Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

23.7. Integrating Identity Management Smart-card Authentication with Web Applications

As a developer whose applications use the Identity Management server as an authentication back end through the Identity Management web infrastructure Apache modules, you can configure the applications to enable authentication of users with multiple role accounts linked to their smart card. This enables these users to use the application under allowed role accounts.
On the server where the Apache web application is running:
  • Enroll the server as a client in the Identity Management domain.
  • Install the sssd-dbus and mod_lookup_identity packages.
  • Make sure Apache has a working HTTPS connection configured using the mod_nss module.
  1. Enable TLS renegotiation in the mod_nss configuration in the /etc/httpd/conf.d/nss.conf file: 
    NSSRenegotiation
NSSRequireSafeNegotiation on
    Copy to Clipboard Toggle word wrap
  2. Make sure that the CA issuing the user certificates is trusted for the client certificates in the mod_nss certificate database. The default location for the database is /etc/httpd/alias.
  3. Add the web application. In this procedure, we are using an almost minimal example consisting of a login page and a protected area.
    • The /login end point only lets the user provide a user name and sends the user to a protected part of the application.
    • The /app end point checks the REMOTE_USER environment variable. If the login was successful, the variable contains the ID of the logged-in user. Otherwise, the variable is unset.
  4. Create a directory, and set its group to apache and the mode to at least 750. In this procedure, we are using a directory named /var/www/app/.
  5. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/login.py.
    Save the following contents to the file: 
    #! /usr/bin/env python

def application(environ, start_response):
    status = '200 OK'
    response_body = """
<!DOCTYPE html>
<html>
    <head>
        <title>Login</title>
    </head>
    <body>
        <form action='/app' method='get'>
            Username: <input type='text' name='username'>
            <input type='submit' value='Login with certificate'>
        </form>
    </body>
</html>
"""
    response_headers = [
        ('Content-Type', 'text/html'),
        ('Content-Length', str(len(response_body)))
    ]
    start_response(status, response_headers)
    return [response_body]
    Copy to Clipboard Toggle word wrap
  6. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/protected.py.
    Save the following contents in the file: 
    #! /usr/bin/env python

def application(environ, start_response):
    try:
        user = environ['REMOTE_USER']
    except KeyError:
        status = '400 Bad Request'
        response_body = 'Login failed.\n'
    else:
        status = '200 OK'
        response_body = 'Login succeeded. Username: {}\n'.format(user)

    response_headers = [
        ('Content-Type', 'text/plain'),
        ('Content-Length', str(len(response_body)))
    ]
    start_response(status, response_headers)
    return [response_body]
    Copy to Clipboard Toggle word wrap
  7. Create a configuration file for your application. In this procedure, we are using a file named /etc/httpd/conf.d/app.conf with the following contents: 
    <IfModule !lookup_identity_module>
    LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>

WSGIScriptAlias /login /var/www/app/login.py
WSGIScriptAlias /app /var/www/app/protected.py

<Location "/app">
    NSSVerifyClient require
    NSSUserName SSL_CLIENT_CERT
    LookupUserByCertificate On
    LookupUserByCertificateParamName "username"
</Location>
    Copy to Clipboard Toggle word wrap
    In this file:
    • The first part loads mod_lookup_identity if it is not already loaded.
    • The next part maps the /login and /app end points to the respective Web Server Gateway Interface (WSGI) scripts.
    • The last part configures mod_nss for the /app end point so that it requires a client certificate during the TLS handshake and uses it. In addition, it configures an optional request parameter username to look up the identity of the user.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat