[Freeipa-devel] testing pki-ca behind apache for ipa
Adam Young
ayoung at redhat.com
Mon Aug 15 19:13:36 UTC 2011
Cross posting to the freeipa devel list, as I think this is where people
are going to be most interested.
On 08/15/2011 12:00 PM, Ade Lee wrote:
> Adam,
>
> As you know, I have been testing putting a dogtag CA behind an apache
> instance - and using the standard ports to contact the CA. The basic
> idea is to let apache handle the client authentication required, and
> then to pass the relevant parameters to tomcat using AJP.
>
> What this means is there will be a dogtag.conf file placed
> under /etc/httpd/httpd.conf - and this file will contain Location
> elements with ProxyPass directives. Some of these (agent pages) will
> require client authentication, and some will not.
>
> I had run into an issue with my browser where when switching from
> non-client-auth to client-auth, renegotiations were being disallowed.
> This is, I strongly suspect due to the fixes in NSS for the MITM issue,
> where "unsafe" legacy renegotiations will be disallowed. Attempts to
> pass the relevant environment parameters to NSS failed to alter this
> result. I'll continue to work with Rob on this.
>
> However, I believe that this problem will not affect the installation/
> interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
> using the latest NSS under the covers - which uses the new safe
> regotiation protocol.
>
> My initial testing seems to indicate that this is in fact the case.
> However, as I have been pulled into fips issues, I was hoping you could
> continue the testing. Once we have a working setup, we can worry about
> the code changes to pkicreate/pkisilent to do most of the
> configuration.
>
> Here is what you need to do:
>
> 1. Install ipa with dogtag
> 2. Stop the CA (service pki-cad stop pki-ca)
> 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
> and have it redirect for SSL to the EE port (9444)
> 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
> turn off the filtering mechanism. You will see stanzas like the
> following for ee, agent and admin ports. Make sure that active is set
> to false for all.
>
> <filter>
> <filter-name>AgentRequestFilter</filter-name>
> <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
> <init-param>
> <param-name>https_port</param-name>
> <param-value>9203</param-value>
> </init-param>
> <init-param>
> <param-name>active</param-name>
> <param-value>false</param-value>
> </init-param>
> </filter>
> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
> 6. restart the ca. (service pki-cad start pki-ca)
>
> We are now ready to do some testing.
>
> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
> 2. Do your IPA cert tests and confirm that it works ok.
> 3. Try installing a replica. Make sure to pass https://hostname:443
> That is - do not leave out the 443 part as the installation code will
> not recognize 443 as a default port. Actually, now that I think about
> it - there will be more changes needed in the Installation Panel code to
> get all this to work. So I'll get to this when I can.
>
> Thanks,
>
> Ade
>
>
>
More information about the Freeipa-devel
mailing list