Bug 726526 - Reduce number of ports used by CS in IPA by default
Summary: Reduce number of ports used by CS in IPA by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 712931
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-28 22:22 UTC by Dmitri Pal
Modified: 2015-01-04 23:50 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: A number of ports needed to be opened in the firewall for dogtag to operate properly. Consequence: Some administrators balked at the number of ports that needed to be open between IPA replicas, and managing this required planning because new rules were needed for each replication agreement. Fix: Dogtag is now proxied via the existing Apache web server on ports 80 and 443 which already need to be open. Result: Ports 944[3-6] no longer need to be open in the firewall.
Clone Of: 712931
Environment:
Last Closed: 2011-12-06 18:25:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Comment 1 Dmitri Pal 2011-07-28 22:26:19 UTC
https://fedorahosted.org/freeipa/ticket/1545

Comment 2 Martin Kosek 2011-08-31 06:45:32 UTC
Fixed upstream:
master: 5ee93349f6700d024fa4db68c960951d9964504b
ipa-2-1: d32b44be6a1dd73e514a6063cad2c8c84aaed360

Comment 4 Rob Crittenden 2011-11-01 00:37:13 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: A number of ports needed to be opened in the firewall for dogtag to operate properly.
Consequence: Some administrators balked at the number of ports that needed to be open between IPA replicas, and managing this required planning because new rules were needed for each replication agreement.
Fix: Dogtag is now proxied via the existing Apache web server on ports 80 and 443 which already need to be open.
Result: Ports 944[3-6] no longer need to be open in the firewall.

Comment 5 Gowrishankar Rajaiyan 2011-11-07 11:13:49 UTC
SERVER: Only ssh port is opened initially.

[root@decepticons ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@decepticons ~]# 


SLAVE: As expected the ipa-replica-conncheck fails.
[root@sideswipe ~]# ipa-replica-conncheck --master=decepticons.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): FAILED
   HTTP Server: port 443(https) (443): FAILED
Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
[root@sideswipe ~]# 


SERVER: Opening relevant ports. Ports 944[3-6] are not opened in firewall.
[root@decepticons ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:464 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:464 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:636 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:636 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:88 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:88 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@decepticons ~]# 


SLAVE: Performing ipa-replica-conncheck now works as expected.
[root@sideswipe ~]# ipa-replica-conncheck --master=decepticons.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.

Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica bumblebee.lab.eng.pnq.redhat.com
^C
Cleaning up...
[root@sideswipe ~]#


SERVER:
[root@decepticons ~]# ipa-replica-prepare sideswipe.lab.eng.pnq.redhat.com
Directory Manager (existing master) password: 

Preparing replica for sideswipe.lab.eng.pnq.redhat.com from decepticons.lab.eng.pnq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg


[root@decepticons ~]# scp /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg sideswipe.lab.eng.pnq.redhat.com:/var/lib/ipa/
root@sideswipe.lab.eng.pnq.redhat.com's password: 
replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg                                                                                  100%   29KB  29.0KB/s   00:00    
[root@decepticons ~]# 


SLAVE:
[root@sideswipe ~]# ipa-replica-install /var/lib/ipa/replica-info-sideswipe.lab.eng.pnq.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@LAB.ENG.PNQ.REDHAT.COM password: 

Execute check on remote master
Check connection from master to remote replica 'sideswipe.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 31 minutes
  [1/29]: creating directory server user
  [2/29]: creating directory server instance
  [3/29]: adding default schema
  [4/29]: enabling memberof plugin
  [5/29]: enabling referential integrity plugin
  [6/29]: enabling winsync plugin
  [7/29]: configuring replication version plugin
  [8/29]: enabling IPA enrollment plugin
  [9/29]: enabling ldapi
  [10/29]: configuring uniqueness plugin
  [11/29]: configuring uuid plugin
  [12/29]: configuring modrdn plugin
  [13/29]: enabling entryUSN plugin
  [14/29]: configuring lockout plugin
  [15/29]: creating indices
  [16/29]: configuring ssl for ds instance
  [17/29]: configuring certmap.conf
  [18/29]: configure autobind for root
  [19/29]: configure new location for managed entries
  [20/29]: restarting directory server
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/29]: adding replication acis
  [23/29]: setting Auto Member configuration
  [24/29]: initializing group membership
  [25/29]: adding master entry
  [26/29]: configuring Posix uid/gid generation
  [27/29]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [28/29]: tuning directory server
  [29/29]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 minutes 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 31 minutes
  [1/12]: disabling mod_ssl in httpd
  [2/12]: setting mod_nss port to 443
  [3/12]: setting mod_nss password file
  [4/12]: enabling mod_nss renegotiate
  [5/12]: adding URL rewriting rules
  [6/12]: configuring httpd
  [7/12]: setting up ssl
  [8/12]: publish CA cert
  [9/12]: creating a keytab for httpd
  [10/12]: configuring SELinux for httpd
  [11/12]: restarting httpd
  [12/12]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
[root@sideswipe ~]# 


[root@sideswipe ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
[root@sideswipe ~]# 


[root@sideswipe ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Mon 07 Nov 2011 04:31:58 PM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 6 errata-xmlrpc 2011-12-06 18:25:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.