Move SSL certificates to more convenient place

2016-03-17 12:29:54 +01:00 · 2016-03-17 12:29:54 +01:00 · 5ac8065071
commit 5ac8065071
parent 440e6f7554
4 changed files with 55 additions and 31 deletions
--- a/README.RedHat.SSL
+++ b/README.RedHat.SSL
@ -4,7 +4,7 @@
   The Red Hat tog-pegasus package is built with support for SSL
   (the Secure Socket Layer).
   Note: the upstream documentation for SSL is located here:
-   /usr/share/doc/tog-pegasus-%{version}/PegasusSSLGuidelines.htm
+   /usr/share/doc/tog-pegasus/PegasusSSLGuidelines.htm
   However, because the upstream documentation for SSL is not up-to-date
   (it was last updated in March, 2006, around the time of the
   OpenPegasus-2.5.1 release), nor accurate, we are providing this short
@ -17,31 +17,30 @@

   PEGASUS_CONFIG_DIR = /etc/Pegasus

-   PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
-                  (= /etc/Pegasus)
+   PEGASUS_PEM_DIR = /etc/pki/Pegasus

   PEGASUS_SSL_KEY_FILE = file.pem
   PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
-                  (= /etc/Pegasus/file.pem)
+                  (= /etc/pki/Pegasus/file.pem)
   o Contains the private key for the CIM Server SSL Certificate.

   PEGASUS_SSL_CERT_FILE = server.pem
   PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
-                             (= /etc/Pegasus/server.pem)
+                             (= /etc/pki/Pegasus/server.pem)
   o Contains the CIM Server SSL Certificate.

   PEGASUS_SSL_TRUSTSTORE = client.pem
   PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
-                                (= /etc/Pegasus/client.pem)
+                                (= /etc/pki/Pegasus/client.pem)
   PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust
-                                (= /etc/Pegasus/cimserver_trust)
+                                (= /etc/pki/Pegasus/cimserver_trust)
   o Specifies the location of the OpenSSL truststore. Consistent with the
     OpenSSL implementation, a truststore can be either a file or directory.
     If the truststore is a directory, then all certificates within the
     directory are considered trusted.

   PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl
-                         (= /etc/Pegasus/crl)
+                         (= /etc/pki/Pegasus/crl)
   o This is where the CRL (Certificate Revocation List) store resides.

 Tips Following Package Installation:
@ -49,17 +48,18 @@

   o CIM Server default SSL certificates are generated when you run the
     tog-pegasus daemon (for example, by issuing the command
-     "service tog-pegasus start") for the first time, which includes the
-     following files, which are created in /etc/Pegasus: client.pem, file.pem,
-     server.pem and ssl.cnf.
+     "systemctl start tog-pegasus") for the first time, which includes the
+     following files, which are created in /etc/pki/Pegasus: ca.crt, ca.srl,
+     client.pem, file.pem, server.pem and in /etc/Pegasus: ssl-ca.cnf,
+     ssl-service.cnf.
     Important: simply running the "cimserver" binary (/usr/sbin/cimserver)
     does NOT create the certificates or abovementioned files.
     Note: if you want to use your own certificates, simply overwrite the ones
-     in /etc/Pegasus.
+     in /etc/pki/Pegasus.

   o to enable/disable HTTPS port 5989 (the official WBEM secure port),
     use cimconfig.

   o the wbemcli command (from the sblim-wbemcli package)
-     uses /etc/Pegasus/client.pem by default (see man wbemcli).
+     uses /etc/pki/Pegasus/client.pem by default (see man wbemcli).

--- a/6
+++ b/6
@ -1,13 +1,13 @@
 #!/bin/bash
 cd /etc/Pegasus

-if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
-     [ ! -e /etc/Pegasus/file.pem ]  || [ ! -e /etc/Pegasus/client.pem ]; then
+if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/pki/Pegasus/server.pem ] ||
+     [ ! -e /etc/pki/Pegasus/file.pem ]  || [ ! -e /etc/pki/Pegasus/client.pem ]; then
         if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
            # Create self-signed certificates for initial usage
            /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
            # Add the self-signed certificate to the local trust store
-            cp /etc/Pegasus/ca.crt \
+            cp /etc/pki/Pegasus/ca.crt \
               /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
            /usr/bin/update-ca-trust extract
         fi;
--- a/pegasus-2.14.1-ssl-cert-path.patch
+++ b/pegasus-2.14.1-ssl-cert-path.patch
@ -0,0 +1,12 @@
+diff -up pegasus/env_var_Linux.status.orig pegasus/env_var_Linux.status
+--- pegasus/env_var_Linux.status.orig	2016-02-18 12:06:51.571515464 +0100
+++ pegasus/env_var_Linux.status	2016-02-18 12:07:02.946568247 +0100
+@@ -133,7 +133,7 @@ PEGASUS_LOCAL_DOMAIN_SOCKET_DIR = $(PEGA
+ PEGASUS_LOCAL_DOMAIN_SOCKET_PATH = \
+      $(PEGASUS_LOCAL_DOMAIN_SOCKET_DIR)/cimxml.socket
+ 
+-PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
+PEGASUS_PEM_DIR = /etc/pki/Pegasus
+ PEGASUS_SSL_KEY_FILE = file.pem
+ PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
+ PEGASUS_SSL_CERT_FILE = server.pem
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@ -8,7 +8,7 @@

