
V4/Smartcard authentication ipa-advise recipes

Revision as of 21:53, 26 May 2017 by Ab (talk | contribs) (enable_client_certificate_logins_on_clients')

Name: V4/Smartcard authentication ipa-advise recipes
Ticket: #6982
Author: pvomacka, mbabinsk
Status: Pending review
Last updated: 2017-05-26 by Ab


Smartcard authentication requires additional settings to work properly, both for PKINIT and for login to the WebUI. These settings are not entirely straightforward, and above all they have to be applied on every FreeIPA server. Since FreeIPA has no way to change settings on all servers remotely, we need to create a script that is then run on each server. For this purpose IPA has the ipa-advise command, which can generate such scripts.

Use Cases

  • As an administrator I want to be able to configure Smartcard certificate authentication to the FreeIPA WebUI and KDC with minimum manual intervention, ideally via a provided command-line tool.
  • As an administrator I want to configure OCSP client certificate checking in a robust way that checks whether my environment will support querying the IPA CA-supplied OCSP responder.
  • As an administrator I want to be able to enable the PKINIT feature after install/upgrade with minimum effort.
  • As an administrator I expect these tools to be easily reusable in configuration management platforms such as Chef and Ansible.


Each use case is solved by running a dedicated recipe, generated by querying the corresponding topic of the ipa-advise command. Each script should check whether the environment supports the desired configuration (e.g. that all required DNS records, especially ipa-ca, are resolvable) and should be idempotent so that it can be safely used in an Ansible playbook. It should also report that a step was successful, or provide steps to resolve the issue. If a script fails, it has to be rerun after the described issue has been fixed.

Smartcard Login activation

The main purpose of this script is to obtain the hostnames of all masters in the topology and for each of them call 'ipa service-mod --ok-auth-as-delegate=True'. As the script uses the ipa CLI, it must be run by an authenticated user, so the first check (step) of the script is whether a valid Kerberos ticket is present.


The script for turning on OCSP has to make sure that ipa-ca.domain.com is resolvable, because otherwise the issuing of certificates (in a CA-full installation) and the installation of replicas (in all installations) will be broken. If the ipa-ca records prove to be unresolvable, the script emits an error and also provides the list of records for the user to add to their DNS infrastructure. Once DNS works correctly, the script continues with the subsequent steps.


  1. Check whether ipa-ca.domain.com is resolvable. If so, continue to the next steps; if not, generate the DNS records that need to be added to the DNS system.
  2. Set the trust flags of the server certificate (usually called Server-Cert) in the /etc/httpd/alias NSS DB to "P,,". The "P" flag in the SSL section means that the certificate is trusted as a peer even if its issuer is unknown.
  3. Set the NSSOCSP directive to 'on' in the VirtualHost section of /etc/httpd/conf.d/nss.conf. Augeas might be used for this step, as it has a lens for HTTPD configuration files.
  4. Write the OCSP configuration status to the sysupgrade file, so that subsequent upgrades of the FreeIPA deployment do not break the configuration requested by the system administrator.

The reversal script for turning off the OCSP check performs the steps above in reverse order; the only step skipped is step 1.
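The four steps above and their reversal, as an added example of how such a recipe can be written idempotently in shell (this is example code, not the script ipa-advise generates). It assumes the DNS hint receives the master addresses as arguments, and the sysupgrade file path is a placeholder because the page does not name that file.

```shell
#!/bin/bash
# Added example (not the script ipa-advise emits): idempotent helpers for the
# four OCSP steps above. NSS_DB and NSS_CONF default to the paths named on the
# page; STATE_FILE's default is a placeholder, the page does not name the file.
set -u
NSS_DB="${NSS_DB:-/etc/httpd/alias}"
NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
STATE_FILE="${STATE_FILE:-/PATH/TO/sysupgrade.state}"

# Step 1: ipa-ca.<domain> must resolve; if not, list the A records to add.
ipa_ca_resolvable() { getent hosts "ipa-ca.$1" >/dev/null 2>&1; }
ipa_ca_records() {  # $1 = domain, $2.. = master addresses
  local domain=$1; shift
  for ip in "$@"; do printf 'ipa-ca.%s. IN A %s\n' "$domain" "$ip"; done
}
# Step 3: set NSSOCSP inside <VirtualHost>, replacing an existing directive or
# inserting one before </VirtualHost>, so a second run leaves the file unchanged.
set_nssocsp() {  # $1 = nss.conf path, $2 = on|off
  local tmp; tmp=$(mktemp)
  awk -v val="$2" '
    /^[[:space:]]*<VirtualHost/   { invh = 1; seen = 0; print; next }
    /^[[:space:]]*<\/VirtualHost>/ { if (invh && !seen) print "NSSOCSP " val; invh = 0; print; next }
    invh && /^[[:space:]]*NSSOCSP[[:space:]]/ { print "NSSOCSP " val; seen = 1; next }
    { print }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner/mode
  rm -f "$tmp"
}
# Step 4: persist key=value in the sysupgrade state (replace or append).
record_state() {  # $1 = state file, $2 = key, $3 = value
  touch "$1"
  if grep -q "^$2=" "$1"; then sed -i "s/^$2=.*/$2=$3/" "$1"; else echo "$2=$3" >> "$1"; fi
}

enable_ocsp() {  # $1 = domain, $2.. = master addresses for the DNS hint
  local domain=$1; shift
  if ! ipa_ca_resolvable "$domain"; then
    echo "ERROR: ipa-ca.$domain does not resolve; add these records, then rerun:" >&2
    ipa_ca_records "$domain" "$@" >&2
    return 1
  fi
  certutil -d "$NSS_DB" -M -n Server-Cert -t "P,,"          # step 2
  set_nssocsp "$NSS_CONF" on && record_state "$STATE_FILE" ocsp_enabled True
  echo "OCSP checking enabled on this master"
}
disable_ocsp() {  # reversal: steps 4, 3, 2 in reverse order; step 1 is skipped
  record_state "$STATE_FILE" ocsp_enabled False
  set_nssocsp "$NSS_CONF" off
  certutil -d "$NSS_DB" -M -n Server-Cert -t "u,u,u"        # NSS default for a key-backed cert
}
```

Running `enable_ocsp example.com 192.0.2.10` twice produces the same nss.conf and state file, which is the idempotency property the recipes need for Ansible use.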


The script checks the PKINIT status on the master (e.g. by running ipa pkinit-status --server FQDN) and, if PKINIT is not configured, uses the IPA CA to issue a PKINIT key pair for the KDC.



Feature Management

After calling ipa-advise with the specified topic, the output can be piped into a shell script that configures the desired functionality on the master.


No UI required.


ipa-advise has new topics:


Command: ipa-advise enable_client_certificate_logins_on_server
Topic: Checks the status of PKINIT, OCSP and HTTP principal flags on the master and then configures the individual components required to enable smart card authentication against the IPA master.


Command: ipa-advise enable_client_certificate_logins_on_clients
Topic: Configures the client side of smart card authentication (PAM, GDM, the Kerberos client library, etc.).


No configuration required.


In the case of OCSP configuration, the script must be able to store the state of the feature in upgrade files so that subsequent updates do not revert the existing configuration.

How to Use

Example 1: configure smart card auth on master.example.com:

# kinit admin
# ipa-advise enable_client_certificate_logins_on_server > configure_smart_cards.sh
trying https://master1.ipa.test/ipa/session/json
# chmod +x configure_smart_cards.sh && ./configure_smart_cards.sh

Test Plan

It should be straightforward to incorporate the newly developed functionality into the existing smart card login authentication test scenarios, since many of the implemented enhancements can replace the manual setup steps those scenarios currently require.