|Summary:||[RFE] Satellite 6: x509 Support for Satellite 6|
|Product:||Red Hat Satellite 6||Reporter:||Jamie Duncan <jduncan>|
|Component:||Users & Roles||Assignee:||satellite6-bugs <satellite6-bugs>|
|Status:||NEW ---||QA Contact:||Radovan Drazny <rdrazny>|
|Version:||Unspecified||CC:||aeladawy, bkearney, cylopez, degts, dpal, dsirrine, ifloodmu, jpazdziora, mark.parsons.ctr, mhulan, mmccune, momran, nkinder, pmutha, rajukuma, satellite6-bugs, sthirugn|
|Target Milestone:||Unspecified||Keywords:||FieldEngineering, FutureFeature|
|Fixed In Version:||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1202724, 1241089|
Description Jamie Duncan 2014-08-07 14:40:52 UTC
1. Proposed title of this feature request x509 / DoD CAC Card Authentication for Satellite 5/6 2. Who is the customer behind the request? Account: name (acct #) 932836 TAM customer: yes SRM customer: yes Strategic: yes 3. What is the nature and description of the request? Many customers using PIV (like DoD CAC) have requested the ability to use the certificate on their cards as an authentication mechanism. 4. Why does the customer need this? (List the business requirements here) More secure authentication 5. How would the customer like to achieve this? (List the functional requirements here) Use their DoD CAC card to authenticate to Satellite 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. Use a test card in the lab to confirm full functionality. 7. Is there already an existing RFE upstream or in Red Hat Bugzilla? None found. 8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)? Satellite 5 and 6. 9. Is the sales team involved in this request and do they have any additional input? yes 10. List any affected packages or components. RHSS 11. Would the customer be able to assist in testing this functionality if implemented? yes
Comment 1 RHEL Product and Program Management 2014-08-07 14:44:23 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Comment 25 Jan Pazdziora 2015-03-17 10:21:20 UTC
Adding the sssd bug 1202724 where lookup of user identities in IdM based on CAC is discussed as a blocker.
Comment 26 Jan Pazdziora 2015-03-17 10:31:07 UTC
Also, the mod_lookup_identity part is currently tracked in upstream ticket https://fedorahosted.org/webauthinfra/ticket/5.
Comment 27 Jan Pazdziora 2015-07-08 12:24:18 UTC
(In reply to Jan Pazdziora from comment #26) > Also, the mod_lookup_identity part is currently tracked in upstream ticket > https://fedorahosted.org/webauthinfra/ticket/5. Downstream bug 1241089.
Comment 31 Bryan Kearney 2016-07-08 20:20:32 UTC
Per 6.3 planning, moving out non acked bugs to the backlog
Comment 37 Jan Pazdziora 2017-04-06 08:48:26 UTC
For the record: mod_lookup_identity-0.9.5-1.el7 which is in RHEL 7.3 has support for user lookup via SSSD when the certificate used for authentication is attached to user record in IdM. The configuration of Apache HTTP Server would then be along the lines SSLVerifyClient require SSLUserName SSL_CLIENT_CERT LookupUserByCertificate On
Comment 38 Marek Hulan 2017-08-02 19:43:39 UTC
The x509 certificates support was added to hammer in 0.10.0 - http://projects.theforeman.org/issues/12401, Tomas could you please provide setup instructions or link to docs? Then we could check whether it could be used also with cards.
Comment 39 Tomas Strachota 2017-08-04 13:13:31 UTC
The relevant setting is documented in hammer's config template: https://github.com/theforeman/hammer-cli/blob/master/config/cli_config.template.yml#L35 I'm adding some more details about the config values here: https://github.com/theforeman/hammer-cli/pull/248/files Hammer itself should be ready for usage with certificates/cards when you configure :ssl_client_cert: and :ssl_client_key:. At the same time :ssl_with_basic_auth: should be set to false to disable basic authentication. There's additional setup of mod_ssl that needs to be done in apache to enable certificate authentication for the API. SSLUserName must be set to SSL_CLIENT_S_DN_CN for the API locations, which can be both <SAT_URL>/api and <SAT_URL>/<PLUGIN_NAME>/api Following setting would probably do the trick (I didn't test it): <LocationMatch "^(?<plugin>/[^/]*)?/api"> SSLUserName SSL_CLIENT_S_DN_CN </LocationMatch> Alternatively we could probably set SSLUserName for the whole virtual host and switch SSLVerifyClient to optional so that certs are verified only when they're sent: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient Unfortunately installer doesn't support any of the mentioned alternatives yet and it needs to be configured manually.