Description of problem:

When a user authenticates against a Web application with a client SSL certificate, for example when Apache is configured with mod_ssl using

  SSLVerifyClient require

it is possible to use the directive SSLUserName to put a certain attribute from the client certificate to the r->user structure, aka REMOTE_USER. Having some unique identifier of the user there is useful, for example, when a subsequent authorization/access check needs to be performed or the application needs to have a way to identify the user, not just ensure that some user has authenticated.

Sometimes the certificate attributes can be used just fine, but sometimes deriving the username solely based on the certificate content is not possible.

IdM RFE in bug 1072383 and SSSD RFE bug 1202724 will make it possible to store the user certificates in IPA's user records, whatever the content of that certificate is, and have SSSD look up the user based on the certificate.

We need that ability extended to Apache HTTP Server setups. Hence a proposal for mod_lookup_identity to find the username using the new org.freedesktop.sssd.infopipe.Users.FindByCertificate SSSD D-Bus method.

Version-Release number of selected component (if applicable):

0.9.2.

How reproducible:

Deterministic.

Steps to Reproduce:

1. Have an IPA-enrolled machine with Apache set up with SSL client authentication.
2. Enable PAM access control using mod_authnz_pam.
3. Configure Apache in such a way that when the client certificate is stored in the user record in the IPA directory, PAM will be able to run the access check for that user. IOW, we need to be able to look up the user based on the certificate, even if the username cannot be derived from the certificate content itself.

Actual results:

Currently it is not possible.

Expected results:

It should be possible.

Additional info:
Upstream ticket https://fedorahosted.org/webauthinfra/ticket/5.
Rebased to 0.9.3.
Build mod_lookup_identity-0.9.3-1.el7.
The typical configuration would be

  SSLVerifyClient require
  SSLUserName SSL_CLIENT_CERT
  LookupUserByCertificate On

which causes the certificate to be put to r->user, and then used by mod_lookup_identity as input for org.freedesktop.sssd.infopipe.Users.FindByCertificate call when LookupUserByCertificate On is enabled.
Verified.

Version ::

mod_lookup_identity-0.9.3-1.el7.x86_64

Results ::

blade01 is client and httpd server
blade05 is IPA master

###############
ON WEB server
###############

[root@blade01 conf.d]# vi /etc/httpd/conf.d/ssl.conf
...change this...
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/ipa/ca.crt
...

[root@blade01 conf.d]# ipa service-add HTTP/$(hostname) --force
ipa: ERROR: service with name "HTTP/blade01.my.fqdn.test@EXAMPLE.TEST" already exists

[root@blade01 conf.d]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
> -k /etc/pki/tls/private/server.key \
> -K HTTP/$(hostname)
New signing request "20150921211340" added.

[root@blade01 conf.d]# cat /var/www/app.cgi
#!/usr/bin/perl

# Copyright 2014 Jan Pazdziora
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

use strict;
use warnings FATAL => 'all';
use CGI ();

my $LOGIN = '/login';
my $LOGOUT = '/logout';
my $AUTH_COOKIE = 'the-test-cookie';

my $q = new CGI;

my $cookie = $q->cookie($AUTH_COOKIE);
my ($user, $name);
if ($cookie and $cookie =~ /^ok:(.+)$/) {
    $user = $1;
    $name = CGI::escapeHTML($user);
}

my @nav;

print "Content-Type: text/html; charset=UTF-8\n";
print "Pragma: no-cache\n";

my $title = "Application";
my $body = "This is a test application; public view, not much to see.";
if (defined $user) {
    $title .= " authenticated ($name)";
    $body = "Test application; logged in as user $name." .
        " There is much more content for authenticated users." x 10;
}

sub logout {
    print "Set-Cookie: $AUTH_COOKIE=xx; path=$ENV{SCRIPT_NAME}\n";
    print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
    $title = "Logged out";
    $body = 'Successfully logged out. You will be redirected to the ' .
        qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
}

sub login {
    if (defined $user) {
        print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
        $title = "Already logged in";
        $body = "You are already logged in as user $name.\n";
        return;
    }

