1241089 – RFE: add ability to lookup user based on certificate

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1241089 - RFE: add ability to lookup user based on certificate

Summary: RFE: add ability to lookup user based on certificate

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_lookup_identity
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Pazdziora (Red Hat)
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1202724
Blocks:	1127787 1169972 1181710
TreeView+	depends on / blocked

Reported:	2015-07-08 12:17 UTC by Jan Pazdziora (Red Hat)
Modified:	2015-11-19 14:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mod_lookup_identity-0.9.3-1.el7
Doc Type:	Rebase: Enhancements Only
Doc Text:	The mod_lookup_identity packages have been upgraded to upstream version 0.9.3, which provides the ability to look up a user based on a certificate.
Clone Of:
Environment:
Last Closed:	2015-11-19 14:47:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2015:2451	0	normal	SHIPPED_LIVE	mod_lookup_identity enhancement update	2015-11-19 11:44:48 UTC

Description Jan Pazdziora (Red Hat) 2015-07-08 12:17:13 UTC

Description of problem:

When user authenticates against Web application with client SSL certificate, for example when Apache is configured with mod_ssl using

SSLVerifyClient require

it is possible to use directive SSLUserName to put certain attribute from the client certificate to r->user structure, aka REMOTE_USER. Having some unique identifier of the user there is useful for example when subsequent authorization/access check needs to be performed or the application needs to have a way to identify the user, not just ensure that some user has authenticated.

Sometimes the certificate attributes can be used just fine but sometimes deriving the username solely based on the certificate content is not possible. IdM RFE in bug 1072383 and SSSD RFE bug 1202724 will make it possible to store the user certificates in IPA's user records, whatever the content of that certificate is, and have SSSD lookup user based on the certificate.

We need that ability extended to Apache HTTP Server setups.

Hence a proposal for mod_lookup_identity to find the username using the new org.freedesktop.sssd.infopipe.Users.FindByCertificate SSSD D-Bus method.

Version-Release number of selected component (if applicable):

0.9.2.

How reproducible:

Determinisic.

Steps to Reproduce:
1. Have IPA-enrolled machine with Apache setup with SSL client authentication.
2. Enable PAM access control using mod_authnz_pam.
3. Configure Apache in such a way that when client certificate is stored in user record in IPA directory, PAM will be able to run the access check for that user. IOW, we need to be able to lookup the user based on the certificate, even if the username cannot be derived from the certificate content itself.

Actual results:

Currently it is not possible.

Expected results:

It should be possible.

Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2015-07-08 12:18:34 UTC

Upstream ticket https://fedorahosted.org/webauthinfra/ticket/5.

Comment 2 Jan Pazdziora (Red Hat) 2015-08-03 08:58:39 UTC

Rebased to 0.9.3.

Comment 3 Jan Pazdziora (Red Hat) 2015-08-03 09:48:06 UTC

Build mod_lookup_identity-0.9.3-1.el7.

Comment 5 Jan Pazdziora (Red Hat) 2015-08-03 11:11:28 UTC

The typical configuration would be

    SSLVerifyClient require
    SSLUserName SSL_CLIENT_CERT
    LookupUserByCertificate On

which causes the certificate to be put to r->user, and then used by mod_lookup_identity as input for org.freedesktop.sssd.infopipe.Users.FindByCertificate call when LookupUserByCertificate On is enabled.

Comment 7 Scott Poore 2015-09-21 21:37:57 UTC

Verified.

Version ::

mod_lookup_identity-0.9.3-1.el7.x86_64

Results ::

blade01 is client and httpd server
blade05 is IPA master


############### ON WEB server ###############
[root@blade01 conf.d]# vi /etc/httpd/conf.d/ssl.conf
...change this...
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/ipa/ca.crt
...

[root@blade01 conf.d]# ipa service-add HTTP/$(hostname) --force
ipa: ERROR: service with name "HTTP/blade01.my.fqdn.test" already exists

[root@blade01 conf.d]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
>      -k /etc/pki/tls/private/server.key \
>      -K HTTP/$(hostname)
New signing request "20150921211340" added.

