[Freeipa-devel] testing pki-ca behind apache for ipa

Adam Young ayoung at redhat.com
Tue Aug 16 02:50:05 UTC 2011 

Just to keep the lists informed:

We found a couple more things out after that last posting:

The suburl   /ca/ee/ca/  works fine, so mod_proxcy_ajp does work in some 
cases.

Calling the CA  from IPA does not work as we get the error:

[Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418): 
Re-negotation request failed: returned error -12176

You can see this by making the changes to logging:

  diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf
95c95,96
< LogLevel warn
---
 > #LogLevel warn
 > LogLevel debug



On 08/15/2011 10:10 PM, Adam Young wrote:
> On 08/15/2011 12:00 PM, Ade Lee wrote:
>> Adam,
>>
>> As you know, I have been testing putting a dogtag CA behind an apache
>> instance - and using the standard ports to contact the CA.  The basic
>> idea is to let apache handle the client authentication required, and
>> then to pass the relevant parameters to tomcat using AJP.
>>
>> What this means is there will be a dogtag.conf file placed
>> under /etc/httpd/httpd.conf - and this file will contain Location
>> elements with ProxyPass directives.  Some of these (agent pages) will
>> require client authentication, and some will not.
>>
>> I had run into an issue with my browser where when switching from
>> non-client-auth to client-auth, renegotiations were being disallowed.
>> This is, I strongly suspect due to the fixes in NSS for the MITM issue,
>> where "unsafe" legacy renegotiations will be disallowed.  Attempts to
>> pass the relevant environment parameters to NSS failed to alter this
>> result.  I'll continue to work with Rob on this.
>>
>> However, I believe that this problem will not affect the installation/
>> interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
>> using the latest NSS under the covers - which uses the new safe
>> regotiation protocol.
>>
>> My initial testing seems to indicate that this is in fact the case.
>> However, as I have been pulled into fips issues, I was hoping you could
>> continue the testing.  Once we have a working setup, we can worry about
>> the code changes to pkicreate/pkisilent to do most of the
>> configuration.
>>
>> Here is what you need to do:
>>
>> 1. Install ipa with dogtag
>> 2. Stop the CA (service pki-cad stop pki-ca)
> service ipa stop
>> 3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
>> and have it redirect for SSL to the EE port (9444)
>
> [root at f15server ~]# diff /etc/pki-ca/server.xml.orig 
> /etc/pki-ca/server.xml
> 216a217
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
>
>> 4. Modify the web.xml in  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
>> turn off the filtering mechanism.  You will see stanzas like the
>> following for ee, agent and admin ports.  Make sure that active is set
>> to false for all.
>>
>> <filter>
>> <filter-name>AgentRequestFilter</filter-name>
>> <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
>> <init-param>
>> <param-name>https_port</param-name>
>> <param-value>9203</param-value>
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> <param-value>false</param-value>
>> </init-param>
>> </filter>
> [root at f15server WEB-INF]# git diff web.xml.orig web.xml
> diff --git a/web.xml.orig b/web.xml
> index 7f757bd..affa315 100644
> --- a/web.xml.orig
> +++ b/web.xml
> @@ -12,7 +12,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
> @@ -25,7 +25,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
> @@ -42,7 +42,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
> @@ -55,7 +55,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
>
>
>
>> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
> mv ~/dogtag.conf /etc/httpd/conf.d/
>
>
>> 6. restart the ca. (service pki-cad start pki-ca)
>  service ipa start
>
>>
>> We are now ready to do some testing.
>>
>> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
>  diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig 
> /usr/lib/python2.7/site-packages/ipalib/constants.py
> 140c140
> <     ('ca_agent_port', 9443),
> ---
> >     ('ca_agent_port', 443),
>
>> 2. Do your IPA cert tests and confirm that it works ok.
> service ipa restart
>
>
> ....
>
> cannot connect to 
> 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': 
> ''
>
>
>
>
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

More information about the Freeipa-devel mailing list