Chapter 51. Authentication and Interoperability

With a recent update of the pki-core package, certain ciphers are no longer enabled by default in the Identity Management (IdM) Certificate Authority (CA). As a consequence, setting up an IdM server with integrated CA on RHEL 7.6 as a replica of a master running on RHEL 6 fails with a CRITICAL Failed to configure CA instance error. To work around the problem, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:

+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

As a result, the IdM installation on RHEL 7.6 no longer fails. Note that installing a CA-less IdM replica on RHEL 7.6 works as expected even without this workaround. (BZ#1667434)

In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, because the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail.

If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter.

To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:

# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1

To apply the change, reload the systemd configuration:

# systemctl daemon-reload

and start the radiusd service:

# systemctl start radiusd

The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or web UI. To do it in the CLI:

# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret

(BZ#1571754)

When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an attacker to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.

Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.

If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file. The default behavior is planned to be changed in a future release of RHEL.

(JIRA:RHELPLAN-155168)