#8372 FreeIPA - Utilize 256-bit AJP connector passwords
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by cipherboy.

Request for enhancement

As an admin, I wish all passwords utilized in an IPA environment to be at least 128 or 256 bits. Importantly, this should include the AJP connector secret shared by Tomcat and httpd.

Issue

Currently, when Dogtag PKI 10.9 generates an AJP secret (during the initial pkispawn), we generate a ~75 bit password. Because this is static and not rotated, it probably makes sense to use a more secure AJP connector password. PKI has exposed the pki_ajp_secret configuration value that allows IPA to generate and specify their preferred password.

Steps to Reproduce

  1. Grab Dogtag 10.9.
  2. Install a fresh IPA server.
  3. Realize that the password is 12 alpha-numeric-with-punctuation characters.

Actual behavior

75 bit password.

Expected behavior

256-bit password.

Version/Release/Distribution

All branches prior to https://github.com/freeipa/freeipa/pull/4819

Additional info:

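A worked illustration of the two numbers in this report, added here as example code (not code from FreeIPA, Dogtag, or the linked PR): it estimates the entropy of a 12-character alphanumeric-plus-punctuation secret, generates a 256-bit secret from the OS CSPRNG, checks a candidate secret against a minimum, and renders the result as a pkispawn override for pki_ajp_secret. The helper names, the sample 12-character secret, and the choice of the [CA] section for the override are assumptions; the actual section pkispawn expects and FreeIPA's own generator may differ.

```python
import configparser
import io
import math
import secrets
import string

# Character classes used to bound how much entropy a literal secret string
# can carry: a generator drawing uniformly from the union of the classes
# present gets at most len(secret) * log2(alphabet size) bits.
_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
_HEX_LOWER = set("0123456789abcdef")
_HEX_UPPER = set("0123456789ABCDEF")


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def estimate_entropy_bits(secret: str) -> float:
    """Upper bound on the entropy of `secret`.

    Hex strings are scored at 4 bits per character; anything else is scored
    against the union of the character classes that appear in it.
    """
    if not secret:
        return 0.0
    chars = set(secret)
    if chars <= _HEX_LOWER or chars <= _HEX_UPPER:
        return password_entropy_bits(len(secret), 16)
    alphabet = sum(len(cls) for cls in _CLASSES if chars & set(cls))
    if alphabet == 0:
        return 0.0
    return password_entropy_bits(len(secret), alphabet)


def generate_ajp_secret(entropy_bits: int = 256) -> str:
    """Generate an AJP secret with at least `entropy_bits` bits of entropy.

    secrets.token_hex reads the OS CSPRNG; hex output avoids characters that
    would need quoting in Tomcat's server.xml or httpd's proxy configuration.
    """
    nbytes = (entropy_bits + 7) // 8
    return secrets.token_hex(nbytes)


def check_ajp_secret(secret: str, min_bits: int = 128) -> bool:
    """True if `secret` can carry at least `min_bits` bits (the ticket's floor)."""
    return estimate_entropy_bits(secret) >= min_bits


def render_pkispawn_override(secret: str, section: str = "CA") -> str:
    """Render a pkispawn config fragment that pins pki_ajp_secret.

    The section name is an assumption of this example; pkispawn accepts
    per-subsystem overrides and FreeIPA writes its own deployment config.
    """
    cfg = configparser.RawConfigParser()
    cfg.add_section(section)
    cfg.set(section, "pki_ajp_secret", secret)
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


# Constructed sample: a 12-character secret of the shape the ticket describes
# (upper, lower, digit and punctuation), not a real Dogtag-generated value.
SAMPLE_WEAK_SECRET = "Xk3$pQ9!mZ2#"

if __name__ == "__main__":
    print("12-char sample: %.1f bits" % estimate_entropy_bits(SAMPLE_WEAK_SECRET))
    strong = generate_ajp_secret(256)
    print("generated     : %.1f bits" % estimate_entropy_bits(strong))
    print(render_pkispawn_override(strong))
```

The 12-character sample scores just under 79 bits even when every character class is assumed present, which is why the ticket's ~75-bit figure is well short of the 128-bit floor it asks for; the 64-character hex secret scores exactly 256 bits. A check like check_ajp_secret is also what a deployment test would run against the value that ends up in server.xml, since the secret is static and never rotated.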

Metadata Update from @cheimes:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1849914

3 years ago

master:

  • c5e9bd6 Clarify AJP connector creation process
  • 3ecea78 Configure PKI AJP Secret with 256-bit secret

ipa-4-8:

  • be48983 Clarify AJP connector creation process
  • 1e804bf Configure PKI AJP Secret with 256-bit secret

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
