RH362 - ch05s05

Bookmark this page

Lab: Managing the CA and DNS Integrated Services

Configure IdM service policies and manage authentication entities and records.

Outcomes

Manage the IdM DNS and CA service resources.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start integrated-review

Instructions

On the idm machine, create a Network Security Services (NSS) certificate database in the /root/certs directory. Set RedHat123^ as the database password.
Log in to the idm machine as student and become the root user:
[student@workstation ~]$ ssh idm [student@idm ~]$ sudo -i [sudo] password for student: student
Authenticate to IdM as the admin user:
[root@idm ~]# kinit admin Password for admin@LAB.EXAMPLE.COM: RedHat123^
Create the /root/certs directory:
[root@idm ~]# mkdir ~/certs
Create an NSS certificate database in the certs directory. Set RedHat123^ as the password:
[root@idm ~]# certutil -N -d ~/certs/ ...output omitted... Enter new password: RedHat123^ Re-enter password: RedHat123^

Create and submit a certificate signing request (CSR). Use the httpsrv user for the request and set the key size to 4096. Specify CN=httpsrv, O=LAB.EXAMPLE.COM as the subject name. Save the CSR as the httpsrv.csr file in the root home directory.

Create a certificate signing request (CSR). Set httpsrv as the nickname for the key:

[root@idm ~]# certutil -R -d ~/certs/ \
  -a -g 4096 \
  -n httpsrv \
  -s "CN=httpsrv, O=LAB.EXAMPLE.COM" \
  > ~/httpsrv.csr
Enter Password or Pin for "NSS Certificate DB":RedHat123^

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

...output omitted...
Finished.  Press enter to continue:Enter

Generating key.  This may take a few moments...

Submit the CSR to the IdM CA, using the IECUserRoles profile. If you do not set this option, the default profile designed for network services is used. Use the certificate-out option to specify the location of the certificate:

[root@idm ~]# ipa cert-request \
  --profile-id IECUserRoles \
  --certificate-out ~/httpsrv.pem \
  --principal httpsrv@LAB.EXAMPLE.COM
  ~/httpsrv.csr
  Issuing CA: ipa
  Certificate: MIIFlTCCA/...
  Subject: CN=httpsrv,O=LAB.EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=LAB.EXAMPLE.COM
  Not Before: Thu Jun 01 23:51:09 2023 UTC
  Not After: Sun Jun 01 23:51:09 2025 UTC
  Serial number: 17
  Serial number (hex): 0x11

Verify that the httpsrv user has the certificate assigned:

[root@idm ~]# ipa user-show httpsrv
  User login: httpsrv
  First name: httpsrv
  Last name: httpsrv
  Home directory: /home/httpsrv
  Login shell: /bin/sh
  Principal name: httpsrv@LAB.EXAMPLE.COM
  Principal alias: httpsrv@LAB.EXAMPLE.COM
  Email address: httpsrv@lab.example.com
  ...output omitted...
  Certificate: MIIFlTCCA...
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Add the certificate to the NSS database. Use httpsrv as the nickname of the database entry. Log out from the idm machine.

Add the certificate to the NSS database. Use the -n option to set httpsrv as the nickname of the entry. The -t option sets the trust level. The -i option specifies the input certificate file:
```
[root@idm ~]# certutil -A -d ~/certs/ \
  -n httpsrv \
  -t "P,," \
  -i ~/httpsrv.pem
Enter Password or Pin for "NSS Certificate DB":RedHat123^
```

Verify that the key in the NSS database does not show orphan as its nickname:

[root@idm ~]# certutil -K -d ~/certs/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB": RedHat123^
< 0> rsa      817d6e4b3c412deda6da93f73d944c5f9b483d0f   NSS Certificate DB:httpsrv

Log out from the idm machine:

[root@idm ~]# logout
[student@idm ~]$ logout
Connection to idm closed.
[student@workstation ~]$

On the client machine, add a service principal for the httpd service.

[student@workstation ~]$ ssh client
[student@client ~]$ sudo -i
[sudo] password for student: student
[root@client ~]#

Authenticate to IdM as the admin user:

[root@client ~]# kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^

Add a service principal for the http service:

[root@client ~]# ipa service-add http/client.lab.example.com
----------------------------------------------------------
Added service "http/client.lab.example.com@LAB.EXAMPLE.COM"
-----------------------------------------------------------
  Principal name: http/client.lab.example.com@LAB.EXAMPLE.COM
  Principal alias: http/client.lab.example.com@LAB.EXAMPLE.COM
  Managed by: client.lab.example.com

Create a certificate request for the http/client.lab.example.com principal. Save the resulting certificate in the /etc/httpd/certs directory.

