[Pki-devel] testing pki-ca behind apache for ipa

Adam Young ayoung at redhat.com
Tue Aug 16 02:10:05 UTC 2011


On 08/15/2011 12:00 PM, Ade Lee wrote:
> Adam,
>
> As you know, I have been testing putting a dogtag CA behind an apache
> instance - and using the standard ports to contact the CA.  The basic
> idea is to let apache handle the client authentication required, and
> then to pass the relevant parameters to tomcat using AJP.
>
> What this means is there will be a dogtag.conf file placed
> under /etc/httpd/httpd.conf - and this file will contain Location
> elements with ProxyPass directives.  Some of these (agent pages) will
> require client authentication, and some will not.
>
> I had run into an issue with my browser where when switching from
> non-client-auth to client-auth, renegotiations were being disallowed.
> This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
> where "unsafe" legacy renegotiations will be disallowed.  Attempts to
> pass the relevant environment parameters to NSS failed to alter this
> result.  I'll continue to work with Rob on this.
>
> However, I believe that this problem will not affect the installation/
> interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
> using the latest NSS under the covers - which uses the new safe
> renegotiation protocol.
>
> My initial testing seems to indicate that this is in fact the case.
> However, as I have been pulled into fips issues, I was hoping you could
> continue the testing.  Once we have a working setup, we can worry about
> the code changes to pkicreate/pkisilent to do most of the
> configuration.
>
> Here is what you need to do:
>
> 1. Install ipa with dogtag
> 2. Stop the CA (service pki-cad stop pki-ca)
service ipa stop
> 3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
> and have it redirect for SSL to the EE port (9444)

[root at f15server ~]# diff /etc/pki-ca/server.xml.orig /etc/pki-ca/server.xml
216a217
 > <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
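Review bot: the added Connector has no address attribute, so Tomcat binds the AJP listener on every interface rather than only the loopback that httpd on the same host uses. Because step 4 turns the request filters off, anyone who can reach port 8009 directly can talk to the agent and admin servlets without ever passing httpd's client-certificate check; add address="127.0.0.1" to the connector (and keep 8009 closed in the firewall) before relying on the proxy for access control.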

> 4. Modify the web.xml in  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
> turn off the filtering mechanism.  You will see stanzas like the
> following for ee, agent and admin ports.  Make sure that active is set
> to false for all.
>
>      <filter>
>          <filter-name>AgentRequestFilter</filter-name>
>          <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
>          <init-param>
>              <param-name>https_port</param-name>
>              <param-value>9203</param-value>
>          </init-param>
>          <init-param>
>              <param-name>active</param-name>
>              <param-value>false</param-value>
>          </init-param>
>      </filter>
[root at f15server WEB-INF]# git diff web.xml.orig web.xml
diff --git a/web.xml.orig b/web.xml
index 7f757bd..affa315 100644
--- a/web.xml.orig
+++ b/web.xml
@@ -12,7 +12,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
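Review bot: with active set to false here the filter's https_port check is gone, so the container no longer cares which port a request for these servlets arrived on; the only thing that ties the agent paths to client-certificate authentication is now the matching Location stanza in dogtag.conf, which must therefore require a client cert rather than merely accept one. The seven-line context in this hunk does not reach back to the <filter-name>, so the mail should state which filter this first hunk disables.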

@@ -25,7 +25,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>

@@ -42,7 +42,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>

@@ -55,7 +55,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
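Review bot: this is a fourth filter being set to active=false, while step 4 only lists the ee, agent and admin filters; name this fourth filter and confirm it was meant to be disabled, since every filter switched off here widens what the proxied container will serve to whatever httpd forwards.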




> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
mv ~/dogtag.conf /etc/httpd/conf.d/


> 6. restart the ca. (service pki-cad start pki-ca)
  service ipa start

>
> We are now ready to do some testing.
>
> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig /usr/lib/python2.7/site-packages/ipalib/constants.py
140c140
<     ('ca_agent_port', 9443),
---
 >     ('ca_agent_port', 443),

> 2. Do your IPA cert tests and confirm that it works ok.
service ipa restart


....

cannot connect to 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': ''
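The dogtag.conf attached to Ade's mail is not in the archive. What follows is an added illustration, not the attached file and not code from the pki or IPA projects, of the kind of httpd configuration step 5 describes: Location blocks that proxy to the AJP connector from step 3, with a client certificate demanded only on the agent and admin paths. It assumes httpd uses mod_nss (as on an IPA server) with mod_proxy_ajp loaded, that the AJP connector listens on localhost:8009, and that the CA webapp is mounted at /ca; the NSSRenegotiation and NSSRequireSafeNegotiation directives are mod_nss's safe-renegotiation knobs and are included only as an assumption about how the renegotiation problem described above could be approached.

```apache
# /etc/httpd/conf.d/dogtag.conf  (added example, not the attachment from the mail)
# Assumes: mod_nss and mod_proxy_ajp loaded, Tomcat AJP connector on
# localhost:8009 (step 3), CA webapp context path /ca.

# Only accept renegotiation that carries the RFC 5746 extension.  A client
# without safe renegotiation will then fail when it moves from a Location
# that needs no client cert to one that does; that is the symptom Ade saw
# in the browser, and why ipa-ra-plugin (new NSS) is expected to be fine.
NSSRenegotiation on
NSSRequireSafeNegotiation on

# Catch-all for the webapp: proxied over AJP, no client certificate.
# More specific Locations below are processed later and override this one.
<Location "/ca">
    NSSVerifyClient none
    ProxyPass        ajp://localhost:8009/ca
    ProxyPassReverse ajp://localhost:8009/ca
</Location>

# EE pages: TLS only, as on the 9444 connector.
<Location "/ca/ee">
    NSSVerifyClient none
    ProxyPass        ajp://localhost:8009/ca/ee
    ProxyPassReverse ajp://localhost:8009/ca/ee
</Location>

# Agent pages: the AgentRequestFilter in web.xml is now inactive, so this
# stanza is the only point at which a client certificate is required before
# the request reaches Tomcat.  "require", not "optional": an optional cert
# would let a bare TLS client through to the agent servlets.
<Location "/ca/agent">
    NSSVerifyClient require
    ProxyPass        ajp://localhost:8009/ca/agent
    ProxyPassReverse ajp://localhost:8009/ca/agent
</Location>

# Admin pages: same rule as the agent pages.
<Location "/ca/admin">
    NSSVerifyClient require
    ProxyPass        ajp://localhost:8009/ca/admin
    ProxyPassReverse ajp://localhost:8009/ca/admin
</Location>
```

Two things to check once this is in place. First, httpd must actually be the only way in: the Tomcat HTTPS connectors on 9443/9444/9445 are still defined in server.xml, and with the filters set to false the container no longer rejects an agent URL that arrives on the EE port, so whatever authentication the servlets do themselves becomes the only check on that path until those connectors are removed or firewalled. Second, the AJP port itself needs to be reachable from localhost only, since a request delivered straight to 8009 never sees the NSSVerifyClient check at all.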










