čtvrtek 18. února 2016

Client certificate authentication with oVirt

This post will show you how to configure authentication using client certificates. FreeIPA 4.2.0 introduced support for multiple certificate profiles, including support for user certificates. So we will use integration with FreeIPA 4.2. Please follow this post to create new profile for issuing user certificates in FreeIPA.

Test user creation

We create our user testing user in IPA, please be carefull specifying email address and login, we will need these later on.

pkcs#12 creation

First, we need to create private key for our user: Second, we have to create certificate signing request(CSR), using config, where we specify subjectAltName extension, which must match our user's email address in FreeIPA and commonName which must match user's login. We can now submit our CSR to IPA to issue certificate for our user. Remember to specify our user's login and profile for user certificates. Now, we need to extract user's cetificate. Now lets finnaly create our pkcs#12. Which you can later use with your browser to login.

Apache mod_ssl configuration

Now ssh to your oVirt machine. We need to reconfigure apache mod_ssl module, to require client certificate and since oVirt's AAA works with X-Remote-User header, we need to set it to REMOTE_USER env variable. Please add following lines into /etc/httpd/conf.d/ssl.conf. Now add CA certificate of ipa to /etc/pki/ovirt-engine/apache-ca.pem

oVirt AAA configuration

Authz configuration: Authn configuration: example.properties - specify your specifc creadentials and values for your IPA server Restart ovirt-engine and httpd

Let's try login

Please assign your user some permissions, in our case we assign user omachace SuperUser permission on system. Then we are able login as follows: In order to try it with our browser, please find relevant documentation how to import your pkcs#12 into browser, then you will be able to connect to oVirt via browser using client certificate.

CN to username mapping

In some setups you can met with situation, that your CN and username don't equal, in that moment you can use mapping extension. Imagine situation that in your CN is 'Ondra.Machacek' instead of 'omachace'. Then you would create a new mapping properties file as follows: And then don't forget to link this mapping to authn extension.

1 komentář:

  1. Thanks a lot for the info :-)
    I took a slightly different approach, but this info helped.