On 11/22/2011 03:35 PM, Steven Jones wrote:
> Now the ipa-client-install script is on 443 and I have no firewall engineer
> today....and maybe not until Monday....

Feel free to add more to it.
https://bugzilla.redhat.com/show_bug.cgi?id=756163

> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Steven Jones [[email protected]]
> Sent: Wednesday, 23 November 2011 9:24 a.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] Improvement to documentation needed for
> firewalling pls.
>
> Hi,
>
> I don't find out until I run the script.....it's a bit late. I then have to
> raise more change controls and wait. Also for any application deployment I
> have to do a [security] design and say what is opened, why and if any
> sensitive data is transmitted, so I really need this info before I touch a
> server at all. For instance a user id and password is classed as sensitive,
> so it has to be encrypted.....by some acceptable standard method and it has
> to be adequately encrypted.... So the security portion of the design can
> take weeks to get signed off.....if I've missed anything serious I may have
> to re-write and submit.. We end up doing this frequently.....sometimes we
> even reject a vendor's product because we find it has a fundamental security
> flaw....like it's transmitting plain text passwords or even storing/caching
> them locally in plain text....not that uncommon....
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Dmitri Pal [[email protected]]
> Sent: Wednesday, 23 November 2011 9:04 a.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] Improvement to documentation needed for
> firewalling pls.
>
> On 11/22/2011 02:58 PM, Steven Jones wrote:
>> Hi,
>>
>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>
>> For instance I am now in a very secure environment and find when I do an
>> ipa-client-install the client connects to port 80 and retrieves a
>> ca.crt........now I have to wait 3 days to get port 80 opened up...to the
>> IPA server(s).
>>
>> If I had better docs then I can make the request beforehand....
>>
>> This of course is the first failure.....if say I find that the
>> ipa-client-install script uses 443 next I will have to wait another 3
>> days......if I find there are 4 undocumented port calls to get a client
>> install to work......well it's a week to 2 weeks wait....
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> When you install IPA the output of the installation lists all the ports
> that you need to open and for what service: DNS, Kerberos, LDAP etc.
> Is this not enough? What level of detail are you looking for?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
