Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1323437 - Satellite 6 web interface trying to use smartcard authentication
Summary: Satellite 6 web interface trying to use smartcard authentication
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: 6.1.8
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-03 03:35 UTC by dgupte
Modified: 2023-03-24 13:40 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-04 18:06:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1127787 0 urgent CLOSED [RFE] Satellite 6: x509 Support for Satellite 6 2023-12-15 15:47:46 UTC

Internal Links: 1127787

Description dgupte 2016-04-03 03:35:43 UTC 
Description of problem:

On Satellite 6 server, if the SmartCard is inserted, the Red Hat Satellite Server web authentication page tries to use it, and will not allow normal LDAP authentication.  on Macs it seems as if the web page tries to use Kerberos authentication.

Also, even if the user has already successfully authenticated via LDAP before inserting the SmartCard, again it tries to use SmartCard authentication.

Firefox and Safari on Red Hat Enterprise Linux 6.7 and 7.2
Mac OS X 10.10


How reproducible:

If the SmartCard is inserted, the Red Hat Satellite Server web authentication page tries to use it, and will not allow normal LDAP authentication.

also, if already authenticated successfully, the current Satellite page stays up when smart card is inserted, but as soon as an attempt is made to navigate to another page on Satellite, the smart card prompt appears


Actual results:
When SmartCard is inserted, the Red Hat Satellite Server web authentication page tries to use it, and will not allow normal LDAP authentication.


Expected results:

Satellite Web UI should not try to use smartcard authentication.
Comment 2 Bryan Kearney 2016-07-26 19:00:35 UTC 
Moving 6.2 bugs out to sat-backlog.
Comment 3 Marek Hulan 2017-04-12 09:08:45 UTC 
Could you please let us know, how the satellite was installed? Was it configured to allow external authentication using IDM as described at https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/sect-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication-Using_Identity_Management.html ? Or is the LDAP authentication, which was mentioned in the report, configured via External Auth source as described in https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/chap-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication.html#sect-Red_Hat_Satellite-User_Guide-Using_LDAP ?
Comment 6 Marek Hulan 2017-04-12 10:46:08 UTC 
Additionaly please check with the customer whether they modified any file under /etc/httpd manually and ask them to send all files from there in a tarball.

Also please ask them what is the value of security.default_personal_cert in about:config in their Firefox.

It might also help if they append their smart card vendor CA to /etc/pki/katello/certs/katello-default-ca.crt, after restarting the Apache, we could trust client certificate but it wouldn't be used for authentication. If they experiment with this, make sure they make a backup before they start.

More background:

By default we set SSLVerifyClient to optional so it can be used on some URLs where we authenticate capsules using x509 certificates. For some reason, the certificate from smart card is used by the client and the authentication fails because Apache is not configured to trust the issuer.
Comment 13 Bryan Kearney 2018-09-04 18:06:16 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
Note You need to log in before you can comment on or make changes to this bug.