712931 – CS requires too many ports to be open in the FW.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 712931 - CS requires too many ports to be open in the FW.

Summary: CS requires too many ports to be open in the FW.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa-pki-theme
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Ade Lee
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	726526
TreeView+	depends on / blocked

Reported:	2011-06-13 16:12 UTC by Dmitri Pal
Modified:	2015-07-23 17:26 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-pki-theme-9.0.3-7.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	726526 (view as bug list)
Environment:
Last Closed:	2011-12-06 18:56:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
patch to fix (67.18 KB, patch) 2011-08-22 01:34 UTC, Ade Lee	mharmsen: review+ ayoung: review+	Details \| Diff
patch to add proxy-ipa.conf (4.66 KB, patch) 2011-08-25 21:30 UTC, Ade Lee	no flags	Details \| Diff
steps taken to verify (6.50 KB, text/plain) 2011-11-08 19:54 UTC, Namita Soman	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1754	0	normal	SHIPPED_LIVE	ipa-pki-theme bug fix update	2011-12-06 01:01:44 UTC

Description Dmitri Pal 2011-06-13 16:12:36 UTC

Reduce number of ports that CA is using. There are too many holes one needs to provide in the firewall for IPA to work.

See also the mail thread on the freeipa-users list:

https://www.redhat.com/archives/freeipa-users/2011-June/msg00100.html

Here is a follow up discussion on IRC:

<alee> simo: responded .. the error occurs before then - it looks like
his replica cannot resolve or contact the relevant port on the master
<simo> alee, I guess firewall then
<simo> this is one of the worst disadvantages of having a separate
instance for CS ...
<simo> alee, but wht do you need all those ports on a server anyway ?
<simo> alee, what are they used for ? why multiple ports and not simply
different URLs ?
<alee> simo: originally - the cs server ran with just a couple of ports
(secure and unsecure), but there was a customer request to separate
roles to different ports
<simo> rcrit, ^^ I think we will need to add a truckload of ports to the
documentation
<simo> rcrit, I think it is a *very* good idea that we decide to limit
CA replicas going forward as this is going to be a major issue in many
places
<alee> simo: so admin stuff happens on one port, agent stuff on another
port, ee stuff on another port
<simo> alee, ah the famous customer that gets everythnig they ask for
even when it makes no sense whatsoever? :-)
<alee> simo: yes well - money talks :/
<simo> alee, and this is now hardcoded that way ? It is not possible to
re-consolidate everything in one port ?
<simo> having to ask network admins to open that many ports is going to
have *a lot* of push back in most customer sites
<alee> simo: it is still possible to use a single port (secure and
unsecure) but we have not really tested that configuration well lately
<simo> even just the replication ports are going to be frowned on I
think :/
<simo> alee, is there any documentation on how to do that ?
<alee> simo: its not the standard config - but it is docuemnted in the
cs docs
<simo> alee, is it difficult to change the config to do that after
install ?
<alee> simo: you select that as an option during pkicreate
<simo> alee, yes but I need to find out if we can do that as an upgrade
option
<alee> simo: its much more difficult to change post-install .. ie, you
have to parse a server.xml file pretty much
<simo> sigh ...
<alee> but its possible

Comment 2 Dmitri Pal 2011-06-13 16:13:46 UTC

This is something we need to align with IPA 2.2.

Comment 5 Ade Lee 2011-08-22 01:34:33 UTC

Created attachment 519210 [details]
patch to fix

Comment 6 Matthew Harmsen 2011-08-22 19:12:36 UTC

Comment on attachment 519210 [details]
patch to fix

CAVEATS:
(1) fix 'base/selinux/src/pki.if' line to use subsystem variable rather than 'pki_ca_t'
(2) clone bug to provide 'proxy.conf' file for KRA, OCSP, and TKS subsystems

Comment 7 Ade Lee 2011-08-23 18:41:55 UTC

tip:

[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW" 
Sending        base/ca/shared/conf/CS.cfg.in
Adding         base/ca/shared/conf/proxy.conf
Sending        base/ca/shared/conf/server.xml
Sending        base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        base/kra/shared/conf/CS.cfg.in
Sending        base/kra/shared/conf/server.xml
Sending        base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        base/ocsp/shared/conf/CS.cfg.in
Sending        base/ocsp/shared/conf/server.xml
Sending        base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon.pm
Sending        base/setup/pkicreate
Sending        base/tks/shared/conf/CS.cfg.in
Sending        base/tks/shared/conf/server.xml
Sending        base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2160.

