Smartcard_authentication_ipa-advise_recipes#
Overview#
Smartcard authentication (both PKINIT and login to the WebUI) requires additional settings to work properly. These settings are not entirely straightforward and, above all, have to be applied on every FreeIPA server. Since FreeIPA has no way to change settings on all servers remotely, we need to generate a script that is then run on each server. For this purpose ipa has the ipa-advise command, which can generate such scripts.
Use Cases#
As an administrator I want to be able to configure smartcard certificate authentication to the FreeIPA WebUI and KDC with minimal manual intervention, ideally via a provided command-line tool.
As an administrator I want to configure OCSP client certificate checking in a robust way that checks whether my environment will support querying the IPA CA-supplied OCSP responder.
As an administrator I want to be able to enable the PKINIT feature after install/upgrade with minimal effort.
As an administrator I expect these tools to be easily reusable in configuration management platforms such as Chef and Ansible.
Design#
Each use case is solved by running a dedicated recipe, generated by querying the corresponding topic of the ipa-advise command. Each script should check whether the environment supports the desired configuration (e.g. that all DNS records, especially ipa-ca, are resolvable) and should be idempotent so that it can safely be used in an Ansible playbook. It should also print a message that the step succeeded, or the steps needed to fix the problem. If a script fails, it has to be rerun after the described issue has been fixed.
Smartcard Login activation#
The main purpose of this script is to obtain the hostnames of all masters in the topology and, for each of them, run ipa service-mod HTTP/<hostname> --ok-as-delegate=True. Because the script uses the ipa CLI, it must be run by an authenticated user; whether a valid ticket exists is therefore the first check (step) of the script.
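An added example of that activation script, written for this page rather than taken from ipa-advise output. It assumes (hypothetically; check against your FreeIPA version) that ipa server-find --pkey-only prints one "Server name: <fqdn>" line per master ("cn: <fqdn>" with --raw) and that ipa service-show --raw HTTP/<fqdn> prints "ipakrbokasdelegate: TRUE" once the flag is set. The output parsing is kept in its own function so it can be checked against captured output without a server; the script only changes anything when run with APPLY=1.

```shell
#!/bin/bash
# Added example for this page, not the script ipa-advise emits.
# Assumed (hypothetical, verify on your version):
#   - `ipa server-find --pkey-only` prints "Server name: <fqdn>" per master
#     ("cn: <fqdn>" with --raw);
#   - `ipa service-show --raw HTTP/<fqdn>` prints "ipakrbokasdelegate: TRUE"
#     once OK_AS_DELEGATE is set.
set -u

# Step 0: the recipe talks to the IPA API, so a valid ticket is required.
require_ticket() {
    if klist -s 2>/dev/null; then
        return 0
    fi
    echo "ERROR: no valid Kerberos ticket; run 'kinit admin' and rerun this script" >&2
    return 1
}

# Turn ipa server-find output into one hostname per line.
# Pure text processing, so it can be tested on captured output.
parse_server_names() {
    awk -F': ' '/^[[:space:]]*(Server name|cn): / {print $2}' "$@"
}

# Idempotency check: true when HTTP/<host> already has OK_AS_DELEGATE.
has_ok_as_delegate() {
    ipa service-show --raw "HTTP/$1" 2>/dev/null \
        | grep -qi '^[[:space:]]*ipakrbokasdelegate: TRUE'
}

# Set the flag on every master's HTTP service, skipping ones already done.
enable_delegation_on_all_masters() {
    local host
    ipa server-find --pkey-only | parse_server_names | while read -r host; do
        if has_ok_as_delegate "$host"; then
            echo "HTTP/$host: OK_AS_DELEGATE already set, skipping"
            continue
        fi
        if ipa service-mod "HTTP/$host" --ok-as-delegate=True >/dev/null; then
            echo "HTTP/$host: OK_AS_DELEGATE set"
        else
            echo "ERROR: could not modify HTTP/$host; fix the error above and rerun" >&2
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
    done
}

# Only touch the deployment when explicitly asked to.
if [ "${APPLY:-0}" = "1" ]; then
    require_ticket && enable_delegation_on_all_masters
fi
```

Run it as APPLY=1 ./enable_delegation.sh after kinit; a failed service-mod stops the loop with a non-zero status, and rerunning after the fix skips the masters already done.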
OCSP#
The script for turning on OCSP has to make sure that ipa-ca.domain.com is resolvable, because otherwise issuing certificates (in CA-full installations) and installing replicas (in all installations) will be broken. If the ipa-ca records prove unresolvable, the script emits an error and provides the list of records for the user to add to their DNS infrastructure. Once DNS works correctly, the script continues with the subsequent steps.
Steps:
1. Check whether ipa-ca.domain.com is resolvable. If so, continue with the next steps; if not, generate the DNS records that need to be added to the DNS system.
2. Set the trust flags of the server certificate (usually called Server-Cert) in the /etc/httpd/alias NSS DB to "P,,". The "P" flag in the SSL slot marks the certificate as a trusted peer, i.e. it is trusted even if its issuer is unknown.
3. Set the NSSOCSP directive to on in the VirtualHost section of /etc/httpd/conf.d/nss.conf. Augeas can be used for this step, as it has a lens for httpd configuration files.
4. Write the OCSP configuration status to the sysupgrade state file, so that subsequent upgrades of the FreeIPA deployment do not break the configuration the admin requested.
The reversal script for turning OCSP off performs the steps above in reverse order; only step 1 (the DNS check) is skipped.
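The OCSP steps and their reversal as an added shell recipe, written for this page and not the script ipa-advise generates. The ipa-ca name, the nss.conf path, the NSS DB path and the certificate nickname are parameters with assumed defaults; the config edit uses sed instead of the Augeas lens suggested above, and recording the state in the sysupgrade file is left out because this page does not give the section or key used there. The text-editing function is safe to rerun, which is the idempotency property the design asks for.

```shell
#!/bin/bash
# Added example for this page, not the ipa-advise recipe itself.
# Defaults below are assumptions; override them via the environment.
set -u

IPA_CA_HOST="${IPA_CA_HOST:-ipa-ca.example.com}"
NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
NSS_DB="${NSS_DB:-/etc/httpd/alias}"
CERT_NICK="${CERT_NICK:-Server-Cert}"

# Step 1: stop unless ipa-ca resolves; print the records the admin must add.
check_ipa_ca_dns() {
    local host="$1"; shift
    if getent ahosts "$host" >/dev/null 2>&1; then
        echo "$host resolves"
        return 0
    fi
    echo "ERROR: $host does not resolve. Add an A record for it per CA master:" >&2
    for master in "$@"; do
        printf '    %s. IN A <address of %s>\n' "$host" "$master" >&2
    done
    return 1
}

# Current trust flags of a nickname in the NSS DB (empty if not present).
cert_trust_flags() {
    certutil -L -d "$1" 2>/dev/null | awk -v n="$2" '$1 == n {print $NF}'
}

# Step 2: set trust flags, skipping the certutil call when already correct.
set_trust_flags() {
    local db="$1" nick="$2" want="$3"
    if [ "$(cert_trust_flags "$db" "$nick")" = "$want" ]; then
        echo "$nick already has trust flags $want"
        return 0
    fi
    certutil -M -d "$db" -n "$nick" -t "$want"
}

# Step 3: set NSSOCSP on|off inside <VirtualHost>. Rerunning is a no-op.
set_nssocsp() {
    local conf="$1" state="$2"
    if grep -Eq "^[[:space:]]*NSSOCSP[[:space:]]+${state}[[:space:]]*\$" "$conf"; then
        echo "NSSOCSP already $state in $conf"
        return 0
    fi
    if grep -Eq '^[[:space:]]*NSSOCSP[[:space:]]' "$conf"; then
        # directive present with the other value: flip it in place
        sed -i -E "s/^([[:space:]]*NSSOCSP)[[:space:]]+[A-Za-z]+/\1 $state/" "$conf"
    else
        # no directive yet: add one right after the VirtualHost opening tag
        sed -i -E "/^[[:space:]]*<VirtualHost/a NSSOCSP $state" "$conf"
    fi
}

enable_ocsp() {
    check_ipa_ca_dns "$IPA_CA_HOST" "$@" || return 1
    set_trust_flags "$NSS_DB" "$CERT_NICK" "P,," || return 1
    set_nssocsp "$NSS_CONF" on || return 1
    echo "OCSP enabled; restart httpd to apply"
}

# Reversal: same steps backwards, DNS check skipped. ",," clears the peer
# flag; certutil keeps showing "u" for a cert that has a private key.
disable_ocsp() {
    set_nssocsp "$NSS_CONF" off || return 1
    set_trust_flags "$NSS_DB" "$CERT_NICK" ",," || return 1
    echo "OCSP disabled; restart httpd to apply"
}

case "${1:-}" in
    enable)  shift; enable_ocsp "$@" ;;   # remaining args: CA master FQDNs
    disable) disable_ocsp ;;
esac
```

Usage: ./ocsp.sh enable master1.example.com master2.example.com, or ./ocsp.sh disable. The DNS failure path prints one placeholder A record per CA master given on the command line and returns 1, so the rest of the recipe does not run until the records exist.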
PKINIT#
The script checks the PKINIT status on the master (e.g. by running ipa pkinit-status --server FQDN) and, if PKINIT is not configured, uses the IPA CA to issue a PKINIT key pair for the KDC.
Implementation#
TBD
Feature Management#
After calling ipa-advise with the specified topic, the output can be redirected into a shell script that, when run, configures the desired functionality on the master.
UI
No UI required.
CLI
ipa-advise has new topics:
enable_client_certificate_logins_on_server#
Checks the status of PKINIT, OCSP and the HTTP principal flags on the master, then configures the individual components required to enable smart card authentication against the IPA master.
| Command | Topic |
|---|---|
| ipa-advise | enable_client_certificate_logins_on_server |
enable_client_certificate_logins_on_clients#
This recipe configures the client side of smart card authentication (PAM, GDM, the Kerberos client library, etc.).
| Command | Topic |
|---|---|
| ipa-advise | enable_client_certificate_logins_on_clients |
Configuration#
No configuration required.
Upgrade#
In the case of the OCSP configuration, the script must store the state of the feature in the upgrade state file so that subsequent updates do not revert the existing configuration.
How to Use#
Example 1: configure smart card auth on master.example.com:
# kinit admin
# ipa-advise enable_client_certificate_logins_on_server > configure_smart_cards.sh
trying https://master1.ipa.test/ipa/session/json
...
# chmod +x configure_smart_cards.sh && ./configure_smart_cards.sh
...
Test Plan#
It should be straightforward to incorporate the new functionality into the existing smart card login test scenarios, since many of the implemented enhancements can replace the manual setup steps those tests currently require.