Move SSL certificates to more convenient place

This commit is contained in:
Vitezslav Crhonek 2016-03-17 12:29:54 +01:00
parent 440e6f7554
commit 5ac8065071
4 changed files with 55 additions and 31 deletions

View File

@ -4,7 +4,7 @@
The Red Hat tog-pegasus package is built with support for SSL
(the Secure Socket Layer).
Note: the upstream documentation for SSL is located here:
/usr/share/doc/tog-pegasus-%{version}/PegasusSSLGuidelines.htm
/usr/share/doc/tog-pegasus/PegasusSSLGuidelines.htm
However, because the upstream documentation for SSL is not up-to-date
(it was last updated in March, 2006, around the time of the
OpenPegasus-2.5.1 release), nor accurate, we are providing this short
@ -17,31 +17,30 @@
PEGASUS_CONFIG_DIR = /etc/Pegasus
PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
(= /etc/Pegasus)
PEGASUS_PEM_DIR = /etc/pki/Pegasus
PEGASUS_SSL_KEY_FILE = file.pem
PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
(= /etc/Pegasus/file.pem)
(= /etc/pki/Pegasus/file.pem)
o Contains the private key for the CIM Server SSL Certificate.
PEGASUS_SSL_CERT_FILE = server.pem
PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
(= /etc/Pegasus/server.pem)
(= /etc/pki/Pegasus/server.pem)
o Contains the CIM Server SSL Certificate.
PEGASUS_SSL_TRUSTSTORE = client.pem
PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
(= /etc/Pegasus/client.pem)
(= /etc/pki/Pegasus/client.pem)
PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust
(= /etc/Pegasus/cimserver_trust)
(= /etc/pki/Pegasus/cimserver_trust)
o Specifies the location of the OpenSSL truststore. Consistent with the
OpenSSL implementation, a truststore can be either a file or directory.
If the truststore is a directory, then all certificates within the
directory are considered trusted.
PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl
(= /etc/Pegasus/crl)
(= /etc/pki/Pegasus/crl)
o This is where the CRL (Certificate Revocation List) store resides.
Tips Following Package Installation:
@ -49,17 +48,18 @@
o CIM Server default SSL certificates are generated when you run the
tog-pegasus daemon (for example, by issuing the command
"service tog-pegasus start") for the first time, which includes the
following files, which are created in /etc/Pegasus: client.pem, file.pem,
server.pem and ssl.cnf.
"systemctl start tog-pegasus") for the first time, which includes the
following files, which are created in /etc/pki/Pegasus: ca.crt, ca.srl,
client.pem, file.pem, server.pem and in /etc/Pegasus: ssl-ca.cnf,
ssl-service.cnf.
Important: simply running the "cimserver" binary (/usr/sbin/cimserver)
does NOT create the certificates or abovementioned files.
Note: if you want to use your own certificates, simply overwrite the ones
in /etc/Pegasus.
in /etc/pki/Pegasus.
o to enable/disable HTTPS port 5989 (the official WBEM secure port),
use cimconfig.
o the wbemcli command (from the sblim-wbemcli package)
uses /etc/Pegasus/client.pem by default (see man wbemcli).
uses /etc/pki/Pegasus/client.pem by default (see man wbemcli).

View File

@ -1,13 +1,13 @@
#!/bin/bash
cd /etc/Pegasus
if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
[ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then
if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/pki/Pegasus/server.pem ] ||
[ ! -e /etc/pki/Pegasus/file.pem ] || [ ! -e /etc/pki/Pegasus/client.pem ]; then
if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
# Create self-signed certificates for initial usage
/usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
# Add the self-signed certificate to the local trust store
cp /etc/Pegasus/ca.crt \
cp /etc/pki/Pegasus/ca.crt \
/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
/usr/bin/update-ca-trust extract
fi;

View File

@ -0,0 +1,12 @@
diff -up pegasus/env_var_Linux.status.orig pegasus/env_var_Linux.status
--- pegasus/env_var_Linux.status.orig 2016-02-18 12:06:51.571515464 +0100
+++ pegasus/env_var_Linux.status 2016-02-18 12:07:02.946568247 +0100
@@ -133,7 +133,7 @@ PEGASUS_LOCAL_DOMAIN_SOCKET_DIR = $(PEGA
PEGASUS_LOCAL_DOMAIN_SOCKET_PATH = \
$(PEGASUS_LOCAL_DOMAIN_SOCKET_DIR)/cimxml.socket
-PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
+PEGASUS_PEM_DIR = /etc/pki/Pegasus
PEGASUS_SSL_KEY_FILE = file.pem
PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
PEGASUS_SSL_CERT_FILE = server.pem

