Chapter 4. Integration with external authentication and authorization domains
The Directory and Domain Services feature brings an additional security level by joining the identity and access management systems of your organization with the Red Hat Hybrid Cloud Console. You can register your existing identity provider domain, such as Red Hat Identity Management (IdM).
The Directory and Domain Services feature is only available in Preview mode.
4.1. Security considerations for Directory and Domain Services
To register an identity domain of your organization in the Red Hat Hybrid Cloud Console and enroll the machines in it, you must open ports for the required services on the server where your identity domain is deployed.
For example, to ensure your machines have access from the public cloud environment to your IdM server, you must configure access to your IdM server for the following services:
- HTTPS: Allows the Directory and Domain Services feature to use the certificate from the RHEL subscription to enroll the image in the IdM server through the IPA API.
- Kerberos: Allows users and hosts to authenticate with the Kerberos authentication method.
- LDAP: Allows SSSD to retrieve security policies and user information from the IdM server.
The following ports must be open to provide access to these services.
Service | Ports | Protocol
---|---|---
HTTP/HTTPS | 80, 443 | TCP
LDAP/LDAPS | 389, 636 | TCP
Kerberos | 88, 464 | TCP and UDP
DNS (optional) | 53 | TCP and UDP
By opening these ports, you allow every enrolled machine that runs in a public cloud environment to reach your organization's IdM server. Make sure your company security policies allow this.
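As an added pre-flight check (not part of the Red Hat documentation), the following script probes the TCP ports from the table above on an IdM server whose host name is passed as its first argument. It assumes bash's /dev/tcp and the coreutils timeout utility are available; UDP ports are listed but not probed.

```shell
#!/usr/bin/env bash
# Constructed example: verify that an IdM server exposes the ports required by
# the Directory and Domain Services feature (table in section 4.1).
# Assumes: bash with /dev/tcp support and the `timeout` utility on the probing host.

# Port table from section 4.1, one entry per line: "proto port service".
IDM_PORTS="tcp 80 http
tcp 443 https
tcp 389 ldap
tcp 636 ldaps
tcp 88 kerberos
udp 88 kerberos
tcp 464 kpasswd
udp 464 kpasswd
tcp 53 dns-optional
udp 53 dns-optional"

# Space-separated list of the TCP ports that must be reachable (DNS is optional).
required_tcp_ports() {
  printf '%s\n' "$IDM_PORTS" |
    awk '$1=="tcp" && $3 !~ /optional/ {printf "%s%s", sep, $2; sep=" "} END {print ""}'
}

# Returns 0 when a TCP connection to host:port succeeds within 3 seconds.
check_tcp() {
  host=$1; port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Probes every TCP entry and returns the number of required ports that failed.
check_idm_server() {
  host=$1; failed=0
  while read -r proto port svc; do
    if [ "$proto" = tcp ]; then
      if check_tcp "$host" "$port"; then
        printf 'ok      %s/%s (%s)\n' "$proto" "$port" "$svc"
      else
        printf 'FAILED  %s/%s (%s)\n' "$proto" "$port" "$svc"
        case $svc in *optional*) ;; *) failed=$((failed + 1)) ;; esac
      fi
    else
      printf 'skip    %s/%s (%s) - UDP not probed\n' "$proto" "$port" "$svc"
    fi
  done <<EOF
$IDM_PORTS
EOF
  return "$failed"
}

if [ $# -eq 1 ]; then check_idm_server "$1"; fi
```

Run it from a cloud instance in the same network path the enrolled machines will use, since a firewall that permits the IdM server's own subnet may still block the cloud side.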
Additional resources
- For more details about ports to access the IdM server, see the Port requirements for IdM.
4.2. Registering an identity domain with the Hybrid Cloud Console
You can register the identity domain of your organization in the Red Hat Hybrid Cloud Console. It enables you to use your existing identity domain with the new instances running from images in the Hybrid Cloud Console.
Currently, the Directory and Domain Services only support an IdM setup. You can only enable one domain at a time. When you enable a domain, you must disable all other domains in the Red Hat Hybrid Cloud Console.
Prerequisites
- You have the ipa-hcc-server package installed from the EPEL repository on the existing IdM server.
- You have IPA administrator permissions.
- You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role. For more details, see Procedures for configuring User Access in Red Hat Hybrid Cloud Console.
Procedure
- Access Hybrid Cloud Console and, from the navigation panel, choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
- Click Register identity domain to open the Register identity domain wizard.
- Optional: On the Preparation page, the wizard prompts you to verify that the ipa-hcc-server package is installed on your IdM server. Follow the instructions on the page and continue to the Registration page.
- On the Registration page, copy the command for registering your domain, switch to the terminal of your IdM server, and run the command with root privileges:

  # ipa-hcc register <registration token>
  Domain information:
    realm name: <REALM_NAME>
    domain name: <domain_name>
    dns domains: <dns_domains>

  To continue registering your IdM server, type Yes:

  Proceed with registration? Yes/No (default No): <Yes>

- Once the registration command completes in your IdM server terminal, switch back to the Register identity domain wizard and, on the Registration page, click to verify registration. Wait for the wizard to verify your registration and continue.
- On the Details page, you can customize the Display name field for your domain. Optionally, enter a description for this domain, and leave the Domain auto-join on launch toggle enabled if you want the domain to be available when launching images in a public cloud environment after you complete the registration. Continue to the Review page.
- On the Review page, review all your settings and click to complete the registration.
Verification
- Confirm that your domain appears on the Directory and Domain Services dashboard.
Next steps
- You can enroll your machines in the registered domain during launch to the environment of your choice. To do so, ensure you add the ipa-hcc-client package from the EPEL repository during blueprint creation in Images.
Additional resources
- Learn more about Identity Management.
- Learn more about Creating blueprints and blueprint images.
- Learn more about Adding existing repositories from popular repositories to custom repositories.
- Learn more about Launching customized RHEL images to the cloud platforms with Insights image builder.
4.3. Editing identity domain registrations
You can rename and edit the description of the registered domain. You can also enable or disable the auto-join on launch feature for the registered domain.
Prerequisites
- You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role.
Procedure
- Access Hybrid Cloud Console and, from the navigation panel, choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
- From the list of domains, locate the domain you want to edit, click the Option menu, and choose Edit.
You can edit the following parameters:
- Display name: Changes the name of your domain.
- Description: Changes the description of your domain.
- Domain auto-join on launch: Enables or disables this domain for enrolling instances during launch to the public cloud providers.
4.4. Removing authentication domain registration from Hybrid Cloud Console
You can remove the registration of your external authentication domain from the Red Hat Hybrid Cloud Console.
Prerequisites
- You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role.
Procedure
- Access Hybrid Cloud Console and, from the navigation panel, choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
- From the list of domains, locate the domain you want to remove, click the Option menu, and choose Delete. The Delete identity domain registration window opens.
- Select the I understand that this action cannot be undone checkbox and confirm the deletion.
- Optional: Access your IdM server terminal and uninstall the ipa-hcc-server package:

  # dnf remove ipa-hcc-server

  If your IdM deployment consists of multiple servers, remove the ipa-hcc-server package from all of the servers.
Verification
- Open the Directory and Domain Services dashboard and verify the registration of your external authentication domain is not in the list.