Bug 1449088 - URL scope of how the Apache webserver handles a SSL username supplied from the client
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.9
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Evgeni Golov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-09 08:25 UTC by Kenny Tordeurs
Modified: 2021-03-11 15:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 17:08:42 UTC
Target Upstream Version:
Embargoed:




Links:
Foreman Issue Tracker 19550 (Priority: Normal, Status: Closed): Set SSL username when supplied from the client. Last updated 2020-03-03 14:32:16 UTC.

Description Kenny Tordeurs 2017-05-09 08:25:19 UTC
Description of problem:
After updating Satellite from 6.2.8 to 6.2.9, we can no longer log in to the Satellite web UI using Single Sign On with our smart cards.
We have located the source of our problem in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.

Bugzilla 1367162 limits the URL scope within which the Apache web server handles an SSL username supplied from the client. This change in katello.conf breaks the method by which we log in to the Satellite web UI using our smart cards.

Detailed info
===================== 
https://bugzilla.redhat.com/show_bug.cgi?id=1367162
--- /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf	2016-11-02 09:22:48.308639320 +0100
+++ /tmp/puppet-file20170502-25928-101m16o	2017-05-02 09:30:58.026811503 +0200
@@ -3,7 +3,9 @@
 # CHANGES WILL LIKELY BE OVERWRITTEN.
 #
 
-SSLUsername SSL_CLIENT_S_DN_CN
+<Location /pulp/api>
+  SSLUsername SSL_CLIENT_S_DN_CN
+</Location>
 
 Alias /pub /var/www/html/pub
 <Location /pub>
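
Review bot: scoping SSLUsername down from the whole virtual host to <Location /pulp/api> withdraws it from every other path, including the /users/extlogin login URL that the description says smart-card SSO depends on, so the client-certificate CN is no longer exported as the user name there and the login stops working. If the goal is to keep the CN from becoming the user name on unrelated paths, keep this narrow /pulp/api block and add a second, equally narrow <Location /users/extlogin> block carrying the same "SSLUsername SSL_CLIENT_S_DN_CN" line, rather than restoring the global directive or widening the match with a regex.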
=============================

Can a broader URL scope (Location) that includes the login URL be applied, or alternatively can another solution be found?

The customer got it working by changing these lines in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf:

Removed this section:
#<Location /pulp/api>
#  SSLUsername SSL_CLIENT_S_DN_CN
#</Location>

Added this section:
<LocationMatch /pulp/api|/users/extlogin>
  SSLUsername SSL_CLIENT_S_DN_CN
</LocationMatch>

Version-Release number of selected component (if applicable):
Satellite 6.2.9


Actual results:
Smart card SSO not working after the change.

Expected results:
Smart card SSO working after upgrade.

Additional info:

Comment 2 Stephen Benjamin 2017-05-15 19:55:16 UTC
Created redmine issue http://projects.theforeman.org/issues/19550 from this bug

Comment 3 Satellite Program 2017-05-24 10:07:10 UTC
Upstream bug assigned to mhulan

Comment 4 Satellite Program 2017-05-24 10:07:16 UTC
Upstream bug assigned to mhulan

Comment 5 Marek Hulan 2017-05-24 11:45:15 UTC
Kenny, would it be possible to ask the customer to try the following configuration instead? It's based on what they already tested, but we'd like to be sure that the upstream patch would work in their scenario.

In /etc/httpd/conf.d/05-foreman-ssl.conf

add the following

> <Location /users/extlogin>
>   SSLUsername SSL_CLIENT_S_DN_CN
> </Location>

just after the last </Directory> directive in the virtual host definition, and also revert the customer's change with <LocationMatch /pulp/api|/users/extlogin>.

If it works after an httpd restart, we'd consider that working, and it would help us get the patch in.
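
Added example (not code from the bug report, the customer, or Satellite's installer): a small Python model of Apache's <Location> and <LocationMatch> scoping, used to check which request paths would see SSLUsername under each configuration discussed in this bug: the 6.2.8 global directive, the 6.2.9 /pulp/api block, the customer's LocationMatch workaround, and the extra /users/extlogin block suggested above. The config fragments are constructed for the demo, and Apache's wildcard handling inside <Location> is not modelled.

```python
import re

# Constructed config fragments mirroring the states discussed in the bug
# (not copied from a real katello.conf; SSLUsername is Apache mod_ssl's directive).
CONF_GLOBAL = "SSLUsername SSL_CLIENT_S_DN_CN\n"  # 6.2.8: whole virtual host
CONF_NARROWED = ("<Location /pulp/api>\n  SSLUsername SSL_CLIENT_S_DN_CN\n"
                 "</Location>\n")  # 6.2.9: /pulp/api only
CONF_CUSTOMER = ("#<Location /pulp/api>\n#  SSLUsername SSL_CLIENT_S_DN_CN\n#</Location>\n"
                 "<LocationMatch /pulp/api|/users/extlogin>\n"
                 "  SSLUsername SSL_CLIENT_S_DN_CN\n</LocationMatch>\n")  # workaround
CONF_FIX = CONF_NARROWED + ("<Location /users/extlogin>\n"
                            "  SSLUsername SSL_CLIENT_S_DN_CN\n</Location>\n")  # comment 5

BLOCK_RE = re.compile(r"<(Location|LocationMatch)\s+([^>]+?)\s*>(.*?)</\1>", re.DOTALL)
DIRECTIVE_RE = re.compile(r"^\s*SSLUsername\b", re.MULTILINE)

def strip_comments(text):
    """Drop '#' lines so a commented-out block is not treated as live config."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def ssl_username_scopes(config_text):
    """Return (is_global, [(kind, pattern), ...]) for every live SSLUsername."""
    text = strip_comments(config_text)
    scoped = [(kind.lower(), pat) for kind, pat, body in BLOCK_RE.findall(text)
              if DIRECTIVE_RE.search(body)]
    is_global = DIRECTIVE_RE.search(BLOCK_RE.sub("", text)) is not None
    return is_global, scoped

def location_matches(kind, pattern, path):
    """Apache semantics (wildcards not modelled): <Location> is a prefix match on
    path-segment boundaries; <LocationMatch> is an unanchored regex search."""
    if kind == "locationmatch":
        return re.search(pattern, path) is not None
    prefix = pattern.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")

def ssl_username_applies(config_text, path):
    """Would a request for `path` get the client-cert CN exported as its user name?"""
    is_global, scoped = ssl_username_scopes(config_text)
    return is_global or any(location_matches(k, p, path) for k, p in scoped)

def unanchored_locationmatch(config_text):
    """LocationMatch regexes without a leading '^' match anywhere in the URL path,
    so they hand SSLUsername to more paths than a plain <Location> would."""
    _, scoped = ssl_username_scopes(config_text)
    return [p for k, p in scoped if k == "locationmatch" and not p.startswith("^")]
```

Running ssl_username_applies against the four fragments shows the 6.2.9 block dropping /users/extlogin, the customer's regex also matching a path such as /foo/pulp/api, and the suggested fix covering exactly /pulp/api and /users/extlogin.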

Comment 6 Kenny Tordeurs 2017-06-01 11:55:56 UTC
Hi Marek,

Asked the customer to test that and they said it worked fine for them.

Comment 7 Satellite Program 2017-06-02 10:07:13 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/19550 has been resolved.

Comment 10 Evgeni Golov 2017-08-23 14:05:47 UTC
FAILED_QA

Version Tested: Satellite 6.3.0 Snap 12
foreman-installer-katello-3.4.4-1.el7sat.noarch
katello-installer-base-3.4.4-1.el7sat.noarch
foreman-installer-1.15.2-1.el7sat.noarch

The snippet
+<Location <%= @suburi -%>/users/extlogin>
+  SSLUsername SSL_CLIENT_S_DN_CN
+</Location>
is missing from the httpd configuration.

The upstream PR https://github.com/theforeman/puppet-foreman/pull/564 was merged and is included in upstream's 8.0.0 release of the puppet module.
However, we currently only ship 7.2.0 of puppet-foreman which does not include that fix.

Comment 14 Bryan Kearney 2018-02-21 17:08:42 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

