patch for review - https://bugzilla.redhat.com/show_bug.cgi?id=739708
by Ade Lee
https://bugzilla.redhat.com/show_bug.cgi?id=739708 - pki-selinux lacks
rules in F16
This patch adds two of the three rules.
The remaining one:
allow pki_ca_t unreserved_port_t:tcp_socket name_connect;
is still under investigation. I have no idea why tomcat would be trying to
connect to an ephemeral port (and I have not been able to reproduce on my
system). As far as I can tell, this happens on startup on Alexander's system
-- but it does not affect the startup of the server.
I'll keep looking for it.
Please review.
Ade
11 years, 8 months
Generating CSR in the Browser
by Adam Young
How are people using the Certificates that they generate from the
Browser? Say I use the code at
/ca/ee/ca/profileSelect?profileId=caUserCert
To generate a new Cert Signing Request, the key pair for that CSR is in
my browsers NSS Database, but in order to even get to this point, I need
to have a Certificate allowing me to talk to the server, so I am
guessing I can't do this from the end users browser. I'm guessing the
workflow goes something like this:
1. A new member of an organization needs a certificate, so they go to
their supervisor
2. Supervisor fills out the form above and submites the CSR.
3. Someone in higher echelons approves the request and generates the
corresponding certificate
4. The Supervisor then gets the certificate to the end user.
How does the private key get to the end users browser? Does it go by
way of the CRM subsystem, and, if so, isn't there a chicken/egg problem
in getting it?
11 years, 8 months
Upgrading a machine to use the proxy.
by Adam Young
To convert an older build where the PKI system wasn't proxied:
awk '{print $0} /Define an AJP 1.3 Connector on port/ {print
"<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\"
/>}" }' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new
/etc/pki-ca/server.xml
sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e
"s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf >
/etc/pki-ca/proxy.conf
I've used the default ports here. Adjest is you've altered yours.
IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it.
You can do the same thing by hand.
I'm not sure if this should go into PKI or IPA.
11 years, 8 months
The Why's of PKI
by Adam Young
The Layout of the PKI project is very unusual for a Java Server
application. I'm trying to understand the rationale for some of the
things that were done.
Why do we create a separate server instance for each subsystem? Is a
reason to continue doing so?
Is using different ports for CA and DRM (an so forth) merely an
artifact of using multiple servers, or is there an additional reason to
do so?
Do we expect the same user to have and user different certificates for
different servers, such that the certificate then becomes a union of
authentication and authorization?
Is there a reason to separate the CA and DRM Directory servers? Is it
a "best practice" to do so? What would be the implications of using a
single instance for both?
Is there any reason why the CA uses an LDAP server instead of a
Relational Database? Do we expect people to make queries dircetyl
against the CA DirSrv, or is the Database best hidden from public view?
Why do we split the build process up into multiple Source RPMS? Is
there a reason to maintain this split?
Are there design documents or discussions for these decisions?
11 years, 8 months
