Bug 1455946 - Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
Depends On:
Blocks: 1473272
Reported: 2017-05-26 13:54 UTC by Petr Vobornik
Modified: 2017-08-02 08:14 UTC (History)

Fixed In Version: ipa-4.5.0-17.el7
Doc Type: Known Issue
Doc Text:
The "ipa-advise" command does not fully configure smart card authentication The "ipa-advise config-server-for-smart-card-auth" and "ipa-advise config-client-for-smart-card-auth" commands do not fully configure the Identity Management (IdM) server and client for smart card authentication. As a consequence, after running the script that the "ipa-advise" command generated, smart card authentication fails. To work around the problem, see the manual steps for the individual use case in the Linux Domain Identity, Authentication, and Policy Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html
Clone Of:
: 1473272 (view as bug list)
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-26 13:54:00 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6982

Currently the task of setting up Smart Card authentication against FreeIPA KDC and WebUI requires a number of non-trivial manual tasks (e.g. enabling OCSP, configuring PKINIT etc.). As an Administrator I want to be able to set up the feature by running one or more CLI scripts which will:

a) check whether the environment is ready to support the feature
b) if yes, configure the individual components without any human intervention
c) if the required components were already configured, do nothing but report success anyway

The last point is important for re-use of these tools in configuration managers like Chef, Ansible etc.

Comment 2 Petr Vobornik 2017-05-26 13:54:14 UTC
Upstream ticket:

Comment 4 Petr Vobornik 2017-06-05 15:58:28 UTC
Upstream ticket:

Comment 11 Scott Poore 2017-06-20 23:55:39 UTC
What is the expected level of configuration at the end of executing the advise scripts?

At the moment, I think the advise script for client config is either incomplete or confusing.

It requires a cert that signed the cert on the card.  This implies that it will use this cert to completely set up the client configuration to use the card with no further interventions.  This is not the case, however, when I ran the script.

Post advise script steps needed to complete setup for my environment:

0. I have to make sure the signing CA cert(s) are all located on both the IPA Client and Server (in my case, we're using /etc/ipa to store them).

1. In my case, the signing cert is not the root ca so I have to also add that to /etc/pki/nssdb.

[root@vm2 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C

2.  Then I have to add pkinit_anchors on the client for the two CA certs needed to verify the cert on the card:

[root@vm2 ~]# vim /etc/krb5.conf
    pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
    pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem

3.  Then I have to add the CA certs to /etc/pki/nssdb on the IPA Server:

[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C
[root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-ca.pem -n "Smart Card CA" -t CT,C,C

4.  And add the pkinit_anchors as well on the IPA server.  

[root@vm1 ~]# vim /etc/krb5.conf
  pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
  pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem

The following is OPTIONAL and depends on environment (if USB redirecting to a VM for testing like I'm doing)

5.  Add some timeouts to sssd.conf to support long lookup times

[root@vm2 ~]# vim /etc/sssd/sssd.conf
krb5_auth_timeout = 60

It is confusing that the advise script prompts for a ca cert but, only configures it in one place.
[root@vm2 ~]# ipa-advise config-client-for-smart-card-auth > advise.sh
trying https://vm1.example.test/ipa/session/json

[root@vm2 ~]# chmod 755 advise.sh

[root@vm2 ~]# ./advise.sh
You need to provide the path to the PEM file containing CA signing the Smart Cards

[root@vm2 ~]# ./advise.sh jitc-ca.pem
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package dconf-0.26.0-2.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
...truncating yum output...

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC" added to database.

A couple of things I would have expected:

1.  generated script should take a "list" of files to include.  Maybe just as a simple quoted string to be split during processing like "file1 file2 file3".

2.  I expect the script to add the pkinit_anchors to the client's /etc/krb5.conf

3.  I expect output stating to copy the files to the server and run the same there.  OR, the server script should do similar to above.  I think that would be preferable.

Comment 12 Martin Babinsky 2017-06-21 11:29:40 UTC

the client side advise plugin should configure all aspects of smart card auth, if you need so much additional work to set it up, then I need to fix the plugin to perform them.

As for the server-side config, I would say that only the part which imports the card signing certs/CAs and configures pkinit anchor should be added to server-side advise. Do you agree or is it necessary to run full client config?

Comment 14 Scott Poore 2017-06-21 15:01:48 UTC

Yes, I think I agree.  Just need the pkinit_anchors in krb5.conf and nssdb imports on the server side.  I didn't seem to need anything else.


Comment 15 Scott Poore 2017-06-22 22:01:07 UTC

Also, be aware that I just ran the server script on an IPA server with FIPS mode enabled and I was prompted for the NSSDB password:

+ certutil -M -n Server-Cert -d /etc/httpd/alias -t Pu,u,u
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

I had to look it up from /etc/httpd/alias/pwdfile.txt.  Should the certutil command use -f /etc/httpd/alias/pwdfile.txt if that file exists?  If it doesn't exist, run without -f and expect people to know the password?


Comment 16 Martin Babinsky 2017-06-23 13:40:28 UTC
Hi Scott,

good catch, I will push this fix on top of all other improvements I made for the smart card advises.

Comment 17 Scott Poore 2017-06-23 17:07:16 UTC
Question based on the use of ipa-certupdate you also pointed out earlier.

Instead of the pkinit_anchors, will you have the server script run something like the following?

ipa-cacert-manage install

and the client script run

Still need the certutil on the client side I think, but that would handle the pkinit_anchors, right?


Comment 18 Martin Babinsky 2017-06-26 14:31:46 UTC
Upstream ticket:

Comment 21 Scott Poore 2017-06-27 19:33:23 UTC

Also note, we may want the client script to check that krb5-pkinit is installed.  A client I was testing on was missing that as well.
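
The following shell helpers are an added example for this thread, not code from the ipa-advise plugin, from FreeIPA, or from any of the commenters. They perform the post-advise steps from comment 11 the way the description's point (c) asks for, i.e. idempotently: import a list of CA PEM files into an NSS database with the CT,C,C trust flags, skipping nicknames that are already present and passing a pwdfile with -f when one sits next to the database so a FIPS-mode database does not prompt (comment 15); add one pkinit_anchors line per CA to krb5.conf only when it is missing; and check that krb5-pkinit is installed (comment 21). The nickname derived from the PEM file name, the pwdfile.txt location, placing the anchors under [libdefaults], and the rpm-based package check are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from ipa-advise or the bug reporter.
# Idempotent helpers for the post-advise smart card steps discussed in this bug.
# Assumptions: cert nickname comes from the PEM file name, anchors go under
# [libdefaults], the NSS password file is DBDIR/pwdfile.txt, packages via rpm.

# nss_import_cas DBDIR PEM...  -- import each PEM as a trusted CA (CT,C,C)
nss_import_cas() {
    db="$1"; shift
    pwopt=""
    # FIPS-mode NSS databases ask for the DB password; use the password file
    # next to the database instead of prompting (assumed location).
    if [ -f "$db/pwdfile.txt" ]; then
        pwopt="-f $db/pwdfile.txt"
    fi
    for pem in "$@"; do
        nick="$(basename "$pem" .pem)"
        # certutil -L -n exits non-zero when no cert carries that nickname
        if certutil -d "$db" -L -n "$nick" >/dev/null 2>&1; then
            echo "$db: '$nick' already present, skipping"
            continue
        fi
        # $pwopt is intentionally word-split (empty or "-f <file>")
        certutil -d "$db" -A -i "$pem" -n "$nick" -t CT,C,C $pwopt
        echo "$db: imported '$nick' from $pem"
    done
}

# krb5_anchor_present CONF PEM -- 0 if CONF already lists PEM as a pkinit anchor,
# tolerating different indentation and spacing around '='
krb5_anchor_present() {
    awk -v want="pkinit_anchors = FILE:$2" '
        { gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/[ \t]*=[ \t]*/, " = ") }
        $0 == want { found = 1 }
        END { exit !found }' "$1"
}

# krb5_add_anchors CONF PEM... -- add one pkinit_anchors line per PEM directly
# under [libdefaults], skipping anchors that are already configured
krb5_add_anchors() {
    conf="$1"; shift
    grep -q '^\[libdefaults\]' "$conf" || printf '[libdefaults]\n' >> "$conf"
    for pem in "$@"; do
        if krb5_anchor_present "$conf" "$pem"; then
            echo "$conf: anchor $pem already present, skipping"
            continue
        fi
        # rewrite through a temp file, then copy back so CONF keeps its mode
        awk -v line="    pkinit_anchors = FILE:$pem" '
            { print }
            /^\[libdefaults\]/ { print line }' "$conf" > "$conf.tmp" \
            && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
        echo "$conf: added anchor $pem"
    done
}

# pkinit_installed -- 0 if the krb5-pkinit package is present (rpm-based hosts)
pkinit_installed() {
    rpm -q krb5-pkinit >/dev/null 2>&1
}

# Usage, as root on the IPA client or server, with every CA in the chain
# that signs the cards (constructed paths matching the ones in this bug):
#   ./sc-anchors.sh /etc/ipa/jitc-ca.pem /etc/ipa/jitc-root-ca-2.pem
if [ "$#" -gt 0 ]; then
    pkinit_installed || echo "warning: krb5-pkinit is not installed" >&2
    nss_import_cas /etc/pki/nssdb "$@"
    krb5_add_anchors /etc/krb5.conf "$@"
fi
```

Running the script twice against the same host is safe: the second run reports every cert and anchor as already present and changes nothing, which is what a configuration manager such as Ansible needs from it. The certutil helper requires nss-tools on the host; the krb5.conf helper only needs awk and grep.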


Comment 22 Martin Bašti 2017-07-04 07:51:52 UTC
Fixed upstream

Comment 30 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

