Guided Exercise: Managing Kerberos Principals, Policies, and External Authentication

Create, modify, and delete Kerberos principals.

Outcomes

  • Create and validate host and service credentials, and configure a service to authenticate using Kerberos.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start users-kerberos

Instructions

  1. On the client machine, install the httpd package. Create the /var/www/html/index.html file with This is the client's server content as the content. Enable the firewall ports for HTTP, and then enable and start the httpd service.

    1. Log in to the client machine as student and become the root user:

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
    2. Install the httpd package:

      [root@client ~]# dnf install httpd
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
    3. Permit the http service through the firewall:

      [root@client ~]# firewall-cmd --add-service=http
      success
      [root@client ~]# firewall-cmd --add-service=http --permanent
      success
    4. Create the /var/www/html/index.html file with the following content:

      This is the client's server content
    5. Start and enable the httpd service:

      [root@client ~]# systemctl enable httpd --now
      Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
      [root@client ~]# systemctl status httpd
      ● httpd.service - The Apache HTTP Server
           Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
           Active: active (running) since Mon 2023-06-05 23:48:13 EDT; 7s ago
      ...output omitted...
      Jun 05 23:48:13 client.lab.example.com httpd[35318]: Server configured, listening on: port 80
  2. Create a service principal for the HTTP service.

    1. Authenticate to IdM as the admin user:

      [root@client ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Add the service principal for the HTTP service in the client machine:

      [root@client ~]# ipa service-add HTTP/client.lab.example.com
      -----------------------------------------------------------
      Added service "HTTP/client.lab.example.com@LAB.EXAMPLE.COM"
      -----------------------------------------------------------
        Principal name: HTTP/client.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: HTTP/client.lab.example.com@LAB.EXAMPLE.COM
        Managed by: client.lab.example.com
  3. Install the keytab for the HTTP/client.lab.example.com service principal in the /etc/httpd/http.keytab file. Ensure that the httpd service owns the keytab file.

    1. Create and install the keytab for the HTTP/client.lab.example.com service principal in the /etc/httpd/http.keytab file:

      [root@client ~]# ipa-getkeytab \
        -s idm.lab.example.com \
        -p HTTP/client.lab.example.com \
        -k /etc/httpd/http.keytab
      Keytab successfully retrieved and stored in: /etc/httpd/http.keytab
    2. Change the ownership of the /etc/httpd/http.keytab file to the apache user:

      [root@client ~]# chown apache /etc/httpd/http.keytab
  4. Configure the httpd service so that the resources under the http://client.lab.example.com/restricted directory can only be accessed by the idmuser01@LAB.EXAMPLE.COM user. Create the configuration in the /etc/httpd/conf.d/restricted.conf file. Create the /var/www/html/restricted/ directory and the index.html file inside it with Restricted content in the client server as the content.

    1. Install the mod_auth_gssapi package to integrate Kerberos authentication with the HTTPD server:

      [root@client ~]# dnf install mod_auth_gssapi
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
    2. Create the /etc/httpd/conf.d/restricted.conf configuration file to enable GSSAPI (Kerberos) authentication with the service keytab and to allow access only to the idmuser01 user principal. Add the following content to the file:

      <Location /restricted>
          AuthType gssapi
          AuthName LAB.EXAMPLE.COM
          GssapiBasicAuth On
          GssapiBasicAuthMech krb5
          GssapiCredStore keytab:/etc/httpd/http.keytab
          Require user idmuser01@LAB.EXAMPLE.COM
      </Location>
    3. Create the /var/www/html/restricted/ directory and the index.html file inside it with the following content:

      Restricted content in the client server
    4. Restart the httpd service:

      [root@client ~]# systemctl restart httpd
  5. On the workstation machine, open a browser and navigate to the http://client.lab.example.com and to http://client.lab.example.com/restricted websites. In the restricted website, authenticate as the idmuser01 user using RedHat123^ as the password.

    1. Log out from the client machine:

      [root@client ~]# logout
      [student@client ~]$ logout
      Connection to client closed.
    2. Open the web browser and navigate to the http://client.lab.example.com website.

      Confirm that you see the public message.

    3. Navigate to the http://client.lab.example.com/restricted website.

      The web page prompts for a username and password. Provide the credentials of the idmuser01 user and confirm that you can see the restricted message.
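The following shell function is an added check, not part of the exercise or of IdM: it audits the result of steps 3 and 4 (the GSSAPI Location block, the keytab it references, and that keytab's owner and mode). The function name and the run argument are assumptions; the default paths are the files created above.

```sh
#!/bin/sh
# Added post-configuration audit (not part of the exercise). It checks the
# Kerberos-relevant parts of the mod_auth_gssapi setup from steps 3 and 4:
#   check_gssapi_config CONF KEYTAB OWNER   -> returns 0 when all checks pass
# CONF   : the <Location> config, e.g. /etc/httpd/conf.d/restricted.conf
# KEYTAB : keytab the config must reference, e.g. /etc/httpd/http.keytab
# OWNER  : user (name or uid) that must own the keytab, "apache" for httpd
check_gssapi_config() {
    conf=$1 keytab=$2 owner=$3 rc=0
    [ -r "$conf" ]   || { echo "FAIL: cannot read $conf"; return 1; }
    [ -f "$keytab" ] || { echo "FAIL: keytab $keytab not found"; return 1; }

    # GSSAPI must be the auth type and access limited to a named principal
    grep -Eq '^[[:space:]]*AuthType[[:space:]]+gssapi' "$conf" ||
        { echo "FAIL: AuthType gssapi missing"; rc=1; }
    grep -Eq '^[[:space:]]*Require[[:space:]]+user[[:space:]]+[^[:space:]]+@[^[:space:]]+' "$conf" ||
        { echo "FAIL: no 'Require user <principal>@<REALM>' line"; rc=1; }

    # The keytab named in GssapiCredStore must be the one installed on disk
    ref=$(sed -nE 's/^[[:space:]]*GssapiCredStore[[:space:]]+keytab:([^[:space:]]+).*/\1/p' "$conf")
    [ "$ref" = "$keytab" ] ||
        { echo "FAIL: GssapiCredStore references '$ref', expected $keytab"; rc=1; }

    # The keytab holds the service's long-term key: it must belong to the
    # httpd user and allow no group or world access (mode 0600 or tighter)
    have=$(stat -c %u "$keytab"); want=$(id -u "$owner" 2>/dev/null || echo "")
    [ -n "$want" ] && [ "$have" = "$want" ] ||
        { echo "FAIL: keytab owner uid $have, expected $owner"; rc=1; }
    mode=$(stat -c %a "$keytab")
    case $mode in
        600|400) ;;
        *) echo "FAIL: keytab mode $mode is wider than 0600"; rc=1 ;;
    esac

    # Informational: with GssapiBasicAuth On the browser sends the user's
    # password to httpd, which obtains the ticket, so serve the site over TLS
    grep -Eiq '^[[:space:]]*GssapiBasicAuth[[:space:]]+On' "$conf" &&
        echo "NOTE: GssapiBasicAuth On, password fallback enabled; use HTTPS"

    [ "$rc" -eq 0 ] && echo "OK: $conf and $keytab pass all checks"
    return "$rc"
}

# Run against the exercise's files when invoked as: sh check_gssapi.sh run
if [ "${1:-}" = run ]; then
    check_gssapi_config /etc/httpd/conf.d/restricted.conf /etc/httpd/http.keytab apache
fi
```

Run it as root on the client after step 4; a non-zero exit with a FAIL line points at the part of steps 3 or 4 that was missed.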

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish users-kerberos

Revision: rh362-9.1-4c6fdb8