From 9c2b222571f70cce8b5c1c6c469e3266535b2fc1 Mon Sep 17 00:00:00 2001 From: mharmsen Date: Wed, 25 Feb 2009 00:51:41 +0000 Subject: Bugzilla Bug #485859 - port separation for RA and TPS. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@243 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- pki/base/ra/apache/conf/nss.conf | 100 ++++++++- pki/base/ra/doc/CS.cfg | 1 + pki/base/ra/lib/perl/PKI/RA/DonePanel.pm | 4 - pki/base/ra/setup/postinstall | 3 +- pki/base/setup/pkicreate | 344 +++++++++++++++++++---------- pki/base/setup/pkiremove | 10 + pki/base/tps/apache/conf/nss.conf | 100 ++++++++- pki/base/tps/doc/CS.cfg | 1 + pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm | 4 - pki/base/tps/setup/postinstall | 3 +- pki/dogtag/ra/pki-ra.spec | 4 +- pki/dogtag/setup/pki-setup.spec | 4 +- pki/dogtag/tps/pki-tps.spec | 4 +- 13 files changed, 447 insertions(+), 135 deletions(-) (limited to 'pki') diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf index 02c50509..42085a60 100644 --- a/pki/base/ra/apache/conf/nss.conf +++ b/pki/base/ra/apache/conf/nss.conf @@ -17,6 +17,8 @@ # Listen 0.0.0.0:[SECURE_PORT] +Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT] + ## ## SSL Global Context ## @@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400 # General setup for the virtual host #DocumentRoot "/htdocs" -#ServerName [SERVER_NAME]:[SECURE_PORT] +#ServerName [Server_Name]:[Secure_Port] #ServerAdmin you@example.com # mod_ssl logs to separate log files, you can choose to do that if you'd like @@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias # Client Authentication (Type): # Client certificate verification type. Types are none, optional and # require. -NSSVerifyClient none +NSSVerifyClient require # Access Control: # With SSLRequire you can do per-directory access control based 
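Review bot: The commented `#ServerName` example now reads `[Server_Name]:[Secure_Port]`, which no longer matches the upper-case slot names pkicreate substitutes (`SERVER_NAME`, `SECURE_PORT`), so an admin who uncomments it presumably gets the literal brackets; if the lower-casing is meant to stop template substitution inside a comment, a line such as `# slot names deliberately lower-cased so pkicreate leaves this example alone` would make that visible, otherwise keep `#ServerName [SERVER_NAME]:[SECURE_PORT]`. With `NSSVerifyClient require` now fixed in the template instead of patched in by DonePanel, a one-line comment above the directive stating that this first host is the clientauth port and the host added at the end of the file is the one for non-certificate clients would save the next reader from diffing the two blocks. The same applies to the identical hunks in pki/base/tps/apache/conf/nss.conf.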
@@ -150,3 +152,97 @@ NSSVerifyClient none + + +# General setup for the virtual host +#DocumentRoot "/htdocs" +#ServerName [Server_Name]:[Non_Clientauth_Secure_Port] +#ServerAdmin you@example.com + +# mod_ssl logs to separate log files, you can choose to do that if you'd like +ErrorLog [SERVER_ROOT]/logs/error_log +TransferLog [SERVER_ROOT]/logs/access_log + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +NSSEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_nss documentation for a complete list. +NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha + +NSSProtocol SSLv3,TLSv1 + +# SSL Certificate Nickname: +# The nickname of the server certificate you are going to use. +NSSNickname "Server-Cert cert-[INSTANCE_ID]" + +# Server Certificate Database: +# The NSS security database directory that holds the certificates and +# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. +# Provide the directory that these files exist. +NSSCertificateDatabase [SERVER_ROOT]/alias + +# Client Authentication (Type): +# Client certificate verification type. Types are none, optional and +# require. +NSSVerifyClient none + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_nss documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire + + NSSOptions +StdEnvVars +ExportCertData + + + NSSOptions +StdEnvVars + + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. 
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \ +# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg index 3602addc..831f91a0 100644 --- a/pki/base/ra/doc/CS.cfg +++ b/pki/base/ra/doc/CS.cfg @@ -104,6 +104,7 @@ cs.type=RA service.machineName=[SERVER_NAME] service.instanceDir=[SERVER_ROOT] service.securePort=[SECURE_PORT] +service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] service.unsecurePort=[PORT] service.instanceID=[INSTANCE_ID] logging._000=######################################### diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm index b44f9db8..4bd04cf7 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm @@ -304,15 +304,11 @@ sub display system( "chmod 00660 $instDir/conf/nss.conf.tmp" ); open(NSS_CONF, "<$instDir/conf/nss.conf"); while () { - if (/NSSVerifyClient none/) { - print TMP_NSS_CONF "NSSVerifyClient optional\n"; - } else { if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) { print TMP_NSS_CONF "NSSNickname \"$nickname\"\n"; } else { print TMP_NSS_CONF $_; } - } } close(NSS_CONF); close(TMP_NSS_CONF); diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall index 0d1462f2..517c6e44 100755 --- a/pki/base/ra/setup/postinstall +++ b/pki/base/ra/setup/postinstall @@ -44,6 +44,7 @@ fi PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}" SECURE_PORT=12889 +NON_CLIENTAUTH_SECURE_PORT=12890 UNSECURE_PORT=12888 
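Review bot: The new non-clientauth virtual host carries `NSSVerifyClient none` but nothing in this hunk limits which paths it serves; if it shares the document root and CGI mappings of the clientauth host (the container directives are not visible here), the agent and admin URLs become reachable on [NON_CLIENTAUTH_SECURE_PORT] without a certificate, so either the RA handlers must reject requests whose SSL_CLIENT_CERT is empty or this host needs a per-directory `NSSVerifyClient require` for those locations. Both hosts also appear to write the same `[SERVER_ROOT]/logs/access_log` and `error_log` (the first host's log directives are outside this hunk), which makes authenticated and unauthenticated traffic indistinguishable in the logs; a distinct `TransferLog [SERVER_ROOT]/logs/access_log_nonclientauth` or a LogFormat that includes `%p` would keep them apart for audit. The copied NSSCipherSuite still enables `+rsa_des_sha` (single DES) and `+rsa_rc4_128_md5` alongside `NSSProtocol SSLv3,TLSv1`; since this is the host exposed to arbitrary clients, consider `-rsa_des_sha` here even if the clientauth host keeps the legacy list. The same applies to the identical hunk in pki/base/tps/apache/conf/nss.conf.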
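Review bot: The new key `service.non_clientauth_securePort` mixes snake_case and camelCase in one name, sitting between `service.securePort` and `service.unsecurePort` which are plain camelCase; pkiremove matches this name by exact string, so the spelling becomes part of the on-disk contract once instances ship with it and is cheap to align now but costly to migrate later. A consistent camelCase form matching its neighbours is worth settling before release. The same key is added in pki/base/tps/doc/CS.cfg.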
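Review bot: Dropping the rewrite means the RA's clientauth port now runs with the template's `NSSVerifyClient require`, whereas DonePanel previously wrote `NSSVerifyClient optional` for it, so any RA page that non-certificate clients reached on [SECURE_PORT] must now be served through the non-clientauth port; it is worth confirming that the EE URLs the RA advertises follow that move. The TPS counterpart in pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm already wrote `require`, so only the RA changes behaviour here, and a short comment above the loop noting that the verify mode is now owned by the nss.conf template would prevent someone re-adding the rewrite. `display` starts and ends outside the hunk.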
@@ -53,7 +54,7 @@ UNSECURE_PORT=12888 if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ] then - /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} + /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} fi diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index 3313d9f6..f99fa577 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -25,20 +25,19 @@ # # Sample Invocation (for CA): # -# ./pkicreate -# -pki_instance_root=/var/lib -# -pki_instance_name=pki-ca1 -# -subsystem_type=ca -# -secure_port=9543 || -agent_secure_port=9543 -# -ee_secure_port=9544 -# -admin_secure_port=9545 -# -unsecure_port=9580 -# -tomcat_server_port=9801 -# -user=pkiuser -# -group=pkiuser -# -redirect conf=/export/pki/pki-ca1/conf -# -redirect logs=/export/pki/pki-ca1/logs -# -verbose +# ./pkicreate -pki_instance_root=/var/lib +# -pki_instance_name=pki-ca1 +# -subsystem_type=ca +# -agent_secure_port=9543 +# -ee_secure_port=9544 +# -admin_secure_port=9545 +# -unsecure_port=9580 +# -tomcat_server_port=9801 +# -user=pkiuser +# -group=pkiuser +# -redirect conf=/etc/pki-ca1 +# -redirect logs=/var/log/pki-ca1 +# -verbose # ############################################################## @@ -317,6 +316,7 @@ my $OBJ_EXT = "OBJ_EXT"; my $PORT = "PORT"; my $PROCESS_ID = "PROCESS_ID"; my $SECURE_PORT = "SECURE_PORT"; +my $NON_CLIENTAUTH_SECURE_PORT = "NON_CLIENTAUTH_SECURE_PORT"; my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES"; my $SERVER_NAME = "SERVER_NAME"; my $SERVER_ROOT = "SERVER_ROOT"; 
@@ -395,6 +395,7 @@ my $pki_instance_root = ""; my $pki_instance_name = ""; my $subsystem_type = ""; my $secure_port = -1; +my $non_clientauth_secure_port = -1; my $unsecure_port = -1; my $tomcat_server_port = -1; 
@@ -702,107 +703,186 @@ if( -l $jaas_link ) { # no return value sub usage() { + print( STDOUT "\n" ); print( STDOUT - "Usage: pkicreate -pki_instance_root= " - . "# Instance root\n" - . " " - . "# directory\n" - . " " + "###############################################################################\n" + . "### USAGE: CA, KRA, OCSP, or TKS subsystem instance creation (Tomcat) ###\n" + . "###############################################################################\n\n" + . "pkicreate -pki_instance_root= " + . "# Instance root directory\n" + . " " . "# destination\n\n" - . " -pki_instance_name= " - . "# Unique PKI\n" - . " " - . "# subsystem\n" - . " " + . " -pki_instance_name= " + . "# Unique PKI subsystem\n" + . " " . "# instance name\n\n" - . " -subsystem_type= " + . " -subsystem_type= " . "# Subsystem type\n" - . " " - . "# [ca | kra | ocsp |\n" - . " " - . "# tks | ra | tps]\n\n" - . " -secure_port= " - . "# Secure port\n\n" - . " -unsecure_port= " - . "#Unsecure port\n\n" - . "###################### Optional separate ports ############\n\n" - . " -agent_secure_port= " - . "#Agent secure port, Same as 'secure_port'\n\n" - . " -ee_secure_port= " + . " " + . "# [ca | kra | ocsp | tks]\n\n" + . " #####################################################################\n" + . " ### SELECT separate secure ports for AGENT, EE, and ADMIN: ###\n" + . " #####################################################################\n\n" + . " -agent_secure_port= " + . "# Agent secure port\n\n" + . " -ee_secure_port= " . "# EE secure port\n\n" - . " -admin_secure_port= " - . "# Admin secureport\n\n" - . "###################### End Optional separate ports ########\n\n" - . " -tomcat_server_port= " - . "# Unique port\n" - . " " + . " -admin_secure_port= " + . "# Admin secure port\n\n" + . " #####################################################################\n" + . " ### OR a single secure port shared by AGENT, EE, and ADMIN: ###\n" + . 
" #####################################################################\n\n" + . " -secure_port= " + . "# Secure port\n" + . " " + . "# (shared by Agent,\n" + . " " + . "# EE, and Admin)\n\n" + . " #####################################################################\n" + . " ### END secure port SELECTION ###\n" + . " #####################################################################\n\n" + . " -unsecure_port= " + . "# Unsecure port\n\n" + . " -tomcat_server_port= " + . "# Unique port for each\n" + . " " + . "# Tomcat instance\n\n" + . " [-user=] " + . "# User ownership\n" + . " " + . "# (must ALSO specify\n" + . " " + . "# group ownership)\n" + . " " + . "#\n" + . " " + . "# [Default=pkiuser]\n\n" + . " [-group=] " + . "# Group ownership\n" + . " " + . "# (must ALSO specify\n" + . " " + . "# user ownership)\n" + . " " + . "#\n" + . " " + . "# [Default=pkiuser]\n\n" + . " [-redirect conf=] " + . "# Redirection of\n" + . " " + . "# 'conf' directory\n\n" + . " [-redirect logs=] " + . "# Redirection of\n" + . " " + . "# 'logs' directory\n\n" + . " [-verbose] " + . "# Print out liberal info\n" + . " " + . "# during 'pkicreate'\n\n" + . " [-help] " + . "# Print out this screen\n\n\n" + . "###############################################################################\n" + . "### USAGE: RA or TPS subsystem instance creation (Apache) ###\n" + . "###############################################################################\n\n" + . "pkicreate -pki_instance_root= " + . "# Instance root directory\n" + . " " + . "# destination\n\n" + . " -pki_instance_name= " + . "# Unique PKI subsystem\n" + . " " + . "# instance name\n\n" + . " -subsystem_type= " + . "# Subsystem type\n" + . " " + . "# [ra | tps]\n\n" + . " -secure_port= " + . "# Secure port\n" + . " " + . "# (clientauth)\n" + . " " + . "# for each\n" + . " " + . "# Apache instance\n\n" + . " -non_clientauth_secure_port=\n\n" + . " " + . "# Secure port\n" + . " " + . "# (non-clientauth)\n" + . " " . "# for each\n" - . 
" " - . "# tomcat instance\n" - . " " - . "# [ca | kra | ocsp |\n" - . " " - . "# tks] ONLY\n\n" - . " [-user=] " - . "# user ownership\n" - . " " - . "# [must ALSO specify\n" - . " " - . "# group ownership]\n" - . " " + . " " + . "# Apache instance\n\n" + . " -unsecure_port= " + . "# Unsecure port\n\n" + . " [-user=] " + . "# User ownership\n" + . " " + . "# (must ALSO specify\n" + . " " + . "# group ownership)\n" + . " " . "#\n" - . " " - . "# (Default=pkiuser)\n\n" - . " [-group=] " - . "# group ownership\n" - . " " - . "# [must ALSO specify\n" - . " " - . "# user ownership]\n" - . " " + . " " + . "# [Default=pkiuser]\n\n" + . " [-group=] " + . "# Group ownership\n" + . " " + . "# (must ALSO specify\n" + . " " + . "# user ownership)\n" + . " " . "#\n" - . " " - . "# (Default=pkiuser)\n\n" - . " [-redirect conf=] " - . "# redirection of\n" - . " " - . "# conf directory\n\n" - . " [-redirect logs=] " - . "# redirection of\n" - . " " - . "# logs directory\n\n" - . " [-verbose] " - . "# Print out\n" - . " " - . "# liberal info\n" - . " " - . "# during pkicreate\n\n" - . " [-help] " - . "# Print out\n" - . " " - . "# this screen\n\n" ); + . " " + . "# [Default=pkiuser]\n\n" + . " [-redirect conf=] " + . "# Redirection of\n" + . " " + . "# 'conf' directory\n\n" + . " [-redirect logs=] " + . "# Redirection of\n" + . " " + . "# 'logs' directory\n\n" + . " [-verbose] " + . "# Print out liberal info\n" + . " " + . "# during 'pkicreate'\n\n" + . " [-help] " + . "# Print out this screen\n\n\n" ); + + print( STDOUT + "###############################################################################\n" + . "### EXAMPLE: PKI (Apache) subsystem instance creation of a TPS ###\n" + . "###############################################################################\n\n" + . "pkicreate -pki_instance_root=/var/lib \\\n" + . " -pki_instance_name=$pki_flavor-tps1 \\\n" + . " -subsystem_type=tps \\\n" + . " -secure_port=7989 \\\n" + . " -non_clientauth_secure_port=7990 \\\n" + . 
" -unsecure_port=7988 \\\n" + . " -user=pkiuser \\\n" + . " -group=pkiuser \\\n" + . " -redirect conf=/etc/$pki_flavor-tps1 \\\n" + . " -redirect logs=/var/log/$pki_flavor-tps1 \\\n" + . " -verbose\n\n" ); print( STDOUT - "Example: pkicreate -pki_instance_root=/var/lib\n" - . " -pki_instance_name=$pki_flavor-ca1\n" - . " -subsystem_type=ca\n" - . "[Either mandatory: \n" - . " -secure_port=9543\n" - . "] or\n" - . "[ Optional separate ports:\n" - . " -agent_secure_port=9543\n" - . " -ee_secure_port=9544\n" - . " -admin_secure_port=9545\n" - . "]\n" - . " -unsecure_port=9580\n" - . " -tomcat_server_port=9801\n" - . " -user=pkiuser\n" - . " -group=pkiuser\n" - . " -redirect conf=/export/pki/$pki_flavor-ca1/" - . "conf\n" - . " -redirect logs=/export/pki/$pki_flavor-ca1/" - . "logs\n" - . " -verbose\n\n" ); + "###############################################################################\n" + . "### EXAMPLE: PKI (Tomcat) subsystem instance creation of a CA ###\n" + . "###############################################################################\n\n" + . "pkicreate -pki_instance_root=/var/lib \\\n" + . " -pki_instance_name=$pki_flavor-ca1 \\\n" + . " -subsystem_type=ca \\\n" + . " -agent_secure_port=9543 \\\n" + . " -ee_secure_port=9544 \\\n" + . " -admin_secure_port=9545 \\\n" + . " -unsecure_port=9580 \\\n" + . " -tomcat_server_port=9801 \\\n" + . " -user=pkiuser \\\n" + . " -group=pkiuser \\\n" + . " -redirect conf=/etc/$pki_flavor-ca1 \\\n" + . " -redirect logs=/var/log/$pki_flavor-ca1 \\\n" + . " -verbose\n\n" ); print( STDOUT "IMPORTANT: Must be run as root!\n\n" ); @@ -835,6 +915,7 @@ sub pki_instance_already_exists sub parse_arguments() { my $l_secure_port = -1; + my $l_non_clientauth_secure_port = -1; my $l_unsecure_port = -1; my $l_tomcat_server_port = -1; my $l_agent_secure_port = -1; 
@@ -847,6 +928,7 @@ sub parse_arguments() "pki_instance_name=s" => \$pki_instance_name, "subsystem_type=s" => \$subsystem_type, "secure_port:i" => \$l_secure_port, + "non_clientauth_secure_port:i" => \$l_non_clientauth_secure_port, "unsecure_port:i" => \$l_unsecure_port, "agent_secure_port:i" => \$l_agent_secure_port, "ee_secure_port:i" => \$l_ee_secure_port, @@ -982,7 +1064,42 @@ sub parse_arguments() } } + ## Mandatory "-non_clientauth_secure_port=" + ## option/exclusion + if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { + if( $l_non_clientauth_secure_port >= 0 ) { + $non_clientauth_secure_port = $l_non_clientauth_secure_port; + emit( " non_clientauth_secure_port " + . "$non_clientauth_secure_port\n" ); + } else { + if( $l_non_clientauth_secure_port == -1) + { + emit( "Must include value for non_clientauth_secure_port!\n", + "error" ); + usage(); + return 0; + } + } + + if( $l_agent_secure_port > 0 || + $l_ee_secure_port > 0 || + $l_admin_secure_port > 0) { + emit( "Must NOT include values for any agent|admin|ee ports!\n", + "error"); + usage(); + return 0; + } + } else { + ## Mandatory EXCLUSION for CA, KRA, OCSP, and TKS subsystems + if( $l_non_clientauth_secure_port != -1 ) { + emit( "Must NOT include value for non_clientauth_secure_port!\n", + "error" ); + usage(); + return 0; + } + } + ## Mandatory "-unsecure_port=" option if( $l_unsecure_port >= 0 ) { $unsecure_port = $l_unsecure_port; @@ -1016,19 +1133,6 @@ sub parse_arguments() } } - if( ($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - ## Don't do port separation for RA or TPS - - if( $l_agent_secure_port > 0 || $l_ee_secure_port > 0 - || $l_admin_secure_port > 0) { - - emit( "Must NOT include separate ports for RA or TPS!\n", - "error"); - usage(); - return 0; - } - } - if( $l_agent_secure_port >= 0 ) { $agent_secure_port = $l_agent_secure_port; 
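Review bot: The RA/TPS branch only rejects `-non_clientauth_secure_port` when the local value is exactly -1, so a negative value other than -1 (e.g. `-non_clientauth_secure_port=-5`) passes validation with `$non_clientauth_secure_port` still -1 and that value ends up in `Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]`; the inner `if( $l_non_clientauth_secure_port == -1)` can simply be dropped so the `else` always errors. Nothing here checks that the new port differs from `secure_port` or `unsecure_port`, and two identical `Listen` lines in nss.conf would presumably keep Apache from binding, so a check such as `if( $non_clientauth_secure_port == $secure_port ) { emit( "non_clientauth_secure_port must differ from secure_port!\n", "error" ); usage(); return 0; }` would fail early here; whether the existing `secure_port` handling above this hunk already compares against `unsecure_port` cannot be seen from it. parse_arguments starts and ends outside the hunk.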
@@ -2174,6 +2278,7 @@ sub process_pki_templates() $slot_hash{$PORT} = $unsecure_port; $slot_hash{$PROCESS_ID} = $$; $slot_hash{$SECURE_PORT} = $secure_port; + $slot_hash{$NON_CLIENTAUTH_SECURE_PORT} = $non_clientauth_secure_port; $slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries; $slot_hash{$SERVER_NAME} = $host; $slot_hash{$SERVER_ROOT} = $pki_instance_path; @@ -3382,6 +3487,9 @@ sub process_pki_selinux_setup() if ($secure_port != -1) { &add_selinux_port($setype_p, $secure_port); } + if ($non_clientauth_secure_port != -1) { + &add_selinux_port($setype_p, $non_clientauth_secure_port); + } if ($unsecure_port != -1) { &add_selinux_port($setype_p, $unsecure_port); } diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove index a1e8c79b..3ba93ff4 100755 --- a/pki/base/setup/pkiremove +++ b/pki/base/setup/pkiremove @@ -208,6 +208,7 @@ sub update_domain() { my $conf_file = $pki_instance_path . "/conf/CS.cfg"; my $sport; + my $ncsport; my $secport; my $secselect; my $typeval; @@ -220,6 +221,7 @@ sub update_domain() chomp($line); (my $varname, my $valname) = split(/=/, $line); if ($varname eq "service.securePort") { $sport = $valname; } + if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; } if ($varname eq "securitydomain.host") { $sechost = $valname; } if ($varname eq "securitydomain.httpsport") { $secport = $valname; } if ($varname eq "securitydomain.select") { $secselect = $valname; } @@ -283,6 +285,7 @@ sub update_domain() 'list' => $listval, 'host' => $machinename, 'sport' => $sport, + 'ncsport' => $ncsport, 'operation' => 'remove' ], ); @@ -389,6 +392,7 @@ sub remove_selinux_ports() my $conf_file = $pki_instance_path . "/conf/CS.cfg"; my $typeval; my $secure_port; + my $non_clientauth_secure_port; my $unsecure_port; my @ports = (); 
@@ -400,6 +404,7 @@ sub remove_selinux_ports() (my $varname, my $valname) = split(/=/, $line); if ($varname eq "cs.type") { $typeval = $valname; } if ($varname eq "service.securePort") { $secure_port = $valname; } + if ($varname eq "service.non_clientauth_securePort") { $non_clientauth_secure_port = $valname; } if ($varname eq "service.unsecurePort") { $unsecure_port = $valname; } } close(DAT); @@ -424,8 +429,13 @@ sub remove_selinux_ports() $ports[$i] = $secure_port; $i++; } + if (defined $non_clientauth_secure_port) { + $ports[$i] = $non_clientauth_secure_port; + $i++; + } if (defined $unsecure_port) { $ports[$i] = $unsecure_port; + $i++; } } diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf index 43f7753d..0c7b7b6c 100644 --- a/pki/base/tps/apache/conf/nss.conf +++ b/pki/base/tps/apache/conf/nss.conf @@ -17,6 +17,8 @@ # Listen 0.0.0.0:[SECURE_PORT] +Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT] + ## ## SSL Global Context ## @@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400 # General setup for the virtual host #DocumentRoot "/htdocs" -#ServerName [SERVER_NAME]:[SECURE_PORT] +#ServerName [Server_Name]:[Secure_Port] #ServerAdmin you@example.com # mod_ssl logs to separate log files, you can choose to do that if you'd like @@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias # Client Authentication (Type): # Client certificate verification type. Types are none, optional and # require. -NSSVerifyClient none +NSSVerifyClient require # Access Control: # With SSLRequire you can do per-directory access control based 
@@ -150,3 +152,97 @@ NSSVerifyClient none + + +# General setup for the virtual host +#DocumentRoot "/htdocs" +#ServerName [Server_Name]:[Non_Clientauth_Secure_Port] +#ServerAdmin you@example.com + +# mod_ssl logs to separate log files, you can choose to do that if you'd like +ErrorLog [SERVER_ROOT]/logs/error_log +TransferLog [SERVER_ROOT]/logs/access_log + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +NSSEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_nss documentation for a complete list. +NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha + +NSSProtocol SSLv3,TLSv1 + +# SSL Certificate Nickname: +# The nickname of the server certificate you are going to use. +NSSNickname "Server-Cert cert-[INSTANCE_ID]" + +# Server Certificate Database: +# The NSS security database directory that holds the certificates and +# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. +# Provide the directory that these files exist. +NSSCertificateDatabase [SERVER_ROOT]/alias + +# Client Authentication (Type): +# Client certificate verification type. Types are none, optional and +# require. +NSSVerifyClient none + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_nss documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire + + NSSOptions +StdEnvVars + + + NSSOptions +StdEnvVars + + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. 
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \ +# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg index 7385ad00..b4866722 100644 --- a/pki/base/tps/doc/CS.cfg +++ b/pki/base/tps/doc/CS.cfg @@ -22,6 +22,7 @@ cs.type=TPS service.machineName=[SERVER_NAME] service.instanceDir=[SERVER_ROOT] service.securePort=[SECURE_PORT] +service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] service.unsecurePort=[PORT] service.instanceID=[INSTANCE_ID] logging._000=######################################### diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm index 677ae3cd..dd505820 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm @@ -316,15 +316,11 @@ sub display system( "chmod 00660 $instDir/conf/nss.conf.tmp" ); open(NSS_CONF, "<$instDir/conf/nss.conf"); while () { - if (/NSSVerifyClient none/) { - print TMP_NSS_CONF "NSSVerifyClient require\n"; - } else { if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) { print TMP_NSS_CONF "NSSNickname \"$nickname\"\n"; } else { print TMP_NSS_CONF $_; } - } } close(NSS_CONF); close(TMP_NSS_CONF); diff --git a/pki/base/tps/setup/postinstall b/pki/base/tps/setup/postinstall index 4ee7969a..4bab87ed 100755 --- a/pki/base/tps/setup/postinstall +++ b/pki/base/tps/setup/postinstall @@ -46,6 +46,7 @@ fi PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}" SECURE_PORT=7889 +NON_CLIENTAUTH_SECURE_PORT=7890 UNSECURE_PORT=7888 
@@ -55,7 +56,7 @@ UNSECURE_PORT=7888 if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ] then - /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} + /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} fi diff --git a/pki/dogtag/ra/pki-ra.spec b/pki/dogtag/ra/pki-ra.spec index bce43db3..18177bea 100644 --- a/pki/dogtag/ra/pki-ra.spec +++ b/pki/dogtag/ra/pki-ra.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.0.0 -%define base_release 15 +%define base_release 16 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -261,6 +261,8 @@ fi ############################################################################### %changelog +* Tue Feb 24 2009 Matthew Harmsen 1.0.0-16 +- Bugzilla Bug #485859 - port separation for RA and TPS * Mon Feb 23 2009 Matthew Harmsen 1.0.0-15 - Bugzilla Bug #486435 - clicking on configuration URL results in error * Sat Feb 14 2009 Matthew Harmsen 1.0.0-14 diff --git a/pki/dogtag/setup/pki-setup.spec b/pki/dogtag/setup/pki-setup.spec index beabb748..f966ef31 100644 --- a/pki/dogtag/setup/pki-setup.spec +++ b/pki/dogtag/setup/pki-setup.spec 
@@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.0.0 -%define base_release 11 +%define base_release 12 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -217,6 +217,8 @@ rm -rf ${RPM_BUILD_ROOT} ############################################################################### %changelog +* Tue Feb 24 2009 Matthew Harmsen 1.0.0-12 +- Bugzilla Bug #485859 - port separation for RA and TPS * Wed Feb 11 2009 Matthew Harmsen 1.0.0-11 - Bugzilla Bug #467155 - Change "renameTo" to "cp -p " * Mon Feb 9 2009 Ade Lee 1.0.0-10 diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec index 65db01a9..f16ca5b5 100644 --- a/pki/dogtag/tps/pki-tps.spec +++ b/pki/dogtag/tps/pki-tps.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.0.0 -%define base_release 23 +%define base_release 24 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license LGPLv2 with exceptions @@ -308,6 +308,8 @@ fi ############################################################################### %changelog +* Tue Feb 24 2009 Matthew Harmsen 1.0.0-24 +- Bugzilla Bug #485859 - port separation for RA and TPS * Mon Feb 23 2009 Matthew Harmsen 1.0.0-23 - Bugzilla Bug #486435 - clicking on configuration URL results in error * Tue Feb 17 2009 Matthew Harmsen 1.0.0-22 -- cgit