[Freeipa-devel] testing pki-ca behind apache for ipa

Adam Young ayoung at redhat.com
Tue Aug 16 21:45:01 UTC 2011


Success with these additional changes:

[root at ipa-server-3 python2.7]# diff /etc/httpd/conf.d/nss.conf.orig 
/etc/httpd/conf.d/nss.conf
74c74
< NSSRenegotiation off
---
 > NSSRenegotiation on
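Review bot: Flipping `NSSRenegotiation` from off to on at line 74 re-enables server-side renegotiation for everything this nss.conf serves, not just the proxied CA paths; pair it with `NSSRequireSafeNegotiation on` so mod_nss only accepts the RFC 5746 (renegotiation_info extension) form, and leave a comment beside the directive recording that it was needed to clear the -12176 re-negotiation error quoted further down, so nobody later turns it back off (or relaxes it further) without knowing why.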


[root at ipa-server-3 python2.7]# diff -u 
./site-packages/ipapython/nsslib.py.orig ./site-packages/ipapython/nsslib.py
--- ./site-packages/ipapython/nsslib.py.orig    2011-08-16 
17:19:53.000000000 -0400
+++ ./site-packages/ipapython/nsslib.py    2011-08-16 17:35:17.000000000 
-0400
@@ -213,7 +213,10 @@
          self.sock = ssl.SSLSocket(family=self.family)
          self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
          self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+    #ssl.define  SSL_REQUIRE_SAFE_NEGOTIATION   21
+    self.sock.set_ssl_option(21, False)
+        #ssl.h define SSL_ENABLE_RENEGOTIATION       20
+    self.sock.set_ssl_option(20, 2)
          # Provide a callback which notifies us when the SSL handshake 
is complete
          self.sock.set_handshake_callback(self.handshake_callback)

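Review bot: The two added `set_ssl_option` calls hardcode 21 and 20 with the constant names only in comments; if this python-nss build does not export `SSL_REQUIRE_SAFE_NEGOTIATION` and `SSL_ENABLE_RENEGOTIATION`, define module-level constants with those names and use them at the call site, and spell out the value 2, which in NSS's ssl.h is SSL_RENEGOTIATE_REQUIRES_XTN (renegotiate only with a peer that sends the renegotiation_info extension). With that mode in effect the first call, `set_ssl_option(21, False)`, is the real relaxation: it drops the client's requirement for safe negotiation, which is exactly the protection Ade's earlier mail attributes to the MITM fixes, so justify it in the comment or drop it if the second call alone clears the -12176 error. The `+` lines also appear indented four spaces, shallower than the surrounding method body; re-indent to match so the patch applies as valid Python.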




On 08/15/2011 10:50 PM, Adam Young wrote:
> Just to keep the lists informed:
>
> We found a couple more things out after that last posting:
>
> The suburl /ca/ee/ca/ works fine, so mod_proxy_ajp does work in
> some cases.
>
> Calling the CA from IPA does not work as we get the error:
>
> [Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418): 
> Re-negotation request failed: returned error -12176
>
> You can see this by making the changes to logging:
>
>  diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf
> 95c95,96
> < LogLevel warn
> ---
> > #LogLevel warn
> > LogLevel debug
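Review bot: `LogLevel debug` at line 95 is server-wide, not scoped to the CA proxy paths, and mod_nss debug output is verbose; keep the original `LogLevel warn` line commented as it is here so it can be restored once the -12176 trace has been captured.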
>
>
>
> On 08/15/2011 10:10 PM, Adam Young wrote:
>> On 08/15/2011 12:00 PM, Ade Lee wrote:
>>> Adam,
>>>
>>> As you know, I have been testing putting a dogtag CA behind an apache
>>> instance - and using the standard ports to contact the CA.  The basic
>>> idea is to let apache handle the client authentication required, and
>>> then to pass the relevant parameters to tomcat using AJP.
>>>
>>> What this means is there will be a dogtag.conf file placed
>>> under /etc/httpd/httpd.conf - and this file will contain Location
>>> elements with ProxyPass directives.  Some of these (agent pages) will
>>> require client authentication, and some will not.
>>>
>>> I had run into an issue with my browser where when switching from
>>> non-client-auth to client-auth, renegotiations were being disallowed.
>>> This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
>>> where "unsafe" legacy renegotiations will be disallowed.  Attempts to
>>> pass the relevant environment parameters to NSS failed to alter this
>>> result.  I'll continue to work with Rob on this.
>>>
>>> However, I believe that this problem will not affect the installation/
>>> interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
>>> using the latest NSS under the covers - which uses the new safe
>>> renegotiation protocol.
>>>
>>> My initial testing seems to indicate that this is in fact the case.
>>> However, as I have been pulled into FIPS issues, I was hoping you could
>>> continue the testing.  Once we have a working setup, we can worry about
>>> the code changes to pkicreate/pkisilent to do most of the
>>> configuration.
>>>
>>> Here is what you need to do:
>>>
>>> 1. Install ipa with dogtag
>>> 2. Stop the CA (service pki-cad stop pki-ca)
>> service ipa stop
>>> 3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
>>> and have it redirect for SSL to the EE port (9444)
>>
>> [root at f15server ~]# diff /etc/pki-ca/server.xml.orig 
>> /etc/pki-ca/server.xml
>> 216a217
>> > <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
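Review bot: The new AJP `<Connector>` at line 217 has no `address` attribute, so Tomcat binds 8009 on every interface; since the whole point of this setup is that apache performs the client authentication before forwarding over AJP, anything that can reach 8009 directly skips that check. Add `address="127.0.0.1"` (or the host apache runs on) and make sure the port is not exposed by the firewall.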
>>
>>> 4. Modify the web.xml in  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
>>> turn off the filtering mechanism.  You will see stanzas like the
>>> following for ee, agent and admin ports.  Make sure that active is set
>>> to false for all.
>>>
>>> <filter>
>>> <filter-name>AgentRequestFilter</filter-name>
>>> <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> 
>>>
>>> <init-param>
>>> <param-name>https_port</param-name>
>>> <param-value>9203</param-value>
>>> </init-param>
>>> <init-param>
>>> <param-name>active</param-name>
>>> <param-value>false</param-value>
>>> </init-param>
>>> </filter>
>> [root at f15server WEB-INF]# git diff web.xml.orig web.xml
>> diff --git a/web.xml.orig b/web.xml
>> index 7f757bd..affa315 100644
>> --- a/web.xml.orig
>> +++ b/web.xml
>> @@ -12,7 +12,7 @@
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> - <param-value>true</param-value>
>> + <param-value>false</param-value>
>> </init-param>
>> </filter>
>>
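Review bot: The context of this hunk (and of the three that follow) stops short of the `<filter-name>`, so the diff alone does not show which of the ee, agent and admin filters each `true` to `false` flip belongs to; regenerate with more context (`git diff -U10`) so the review can tie each hunk to step 4. Once `active` is false the CA itself no longer checks that agent or admin requests arrived on their client-auth port, so this change has to land together with the dogtag.conf `<Location>` blocks that require client certificates, otherwise those interfaces are reachable on 443 with no client cert at all.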
>> @@ -25,7 +25,7 @@
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> - <param-value>true</param-value>
>> + <param-value>false</param-value>
>> </init-param>
>> </filter>
>>
>> @@ -42,7 +42,7 @@
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> - <param-value>true</param-value>
>> + <param-value>false</param-value>
>> </init-param>
>> </filter>
>>
>> @@ -55,7 +55,7 @@
>> </init-param>
>> <init-param>
>> <param-name>active</param-name>
>> - <param-value>true</param-value>
>> + <param-value>false</param-value>
>> </init-param>
>> </filter>
>>
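Review bot: This is the fourth `active` flip, but step 4 above names only three filter stanzas (ee, agent and admin); with the `<filter-name>` outside the hunk context it is not possible to tell which filter this one disables, so confirm it is meant to be turned off too and does not guard something unrelated to the port redirection.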
>>> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
>> mv ~/dogtag.conf /etc/httpd/conf.d/
>>
>>
>>> 6. restart the ca. (service pki-cad start pki-ca)
>>  service ipa start
>>
>>>
>>> We are now ready to do some testing.
>>>
>>> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
>>  diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig 
>> /usr/lib/python2.7/site-packages/ipalib/constants.py
>> 140c140
>> <     ('ca_agent_port', 9443),
>> ---
>> >     ('ca_agent_port', 443),
>>
>>> 2. Do your IPA cert tests and confirm that it works ok.
>> service ipa restart
>>
>>
>> ....
>>
>> cannot connect to 
>> 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': 
>> ''
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
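An added check (not code from the thread, IPA or dogtag) that ties step 4 to the apache-side requirement Ade describes: it parses a web.xml for filters set to active=false and a mod_nss config for <Location> blocks carrying NSSVerifyClient require, and reports client-auth interfaces that neither layer now protects. The filter names other than AgentRequestFilter, the filter-to-path map, the placement of NSSVerifyClient inside the Location blocks and both sample configs are constructed assumptions.

```python
"""Cross-check a dogtag web.xml whose port filters were set to active=false
against the mod_nss config that must now gate agent/admin paths with client
certs.  Added example; filter names other than AgentRequestFilter, the path
map and both sample configs are constructed assumptions, not dogtag's own."""
import re
import xml.etree.ElementTree as ET

# Assumed mapping from dogtag filter name to the URL prefix it used to guard.
FILTER_PATHS = {"AgentRequestFilter": "/ca/agent", "AdminRequestFilter": "/ca/admin",
                "EERequestFilter": "/ca/ee"}
CLIENT_AUTH_FILTERS = {"AgentRequestFilter", "AdminRequestFilter"}  # EE stays open

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any xmlns prefix a real web.xml carries

def disabled_filters(web_xml):
    """Return {filter-name: https_port} for every <filter> with active=false."""
    out = {}
    for f in ET.fromstring(web_xml).iter():
        if _local(f.tag) != "filter":
            continue
        name, params = None, {}
        for child in f:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if params.get("active", "true").lower() == "false":
            out[name] = params.get("https_port")
    return out

_LOCATION = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)

def client_auth_locations(httpd_conf):
    """Set of <Location> prefixes whose block contains 'NSSVerifyClient require'."""
    return {path for path, body in _LOCATION.findall(httpd_conf)
            if re.search(r"^\s*NSSVerifyClient\s+require\b", body, re.M | re.I)}

def unprotected_interfaces(web_xml, httpd_conf):
    """Client-auth filters disabled in web.xml whose path Apache does not gate."""
    off, gated = disabled_filters(web_xml), client_auth_locations(httpd_conf)
    return sorted(n for n in off
                  if n in CLIENT_AUTH_FILTERS and FILTER_PATHS.get(n) not in gated)

# Constructed samples: all three filters off, but only /ca/agent gated in Apache.
SAMPLE_WEB_XML = "<web-app>" + "".join(
    f"<filter><filter-name>{n}</filter-name><init-param><param-name>https_port"
    f"</param-name><param-value>{p}</param-value></init-param><init-param>"
    "<param-name>active</param-name><param-value>false</param-value></init-param>"
    "</filter>" for n, p in [("AgentRequestFilter", 9443), ("AdminRequestFilter", 9445),
                             ("EERequestFilter", 9444)]) + "</web-app>"
SAMPLE_DOGTAG_CONF = ("<Location /ca/agent>\n  NSSVerifyClient require\n"
    "  ProxyPass ajp://localhost:8009/ca/agent\n</Location>\n"
    "<Location /ca/admin>\n  ProxyPass ajp://localhost:8009/ca/admin\n</Location>\n")
```

Running `unprotected_interfaces(SAMPLE_WEB_XML, SAMPLE_DOGTAG_CONF)` on the samples reports the admin interface, whose dogtag filter is off while its Location block carries no NSSVerifyClient.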