|
 |
f7c668 |
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
|
|
|
f7c668 |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
f7c668 |
Date: Mon, 15 Jun 2020 18:38:35 -0400
|
|
|
f7c668 |
Subject: [PATCH] Clarify AJP connector creation process
|
|
|
f7c668 |
|
|
|
f7c668 |
We do two things:
|
|
|
f7c668 |
|
|
|
f7c668 |
1. Fix the xpath for AJP connector verification. An AJP connector is
|
|
|
f7c668 |
one which has protocol="AJP/1.3", NOT one that has port="8009". An
|
|
|
f7c668 |
AJP connector can exist on any port and port 8009 can have any
|
|
|
f7c668 |
protocol. Secrets only make sense on AJP connectors, so make the
|
|
|
f7c668 |
xpath match the existing comment.
|
|
|
f7c668 |
|
|
|
f7c668 |
2. Add some background in-line documentation about AJP secret
|
|
|
f7c668 |
provisioning. This should help future developers understand why this
|
|
|
f7c668 |
was added to IPA and what limitations there are in what PKI or IPA
|
|
|
f7c668 |
can do. Most notably, explain why Dogtag can't upgrade the AJP
|
|
|
f7c668 |
connector to have a secret in the general case.
|
|
|
f7c668 |
|
|
|
f7c668 |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
f7c668 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
f7c668 |
---
|
|
|
f7c668 |
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
|
|
|
f7c668 |
1 file changed, 17 insertions(+), 3 deletions(-)
|
|
|
f7c668 |
|
|
|
f7c668 |
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
index 42c9db3fb..aa3baeb7c 100644
|
|
|
f7c668 |
--- a/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
+++ b/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
|
|
|
f7c668 |
doc = server_xml.getroot()
|
|
|
f7c668 |
|
|
|
f7c668 |
# no AJP connector means no need to update anything
|
|
|
f7c668 |
- connectors = doc.xpath('//Connector[@port="8009"]')
|
|
|
f7c668 |
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
|
|
|
f7c668 |
if len(connectors) == 0:
|
|
|
f7c668 |
return
|
|
|
f7c668 |
|
|
|
f7c668 |
- # AJP connector is set on port 8009. Use non-greedy search to find it
|
|
|
f7c668 |
+ # AJP protocol is at version 1.3. Assume there is only one as
|
|
|
f7c668 |
+ # Dogtag only provisions one.
|
|
|
f7c668 |
connector = connectors[0]
|
|
|
f7c668 |
|
|
|
f7c668 |
# Detect tomcat version and choose the right option name
|
|
|
f7c668 |
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
|
|
|
f7c668 |
rewrite = False
|
|
|
f7c668 |
else:
|
|
|
f7c668 |
if oldattr in connector.attrib:
|
|
|
f7c668 |
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
|
|
|
f7c668 |
+ # upgrade for us; we need only to ensure that we're not both
|
|
|
f7c668 |
+ # attempting to upgrade server.xml at the same time.
|
|
|
f7c668 |
+ # Hopefully this is guaranteed for us.
|
|
|
f7c668 |
self.ajp_secret = connector.attrib[oldattr]
|
|
|
f7c668 |
connector.attrib[secretattr] = self.ajp_secret
|
|
|
f7c668 |
del connector.attrib[oldattr]
|
|
|
f7c668 |
else:
|
|
|
f7c668 |
- # Generate password, don't use special chars to not break XML
|
|
|
f7c668 |
+ # Generate password, don't use special chars to not break XML.
|
|
|
f7c668 |
+ #
|
|
|
f7c668 |
+ # If we hit this case, pkispawn was run on an older Dogtag
|
|
|
f7c668 |
+ # version and we're stuck migrating, choosing a password
|
|
|
f7c668 |
+ # ourselves. Dogtag can't generate one randomly because a
|
|
|
f7c668 |
+ # Dogtag administrator might've configured AJP and might
|
|
|
f7c668 |
+ # not be using IPA.
|
|
|
f7c668 |
+ #
|
|
|
f7c668 |
+ # Newer Dogtag versions will generate a random password
|
|
|
f7c668 |
+ # during pkispawn.
