Abstract
| Goal | Introduce Identity Management in Red Hat Enterprise Linux (IdM) and its high-level architecture. |
| Objectives | Describe the components and administrative functions of Identity Management. Compare the supported and community versions of Identity Management. |
| Sections | |
Organizations need to make resources securely available for users. Computer systems use a framework of protocols, technology, and security policies to define digital identities for users and services, and to control access to computer resources using those identities. Such frameworks are referred to as Identity Management (IdM) or Identity and Access Management (IAM) software.
Identity Management (IdM) is also the name that Red Hat uses to refer to the dedicated identity management solution that is bundled into Red Hat Enterprise Linux. Identity Management in Red Hat Enterprise Linux manages user identities, access controls, and compliance requirements in a centralized and consistent way.
Identity management is the technical as well as the organizational process of registering user accounts and access rights, to control the interaction of people or groups of individuals with applications, systems, networks, and appliances.
The information that defines the identity and authorized actions of users is controlled by IdM; computer systems can be configured to use IdM as the source of user accounts and authorization restrictions.
Compared with centralized identity management, per-system account management does not scale to medium and large environments: maintaining accounts and policy configuration separately on every system is laborious and error prone.
Per-system account management becomes impractical once containers, VMs, IoT, and edge devices are added to the organization. IdM systems also provide single sign-on, subtree delegation, federation, and secret storage, among other features that per-system account management is not designed to offer.
An identity management system stores the information required for users to authenticate to different systems and applications. It also stores policy information that determines the resources that users are authorized to access.
An identity management solution uses domains to manage multiple machines; machines that join a domain share its identity data, authentication configuration, and access policies.
Domain users authenticate to their domain once and can then access the other systems and resources in it. Administrators manage a single account for each user across all the machines in the domain.
Centralized management is scalable and sustainable, even in large organizations.
IdM in Red Hat Enterprise Linux provides a rich, flexible, and well-documented command-line interface that simplifies the management of objects stored in the system. The browser-based user interface is compatible with mobile devices. As an administrator, you can use the command-line and browser interfaces to centrally manage the Linux and UNIX systems in an IdM domain.
Implementing IdM in your RHEL environment provides the following benefits:
Simplified IdM infrastructure
Support for compliance requirements such as PCI DSS
Reduced risk of unauthorized access or unauthorized privilege escalation
Identity foundation for cloud and container operational environments
Improved user experience with enterprise-wide single sign-on across heterogeneous environments
Tighter application integration into the identity management fabric
Identity information and authentication credential management for users, services, systems, and devices
IdM integrates with Microsoft Active Directory to provide the following additional benefits:
Linux clients are centrally managed via native Linux protocols and traditional means, such as LDAP, Kerberos, and POSIX, for greater interoperability.
Authentication, identity, and policy management are managed in a central server for better compliance.
Active Directory user authentication happens in Active Directory to meet audit requirements, without requiring user or password synchronization.
Management of Linux systems can be delegated to Linux administrators for a better separation of duties and delegation of privileges.
IdM is integrated into Red Hat Enterprise Linux 6.2 and later, to simplify identity management for RHEL client systems and servers.
IdM implements identity and access management with the following features:
Central authentication of identities and security mechanisms
Fine-grained access control policies
Integrated Public Key Infrastructure (PKI) services
Two-factor authentication (2FA) support
Cross-realm Kerberos trusts with Active Directory (AD)
Direct client connections to AD
Although IdM is not an administrative tool for AD domains, IdM can also synchronize identities with AD. Depending on the features that an administrator implements, IdM can ease the creation of Linux domains, allowing Linux domain users to access both Linux and Windows resources, and Windows users to access Linux resources.
IdM is the Red Hat tuned and supported release of the upstream open source FreeIPA project, built from popular Linux administration components.
IdM consists of a number of tightly integrated components, some of which can be installed on external servers:
389 Directory Server: an open source LDAP directory server. It has a flexible schema that can be customized to define entries for users, machines, network entities, physical equipment, buildings, and more. It is the back end that stores the data for the other IdM components.
MIT Kerberos: an authentication protocol that uses symmetric key cryptography to issue tickets that authenticate users to network services. Kerberos-based authentication is safer than presenting a password to each service, because the user's password never crosses the network: the client and the KDC each derive the same long-term key from the password, and the client proves possession of that key by decrypting what the KDC sends it, even when accessing services on other machines.
The Kerberos server is installed on the IdM domain controller, and all Kerberos data is stored in the back-end directory server. Directory Server defines access controls for stored Kerberos data. Because all Kerberos data is stored in the IdM directory server back end, the Kerberos server is managed with IdM tools.
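To make the "password never sent over the network" claim concrete, here is an added example (not code from IdM, FreeIPA, or MIT Kerberos) that models the Kerberos AS exchange that `kinit` performs, with both the client and the KDC side. Key derivation follows the RFC 3962 pattern (PBKDF2-HMAC-SHA1, salt = realm + principal, 4096 iterations); the cipher is a stand-in built from HMAC-SHA256, not the Kerberos AES-CTS encryption type, and the realm `EXAMPLE.COM`, the principal `alice`, and the 300-second clock-skew tolerance are assumptions made for illustration. The transcript of bytes that "crossed the wire" is kept so you can check it for the password and the derived key.

```python
import hashlib
import hmac
import json
import os
import time

# Added example, not code from IdM or MIT Kerberos: a toy model of the Kerberos
# AS exchange (what `kinit` performs) showing why the password never crosses the
# network. Key derivation follows the RFC 3962 pattern (PBKDF2-HMAC-SHA1, salt =
# realm + principal, 4096 iterations); the cipher is a stand-in built from
# HMAC-SHA256 (keystream plus tag), not the Kerberos AES-CTS enctype.
# The realm EXAMPLE.COM and principal alice are invented for illustration.

ITERATIONS = 4096   # RFC 3962 default iteration count
CLOCK_SKEW = 300    # seconds of skew a KDC typically tolerates for PA-ENC-TIMESTAMP
TGT_LIFETIME = 36000


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key derived from the password; both the client and the KDC hold it."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds every principal's long-term key, as IdM stores them in the directory."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM@REALM, never leaves the KDC

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal: str, pa_enc_timestamp: bytes, now: int):
        """AS-REQ in, AS-REP out. Pre-authentication proves the client holds the key."""
        key = self.keys[principal]
        ts = int(decrypt(key, pa_enc_timestamp).decode())   # ValueError on wrong password
        if abs(now - ts) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside allowed clock skew")
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.tgs_key, json.dumps(
            {"client": principal, "session": session_key, "expires": now + TGT_LIFETIME}).encode())
        enc_part = encrypt(key, json.dumps(
            {"session": session_key, "expires": now + TGT_LIFETIME}).encode())
        return tgt, enc_part

    def open_tgt(self, tgt: bytes) -> dict:
        """Only the KDC (holder of the krbtgt key) can read a TGT."""
        return json.loads(decrypt(self.tgs_key, tgt))


def kinit(kdc: KDC, principal: str, password: str, now=None):
    """Client side of the exchange; returns the session key, the TGT, and every byte sent on the wire."""
    now = int(time.time()) if now is None else now
    key = string_to_key(password, kdc.realm, principal)   # derived locally, never transmitted
    pa_enc_timestamp = encrypt(key, str(now).encode())      # PA-ENC-TIMESTAMP pre-authentication
    tgt, enc_part = kdc.as_exchange(principal, pa_enc_timestamp, now)
    session_key = json.loads(decrypt(key, enc_part))["session"]
    wire = [pa_enc_timestamp, tgt, enc_part]
    return session_key, tgt, wire


def leaks_secret(wire, *values: bytes) -> bool:
    """Would a network sniffer see any of these values in the captured messages?"""
    return any(v in blob for blob in wire for v in values)


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery staple")
    session_key, tgt, wire = kinit(kdc, "alice", "correct horse battery staple")
    print("client session key:", session_key[:16], "...")
    print("KDC view of the TGT:", kdc.open_tgt(tgt)["client"])
    print("password on the wire:", leaks_secret(wire, b"correct horse battery staple"))
```

Two things worth noticing: a wrong password is rejected at the KDC's tag check before anything is decrypted, which is what makes pre-authentication resistant to offline guessing from the AS-REP alone, and the TGT the client carries around is opaque to it because only the KDC holds the krbtgt key. Real Kerberos uses ASN.1 messages and AES-CTS rather than JSON and an HMAC keystream, but the flow of keys is the same.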
DNS: an IdM domain requires DNS so that clients can resolve hostnames and reach each other and the IdM servers. Services such as Kerberos identify their principals by hostname, so DNS must reliably map hostnames to and from IP addresses.
DNS is required to enroll new clients in the IdM domain, to locate the IdM servers within the domain, and to locate all services and clients within the domain. The IdM server installation creates DNS SRV records that let IdM clients and servers use DNS service discovery to find the LDAP and Kerberos servers (the IdM servers) required to participate in the IdM domain. Red Hat recommends that the IdM server also manage the DNS domain.
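The following added example (not code from ipa-client-install or the FreeIPA project) shows what service discovery looks like from the client side: the SRV record names an IdM-managed zone publishes, and the RFC 2782 ordering (lowest priority first, weighted random within a priority) that a client applies before trying servers. The zone data is constructed; the hosts `idm1-3.example.com` and the rogue target `ldap.attacker.test` are invented, and the final check that a discovered server must be a host of the IdM domain is a sanity check assumed by this example, not a documented IdM rule.

```python
import random
from dataclasses import dataclass

# Added example, not ipa-client-install code: the SRV records an IdM-managed zone
# publishes for service discovery, and the RFC 2782 ordering a client applies to
# them. The zone below is constructed; the hosts idm1-3.example.com and the rogue
# target ldap.attacker.test are invented for illustration.

# Record names IdM publishes under the domain (the Kerberos records also exist over _tcp).
IDM_SRV_NAMES = {
    "ldap": "_ldap._tcp.{domain}",
    "kerberos": "_kerberos._udp.{domain}",
    "kpasswd": "_kpasswd._tcp.{domain}",
}


@dataclass(frozen=True)
class SRV:
    name: str
    priority: int
    weight: int
    port: int
    target: str


SAMPLE_ZONE = [
    SRV("_ldap._tcp.example.com", 0, 100, 389, "idm1.example.com"),
    SRV("_ldap._tcp.example.com", 0, 100, 389, "idm2.example.com"),
    SRV("_ldap._tcp.example.com", 10, 100, 389, "idm3.example.com"),   # backup replica, tried last
    SRV("_ldap._tcp.example.com", 0, 100, 389, "ldap.attacker.test"),  # constructed rogue record
    SRV("_kerberos._udp.example.com", 0, 100, 88, "idm1.example.com"),
    SRV("_kerberos._udp.example.com", 0, 100, 88, "idm2.example.com"),
    SRV("_kpasswd._tcp.example.com", 0, 100, 464, "idm1.example.com"),
]


def rfc2782_order(records, seed=None):
    """Order SRV records as RFC 2782 directs: lowest priority first, weighted random within a priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)   # weight-0 entries go first in the candidate list
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def discover(zone, domain, service, seed=None):
    """Return the (host, port) list a client should try in order, and the targets it refused."""
    name = IDM_SRV_NAMES[service].format(domain=domain)
    accepted, rejected = [], []
    for r in rfc2782_order([r for r in zone if r.name == name], seed):
        # Added sanity check (an assumption of this example, not a documented IdM rule):
        # a server for the IdM domain is expected to be a host of that domain.
        if r.target == domain or r.target.endswith("." + domain):
            accepted.append((r.target, r.port))
        else:
            rejected.append(r.target)
    return accepted, rejected


if __name__ == "__main__":
    for service in IDM_SRV_NAMES:
        hosts, refused = discover(SAMPLE_ZONE, "example.com", service)
        print(f"{service:9s} -> {hosts}  refused: {refused}")
```

The practical point for operators: because clients trust these records to find the KDC and the directory, the zone that holds them needs the same protection as the IdM servers themselves, which is one reason the page recommends letting IdM manage its own DNS domain. The "refused" list is where a misconfigured or injected record would surface in this example.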
Dogtag Certificate System: services and applications primarily use certificates for Transport Layer Security (TLS) authentication and encrypted communication. IdM can include a certificate authority (CA) that issues certificates to resources within the IdM domain, such as replicas, hosts, services, users, and applications. This CA can be a self-signed root CA, or a subordinate CA whose signing certificate is issued by an existing external root or intermediate CA.
The Certificate System component also provides a Key Recovery Authority (KRA, formerly called the Data Recovery Manager) subsystem, which backs the IdM Vault. A vault is a secure location for storing, retrieving, sharing, and recovering secrets. A secret is security-sensitive data that should only be accessible to a limited group of people or entities; examples include passwords, PINs, and private SSH keys. Users and services can access the secrets stored in a vault from any machine enrolled in the IdM domain.
Red Hat offers three identity management solutions. Two solutions are additional, chargeable products: Red Hat Directory Server and Red Hat Certificate System. The third solution is Identity Management in Red Hat Enterprise Linux, included at no additional cost. Each solution provides similar technologies for managing identities, but with product features intended for different use cases.
Red Hat Directory Server is an LDAP-based directory server solution that manages identities and application information. For example, in an organization that provides paid online services, the service applications need to store customer accounts and credentials. A traditional, full-featured LDAP server is the best technology for this use case. Programmers can customize how their applications integrate with LDAP storage when using Red Hat Directory Server as the identity back end.
Red Hat Directory Server is an LDAP v3-compliant product, distributed as a separate subscription. It supports four-way multi-supplier replication, scalability to thousands of operations per second and tens of millions of entries stored, TLS/SSL and SASL security. It also supports custom plug-in extensions, online schema and configuration updates over LDAP, internationalized entries, and optional on-disk encryption of selected attributes.
The following use cases are some of those supported by Red Hat Directory Server:
Identity and application management for custom environments, such as custom email systems and other business applications
Migration from X.500 and earlier versions of LDAP
Custom object classes integration
Multi-supplier replication
High availability
Red Hat Certificate System offers a security framework for managing user identities and ensures communication privacy by providing an infrastructure for managing public keys. The framework includes the following components:
Certificate authority
Key recovery authority
Certificate status protocol
Token processing system
You can buy a subscription for Red Hat Certificate System as a stand-alone product to build a comprehensive PKI. Red Hat Certificate System can operate either as a root certificate authority or as an intermediate authority that integrates with existing trust models.
Red Hat Certificate System use cases include providing internal TLS certificate management for web servers, token assisted authentication, secure communications, and digital signatures and user identity.
The core certificate authority component provided by Red Hat Certificate System is the same component included in IdM. However, Red Hat Certificate System includes all the components and features that are available in the upstream community project. Red Hat Certificate System is not limited to defined domain namespaces.
A Red Hat Certificate System deployment can issue certificates for users, devices, and services that are in unrelated management realms. For example, in an organization that provisions certificates as a service, Red Hat recommends Red Hat Certificate System as the solution. Red Hat Certificate System can manage enterprise identities by issuing certificates. These certificates can be issued for internal identities and external identities, such as customers and partners.
IdM is a centralized and unified way to manage identity stores, authentication, policies, and authorization policies in a Linux-based domain environment. IdM supports the advanced features of Red Hat Enterprise Linux, and provides native integration with Active Directory.
The primary purpose of IdM is to manage identities, user authentication, and authorization policies for users and services in RHEL domains. The core directory server technology is the same for both Red Hat Directory Server and IdM. However, IdM is optimized for managing RHEL domain identities and authorization policies. The IdM design is intentionally limited to controlled schema without any expected custom extensibility. However, the IdM design also provides multiple benefits: simpler configuration, better automation of resource management, and increased efficiency in managing RHEL domain-based identities.
IdM is best suited as a solution that integrates a user database, secure authentication, public key infrastructure, and DNS management for distributed users and systems in a RHEL environment.
IdM integrates directory server, certificate server, Kerberos identity, and DNS name server components into a single identity management solution for a wide range of clients, including supported Linux, macOS, and Windows client operating systems.
Choose the solution that best fits your organization's requirements:
Use IdM if your integration objective is to provide unified centralized management of POSIX identities in Linux domains with Linux systems enrolled to IdM.
Use IdM if you need to issue certificates to users and services on IdM-enrolled RHEL clients without certificate approval workflows.
Use Red Hat Directory Server if your integration objective is to have an LDAP store for web applications that include various non-POSIX attributes, and you do not expect the users and groups to be visible on the POSIX-compliant operating system level.
Use Red Hat Certificate System if you are interested in a Certificate Authority solution with custom certificate approval workflows and features beyond those needed for basic Linux domain management.
Red Hat Enterprise Linux provides a bundled identity management solution. Red Hat contributes to the upstream open source project that integrates this solution.
Red Hat participates in supporting individual open source projects. It contributes code, developer time, resources, and support, and often collaborates with developers from other Linux distributions, to improve the general quality of software for everyone.
Red Hat sponsors and integrates open source projects into the community-driven FreeIPA project. The FreeIPA project provides a free working environment to serve as a development lab and proving ground for features to be incorporated into CentOS Stream and RHEL products.
Red Hat brands FreeIPA as IdM: FreeIPA is first integrated into CentOS Stream, where it is stabilized and standardized for long-term support, and is then shipped in RHEL.
FreeIPA is the upstream open source community project for IdM. This project is an integrated security information management solution combining Linux (Fedora, CentOS Stream), 389 Directory Server, MIT Kerberos, NTP, DNS, and Dogtag Certificate System. It consists of a web interface and command-line administration tools.
FreeIPA is an integrated identity and authentication management solution for Linux and UNIX networked environments. A FreeIPA server provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers.
FreeIPA is built on well-known open source components and standard protocols with a focus on ease of management and automation of installation and configuration tasks.
The Red Hat-sponsored FreeIPA community is where most open source development, idea maturation, and component integration work takes place. The FreeIPA community uses existing open source components and tracks related open source development.
The FreeIPA project was initiated to solve existing difficulties in enterprise identity management, such as providing a reliable open source alternative for identity management and creating a robust solution for central management of vital Linux security information. The FreeIPA project provides access to the information collected and managed, for better synchronization and analysis.
Because FreeIPA is the upstream project, Red Hat does not provide support for the FreeIPA community edition. Instead, IdM is the tuned and integrated version for Red Hat Enterprise Linux, maintained and supported by Red Hat.
Some upstream functionality is available in Red Hat Enterprise Linux only as a Technology Preview, or is available only in the upstream project, Fedora, or CentOS Stream. The web UI might look different from the upstream version, because IdM follows the Red Hat product branding designs.
CentOS Stream is the upstream project for RHEL. Development of the next RHEL version is transparent and open for community contributions that can directly influence the next release. Patches that are submitted to CentOS Stream are integrated faster to RHEL, to allow significant changes during the current RHEL version lifecycle. CentOS Stream is a continuous integration and delivery distribution, with tested and stable nightly builds.
The CentOS project welcomes contributors worldwide, giving RHEL derivatives the opportunity to contribute to CentOS Stream for their own benefit. The CentOS project also aims to promote sustainable open source software that responds faster to security vulnerabilities, emerging technologies, and changing customer requirements.
Before 2019, CentOS Linux was a free, unsupported distribution, community-built from Red Hat source code after each major RHEL release. Although the CentOS community enjoyed having a free RHEL clone, this model had disadvantages. Commonly, developer contributions to CentOS Linux were not back-ported to Fedora or RHEL without considerable duplicate effort. Significant delays occurred between a RHEL release and its corresponding CentOS distribution build, with a similar delay for critical RHEL security, driver, and tuning fixes. Red Hat switched to the CentOS Stream model to address these issues.
A benefit of CentOS Stream is that, as the source for RHEL development, it is available in all the same architectures as RHEL, including AMD64, Intel 64, ARM64, 64-bit PowerPC, and IBM z Systems.
Many innovative technology organizations have proven that CentOS Stream is a viable replacement for the original downstream CentOS Linux. CentOS Stream can be freely downloaded and installed for many use cases, including development and light production. For community users with use cases that are not suitable for a continuously delivered distribution with asynchronous patch releases, Red Hat provides free individual RHEL developer subscriptions for small-scale use, such as demos, prototyping, quality assurance, and limited production.
If FreeIPA users want to contribute to feature enhancement, they can either contribute to FreeIPA, or to CentOS Stream if the request is Red Hat implementation-specific. If you want to test upcoming IdM features before the next RHEL release (where it is bundled), then you can use the free CentOS Stream to build systems and test the features and integration to IdM.
For more information, refer to the Introduction to IdM section in the Red Hat Enterprise Linux 9 Planning Identity Management Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/planning_identity_management/index#intro-to-ipa-overview-of-planning-idm-and-access-control
For more information about FreeIPA, refer to the project page at: FreeIPA