conf' directory\n\n"
+ . " [-redirect logs=<real logs dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'logs' directory\n\n"
+ . " [-verbose] "
+ . "# Print out liberal info\n"
+ . " "
+ . "# during 'pkicreate'\n\n"
+ . " [-help] "
+ . "# Print out this screen\n\n\n" );
+
+ print( STDOUT
+ "###############################################################################\n"
+ . "### EXAMPLE: PKI (Apache) subsystem instance creation of a TPS ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=/var/lib \\\n"
+ . " -pki_instance_name=$pki_flavor-tps1 \\\n"
+ . " -subsystem_type=tps \\\n"
+ . " -secure_port=7989 \\\n"
+ . " -non_clientauth_secure_port=7990 \\\n"
+ . " -unsecure_port=7988 \\\n"
+ . " -user=pkiuser \\\n"
+ . " -group=pkiuser \\\n"
+ . " -redirect conf=/etc/$pki_flavor-tps1 \\\n"
+ . " -redirect logs=/var/log/$pki_flavor-tps1 \\\n"
+ . " -verbose\n\n" );
print( STDOUT
- "Example: pkicreate -pki_instance_root=/var/lib\n"
- . " -pki_instance_name=$pki_flavor-ca1\n"
- . " -subsystem_type=ca\n"
- . "[Either mandatory: \n"
- . " -secure_port=9543\n"
- . "] or\n"
- . "[ Optional separate ports:\n"
- . " -agent_secure_port=9543\n"
- . " -ee_secure_port=9544\n"
- . " -admin_secure_port=9545\n"
- . "]\n"
- . " -unsecure_port=9580\n"
- . " -tomcat_server_port=9801\n"
- . " -user=pkiuser\n"
- . " -group=pkiuser\n"
- . " -redirect conf=/export/pki/$pki_flavor-ca1/"
- . "conf\n"
- . " -redirect logs=/export/pki/$pki_flavor-ca1/"
- . "logs\n"
- . " -verbose\n\n" );
+ "###############################################################################\n"
+ . "### EXAMPLE: PKI (Tomcat) subsystem instance creation of a CA ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=/var/lib \\\n"
+ . " -pki_instance_name=$pki_flavor-ca1 \\\n"
+ . " -subsystem_type=ca \\\n"
+ . " -agent_secure_port=9543 \\\n"
+ . " -ee_secure_port=9544 \\\n"
+ . " -admin_secure_port=9545 \\\n"
+ . " -unsecure_port=9580 \\\n"
+ . " -tomcat_server_port=9801 \\\n"
+ . " -user=pkiuser \\\n"
+ . " -group=pkiuser \\\n"
+ . " -redirect conf=/etc/$pki_flavor-ca1 \\\n"
+ . " -redirect logs=/var/log/$pki_flavor-ca1 \\\n"
+ . " -verbose\n\n" );
print( STDOUT
"IMPORTANT: Must be run as root!\n\n" );
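Review bot: The usage text is now well over a hundred concatenated string fragments whose column alignment is carried by hand-counted spaces inside each literal, which is exactly the layout a heredoc (`print STDOUT <<"END_USAGE";` ... `END_USAGE`) shows as it will be printed, and the only interpolation needed, `$pki_flavor`, works inside one. The RA/TPS section is also the one place where an option and its description are split across lines (`-non_clientauth_secure_port=<non_clientauth_secure_port>\n\n` followed by a comment block), so a reader scanning the right-hand column sees a gap there; putting `# Secure port (non-clientauth)` on the same line as the option keeps the table consistent. `sub usage` opens inside this hunk but its final `print` continues past the hunk's end.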
@@ -835,6 +915,7 @@ sub pki_instance_already_exists
sub parse_arguments()
{
my $l_secure_port = -1;
+ my $l_non_clientauth_secure_port = -1;
my $l_unsecure_port = -1;
my $l_tomcat_server_port = -1;
my $l_agent_secure_port = -1;
@@ -847,6 +928,7 @@ sub parse_arguments()
"pki_instance_name=s" => \$pki_instance_name,
"subsystem_type=s" => \$subsystem_type,
"secure_port:i" => \$l_secure_port,
+ "non_clientauth_secure_port:i" => \$l_non_clientauth_secure_port,
"unsecure_port:i" => \$l_unsecure_port,
"agent_secure_port:i" => \$l_agent_secure_port,
"ee_secure_port:i" => \$l_ee_secure_port,
@@ -982,7 +1064,42 @@ sub parse_arguments()
}
}
+ ## Mandatory "-non_clientauth_secure_port=<non_clientauth_secure_port>"
+ ## option/exclusion
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
+ if( $l_non_clientauth_secure_port >= 0 ) {
+ $non_clientauth_secure_port = $l_non_clientauth_secure_port;
+ emit( " non_clientauth_secure_port "
+ . "$non_clientauth_secure_port\n" );
+ } else {
+ if( $l_non_clientauth_secure_port == -1)
+ {
+ emit( "Must include value for non_clientauth_secure_port!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+ }
+
+ if( $l_agent_secure_port > 0 ||
+ $l_ee_secure_port > 0 ||
+ $l_admin_secure_port > 0) {
+ emit( "Must NOT include values for any agent|admin|ee ports!\n",
+ "error");
+ usage();
+ return 0;
+ }
+ } else {
+ ## Mandatory EXCLUSION for CA, KRA, OCSP, and TKS subsystems
+ if( $l_non_clientauth_secure_port != -1 ) {
+ emit( "Must NOT include value for non_clientauth_secure_port!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+ }
+
## Mandatory "-unsecure_port=<unsecure_port>" option
if( $l_unsecure_port >= 0 ) {
$unsecure_port = $l_unsecure_port;
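Review bot: The `else` branch accepts any explicit negative `-non_clientauth_secure_port` value silently: `$l_non_clientauth_secure_port >= 0` fails, the inner `== -1` test fails too, nothing is emitted, and `$non_clientauth_secure_port` stays at `-1`, which `process_pki_templates` then stores into the `[NON_CLIENTAUTH_SECURE_PORT]` slot without a check (the selinux hunk tests for `-1`, the slot assignment does not), presumably ending up in nss.conf's `Listen` line. Getopt's `:i` spec also turns a bare `-non_clientauth_secure_port` into 0, which the `>= 0` test accepts, and nothing rejects a value equal to `-secure_port`, which would produce two `Listen` directives for the same port and an Apache instance that cannot start. Validating the range once and comparing against `$l_secure_port` (both locals are declared at the top of this function, above the hunk) closes all three; the agent/admin/ee exclusion and the CA/KRA/OCSP/TKS branch are unchanged. If 0 is intentionally allowed for the other port options, keep `>= 0` but still reject explicit negatives by making the `else` branch unconditional. `parse_arguments` starts and ends outside the hunk.

```perl
    ## Mandatory "-non_clientauth_secure_port=<non_clientauth_secure_port>"
    ## option/exclusion
    if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
        # Reject the Getopt ':i' default of 0 and explicit negatives alike:
        # whatever passes here is written verbatim into the nss.conf template.
        if( $l_non_clientauth_secure_port < 1 ||
            $l_non_clientauth_secure_port > 65535 ) {
            emit( "Must include a valid value for non_clientauth_secure_port!\n",
                  "error" );
            usage();
            return 0;
        }
        # Two Listen directives on one port would keep Apache from starting.
        if( $l_non_clientauth_secure_port == $l_secure_port ) {
            emit( "non_clientauth_secure_port must differ from secure_port!\n",
                  "error" );
            usage();
            return 0;
        }
        $non_clientauth_secure_port = $l_non_clientauth_secure_port;
        emit( "    non_clientauth_secure_port    "
            . "$non_clientauth_secure_port\n" );

        # ... unchanged: agent|admin|ee port exclusion for RA and TPS ...
    } else {
        # ... unchanged: non_clientauth_secure_port exclusion for CA, KRA, OCSP, and TKS ...
    }
```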
@@ -1016,19 +1133,6 @@ sub parse_arguments()
}
}
- if( ($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- ## Don't do port separation for RA or TPS
-
- if( $l_agent_secure_port > 0 || $l_ee_secure_port > 0
- || $l_admin_secure_port > 0) {
-
- emit( "Must NOT include separate ports for RA or TPS!\n",
- "error");
- usage();
- return 0;
- }
- }
-
if( $l_agent_secure_port >= 0 ) {
$agent_secure_port = $l_agent_secure_port;
@@ -2174,6 +2278,7 @@ sub process_pki_templates()
$slot_hash{$PORT} = $unsecure_port;
$slot_hash{$PROCESS_ID} = $$;
$slot_hash{$SECURE_PORT} = $secure_port;
+ $slot_hash{$NON_CLIENTAUTH_SECURE_PORT} = $non_clientauth_secure_port;
$slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries;
$slot_hash{$SERVER_NAME} = $host;
$slot_hash{$SERVER_ROOT} = $pki_instance_path;
@@ -3382,6 +3487,9 @@ sub process_pki_selinux_setup()
if ($secure_port != -1) {
&add_selinux_port($setype_p, $secure_port);
}
+ if ($non_clientauth_secure_port != -1) {
+ &add_selinux_port($setype_p, $non_clientauth_secure_port);
+ }
if ($unsecure_port != -1) {
&add_selinux_port($setype_p, $unsecure_port);
}
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index a1e8c79b..3ba93ff4 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -208,6 +208,7 @@ sub update_domain()
{
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $sport;
+ my $ncsport;
my $secport;
my $secselect;
my $typeval;
@@ -220,6 +221,7 @@ sub update_domain()
chomp($line);
(my $varname, my $valname) = split(/=/, $line);
if ($varname eq "service.securePort") { $sport = $valname; }
+ if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; }
if ($varname eq "securitydomain.host") { $sechost = $valname; }
if ($varname eq "securitydomain.httpsport") { $secport = $valname; }
if ($varname eq "securitydomain.select") { $secselect = $valname; }
@@ -283,6 +285,7 @@ sub update_domain()
'list' => $listval,
'host' => $machinename,
'sport' => $sport,
+ 'ncsport' => $ncsport,
'operation' => 'remove'
],
);
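Review bot: `'ncsport' => $ncsport` is posted unconditionally, but `$ncsport` is only assigned when CS.cfg carries `service.non_clientauth_securePort`, which this commit adds to the RA and TPS configurations only; for a CA, KRA, OCSP or TKS instance the parameter goes out with an undefined value (presumably an empty `ncsport=` form field, plus an uninitialized-value warning if `warnings` is on). The receiving security-domain servlet is not part of this diff, so whether it tolerates or rejects an empty `ncsport` cannot be checked here; sending the pair only when set avoids the question: `( defined $ncsport ? ( 'ncsport' => $ncsport ) : () ),`. `update_domain` starts and ends outside the hunk.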
@@ -389,6 +392,7 @@ sub remove_selinux_ports()
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $typeval;
my $secure_port;
+ my $non_clientauth_secure_port;
my $unsecure_port;
my @ports = ();
@@ -400,6 +404,7 @@ sub remove_selinux_ports()
(my $varname, my $valname) = split(/=/, $line);
if ($varname eq "cs.type") { $typeval = $valname; }
if ($varname eq "service.securePort") { $secure_port = $valname; }
+ if ($varname eq "service.non_clientauth_securePort") { $non_clientauth_secure_port = $valname; }
if ($varname eq "service.unsecurePort") { $unsecure_port = $valname; }
}
close(DAT);
@@ -424,8 +429,13 @@ sub remove_selinux_ports()
$ports[$i] = $secure_port;
$i++;
}
+ if (defined $non_clientauth_secure_port) {
+ $ports[$i] = $non_clientauth_secure_port;
+ $i++;
+ }
if (defined $unsecure_port) {
$ports[$i] = $unsecure_port;
+ $i++;
}
}
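Review bot: The `$i++` added after `$ports[$i] = $unsecure_port` has no effect today because no element follows it, and the fact that it had to be added at all is the cost of the hand-maintained counter; `push( @ports, $non_clientauth_secure_port ) if defined $non_clientauth_secure_port;` (and the same form for the other two ports) removes `$i` from this block altogether. The `if` chain here mirrors the one added to `process_pki_selinux_setup` in pkicreate, which tests `!= -1` where this side tests `defined`; the two agree only as long as a CS.cfg never carries the `-1` default, which appears to hold (pkicreate validates the RA/TPS value before writing it) and deserves a one-line comment at the `defined` checks. `remove_selinux_ports` starts and ends outside the hunk.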
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 43f7753d..0c7b7b6c 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -17,6 +17,8 @@
#
Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
##
## SSL Global Context
##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
# General setup for the virtual host
#DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
#ServerAdmin you@example.com
# mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
-NSSVerifyClient none
+NSSVerifyClient require
# Access Control:
# With SSLRequire you can do per-directory access control based
@@ -150,3 +152,97 @@ NSSVerifyClient none
</VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 7385ad00..b4866722 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -22,6 +22,7 @@ cs.type=TPS
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
service.instanceID=[INSTANCE_ID]
logging._000=#########################################
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index 677ae3cd..dd505820 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -316,15 +316,11 @@ sub display
system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
- if (/NSSVerifyClient none/) {
- print TMP_NSS_CONF "NSSVerifyClient require\n";
- } else {
if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
} else {
print TMP_NSS_CONF $_;
}
- }
}
close(NSS_CONF);
close(TMP_NSS_CONF);
diff --git a/pki/base/tps/setup/postinstall b/pki/base/tps/setup/postinstall
index 4ee7969a..4bab87ed 100755
--- a/pki/base/tps/setup/postinstall
+++ b/pki/base/tps/setup/postinstall
@@ -46,6 +46,7 @@ fi
PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
SECURE_PORT=7889
+NON_CLIENTAUTH_SECURE_PORT=7890
UNSECURE_PORT=7888
@@ -55,7 +56,7 @@ UNSECURE_PORT=7888
if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
fi