Chapter 9. Managing EST user database
The following sections describe DS realm management and PostgreSQL realm management.
9.1. Managing DS Realm
The user DB requires a node containing the users (inetOrgPerson entries) and a node containing the groups (groupOfUniqueNames entries). Therefore, if the base DN is dc=pki,dc=example,dc=com, a user can be added and associated with the EST Users group using the following commands:
9.1.1. TLS mutual authentication
The above configuration allows client authentication using username/password. In some cases, or for specific operations such as re-enrolling for a new certificate, mutual authentication with a client certificate is required.
The realm configuration already supports certificate-based authentication out of the box, but in order to authenticate a user some additional information is needed. In more detail, the user entry has to include a description containing some certificate details, and the binary certificate.
The description has the format <Version>;<Serial>;<Issuer>;<Subject>. The version is the hex value (without 0x), the serial is in decimal, and issuer and subject are distinguished names (DN). The DN format is from the more specific attribute to the more general (note: some tools, like OpenSSL, use a different order), separated by commas. As an example, if the user has a certificate with the following values:
Then the user entry est-test-user defined above can be modified in the DS case with the command:
Replace <certificate_base64> with the actual value. To obtain the value from the DER certificate, use the command:
$ openssl base64 -in cert.der | sed 's/^/ /'
9.2. Managing PostgreSQL Realm
To add a user and associate it with the EST Users group, execute the following commands:
$ psql -U est -t -A -c "INSERT INTO users VALUES ('est-test-user', 'EST TEST USER', '<tomcat_digest>');" est
$ psql -U est -t -A -c "INSERT INTO group_members VALUES ('EST Users', 'est-test-user');" est
The Tomcat digest of the password can be obtained with the command:
$ tomcat-digest <user_password>
9.2.1. TLS mutual authentication
The above configuration allows client authentication using username/password. In some cases, or for specific operations such as re-enrolling for a new certificate, mutual authentication with a client certificate is required.
The realm configuration already supports certificate-based authentication out of the box, but in order to authenticate a user some additional information is needed. In more detail, the user entry has to include a description containing some certificate details, and the binary certificate.
The description has the format <Version>;<Serial>;<Issuer>;<Subject>. The version is the hex value (without 0x), the serial is in decimal, and issuer and subject are distinguished names (DN). The DN format is from the more specific attribute to the more general (note: some tools, like OpenSSL, use a different order), separated by commas.
This information is stored in the user_certs table. As an example, if the user has a certificate with the following values:
Then the user entry est-test-user defined above requires a new entry in the user_certs table, which can be added with:
$ psql -U est -t -A -c "INSERT INTO user_certs VALUES ('est-test-user', '2;67939231264256858734977554404570695488;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=test.example.com', pg_read_binary_file('/cert.der'));" est
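The description string used in sections 9.1.1 and 9.2.1 is easy to get wrong by hand: the version is the X.509 field value in hex (a v3 certificate is "2"), the serial is decimal rather than the hex that openssl x509 -serial prints, and the DNs must be most-specific-first, the reverse of OpenSSL's one-line order. The script below is an added example, not part of this documentation or of the PKI project's tooling. It parses just enough of a DER certificate with the Python standard library to build the <Version>;<Serial>;<Issuer>;<Subject> string and the space-indented base64 lines the LDIF modification needs. The attribute OID table is assumed sufficient for typical DNs, and the sample certificate is constructed inline by a tiny DER encoder (unsigned, with the values from the example above); with a real certificate you would pass the bytes of cert.der instead.

```python
import base64

# Attribute types usually found in a DN; anything else is rendered as its dotted OID (assumption)
_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the size of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(content):
    """Split a constructed value's content into its (tag, content) elements."""
    items, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        items.append((tag, val))
    return items


def _decode_oid(raw):
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def dn_from_name(name):
    """Render a DER Name with the most specific attribute first (CN=...,OU=...,O=...)."""
    rdns = []
    for _, rdn in _children(name):                     # SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):                  # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = _children(atv)
            dotted = _decode_oid(oid)
            rdns.append(f"{_OID_NAMES.get(dotted, dotted)}={value.decode()}")
    return ",".join(reversed(rdns))                    # DER stores the DN root-first, so reverse it


def est_description(cert_der):
    """Return '<Version>;<Serial>;<Issuer>;<Subject>' as the EST realm expects."""
    _, cert, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # TBSCertificate fields
    version = 0                                        # v1 certificates omit the [0] version field
    if fields[0][0] == 0xA0:
        version = int.from_bytes(_children(fields[0][1])[0][1], "big")
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")       # serialNumber INTEGER, rendered in decimal
    issuer, subject = dn_from_name(fields[2][1]), dn_from_name(fields[4][1])
    return f"{version:x};{serial};{issuer};{subject}"  # version in hex without the 0x prefix


def ldif_cert_lines(cert_der):
    """Base64 the DER with a leading space on every line, as the LDIF continuation needs."""
    return "".join(f" {line}\n" for line in base64.encodebytes(cert_der).decode().splitlines())


# --- minimal DER encoder, used only to construct the sample certificate below ---
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def _int(value):
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))  # keeps a leading 0 when needed


def _name(pairs):
    """Encode a Name root-first from (short name, value) pairs, e.g. [("O", "EXAMPLE"), ("CN", "x")]."""
    oid_of = {short: oid for oid, short in _OID_NAMES.items()}
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _oid(oid_of[short]) + _tlv(0x0C, value.encode())))
        for short, value in pairs))


def build_sample_cert(serial, issuer, subject):
    """Constructed, unsigned v3 certificate skeleton: enough structure for est_description()."""
    alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))   # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))
    tbs = _tlv(0xA0, _int(2)) + _int(serial) + alg + _name(issuer) + validity + _name(subject) + spki
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))    # signatureValue left empty


# Constructed sample with the values of the example entry above
SAMPLE_ISSUER = [("O", "EXAMPLE"), ("OU", "pki-tomcat"), ("CN", "CA Signing Certificate")]
SAMPLE_SUBJECT = [("CN", "test.example.com")]
SAMPLE_CERT = build_sample_cert(67939231264256858734977554404570695488, SAMPLE_ISSUER, SAMPLE_SUBJECT)

if __name__ == "__main__":
    print(est_description(SAMPLE_CERT))
    print(ldif_cert_lines(SAMPLE_CERT), end="")
```

For the sample certificate the script prints 2;67939231264256858734977554404570695488;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=test.example.com, the same value used in the psql command above; comparing the generated string with what you typed by hand is a quick way to catch a serial left in hex or a DN in OpenSSL order, either of which makes certificate authentication fail silently for that user.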