Bug 1455946 - Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks: 1473272
Reported: 2017-05-26 13:54 UTC by Petr Vobornik
Modified: 2017-08-02 08:14 UTC (History)

Fixed In Version: ipa-4.5.0-17.el7
Doc Type: Known Issue
Doc Text:
The "ipa-advise" command does not fully configure smart card authentication

The "ipa-advise config-server-for-smart-card-auth" and "ipa-advise config-client-for-smart-card-auth" commands do not fully configure the Identity Management (IdM) server and client for smart card authentication. As a consequence, after running the script that the "ipa-advise" command generated, smart card authentication fails. To work around the problem, see the manual steps for the individual use case in the Linux Domain Identity, Authentication, and Policy Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html
Clone Of:
Clones: 1473272
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:




Links:
  Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-26 13:54:00 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6982

Currently the task of setting up Smart Card authentication against FreeIPA KDC and WebUI requires a number of non-trivial manual tasks (e.g. enabling OCSP, configuring PKINIT etc.). As an Administrator I want to be able to set up the feature by running one or more CLI scripts which will:

a) check whether the environment is ready to support the feature
b) if yes, configure the individual components without any human intervention
c) if the required components were already configured, do nothing but report success anyway

The last point is important for re-use of these tools in configuration managers like Chef, Ansible etc.

Comment 2 Petr Vobornik 2017-05-26 13:54:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6982

Comment 4 Petr Vobornik 2017-06-05 15:58:28 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7000

Comment 11 Scott Poore 2017-06-20 23:55:39 UTC
What is the expected level of configuration at the end of executing the advise scripts?

At the moment, I think the advise script for client config is either incomplete or confusing.

It requires a cert that signed the cert on the card.  This implies that it will use this cert to completely set up the client configuration to use the card with no further interventions.  This is not the case, however, when I ran the script.

Post advise script steps needed to complete setup for my environment:

0. I have to make sure the signing CA cert(s) are all located on both the IPA Client and Server (in my case, we're using /etc/ipa to store them).

1. In my case, the signing cert is not the root ca so I have to also add that to /etc/pki/nssdb.

[root@vm2 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C

2.  Then I have to add pkinit_anchors on the client for the two CA certs needed to verify the cert on the card:

[root@vm2 ~]# vim /etc/krb5.conf
...
[realms]
  EXAMPLE.TEST = {
    ...
    pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
    pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
  }

3.  Then I have to add the CA certs to /etc/pki/nssdb on the IPA Server:

[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C
[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-ca.pem -n "Smart Card CA" -t CT,C,C

4.  And add the pkinit_anchors as well on the IPA server.  

[root@vm1 ~]# vim /etc/krb5.conf
...
[realms]
  EXAMPLE.TEST = {
    ...
    pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
    pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
  }


The following is OPTIONAL and depends on environment (if USB redirecting to a VM for testing like I'm doing)

5.  Add some timeouts to sssd.conf to support long lookup times

[root@vm2 ~]# vim /etc/sssd/sssd.conf
...
[domain/example.test]
...
krb5_auth_timeout = 60

It is confusing that the advise script prompts for a CA cert but only configures it in one place.

[root@vm2 ~]# ipa-advise config-client-for-smart-card-auth > advise.sh
trying https://vm1.example.test/ipa/session/json

[root@vm2 ~]# chmod 755 advise.sh

[root@vm2 ~]# ./advise.sh
You need to provide the path to the PEM file containing CA signing the Smart Cards

[root@vm2 ~]# ./advise.sh jitc-ca.pem
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package dconf-0.26.0-2.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
...truncating yum output...
Complete!

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC" added to database.

A couple things I would have expected:

1.  generated script should take a "list" of files to include.  Maybe just as a simple quoted string to be split during processing like "file1 file2 file3".

2.  I expect the script to add the pkinit_anchors to the client's /etc/krb5.conf

3.  I expect output stating to copy the files to the server and run the same there.  OR, the server script should do similar to above.  I think that would be preferable.

Comment 12 Martin Babinsky 2017-06-21 11:29:40 UTC
Scott,

the client side advise plugin should configure all aspects of smart card auth, if you need so much additional work to set it up, then I need to fix the plugin to perform them.

As for the server-side config, I would say that only the part which imports the card signing certs/CAs and configures pkinit anchor should be added to server-side advise. Do you agree or is it necessary to run full client config?

Comment 14 Scott Poore 2017-06-21 15:01:48 UTC
Martin,

Yes, I think I agree.  Just need the pkinit_anchors in krb5.conf and nssdb imports on the server side.  I didn't seem to need anything else.

Thanks,
Scott

Comment 15 Scott Poore 2017-06-22 22:01:07 UTC
Martin,

Also, be aware, that I just ran the server script on an IPA server with FIPS mode enabled and I was prompted for the NSSDB password:

+ certutil -M -n Server-Cert -d /etc/httpd/alias -t Pu,u,u
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

I had to look it up from /etc/httpd/alias/pwdfile.txt.  Should the certutil command use -f /etc/httpd/alias/pwdfile.txt if that file exists?  If it doesn't exist, run without -f and expect people to know the password?

Thanks,
Scott
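An added example, not code from this bug, from the ipa-advise plugin or from the fix commits: an idempotent shell version of the two manual steps in comment 11 (import the CA chain into an NSS database, add pkinit_anchors to the realm stanza of krb5.conf). Each step checks before it changes anything, so a second run reports success without touching the files, which is the behaviour points a) to c) of the description ask for; the readiness check covers the missing krb5-pkinit package from comment 21, and certutil is given the database password file with -f when one exists, as comment 15 suggests. The realm EXAMPLE.TEST, the /etc/ipa paths, the certificate nicknames and the SC_CONFIGURE variable are assumptions; certutil and rpm are only invoked when present.

```shell
#!/bin/sh
# Idempotent helpers for the manual steps in comment 11, written so that a
# configuration manager can re-run them: every step checks first and does
# nothing when the work is already done (points a-c of the description).
# Paths, realm name and certificate nicknames below are assumptions.

# check_ready: point a) of the description. Comment 21 notes that a client
# without krb5-pkinit cannot do PKINIT at all, so fail early on RPM systems.
check_ready() {
    if command -v rpm >/dev/null 2>&1 && ! rpm -q krb5-pkinit >/dev/null 2>&1; then
        echo "krb5-pkinit is not installed; install it before configuring PKINIT" >&2
        return 2
    fi
    return 0
}

# has_pkinit_anchor CONF REALM PEM
# Succeeds when "pkinit_anchors = FILE:PEM" already appears inside the
# "REALM = { ... }" stanza of CONF (whitespace around '=' is ignored).
has_pkinit_anchor() {
    awk -v realm="$2" -v want="pkinit_anchors=FILE:$3" '
        $0 ~ ("^[[:space:]]*" realm "[[:space:]]*=[[:space:]]*[{]") { inside = 1; next }
        inside && /^[[:space:]]*[}]/                                { inside = 0 }
        inside { line = $0; gsub(/[[:space:]]/, "", line); if (line == want) found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# ensure_pkinit_anchor CONF REALM PEM
# Adds the anchor line right after the stanza's opening brace unless it is
# already present. Returns 0 either way, 2 when the realm stanza is missing.
ensure_pkinit_anchor() {
    conf=$1; realm=$2; pem=$3
    if has_pkinit_anchor "$conf" "$realm" "$pem"; then
        echo "$conf: pkinit_anchors for $pem already present"
        return 0
    fi
    scratch="$conf.new.$$"
    awk -v realm="$realm" -v pem="$pem" '
        { print }
        !done && $0 ~ ("^[[:space:]]*" realm "[[:space:]]*=[[:space:]]*[{]") {
            print "    pkinit_anchors = FILE:" pem
            done = 1
        }
        END { if (done) exit 0; exit 2 }
    ' "$conf" > "$scratch" || { rm -f "$scratch"; echo "$conf: realm $realm not found" >&2; return 2; }
    # Copy back over the original instead of mv so that the owner, mode and
    # SELinux label of /etc/krb5.conf are preserved.
    cat "$scratch" > "$conf" && rm -f "$scratch"
    echo "$conf: added pkinit_anchors = FILE:$pem to realm $realm"
}

# ensure_nss_ca DB PEM NICK
# Imports PEM into the NSS database DB under nickname NICK with the CA trust
# flags used in comment 11 (CT,C,C), unless NICK is already there. When
# DB/pwdfile.txt exists it is passed with -f, so a FIPS-mode database does not
# stop the run with a password prompt (comment 15).
ensure_nss_ca() {
    db=$1; pem=$2; nick=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found (nss-tools)" >&2; return 2; }
    if certutil -d "$db" -L -n "$nick" >/dev/null 2>&1; then
        echo "$db: certificate $nick already imported"
        return 0
    fi
    set -- -d "$db" -A -i "$pem" -n "$nick" -t CT,C,C
    if [ -r "$db/pwdfile.txt" ]; then
        set -- "$@" -f "$db/pwdfile.txt"
    fi
    certutil "$@" && echo "$db: imported $pem as $nick"
}

# main REALM: the full run for one host with the files from comment 11. The
# same run is needed on the IPA server (comment 14).
main() {
    realm=${1:-EXAMPLE.TEST}
    check_ready || exit 2
    for pem in /etc/ipa/jitc-ca.pem /etc/ipa/jitc-root-ca-2.pem; do
        [ -r "$pem" ] || { echo "$pem missing: copy the CA chain to /etc/ipa first" >&2; exit 2; }
        ensure_nss_ca /etc/pki/nssdb "$pem" "$(basename "$pem" .pem)" || exit 2
        ensure_pkinit_anchor /etc/krb5.conf "$realm" "$pem" || exit 2
    done
}

# Only change the system when explicitly asked, so the file can also be
# sourced for its functions (and tested) without side effects.
if [ "${SC_CONFIGURE:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root with SC_CONFIGURE=1 sh smartcard-prereqs.sh EXAMPLE.TEST on the client and, per comment 14, on the IPA server too; sourcing the file without the variable only defines the functions. Comment 17 asks whether ipa-cacert-manage install followed by ipa-certupdate should replace the hand-edited pkinit_anchors; the helpers above are the manual route from comment 11, not a substitute for that tooling.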

Comment 16 Martin Babinsky 2017-06-23 13:40:28 UTC
Hi Scott,

good catch, I will push this fix on top of all other improvements I made for the smart card advises.

Comment 17 Scott Poore 2017-06-23 17:07:16 UTC
Question based on the use of ipa-certupdate you also pointed out earlier.

Instead of the pkinit_anchors, will you have the server script run something like the following?

ipa-cacert-manage install
ipa-certupdate

and the client script run
ipa-certupdate


Still need the certutil on the client side I think, but that would handle the pkinit_anchors, right?

Thanks,
Scott

Comment 18 Martin Babinsky 2017-06-26 14:31:46 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7036

Comment 21 Scott Poore 2017-06-27 19:33:23 UTC
Martin,

Also note, we may want the client script to check that krb5-pkinit is installed.  A client I was testing on was missing that as well.

Thanks,
Scott

Comment 22 Martin Bašti 2017-07-04 07:51:52 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/69ba5f942284d17f32650638965c21dcf907a579
https://pagure.io/freeipa/c/584abe5b68b74d6a4721525328d5dfadd0e092c0
https://pagure.io/freeipa/c/e0c2e0f26cc264dccc51295cdd595109b4e46392
https://pagure.io/freeipa/c/36e0d2d65cf19033b1022737cd24a1120bc0f85f
https://pagure.io/freeipa/c/0181334c4c8e4b73b9b1c634d9837857e5e388b8
https://pagure.io/freeipa/c/dea4b4ca1bebf128a9a2e26dbbe9ffd3d6f360e1
https://pagure.io/freeipa/c/9808395c17388d69b51e562bc7f2b1d7d172a7fb
https://pagure.io/freeipa/c/85a79b5ccd29a532f7e3f0f17b9ba08153bf9717
https://pagure.io/freeipa/c/a9fec090f7a50e6f53394cab1cc5929c18934ac0
https://pagure.io/freeipa/c/4d57aef7a50eeae04bbd117531808ac616c675eb
https://pagure.io/freeipa/c/e0cf7090f3869bc3d4673242f64d63011dc8d1a5
https://pagure.io/freeipa/c/53c5c0ad7bde137b1123504f6a52c2b22e2a3868
ipa-4-5:
https://pagure.io/freeipa/c/23917c71f72ba899054bc5dc72c36d5308ead94c
https://pagure.io/freeipa/c/ef2ab942d2dee4a7a902f70a7eaf1c35cf88bee6
https://pagure.io/freeipa/c/3ebab27ded06a72d807c10b1ba521c6406df1ab4
https://pagure.io/freeipa/c/e5f31e35d3d17b5871cb39ebe55b413ba0dca489
https://pagure.io/freeipa/c/9561e3f8a2be66c1c236ac7fe296a8c8cbbac5c1
https://pagure.io/freeipa/c/666c2da3afcc461870d423409db4298e7ead6493
https://pagure.io/freeipa/c/2be45a1d95b7033ee25a643fdd74f5f30c41fea5
https://pagure.io/freeipa/c/61f6cb7e6fa632db08628534c512a22e35682dc1
https://pagure.io/freeipa/c/08f56c3c8ccde61146baec16085b325726582752
https://pagure.io/freeipa/c/e5e4c0a484412e11cc414ca80dc230b0000c00d7
https://pagure.io/freeipa/c/e14194e171be82d43ad16b4a585502a9c28aace3
https://pagure.io/freeipa/c/1114e113d5cc558f13398af8bc5a179b33f9354b

Comment 30 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