6.2:

[vakwetu@goofy-vm6 pki]$ svn ci -m "svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW, base changes" base
Sending        pki/base/ca/shared/conf/CS.cfg.in
Adding         pki/base/ca/shared/conf/proxy.conf
Sending        pki/base/ca/shared/conf/server.xml
Sending        pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        pki/base/kra/shared/conf/CS.cfg.in
Sending        pki/base/kra/shared/conf/server.xml
Sending        pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        pki/base/ocsp/shared/conf/CS.cfg.in
Sending        pki/base/ocsp/shared/conf/server.xml
Sending        pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        pki/base/selinux/src/pki.if
Sending        pki/base/selinux/src/pki.te
Sending        pki/base/setup/pkicommon.pm
Sending        pki/base/setup/pkicreate
Sending        pki/base/tks/shared/conf/CS.cfg.in
Sending        pki/base/tks/shared/conf/server.xml
Sending        pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2161.

Comment 9 Ade Lee 2011-08-25 21:30:23 UTC

Created attachment 519983 [details]
patch to add proxy-ipa.conf

Reviewed and tested by ayoung

Comment 10 Ade Lee 2011-08-25 21:31:22 UTC

proxy-ipa patch:

tip:

[vakwetu@dhcp231-121 base]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. added proxy-ipa.conf"
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2179.

Comment 11 Ade Lee 2011-08-26 15:54:05 UTC

6.2:

[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" base
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2183.

[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" patches specs
Adding         patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2184.

Comment 12 Ade Lee 2011-08-26 21:34:37 UTC

Decided to revert changes . proxy-ipa.conf will be generated and maintained by IPA:

tip:
[vakwetu@dhcp231-121 base]$ svn ci -m "Remove proxy-ipa.conf changes"
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data .
Committed revision 2187.

8.1:

[vakwetu@goofy-vm6 pki]$ svn ci -m "Revert proxy-ipa.conf changes" base specs patches
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Deleting       patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2188.

Comment 13 Jenny Severance 2011-10-17 16:43:01 UTC

Can you please define what was changed? Steps to verify?
Thanks

Comment 14 Ade Lee 2011-10-26 18:13:17 UTC

Jenny,

It is now possible to run the CS behind a proxy apache server. By default, this apache proxy server will serve pages on ports 443 and 80.

The CA continues to use the same ports - in fact an additional ajp port has been opened - but none of these ports need to be exposed outside of the local machine.

This is the current configuration in IPA.

To verify:

0. Install httpd. Start it and make sure you can get to the test page.
1. Use pkicreate to create a CA instance. Be sure to use the relevant proxy flags:

[-enable_proxy] #enable proxy configuration
[-ajp_port=<ajp_port>] #AJP port, default 9447
[-proxy_secure_port=<proxy_secure_port>] # Proxy secure port,
# default 443

[-proxy_unsecure_port=<unsecure_port>] # Proxy unsecure port,
# default 80

3. Configure the CA, and restart it.

4. Configure httpd to be able to connect use https. Use the CA to issue your server cert. Confirm that you can connect to the apache proxy using https.

5. Copy the /var/lib/<instance_name>/conf/proxy.conf file to /etc/httpd/conf.d and set permissions/ownership. Also ensure that NSSRenegotiation is allowed and safe renegotiation is permitted. (nss.conf)

6. Restart httpd.

7. You should be able to browse to the ca ee and agent pages through the proxy ports.

For example (for standard ports): https://test.example.com/ca/ee/ca
https://test.example.com/ca/agent/ca

and be able to submit cert requests and get certificates etc. You should also be able to access the ca using the console - and be able to install other CS subsystems.

Note; Some operations may fail -- specifically when ee profiles that require client auth are submitted, and possibly renewal. This is being investigated.

FWIW, ipa does all the setup for this - and this is how IPA currently runs.

Comment 15 Ade Lee 2011-10-26 18:14:25 UTC

Jenny, 

So another way to verify this - is to confirm that all ipa functionality related to certs still works correctly.

Comment 16 Namita Soman 2011-11-07 15:50:29 UTC

Kashyap is helping me with verifying this bug. Got to step 7, but the pages come up blank. He suspects -  the pki-ca in RHEL6 doesn't yet expose the profiles info. 

Needinfo - how to proceed?

Comment 17 Namita Soman 2011-11-08 19:54:02 UTC

Created attachment 532368 [details]
steps taken to verify

Kashyap went through the steps above, while i watched, took notes, which i will attach here. also IPA certs tests are looking good. 
Verified using ipa-pki-common-theme-9.0.3-7.el6, ipa-pki-ca-theme-9.0.3-7.el6

Comment 18 errata-xmlrpc 2011-12-06 18:56:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1754.html

Note You need to log in before you can comment on or make changes to this bug.