Lab: Configuring Alternative Authentication Services

Implement and configure alternative authentication.

Outcomes

  • Manage standard vaults and secrets.

  • Authenticate to the IdM API from the command line.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start alternative-review

Instructions

  1. Install the Key Recovery Authority (KRA) component on the idm machine.

    1. Log in to the idm machine as student and become the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Install the KRA component:

      Note

      If the KRA component is already installed on the idm machine, the command fails with a "KRA already installed" message; that is expected and you can continue with the next step.

      [root@idm ~]# ipa-kra-install
      Directory Manager password: RedHat123^
      
      ===================================================================
      This program will setup Dogtag KRA for the IPA Server.
      
      Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
        [1/9]: configuring KRA instance
        [2/9]: create KRA agent
        [3/9]: enabling ephemeral requests
        [4/9]: restarting KRA
        [5/9]: configure certmonger for renewals
        [6/9]: configure certificate renewals
        [7/9]: add vault container
        [8/9]: apply LDAP updates
        [9/9]: enabling KRA instance
      Done configuring KRA server (pki-tomcatd).
      Restarting the directory server
      The ipa-kra-install command was successful
  2. On the client machine, create the prod-files standard vault and store the /home/student/database.kdbx file as a secret.

    1. Open a new terminal tab and log in to the client machine as the student user. Authenticate to IdM as the idmuser01 user:

      [student@workstation ~]$ ssh client
      [student@client ~]$ kinit idmuser01
      Password for idmuser01@LAB.EXAMPLE.COM: RedHat123^
    2. Review the details of the /home/student/database.kdbx file. Note specifically the access and modification times and that the file is owned by root; you compare them with the retrieved copy later:

      [student@client ~]$ stat database.kdbx
        File: database.kdbx
        Size: 65536     	Blocks: 128        IO Block: 4096   regular file
      Device: fc04h/64516d	Inode: 8497822     Links: 1
      Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
      Context: unconfined_u:object_r:user_home_t:s0
      Access: 2023-06-28 17:32:32.849982303 -0400
      Modify: 2023-06-28 17:32:32.849982303 -0400
      Change: 2023-06-28 17:32:32.849982303 -0400
       Birth: 2023-06-28 17:32:32.849982303 -0400
    3. Create the prod-files standard vault:

      [student@client ~]$ ipa vault-add prod-files --type standard
      ----------------------
      Added vault "prod-files"
      ----------------------
        Vault name: prod-files
        Type: standard
        Owner users: idmuser01
        Vault user: idmuser01
    4. Store the /home/student/database.kdbx file:

      [student@client ~]$ ipa vault-archive prod-files --in ~/database.kdbx
      -----------------------------------
      Archived data into vault "prod-files"
      -----------------------------------
  3. On the idm machine, retrieve the secret stored in the prod-files vault.

    1. Switch to the first terminal tab and exit the root shell. Authenticate to IdM as the idmuser01 user:

      [root@idm ~]# logout
      [student@idm ~]$ kinit idmuser01
      Password for idmuser01@LAB.EXAMPLE.COM: RedHat123^
    2. Retrieve the secret stored in the prod-files vault:

      [student@idm ~]$ ipa vault-retrieve prod-files --out ~/database.kdbx
      ------------------------------------
      Retrieved data from vault "prod-files"
      ------------------------------------
    3. Review the details for the /home/student/database.kdbx file.

      Note that the size matches the original file, but the timestamps are the time that the secret was retrieved, and the file is owned by the retrieving user (student), not by root. Only the content of the file is stored in the vault, not the file itself, so metadata such as ownership, permissions, and timestamps is not preserved. The retrieved copy is also created with the default mode (0644 here), so a secret written this way is readable by every local user until you tighten its permissions:

      [student@idm ~]$ stat database.kdbx
        File: database.kdbx
        Size: 65536     	Blocks: 128        IO Block: 4096   regular file
      Device: fc04h/64516d	Inode: 8498112     Links: 1
      Access: (0644/-rw-r--r--)  Uid: ( 1000/ student)   Gid: ( 1000/ student)
      Context: unconfined_u:object_r:user_home_t:s0
      Access: 2023-06-28 17:46:07.347438594 -0400
      Modify: 2023-06-28 17:46:07.347438594 -0400
      Change: 2023-06-28 17:46:07.347438594 -0400
       Birth: 2023-06-28 17:46:07.347438594 -0400
  4. Authenticate to IdM as the admin user, and configure two-factor authentication for the idmuser05 user.

    1. Authenticate as the admin user:

      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Configure two-factor authentication for the idmuser05 user:

      [student@idm ~]$ ipa user-mod idmuser05 --user-auth-type=otp
      -------------------------
      Modified user "idmuser05"
      -------------------------
        User login: idmuser05
        First name: idmuser05
        Last name: idm
        Home directory: /home/idmuser05
        Login shell: /bin/sh
        Principal name: idmuser05@LAB.EXAMPLE.COM
        Principal alias: idmuser05@LAB.EXAMPLE.COM
        Email address: idmuser05@example.com
        UID: 739000013
        GID: 739000013
        User authentication types: otp
        Account disabled: False
        Password: True
        Member of groups: ipausers
        Kerberos keys available: True
  5. On your mobile device, search for and install the FreeOTP Authenticator application.

    If you choose not to install FreeOTP on your mobile device, an alternative method that uses any QR code scanner together with the oathtool command is provided in a later step.

  6. On the idm machine, create a user-managed software token. Set otp as the description and set idmuser05 as the token owner. The command prints a QR code in the terminal:

    [student@idm ~]$ ipa otptoken-add --desc=otp --owner=idmuser05
  7. Scan the displayed QR code with FreeOTP to provision the token to the mobile device.

    As an alternative, use a QR code scanner to scan the QR code.

  8. On the workstation machine, open a web browser and navigate to https://idm.lab.example.com. If you are automatically logged in to the IdM web UI, log out of the dashboard.

  9. In the IdM web UI, log in as the idmuser05 user. For the password, enter the user password followed by a FreeOTP passcode.

    1. For the first part, enter RedHat123^. For the second part, use FreeOTP to generate a passcode. The two items combined form the one-time password (OTP).

      Click Login. A TOTP passcode is only valid for a brief period of time (one time step, typically 30 seconds), so if authentication fails, generate a new passcode and try again.

      Note

      If you used a QR code scanner instead of FreeOTP, generate the passcode with the oathtool command. In the otpauth:// URI displayed on your mobile device, find the secret= value and pass that base32 string as the key argument of oathtool (shown as CODE in the following command). The --base32 option tells oathtool how the key is encoded, and --totp selects time-based codes. Treat the secret like a password: anyone who has it can generate valid passcodes for the token. Run the following command on the workstation machine:

      [student@workstation ~]$ oathtool --base32 \
        --totp CODE
      350759

      Enter the generated passcode at the end of the password, and then click Login.

  10. Log out of the web UI and exit the SSH session to the client and idm machines.

    1. Exit the client machine and close the second terminal tab.

      [student@client ~]$ exit
      logout
      Connection to client closed.
    2. Exit the idm machine.

      [student@idm ~]$ exit
      logout
      Connection to idm closed.
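The passcode that FreeOTP or oathtool produces in step 9 is a standard RFC 6238 TOTP value derived from the secret= field of the otpauth:// URI, and IdM expects the static password immediately followed by that passcode. The following Python, added here as an illustration and not part of the lab or of FreeIPA, parses such a URI, computes the passcode, assembles the combined IdM password, and shows the verifier side with a small clock-skew window. The URI, issuer and label are constructed for the example; the secret is the RFC 6238 test key (the ASCII string 12345678901234567890 in base32), not a real token from the lab.

```python
"""TOTP passcode generation and verification from an otpauth:// URI (RFC 4226 / RFC 6238).

Added example, not code from the lab or from FreeIPA. The sample URI below is
constructed: the secret is the RFC 6238 test key, the label and issuer are hypothetical.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: base32 of b"12345678901234567890" (RFC 6238 test vector key).
SAMPLE_URI = (
    "otpauth://totp/LAB.EXAMPLE.COM:idmuser05"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&algorithm=SHA1&digits=6&period=30"
    "&issuer=LAB.EXAMPLE.COM"
)


def parse_otpauth(uri):
    """Return (key_bytes, algorithm, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].strip().upper().replace(" ", "")
    # Authenticator URIs usually omit base32 padding; b32decode requires it.
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)
    algorithm = params.get("algorithm", ["SHA1"])[0].upper()
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return key, algorithm, digits, period


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(at_time) // period, digits, algorithm)


def passcode_from_uri(uri, at_time=None):
    """What FreeOTP or 'oathtool --base32 --totp <secret>' shows for this URI right now."""
    key, algorithm, digits, period = parse_otpauth(uri)
    now = time.time() if at_time is None else at_time
    return totp(key, now, digits, period, algorithm)


def idm_otp_password(static_password, uri, at_time=None):
    """IdM's combined OTP: the user's static password directly followed by the passcode."""
    return static_password + passcode_from_uri(uri, at_time)


def verify_totp(key, candidate, at_time, digits=6, period=30, algorithm="SHA1", skew_steps=1):
    """Verifier side: accept the current step and +/- skew_steps neighbours to tolerate
    clock drift, comparing in constant time so the check does not leak matching digits."""
    step = int(at_time) // period
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(key, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Prints the current passcode for the constructed sample token.
    print(passcode_from_uri(SAMPLE_URI))
```

Because the passcode depends only on the shared secret and the current time step, a code rejected by the web UI is usually one that expired while you were typing it; generating a fresh one, as the step above says, is the right response. The skew window in verify_totp is the example's own choice and does not describe how the IdM server is configured.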

Evaluation

On the workstation machine, change to the student user home directory and use the lab command to grade your work.

[student@workstation ~]$ lab grade alternative-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish alternative-review

Revision: rh362-9.1-4c6fdb8