[root@blade01 conf.d]# cat /var/www/app.cgi
#!/usr/bin/perl

#  Copyright 2014 Jan Pazdziora
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.

use strict;
use warnings FATAL => 'all';
use CGI ();

my $LOGIN = '/login';
my $LOGOUT = '/logout';
my $AUTH_COOKIE = 'the-test-cookie';

my $q = new CGI;
my $cookie = $q->cookie($AUTH_COOKIE);
my ($user, $name);
if ($cookie and $cookie =~ /^ok:(.+)$/) {
	$user = $1;
	$name = CGI::escapeHTML($user);
}
my @nav;

print "Content-Type: text/html; charset=UTF-8\n";
print "Pragma: no-cache\n";

my $title = "Application";
my $body = "This is a test application; public view, not much to see.";
if (defined $user) {
	$title .= " authenticated ($name)";
	$body = "Test application; logged in as user $name."
		 . " There is  much more content for authenticated users." x 10;
}

sub logout {
	print "Set-Cookie: $AUTH_COOKIE=xx; path=$ENV{SCRIPT_NAME}\n";
	print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
	$title = "Logged out";
	$body = 'Successfully logged out. You will be redirected to the '
		. qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
}
sub login {
	if (defined $user) {
		print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
		$title = "Already logged in";
		$body = "You are already logged in as user $name.\n";
		return;
	}
	$title = "Log in to application";
	my $login = $q->param('login');
	my $password = $q->param('password');
	my $error = '';
	if (defined $ENV{REMOTE_USER}) {
		$login = $ENV{REMOTE_USER};
		if (defined $ENV{REMOTE_USER_EMAIL}) {
			$login .= ": $ENV{REMOTE_USER_EMAIL}";
		}
		my $n = join ' ', grep defined $_, map $ENV{$_},
			'REMOTE_USER_FIRSTNAME', 'REMOTE_USER_LASTNAME';
		if ($n ne '') {
			$login = "$n ($login)";
		}
	} elsif (defined $login) {
		my $re = qr/^[-a-zA-Z0-9_.]+$/;
		if ($login eq '' or not $login =~ $re) {
			$error = '<p>Login has to be nonempty, full characters</p>';
		} elsif (not defined $password or not $password =~ $re) {
			$error = '<p>Password has to be nonempty</p>';
		} elsif ($password ne reverse($login)) {
			$error = '<p>Password has to be reverse login</p>';
		}
	}
	if (defined $login and $error eq '') {
		print "Set-Cookie: $AUTH_COOKIE=ok:$login; path=$ENV{SCRIPT_NAME}\n";
		print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
		$title = 'Logged in as ' . CGI::escapeHTML($login);
		$body = 'You will be redirected to the '
			. qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
		return;
	}
	no warnings 'uninitialized';
	$body = <<"EOS";
	$error
	<form method="POST">
	  <dl>
	    <dt>Login:</dt>
	      <dd><input type="text" name="login" value="@{[ CGI::escapeHTML($login) ]}" />
	    <dt>Password:</dt>
	      <dd><input type="password" name="password" />
	    <dt><input type="submit" name="go" value="Log in" /></dt>
	  </dl>
	</form>
EOS
}

if (defined $ENV{PATH_INFO}) {
	if (substr($ENV{PATH_INFO}, 0, length($LOGIN)) eq $LOGIN) {
		login();
		push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
	} elsif ($ENV{PATH_INFO} eq $LOGOUT) {
		logout();
		push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
	}
}

if (not @nav) {
	push @nav, (defined $user
		? qq!<a href="$ENV{SCRIPT_NAME}$LOGOUT">Log out</a>!
		: qq!<a href="$ENV{SCRIPT_NAME}$LOGIN">Log in</a>!);
}

print <<"EOS";

<html>
  <head>
    <title>$title</title>
  </head>
  <body>
    <h1>$title</h1>
    <p>$body</p>
    <hr/>
    <p>@nav</p>
    <!--
    <hr/>
    <pre>@{[ join "\n", map CGI::escapeHTML("$_=$ENV{$_}"), sort keys %ENV ]}
    </pre>
    -->
  </body>
</html>
EOS


[root@blade01 conf.d]#  cat app.conf
ScriptAlias /application /var/www/app.cgi

[root@blade01 conf.d]# cat wikiapp_lookup.conf

LoadModule lookup_identity_module modules/mod_lookup_identity.so

<LocationMatch ^/application/login>
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
LookupUserByCertificate On
LookupUserAttr mail REMOTE_USER_EMAIL " "
LookupUserAttr firstname REMOTE_USER_FIRSTNAME
LookupUserAttr lastname REMOTE_USER_LASTNAME
LookupUserGroups REMOTE_USER_GROUPS ":"
LookupUserGroupsIter REMOTE_USER_GROUPS
LookupUserGroups REMOTE_USER_GROUPS ":"
LookupUserGroupsIter REMOTE_USER_GROUPS
</LocationMatch>

