Bug 712931
| Field | Value |
|---|---|
| Summary | CS requires too many ports to be open in the FW. |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Dmitri Pal <dpal> |
| Component | ipa-pki-theme |
| Assignee | Ade Lee <alee> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 6.1 |
| CC | alee, ayoung, jgalipea, kchamart, nsoman, syeghiay |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ipa-pki-theme-9.0.3-7.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 726526 (view as bug list) |
| Environment | |
| Last Closed | 2011-12-06 18:56:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 726526 |
| Attachments | |
Description
Dmitri Pal 2011-06-13 16:12:36 UTC

This is something we need to align with IPA 2.2.

Created attachment 519210 [details]
patch to fix

Comment on attachment 519210 [details]
patch to fix

CAVEATS:
(1) fix 'base/selinux/src/pki.if' line to use subsystem variable rather than 'pki_ca_t'
(2) clone bug to provide 'proxy.conf' file for KRA, OCSP, and TKS subsystems
tip:
```
[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW"
Sending        base/ca/shared/conf/CS.cfg.in
Adding         base/ca/shared/conf/proxy.conf
Sending        base/ca/shared/conf/server.xml
Sending        base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        base/kra/shared/conf/CS.cfg.in
Sending        base/kra/shared/conf/server.xml
Sending        base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        base/ocsp/shared/conf/CS.cfg.in
Sending        base/ocsp/shared/conf/server.xml
Sending        base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon.pm
Sending        base/setup/pkicreate
Sending        base/tks/shared/conf/CS.cfg.in
Sending        base/tks/shared/conf/server.xml
Sending        base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2160.
```

6.2:
```
[vakwetu@goofy-vm6 pki]$ svn ci -m "svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW, base changes" base
Sending        pki/base/ca/shared/conf/CS.cfg.in
Adding         pki/base/ca/shared/conf/proxy.conf
Sending        pki/base/ca/shared/conf/server.xml
Sending        pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        pki/base/kra/shared/conf/CS.cfg.in
Sending        pki/base/kra/shared/conf/server.xml
Sending        pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        pki/base/ocsp/shared/conf/CS.cfg.in
Sending        pki/base/ocsp/shared/conf/server.xml
Sending        pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        pki/base/selinux/src/pki.if
Sending        pki/base/selinux/src/pki.te
Sending        pki/base/setup/pkicommon.pm
Sending        pki/base/setup/pkicreate
Sending        pki/base/tks/shared/conf/CS.cfg.in
Sending        pki/base/tks/shared/conf/server.xml
Sending        pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2161.
```

Created attachment 519983 [details]
patch to add proxy-ipa.conf

Reviewed and tested by ayoung
proxy-ipa patch:

tip:
```
[vakwetu@dhcp231-121 base]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. added proxy-ipa.conf"
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2179.
```

6.2:
```
[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" base
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2183.
[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" patches specs
Adding         patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2184.
```

Decided to revert changes. proxy-ipa.conf will be generated and maintained by IPA:

tip:
```
[vakwetu@dhcp231-121 base]$ svn ci -m "Remove proxy-ipa.conf changes"
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data .
Committed revision 2187.
```

8.1:
```
[vakwetu@goofy-vm6 pki]$ svn ci -m "Revert proxy-ipa.conf changes" base specs patches
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Deleting       patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2188.
```

Can you please define what was changed? Steps to verify? Thanks

Jenny,

It is now possible to run the CS behind a proxy apache server. By default, this apache proxy server will serve pages on ports 443 and 80. The CA continues to use the same ports (in fact an additional ajp port has been opened), but none of these ports need to be exposed outside of the local machine. This is the current configuration in IPA.

To verify:

0. Install httpd. Start it and make sure you can get to the test page.
1. Use pkicreate to create a CA instance. Be sure to use the relevant proxy flags:
```
[-enable_proxy]                             # enable proxy configuration
[-ajp_port=<ajp_port>]                      # AJP port, default 9447
[-proxy_secure_port=<proxy_secure_port>]    # Proxy secure port, default 443
[-proxy_unsecure_port=<unsecure_port>]      # Proxy unsecure port, default 80
```
3. Configure the CA, and restart it.
4. Configure httpd to be able to use https. Use the CA to issue your server cert. Confirm that you can connect to the apache proxy using https.
5. Copy the /var/lib/<instance_name>/conf/proxy.conf file to /etc/httpd/conf.d and set permissions/ownership. Also ensure that NSSRenegotiation is allowed and safe renegotiation is permitted (nss.conf).
6. Restart httpd.
7. You should be able to browse to the ca ee and agent pages through the proxy ports. For example (for standard ports): https://test.example.com/ca/ee/ca and https://test.example.com/ca/agent/ca, and be able to submit cert requests and get certificates etc. You should also be able to access the ca using the console, and be able to install other CS subsystems.

Note: Some operations may fail, specifically when ee profiles that require client auth are submitted, and possibly renewal. This is being investigated.

FWIW, IPA does all the setup for this, and this is how IPA currently runs.

Jenny, so another way to verify this is to confirm that all IPA functionality related to certs still works correctly.

Kashyap is helping me with verifying this bug. Got to step 7, but the pages come up blank. He suspects the pki-ca in RHEL6 doesn't yet expose the profiles info. Needinfo: how to proceed?

Created attachment 532368 [details]
steps taken to verify

Kashyap went through the steps above while I watched and took notes, which I will attach here. Also, the IPA cert tests are looking good.

Verified using ipa-pki-common-theme-9.0.3-7.el6, ipa-pki-ca-theme-9.0.3-7.el6
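The verification steps in this thread rest on the point that, once the CA runs behind the Apache proxy, only the proxy's ports (443 and 80 by default) need to be reachable from outside the host, while the CA's own connectors and the AJP port (default 9447) stay local. The following check is an added example written for this page, not code from the bug report or from pki-core; it assumes `ss -Hltn` output as input, an allow list of 80 and 443, and uses a constructed sample in which one CA connector port (value made up for the sample) is still bound to all interfaces.

```shell
#!/bin/sh
# Added example (not from the bug report or pki-core): after pkicreate
# -enable_proxy, only the Apache proxy ports (443 and 80 by default) should be
# reachable from outside the host; the CA's own connectors, including the AJP
# connector (default 9447), should be loopback-only. check_exposed reads
# `ss -Hltn` lines on stdin and prints every LISTEN port bound beyond loopback
# that is not on the allow list, i.e. what the firewall would still have to cover.

# check_exposed "80 443"   (ss lines on stdin; prints offenders; returns 1 if any)
check_exposed() {
    allowed="$1"
    found=0
    while read -r state _rq _sq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue          # skip header or non-LISTEN rows
        addr="${laddr%:*}"                           # "0.0.0.0:443" -> "0.0.0.0"
        port="${laddr##*:}"                          # "0.0.0.0:443" -> "443"
        case "$addr" in
            127.*|\[::1\]|::1) continue ;;           # loopback binding is not exposed
        esac
        ok=0
        for p in $allowed; do
            [ "$p" = "$port" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$port"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ss -Hltn` output: proxy on 443/80 for all interfaces,
# AJP 9447 on loopback only (as intended), and one CA connector (port value made
# up for this sample) still bound to all interfaces, which is the one reported.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 100 127.0.0.1:9447 0.0.0.0:*
LISTEN 0 100 [::1]:9447 [::]:*
LISTEN 0 100 0.0.0.0:9445 0.0.0.0:*'

# On a live host:  ss -Hltn | check_exposed "80 443"
if printf '%s\n' "$SAMPLE_SS" | check_exposed "80 443"; then
    echo "only the allowed proxy ports are exposed"
else
    echo "ports listed above are exposed: bind them to loopback or open them in the firewall"
fi
```

Run against a live host with `ss -Hltn | check_exposed "80 443"`; a non-zero exit status means a CA connector is still reachable beyond loopback and the firewall would have to cover it.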
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1754.html