Move SSL certificates to more convenient place
This commit is contained in:
parent
440e6f7554
commit
5ac8065071
@ -4,7 +4,7 @@
|
||||
The Red Hat tog-pegasus package is built with support for SSL
|
||||
(the Secure Socket Layer).
|
||||
Note: the upstream documentation for SSL is located here:
|
||||
/usr/share/doc/tog-pegasus-%{version}/PegasusSSLGuidelines.htm
|
||||
/usr/share/doc/tog-pegasus/PegasusSSLGuidelines.htm
|
||||
However, because the upstream documentation for SSL is not up-to-date
|
||||
(it was last updated in March, 2006, around the time of the
|
||||
OpenPegasus-2.5.1 release), nor accurate, we are providing this short
|
||||
@ -17,31 +17,30 @@
|
||||
|
||||
PEGASUS_CONFIG_DIR = /etc/Pegasus
|
||||
|
||||
PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
|
||||
(= /etc/Pegasus)
|
||||
PEGASUS_PEM_DIR = /etc/pki/Pegasus
|
||||
|
||||
PEGASUS_SSL_KEY_FILE = file.pem
|
||||
PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
|
||||
(= /etc/Pegasus/file.pem)
|
||||
(= /etc/pki/Pegasus/file.pem)
|
||||
o Contains the private key for the CIM Server SSL Certificate.
|
||||
|
||||
PEGASUS_SSL_CERT_FILE = server.pem
|
||||
PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
|
||||
(= /etc/Pegasus/server.pem)
|
||||
(= /etc/pki/Pegasus/server.pem)
|
||||
o Contains the CIM Server SSL Certificate.
|
||||
|
||||
PEGASUS_SSL_TRUSTSTORE = client.pem
|
||||
PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
|
||||
(= /etc/Pegasus/client.pem)
|
||||
(= /etc/pki/Pegasus/client.pem)
|
||||
PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust
|
||||
(= /etc/Pegasus/cimserver_trust)
|
||||
(= /etc/pki/Pegasus/cimserver_trust)
|
||||
o Specifies the location of the OpenSSL truststore. Consistent with the
|
||||
OpenSSL implementation, a truststore can be either a file or directory.
|
||||
If the truststore is a directory, then all certificates within the
|
||||
directory are considered trusted.
|
||||
|
||||
PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl
|
||||
(= /etc/Pegasus/crl)
|
||||
(= /etc/pki/Pegasus/crl)
|
||||
o This is where the CRL (Certificate Revocation List) store resides.
|
||||
|
||||
Tips Following Package Installation:
|
||||
@ -49,17 +48,18 @@
|
||||
|
||||
o CIM Server default SSL certificates are generated when you run the
|
||||
tog-pegasus daemon (for example, by issuing the command
|
||||
"service tog-pegasus start") for the first time, which includes the
|
||||
following files, which are created in /etc/Pegasus: client.pem, file.pem,
|
||||
server.pem and ssl.cnf.
|
||||
"systemctl start tog-pegasus") for the first time, which includes the
|
||||
following files, which are created in /etc/pki/Pegasus: ca.crt, ca.srl,
|
||||
client.pem, file.pem, server.pem and in /etc/Pegasus: ssl-ca.cnf,
|
||||
ssl-service.cnf.
|
||||
Important: simply running the "cimserver" binary (/usr/sbin/cimserver)
|
||||
does NOT create the certificates or abovementioned files.
|
||||
Note: if you want to use your own certificates, simply overwrite the ones
|
||||
in /etc/Pegasus.
|
||||
in /etc/pki/Pegasus.
|
||||
|
||||
o to enable/disable HTTPS port 5989 (the official WBEM secure port),
|
||||
use cimconfig.
|
||||
|
||||
o the wbemcli command (from the sblim-wbemcli package)
|
||||
uses /etc/Pegasus/client.pem by default (see man wbemcli).
|
||||
uses /etc/pki/Pegasus/client.pem by default (see man wbemcli).
|
||||
|
||||
|
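Review bot: The new tip `Note: if you want to use your own certificates, simply overwrite the ones in /etc/pki/Pegasus.` understates what the startup check in this commit's generate-certs script requires: it runs genOpenPegasusSSLCerts (which presumably rewrites the whole set) whenever any of server.pem, file.pem or client.pem is missing from /etc/pki/Pegasus or either .cnf file is missing from /etc/Pegasus, and it then copies the generated ca.crt into /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem as a system-wide trust anchor. I would extend the note with a sentence saying that all three .pem files must be provided, and that when replacing generated certificates the administrator should also remove /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem and run `update-ca-trust extract` so the old self-signed CA is no longer trusted host-wide. The paragraph listing where files are created would also benefit from stating that ssl-ca.cnf and ssl-service.cnf deliberately stay in /etc/Pegasus, since the two directories are easy to confuse. Whether certificates from earlier installations in /etc/Pegasus are carried over is not visible here; if they are not, a one-line upgrade note belongs in this section too.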
@ -1,13 +1,13 @@
|
||||
#!/bin/bash
|
||||
cd /etc/Pegasus
|
||||
|
||||
if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
|
||||
[ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then
|
||||
if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/pki/Pegasus/server.pem ] ||
|
||||
[ ! -e /etc/pki/Pegasus/file.pem ] || [ ! -e /etc/pki/Pegasus/client.pem ]; then
|
||||
if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
|
||||
# Create self-signed certificates for initial usage
|
||||
/usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
|
||||
# Add the self-signed certificate to the local trust store
|
||||
cp /etc/Pegasus/ca.crt \
|
||||
cp /etc/pki/Pegasus/ca.crt \
|
||||
/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
|
||||
/usr/bin/update-ca-trust extract
|
||||
fi;
|
||||
|
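Review bot: Nothing in the new `if` block stops on failure: if `/usr/share/Pegasus/scripts/genOpenPegasusSSLCerts` exits non-zero, the following `cp /etc/pki/Pegasus/ca.crt` and `/usr/bin/update-ca-trust extract` still run, so a stale or partially written CA can be installed as a system-wide trust anchor and the service starts anyway. Chaining the three commands, `/usr/share/Pegasus/scripts/genOpenPegasusSSLCerts &&` / `cp /etc/pki/Pegasus/ca.crt /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem &&` / `/usr/bin/update-ca-trust extract`, makes the block fail as a unit (a `set -e` after the shebang would do the same for the whole script). Unless genOpenPegasusSSLCerts sets file modes itself, which is not visible here, a `umask 027` before the call would keep the private key file.pem from being created world-readable under the caller's umask; the spec's %attr(0640) on the %ghost entries does not apply at generation time. The unchecked `cd /etc/Pegasus` on the second line is only safe as long as nothing below relies on the working directory. The outer `if` opened in this hunk is closed outside it.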
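--- a/pegasus-2.14.1-ssl-cert-path.patch
+++ b/pegasus-2.14.1-ssl-cert-path.patch
@@ -0,0 +1,12 @@
+diff -up pegasus/env_var_Linux.status.orig pegasus/env_var_Linux.status
+--- pegasus/env_var_Linux.status.orig 2016-02-18 12:06:51.571515464 +0100
++++ pegasus/env_var_Linux.status 2016-02-18 12:07:02.946568247 +0100
+@@ -133,7 +133,7 @@ PEGASUS_LOCAL_DOMAIN_SOCKET_DIR = $(PEGA
+PEGASUS_LOCAL_DOMAIN_SOCKET_PATH = \
+$(PEGASUS_LOCAL_DOMAIN_SOCKET_DIR)/cimxml.socket
+
+-PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
++PEGASUS_PEM_DIR = /etc/pki/Pegasus
+PEGASUS_SSL_KEY_FILE = file.pem
+PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
+PEGASUS_SSL_CERT_FILE = server.pem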
@ -8,7 +8,7 @@
|
||||
|
||||
Name: tog-pegasus
|
||||
Version: %{major_ver}.1
|
||||
Release: 35%{?dist}
|
||||
Release: 36%{?dist}
|
||||
Epoch: 2
|
||||
Summary: OpenPegasus WBEM Services for Linux
|
||||
|
||||
@ -94,6 +94,8 @@ Patch38: pegasus-2.14.1-cimconfig-man-page-fixes.patch
|
||||
Patch39: pegasus-2.14.1-fix-setup-sdk-ppc64le.patch
|
||||
# 40: removes Beaker conflicting env variable
|
||||
Patch40: pegasus-2.14.1-tesid.patch
|
||||
# 41: moves SSL certificates to /etc/pki/Pegasus
|
||||
Patch41: pegasus-2.14.1-ssl-cert-path.patch
|
||||
|
||||
BuildRequires: procps, libstdc++, pam-devel
|
||||
BuildRequires: openssl, openssl-devel
|
||||
@ -192,7 +194,7 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm.
|
||||
%global PEGASUS_ARCH_LIB %{_lib}
|
||||
%global OPENSSL_HOME /usr
|
||||
%global OPENSSL_BIN /usr/bin
|
||||
%global PEGASUS_PEM_DIR /etc/Pegasus
|
||||
%global PEGASUS_PEM_DIR /etc/pki/Pegasus
|
||||
%global PEGASUS_SSL_CERT_FILE server.pem
|
||||
%global PEGASUS_SSL_KEY_FILE file.pem
|
||||
%global PEGASUS_SSL_TRUSTSTORE client.pem
|
||||
@ -245,6 +247,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
|
||||
%patch38 -p1 -b .cimconfig-man-page-fixes
|
||||
%patch39 -p1 -b .fix-setup-sdk-ppc64le
|
||||
%patch40 -p1 -b .testid
|
||||
%patch41 -p1 -b .ssl-cert-path
|
||||
|
||||
|
||||
%build
|
||||
@ -278,6 +281,9 @@ make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release repository
|
||||
|
||||
|
||||
%install
|
||||
# Create directory for SSL certificates
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus
|
||||
|
||||
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
|
||||
export PEGASUS_HOME=%PEGASUS_RPM_HOME
|
||||
export PEGASUS_PLATFORM=%PEGASUS_HARDWARE_PLATFORM
|
||||
@ -304,6 +310,10 @@ install -p -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_tmpfilesdir}/tog-pegasus.conf
|
||||
# Install script to generate SSL certificates at startup
|
||||
mkdir -p $RPM_BUILD_ROOT/usr/share/Pegasus/scripts
|
||||
install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/usr/share/Pegasus/scripts/generate-certs
|
||||
# Remove unused ssl.cnf file
|
||||
rm -f $RPM_BUILD_ROOT/etc/Pegasus/ssl.cnf
|
||||
# Create certificate revocation list dir (see bz#1032046)
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus/crl
|
||||
|
||||
# remove SysV initscript, install .service file
|
||||
rm -f $RPM_BUILD_ROOT/etc/init.d/tog-pegasus
|
||||
@ -340,9 +350,6 @@ install -p %{SOURCE11} $RPM_BUILD_ROOT/usr/share/Pegasus/test/snmptrapd.conf
|
||||
# Install missing mof file for makeSDK
|
||||
install -p Schemas/CIM238/DMTF/Core/CIM_AbstractComponent.mof $RPM_BUILD_ROOT/usr/share/Pegasus/samples/Providers/Load/CIM238/DMTF/Core/
|
||||
|
||||
# create certificate revocation list dir (see bz#1032046)
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/Pegasus/crl
|
||||
|
||||
# install man page
|
||||
mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man1/
|
||||
cp %SOURCE12 ${RPM_BUILD_ROOT}/%{_mandir}/man1/
|
||||
@ -371,6 +378,7 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
|
||||
%dir /var/lib/Pegasus/log
|
||||
%defattr(0640, root, pegasus, 0750)
|
||||
%dir /etc/Pegasus
|
||||
%dir /etc/pki/Pegasus
|
||||
%{_tmpfilesdir}/tog-pegasus.conf
|
||||
%ghost /var/run/tog-pegasus
|
||||
%ghost %attr(0640, root, pegasus) /var/run/tog-pegasus/cimserver.pid
|
||||
@ -382,19 +390,18 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
|
||||
%ghost %config(noreplace) /etc/Pegasus/cimserver_planned.conf
|
||||
%config(noreplace) /etc/Pegasus/access.conf
|
||||
%config(noreplace) /etc/pam.d/wbem
|
||||
%ghost /etc/Pegasus/ssl.cnf
|
||||
%ghost /etc/Pegasus/client.pem
|
||||
%ghost /etc/Pegasus/server.pem
|
||||
%ghost /etc/Pegasus/file.pem
|
||||
%ghost /etc/Pegasus/ca.crt
|
||||
%ghost /etc/Pegasus/ca.srl
|
||||
%ghost /etc/Pegasus/client.srl
|
||||
%ghost /etc/pki/Pegasus/client.pem
|
||||
%ghost /etc/pki/Pegasus/server.pem
|
||||
%ghost /etc/pki/Pegasus/file.pem
|
||||
%ghost /etc/pki/Pegasus/ca.crt
|
||||
%ghost /etc/pki/Pegasus/ca.srl
|
||||
%ghost /etc/pki/Pegasus/client.srl
|
||||
%ghost /etc/Pegasus/ssl-ca.cnf
|
||||
%ghost /etc/Pegasus/ssl-service.cnf
|
||||
%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
|
||||
%ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
|
||||
%ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
|
||||
%dir %attr(0640, root, pegasus) /etc/Pegasus/crl
|
||||
%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/cimserver_trust
|
||||
%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/indication_trust
|
||||
%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl
|
||||
%ghost %verify(not md5 size mtime) /var/lib/Pegasus/log/install.log
|
||||
%ghost %attr(0640, root, pegasus) %verify(not md5 size mtime) /var/lib/Pegasus/cache/trace/cimserver.trc
|
||||
%defattr(0755, root, pegasus, 0755)
|
||||
@ -536,6 +543,11 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Mar 17 2016 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-36
|
||||
- Move SSL certificates to more convenient place, update related scripts
|
||||
and README.RedHat.SSL
|
||||
Related: #1308809
|
||||
|
||||
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-35
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
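Review bot: `%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl` in the %files hunk gives the CRL directory no search (x) bit, so members of group pegasus cannot enter it and a hash-dir CRL lookup by any non-root process would fail; the mode was carried over unchanged from the old /etc/Pegasus/crl line. Since the `%defattr(0640, root, pegasus, 0750)` above already uses 0750 for directories, `%dir %attr(0750, root, pegasus) /etc/pki/Pegasus/crl` (or simply `%dir /etc/pki/Pegasus/crl`) matches the intent. Separately, I see no %post/%posttrans step moving certificates that an existing installation holds in /etc/Pegasus to the new directory, so on upgrade the startup script would appear to generate a fresh self-signed CA while the administrator's previous server key stays behind unowned in /etc/Pegasus — worth either a migration scriptlet or an explicit warning in the changelog and README. Minor: the new `mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus` lines use a literal /etc where the line they replace used %{_sysconfdir}.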