    $title = "Log in to application";
    my $login = $q->param('login');
    my $password = $q->param('password');
    my $error = '';
    if (defined $ENV{REMOTE_USER}) {
        $login = $ENV{REMOTE_USER};
        if (defined $ENV{REMOTE_USER_EMAIL}) {
            $login .= ": $ENV{REMOTE_USER_EMAIL}";
        }
        my $n = join ' ', grep defined $_, map $ENV{$_}, 'REMOTE_USER_FIRSTNAME', 'REMOTE_USER_LASTNAME';
        if ($n ne '') {
            $login = "$n ($login)";
        }
    } elsif (defined $login) {
        my $re = qr/^[-a-zA-Z0-9_.]+$/;
        if ($login eq '' or not $login =~ $re) {
            $error = '<p>Login has to be nonempty, full characters</p>';
        } elsif (not defined $password or not $password =~ $re) {
            $error = '<p>Password has to be nonempty</p>';
        } elsif ($password ne reverse($login)) {
            $error = '<p>Password has to be reverse login</p>';
        }
    }
    if (defined $login and $error eq '') {
        print "Set-Cookie: $AUTH_COOKIE=ok:$login; path=$ENV{SCRIPT_NAME}\n";
        print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
        $title = 'Logged in as ' . CGI::escapeHTML($login);
        $body = 'You will be redirected to the ' .
            qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
        return;
    }
    no warnings 'uninitialized';
    $body = <<"EOS";
$error
<form method="POST">
<dl>
<dt>Login:</dt>
<dd><input type="text" name="login" value="@{[ CGI::escapeHTML($login) ]}" />
<dt>Password:</dt>
<dd><input type="password" name="password" />
<dt><input type="submit" name="go" value="Log in" /></dt>
</dl>
</form>
EOS
}

if (defined $ENV{PATH_INFO}) {
    if (substr($ENV{PATH_INFO}, 0, length($LOGIN)) eq $LOGIN) {
        login();
        push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
    } elsif ($ENV{PATH_INFO} eq $LOGOUT) {
        logout();
        push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
    }
}

if (not @nav) {
    push @nav, (defined $user
        ? qq!<a href="$ENV{SCRIPT_NAME}$LOGOUT">Log out</a>!
        : qq!<a href="$ENV{SCRIPT_NAME}$LOGIN">Log in</a>!);
}

print <<"EOS";

<html>
  <head>
    <title>$title</title>
  </head>
  <body>
    <h1>$title</h1>
    <p>$body</p>
    <hr/>
    <p>@nav</p>
<!--
    <hr/>
    <pre>@{[ join "\n", map CGI::escapeHTML("$_=$ENV{$_}"), sort keys %ENV ]}
</pre>
-->
  </body>
</html>
EOS

[root@blade01 conf.d]# cat app.conf
ScriptAlias /application /var/www/app.cgi

[root@blade01 conf.d]# cat wikiapp_lookup.conf
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<LocationMatch ^/application/login>
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_CERT
  LookupUserByCertificate On
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
  LookupUserAttr lastname REMOTE_USER_LASTNAME
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
</LocationMatch>

[root@blade01 conf.d]# rpm -qa|egrep -i "mod_nss|mod_ssl"
mod_ssl-2.4.6-40.el7.x86_64

[root@blade01 conf.d]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service

###################
ON IPA MASTER
###################################

[root@blade05 ~]# ipa group-add webgroup1
-----------------------
Added group "webgroup1"
-----------------------
  Group name: webgroup1
  GID: 1690400006

[root@blade05 ~]# ipa group-add-member webgroup1 --users=bob20669
  Group name: webgroup1
  GID: 1690400006
  Member users: bob20669
-------------------------
Number of members added 1
-------------------------

[root@blade05 ~]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@blade05 ~]# sed -i '/^profileId=.*$/d' caIPAuserCert.txt

[root@blade05 ~]# sed -i 's/^desc=.*$/desc=caIPAuserCert test profile/' caIPAuserCert.txt

[root@blade05 ~]# ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
Profile description: caIPAuserCert test profile
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
  Profile ID: caIPAuserCert
  Profile description: caIPAuserCert test profile
  Store issued certificates: TRUE

[root@blade05 ~]# ipa caacl-add caacl_open --profilecat=all --usercat=all --hostcat=all --servicecat=all
-------------------------
Added CA ACL "caacl_open"
-------------------------
  ACL name: caacl_open
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all

[root@blade05 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=bob20669'
Generating a 2048 bit RSA private key
........................+++
...+++
writing new private key to 'private.key'
-----

[root@blade05 ~]# ipa cert-request cert.csr --principal=bob20669 --profile-id=caIPAuserCert
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsF...
/pXVmNx2Q2uu8ypcC9ZzuykVIy38RY6SETr5yPmkBM0NL5TeNVNdy9+06FmL/0QDVisfW5sNncxzfIO0LOQJp6gyMAXc2bGeeLlk2SR8aKPtyz5kNFKYUWaA4F2ZeAPsb0zU9JIu237FCgxU7L3c9fp0ZXPE1NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBFtfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number: 12
  Serial number (hex): 0xC

[root@blade05 ~]# ipa cert-show 0xc --out=bob20669.pem
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN
UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5
...
NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBF
tfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number (hex): 0xC
  Serial number: 12

