80bbde
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
80bbde
From: Alexander Scheel <ascheel@redhat.com>
80bbde
Date: Mon, 15 Jun 2020 18:38:35 -0400
80bbde
Subject: [PATCH] Clarify AJP connector creation process
80bbde
80bbde
We do two things:
80bbde
80bbde
 1. Fix the xpath for AJP connector verification. An AJP connector is
80bbde
    one which has protocol="AJP/1.3", NOT one that has port="8009". An
80bbde
    AJP connector can exist on any port and port 8009 can have any
80bbde
    protocol. Secrets only make sense on AJP connectors, so make the
80bbde
    xpath match the existing comment.
80bbde
80bbde
 2. Add some background in-line documentation about AJP secret
80bbde
    provisioning. This should help future developers understand why this
80bbde
    was added to IPA and what limitations there are in what PKI or IPA
80bbde
    can do. Most notably, explain why Dogtag can't upgrade the AJP
80bbde
    connector to have a secret in the general case.
80bbde
80bbde
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
80bbde
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
80bbde
---
80bbde
 ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
80bbde
 1 file changed, 17 insertions(+), 3 deletions(-)
80bbde
80bbde
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
80bbde
index 42c9db3fb..aa3baeb7c 100644
80bbde
--- a/ipaserver/install/dogtaginstance.py
80bbde
+++ b/ipaserver/install/dogtaginstance.py
80bbde
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
80bbde
         doc = server_xml.getroot()
80bbde
 
80bbde
         # no AJP connector means no need to update anything
80bbde
-        connectors = doc.xpath('//Connector[@port="8009"]')
80bbde
+        connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
80bbde
         if len(connectors) == 0:
80bbde
             return
80bbde
 
80bbde
-        # AJP connector is set on port 8009. Use non-greedy search to find it
80bbde
+        # AJP protocol is at version 1.3. Assume there is only one as
80bbde
+        # Dogtag only provisions one.
80bbde
         connector = connectors[0]
80bbde
 
80bbde
         # Detect tomcat version and choose the right option name
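Review bot: `connector = connectors[0]` directly under the new `Assume there is only one as Dogtag only provisions one` comment silently leaves any further AJP connector without a secret, so an administrator-added second connector would stay unauthenticated with no trace of why. A one-line guard that logs the count when `len(connectors) > 1` would make that visible without changing the happy path. Note also that the new xpath matches only the literal `AJP/1.3` value; Tomcat also accepts the fully-qualified AJP protocol class names in `protocol`, so such connectors are not seen — acceptable for Dogtag-provisioned config as the comment states, but worth saying in the comment. The enclosing method starts outside this hunk.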
80bbde
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
80bbde
             rewrite = False
80bbde
         else:
80bbde
             if oldattr in connector.attrib:
80bbde
+                # Sufficiently new Dogtag versions (10.9.0-a2) handle the
80bbde
+                # upgrade for us; we need only to ensure that we're not both
80bbde
+                # attempting to upgrade server.xml at the same time.
80bbde
+                # Hopefully this is guaranteed for us.
80bbde
                 self.ajp_secret = connector.attrib[oldattr]
80bbde
                 connector.attrib[secretattr] = self.ajp_secret
80bbde
                 del connector.attrib[oldattr]
80bbde
             else:
80bbde
-                # Generate password, don't use special chars to not break XML
80bbde
+                # Generate password, don't use special chars to not break XML.
80bbde
+                #
80bbde
+                # If we hit this case, pkispawn was run on an older Dogtag
80bbde
+                # version and we're stuck migrating, choosing a password
80bbde
+                # ourselves. Dogtag can't generate one randomly because a
80bbde
+                # Dogtag administrator might've configured AJP and might
80bbde
+                # not be using IPA.
80bbde
+                #
80bbde
+                # Newer Dogtag versions will generate a random password
80bbde
+                # during pkispawn.
80bbde
                 self.ajp_secret = ipautil.ipa_generate_password(special=None)
80bbde
                 connector.attrib[secretattr] = self.ajp_secret
80bbde
 
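Review bot: The added sentence `# Hopefully this is guaranteed for us.` records the one precondition that matters here — that Dogtag is not rewriting server.xml at the same time — as a hope rather than a documented fact. If the guarantee is that pki-tomcatd is stopped while this upgrade step runs, say that in its place, e.g. `# This holds because the instance is stopped while we rewrite server.xml` (to be confirmed against the caller); if it is not guaranteed, the comment should say what a concurrent write would do to the migrated value. The `10.9.0-a2` reference could also name the Dogtag change it relies on so a future reader can tell which versions still take the generate-a-password branch below. The enclosing if/else begins before this hunk.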
80bbde
-- 
80bbde
2.26.2
80bbde
80bbde
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
80bbde
From: Alexander Scheel <ascheel@redhat.com>
80bbde
Date: Wed, 17 Jun 2020 16:00:25 -0400
80bbde
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
80bbde
80bbde
By default, PKI's AJP secret is generated as a 75-bit password. By
80bbde
generating it in IPA, we can guarantee the strength of the AJP secret.
80bbde
It makes sense to use a stronger AJP secret because it typically
80bbde
isn't rotated; access to AJP allows an attacker to impersonate an admin
80bbde
while talking to PKI.
80bbde
80bbde
Fixes: https://pagure.io/freeipa/issue/8372
80bbde
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
80bbde
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
80bbde
Related: https://github.com/dogtagpki/pki/pull/437
80bbde
80bbde
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
80bbde
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
80bbde
---
80bbde
 install/share/ipaca_customize.ini   | 1 +
80bbde
 install/share/ipaca_default.ini     | 2 ++
80bbde
 ipaserver/install/dogtaginstance.py | 4 +++-
80bbde
 3 files changed, 6 insertions(+), 1 deletion(-)
80bbde
80bbde
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
80bbde
index 6d58579af..948734241 100644
80bbde
--- a/install/share/ipaca_customize.ini
80bbde
+++ b/install/share/ipaca_customize.ini
80bbde
@@ -12,6 +12,7 @@
80bbde
 #
80bbde
 # Predefined variables
80bbde
 #  - ipa_ca_subject
80bbde
+#  - ipa_ajp_secret
80bbde
 #  - ipa_fqdn
80bbde
 #  - ipa_subject_base
80bbde
 #  - pki_admin_password
80bbde
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
80bbde
index 2b9900286..a51256116 100644
80bbde
--- a/install/share/ipaca_default.ini
80bbde
+++ b/install/share/ipaca_default.ini
80bbde
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
80bbde
 
80bbde
 ## dynamic values
80bbde
 # ipa_ca_subject=
80bbde
+# ipa_ajp_secret=
80bbde
 # ipa_subject_base=
80bbde
 # ipa_fqdn=
80bbde
 # ipa_ocsp_uri=
80bbde
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
80bbde
 pki_replication_password=
80bbde
 
80bbde
 pki_enable_proxy=True
80bbde
+pki_ajp_secret=%(ipa_ajp_secret)s
80bbde
 pki_restart_configured_instance=False
80bbde
 pki_security_domain_hostname=%(ipa_fqdn)s
80bbde
 pki_security_domain_https_port=443
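Review bot: `pki_ajp_secret=%(ipa_ajp_secret)s` puts a second long-lived secret into the rendered pkispawn configuration alongside `pki_replication_password`, so whatever handling the rendered file already gets (restrictive ownership, removal after pkispawn, exclusion from logs) now covers the AJP secret too — this hunk cannot show that handling, so it is worth confirming where the file is written. Because the value is substituted through configparser interpolation, the generated secret must not contain `%`; the Python-side generator is presumably restricted to a safe alphabet, but a one-line comment here, e.g. `# ipa_ajp_secret is generated by PKIIniLoader; must stay free of '%' for interpolation`, would record that constraint next to the consumer.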
80bbde
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
80bbde
index aa3baeb7c..361d80a8c 100644
80bbde
--- a/ipaserver/install/dogtaginstance.py
80bbde
+++ b/ipaserver/install/dogtaginstance.py
80bbde
@@ -840,7 +840,9 @@ class PKIIniLoader:
80bbde
             pki_subsystem_type=subsystem.lower(),
80bbde
             home_dir=os.path.expanduser("~"),
80bbde
             # for softhsm2 testing
80bbde
-            softhsm2_so=paths.LIBSOFTHSM2_SO
80bbde
+            softhsm2_so=paths.LIBSOFTHSM2_SO,
80bbde
+            # Configure a more secure AJP password by default
80bbde
+            ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
80bbde
         )
80bbde
 
80bbde
     @classmethod
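Review bot: The commit message promises a 256-bit secret, but `ipa_ajp_secret=ipautil.ipa_generate_password(special=None)` relies on the helper's default length, which this hunk does not show; if the helper accepts a length argument, pass it explicitly (ideally as a named constant) so the strength is pinned at the call site rather than inherited from a default that may change. The comment `# Configure a more secure AJP password by default` could also state the contract, e.g. `# AJP secret handed to pkispawn via ipaca_default.ini; generated here so IPA controls its strength and keeps it free of '%' (configparser interpolation) and XML-special characters`. Since the value is interpolated by configparser and written into server.xml, `special=None` presumably excludes `%` and the XML-special characters, but that is inferred from the first patch's comment rather than visible here. The enclosing method starts before this hunk.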
80bbde
-- 
80bbde
2.26.2
80bbde