 Name:           tog-pegasus
 Version:        %{major_ver}.1
-Release:        35%{?dist}
+Release:        36%{?dist}
 Epoch:          2
 Summary:        OpenPegasus WBEM Services for Linux

@ -94,6 +94,8 @@ Patch38:        pegasus-2.14.1-cimconfig-man-page-fixes.patch
 Patch39:        pegasus-2.14.1-fix-setup-sdk-ppc64le.patch
 # 40: removes Beaker conflicting env variable
 Patch40:        pegasus-2.14.1-tesid.patch
+# 41: moves SSL certificates to /etc/pki/Pegasus
+Patch41:        pegasus-2.14.1-ssl-cert-path.patch

 BuildRequires:  procps, libstdc++, pam-devel
 BuildRequires:  openssl, openssl-devel
@ -192,7 +194,7 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm.
 %global PEGASUS_ARCH_LIB %{_lib}
 %global OPENSSL_HOME /usr
 %global OPENSSL_BIN /usr/bin
-%global PEGASUS_PEM_DIR /etc/Pegasus
+%global PEGASUS_PEM_DIR /etc/pki/Pegasus
 %global PEGASUS_SSL_CERT_FILE server.pem
 %global PEGASUS_SSL_KEY_FILE file.pem
 %global PEGASUS_SSL_TRUSTSTORE client.pem
@ -245,6 +247,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
 %patch38 -p1 -b .cimconfig-man-page-fixes
 %patch39 -p1 -b .fix-setup-sdk-ppc64le
 %patch40 -p1 -b .testid
+%patch41 -p1 -b .ssl-cert-path


 %build
@ -278,6 +281,9 @@ make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release repository


 %install
+# Create directory for SSL certificates
+mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus
+
 export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
 export PEGASUS_HOME=%PEGASUS_RPM_HOME
 export PEGASUS_PLATFORM=%PEGASUS_HARDWARE_PLATFORM
@ -304,6 +310,10 @@ install -p -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_tmpfilesdir}/tog-pegasus.conf
 # Install script to generate SSL certificates at startup
 mkdir -p $RPM_BUILD_ROOT/usr/share/Pegasus/scripts
 install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/usr/share/Pegasus/scripts/generate-certs
+# Remove unused ssl.cnf file
+rm -f $RPM_BUILD_ROOT/etc/Pegasus/ssl.cnf
+# Create certificate revocation list dir (see bz#1032046)
+mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus/crl

 # remove SysV initscript, install .service file
 rm -f $RPM_BUILD_ROOT/etc/init.d/tog-pegasus
@ -340,9 +350,6 @@ install -p %{SOURCE11} $RPM_BUILD_ROOT/usr/share/Pegasus/test/snmptrapd.conf
 # Install missing mof file for makeSDK
 install -p Schemas/CIM238/DMTF/Core/CIM_AbstractComponent.mof $RPM_BUILD_ROOT/usr/share/Pegasus/samples/Providers/Load/CIM238/DMTF/Core/

-# create certificate revocation list dir (see bz#1032046)
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/Pegasus/crl
-
 # install man page
 mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man1/
 cp %SOURCE12 ${RPM_BUILD_ROOT}/%{_mandir}/man1/
@ -371,6 +378,7 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
 %dir /var/lib/Pegasus/log
 %defattr(0640, root, pegasus, 0750)
 %dir /etc/Pegasus
+%dir /etc/pki/Pegasus
 %{_tmpfilesdir}/tog-pegasus.conf
 %ghost /var/run/tog-pegasus
 %ghost %attr(0640, root, pegasus) /var/run/tog-pegasus/cimserver.pid
@ -382,19 +390,18 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
 %ghost %config(noreplace) /etc/Pegasus/cimserver_planned.conf
 %config(noreplace) /etc/Pegasus/access.conf
 %config(noreplace) /etc/pam.d/wbem
-%ghost /etc/Pegasus/ssl.cnf
-%ghost /etc/Pegasus/client.pem
-%ghost /etc/Pegasus/server.pem
-%ghost /etc/Pegasus/file.pem
-%ghost /etc/Pegasus/ca.crt
-%ghost /etc/Pegasus/ca.srl
-%ghost /etc/Pegasus/client.srl
+%ghost /etc/pki/Pegasus/client.pem
+%ghost /etc/pki/Pegasus/server.pem
+%ghost /etc/pki/Pegasus/file.pem
+%ghost /etc/pki/Pegasus/ca.crt
+%ghost /etc/pki/Pegasus/ca.srl
+%ghost /etc/pki/Pegasus/client.srl
 %ghost /etc/Pegasus/ssl-ca.cnf
 %ghost /etc/Pegasus/ssl-service.cnf
 %ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
-%ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
-%ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
-%dir %attr(0640, root, pegasus) /etc/Pegasus/crl
+%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/cimserver_trust
+%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/indication_trust
+%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl
 %ghost %verify(not md5 size mtime) /var/lib/Pegasus/log/install.log
 %ghost %attr(0640, root, pegasus) %verify(not md5 size mtime) /var/lib/Pegasus/cache/trace/cimserver.trc
 %defattr(0755, root, pegasus, 0755)
@ -536,6 +543,11 @@ fi


 %changelog
+* Thu Mar 17 2016 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-36
+- Move SSL certificates to more convenient place, update related scripts
+  and README.RedHat.SSL
+  Related: #1308809
+
 * Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-35
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild