11 a.m.
Adam,
As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA. The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.
What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives. Some of these (agent pages) will
require client authentication, and some will not.
I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed. Attempts to
pass the relevant environment parameters to NSS failed to alter this
result. I'll continue to work with Rob on this.
However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
regotiation protocol.
My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing. Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.
Here is what you need to do:
1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)
4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism. You will see stanzas like the
following for ee, agent and admin ports. Make sure that active is set
to false for all.
<filter>
<filter-name>AgentRequestFilter</filter-name>
<filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
<init-param>
<param-name>https_port</param-name>
<param-value>9203</param-value>
</init-param>
<init-param>
<param-name>active</param-name>
<param-value>false</param-value>
</init-param>
</filter>
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
6. restart the ca. (service pki-cad start pki-ca)
We are now ready to do some testing.
1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
2. Do your IPA cert tests and confirm that it works ok.
3. Try installing a replica. Make sure to pass https://hostname:443
That is - do not leave out the 443 part as the installation code will
not recognize 443 as a default port. Actually, now that I think about
it - there will be more changes needed in the Installation Panel code to
get all this to work. So I'll get to this when I can.
Thanks,
Ade
2:13 p.m.
Cross posting to the freeipa devel list, as I think this is where people
are going to be most interested.
On 08/15/2011 12:00 PM, Ade Lee wrote:
Adam,
As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA. The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.
What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives. Some of these (agent pages) will
require client authentication, and some will not.
I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed. Attempts to
pass the relevant environment parameters to NSS failed to alter this
result. I'll continue to work with Rob on this.
However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
regotiation protocol.
My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing. Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.
Here is what you need to do:
1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)
4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism. You will see stanzas like the
following for ee, agent and admin ports. Make sure that active is set
to false for all.
<filter>
<filter-name>AgentRequestFilter</filter-name>
<filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
<init-param>
<param-name>https_port</param-name>
<param-value>9203</param-value>
</init-param>
<init-param>
<param-name>active</param-name>
<param-value>false</param-value>
</init-param>
</filter>
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
6. restart the ca. (service pki-cad start pki-ca)
We are now ready to do some testing.
1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
2. Do your IPA cert tests and confirm that it works ok.
3. Try installing a replica. Make sure to pass https://hostname:443
That is - do not leave out the 443 part as the installation code will
not recognize 443 as a default port. Actually, now that I think about
it - there will be more changes needed in the Installation Panel code to
get all this to work. So I'll get to this when I can.
Thanks,
Ade
9:10 p.m.
On 08/15/2011 12:00 PM, Ade Lee wrote:
Adam,
As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA. The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.
What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives. Some of these (agent pages) will
require client authentication, and some will not.
I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed. Attempts to
pass the relevant environment parameters to NSS failed to alter this
result. I'll continue to work with Rob on this.
However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
regotiation protocol.
My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing. Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.
Here is what you need to do:
1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
service ipa stop
3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp
port,
and have it redirect for SSL to the EE port (9444)
[root@f15server ~]# diff /etc/pki-ca/server.xml.orig /etc/pki-ca/server.xml
216a217
<Connector port="8009" protocol="AJP/1.3"
redirectPort="9444" />
4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
to
turn off the filtering mechanism. You will see stanzas like the
following for ee, agent and admin ports. Make sure that active is set
to false for all.
<filter>
<filter-name>AgentRequestFilter</filter-name>
<filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
<init-param>
<param-name>https_port</param-name>
<param-value>9203</param-value>
</init-param>
<init-param>
<param-name>active</param-name>
<param-value>false</param-value>
</init-param>
</filter>
[root@f15server WEB-INF]# git diff web.xml.orig web.xml
diff --git a/web.xml.orig b/web.xml
index 7f757bd..affa315 100644
--- a/web.xml.orig
+++ b/web.xml
@@ -12,7 +12,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
@@ -25,7 +25,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
@@ -42,7 +42,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
@@ -55,7 +55,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
mv ~/dogtag.conf /etc/httpd/conf.d/
6. restart the ca. (service pki-cad start pki-ca)
service ipa
start
We are now ready to do some testing.
1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
diff
/usr/lib/python2.7/site-packages/ipalib/constants.py.orig
/usr/lib/python2.7/site-packages/ipalib/constants.py
140c140
< ('ca_agent_port', 9443),
---
('ca_agent_port', 443),
2. Do your IPA cert tests and confirm that it works ok.
service
ipa restart
....
cannot connect to
'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial':
''
5029
days inactive
5030
days old
2 comments
2 participants
participants (2)
-
Adam Young -
Ade Lee