Create the /etc/httpd/certs directory:
```
[root@client ~]# mkdir /etc/httpd/certs
```

By default, Certmonger does not create certificates in arbitrary locations. To create the certificate in the certs directory, configure an SELinux file context:

[root@client ~]# semanage fcontext -a -t cert_t "/etc/httpd/certs(/.*)?"
[root@client ~]# restorecon -R -v /etc/httpd/certs
Relabeled /etc/httpd/certs from unconfined_u:object_r:httpd_config_t:s0 to unconfined_u:object_r:cert_t:s0

Create a certificate request for the http/client.lab.example.com principal. Use the -f and -k options to specify where to store the certificate and key, respectively.

[root@client ~]# ipa-getcert request -f /etc/httpd/certs/cert.pem \
  -k /etc/httpd/certs/cert.key \
  -K http/client.lab.example.com \
  -D client.lab.example.com
New signing request "20230602001645" added.

Verify that Certmonger is monitoring the certificate request. Use the request ID from the previous step:

[root@client ~]# getcert list -i 20230602001645
Number of certificates and requests being tracked: 1.
Request ID '20230602001645':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/httpd/certs/cert.key'
	certificate: type=FILE,location='/etc/httpd/certs/cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.EXAMPLE.COM
	subject: CN=client.lab.example.com,O=LAB.EXAMPLE.COM
    ...output omitted...
	principal name: http/client.lab.example.com@LAB.EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	...output omitted...
	track: yes
	auto-renew: yes

Configure the httpd service to use TLS encryption. Edit the /etc/httpd/conf.d/ssl.conf configuration file to update the SSLCertificateFile and SSLCertificateKeyFile directives with the certificate and key absolute path, respectively. Create the /var/www/html/index.html file with The http service is running with TLS encryption as the content. Enable the httpd service in the OS and the firewall.
Edit the /etc/httpd/conf.d/ssl.conf configuration file. Update the SSLCertificateFile directive to the /etc/httpd/certs/cert.pem certificate file. Update the SSLCertificateKeyFile directive to the /etc/httpd/certs/cert.key key file. Review the /etc/httpd/conf.d/ssl.conf file to verify that the service is configured on the idm machine:
...output omitted... SSLCertificateFile /etc/httpd/certs/cert.pem ...output omitted... SSLCertificateKeyFile /etc/httpd/certs/cert.key ...output omitted...
Create the /var/www/html/index.html file with the following content:
The http service is running with TLS encryption
Enable and start the httpd service. Enable runtime firewall traffic to the https service:
[root@client ~]# systemctl enable httpd --now Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service. [root@client ~]# firewall-cmd --add-service=https success
Log out of client, then on the idm machine, test a connection to the http service. Try both the secure port and the insecure port of the service:
[root@client ~]# logout [student@client ~]$ logout Connection to client closed. [student@workstation ~]$ ssh idm [student@idm ~]$ curl http://client.lab.example.com curl: (7) Failed to connect to client.lab.example.com port 80: No route to host [student@idm ~]$ curl https://client.lab.example.com The http service is running with TLS encryption

Create the custom-service DNS SRV record for the http service. Set 0 as the priority, 100 as the weight, and 443 as the port. Test the resolution of the SRV record.

Authenticate to IdM as the admin user:

[student@idm ~]$ kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^

Add the custom-service SRV record. Set 0 as the priority, 100 as the weight, and 443 as the port:

[student@idm ~]$ ipa dnsrecord-add
Record name: custom-service
Zone name: lab.example.com
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: SRV
SRV Priority (order): 0
SRV Weight: 100
SRV Port: 443
SRV Target: client
  Record name: custom-service
  SRV record: 0 100 443 client

Test the resolution of the new SRV record:

[student@idm ~]$ dig +short -t SRV custom-service.lab.example.com
0 100 443 client.lab.example.com.

Log out from the idm machine:

[student@idm ~]$ logout
Connection to idm closed.
[student@workstation ~]$

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade integrated-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish integrated-review

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8