Bug 1127787 - [RFE] Satellite 6: x509 Support for Satellite 6
Summary: [RFE] Satellite 6: x509 Support for Satellite 6
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: Unspecified
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Nikhil Kathole
URL:
Whiteboard:
Depends On: 1202724 1241089
Blocks:
Reported: 2014-08-07 14:40 UTC by Jamie Duncan
Modified: 2023-12-15 15:47 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-24 16:14:05 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1127791 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1323437 0 unspecified CLOSED Satellite 6 web interface trying to use smartcard authentication 2023-03-24 13:40:45 UTC

Internal Links: 1127791 1323437

Description Jamie Duncan 2014-08-07 14:40:52 UTC
1. Proposed title of this feature request  

x509 / DoD CAC Card Authentication for Satellite 5/6      
      
2. Who is the customer behind the request?  
    Account: name (acct #) 932836
    TAM customer: yes  
    SRM customer: yes  
    Strategic: yes  
      
3. What is the nature and description of the request?  

Many customers using PIV (like DoD CAC) have requested the ability to use the certificate on their cards as an authentication mechanism.
      

4. Why does the customer need this? (List the business requirements here)  

More secure authentication
      
5. How would the customer like to achieve this? (List the functional requirements here)  

Use their DoD CAC card to authenticate to Satellite

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Use a test card in the lab to confirm full functionality.
      
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  

None found.
     
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

Satellite 5 and 6.
      
9. Is the sales team involved in this request and do they have any additional input?  

yes
      
10. List any affected packages or components.  

RHSS
      
11. Would the customer be able to assist in testing this functionality if implemented?  

yes

Comment 1 RHEL Program Management 2014-08-07 14:44:23 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Xixi 2014-08-13 23:45:00 UTC
Satellite 5 BZ for same request is at RFE Bug 1127809

Comment 25 Jan Pazdziora (Red Hat) 2015-03-17 10:21:20 UTC
Adding the sssd bug 1202724 where lookup of user identities in IdM based on CAC is discussed as a blocker.

Comment 26 Jan Pazdziora (Red Hat) 2015-03-17 10:31:07 UTC
Also, the mod_lookup_identity part is currently tracked in upstream ticket https://fedorahosted.org/webauthinfra/ticket/5.

Comment 27 Jan Pazdziora (Red Hat) 2015-07-08 12:24:18 UTC
(In reply to Jan Pazdziora from comment #26)
> Also, the mod_lookup_identity part is currently tracked in upstream ticket
> https://fedorahosted.org/webauthinfra/ticket/5.

Downstream bug 1241089.

Comment 31 Bryan Kearney 2016-07-08 20:20:32 UTC
Per 6.3 planning, moving out non acked bugs to the backlog

Comment 37 Jan Pazdziora (Red Hat) 2017-04-06 08:48:26 UTC
For the record: mod_lookup_identity-0.9.5-1.el7 which is in RHEL 7.3 has support for user lookup via SSSD when the certificate used for authentication is attached to user record in IdM. The configuration of Apache HTTP Server would then be along the lines

SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
LookupUserByCertificate On

Comment 38 Marek Hulan 2017-08-02 19:43:39 UTC
The x509 certificates support was added to hammer in 0.10.0 - http://projects.theforeman.org/issues/12401, Tomas could you please provide setup instructions or link to docs? Then we could check whether it could be used also with cards.

Comment 39 Tomas Strachota 2017-08-04 13:13:31 UTC
The relevant setting is documented in hammer's config template:
https://github.com/theforeman/hammer-cli/blob/master/config/cli_config.template.yml#L35

I'm adding some more details about the config values here:
https://github.com/theforeman/hammer-cli/pull/248/files

Hammer itself should be ready for usage with certificates/cards when you configure :ssl_client_cert: and :ssl_client_key:. At the same time :ssl_with_basic_auth: should be set to false to disable basic authentication.

There's additional setup of mod_ssl that needs to be done in apache to enable certificate authentication for the API. SSLUserName must be set to SSL_CLIENT_S_DN_CN for the API locations, which can be both <SAT_URL>/api and <SAT_URL>/<PLUGIN_NAME>/api 

The following setting would probably do the trick (I didn't test it):
<LocationMatch "^(?<plugin>/[^/]*)?/api">
  SSLUserName SSL_CLIENT_S_DN_CN
</LocationMatch>

Alternatively we could probably set SSLUserName for the whole virtual host and switch SSLVerifyClient to optional so that certs are verified only when they're sent:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient

Unfortunately the installer doesn't support any of the mentioned alternatives yet and it needs to be configured manually.
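
Added example, not part of the original comment and not Satellite or Foreman code: a small Python check that reads an Apache fragment and reports, for every scope that sets SSLUserName, which SSLVerifyClient level is in effect there. The vhost fragments are constructed, and scope handling is simplified (a nested section inherits from the enclosing one; Include files are not followed).

```python
import re

# Constructed fragments: the LocationMatch variant with "optional" at the
# virtual host, and a vhost that sets SSLUserName without SSLVerifyClient.
VHOST_OPTIONAL = '''
<VirtualHost *:443>
  SSLVerifyClient optional
  <LocationMatch "^(?<plugin>/[^/]*)?/api">
    SSLUserName SSL_CLIENT_S_DN_CN
  </LocationMatch>
</VirtualHost>
'''
VHOST_NO_VERIFY = '''
<VirtualHost *:443>
  SSLUserName SSL_CLIENT_S_DN_CN
</VirtualHost>
'''
# mod_ssl verification levels and what each means for a cert-derived user name.
RULES = {
    "require": ("ok", "certificate must verify against the CA before the name is used"),
    "optional": ("info", "requests without a certificate carry no cert-derived name; "
                         "other authentication must handle them"),
    "optional_no_ca": ("high", "certificate need not chain to a trusted CA, "
                               "so its subject CN cannot be trusted"),
    "none": ("high", "no client certificate is requested, so the variable stays empty"),
}

def audit_ssl_username(conf):
    """Return [(scope, severity, message)] for each scope that sets SSLUserName."""
    scopes = [{"name": "server", "parent": None, "set": {}}]
    cur = 0
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"</\s*\w+\s*>", line):            # section close
            cur = scopes[cur]["parent"] or 0
        elif m := re.fullmatch(r"<\s*(\w+)\s*(.*)>", line):  # section open
            scopes.append({"name": f"{m[1]} {m[2]}".strip(), "parent": cur, "set": {}})
            cur = len(scopes) - 1
        else:
            key, _, value = line.partition(" ")
            if key.lower() in ("sslverifyclient", "sslusername"):
                scopes[cur]["set"][key.lower()] = value.strip()
    findings = []
    for s in scopes:
        if "sslusername" not in s["set"]:
            continue
        level, p = None, s
        while level is None and p is not None:   # nearest enclosing setting wins
            level = p["set"].get("sslverifyclient")
            p = scopes[p["parent"]] if p["parent"] is not None else None
        level = (level or "none").lower()        # mod_ssl default is "none"
        findings.append((s["name"], *RULES.get(level, ("high", "unrecognised level"))))
    return findings
```
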

Comment 49 Sean O'Keeffe 2020-04-24 16:14:05 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support.

