From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001

From: Alexander Scheel <ascheel@redhat.com>

Date: Mon, 15 Jun 2020 18:38:35 -0400

Subject: [PATCH] Clarify AJP connector creation process

We do two things:

 1. Fix the xpath for AJP connector verification. An AJP connector is

    one which has protocol="AJP/1.3", NOT one that has port="8009". An

    AJP connector can exist on any port and port 8009 can have any

    protocol. Secrets only make sense on AJP connectors, so make the

    xpath match the existing comment.

 2. Add some background in-line documentation about AJP secret

    provisioning. This should help future developers understand why this

    was added to IPA and what limitations there are in what PKI or IPA

    can do. Most notably, explain why Dogtag can't upgrade the AJP

    connector to have a secret in the general case.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---

 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py

index 42c9db3fb..aa3baeb7c 100644

--- a/ipaserver/install/dogtaginstance.py

+++ b/ipaserver/install/dogtaginstance.py

@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):

         doc = server_xml.getroot()

         # no AJP connector means no need to update anything

-        connectors = doc.xpath('//Connector[@port="8009"]')

+        connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')

         if len(connectors) == 0:

             return

-        # AJP connector is set on port 8009. Use non-greedy search to find it

+        # AJP protocol is at version 1.3. Assume there is only one as

+        # Dogtag only provisions one.

         connector = connectors[0]

         # Detect tomcat version and choose the right option name

@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):

             rewrite = False

         else:

             if oldattr in connector.attrib:

+                # Sufficiently new Dogtag versions (10.9.0-a2) handle the

+                # upgrade for us; we need only to ensure that we're not both

+                # attempting to upgrade server.xml at the same time.

+                # Hopefully this is guaranteed for us.

                 self.ajp_secret = connector.attrib[oldattr]

                 connector.attrib[secretattr] = self.ajp_secret

                 del connector.attrib[oldattr]

             else:

-                # Generate password, don't use special chars to not break XML

+                # Generate password, don't use special chars to not break XML.

+                #

+                # If we hit this case, pkispawn was run on an older Dogtag

+                # version and we're stuck migrating, choosing a password

+                # ourselves. Dogtag can't generate one randomly because a

+                # Dogtag administrator might've configured AJP and might

+                # not be using IPA.

+                #

+                # Newer Dogtag versions will generate a random password

+                # during pkispawn.

                 self.ajp_secret = ipautil.ipa_generate_password(special=None)

                 connector.attrib[secretattr] = self.ajp_secret

-- 

2.26.2

From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001

From: Alexander Scheel <ascheel@redhat.com>

Date: Wed, 17 Jun 2020 16:00:25 -0400

Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By

generating it in IPA, we can guarantee the strength of the AJP secret.

It makes sense to use a stronger AJP secret because it typically

isn't rotated; access to AJP allows an attacker to impersonate an admin

while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447

Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 install/share/ipaca_customize.ini   | 1 +

 install/share/ipaca_default.ini     | 2 ++

 ipaserver/install/dogtaginstance.py | 4 +++-

 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini

index 6d58579af..948734241 100644

--- a/install/share/ipaca_customize.ini

+++ b/install/share/ipaca_customize.ini

@@ -12,6 +12,7 @@

 #

 # Predefined variables

 #  - ipa_ca_subject

+#  - ipa_ajp_secret

 #  - ipa_fqdn

 #  - ipa_subject_base

 #  - pki_admin_password

diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini

index 2b9900286..a51256116 100644

--- a/install/share/ipaca_default.ini

+++ b/install/share/ipaca_default.ini

@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt

 ## dynamic values

 # ipa_ca_subject=

+# ipa_ajp_secret=

 # ipa_subject_base=

 # ipa_fqdn=

 # ipa_ocsp_uri=

@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s

 pki_replication_password=

 pki_enable_proxy=True

+pki_ajp_secret=%(ipa_ajp_secret)s

 pki_restart_configured_instance=False

 pki_security_domain_hostname=%(ipa_fqdn)s

 pki_security_domain_https_port=443

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py

index aa3baeb7c..361d80a8c 100644

--- a/ipaserver/install/dogtaginstance.py

+++ b/ipaserver/install/dogtaginstance.py

@@ -840,7 +840,9 @@ class PKIIniLoader:

             pki_subsystem_type=subsystem.lower(),

             home_dir=os.path.expanduser("~"),

             # for softhsm2 testing

-            softhsm2_so=paths.LIBSOFTHSM2_SO

+            softhsm2_so=paths.LIBSOFTHSM2_SO,

+            # Configure a more secure AJP password by default

+            ipa_ajp_secret=ipautil.ipa_generate_password(special=None)

         )

     @classmethod

-- 

2.26.2