Bug 1473272
| Field | Value |
|---|---|
| Summary | Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Oneata Mircea Teodor <toneata> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Scott Poore <spoore> |
| Severity | unspecified |
| Priority | high |
| Version | 7.4 |
| CC | enewland, ipa-maint, ksiddiqu, lmiksik, mbabinsk, mbasti, mkosek, ovasik, pvoborni, rcritten, salmy, spoore, toneata, tscherf |
| Target Milestone | rc |
| Keywords | FutureFeature, ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.5.0-21.el7.1 |
| Doc Type | Enhancement |
| Doc Text | Previously, the ipa-advise "config-server-for-smart-card-auth" and "ipa-advise config-client-for-smart-card-auth" commands did not fully configure the IdM server and client for smart card authentication. As a consequence, after running the script that the ipa-advise tool generated, smart card authentication failed. With this update, the tools' support for smart card authentication has been improved, and the described problem no longer occurs. |
| Story Points | --- |
| Clone Of | 1455946 |
| Last Closed | 2017-09-05 11:23:13 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1455946 |
Description
Oneata Mircea Teodor
2017-07-20 11:37:09 UTC
Patches are listed in parent bug.

Martin, pcscd does not appear to be running on the client after running the client script. I have to restart it in order to make it work on my local VM. Could this be a side effect of either something that runs after the systemctl start?

Here's what I saw:

```
[root@client ~]# ./client_setup.sh /etc/ipa/jitc-root-ca-3.crt /etc/ipa/jitc-ca-41.crt
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
08/01/2017 12:56:00  08/02/2017 12:55:58  krbtgt/TESTRELM.TEST
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package dconf.x86_64 0:0.26.0-2.el7 will be installed
---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
--> Processing Dependency: pcsc-lite for package: opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
--> Processing Dependency: pcsc-lite-libs(x86-64) for package: opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
--> Running transaction check
---> Package pcsc-lite.x86_64 0:1.8.8-6.el7 will be installed
--> Processing Dependency: pcsc-ifd-handler for package: pcsc-lite-1.8.8-6.el7.x86_64
---> Package pcsc-lite-libs.x86_64 0:1.8.8-6.el7 will be installed
--> Running transaction check
---> Package pcsc-lite-ccid.x86_64 0:1.4.10-12.el7 will be installed
--> Processing Dependency: libusb-1.0.so.0()(64bit) for package: pcsc-lite-ccid-1.4.10-12.el7.x86_64
--> Running transaction check
---> Package libusbx.x86_64 0:1.0.20-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package            Arch      Version                              Repository               Size
=======================================================================================================
Installing:
 dconf              x86_64    0.26.0-2.el7                         rhel-7.4-z-candidate    106 k
 opensc             x86_64    0.16.0-5.20170227git777e2a3.el7      rhel-7.4-z-candidate    1.0 M
Installing for dependencies:
 libusbx            x86_64    1.0.20-1.el7                         rhel-7.4-z-candidate     60 k
 pcsc-lite          x86_64    1.8.8-6.el7                          rhel-7.4-z-candidate    189 k
 pcsc-lite-ccid     x86_64    1.4.10-12.el7                        rhel-7.4-z-candidate    156 k
 pcsc-lite-libs     x86_64    1.8.8-6.el7                          rhel-7.4-z-candidate     33 k

Transaction Summary
=======================================================================================================
Install  2 Packages (+4 Dependent packages)

Total download size: 1.6 M
Installed size: 4.7 M
Downloading packages:
dconf-0.26.0-2.el7.x86_64.rpm                                   | 106 kB  00:00:00
libusbx-1.0.20-1.el7.x86_64.rpm                                 |  60 kB  00:00:00
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64.rpm               | 1.0 MB  00:00:01
pcsc-lite-1.8.8-6.el7.x86_64.rpm                                | 189 kB  00:00:00
pcsc-lite-ccid-1.4.10-12.el7.x86_64.rpm                         | 156 kB  00:00:00
pcsc-lite-libs-1.8.8-6.el7.x86_64.rpm                           |  33 kB  00:00:00
-------------------------------------------------------------------------------------------------------
Total                                                  323 kB/s | 1.6 MB  00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pcsc-lite-libs-1.8.8-6.el7.x86_64                1/6
  Installing : libusbx-1.0.20-1.el7.x86_64                      2/6
  Installing : pcsc-lite-1.8.8-6.el7.x86_64                     3/6
  Installing : pcsc-lite-ccid-1.4.10-12.el7.x86_64              4/6
  Installing : opensc-0.16.0-5.20170227git777e2a3.el7.x86_64    5/6
  Installing : dconf-0.26.0-2.el7.x86_64                        6/6
  Verifying  : dconf-0.26.0-2.el7.x86_64                        1/6
  Verifying  : pcsc-lite-ccid-1.4.10-12.el7.x86_64              2/6
  Verifying  : libusbx-1.0.20-1.el7.x86_64                      3/6
  Verifying  : pcsc-lite-1.8.8-6.el7.x86_64                     4/6
  Verifying  : opensc-0.16.0-5.20170227git777e2a3.el7.x86_64    5/6
  Verifying  : pcsc-lite-libs-1.8.8-6.el7.x86_64                6/6

Installed:
  dconf.x86_64 0:0.26.0-2.el7    opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7

Dependency Installed:
  libusbx.x86_64 0:1.0.20-1.el7      pcsc-lite.x86_64 0:1.8.8-6.el7
  pcsc-lite-ccid.x86_64 0:1.4.10-12.el7    pcsc-lite-libs.x86_64 0:1.8.8-6.el7

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package krb5-pkinit.x86_64 0:1.15.1-8.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package            Arch      Version                 Repository                Size
=======================================================================================================
Installing:
 krb5-pkinit        x86_64    1.15.1-8.el7            rhel-7.4-z-candidate     159 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 159 k
Installed size: 124 k
Downloading packages:
krb5-pkinit-1.15.1-8.el7.x86_64.rpm                             | 159 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : krb5-pkinit-1.15.1-8.el7.x86_64                  1/1
  Verifying  : krb5-pkinit-1.15.1-8.el7.x86_64                  1/1

Installed:
  krb5-pkinit.x86_64 0:1.15.1-8.el7

Complete!

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "OpenSC" added to database.
trying https://master.testrelm.test/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@client ~]# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
   Active: inactive (dead) since Tue 2017-08-01 13:01:53 CDT; 58s ago
  Process: 22207 ExecStart=/usr/sbin/pcscd --foreground --auto-exit (code=exited, status=0/SUCCESS)
 Main PID: 22207 (code=exited, status=0/SUCCESS)

Aug 01 13:00:24 client.testrelm.test systemd[1]: Started PC/SC Smart Card Daemon.
Aug 01 13:00:24 client.testrelm.test systemd[1]: Starting PC/SC Smart Card Daemon...
Aug 01 13:00:24 client.testrelm.test pcscd[22207]: 00000000 utils.c:53:GetDaemonPid() Can't open ...ory
Hint: Some lines were ellipsized, use -l to show in full.
```

After manually starting it, I see:

```
[root@client ~]# systemctl status pcscd -l
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
   Active: active (running) since Tue 2017-08-01 13:17:29 CDT; 31s ago
 Main PID: 22395 (pcscd)
   CGroup: /system.slice/pcscd.service
           └─22395 /usr/sbin/pcscd --foreground --auto-exit

Aug 01 13:17:29 client.testrelm.test systemd[1]: Started PC/SC Smart Card Daemon.
Aug 01 13:17:29 client.testrelm.test systemd[1]: Starting PC/SC Smart Card Daemon...
Aug 01 13:17:29 client.testrelm.test pcscd[22395]: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
```

Not sure if the pid file thing is related.

```
Aug  1 12:59:07 client systemd: Started System Security Services Daemon.
Aug  1 13:00:24 client systemd: Started PC/SC Smart Card Daemon.
Aug  1 13:00:24 client systemd: Starting PC/SC Smart Card Daemon...
Aug  1 13:00:24 client pcscd: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
```

Petr, is there someone else that can look at this?

Thanks,
Scott

Moving this back to assigned while this is reviewed.

Flo provided some help looking into the issue I saw. I believe pcscd.service isn't running afterwards because of the --auto-exit option. From the man page:

```
-x, --auto-exit
    Cause pcscd to quit after 60 seconds of inactivity
```

It's entirely possible that I didn't access the host for 60 seconds or more after running the client advise script. pcscd.socket though should still have been running to start the pcscd.service as needed. So, I'll go ahead and post verification for this one as this looks like a non-issue.

Verified.

Version ::

ipa-server-4.5.0-21.el7_4.1.x86_64

Results ::

```
[root@master ~]# ipa-advise config-server-for-smart-card-auth > server_setup.sh
trying https://master.testrelm.test/ipa/session/json
[root@master ~]# chmod 755 server_setup.sh
[root@master ~]# ./server_setup.sh /etc/ipa/jitc-root-ca-3.crt /etc/ipa/jitc-ca-41.crt
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
08/03/2017 08:12:35  08/04/2017 08:12:32  HTTP/master.testrelm.test
08/03/2017 08:12:34  08/04/2017 08:12:32  krbtgt/TESTRELM.TEST
--------------------
1 IPA server matched
--------------------
  Server name: master.testrelm.test
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 1
----------------------------
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package 32:bind-utils-9.9.4-51.el7.x86_64 already installed and latest version
Nothing to do
The ipa-pkinit-manage command was successful
PKINIT already enabled
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
trying https://master.testrelm.test/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@master ~]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 4eb6a210-f3f4-4f61-beb6-a0d2bd12d5ca           CT,C,C
Smart Card CA 96d6f498-b04a-4e87-8ae0-d2b270aa0a88           CT,C,C

[root@master ~]# certutil -d /etc/pki/nssdb -L -n "Smart Card CA 4eb6a210-f3f4-4f61-beb6-a0d2bd12d5ca"|grep Subject:
        Subject: "CN=DoD JITC Root CA 3,OU=PKI,OU=DoD,O=U.S. Government,C=US"

[root@master ~]# ipa-advise config-client-for-smart-card-auth > client_setup.sh
trying https://master.testrelm.test/ipa/session/json

[root@client ~]# scp root.test:/root/client_setup.sh .
Password:
client_setup.sh                                        100% 2175     3.4MB/s   00:00
[root@client ~]# chmod 755 client_setup.sh
[root@client ~]# kinit admin
Password for admin:
[root@client ~]# ./client_setup.sh /etc/ipa/jitc-root-ca-3.crt /etc/ipa/jitc-ca-41.crt
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
08/03/2017 08:26:21  08/04/2017 08:26:19  krbtgt/TESTRELM.TEST
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package dconf.x86_64 0:0.26.0-2.el7 will be installed
---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
--> Processing Dependency: pcsc-lite for package: opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
--> Processing Dependency: pcsc-lite-libs(x86-64) for package: opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
--> Running transaction check
---> Package pcsc-lite.x86_64 0:1.8.8-6.el7 will be installed
--> Processing Dependency: pcsc-ifd-handler for package: pcsc-lite-1.8.8-6.el7.x86_64
---> Package pcsc-lite-libs.x86_64 0:1.8.8-6.el7 will be installed
--> Running transaction check
---> Package pcsc-lite-ccid.x86_64 0:1.4.10-12.el7 will be installed
--> Processing Dependency: libusb-1.0.so.0()(64bit) for package: pcsc-lite-ccid-1.4.10-12.el7.x86_64
--> Running transaction check
---> Package libusbx.x86_64 0:1.0.20-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package            Arch      Version                              Repository               Size
=======================================================================================================
Installing:
 dconf              x86_64    0.26.0-2.el7                         rhel-7.4-z-candidate    106 k
 opensc             x86_64    0.16.0-5.20170227git777e2a3.el7      rhel-7.4-z-candidate    1.0 M
Installing for dependencies:
 libusbx            x86_64    1.0.20-1.el7                         rhel-7.4-z-candidate     60 k
 pcsc-lite          x86_64    1.8.8-6.el7                          rhel-7.4-z-candidate    189 k
 pcsc-lite-ccid     x86_64    1.4.10-12.el7                        rhel-7.4-z-candidate    156 k
 pcsc-lite-libs     x86_64    1.8.8-6.el7                          rhel-7.4-z-candidate     33 k

Transaction Summary
=======================================================================================================
Install  2 Packages (+4 Dependent packages)

Total download size: 1.6 M
Installed size: 4.7 M
Downloading packages:
dconf-0.26.0-2.el7.x86_64.rpm                                   | 106 kB  00:00:00
libusbx-1.0.20-1.el7.x86_64.rpm                                 |  60 kB  00:00:00
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64.rpm               | 1.0 MB  00:00:01
pcsc-lite-1.8.8-6.el7.x86_64.rpm                                | 189 kB  00:00:00
pcsc-lite-ccid-1.4.10-12.el7.x86_64.rpm                         | 156 kB  00:00:00
pcsc-lite-libs-1.8.8-6.el7.x86_64.rpm                           |  33 kB  00:00:00
-------------------------------------------------------------------------------------------------------
Total                                                  370 kB/s | 1.6 MB  00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pcsc-lite-libs-1.8.8-6.el7.x86_64                1/6
  Installing : libusbx-1.0.20-1.el7.x86_64                      2/6
  Installing : pcsc-lite-1.8.8-6.el7.x86_64                     3/6
  Installing : pcsc-lite-ccid-1.4.10-12.el7.x86_64              4/6
  Installing : opensc-0.16.0-5.20170227git777e2a3.el7.x86_64    5/6
  Installing : dconf-0.26.0-2.el7.x86_64                        6/6
  Verifying  : dconf-0.26.0-2.el7.x86_64                        1/6
  Verifying  : pcsc-lite-ccid-1.4.10-12.el7.x86_64              2/6
  Verifying  : libusbx-1.0.20-1.el7.x86_64                      3/6
  Verifying  : pcsc-lite-1.8.8-6.el7.x86_64                     4/6
  Verifying  : opensc-0.16.0-5.20170227git777e2a3.el7.x86_64    5/6
  Verifying  : pcsc-lite-libs-1.8.8-6.el7.x86_64                6/6

Installed:
  dconf.x86_64 0:0.26.0-2.el7    opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7

Dependency Installed:
  libusbx.x86_64 0:1.0.20-1.el7      pcsc-lite.x86_64 0:1.8.8-6.el7
  pcsc-lite-ccid.x86_64 0:1.4.10-12.el7    pcsc-lite-libs.x86_64 0:1.8.8-6.el7

Complete!
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package krb5-pkinit.x86_64 0:1.15.1-8.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package            Arch      Version                 Repository                Size
=======================================================================================================
Installing:
 krb5-pkinit        x86_64    1.15.1-8.el7            rhel-7.4-z-candidate     159 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 159 k
Installed size: 124 k
Downloading packages:
krb5-pkinit-1.15.1-8.el7.x86_64.rpm                             | 159 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : krb5-pkinit-1.15.1-8.el7.x86_64                  1/1
  Verifying  : krb5-pkinit-1.15.1-8.el7.x86_64                  1/1

Installed:
  krb5-pkinit.x86_64 0:1.15.1-8.el7

Complete!

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "OpenSC" added to database.
trying https://master.testrelm.test/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@client ~]# ps -ef|grep pcsc
root     11858     1  0 08:26 ?        00:00:00 /usr/sbin/pcscd --foreground --auto-exit
root     12020  1061  0 08:26 pts/0    00:00:00 grep --color=auto pcsc

[root@client ~]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA fb13f3b7-fbab-4d03-b919-69adb519a2bb           CT,C,C
Smart Card CA 1c7a3438-10e2-4b56-be9f-ff22959c05d0           CT,C,C

[root@client ~]# certutil -d /etc/pki/nssdb -L -n "Smart Card CA fb13f3b7-fbab-4d03-b919-69adb519a2bb"|grep Subject:
        Subject: "CN=DoD JITC Root CA 3,OU=PKI,OU=DoD,O=U.S. Government,C=US"
[root@client ~]# certutil -d /etc/pki/nssdb -L -n "Smart Card CA 1c7a3438-10e2-4b56-be9f-ff22959c05d0"|grep Subject:
        Subject: "CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"

[root@client ~]# ipa user-add certuser --first=cert --last=user --password
Password:
Enter Password again to verify:
---------------------
Added user "certuser"
---------------------
  User login: certuser
  First name: cert
  Last name: user
  Full name: cert user
  Display name: cert user
  Initials: cu
  Home directory: /home/certuser
  GECOS: cert user
  Login shell: /bin/sh
  Principal name: certuser
  Principal alias: certuser
  Email address: certuser
  UID: 402800001
  GID: 402800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@client ~]# kinit certuser
Password for certuser:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@client ~]# kdestroy -A
[root@client ~]# kinit admin
Password for admin:

[root@client ~]# yum -y install gnutls-utils > /tmp/yum.install.gnutls-utils
[root@client ~]# URL=$(p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs|grep URL|head -1|sed 's/^[ \t]*URL: //')
[root@client ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --outfile /root/card_cert0.pem --export "$URL"

[root@client ~]# ipa certmaprule-add "DOD JITC ID CA-41" --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US' --domain=testrelm.test --priority=10
-----------------------------------------------------------
Added Certificate Identity Mapping Rule "DOD JITC ID CA-41"
-----------------------------------------------------------
  Rule name: DOD JITC ID CA-41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: testrelm.test
  Priority: 10
  Enabled: TRUE

[root@client ~]# ipa user-add-certmapdata certuser --certificate=$(cat /root/card_cert0.pem|sed '/CERT/d'|tr -d '\r\n')
---------------------------------------------
Added certificate mappings to user "certuser"
---------------------------------------------
  User login: certuser
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID CA-41<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=FLUORINE.JANE.F.2001441054

### I had to increase some timeouts in sssd.conf to support the USB redirection I'm using to pass the smart card reader to the VM.
[domain/testrelm.test]
...
krb5_auth_timeout = 60
...
[pam]
...
p11_child_timeout = 60
...
### This is not expected to be included in the script.  So it is ok to manually tune this.

# resetting sssd to avoid caching issues with the test:
[root@client ~]# systemctl stop sssd; rm -rf /var/lib/sssd/{db,mc}/*; systemctl start sssd
[root@master ~]# systemctl stop sssd; rm -rf /var/lib/sssd/{db,mc}/*; systemctl start sssd

[root@client ~]# ipa certmap-match /root/card_cert0.pem
--------------
1 user matched
--------------
  Domain: TESTRELM.TEST
  User logins: certuser
----------------------------
Number of entries returned 1
----------------------------

###################### SU Test for basic client functionality #############
[root@client ~]# su - admin -c "su - certuser -c whoami"
su: warning: cannot change directory to /home/admin: No such file or directory
PIN for PIV Card Holder pin (PIV_II)
su: warning: cannot change directory to /home/certuser: No such file or directory
certuser

####################### WebUI Test for server WebUI functionality ###########
[root@client ~]# export SSL_DIR=/tmp/nssdb
[root@client ~]# mkdir $SSL_DIR
[root@client ~]# echo "passw0rd" > $SSL_DIR/password
[root@client ~]# certutil -d sql:$SSL_DIR -N -f $SSL_DIR/password
[root@client ~]# modutil -dbdir sql:$SSL_DIR -add smartcard -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "smartcard" added to database.
[root@client ~]# certutil -d sql:$SSL_DIR -L -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "PIV Card Holder pin (PIV_II)":
PIV Card Holder pin (PIV_II):Certificate for PIV Authentication   u,u,u
PIV Card Holder pin (PIV_II):Certificate for Digital Signature    u,u,u
PIV Card Holder pin (PIV_II):Certificate for Key Management       u,u,u

[root@client ~]# curl -v --insecure --cert "PIV Card Holder pin (PIV_II)\:Certificate for PIV Authentication:$PIN" 'https://master.testrelm.test/ipa/session/login_x509?username=certuser'
...
< HTTP/1.1 200 Success
...
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2568
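The verification transcript above chains three identity-mapping steps: `ipa certmaprule-add` defines a matching rule (`<ISSUER>...`) that selects which certificates the rule applies to and a mapping rule (an LDAP filter template with `{issuer_dn!nss_x500}`-style placeholders) that finds the user; `ipa user-add-certmapdata` stores the `X509:<I>...<S>...` string on the user; `ipa certmap-match` confirms the card certificate resolves to exactly that user. The Python below is an added example written for this page, not code from the bug report, FreeIPA or SSSD: it builds the stored mapping data from the issuer and subject DNs, evaluates the issuer matching rule, and expands the mapping rule into the LDAP filter the lookup uses. The issuer DN, matching rule, mapping rule and resulting mapping data are taken from the transcript; the subject DN is derived from that mapping data, and the DER bytes are a constructed placeholder. Two labelled assumptions: the text after `<ISSUER>` is treated as a case-insensitive regular expression (sssd-certmap semantics as I understand them), and `nss_x500` and `ad_x500` are both rendered as plain X.500 order, ignoring their escaping differences.

```python
import re

# Constructed sample values. Issuer DN, matching rule, mapping rule and the
# expected mapping data are copied from the bug's verification transcript;
# the subject DN is derived from that mapping data. The DER bytes are a
# placeholder, not a real certificate.
SAMPLE_ISSUER_DN = "CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SAMPLE_SUBJECT_DN = ("CN=FLUORINE.JANE.F.2001441054,OU=NOAA,OU=PKI,OU=DoD,"
                     "O=U.S. Government,C=US")
SAMPLE_DER = b"\x30\x82\x01\x00"  # constructed placeholder bytes
MATCH_RULE = "<ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
MAP_RULE = ("(|(userCertificate;binary={cert!bin})"
            "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})"
            "(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))")


def split_dn(dn):
    """Split an LDAP-style DN into RDNs, keeping backslash-escaped commas intact."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def x500_order(dn):
    """Reverse the RDN order: certutil prints CN=... first, while the stored
    mapping data in the transcript lists C=US first."""
    return ",".join(reversed(split_dn(dn)))


def ldap_binary_escape(der):
    """Escape raw certificate bytes for an LDAP filter value (RFC 4515 \\xx form)."""
    return "".join(f"\\{b:02x}" for b in der)


# Assumption: nss_x500 and ad_x500 are rendered identically here (X.500 order);
# sssd-certmap also differs in escaping, which this example does not model.
CONVERSIONS = {
    ("issuer_dn", "nss_x500"): lambda c: x500_order(c["issuer_dn"]),
    ("subject_dn", "nss_x500"): lambda c: x500_order(c["subject_dn"]),
    ("issuer_dn", "ad_x500"): lambda c: x500_order(c["issuer_dn"]),
    ("subject_dn", "ad_x500"): lambda c: x500_order(c["subject_dn"]),
    ("cert", "bin"): lambda c: ldap_binary_escape(c["der"]),
}


def certmap_data(issuer_dn, subject_dn):
    """The value `ipa user-add-certmapdata` stores for a user."""
    return f"X509:<I>{x500_order(issuer_dn)}<S>{x500_order(subject_dn)}"


def issuer_rule_matches(match_rule, issuer_dn):
    """Evaluate a <ISSUER>regexp matching rule against a certificate's issuer.
    Assumption: the rule body is a case-insensitive regular expression that is
    searched for in the issuer DN string."""
    m = re.fullmatch(r"<ISSUER>(.+)", match_rule)
    if m is None:
        raise ValueError("only <ISSUER> rules are handled in this example")
    return re.search(m.group(1), issuer_dn, re.IGNORECASE) is not None


def render_maprule(template, cert):
    """Expand {name!conversion} placeholders in a mapping rule into the LDAP
    filter used to look the user up. `cert` is a dict with issuer_dn,
    subject_dn and der."""
    def substitute(m):
        key = (m.group(1), m.group(2))
        if key not in CONVERSIONS:
            raise KeyError(f"unsupported placeholder {m.group(0)}")
        return CONVERSIONS[key](cert)
    return re.sub(r"\{(\w+)!(\w+)\}", substitute, template)


if __name__ == "__main__":
    cert = {"issuer_dn": SAMPLE_ISSUER_DN, "subject_dn": SAMPLE_SUBJECT_DN,
            "der": SAMPLE_DER}
    print("rule applies:", issuer_rule_matches(MATCH_RULE, SAMPLE_ISSUER_DN))
    print("mapping data:", certmap_data(SAMPLE_ISSUER_DN, SAMPLE_SUBJECT_DN))
    print("ldap filter :", render_maprule(MAP_RULE, cert))
```

The rendered filter shows why `certmap-match` returned exactly one user: the `ipacertmapdata` branch compares the stored string byte for byte, so an RDN ordering or spelling mismatch (for example `DoD` versus `DOD` in the issuer) yields no match rather than a wrong user, while the matching rule keeps certificates from the root CA out of this rule entirely.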