Guided Exercise: Working with Vaults in Identity Management

Create a vault, and store and retrieve secrets for a user and a service.

Outcomes

  • Manage standard vaults and secrets.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start alternative-secrets

Instructions

  1. Install the Key Recovery Authority (KRA) on the idm machine. The KRA is the IdM component that stores vault secrets; the ipa vault-* commands fail until it is installed on at least one IdM server.

    1. Log in to the idm machine as the student user, and change to the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Install the KRA using the ipa-kra-install command:

      [root@idm ~]# ipa-kra-install
      Directory Manager password: RedHat123^
      
      ===================================================================
      This program will setup Dogtag KRA for the IPA Server.
      
      Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
        [1/9]: configuring KRA instance
        [2/9]: create KRA agent
        [3/9]: enabling ephemeral requests
        [4/9]: restarting KRA
        [5/9]: configure certmonger for renewals
        [6/9]: configure certificate renewals
        [7/9]: add vault container
        [8/9]: apply LDAP updates
        [9/9]: enabling KRA instance
      Done configuring KRA server (pki-tomcatd).
      Restarting the directory server
      The ipa-kra-install command was successful
    3. Log out of the idm machine:

      [root@idm ~]# logout
      [student@idm ~]$ logout
      [student@workstation ~]$
  2. As the student user on the client machine, create a standard vault and store a secret in it.

    1. Log in to the client machine as the student user:

      [student@workstation ~]$ ssh client
      [student@client ~]$
    2. View the size and modification time of the /home/student/database.kdbx file:

      [student@client ~]$ ls -l ~/database.kdbx
      -rw-r--r--. 1 student student 65536 Jun 16 09:34 /home/student/database.kdbx
    3. Authenticate to IdM as the idmuser01 user:

      [student@client ~]$ kinit idmuser01
      Password for idmuser01@LAB.EXAMPLE.COM: RedHat123^
    4. Create a standard vault using the ipa vault-add command. A standard vault relies only on IdM access control: its owner and any member users can archive and retrieve the secret without supplying a password or key, unlike symmetric and asymmetric vaults.

      [student@client ~]$ ipa vault-add keepassx --type standard
      ----------------------
      Added vault "keepassx"
      ----------------------
        Vault name: keepassx
        Type: standard
        Owner users: idmuser01
        Vault user: idmuser01
    5. Store the content of the /home/student/database.kdbx file using the ipa vault-archive command:

      [student@client ~]$ ipa vault-archive keepassx --in ~/database.kdbx
      -----------------------------------
      Archived data into vault "keepassx"
      -----------------------------------
    6. Log out of the client machine:

      [student@client ~]$ logout
      [student@workstation ~]$
  3. As the student user on the idm machine, retrieve a secret stored in the keepassx vault.

    1. Log in to idm as the student user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$
    2. Authenticate to IdM as the idmuser01 user:

      [student@idm ~]$ kinit idmuser01
      Password for idmuser01@LAB.EXAMPLE.COM: RedHat123^
    3. Retrieve a secret stored in the keepassx vault:

      [student@idm ~]$ ipa vault-retrieve keepassx --out ~/database.kdbx
      ------------------------------------
      Retrieved data from vault "keepassx"
      ------------------------------------
    4. View the details for the /home/student/database.kdbx file. The size matches the original file, but the modification time is the time that the secret was retrieved: the vault stores only the content of the file, not its name, permissions, or timestamps. Because a matching size alone does not prove integrity, compare a checksum of both copies when you need to confirm that the round trip was lossless.

      [student@idm ~]$ ls -l ~/database.kdbx
      -rw-r--r--. 1 student student 65536 Jun 16 09:39 /home/student/database.kdbx
    5. Log out of the idm machine:

      [student@idm ~]$ logout
      [student@workstation ~]$
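The exercise checks the round trip only by comparing file sizes. The following script, an added example that is not part of the original exercise, wraps the same ipa vault-add, vault-archive and vault-retrieve commands and proves the retrieved copy is byte-identical by comparing SHA-256 digests. It assumes a hypothetical vault name "keepassx", the file ~/database.kdbx, an enrolled client with the ipa CLI, and a current Kerberos ticket for the vault owner (kinit idmuser01). The ipa calls run only with --run; without arguments the script defines the functions, and --selfcheck exercises the comparison logic on constructed files so it can be run offline.

```shell
#!/bin/bash
# Added example: archive a file into an IdM standard vault and verify that
# the retrieved copy has identical content. Not part of the original page.
# Assumptions (hypothetical): vault "keepassx", ~/database.kdbx, ipa CLI on
# an enrolled client, and a valid ticket for the vault owner.
set -u

# Print the SHA-256 digest of a file (empty string if it cannot be read).
file_digest() {
    sha256sum -- "$1" 2>/dev/null | awk '{print $1}'
}

# Return 0 when two files have identical content, 1 otherwise.
# Size and mtime are deliberately ignored: only the content survives the vault.
same_content() {
    local a b
    a=$(file_digest "$1")
    b=$(file_digest "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full round trip against a live IdM server: create the vault if it does not
# exist, archive the source file, retrieve to a separate path, compare.
vault_roundtrip() {
    local vault=$1 src=$2 out=$3
    ipa vault-show "$vault" >/dev/null 2>&1 \
        || ipa vault-add "$vault" --type standard || return 1
    ipa vault-archive "$vault" --in "$src" || return 1
    # Retrieve to a new path so the original stays untouched for comparison.
    ipa vault-retrieve "$vault" --out "$out" || return 1
    if same_content "$src" "$out"; then
        echo "OK: retrieved content matches sha256 $(file_digest "$src")"
    else
        echo "MISMATCH: content of $out differs from $src" >&2
        return 1
    fi
}

# Offline self-check on constructed files (stand-ins for database.kdbx).
selfcheck() {
    local d rc
    d=$(mktemp -d)
    printf 'constructed kdbx stand-in\n' > "$d/orig"
    cp "$d/orig" "$d/copy"                       # same content, new mtime
    printf 'constructed but different\n' > "$d/other"
    same_content "$d/orig" "$d/copy" && ! same_content "$d/orig" "$d/other"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --run)
        vault_roundtrip "${2:-keepassx}" "${3:-$HOME/database.kdbx}" \
                        "${4:-$HOME/database.retrieved.kdbx}" ;;
    --selfcheck)
        selfcheck && echo "selfcheck passed" ;;
esac
```

Retrieving to a separate output path, rather than overwriting the original as the exercise does, is what makes the comparison possible; once the digests match, the original can be deleted if the vault is meant to be the only copy.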

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish alternative-secrets

Revision: rh362-9.1-4c6fdb8