Bug 1323437
Summary: | Satellite 6 web interface trying to use smartcard authentication | ||
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | dgupte |
Component: | Authentication | Assignee: | Marek Hulan <mhulan> |
Status: | CLOSED WONTFIX | QA Contact: | Katello QA List <katello-qa-list> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.1.8 | CC: | bkearney, cylopez, dgupte, dhlavacd, jpazdziora, mhulan, rajukuma, slukasik, walden |
Target Milestone: | Unspecified | Keywords: | Triaged |
Target Release: | Unused | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-09-04 18:06:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
dgupte
2016-04-03 03:35:43 UTC
Moving 6.2 bugs out to sat-backlog. Could you please let us know, how the satellite was installed? Was it configured to allow external authentication using IDM as described at https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/sect-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication-Using_Identity_Management.html ? Or is the LDAP authentication, which was mentioned in the report, configured via External Auth source as described in https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/chap-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication.html#sect-Red_Hat_Satellite-User_Guide-Using_LDAP ? Additionaly please check with the customer whether they modified any file under /etc/httpd manually and ask them to send all files from there in a tarball. Also please ask them what is the value of security.default_personal_cert in about:config in their Firefox. It might also help if they append their smart card vendor CA to /etc/pki/katello/certs/katello-default-ca.crt, after restarting the Apache, we could trust client certificate but it wouldn't be used for authentication. If they experiment with this, make sure they make a backup before they start. More background: By default we set SSLVerifyClient to optional so it can be used on some URLs where we authenticate capsules using x509 certificates. For some reason, the certificate from smart card is used by the client and the authentication fails because Apache is not configured to trust the issuer. Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you. |