[Freeipa-devel] testing pki-ca behind apache for ipa

[Adam Young]

Cross posting to the freeipa devel list, as I think this is where people 
are going to be most interested.



On 08/15/2011 12:00 PM, Ade Lee wrote:
> Adam,
>
> As you know, I have been testing putting a dogtag CA behind an apache
> instance - and using the standard ports to contact the CA.  The basic
> idea is to let apache handle the client authentication required, and
> then to pass the relevant parameters to tomcat using AJP.
>
> What this means is there will be a dogtag.conf file placed
> under /etc/httpd/httpd.conf - and this file will contain Location
> elements with ProxyPass directives.  Some of these (agent pages) will
> require client authentication, and some will not.
>
> I had run into an issue with my browser where when switching from
> non-client-auth to client-auth, renegotiations were being disallowed.
> This is, I strongly suspect due to the fixes in NSS for the MITM issue,
> where "unsafe" legacy renegotiations will be disallowed.  Attempts to
> pass the relevant environment parameters to NSS failed to alter this
> result.  I'll continue to work with Rob on this.
>
> However, I believe that this problem will not affect the installation/
> interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
> using the latest NSS under the covers - which uses the new safe
> regotiation protocol.
>
> My initial testing seems to indicate that this is in fact the case.
> However, as I have been pulled into fips issues, I was hoping you could
> continue the testing.  Once we have a working setup, we can worry about
> the code changes to pkicreate/pkisilent to do most of the
> configuration.
>
> Here is what you need to do:
>
> 1. Install ipa with dogtag
> 2. Stop the CA (service pki-cad stop pki-ca)
> 3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
> and have it redirect for SSL to the EE port (9444)
> 4. Modify the web.xml in  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
> turn off the filtering mechanism.  You will see stanzas like the
> following for ee, agent and admin ports.  Make sure that active is set
> to false for all.
>
>      <filter>
>          <filter-name>AgentRequestFilter</filter-name>
>          <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
>          <init-param>
>              <param-name>https_port</param-name>
>              <param-value>9203</param-value>
>          </init-param>
>          <init-param>
>              <param-name>active</param-name>
>              <param-value>false</param-value>
>          </init-param>
>      </filter>
> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
> 6. restart the ca. (service pki-cad start pki-ca)
>
> We are now ready to do some testing.
>
> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
> 2. Do your IPA cert tests and confirm that it works ok.
> 3. Try installing a replica.  Make sure to pass https://hostname:443
>     That is - do not leave out the 443 part as the installation code will
> not recognize 443 as a default port.  Actually, now that I think about
> it - there will be more changes needed in the Installation Panel code to
> get all this to work.  So I'll get to this when I can.
>
> Thanks,
>
> Ade
>
>
>