Guided Exercise: Managing Smart Card Authentication

Create certificates and implement smart card authentication.

Outcomes

  • Configure IdM for smart card authentication, and authenticate to the IdM web UI using a certificate.

Note

This exercise imports certificates directly into the browser to perform certificate-based authentication because the classroom environment does not support smart cards for all modalities.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start alternative-smartcard

Instructions

  1. Configure IdM to support smart card authentication. This is required to enable certificate-based authentication, even without smart cards.

    1. Log in to the idm machine as the student user, and change to the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
      [root@idm ~]#
    2. Authenticate to IdM as the admin user:

      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    3. Run the ipa-advise config-server-for-smart-card-auth command to generate a configuration script. Make the script executable, and then run it:

      [root@idm ~]# ipa-advise \
        config-server-for-smart-card-auth > ~/server_smart_card_script.sh
      [root@idm ~]# chmod u+x ~/server_smart_card_script.sh
      [root@idm ~]# ~/server_smart_card_script.sh /etc/ipa/ca.crt
      Ticket cache: KCM:0
      Default principal: admin@LAB.EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      06/15/23 08:15:57  06/16/23 07:30:54  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
      06/15/23 08:17:42  06/16/23 07:30:54  HTTP/idm.lab.example.com@LAB.EXAMPLE.COM
      --------------------
      1 IPA server matched
      --------------------
        Server name: idm.lab.example.com
        Min domain level: 1
        Max domain level: 1
      ----------------------------
      Number of entries returned 1
      ----------------------------
      The ipa-pkinit-manage command was successful
      PKINIT already enabled
      Installing CA certificate, please wait
      Verified CN=Certificate Authority,O=LAB.EXAMPLE.COM
      CA certificate successfully installed
      The ipa-cacert-manage command was successful
      Systemwide CA database updated.
      Systemwide CA database updated.
      The ipa-certupdate command was successful
  2. Export the idmuser01 certificate to PKCS12 format, and then log out.

    1. Use the pk12util command to export the idmuser01 certificate from the /root/idmuser01-cert Network Security Services (NSS) database:

      [root@idm ~]# pk12util \
        -d ~/idmuser01-cert/ \
        -o ~/idmuser01.p12 \
        -n idmuser01
      Enter Password or Pin for "NSS Certificate DB": RedHat123^
      Enter password for PKCS12 file: RedHat123^
      Re-enter password: RedHat123^
      pk12util: PKCS12 EXPORT SUCCESSFUL
    2. Authenticate to IdM as the idmuser01 user to ensure that the password has not expired:

      [root@idm ~]# kinit idmuser01
      Password for idmuser01@LAB.EXAMPLE.COM: RedHat123^
    3. Log out of the idm machine:

      [root@idm ~]# logout
      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
  3. Copy the /root/idmuser01.p12 file to workstation:

    Important

    Only perform the following step if you have not previously imported the CA certificate for IdM. If you have reset the IdM VM, then it is possible that a previously imported CA certificate is no longer valid. To resolve this issue, remove the currently trusted certificate, and then reimport.

    [student@workstation ~]$ scp root@idm:idmuser01.p12 ./
  4. On workstation, import the CA certificate into Firefox.

    1. Save the IdM CA certificate locally.

      Navigate to https://idm.lab.example.com. Click Advanced on the warning page, and then click Accept the Risk and Continue. Click the Padlock icon, Connection not secure, and then More information. Click View Certificate, Certificate Authority, and then click PEM (cert) to save the CA certificate. Close the tab when finished.

    2. Import the IdM CA certificate:

      Open Firefox and navigate to about:preferences. Click Privacy & Security, and navigate to the Certificates section. Click View Certificates, Authorities, and then Import. Navigate to the Downloads directory and open the idm-lab-example-com.pem file. Trust the certificate to identify websites, and then click OK and OK.

  5. Import the idmuser01 certificate and enable TLS 1.3.

    1. Import the idmuser01 certificate.

      Open Firefox and navigate to about:preferences. Click Privacy & Security and navigate to the Certificates section. Click View Certificates, Your Certificates, and then Import. Navigate to the student home directory and open the idmuser01.p12 file. Enter RedHat123^ to unlock the file, and then click Sign in and OK.

    2. Enable TLS 1.3 post-handshake authentication. This is supported in Firefox 68.0 and later, but is disabled by default.

      Navigate to about:config, and then click Accept the Risk and Continue. Type post_handshake in the search field, and double-click the security.tls.enable_post_handshake_auth Boolean to set it as true.

  6. Log in to the IdM web UI using a certificate.

    1. Navigate to https://idm.lab.example.com or refresh the tab if already open.

    2. On the IdM web UI login page, click Log in Using Certificate. The idmuser01 certificate should already be selected. Leave Remember this decision selected, and then click OK.

      You are now logged in, and you can see the details for the idmuser01 user.

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish alternative-smartcard

Revision: rh362-9.1-4c6fdb8