1455946 – Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1455946 - Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master

Summary: Provide a tooling automating the configuration of Smart Card authentication o...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Scott Poore
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1473272
TreeView+	depends on / blocked

Reported:	2017-05-26 13:54 UTC by Petr Vobornik
Modified:	2017-08-02 08:14 UTC (History)
CC List:	16 users (show)
Fixed In Version:	ipa-4.5.0-17.el7
Doc Type:	Known Issue
Doc Text:	The "ipa-advise" command does not fully configure smart card authentication The "ipa-advise config-server-for-smart-card-auth" and "ipa-advise config-client-for-smart-card-auth" commands do not fully configure the Identity Management (IdM) server and client for smart card authentication. As a consequence, after running the script that the "ipa-advise" command generated, smart card authentication fails. To work around the problem, see the manual steps for the individual use case in the Linux Domain Identity, Authentication, and Policy Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html
Clone Of:
Clones:	1473272 (view as bug list)
Environment:
Last Closed:	2017-08-01 09:51:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-26 13:54:00 UTC

Cloned from upstream: https://pagure.io/freeipa/issue/6982

Currently the task of setting up Smart Card authentication against FreeIPA KDC and WebUI require a number of non-trivial manual tasks (e.g. enabling OCSP, configuring PKINIT etc.). As an Administrator I want to be able to set up the feature by running one or more CLI scripts which will:

a) check whether the environment is ready to support the feature
b) if yes, configure the individual components without any human intervention
c) if the required components were already configured, do nothing but report success anyway

The last point is important for re-use of these tools in configuration managers like Chef, Ansible etc.

Comment 2 Petr Vobornik 2017-05-26 13:54:14 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/6982

Comment 4 Petr Vobornik 2017-06-05 15:58:28 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7000

Comment 5 Martin Babinsky 2017-06-06 11:32:35 UTC

Prerequisite command has been pushed upstream

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/1b62e5aac9d9668604e82879c020bff310fa549f
https://pagure.io/freeipa/c/c072135340bc8e75f621e2b9163b1347b9eb528f
https://pagure.io/freeipa/c/cb9353d6e0fbc0912dd20bf29e3835a7740d1af6
master:
https://pagure.io/freeipa/c/e131905f3e0fe9179c5f4a09da4e7a204012603a
https://pagure.io/freeipa/c/92276c1e8809f3ff6b59bd6124869f816627bac7
https://pagure.io/freeipa/c/0772ef20b39b11950fddc913a350534988294c89

Comment 9 Martin Babinsky 2017-06-14 10:52:44 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/0569c02f17f853d97280f52f4a7fefecc72cf45d
https://pagure.io/freeipa/c/e418e9a4ca747886c53d05ae80597834f1d3d021
ipa-4-5:
https://pagure.io/freeipa/c/7ea7ee4326679c098d3e4e4d6a2bc743707708ca
https://pagure.io/freeipa/c/84ca9761bd47f28b72581d1fe6bd8cfa824b6df3

Comment 11 Scott Poore 2017-06-20 23:55:39 UTC

What is the expected level of configuration at the end of executing the advise scripts?

At the moment, I think the advise script for client config is either incomplete or confusing.

It requires a cert that signed the cert on the card.  This to implies that it will use this cert to completely setup the client configuration to use the card with no further interventions.  This is not the case however when I ran the script.

Post advise script steps needed to complete setup for my environment:

0. I have to make sure the signing CA cert(s) are all located on both the IPA Client and Server (in my case, we're using /etc/ipa to store them).

1. In my case, the signing cert is not the root ca so I have to also add that to /etc/pki/nssdb.

[root@vm2 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C

2.  Then I have to add pkinit_anchors on the client for the two CA certs needed to verify the cert on the card:

[root@vm2 ~]# vim /etc/krb5.conf
...
[realms]
  EXAMPLE.TEST = {
    ...    
    pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
    pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
  }

3.  Then I have to add the CA certs to /etc/pki/nssdb on the IPA Server:

[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C
[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-ca.pem -n "Smart Card CA" -t CT,C,C

4.  And add the pkinit_anchors as well on the IPA server.  

[root@vm1 ~]# vim /etc/krb5.conf
...
[realms]
 EXAMPLE.TEST = {
...
  pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
  pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
}


The following is OPTIONAL and depends on environment (if USB redirecting to a VM for testing like I'm doing)

5.  Add some timeouts to sssd.conf to support long lookup times

[root@vm2 ~]# vim /etc/sssd/sssd.conf
...
[domain/example.test]
...
krb5_auth_timeout = 60

It is confusing that the advise script prompts for a ca cert but, only configures it in one place.
[root@vm2 ~]# ipa-advise config-client-for-smart-card-auth > advise.sh
trying https://vm1.example.test/ipa/session/json

[root@vm2 ~]# chmod 755 advise.sh

[root@vm2 ~]# ./advise.sh
You need to provide the path to the PEM file containing CA signing the Smart Cards

[root@vm2 ~]# ./advise.sh jitc-ca.pem
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package dconf-0.26.0-2.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
...truncating yum output...
Complete!

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC" added to database.

