Bug 712931 - CS requires too many ports to be open in the FW.
Summary: CS requires too many ports to be open in the FW.
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa-pki-theme
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Ade Lee
QA Contact:
Depends On:
Blocks: 726526
Reported: 2011-06-13 16:12 UTC by Dmitri Pal
Modified: 2015-07-23 17:26 UTC (History)

Fixed In Version: ipa-pki-theme-9.0.3-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-06 18:56:01 UTC
Target Upstream Version:

Attachments
patch to fix (67.18 KB, patch) - 2011-08-22 01:34 UTC, Ade Lee - flags: mharmsen: review+, ayoung: review+
patch to add proxy-ipa.conf (4.66 KB, patch) - 2011-08-25 21:30 UTC, Ade Lee - no flags
steps taken to verify (6.50 KB, text/plain) - 2011-11-08 19:54 UTC, Namita Soman - no flags

External tracker: Red Hat Product Errata RHBA-2011:1754 (priority normal, status SHIPPED_LIVE) - ipa-pki-theme bug fix update - last updated 2011-12-06 01:01:44 UTC

Description Dmitri Pal 2011-06-13 16:12:36 UTC
Reduce the number of ports that the CA is using. There are too many holes one needs to provide in the firewall for IPA to work.

See also the mail thread on the freeipa-users list:


Here is a follow up discussion on IRC:

<alee> simo: responded .. the error occurs before then - it looks like
his replica cannot resolve or contact the relevant port on the master
<simo> alee, I guess firewall then
<simo> this is one of the worst disadvantages of having a separate
instance for CS ...
<simo> alee, but what do you need all those ports on a server anyway ?
<simo> alee, what are they used for ? why multiple ports and not simply
different URLs ?
<alee> simo: originally - the cs server ran with just a couple of ports
(secure and unsecure), but there was a customer request to separate
roles to different ports
<simo> rcrit, ^^ I think we will need to add a truckload of ports to the
<simo> rcrit, I think it is a *very* good idea that we decide to limit
CA replicas going forward as this is going to be a major issue in many
<alee> simo: so admin stuff happens on one port, agent stuff on another
port, ee stuff on another port
<simo> alee, ah the famous customer that gets everything they ask for
even when it makes no sense whatsoever? :-)
<alee> simo: yes well - money talks :/
<simo> alee, and this is now hardcoded that way ? It is not possible to
re-consolidate everything in one port ?
<simo> having to ask network admins to open that many ports is going to
have *a lot* of push back in most customer sites
<alee> simo: it is still possible to use a single port (secure and
unsecure) but we have not really tested that configuration well lately
<simo> even just the replication ports are going to be frowned on I
think :/
<simo> alee, is there any documentation on how to do that ?
<alee> simo: it's not the standard config - but it is documented in the
cs docs
<simo> alee, is it difficult to change the config to do that after
install ?
<alee> simo: you select that as an option during pkicreate
<simo> alee, yes but I need to find out if we can do that as an upgrade
<alee> simo: it's much more difficult to change post-install .. ie, you
have to parse a server.xml file pretty much
<simo> sigh ...
<alee> but it's possible

Comment 2 Dmitri Pal 2011-06-13 16:13:46 UTC
This is something we need to align with IPA 2.2.

Comment 5 Ade Lee 2011-08-22 01:34:33 UTC
Created attachment 519210 [details]
patch to fix

Comment 6 Matthew Harmsen 2011-08-22 19:12:36 UTC
Comment on attachment 519210 [details]
patch to fix

(1) fix 'base/selinux/src/pki.if' line to use subsystem variable rather than 'pki_ca_t'
(2) clone bug to provide 'proxy.conf' file for KRA, OCSP, and TKS subsystems

Comment 7 Ade Lee 2011-08-23 18:41:55 UTC

[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW" 
Sending        base/ca/shared/conf/CS.cfg.in
Adding         base/ca/shared/conf/proxy.conf
Sending        base/ca/shared/conf/server.xml
Sending        base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        base/kra/shared/conf/CS.cfg.in
Sending        base/kra/shared/conf/server.xml
Sending        base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        base/ocsp/shared/conf/CS.cfg.in
Sending        base/ocsp/shared/conf/server.xml
Sending        base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon.pm
Sending        base/setup/pkicreate
Sending        base/tks/shared/conf/CS.cfg.in
Sending        base/tks/shared/conf/server.xml
Sending        base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2160.


[vakwetu@goofy-vm6 pki]$ svn ci -m "svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW, base changes" base
Sending        pki/base/ca/shared/conf/CS.cfg.in
Adding         pki/base/ca/shared/conf/proxy.conf
Sending        pki/base/ca/shared/conf/server.xml
Sending        pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending        pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
Sending        pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
Sending        pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        pki/base/kra/shared/conf/CS.cfg.in
Sending        pki/base/kra/shared/conf/server.xml
Sending        pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending        pki/base/ocsp/shared/conf/CS.cfg.in
Sending        pki/base/ocsp/shared/conf/server.xml
Sending        pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending        pki/base/selinux/src/pki.if
Sending        pki/base/selinux/src/pki.te
Sending        pki/base/setup/pkicommon.pm
Sending        pki/base/setup/pkicreate
Sending        pki/base/tks/shared/conf/CS.cfg.in
Sending        pki/base/tks/shared/conf/server.xml
Sending        pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
Sending        pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
Sending        pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
Sending        pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
Sending        pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
Transmitting file data .......................................................
Committed revision 2161.

Comment 9 Ade Lee 2011-08-25 21:30:23 UTC
Created attachment 519983 [details]
patch to add proxy-ipa.conf

Reviewed and tested by ayoung

Comment 10 Ade Lee 2011-08-25 21:31:22 UTC
proxy-ipa patch:


[vakwetu@dhcp231-121 base]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. added proxy-ipa.conf"
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2179.

Comment 11 Ade Lee 2011-08-26 15:54:05 UTC

[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" base
Adding         base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2183.

[vakwetu@goofy-vm6 pki]$ svn ci -m "Resolves #712931 - CS requires too many ports to be open in the FW. Add proxy-ipa.conf" patches specs
Adding         patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2184.

Comment 12 Ade Lee 2011-08-26 21:34:37 UTC
Decided to revert changes. proxy-ipa.conf will be generated and maintained by IPA:

[vakwetu@dhcp231-121 base]$ svn ci -m "Remove proxy-ipa.conf changes"
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Transmitting file data .
Committed revision 2187.


[vakwetu@goofy-vm6 pki]$ svn ci -m "Revert proxy-ipa.conf changes" base specs patches
Deleting       base/ca/shared/conf/proxy-ipa.conf
Sending        base/setup/pkicreate
Deleting       patches/pki-core-9.0.3-r2183.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2188.

Comment 13 Jenny Severance 2011-10-17 16:43:01 UTC
Can you please define what was changed? Steps to verify?

Comment 14 Ade Lee 2011-10-26 18:13:17 UTC

It is now possible to run the CS behind a proxy apache server.  By default, this apache proxy server will serve pages on ports 443 and 80.

The CA continues to use the same ports - in fact an additional ajp port has been opened - but none of these ports need to be exposed outside of the local machine.

This is the current configuration in IPA.

To verify: 

0. Install httpd.  Start it and make sure you can get to the test page. 
1. Use pkicreate to create a CA instance.  Be sure to use the relevant proxy flags:

 [-enable_proxy]                            #enable proxy configuration
 [-ajp_port=<ajp_port>]                     #AJP port, default 9447
 [-proxy_secure_port=<proxy_secure_port>]   # Proxy secure port, 
                                            # default 443

 [-proxy_unsecure_port=<unsecure_port>]     # Proxy unsecure port,
                                            # default 80

3. Configure the CA, and restart it.

4. Configure httpd to be able to use https.  Use the CA to issue your server cert.  Confirm that you can connect to the apache proxy using https. 

5. Copy the /var/lib/<instance_name>/conf/proxy.conf file to /etc/httpd/conf.d and set permissions/ownership.  Also ensure that NSSRenegotiation is allowed and safe renegotiation is permitted.  (nss.conf)

6. Restart httpd.

7. You should be able to browse to the ca ee and agent pages through the proxy ports.

For example  (for standard ports): https://test.example.com/ca/ee/ca

and be able to submit cert requests and get certificates etc.  You should also be able to access the ca using the console - and be able to install other CS subsystems.

Note: Some operations may fail -- specifically when ee profiles that require client auth are submitted, and possibly renewal.  This is being investigated.

FWIW, ipa does all the setup for this - and this is how IPA currently runs.
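A quick check a verifier can run on the CA host after the steps above, added here as an example and not part of Ade Lee's comment or of the pki project: it reads `ss -ltn` style output and lists every TCP listener bound on a wildcard address whose port is not one of the proxy ports (443 and 80). Anything it prints is a port the host firewall must still block; the sample socket listing below is constructed, and the non-AJP CA ports in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the pki project). Given
# `ss -ltn` style output, print the ports that listen on all interfaces
# and are not on the allowlist of ports the Apache proxy exposes.

# Constructed sample of `ss -ltn` output on a CA host behind the proxy.
# 9447 is the pkicreate default AJP port named in the bug; the other
# high ports are placeholders standing in for the CA's own listeners.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80              *:*
LISTEN 0      128    *:443             *:*
LISTEN 0      128    127.0.0.1:9447    *:*
LISTEN 0      128    *:9443            *:*
LISTEN 0      128    *:9180            *:*'

# exposed_ports "PORT PORT ..."   (reads ss output on stdin)
# Prints, one per line, each port bound to a wildcard address (*, 0.0.0.0,
# [::]) that is not in the space-separated allowlist argument.
exposed_ports() {
    allow=" $1 "
    awk 'NR > 1 && $1 == "LISTEN" { print $4 }' |
    while IFS= read -r laddr; do
        addr=${laddr%:*}
        port=${laddr##*:}
        case "$addr" in
            '*'|0.0.0.0|'[::]'|'::') ;;  # wildcard bind: reachable from outside
            *) continue ;;               # loopback or a specific address: skip
        esac
        case "$allow" in
            *" $port "*) ;;              # proxy port, expected to be open
            *) printf '%s\n' "$port" ;;  # must be blocked by the firewall
        esac
    done
}

# Run over the constructed sample: prints 9443 and 9180, not 80/443/9447.
printf '%s\n' "$SAMPLE_SS" | exposed_ports "80 443"
```

On a live host replace the sample with `ss -ltn | exposed_ports "80 443"`.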

Comment 15 Ade Lee 2011-10-26 18:14:25 UTC

So another way to verify this - is to confirm that all ipa functionality related to certs still works correctly.

Comment 16 Namita Soman 2011-11-07 15:50:29 UTC
Kashyap is helping me with verifying this bug. Got to step 7, but the pages come up blank. He suspects -  the pki-ca in RHEL6 doesn't yet expose the profiles info. 

Needinfo - how to proceed?

Comment 17 Namita Soman 2011-11-08 19:54:02 UTC
Created attachment 532368 [details]
steps taken to verify

Kashyap went through the steps above, while I watched and took notes, which I will attach here. Also IPA certs tests are looking good. 
Verified using ipa-pki-common-theme-9.0.3-7.el6, ipa-pki-ca-theme-9.0.3-7.el6

Comment 18 errata-xmlrpc 2011-12-06 18:56:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

