[Freeipa-devel] testing pki-ca behind apache for ipa
Adam Young
ayoung at redhat.com
Tue Aug 16 02:50:05 UTC 2011
Just to keep the lists informed:
We found a couple more things out after that last posting:
The suburl /ca/ee/ca/ works fine, so mod_proxy_ajp does work in some
cases.
Calling the CA from IPA does not work as we get the error:
[Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418):
Re-negotation request failed: returned error -12176
You can see this by making the changes to logging:
diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf
95c95,96
< LogLevel warn
---
> #LogLevel warn
> LogLevel debug
On 08/15/2011 10:10 PM, Adam Young wrote:
> On 08/15/2011 12:00 PM, Ade Lee wrote:
>> Adam,
>>
>> As you know, I have been testing putting a dogtag CA behind an apache
>> instance - and using the standard ports to contact the CA. The basic
>> idea is to let apache handle the client authentication required, and
>> then to pass the relevant parameters to tomcat using AJP.
>>
>> What this means is there will be a dogtag.conf file placed
>> under /etc/httpd/httpd.conf - and this file will contain Location
>> elements with ProxyPass directives. Some of these (agent pages) will
>> require client authentication, and some will not.
>>
>> I had run into an issue with my browser where when switching from
>> non-client-auth to client-auth, renegotiations were being disallowed.
>> This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
>> where "unsafe" legacy renegotiations will be disallowed. Attempts to
>> pass the relevant environment parameters to NSS failed to alter this
>> result. I'll continue to work with Rob on this.
>>
>> However, I believe that this problem will not affect the installation/
>> interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
>> using the latest NSS under the covers - which uses the new safe
>> renegotiation protocol.
>>
>> My initial testing seems to indicate that this is in fact the case.
>> However, as I have been pulled into FIPS issues, I was hoping you could
>> continue the testing. Once we have a working setup, we can worry about
>> the code changes to pkicreate/pkisilent to do most of the
>> configuration.
>>
>> Here is what you need to do:
>>
>> 1. Install ipa with dogtag
>> 2. Stop the CA (service pki-cad stop pki-ca)
> service ipa stop
>> 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
>> and have it redirect for SSL to the EE port (9444)
>
> [root at f15server ~]# diff /etc/pki-ca/server.xml.orig
> /etc/pki-ca/server.xml
> 216a217
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
>
>> 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
>> turn off the filtering mechanism. You will see stanzas like the
>> following for ee, agent and admin ports. Make sure that active is set
>> to false for all.
>>
>> <filter>
>> <filter-name>AgentRequestFilter</filter-name>
>> <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
>> <init-param>
>> <param-name>https_port</param-name>
>> <param-value>9203</param-value>
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> <param-value>false</param-value>
>> </init-param>
>> </filter>
> [root at f15server WEB-INF]# git diff web.xml.orig web.xml
> diff --git a/web.xml.orig b/web.xml
> index 7f757bd..affa315 100644
> --- a/web.xml.orig
> +++ b/web.xml
> @@ -12,7 +12,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
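Review bot: with active set to false in this hunk (and the three identical ones below), the filter no longer checks that the request arrived on its own https_port, so the only thing still requiring a client certificate for agent pages is the apache Location/ProxyPass configuration in dogtag.conf. Before calling the setup good, confirm that the AJP connector on 8009 added to server.xml in step 3 is reachable only from the local apache instance (for example by binding it with address="127.0.0.1"); otherwise the agent and admin servlets become reachable without client auth once the filters are off.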
> @@ -25,7 +25,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
> @@ -42,7 +42,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
> @@ -55,7 +55,7 @@
> </init-param>
> <init-param>
> <param-name>active</param-name>
> - <param-value>true</param-value>
> + <param-value>false</param-value>
> </init-param>
> </filter>
>
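Review bot: none of the four hunks carries the <filter-name> line in its context, so the diff alone cannot show which filter each one disables, and there are four hunks where the step 4 text names only the ee, agent and admin filters. Regenerate with more context (git diff -U8 web.xml.orig web.xml) or list the filter names next to the diff so a reader can confirm every filter is covered.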
>
>
>
>> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
> mv ~/dogtag.conf /etc/httpd/conf.d/
>
>
>> 6. restart the ca. (service pki-cad start pki-ca)
> service ipa start
>
>>
>> We are now ready to do some testing.
>>
>> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
> diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig
> /usr/lib/python2.7/site-packages/ipalib/constants.py
> 140c140
> < ('ca_agent_port', 9443),
> ---
> > ('ca_agent_port', 443),
>
>> 2. Do your IPA cert tests and confirm that it works ok.
> service ipa restart
>
>
> ....
>
> cannot connect to
> 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial':
> ''
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
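An added check for the state steps 3 and 4 leave the two Tomcat files in, written for this thread and not part of dogtag or IPA: it parses web.xml and reports any request filter still set to active=true (which would reject requests proxied over AJP), and parses server.xml and reports any AJP connector not bound to a loopback address, since with the filters off apache is the only thing enforcing client-cert auth. The sample XML is constructed; the filter name EERequestFilter, the J2EE namespace on web-app and the use of the Tomcat Connector address attribute are assumptions, not taken from the thread.

```python
"""Audit the web.xml filters and server.xml AJP connectors after the proxy setup."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples (not the real files). EERequestFilter is an assumed name;
# AgentRequestFilter is the one the thread quotes.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>AgentRequestFilter</filter-name>
    <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
    <init-param><param-name>https_port</param-name><param-value>9443</param-value></init-param>
    <init-param><param-name>active</param-name><param-value>false</param-value></init-param>
  </filter>
  <filter>
    <filter-name>EERequestFilter</filter-name>
    <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
    <init-param><param-name>https_port</param-name><param-value>9444</param-value></init-param>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="9444"/>
</Service></Server>"""

# Same server.xml with the AJP connector bound to loopback (assumed Tomcat 'address' attribute).
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace('port="8009"', 'port="8009" address="127.0.0.1"')


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); web.xml carries the J2EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def filter_status(web_xml_text):
    """Return {filter-name: {"active": bool, "https_port": str}} for every <filter>."""
    root = ET.fromstring(web_xml_text)
    status = {}
    for flt in root.iter():
        if _local(flt.tag) != "filter":
            continue
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _children(flt, "init-param")}
        status[_text(flt, "filter-name")] = {
            # A filter with no 'active' param is treated as active (conservative).
            "active": params.get("active", "true").lower() == "true",
            "https_port": params.get("https_port", ""),
        }
    return status


def active_filters(web_xml_text):
    """Names of filters that are still active, i.e. still enforce their own https_port."""
    return sorted(n for n, s in filter_status(web_xml_text).items() if s["active"])


def exposed_ajp_connectors(server_xml_text):
    """Ports of AJP connectors not bound to a loopback address (reachable from other hosts)."""
    root = ET.fromstring(server_xml_text)
    exposed = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        if conn.get("address", "") not in LOOPBACK:
            exposed.append(conn.get("port"))
    return exposed


def audit(web_xml_text, server_xml_text):
    """Human-readable findings; an empty list means both files are in the expected state."""
    findings = []
    for name in active_filters(web_xml_text):
        findings.append(f"web.xml: {name} still has active=true; requests proxied over AJP will be rejected")
    for port in exposed_ajp_connectors(server_xml_text):
        findings.append(f"server.xml: AJP connector on port {port} is not bound to loopback; "
                        'with the filters disabled, add address="127.0.0.1" so only apache can reach it')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML, SAMPLE_SERVER_XML):
        print(finding)
```

Run against the real files by reading /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml and /etc/pki-ca/server.xml into the two arguments of audit(); on the constructed samples it reports the still-active EERequestFilter and the unbound 8009 connector, and nothing once both are fixed.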