|
|
|
f7c668 |
self.ajp_secret = ipautil.ipa_generate_password(special=None)
|
|
|
f7c668 |
connector.attrib[secretattr] = self.ajp_secret
|
|
|
f7c668 |
|
|
|
f7c668 |
--
|
|
|
f7c668 |
2.26.2
|
|
|
f7c668 |
|
|
|
f7c668 |
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
|
|
|
f7c668 |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
f7c668 |
Date: Wed, 17 Jun 2020 16:00:25 -0400
|
|
|
f7c668 |
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
|
|
|
f7c668 |
|
|
|
f7c668 |
By default, PKI's AJP secret is generated as a 75-bit password. By
|
|
|
f7c668 |
generating it in IPA, we can guarantee the strength of the AJP secret.
|
|
|
f7c668 |
It makes sense to use a stronger AJP secret because it typically
|
|
|
f7c668 |
isn't rotated; access to AJP allows an attacker to impersonate an admin
|
|
|
f7c668 |
while talking to PKI.
|
|
|
f7c668 |
|
|
|
f7c668 |
Fixes: https://pagure.io/freeipa/issue/8372
|
|
|
f7c668 |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
|
|
|
f7c668 |
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
|
|
|
f7c668 |
Related: https://github.com/dogtagpki/pki/pull/437
|
|
|
f7c668 |
|
|
|
f7c668 |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
f7c668 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
f7c668 |
---
|
|
|
f7c668 |
install/share/ipaca_customize.ini | 1 +
|
|
|
f7c668 |
install/share/ipaca_default.ini | 2 ++
|
|
|
f7c668 |
ipaserver/install/dogtaginstance.py | 4 +++-
|
|
|
f7c668 |
3 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
f7c668 |
|
|
|
f7c668 |
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
|
|
|
f7c668 |
index 6d58579af..948734241 100644
|
|
|
f7c668 |
--- a/install/share/ipaca_customize.ini
|
|
|
f7c668 |
+++ b/install/share/ipaca_customize.ini
|
|
|
f7c668 |
@@ -12,6 +12,7 @@
|
|
|
f7c668 |
#
|
|
|
f7c668 |
# Predefined variables
|
|
|
f7c668 |
# - ipa_ca_subject
|
|
|
f7c668 |
+# - ipa_ajp_secret
|
|
|
f7c668 |
# - ipa_fqdn
|
|
|
f7c668 |
# - ipa_subject_base
|
|
|
f7c668 |
# - pki_admin_password
|
|
|
f7c668 |
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
|
|
|
f7c668 |
index 2b9900286..a51256116 100644
|
|
|
f7c668 |
--- a/install/share/ipaca_default.ini
|
|
|
f7c668 |
+++ b/install/share/ipaca_default.ini
|
|
|
f7c668 |
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
|
|
|
f7c668 |
|
|
|
f7c668 |
## dynamic values
|
|
|
f7c668 |
# ipa_ca_subject=
|
|
|
f7c668 |
+# ipa_ajp_secret=
|
|
|
f7c668 |
# ipa_subject_base=
|
|
|
f7c668 |
# ipa_fqdn=
|
|
|
f7c668 |
# ipa_ocsp_uri=
|
|
|
f7c668 |
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
|
|
|
f7c668 |
pki_replication_password=
|
|
|
f7c668 |
|
|
|
f7c668 |
pki_enable_proxy=True
|
|
|
f7c668 |
+pki_ajp_secret=%(ipa_ajp_secret)s
|
|
|
f7c668 |
pki_restart_configured_instance=False
|
|
|
f7c668 |
pki_security_domain_hostname=%(ipa_fqdn)s
|
|
|
f7c668 |
pki_security_domain_https_port=443
|
|
|
f7c668 |
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
index aa3baeb7c..361d80a8c 100644
|
|
|
f7c668 |
--- a/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
+++ b/ipaserver/install/dogtaginstance.py
|
|
|
f7c668 |
@@ -840,7 +840,9 @@ class PKIIniLoader:
|
|
|
f7c668 |
pki_subsystem_type=subsystem.lower(),
|
|
|
f7c668 |
home_dir=os.path.expanduser("~"),
|
|
|
f7c668 |
# for softhsm2 testing
|
|
|
f7c668 |
- softhsm2_so=paths.LIBSOFTHSM2_SO
|
|
|
f7c668 |
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
|
|
|
f7c668 |
+ # Configure a more secure AJP password by default
|
|
|
f7c668 |
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
|
|
|
f7c668 |
)
|
|
|
f7c668 |
|
|
|
f7c668 |
@classmethod
|
|
|
f7c668 |
--
|
|
|
f7c668 |
2.26.2
|
|
|
f7c668 |
|