Bug 1460599

Summary: please obtain the Katello CA securely
Product: Red Hat Satellite Reporter: Evgeni Golov <egolov>
Component: Docs API GuideAssignee: Sergei Petrosian <spetrosi>
Status: CLOSED CURRENTRELEASE QA Contact: Russell Dickenson <rdickens>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.10CC: adahms, egolov
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-16 09:58:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Evgeni Golov 2017-06-12 07:16:59 UTC 
Document URL:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/api_guide/authenticating_api_calls#Authenticating_API_Calls-Using_SSL_Authentication

Section Number and Name: 
3.1. Using SSL Authentication

Describe the issue:
The section currently suggests to fetch katello-server-ca.crt from the Satellite using an unencrypted and unsecured HTTP connection. Doing so permits an attacker to serve whatever CA certificate they want and then hijack the encrypted sessions too.

Suggestions for improvement: 
Given this is a chicken-and-egg problem, I would suggest obtaining the CA certificate via SSH instead. Or if the curl commands are executed directly on the Satellite, use the locally available copy (/var/www/html/pub/katello-server-ca.crt aka /etc/pki/katello/certs/katello-server-ca.crt).

Fetching the cert via HTTP should be the last resort and marked with a security warning.

Additional information: 
Why are we fetching the cert using wget, and then using curl though the rest of the guide? curl can fetch stuff fine too (curl -O) :)
Comment 1 Andrew Dahms 2017-06-12 08:31:51 UTC 
Assigning to Sergei for review.

Sergei - it looks like we'll need to do three things here:

1. Add an example of how to retrieve the certificate using SSH (scp <user>@<
   address>:/var/www/html/pub/katello-server-ca.crt <destination>

2. Add an example of how to retrieve the certificate using curl, and 
   mentioning that this method is ok when run directly on the Satellite Server

3. Add a 'Warning' admonition to the example of using 'wget' to outline the 
   issue about security.

The first step in the procedure should therefore be a single step with three step alternatives ('To download the certificate using SSH:', etc.)

Let me know if you have any questions!
Comment 18 Sergei Petrosian 2017-06-16 09:58:09 UTC 
These changes are now live on the Custom Portal.

Thank you