From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Mon, 15 Jun 2020 18:38:35 -0400
Subject: [PATCH] Clarify AJP connector creation process

We do two things: 1. Fix the xpath for AJP connector verification. An AJP connector is one which has protocol="AJP/1.3", NOT one that has port="8009". An AJP connector can exist on any port and port 8009 can have any protocol. Secrets only make sense on AJP connectors, so make the xpath match the existing comment. 2. Add some background in-line documentation about AJP secret provisioning. This should help future developers understand why this was added to IPA and what limitations there are in what PKI or IPA can do. Most notably, explain why Dogtag can't upgrade the AJP connector to have a secret in the general case.

Signed-off-by: Alexander Scheel
Reviewed-By: Alexander Bokovoy
---
 ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 42c9db3fb..aa3baeb7c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
 doc = server_xml.getroot()
 # no AJP connector means no need to update anything
- connectors = doc.xpath('//Connector[@port="8009"]')
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
 if len(connectors) == 0:
 return
- # AJP connector is set on port 8009. Use non-greedy search to find it
+ # AJP protocol is at version 1.3. Assume there is only one as
+ # Dogtag only provisions one.
 connector = connectors[0]
 # Detect tomcat version and choose the right option name
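Review bot: The new xpath only matches a connector whose protocol attribute is literally `AJP/1.3`, but Tomcat also accepts the fully-qualified implementation class (for example `org.apache.coyote.ajp.AjpNioProtocol`) as the protocol value, so an AJP connector written that way falls through the "no AJP connector" early return and is left without a secret. A broader match would be `connectors = doc.xpath('//Connector[@protocol="AJP/1.3" or contains(@protocol, ".ajp.")]')`. The new comment "Assume there is only one as Dogtag only provisions one" also deserves a guard: only `connectors[0]` gets a secret, so an administrator-added second AJP connector would stay unauthenticated silently; at least emit a warning when `len(connectors) > 1`. The enclosing method starts and ends outside the hunk.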
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
 rewrite = False
 else:
 if oldattr in connector.attrib:
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
+ # upgrade for us; we need only to ensure that we're not both
+ # attempting to upgrade server.xml at the same time.
+ # Hopefully this is guaranteed for us.
 self.ajp_secret = connector.attrib[oldattr]
 connector.attrib[secretattr] = self.ajp_secret
 del connector.attrib[oldattr]
 else:
- # Generate password, don't use special chars to not break XML
+ # Generate password, don't use special chars to not break XML.
+ #
+ # If we hit this case, pkispawn was run on an older Dogtag
+ # version and we're stuck migrating, choosing a password
+ # ourselves. Dogtag can't generate one randomly because a
+ # Dogtag administrator might've configured AJP and might
+ # not be using IPA.
+ #
+ # Newer Dogtag versions will generate a random password
+ # during pkispawn.
 self.ajp_secret = ipautil.ipa_generate_password(special=None)
 connector.attrib[secretattr] = self.ajp_secret
-- 2.26.2

From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 17 Jun 2020 16:00:25 -0400
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By generating it in IPA, we can guarantee the strength of the AJP secret. It makes sense to use a stronger AJP secret because it typically isn't rotated; access to AJP allows an attacker to impersonate an admin while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
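Review bot: The new comment on the `requiredSecret` migration branch says the only remaining concern is that IPA and Dogtag do not rewrite server.xml at the same time, then closes with "Hopefully this is guaranteed for us" — nothing in the branch enforces that, and the comment does not say where the ordering is established, so the next reader has to re-derive it. Either name what serialises the two writers, e.g. `# Safe because the installer runs this only after pkispawn has exited (confirm for the upgrade path)`, or drop the "hopefully" so an open question is not documented as settled. The else-branch comment could also note that a secret copied over from `requiredSecret` keeps whatever strength pkispawn originally gave it; only the generated one is IPA-chosen, which matters given the second patch on this page exists precisely to raise that strength. The enclosing method starts and ends outside the hunk.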
Signed-off-by: Alexander Scheel
Reviewed-By: Alexander Bokovoy
---
 install/share/ipaca_customize.ini | 1 +
 install/share/ipaca_default.ini | 2 ++
 ipaserver/install/dogtaginstance.py | 4 +++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 6d58579af..948734241 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -12,6 +12,7 @@
 #
 # Predefined variables
 # - ipa_ca_subject
+# - ipa_ajp_secret
 # - ipa_fqdn
 # - ipa_subject_base
 # - pki_admin_password
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 2b9900286..a51256116 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
 ## dynamic values
 # ipa_ca_subject=
+# ipa_ajp_secret=
 # ipa_subject_base=
 # ipa_fqdn=
 # ipa_ocsp_uri=
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
 pki_replication_password=
 pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
 pki_restart_configured_instance=False
 pki_security_domain_hostname=%(ipa_fqdn)s
 pki_security_domain_https_port=443
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index aa3baeb7c..361d80a8c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -840,7 +840,9 @@ class PKIIniLoader:
 pki_subsystem_type=subsystem.lower(),
 home_dir=os.path.expanduser("~"),
 # for softhsm2 testing
- softhsm2_so=paths.LIBSOFTHSM2_SO
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
+ # Configure a more secure AJP password by default
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
 )
 @classmethod
-- 2.26.2
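Review bot: `pki_ajp_secret=%(ipa_ajp_secret)s` makes the rendered pkispawn configuration carry the AJP secret next to the password keys the template already holds (`pki_admin_password` and the others listed in ipaca_customize.ini), so it inherits whatever protection that file gets; it is worth confirming that the rendered config is written with restricted permissions and that any debug dump of it redacts this key the same way as the existing passwords, since an exposed AJP secret is the exact impersonation risk the commit message describes. The new placeholder `# ipa_ajp_secret=` under `## dynamic values` documents the variable but not who supplies it; a trailer such as `# ipa_ajp_secret=  (generated per install by PKIIniLoader)` would save a reader a grep.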
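Review bot: `ipa_ajp_secret=ipautil.ipa_generate_password(special=None)` is evaluated every time this defaults mapping is built, so each construction yields a fresh secret; that is fine for a single pkispawn run, but the value is recorded nowhere except the rendered config, and it is the later server.xml pass (the first patch on this page, reading the connector's secret attribute) that keeps IPA's copy in sync with what pkispawn actually wrote — that dependency deserves a sentence here. The comment `# Configure a more secure AJP password by default` should say what "more secure" means and why `special=None`: `# 256-bit AJP secret (ipa_generate_password default, per the commit message) instead of pkispawn's 75-bit one; no special characters so the value stays valid XML in server.xml`. The enclosing method starts outside the hunk.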