From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 15 Jun 2020 18:38:35 -0400
Subject: [PATCH] Clarify AJP connector creation process

We do two things:

 1. Fix the xpath for AJP connector verification. An AJP connector is
    one which has protocol="AJP/1.3", NOT one that has port="8009". An
    AJP connector can exist on any port and port 8009 can have any
    protocol. Secrets only make sense on AJP connectors, so make the
    xpath match the existing comment.

 2. Add some background in-line documentation about AJP secret
    provisioning. This should help future developers understand why this
    was added to IPA and what limitations there are in what PKI or IPA
    can do. Most notably, explain why Dogtag can't upgrade the AJP
    connector to have a secret in the general case.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 42c9db3fb..aa3baeb7c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
         doc = server_xml.getroot()
 
         # no AJP connector means no need to update anything
-        connectors = doc.xpath('//Connector[@port="8009"]')
+        connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
         if len(connectors) == 0:
             return
 
-        # AJP connector is set on port 8009. Use non-greedy search to find it
+        # AJP protocol is at version 1.3. Assume there is only one as
+        # Dogtag only provisions one.
         connector = connectors[0]
 
         # Detect tomcat version and choose the right option name
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
             rewrite = False
         else:
             if oldattr in connector.attrib:
+                # Sufficiently new Dogtag versions (10.9.0-a2) handle the
+                # upgrade for us; we need only to ensure that we're not both
+                # attempting to upgrade server.xml at the same time.
+                # Hopefully this is guaranteed for us.
                 self.ajp_secret = connector.attrib[oldattr]
                 connector.attrib[secretattr] = self.ajp_secret
                 del connector.attrib[oldattr]
             else:
-                # Generate password, don't use special chars to not break XML
+                # Generate password, don't use special chars to not break XML.
+                #
+                # If we hit this case, pkispawn was run on an older Dogtag
+                # version and we're stuck migrating, choosing a password
+                # ourselves. Dogtag can't generate one randomly because a
+                # Dogtag administrator might've configured AJP and might
+                # not be using IPA.
+                #
+                # Newer Dogtag versions will generate a random password
+                # during pkispawn.
                 self.ajp_secret = ipautil.ipa_generate_password(special=None)
                 connector.attrib[secretattr] = self.ajp_secret
 
-- 
2.26.2

From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 17 Jun 2020 16:00:25 -0400
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/share/ipaca_customize.ini   | 1 +
 install/share/ipaca_default.ini     | 2 ++
 ipaserver/install/dogtaginstance.py | 4 +++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 6d58579af..948734241 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -12,6 +12,7 @@
 #
 # Predefined variables
 #  - ipa_ca_subject
+#  - ipa_ajp_secret
 #  - ipa_fqdn
 #  - ipa_subject_base
 #  - pki_admin_password
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 2b9900286..a51256116 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
 
 ## dynamic values
 # ipa_ca_subject=
+# ipa_ajp_secret=
 # ipa_subject_base=
 # ipa_fqdn=
 # ipa_ocsp_uri=
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
 pki_replication_password=
 
 pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
 pki_restart_configured_instance=False
 pki_security_domain_hostname=%(ipa_fqdn)s
 pki_security_domain_https_port=443
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index aa3baeb7c..361d80a8c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -840,7 +840,9 @@ class PKIIniLoader:
             pki_subsystem_type=subsystem.lower(),
             home_dir=os.path.expanduser("~"),
             # for softhsm2 testing
-            softhsm2_so=paths.LIBSOFTHSM2_SO
+            softhsm2_so=paths.LIBSOFTHSM2_SO,
+            # Configure a more secure AJP password by default
+            ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
         )
 
     @classmethod
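Review bot: The comment `# Configure a more secure AJP password by default` does not record why `special=None` is required: the value is embedded as an XML attribute in server.xml and, through `pki_ajp_secret=%(ipa_ajp_secret)s` added in the ipaca_default.ini hunk, appears to pass through ConfigParser `%(...)s` interpolation, so a `%` or XML-significant character in the secret would break provisioning. Suggest `# special=None: the secret lands in an XML attribute and goes through %(...)s ini interpolation; keep it alphanumeric`. The 256-bit strength stated in the commit message rests on ipa_generate_password's default length, which is not visible in this hunk and is worth naming explicitly (e.g. passing the entropy size) so a later change to the helper's default does not silently weaken it. The enclosing method starts before this hunk.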
-- 
2.26.2