View File

@ -8,7 +8,7 @@
Name: tog-pegasus
Version: %{major_ver}.1
Release: 35%{?dist}
Release: 36%{?dist}
Epoch: 2
Summary: OpenPegasus WBEM Services for Linux
@ -94,6 +94,8 @@ Patch38: pegasus-2.14.1-cimconfig-man-page-fixes.patch
Patch39: pegasus-2.14.1-fix-setup-sdk-ppc64le.patch
# 40: removes Beaker conflicting env variable
Patch40: pegasus-2.14.1-tesid.patch
# 41: moves SSL certificates to /etc/pki/Pegasus
Patch41: pegasus-2.14.1-ssl-cert-path.patch
BuildRequires: procps, libstdc++, pam-devel
BuildRequires: openssl, openssl-devel
@ -192,7 +194,7 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm.
%global PEGASUS_ARCH_LIB %{_lib}
%global OPENSSL_HOME /usr
%global OPENSSL_BIN /usr/bin
%global PEGASUS_PEM_DIR /etc/Pegasus
%global PEGASUS_PEM_DIR /etc/pki/Pegasus
%global PEGASUS_SSL_CERT_FILE server.pem
%global PEGASUS_SSL_KEY_FILE file.pem
%global PEGASUS_SSL_TRUSTSTORE client.pem
@ -245,6 +247,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
%patch38 -p1 -b .cimconfig-man-page-fixes
%patch39 -p1 -b .fix-setup-sdk-ppc64le
%patch40 -p1 -b .testid
%patch41 -p1 -b .ssl-cert-path
%build
@ -278,6 +281,9 @@ make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release repository
%install
# Create directory for SSL certificates
mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
export PEGASUS_HOME=%PEGASUS_RPM_HOME
export PEGASUS_PLATFORM=%PEGASUS_HARDWARE_PLATFORM
@ -304,6 +310,10 @@ install -p -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_tmpfilesdir}/tog-pegasus.conf
# Install script to generate SSL certificates at startup
mkdir -p $RPM_BUILD_ROOT/usr/share/Pegasus/scripts
install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/usr/share/Pegasus/scripts/generate-certs
# Remove unused ssl.cnf file
rm -f $RPM_BUILD_ROOT/etc/Pegasus/ssl.cnf
# Create certificate revocation list dir (see bz#1032046)
mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus/crl
# remove SysV initscript, install .service file
rm -f $RPM_BUILD_ROOT/etc/init.d/tog-pegasus
@ -340,9 +350,6 @@ install -p %{SOURCE11} $RPM_BUILD_ROOT/usr/share/Pegasus/test/snmptrapd.conf
# Install missing mof file for makeSDK
install -p Schemas/CIM238/DMTF/Core/CIM_AbstractComponent.mof $RPM_BUILD_ROOT/usr/share/Pegasus/samples/Providers/Load/CIM238/DMTF/Core/
# create certificate revocation list dir (see bz#1032046)
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/Pegasus/crl
# install man page
mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man1/
cp %SOURCE12 ${RPM_BUILD_ROOT}/%{_mandir}/man1/
@ -371,6 +378,7 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
%dir /var/lib/Pegasus/log
%defattr(0640, root, pegasus, 0750)
%dir /etc/Pegasus
%dir /etc/pki/Pegasus
%{_tmpfilesdir}/tog-pegasus.conf
%ghost /var/run/tog-pegasus
%ghost %attr(0640, root, pegasus) /var/run/tog-pegasus/cimserver.pid
@ -382,19 +390,18 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
%ghost %config(noreplace) /etc/Pegasus/cimserver_planned.conf
%config(noreplace) /etc/Pegasus/access.conf
%config(noreplace) /etc/pam.d/wbem
%ghost /etc/Pegasus/ssl.cnf
%ghost /etc/Pegasus/client.pem
%ghost /etc/Pegasus/server.pem
%ghost /etc/Pegasus/file.pem
%ghost /etc/Pegasus/ca.crt
%ghost /etc/Pegasus/ca.srl
%ghost /etc/Pegasus/client.srl
%ghost /etc/pki/Pegasus/client.pem
%ghost /etc/pki/Pegasus/server.pem
%ghost /etc/pki/Pegasus/file.pem
%ghost /etc/pki/Pegasus/ca.crt
%ghost /etc/pki/Pegasus/ca.srl
%ghost /etc/pki/Pegasus/client.srl
%ghost /etc/Pegasus/ssl-ca.cnf
%ghost /etc/Pegasus/ssl-service.cnf
%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
%ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
%ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
%dir %attr(0640, root, pegasus) /etc/Pegasus/crl
%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/cimserver_trust
%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/indication_trust
%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl
%ghost %verify(not md5 size mtime) /var/lib/Pegasus/log/install.log
%ghost %attr(0640, root, pegasus) %verify(not md5 size mtime) /var/lib/Pegasus/cache/trace/cimserver.trc
%defattr(0755, root, pegasus, 0755)
@ -536,6 +543,11 @@ fi
%changelog
* Thu Mar 17 2016 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-36
- Move SSL certificates to more convenient place, update related scripts
and README.RedHat.SSL
Related: #1308809
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-35
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild