Bug 2075452 - [RFE] add certificate support to ipa-client instead of one time password
Summary: [RFE] add certificate support to ipa-client instead of one time password
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-12-26
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Docs Contact: Alexandra Nikandrova
URL:
Whiteboard:
Depends On:
Blocks: 2143224
Reported: 2022-04-14 09:19 UTC by Alexandre Maumené
Modified: 2023-05-16 09:29 UTC
CC List: 9 users

Fixed In Version: ipa-4.9.10-8.module+el8.8.0+17352+b0592984
Doc Type: Enhancement
Doc Text:
.`ipa-client-install` now supports authentication with PKINIT

Previously, `ipa-client-install` supported only password-based authentication. This update adds support for authentication with PKINIT. For example:

----
ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem
----

To use PKINIT authentication, you must establish trust between IdM and the CA chain of the PKINIT certificate. For more information, see the `ipa-cacert-manage(1)` man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host to a principal that has permission to add or modify a host record. For more information, see the `ipa certmaprule-add` man page.
Clone Of:
Clones: 2143224
Environment:
Last Closed: 2023-05-16 08:28:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9269 0 None None None 2022-11-17 09:02:04 UTC
Fedora Pagure freeipa issue 9271 0 None None None 2022-11-16 11:57:54 UTC
Red Hat Issue Tracker FREEIPA-8167 0 None None None 2022-04-14 09:26:11 UTC
Red Hat Issue Tracker RHELPLAN-118954 0 None None None 2022-04-14 09:26:16 UTC
Red Hat Product Errata RHBA-2023:2794 0 None None None 2023-05-16 08:29:36 UTC

Description Alexandre Maumené 2022-04-14 09:19:17 UTC
Description of problem:

We would like to deploy 5G Distributed Units (basically x86 servers strapped to a pole, next to a 5G antenna) in a ZTP (Zero Touch Provisioning) manner. The DU servers will be provisioned in the factory and then sent directly on site. Since we want to achieve ZTP we cannot register our servers with ipa-client using a One Time Password. Those servers will be installed outdoors (and not in a DC) so there won't be any possibility for an operator to connect to them prior to their installation.

But from factory, the servers will each be provisioned with its own certificate. We would like to know if it would be possible to use such certificate to register the server with IDM.

Thanks in advance.

Comment 2 Alexander Bokovoy 2022-04-14 10:25:46 UTC
Some notes.

I think one can achieve that already, almost.

Since you are using certificates, you might be able to set up Kerberos PKINIT using a certificates and certificate mapping rules.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/index

A host object is essentially a Kerberos principal host/f.q.d.n@REALM. When PKINIT is in use, a password key does not need to be present.

If a certificate issued for this host has distinct properties, a matching and mapping rule can be set up to allow KDC to associate a PKINIT request with this principal.

For example:

# ipa certmaprule-mod host-rule --matchrule='<SAN:dNSName>.*\.ipa\.test' --maprule='(fqdn={subject_dns_name})'
------------------------------------------------------
Modified Certificate Identity Mapping Rule "host-rule"
------------------------------------------------------
  Rule name: host-rule
  Description: Map cert to host
  Mapping rule: (fqdn={subject_dns_name})
  Matching rule: <SAN:dNSName>.*\.ipa\.test
  Enabled: TRUE

The certificate mapping rule above says that we match an LDAP entry whose fqdn attribute equals the SAN dNSName value from the certificate, and the matching rule for SAN dNSName forces it to be in the .ipa.test domain.

On the client side the following will allow us to acquire Kerberos TGT for host/client.ipa.test principal with the certificate that corresponds to these features:

kinit -X X509_user_identity=FILE:./client.crt,./client.key -X X509_anchors=FILE:./kdc-ca-bundle.pem  host/client.ipa.test

The resulting Kerberos TGT is 

[root@client ~]# klist
Ticket cache: KCM:0
Default principal: host/client.ipa.test

Valid starting     Expires            Service principal
04/14/22 10:09:24  04/15/22 10:02:44  krbtgt/IPA.TEST
	renew until 04/21/22 10:09:22

What we lack, currently, is an option in ipa-client-install that would allow us to perform 'kinit' with the supplied certificate bundle. ipa-client-install will fail in non-interactive (-U) mode because we haven't supplied a password.

However, if we added that, ipa-join would work seamlessly with the ticket acquired for the host itself. Below I am demonstrating that:

[root@client ~]# cp ipa-ca.crt /etc/ipa/ca.crt
[root@client ~]# ipa-join -s master.ipa.test -k ./host.keytab -d
JSON-RPC request:
{"method": "join", "params": [["client.ipa.test"], {"nsosversion": "5.16.15-201.fc35.x86_64", "nshardwareplatform": "x86_64"}]}
*   Trying 10.0.192.191:443...
* Connected to master.ipa.test (10.0.192.191) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ipa/ca.crt
*  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: O=IPA.TEST; CN=master.ipa.test
*  start date: Mar 19 15:08:09 2022 GMT
*  expire date: Mar 19 15:08:09 2024 GMT
*  subjectAltName: host "master.ipa.test" matched cert's "master.ipa.test"
*  issuer: O=IPA.TEST; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Negotiate with user ''
> POST /ipa/json HTTP/1.1
Host: master.ipa.test
Authorization: Negotiate ...
referer: https://master.ipa.test/ipa
User-Agent: ipa-join/4.10.0.dev202203170906+gite6e0eac08
Accept: application/json
Content-Type: application/json
Content-Length: 127

* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 Success
< Date: Thu, 14 Apr 2022 10:20:47 GMT
< Server: Apache/2.4.52 (Fedora Linux) OpenSSL/1.1.1l mod_wsgi/4.9.0 Python/3.10 mod_auth_gssapi/1.6.3
< WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvddDY5UDWDRprq5LI4lw7L0sHrZG6Er15icIXCrMOsYrQX6IDd6jh+yC5HG0+KoHiB1v2i36E1Skgt6pLwwLPv4zByO8wH5ytl4CYKpX4t+XgVXt45q654nqtrkQUzNUUfeHuMw5lZrOqpE5lI6um
< Set-Cookie: ipa_session=MagBearerToken=dxoLo5xrWUkyucLMtYpukEFdfkTxcDqSmA1BQGkKhkM8J0XqVY96WjrJVqH%2fuj%2bBfRMq%2bVX13cwHO0s7mxKCEKIO4UQeiYfh2W39Q6zxrhVhtZecvkIOPfwrX6xL%2fOKXl3xW7ybLrscDuWpQP%2btU98%2bPh12vX6Io3UTK9HmS8ivXdXsLhNI9rg%2bKACQJs%2b3MAw9WUlGAsaUJfD5ezXaz7BXfSa%2bQtwmo2okJdWrf%2bUIKEQIrwxKx1aumuD%2fKz37Y;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache, private
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< 
* Connection #0 to host master.ipa.test left intact
JSON-RPC response:
{"result": ["fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test", {"objectclass": ["ipaobject", "nshost", "ipahost", "pkiuser", "ipaservice", "krbprincipalaux", "krbprincipal", "ieee802device", "ipasshhost", "top", "ipaSshGroupOfPubKeys"], "cn": ["client.ipa.test"], "serverhostname": ["client"], "ipauniqueid": ["08e04aba-bbd6-11ec-b677-fa163e094202"], "krbprincipalname": ["host/client.ipa.test"], "usercertificate": [{"__base64__": "MIIEnTCCAwWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIyMDQxNDA5MzkwM1oXDTI0MDQxNDA5MzkwM1owLTERMA8GA1UECgwISVBBLlRFU1QxGDAWBgNVBAMMD2NsaWVudC5pcGEudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALM8ELw8jd12otd1C0NUx/qPPSzwH1LsrzpDrV6hdPjJ67PM0X1BjAHQDcex/7sJH/wSphndXW90ZxBGk4Qk8/Q69WQcFteuI9VzsfgTXEfhb39iwbrP+kY5sVOgaB/Kx5kiYDWBBFfCFnpoZSnFr7YBQYtI5mZnZqluzS5FlUBlHNP5AXgxNiJ25Qb8HZXTiNg733Sf5RAzJ/DdKrXP/gVeznmu0HyoxvQWOa3Pzp7OtWael6wL4kYbQFCzQxfrCGQ+fWkF+I7gjTrTWoMQq/2LrDkIyxlf+aez1DcTyOrN+WZiK5OHKiXcqxJjb1VMc4z6btF56/l4hcrNzVNkyRUCAwEAAaOCAUAwggE8MB8GA1UdIwQYMBaAFBjMlz8/keiSkCGKBHMU85Xw047WMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDovL2lwYS1jYS5pcGEudGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwcwYDVR0fBGwwajBooDCgLoYsaHR0cDovL2lwYS1jYS5pcGEudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFCblmyu0T7mUBLTM982Wy5wG81ScMBoGA1UdEQQTMBGCD2NsaWVudC5pcGEudGVzdDANBgkqhkiG9w0BAQsFAAOCAYEAmLA/rTijpPDvbMdxERuhW5AWfWqcGSh0nknUi3n2ZKJbYDbrxcVWqJt/MilFKclx1Di8HCNxZH5Gbfz4u3jHW1fFRKLcb8ejjNtxxLx8soDH7U0uEh21elYwVyN+hNMY+9fQDgpNzA4BCp+Z3xrvAmLM01FmwJ9/nyYPd6jGFQfV7ubGFrNhlX+Pqvx3zqFEz3OXTQFCOAwi8GQSLQKdo1qccwvvTcdO0S/MMGbcfU/m2DlOqq8fUefasOP50gN/bCy2SzIbS8qC3x6vyFJ+J+g6FNFZxIrDAWvMCKUf5I6RgmBJ7HP/MLbAE0UxDFlIEKRSE1nCDluAva+c3vnEnu+V7U41qwlLb9rc1KnmoucLc9iCFTxDrF1GcP+DHe/gRLtTl23yxDtYmyOlg0Qdq3opj3B1tVkvGEo/AMyLX7qyKMawVQyUJOwkfLwCFh+6jtH2XyeKlGrEO+8QBcctb0ycIYRWFdTI8cON3q
jfxQ9ruOhZUAmTqfEkndrna5Sm"}], "fqdn": ["client.ipa.test"], "krbcanonicalname": ["host/client.ipa.test"], "has_password": false, "has_keytab": false, "subject": "CN=client.ipa.test,O=IPA.TEST", "serial_number": "15", "serial_number_hex": "0xF", "issuer": "CN=Certificate Authority,O=IPA.TEST", "valid_not_before": "Thu Apr 14 09:39:03 2022 UTC", "valid_not_after": "Sun Apr 14 09:39:03 2024 UTC", "sha1_fingerprint": "2d:16:5e:2d:91:ed:b3:23:3b:d0:68:b6:10:bb:31:22:32:6d:22:c3", "sha256_fingerprint": "d5:08:5b:fa:d7:60:6f:9c:0d:05:da:87:5f:51:a9:4b:ea:39:f9:6e:f1:7d:95:0f:7f:ce:b4:a3:d6:48:f4:bb", "ipakrbrequirespreauth": true, "ipakrbokasdelegate": false, "ipakrboktoauthasdelegate": false, "managedby_host": ["client.ipa.test"], "managing_host": ["client.ipa.test"], "dn": "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test", "ipacertificatesubjectbase": ["O=IPA.TEST"]}], "error": null, "id": null, "principal": "host/client.ipa.test", "version": "4.10.0.dev202203211148+git9312dc6f4"}
Keytab successfully retrieved and stored in: ./host.keytab


As you can see, once we registered the host, it was successfully added by the 'host/client.ipa.test' principal.

This is all possible because the host itself can manage its own properties.
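
The matching/mapping step described in Comment 2 is the part of this design that decides which principal a PKINIT certificate may authenticate as, so it is worth seeing it evaluated end to end. The block below is an added example written for this page; it is not FreeIPA or SSSD code. It assumes the sss-certmap(5) syntax `<SAN:dNSName>REGEX` for the matching rule, that the regex is applied as an unanchored search (so the rule as written in the comment also accepts `client.ipa.test.example.com`, and it is the directory lookup, plus the fact that only a CA in the KDC's pkinit_anchors can issue the certificate in the first place, that keeps such a name out), that `{subject_dns_name}` in the mapping rule expands to the matched SAN value, and it stands in a constructed host list for the IdM directory. The LDAP-filter escaping, the single-entry-or-nothing rule and the anchored variant of the matching rule are choices made here for the example.

```python
import re

# Constructed stand-in for the IdM host tree (example data, not a real
# directory dump): the first entry mirrors the host from the ipa-join
# output above, the second is a neighbour that must not be selected.
HOSTS = [
    {
        "dn": "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test",
        "fqdn": ["client.ipa.test"],
        "krbprincipalname": ["host/client.ipa.test"],
    },
    {
        "dn": "fqdn=other.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test",
        "fqdn": ["other.ipa.test"],
        "krbprincipalname": ["host/other.ipa.test"],
    },
]

# Rules as set with `ipa certmaprule-mod host-rule ...` above, plus an
# anchored variant of the matching rule for comparison (my addition).
MATCH_RULE = r"<SAN:dNSName>.*\.ipa\.test"
ANCHORED_MATCH_RULE = r"<SAN:dNSName>^.*\.ipa\.test$"
MAP_RULE = "(fqdn={subject_dns_name})"

_MATCH_SYNTAX = re.compile(r"^<SAN:dNSName>(?P<regex>.+)$")


def parse_match_rule(rule):
    """Only the <SAN:dNSName>REGEX form is handled here. Assumption: the
    regex is applied as an unanchored search, as sss-certmap does."""
    m = _MATCH_SYNTAX.match(rule)
    if m is None:
        raise ValueError("unsupported matching rule: %r" % rule)
    return re.compile(m.group("regex"))


def matching_sans(match_rule, san_dns_names):
    """Return the SAN dNSName values the matching rule accepts."""
    pattern = parse_match_rule(match_rule)
    return [name for name in san_dns_names if pattern.search(name)]


def ldap_escape(value):
    """RFC 4515 escaping of a value interpolated into a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def render_map_rule(map_rule, san_dns_name):
    """Expand the {subject_dns_name} template into an LDAP filter."""
    return map_rule.replace("{subject_dns_name}", ldap_escape(san_dns_name))


def search_equality(filt, entries):
    """Evaluate a single (attr=value) equality filter over the constructed
    entries; only this filter shape is supported in the example."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if m is None:
        raise ValueError("unsupported filter: %r" % filt)
    attr, value = m.group(1), ldap_unescape(m.group(2))
    return [e for e in entries if value in e.get(attr, [])]


def map_certificate(match_rule, map_rule, san_dns_names, entries=HOSTS):
    """Return the single entry the certificate maps to, or None.

    None is returned when no SAN passes the matching rule and also when the
    rendered filters hit zero or more than one entry: an ambiguous mapping
    must not authenticate anybody.
    """
    hits = []
    for san in matching_sans(match_rule, san_dns_names):
        hits.extend(search_equality(render_map_rule(map_rule, san), entries))
    unique = {e["dn"]: e for e in hits}  # two SANs may select one entry
    if len(unique) != 1:
        return None
    return next(iter(unique.values()))


if __name__ == "__main__":
    entry = map_certificate(MATCH_RULE, MAP_RULE, ["client.ipa.test"])
    print(entry["krbprincipalname"][0] if entry else "no mapping")
```

The returned entry's `krbprincipalname` is what the KDC compares against the principal named in the PKINIT request (`host/client.ipa.test` in the `kinit` above); a certificate whose SAN passes the regex but names no existing host maps to nothing, and so does one whose SANs select two hosts.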

Comment 3 Alexander Bokovoy 2022-04-14 11:19:40 UTC
So, for the purpose of structuring a possible implementation:

- add options to ipa-client-install to allow to specify a PKINIT certificate and KDC CA chain
- add kinit variant that uses PKINIT certificate and KDC CA chain to obtain a TGT in ipalib/install/kinit.py
- add logic in ipaclient/install/client.py:_install() to use this new kinit variant in case these options were specified
- documentation needs to be updated, both for ipa-client-install, and maybe a separate design page should be created

It probably makes no sense to autodiscover the principal corresponding to the certificate. Instead, require that if PKINIT certificate is used, -p must be explicitly set to the full principal (including realm).

This all sounds relatively limited effort, though creating tests would probably take a bit of time.

Comment 10 Alexander Bokovoy 2022-11-16 11:57:54 UTC
Upstream ticket: https://pagure.io/freeipa/issue/9271
Upstream PR: https://github.com/freeipa/freeipa/pull/6543

Test provided as a part of the upstream PR: ipatests/test_integration/test_pkinit_install.py

Comment 12 Christian Heimes 2022-11-16 14:35:06 UTC
Feature design is documented at https://github.com/freeipa/freeipa/blob/master/doc/designs/client-install-pkinit.md .

ipa-client-install \
  --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
  --pkinit-anchor=FILE:/path/to/kdc-ca-bundle.pem
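
Comment 3 sketches the client-side piece (a kinit variant driven by a PKINIT identity and anchor set, with the principal given in full) and Comment 12 shows the option syntax that shipped. The block below is an added example for this page, not the code from ipalib/install/kinit.py or the upstream PR: it validates the two option values, enforces the realm-qualified principal from Comment 3, and translates them into the same `kinit -X X509_user_identity=... -X X509_anchors=...` invocation used in Comment 2. It assumes the identity and anchor source prefixes accepted by MIT krb5 PKINIT (FILE:, DIR:, PKCS12:, PKCS11:, ENV:), and the function names are mine.

```python
import shlex
import subprocess

# Source types MIT krb5 PKINIT accepts for identities and anchors
# (assumption stated in the lead-in; see pkinit_identities/pkinit_anchors).
_IDENTITY_PREFIXES = ("FILE:", "DIR:", "PKCS12:", "PKCS11:", "ENV:")
_ANCHOR_PREFIXES = ("FILE:", "DIR:", "ENV:")


def require_full_principal(principal):
    """Comment 3 requires the full principal, realm included, when PKINIT
    is used; nothing is autodiscovered from the certificate."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must be NAME@REALM: %r" % principal)
    return principal


def check_identity(spec):
    """--pkinit-identity: FILE:cert[,key] or another krb5 identity source."""
    if not spec.startswith(_IDENTITY_PREFIXES):
        raise ValueError("unsupported PKINIT identity: %r" % spec)
    if spec.startswith("FILE:"):
        paths = spec[len("FILE:"):].split(",")
        if not 1 <= len(paths) <= 2 or not all(paths):
            raise ValueError("FILE: identity needs cert[,key]: %r" % spec)
    return spec


def check_anchor(spec):
    """--pkinit-anchor: the CA bundle the KDC certificate must chain to."""
    if not spec.startswith(_ANCHOR_PREFIXES):
        raise ValueError("unsupported PKINIT anchor: %r" % spec)
    return spec


def build_kinit_argv(principal, identity, anchors, ccache=None):
    """Map the ipa-client-install options onto kinit's -X attributes.
    Several anchors are allowed; each becomes its own -X X509_anchors=."""
    argv = ["kinit"]
    if ccache:
        argv += ["-c", ccache]
    argv += ["-X", "X509_user_identity=" + check_identity(identity)]
    for anchor in anchors:
        argv += ["-X", "X509_anchors=" + check_anchor(anchor)]
    argv.append(require_full_principal(principal))
    return argv


def kinit_pkinit(principal, identity, anchors, ccache=None):
    """Obtain the TGT; CalledProcessError means the KDC rejected the
    request (untrusted CA, no certmap match, or principal mismatch)."""
    argv = build_kinit_argv(principal, identity, anchors, ccache)
    subprocess.run(argv, check=True)
    return argv


def as_shell(argv):
    """Render argv the way it would be typed, for logging or docs."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    print(as_shell(build_kinit_argv(
        "host/client.ipa.test@IPA.TEST",
        "FILE:/path/to/cert.pem,/path/to/key.pem",
        ["FILE:/path/to/kdc-ca-bundle.pem"],
        ccache="KCM:0",
    )))
```

Running `kinit_pkinit` on an enrolled-in-factory host with the certificate the reporter describes yields exactly the ticket cache shown in Comment 2, after which `ipa-join` proceeds as demonstrated there; in non-interactive (`-U`) mode the validation errors above are the ones you want to surface before ever contacting the KDC.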

Comment 13 Alexander Bokovoy 2022-11-16 19:15:56 UTC
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/9d902d340793d01aa6b65d01a1facaf480819526

Comment 14 Florence Blanc-Renaud 2022-11-17 08:56:30 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/80da53eaada1b5ad61b8cff2f9ed1217fea600c9

Comment 15 Florence Blanc-Renaud 2022-11-17 09:02:02 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9269

Comment 16 Florence Blanc-Renaud 2022-11-17 09:02:51 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9271

Comment 24 errata-xmlrpc 2023-05-16 08:28:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2794

