Bug 726526
Summary: | Reduce number of ports used by CS in IPA by default | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | unspecified | Docs Contact: | |
Priority: | high | ||
Version: | 6.1 | CC: | benl, grajaiya, jgalipea, mkosek |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.1-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: A number of ports needed to be opened in the firewall for dogtag to operate properly.
Consequence: Some administrators balked at the number of ports that needed to be open between IPA replicas, and managing this required planning because new rules were needed for each replication agreement.
Fix: Dogtag is now proxied via the existing Apache web server on ports 80 and 443 which already need to be open.
Result: Ports 944[3-6] no longer need to be open in the firewall.
|
Story Points: | --- |
Clone Of: | 712931 | Environment: | |
Last Closed: | 2011-12-06 18:25:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 712931 | ||
Bug Blocks: |
Comment 1
Dmitri Pal
2011-07-28 22:26:19 UTC
Fixed upstream: master: 5ee93349f6700d024fa4db68c960951d9964504b ipa-2-1: d32b44be6a1dd73e514a6063cad2c8c84aaed360 Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: A number of ports needed to be opened in the firewall for dogtag to operate properly. Consequence: Some administrators balked at the number of ports that needed to be open between IPA replicas, and managing this required planning because new rules were needed for each replication agreement. Fix: Dogtag is now proxied via the existing Apache web server on ports 80 and 443 which already need to be open. Result: Ports 944[3-6] no longer need to be open in the firewall. SERVER: Only ssh port is opened initially. [root@decepticons ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@decepticons ~]# SLAVE: As expected the ipa-replica-conncheck fails. [root@sideswipe ~]# ipa-replica-conncheck --master=decepticons.lab.eng.pnq.redhat.com Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): FAILED Directory Service: Secure port (636): FAILED Kerberos KDC: TCP (88): FAILED Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): FAILED Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): FAILED HTTP Server: port 443(https) (443): FAILED Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443 [root@sideswipe ~]# SERVER: Opening relevant ports. Ports 944[3-6] are not opened in firewall. [root@decepticons ~]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:464 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:464 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:636 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:636 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:88 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:88 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@decepticons ~]# SLAVE: Performing ipa-replica-conncheck now works as expected. [root@sideswipe ~]# ipa-replica-conncheck --master=decepticons.lab.eng.pnq.redhat.com Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): OK HTTP Server: port 443(https) (443): OK Connection from replica to master is OK. Start listening on required ports for remote master check Listeners are started. Use CTRL+C to terminate the listening part after the test. Please run the following command on remote master: /usr/sbin/ipa-replica-conncheck --replica bumblebee.lab.eng.pnq.redhat.com ^C Cleaning up... [root@sideswipe ~]# SERVER: [root@decepticons ~]# ipa-replica-prepare sideswipe.lab.eng.pnq.redhat.com Directory Manager (existing master) password: Preparing replica for sideswipe.lab.eng.pnq.redhat.com from decepticons.lab.eng.pnq.redhat.com Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg [root@decepticons ~]# scp /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg sideswipe.lab.eng.pnq.redhat.com:/var/lib/ipa/ root.eng.pnq.redhat.com's password: replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg 100% 29KB 29.0KB/s 00:00 [root@decepticons ~]# SLAVE: [root@sideswipe ~]# ipa-replica-install /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): OK HTTP Server: port 443(https) (443): OK Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin.PNQ.REDHAT.COM password: Execute check on remote master Check connection from master to remote replica 'sideswipe.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): OK HTTP Server: port 443(https) (443): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server: Estimated time 31 minutes [1/29]: creating directory server user [2/29]: creating directory server instance [3/29]: adding default schema [4/29]: enabling memberof plugin [5/29]: enabling referential integrity plugin [6/29]: enabling winsync plugin [7/29]: configuring replication version plugin [8/29]: enabling IPA enrollment plugin [9/29]: enabling ldapi [10/29]: configuring uniqueness plugin [11/29]: configuring uuid plugin [12/29]: configuring modrdn plugin [13/29]: enabling entryUSN plugin [14/29]: configuring lockout plugin [15/29]: creating indices [16/29]: configuring ssl for ds instance [17/29]: configuring certmap.conf [18/29]: configure autobind for root [19/29]: configure new location for managed entries [20/29]: restarting directory server [21/29]: setting up initial replication Starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update succeeded [22/29]: adding replication acis [23/29]: setting Auto Member configuration [24/29]: initializing group membership [25/29]: adding master entry [26/29]: configuring Posix uid/gid generation [27/29]: enabling compatibility plugin Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring dirsrv. [28/29]: tuning directory server [29/29]: configuring directory to start on boot done configuring dirsrv. Configuring Kerberos KDC: Estimated time 30 minutes 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication [8/9]: starting the KDC [9/9]: configuring KDC to start on boot done configuring krb5kdc. Configuring ipa_kpasswd [1/2]: starting ipa_kpasswd [2/2]: configuring ipa_kpasswd to start on boot done configuring ipa_kpasswd. Configuring the web interface: Estimated time 31 minutes [1/12]: disabling mod_ssl in httpd [2/12]: setting mod_nss port to 443 [3/12]: setting mod_nss password file [4/12]: enabling mod_nss renegotiate [5/12]: adding URL rewriting rules [6/12]: configuring httpd [7/12]: setting up ssl [8/12]: publish CA cert [9/12]: creating a keytab for httpd [10/12]: configuring SELinux for httpd [11/12]: restarting httpd [12/12]: configuring httpd to start on boot done configuring httpd. Applying LDAP updates Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring dirsrv. [root@sideswipe ~]# [root@sideswipe ~]# ipactl status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING HTTP Service: RUNNING [root@sideswipe ~]# [root@sideswipe ~]# rpm -qi ipa-server Name : ipa-server Relocations: (not relocatable) Version : 2.1.3 Vendor: Red Hat, Inc. Release : 8.el6 Build Date: Wed 02 Nov 2011 03:21:27 AM IST Install Date: Mon 07 Nov 2011 04:31:58 PM IST Build Host: x86-012.build.bos.redhat.com Group : System Environment/Base Source RPM: ipa-2.1.3-8.el6.src.rpm Size : 3381421 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://www.freeipa.org/ Summary : The IPA authentication server Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html |