[root@blade01 conf.d]# rpm -qa|egrep -i "mod_nss|mod_ssl"
mod_ssl-2.4.6-40.el7.x86_64


[root@blade01 conf.d]# service httpd restart
Redirecting to /bin/systemctl restart  httpd.service


################### ON IPA MASTER ###################################

[root@blade05 ~]# ipa group-add webgroup1
-----------------------
Added group "webgroup1"
-----------------------
  Group name: webgroup1
  GID: 1690400006

[root@blade05 ~]# ipa group-add-member webgroup1 --users=bob20669
  Group name: webgroup1
  GID: 1690400006
  Member users: bob20669
-------------------------
Number of members added 1
-------------------------

[root@blade05 ~]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@blade05 ~]# sed -i '/^profileId=.*$/d' caIPAuserCert.txt

[root@blade05 ~]# sed -i 's/^desc=.*$/desc=caIPAuserCert test profile/' caIPAuserCert.txt

[root@blade05 ~]# ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
Profile description: caIPAuserCert test profile
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
  Profile ID: caIPAuserCert
  Profile description: caIPAuserCert test profile
  Store issued certificates: TRUE

[root@blade05 ~]# ipa caacl-add caacl_open --profilecat=all --usercat=all --hostcat=all --servicecat=all
-------------------------
Added CA ACL "caacl_open"
-------------------------
  ACL name: caacl_open
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all

[root@blade05 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=bob20669'
Generating a 2048 bit RSA private key
........................+++
...+++
writing new private key to 'private.key'
-----

[root@blade05 ~]# ipa cert-request cert.csr --principal=bob20669 --profile-id=caIPAuserCert
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsF...
/pXVmNx2Q2uu8ypcC9ZzuykVIy38RY6SETr5yPmkBM0NL5TeNVNdy9+06FmL/0QDVisfW5sNncxzfIO0LOQJp6gyMAXc2bGeeLlk2SR8aKPtyz5kNFKYUWaA4F2ZeAPsb0zU9JIu237FCgxU7L3c9fp0ZXPE1NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBFtfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number: 12
  Serial number (hex): 0xC


[root@blade05 ~]# ipa cert-show 0xc --out=bob20669.pem
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN
UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5
...
NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBF
tfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number (hex): 0xC
  Serial number: 12


#########################################################
#########################################################
### First Test with successful connection with Certificate
#########################################################
#########################################################

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:20:46 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:20:46 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41828
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=5d49e1790cb9321285407e1a7ec8e4fdfa6cf9bbdfec3535db44ae16f1bdd694
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB0rpG6VuU-xTTBlMmiIwAAAAE
    </pre>
    -->
  </body>
</html>

[root@blade01 conf.d]# cat /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - bob20669 [21/Sep/2015:17:20:46 -0400] "GET /application/login HTTP/1.1" 200 2866

#########################################################
#########################################################
### Second Test without resetting httpd
#########################################################
#########################################################

[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFNUExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5MjEyMTE4MDRaFw0xNzA5MjEyMTE4MDRaMCoxFTATBgNVBAoMDEVYQU1QTEUuVEVTVDERMA8GA1UEAwwIYm9iMjA2NjkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEsRZW2sEvczwkF5LJ5f/3QyQFzxMYz2shUCDvzYXvSRQdosSAIcpI65tTzxvhBKn8+zslL2+IULb4ZvhycrhIoAjOKammZLiYYIpyjgkatmNu9V9UKwWsKxAgg75338ZnVGq9RrjwOtVwHhZ7oGvk0O3+k09iTsmXP8cP2QQQEh1XaNxhqB+WO2XbLLV9lefFJlZl3DQdERPQ6/M8aBKwnMuoJwFE+zFKaAda70wjmUiCCeJCIm0gpyEr71PX4eTP/b2nkANJT4LWNd8eeSuY0PL4o6FerEjoLmSLEL0/MNDY5mj1qNcqKVRC/q9mEIOvRQtFZSKexHLVjzoLa/J3AgMBAAGjggEsMIIBKDAfBgNVHSMEGDAWgBQpLLhxktYerqlf4Sv2wTEeOoy+fzA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9pcGEtY2EuZXhhbXBsZS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMGygNKAyhjBodHRwOi8vaXBhLWNhLmV4YW1wbGUudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDSTSIzglpbODRtGBUW6w520IimgMA0GCSqGSIb3DQEBCwUAA4IBAQBn21OvjmAFw0RDX6y8oo80FuTgCJ2hKkKt2QAhpFtirM2kNSJG7+E//Dwbs4Tyg5CSBOPXsdFi2NkRTA4/pXVmNx2Q2uu8ypcC9ZzuykVIy38RY6SETr5yPmkBM0NL5TeNVNdy9+06FmL/0QDVisfW5sNncxzfIO0LOQJp6gyMAXc2bGeeLlk2SR8aKPtyz5kNFKYUWaA4F2ZeAPsb0zU9JIu237FCgxU7L3c9fp0ZXPE1NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBFtfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN"
-----------------------------------------
Removed certificates from user "bob20669"
-----------------------------------------
  User login: bob20669