#########################################################
#########################################################
### First Test with successful connection with Certificate
#########################################################
#########################################################

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:20:46 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:20:46 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669@example.test); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669@example.test)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669@example.test)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
<!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41828
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669@example.test
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=5d49e1790cb9321285407e1a7ec8e4fdfa6cf9bbdfec3535db44ae16f1bdd694
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB0rpG6VuU-xTTBlMmiIwAAAAE
</pre>
-->
  </body>
</html>

[root@blade01 conf.d]# cat /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - bob20669 [21/Sep/2015:17:20:46 -0400] "GET /application/login HTTP/1.1" 200 2866

#########################################################
#########################################################
### Second Test without resetting httpd
#########################################################
#########################################################

[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="..."
-----------------------------------------
Removed certificates from user "bob20669"
-----------------------------------------
  User login: bob20669

[root@blade05 ~]# ipa user-show
User login: bob20669
  User login: bob20669
  First name: Robert
  Last name: Chase
  Home directory: /home/bob20669
  Login shell: /bin/sh
  Email address: bob20669@example.test
  UID: 1690400001
  GID: 1690400001
  Account disabled: False
  Password: True
  Member of groups: webgroup1
  Member of HBAC rule: allow_wikiapp
  Kerberos keys available: True

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:23:24 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:23:24 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669@example.test); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669@example.test)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669@example.test)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
<!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41838
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669@example.test
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=37a16ea0d534719ef8b20936bc117ad0beb7e9d5607604c305ef7214e4f35f1c
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB1TAojq3yAqwqOWasdDQAAAAM
</pre>
-->
  </body>
</html>

#########################################################
#########################################################
### Third Test after resetting httpd
#########################################################
#########################################################

[root@blade01 conf.d]# systemctl restart httpd

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:34:55 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Mon, 21 Sep 2015 21:34:55 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

[root@blade01 conf.d]# tail -1 /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - - [21/Sep/2015:17:34:55 -0400] "GET /application/login HTTP/1.1" 401 127
moving back to ON_QA while I cover a few more test cases
################################################################################
# Test 1: clean test using certificate user lookup
################################################################################

ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669@example.test); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669@example.test)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669@example.test)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
<!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42417
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669@example.test
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=32086bb5d36b75c2722cc8db3e9bfa35630acf309267b0d95525425afa8a2ef0
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzYvG3b1f9oOlfemcqmAAAAAM
</pre>
-->
  </body>
</html>

################################################################################
# Test 2: cached test after removing cert from user
################################################################################

ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:44 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:44 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669@example.test); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669@example.test)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669@example.test)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
<!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42421
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669@example.test
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=ed2d95e96b1ab4e5d1c5d01cc19fed1b2f34242f131a1c1c2687f6de60bcb889
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzcCbtg6tovgxkbPgRMQAAAAQ
</pre>
-->
  </body>
</html>

################################################################################
# Test 3: failure test after clearing sssd cache
################################################################################

On Client:
sss_cache -E --
getent passwd bob20669

On Master:
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd bob20669
bob20669:*:1690400001:1690400001:Robert Chase:/home/bob20669:/bin/sh

[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:28:01 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Tue, 22 Sep 2015 15:28:01 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@blade05 ~]#

################################################################################
# Test 4: failure test with different user with cert
################################################################################

sss_cache -E --
ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade01 ~]# sss_cache -E --

[root@blade05 ~]# ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:29:47 EDT 2015
HTTP/1.1 403 Forbidden
Date: Tue, 22 Sep 2015 15:29:47 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Content-Length: 219
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /application/login
on this server.</p>
</body></html>

################################################################################
# Test 5: failure test with good user with cert for different CN
################################################################################

make sure cache is clear by removing or doing getent passwd newuser1

On Master:
ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt

On Client:
sss_cache -E --
getent passwd newuser1

On Master:
ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]#

[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd newuser1
newuser1:*:1690400007:1690400007:new test:/home/newuser1:/bin/sh
[root@blade01 ~]#

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:31:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:31:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669@example.test); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Logged in as Robert Chase (bob20669: bob20669@example.test)</title>
  </head>
  <body>
    <h1>Logged in as Robert Chase (bob20669: bob20669@example.test)</h1>
    <p>You will be redirected to the <a href="/application">home page</a></p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
<!--
    <hr/>
    <pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42433
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669@example.test
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0D
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=newuser1,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=newuser1
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 22 12:53:48 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 22 12:53:48 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=1a39c6e56fb21c9412f29f8b4c73b03c15973975378b7c03ea6c36746dc161af
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgF0Uqjjs90oNxHj7O05ogAAAAA
</pre>
-->
  </body>
</html>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-2451.html