On 08/21/11 18:47, Ade Lee wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=712931 - CS requires too
many ports to be opened in firewall.

This patch provides configuration to run the ca behind an apache proxy.

For IPA, once you apply the patch, you will need to update pki-ca,
pki-common, pki-setup, pki-selinux, pki-common-javadoc.  The UI changes
are just to remove some annoying 404's in the httpd logs.

Then, you need to call pkicreate with the additional option
-enable_proxy.  This will configure the system to run behind a proxy
with ajp port 9447, proxy secure port 443 and proxy unsecure port 80.

Pkisilent can run as before.  After pkisilent is complete, the
file /etc/<instance_name>/conf/proxy.conf will exist.

Make a symbolic link of this file to /etc/httpd/conf.d/dogtag.conf.
Restart httpd and you should be able to browse from httpd.

Adam, please test IPA install and also install of a replica.  Remember
that the replica security domain should be at port 443.

Ade

 


  
ACK - with Caveats:
(1) fix 'base/selinux/src/pki.if' line to use subsystem variable rather than 'pki_ca_t'
(2) clone bug to provide 'proxy.conf' file for KRA, OCSP, and TKS subsystems