[root@blade05 ~]# ipa user-show
User login: bob20669
  User login: bob20669
  First name: Robert
  Last name: Chase
  Home directory: /home/bob20669
  Login shell: /bin/sh
  Email address: bob20669
  UID: 1690400001
  GID: 1690400001
  Account disabled: False
  Password: True
  Member of groups: webgroup1
  Member of HBAC rule: allow_wikiapp
  Kerberos keys available: True

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:23:24 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:23:24 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41838
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=37a16ea0d534719ef8b20936bc117ad0beb7e9d5607604c305ef7214e4f35f1c
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB1TAojq3yAqwqOWasdDQAAAAM
    </pre>
    -->
  </body>
</html>

#########################################################
#########################################################
### Third Test after resetting httpd
#########################################################
#########################################################

[root@blade01 conf.d]# systemctl restart httpd

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:34:55 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Mon, 21 Sep 2015 21:34:55 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

[root@blade01 conf.d]# tail -1 /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - - [21/Sep/2015:17:34:55 -0400] "GET /application/login HTTP/1.1" 401 127

Comment 9 Scott Poore 2015-09-22 15:00:30 UTC

moving back to ON_QA while I cover a few more test cases

Comment 11 Scott Poore 2015-09-22 15:38:57 UTC

################################################################################
# Test 1: clean test using certificate user lookup
################################################################################

ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login


[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42417
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=32086bb5d36b75c2722cc8db3e9bfa35630acf309267b0d95525425afa8a2ef0
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzYvG3b1f9oOlfemcqmAAAAAM
    </pre>
    -->
  </body>
</html>


################################################################################
# Test 2: cached test after removing cert from user
################################################################################

ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login


[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:44 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:44 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42421
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=ed2d95e96b1ab4e5d1c5d01cc19fed1b2f34242f131a1c1c2687f6de60bcb889
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzcCbtg6tovgxkbPgRMQAAAAQ
    </pre>
    -->
  </body>
</html>


################################################################################
# Test 3: failure test after clearing sssd cache
################################################################################

On Client:
sss_cache -E --
getent passwd bob20669

On Master:
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd bob20669
bob20669:*:1690400001:1690400001:Robert Chase:/home/bob20669:/bin/sh


[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:28:01 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Tue, 22 Sep 2015 15:28:01 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@blade05 ~]# 




################################################################################
# Test 4: failure test with different user with cert
################################################################################

sss_cache -E --

ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login


[root@blade01 ~]# sss_cache -E --

[root@blade05 ~]# ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:29:47 EDT 2015
HTTP/1.1 403 Forbidden
Date: Tue, 22 Sep 2015 15:29:47 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Content-Length: 219
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /application/login
on this server.</p>
</body></html>



################################################################################
# Test 5: failure test with good user with cert for different CN
################################################################################

make sure cache is clear by removing or doing getent passwd newuser1

On Master:
ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt

On Client:
sss_cache -E --
getent passwd newuser1

On Master:
ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login



[root@blade05 ~]# ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# 


[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd newuser1
newuser1:*:1690400007:1690400007:new test:/home/newuser1:/bin/sh
[root@blade01 ~]# 

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:31:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:31:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42433
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0D
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=newuser1,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=newuser1
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 22 12:53:48 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 22 12:53:48 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=1a39c6e56fb21c9412f29f8b4c73b03c15973975378b7c03ea6c36746dc161af
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgF0Uqjjs90oNxHj7O05ogAAAAA
    </pre>
    -->
  </body>
</html>

Comment 12 errata-xmlrpc 2015-11-19 14:47:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2451.html

Note You need to log in before you can comment on or make changes to this bug.