A couple things I would have expected:

1.  generated script should take a "list" of files to include.  Maybe just as a simple quoted string to be split during processing like "file1 file2 file3".

2.  I expect the script to add the pkinit_anchors to the client's /etc/krb5.conf

3.  I expect output stating to copy the files to the server and run the same there.  OR, the server script should do similar to above.  I think that would be preferable.

Comment 12 Martin Babinsky 2017-06-21 11:29:40 UTC

Scott,

the client side advise plugin should configure all aspects of smart card auth, if you need so much additional work to set it up, then I need to fix the plugin to perform them.

As for the server-side config, I would say that only the part which imports the card signing certs/CAs and configures pkinit anchor should be added to server-side advise. Do you agree or is it necessary to run full client config?

Comment 14 Scott Poore 2017-06-21 15:01:48 UTC

Martin,

Yes, I think I agree.  Just need the pkinit_anchors in krb5.conf and nssdb imports on the server side.  I didn't seem to need anything else.

Thanks,
Scott

Comment 15 Scott Poore 2017-06-22 22:01:07 UTC

Martin,

Also, be aware, that I just ran the server script on an IPA server with FIPS mode enabled and I was prompted for the NSSDB password:

+ certutil -M -n Server-Cert -d /etc/httpd/alias -t Pu,u,u
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

I had to look it up from /etc/httpd/alias/pwdfile.txt.  Should certutil command use -f /etc/httpd/alias/pwdfile.txt if that file exists?  If it doesn't exist run without  -f and expect people to know the password?

Thanks,
Scott

Comment 16 Martin Babinsky 2017-06-23 13:40:28 UTC

Hi Scott,

good catch, I will push this fix on top of all other improvements I made for the smart card advises.

Comment 17 Scott Poore 2017-06-23 17:07:16 UTC

Question based on the use of ipa-certupdate you also pointed out earlier.

Instead of the pkinit_anchors, will you have the server script run something like the following?

ipa-cacert-manage install
ipa-certupdate

and the client script run
ipa-certupdate


Still need the certutil on the client side I think but, that would handled the pkinit_anchors right?

Thanks,
Scott

Comment 18 Martin Babinsky 2017-06-26 14:31:46 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7036

Comment 21 Scott Poore 2017-06-27 19:33:23 UTC

Martin,

Also note, we may want the client script to check that krb5-pkinit is installed.  A client I was testing on was missing that as well.

Thanks,
Scott

Comment 22 Martin Bašti 2017-07-04 07:51:52 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/69ba5f942284d17f32650638965c21dcf907a579
https://pagure.io/freeipa/c/584abe5b68b74d6a4721525328d5dfadd0e092c0
https://pagure.io/freeipa/c/e0c2e0f26cc264dccc51295cdd595109b4e46392
https://pagure.io/freeipa/c/36e0d2d65cf19033b1022737cd24a1120bc0f85f
https://pagure.io/freeipa/c/0181334c4c8e4b73b9b1c634d9837857e5e388b8
https://pagure.io/freeipa/c/dea4b4ca1bebf128a9a2e26dbbe9ffd3d6f360e1
https://pagure.io/freeipa/c/9808395c17388d69b51e562bc7f2b1d7d172a7fb
https://pagure.io/freeipa/c/85a79b5ccd29a532f7e3f0f17b9ba08153bf9717
https://pagure.io/freeipa/c/a9fec090f7a50e6f53394cab1cc5929c18934ac0
https://pagure.io/freeipa/c/4d57aef7a50eeae04bbd117531808ac616c675eb
https://pagure.io/freeipa/c/e0cf7090f3869bc3d4673242f64d63011dc8d1a5
https://pagure.io/freeipa/c/53c5c0ad7bde137b1123504f6a52c2b22e2a3868
ipa-4-5:
https://pagure.io/freeipa/c/23917c71f72ba899054bc5dc72c36d5308ead94c
https://pagure.io/freeipa/c/ef2ab942d2dee4a7a902f70a7eaf1c35cf88bee6
https://pagure.io/freeipa/c/3ebab27ded06a72d807c10b1ba521c6406df1ab4
https://pagure.io/freeipa/c/e5f31e35d3d17b5871cb39ebe55b413ba0dca489
https://pagure.io/freeipa/c/9561e3f8a2be66c1c236ac7fe296a8c8cbbac5c1
https://pagure.io/freeipa/c/666c2da3afcc461870d423409db4298e7ead6493
https://pagure.io/freeipa/c/2be45a1d95b7033ee25a643fdd74f5f30c41fea5
https://pagure.io/freeipa/c/61f6cb7e6fa632db08628534c512a22e35682dc1
https://pagure.io/freeipa/c/08f56c3c8ccde61146baec16085b325726582752
https://pagure.io/freeipa/c/e5e4c0a484412e11cc414ca80dc230b0000c00d7
https://pagure.io/freeipa/c/e14194e171be82d43ad16b4a585502a9c28aace3
https://pagure.io/freeipa/c/1114e113d5cc558f13398af8bc5a179b33f9354b

Comment 30 errata-xmlrpc 2017-08-01 09:51:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.