From 5ac8065071d735a410156b88eb8bf58a7f54d60b Mon Sep 17 00:00:00 2001
From: Vitezslav Crhonek
Date: Thu, 17 Mar 2016 12:29:54 +0100
Subject: [PATCH] Move SSL certificates to more convenient place
---
 README.RedHat.SSL | 26 +++++++++---------
 generate-certs | 6 ++---
 pegasus-2.14.1-ssl-cert-path.patch | 12 +++++++++
 tog-pegasus.spec | 42 +++++++++++++++++++-----------
 4 files changed, 55 insertions(+), 31 deletions(-)
 create mode 100644 pegasus-2.14.1-ssl-cert-path.patch
diff --git a/README.RedHat.SSL b/README.RedHat.SSL
index f768f88..cd8eeaa 100644
--- a/README.RedHat.SSL
+++ b/README.RedHat.SSL
@@ -4,7 +4,7 @@ The Red Hat tog-pegasus package is built with support for SSL (the Secure Socket Layer). Note: the upstream documentation for SSL is located here:
- /usr/share/doc/tog-pegasus-%{version}/PegasusSSLGuidelines.htm
+ /usr/share/doc/tog-pegasus/PegasusSSLGuidelines.htm
 However, because the upstream documentation for SSL is not up-to-date (it was last updated in March, 2006, around the time of the OpenPegasus-2.5.1 release), nor accurate, we are providing this short
@@ -17,31 +17,30 @@ PEGASUS_CONFIG_DIR = /etc/Pegasus - PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR) - (= /etc/Pegasus) + PEGASUS_PEM_DIR = /etc/pki/Pegasus PEGASUS_SSL_KEY_FILE = file.pem PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE) - (= /etc/Pegasus/file.pem) + (= /etc/pki/Pegasus/file.pem) o Contains the private key for the CIM Server SSL Certificate. PEGASUS_SSL_CERT_FILE = server.pem PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE) - (= /etc/Pegasus/server.pem) + (= /etc/pki/Pegasus/server.pem) o Contains the CIM Server SSL Certificate. PEGASUS_SSL_TRUSTSTORE = client.pem PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE) - (= /etc/Pegasus/client.pem) + (= /etc/pki/Pegasus/client.pem) PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust - (= /etc/Pegasus/cimserver_trust) + (= /etc/pki/Pegasus/cimserver_trust) o Specifies the location of the OpenSSL truststore. Consistent with the OpenSSL implementation, a truststore can be either a file or directory. If the truststore is a directory, then all certificates within the directory are considered trusted. PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl - (= /etc/Pegasus/crl) + (= /etc/pki/Pegasus/crl) o This is where the CRL (Certificate Revocation List) store resides. Tips Following Package Installation: 
@@ -49,17 +48,18 @@ o CIM Server default SSL certificates are generated when you run the tog-pegasus daemon (for example, by issuing the command
- "service tog-pegasus start") for the first time, which includes the
- following files, which are created in /etc/Pegasus: client.pem, file.pem,
- server.pem and ssl.cnf.
+ "systemctl start tog-pegasus") for the first time, which includes the
+ following files, which are created in /etc/pki/Pegasus: ca.crt, ca.srl,
+ client.pem, file.pem, server.pem and in /etc/Pegasus: ssl-ca.cnf,
+ ssl-service.cnf.
 Important: simply running the "cimserver" binary (/usr/sbin/cimserver) does NOT create the certificates or abovementioned files. Note: if you want to use your own certificates, simply overwrite the ones
- in /etc/Pegasus.
+ in /etc/pki/Pegasus.
 o to enable/disable HTTPS port 5989 (the official WBEM secure port), use cimconfig. o the wbemcli command (from the sblim-wbemcli package)
- uses /etc/Pegasus/client.pem by default (see man wbemcli).
+ uses /etc/pki/Pegasus/client.pem by default (see man wbemcli).
diff --git a/generate-certs b/generate-certs
index 58b352f..ca02982 100755
--- a/generate-certs
+++ b/generate-certs
@@ -1,13 +1,13 @@
 #!/bin/bash
 cd /etc/Pegasus
-if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
- [ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then
+if [ ! -e /etc/Pegasus/ssl-ca.cnf ] || [ ! -e /etc/Pegasus/ssl-service.cnf ] || [ ! -e /etc/pki/Pegasus/server.pem ] ||
+ [ ! -e /etc/pki/Pegasus/file.pem ] || [ ! -e /etc/pki/Pegasus/client.pem ]; then
 if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
 # Create self-signed certificates for initial usage
 /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
 # Add the self-signed certificate to the local trust store
- cp /etc/Pegasus/ca.crt \
+ cp /etc/pki/Pegasus/ca.crt \
 /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
 /usr/bin/update-ca-trust extract
 fi;
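Review bot: The rewritten existence test on the third and fourth lines of the generate-certs hunk looks only under /etc/pki/Pegasus, so on an upgrade from a release that kept its certificates in /etc/Pegasus the script finds nothing there, runs genOpenPegasusSSLCerts, and anchors a new self-signed ca.crt in the system trust store, while the previous private key and any administrator-installed server.pem stay behind in /etc/Pegasus; nothing in the hunk migrates or removes them. Unless a %post or %posttrans scriptlet in the spec (not part of this patch) handles the move, carrying the old files across before the test would let an existing deployment keep the certificate its clients already trust. The first line's `cd /etc/Pegasus` is also unchanged; if genOpenPegasusSSLCerts writes relative to the working directory, that is worth confirming now that the output is expected under /etc/pki/Pegasus, which the spec presumably creates as a packaged directory.
```shell
#!/bin/bash
cd /etc/Pegasus
# Carry certificates over from the pre-/etc/pki location so an upgrade does
# not silently replace material an administrator already installed.
for f in server.pem file.pem client.pem ca.crt ca.srl client.srl \
         cimserver_trust indication_trust; do
    if [ -e "/etc/Pegasus/$f" ] && [ ! -e "/etc/pki/Pegasus/$f" ]; then
        mv "/etc/Pegasus/$f" "/etc/pki/Pegasus/$f"
    fi
done
# … unchanged: existence test and genOpenPegasusSSLCerts block …
```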
diff --git a/pegasus-2.14.1-ssl-cert-path.patch b/pegasus-2.14.1-ssl-cert-path.patch
new file mode 100644
index 0000000..82f890f
--- /dev/null
+++ b/pegasus-2.14.1-ssl-cert-path.patch
@@ -0,0 +1,12 @@
+diff -up pegasus/env_var_Linux.status.orig pegasus/env_var_Linux.status
+--- pegasus/env_var_Linux.status.orig 2016-02-18 12:06:51.571515464 +0100
++++ pegasus/env_var_Linux.status 2016-02-18 12:07:02.946568247 +0100
+@@ -133,7 +133,7 @@ PEGASUS_LOCAL_DOMAIN_SOCKET_DIR = $(PEGA
+ PEGASUS_LOCAL_DOMAIN_SOCKET_PATH = \
+ $(PEGASUS_LOCAL_DOMAIN_SOCKET_DIR)/cimxml.socket
+
+-PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
++PEGASUS_PEM_DIR = /etc/pki/Pegasus
+ PEGASUS_SSL_KEY_FILE = file.pem
+ PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
+ PEGASUS_SSL_CERT_FILE = server.pem
diff --git a/tog-pegasus.spec b/tog-pegasus.spec
index 803aa2c..0b7ebab 100644
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@@ -8,7 +8,7 @@ Name: tog-pegasus
 Version: %{major_ver}.1
-Release: 35%{?dist}
+Release: 36%{?dist}
 Epoch: 2
 Summary: OpenPegasus WBEM Services for Linux
@@ -94,6 +94,8 @@ Patch38: pegasus-2.14.1-cimconfig-man-page-fixes.patch
 Patch39: pegasus-2.14.1-fix-setup-sdk-ppc64le.patch
 # 40: removes Beaker conflicting env variable
 Patch40: pegasus-2.14.1-tesid.patch
+# 41: moves SSL certificates to /etc/pki/Pegasus
+Patch41: pegasus-2.14.1-ssl-cert-path.patch
 BuildRequires: procps, libstdc++, pam-devel
 BuildRequires: openssl, openssl-devel
@@ -192,7 +194,7 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm.
 %global PEGASUS_ARCH_LIB %{_lib}
 %global OPENSSL_HOME /usr
 %global OPENSSL_BIN /usr/bin
-%global PEGASUS_PEM_DIR /etc/Pegasus
+%global PEGASUS_PEM_DIR /etc/pki/Pegasus
 %global PEGASUS_SSL_CERT_FILE server.pem
 %global PEGASUS_SSL_KEY_FILE file.pem
 %global PEGASUS_SSL_TRUSTSTORE client.pem
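Review bot: The `%global PEGASUS_PEM_DIR /etc/pki/Pegasus` line in the -192,7 hunk now carries the same literal that Patch41 writes into env_var_Linux.status and that generate-certs and README.RedHat.SSL hard-code, so a later move of the directory has four copies to keep aligned and nothing on the spec side points at the others. A comment on the %global would at least make the coupling visible: `# Keep in sync with PEGASUS_PEM_DIR in pegasus-2.14.1-ssl-cert-path.patch, generate-certs and README.RedHat.SSL`. If the Pegasus build takes PEGASUS_PEM_DIR from the environment the way the %install section (outside this hunk) already exports PEGASUS_ROOT, PEGASUS_HOME and PEGASUS_PLATFORM from spec macros, exporting the macro there would remove the need for the source patch altogether; that depends on how env_var_Linux.status is consumed, which is not visible here.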
@@ -245,6 +247,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
 %patch38 -p1 -b .cimconfig-man-page-fixes
 %patch39 -p1 -b .fix-setup-sdk-ppc64le
 %patch40 -p1 -b .testid
+%patch41 -p1 -b .ssl-cert-path
 %build
@@ -278,6 +281,9 @@ make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release repository
 %install
+# Create directory for SSL certificates
+mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus
+
 export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
 export PEGASUS_HOME=%PEGASUS_RPM_HOME
 export PEGASUS_PLATFORM=%PEGASUS_HARDWARE_PLATFORM
@@ -304,6 +310,10 @@ install -p -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_tmpfilesdir}/tog-pegasus.conf
 # Install script to generate SSL certificates at startup
 mkdir -p $RPM_BUILD_ROOT/usr/share/Pegasus/scripts
 install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/usr/share/Pegasus/scripts/generate-certs
+# Remove unused ssl.cnf file
+rm -f $RPM_BUILD_ROOT/etc/Pegasus/ssl.cnf
+# Create certificate revocation list dir (see bz#1032046)
+mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus/crl
 # remove SysV initscript, install .service file
 rm -f $RPM_BUILD_ROOT/etc/init.d/tog-pegasus
@@ -340,9 +350,6 @@ install -p %{SOURCE11} $RPM_BUILD_ROOT/usr/share/Pegasus/test/snmptrapd.conf
 # Install missing mof file for makeSDK
 install -p Schemas/CIM238/DMTF/Core/CIM_AbstractComponent.mof $RPM_BUILD_ROOT/usr/share/Pegasus/samples/Providers/Load/CIM238/DMTF/Core/
-# create certificate revocation list dir (see bz#1032046)
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/Pegasus/crl
-
 # install man page
 mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man1/
 cp %SOURCE12 ${RPM_BUILD_ROOT}/%{_mandir}/man1/
@@ -371,6 +378,7 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
 %dir /var/lib/Pegasus/log
 %defattr(0640, root, pegasus, 0750)
 %dir /etc/Pegasus
+%dir /etc/pki/Pegasus
 %{_tmpfilesdir}/tog-pegasus.conf
 %ghost /var/run/tog-pegasus
 %ghost %attr(0640, root, pegasus) /var/run/tog-pegasus/cimserver.pid
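Review bot: The two added mkdir lines in the -278,6 and -304,6 hunks spell out `/etc/pki/Pegasus` literally, although the spec defines `%global PEGASUS_PEM_DIR /etc/pki/Pegasus` a few hundred lines earlier and the line being dropped in the -340,9 hunk used `%{_sysconfdir}`; a buildroot path that is not derived from the macro will silently disagree with it the next time the location changes. Writing the CRL line as `mkdir -p $RPM_BUILD_ROOT%{PEGASUS_PEM_DIR}/crl` ties it to the macro and, because `mkdir -p` creates the parent, makes the separate `mkdir -p $RPM_BUILD_ROOT/etc/pki/Pegasus` at the top of %install redundant unless something between the two (the install run, outside these hunks) needs the directory to exist first, which is worth confirming before removing it. The `%dir /etc/pki/Pegasus` entry in the -371,6 hunk falls under `%defattr(0640, root, pegasus, 0750)`, so the directory is packaged 0750 root:pegasus; a short comment saying that the private key is expected to live there and the mode is deliberate would help the next reader.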
@@ -382,19 +390,18 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
 %ghost %config(noreplace) /etc/Pegasus/cimserver_planned.conf
 %config(noreplace) /etc/Pegasus/access.conf
 %config(noreplace) /etc/pam.d/wbem
-%ghost /etc/Pegasus/ssl.cnf
-%ghost /etc/Pegasus/client.pem
-%ghost /etc/Pegasus/server.pem
-%ghost /etc/Pegasus/file.pem
-%ghost /etc/Pegasus/ca.crt
-%ghost /etc/Pegasus/ca.srl
-%ghost /etc/Pegasus/client.srl
+%ghost /etc/pki/Pegasus/client.pem
+%ghost /etc/pki/Pegasus/server.pem
+%ghost /etc/pki/Pegasus/file.pem
+%ghost /etc/pki/Pegasus/ca.crt
+%ghost /etc/pki/Pegasus/ca.srl
+%ghost /etc/pki/Pegasus/client.srl
 %ghost /etc/Pegasus/ssl-ca.cnf
 %ghost /etc/Pegasus/ssl-service.cnf
 %ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
-%ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
-%ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
-%dir %attr(0640, root, pegasus) /etc/Pegasus/crl
+%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/cimserver_trust
+%ghost %attr(0640, root, pegasus) /etc/pki/Pegasus/indication_trust
+%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl
 %ghost %verify(not md5 size mtime) /var/lib/Pegasus/log/install.log
 %ghost %attr(0640, root, pegasus) %verify(not md5 size mtime) /var/lib/Pegasus/cache/trace/cimserver.trc
 %defattr(0755, root, pegasus, 0755)
@@ -536,6 +543,11 @@ fi
 %changelog
+* Thu Mar 17 2016 Vitezslav Crhonek - 2:2.14.1-36
+- Move SSL certificates to more convenient place, update related scripts and README.RedHat.SSL Related: #1308809
+
 * Fri Feb 05 2016 Fedora Release Engineering - 2:2.14.1-35
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
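Review bot: The relocated `%dir %attr(0640, root, pegasus) /etc/pki/Pegasus/crl` line in the -382,19 hunk applies a file mode to a directory: without the execute bit the pegasus group can neither list nor traverse the CRL store, and only root, which bypasses the check, can reach files inside it. The value is carried over from the old /etc/Pegasus/crl entry rather than introduced here, but since the line is being rewritten anyway it is the moment to align it with the directory default the %files section sets in `%defattr(0640, root, pegasus, 0750)`: `%dir %attr(0750, root, pegasus) /etc/pki/Pegasus/crl`. If cimserver runs as root the mismatch goes unnoticed today, which is presumably why it survived; a one-line comment above the %ghost block noting that the real modes of the certificate files are set by genOpenPegasusSSLCerts and the %defattr only governs verification and removal would also save the next reader from assuming the private key is packaged with those permissions.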