Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

23.7. Integrating Identity Management Smart-card Authentication with Web Applications

As a developer whose applications use the Identity Management server as an authentication back end through the Identity Management web infrastructure Apache modules, you can configure the applications to enable authentication of users with multiple role accounts linked to their smart card. This enables these users to use the application under allowed role accounts.

23.7.1. Prerequisites for Web Application Authentication with Smart Cards
Copiar o link

On the server where the Apache web application is running:
  • Enroll the server as a client in the Identity Management domain.
  • Install the sssd-dbus and mod_lookup_identity packages.
  • Make sure Apache has a working HTTPS connection configured using the mod_nss module.
  1. Enable TLS renegotiation in the mod_nss configuration in the /etc/httpd/conf.d/nss.conf file: 
    NSSRenegotiation
NSSRequireSafeNegotiation on
    Copy to Clipboard Toggle word wrap
  2. Make sure that the CA issuing the user certificates is trusted for the client certificates in the mod_nss certificate database. The default location for the database is /etc/httpd/alias.
  3. Add the web application. In this procedure, we are using an almost minimal example consisting of a login page and a protected area.
    • The /login end point only lets the user provide a user name and sends the user to a protected part of the application.
    • The /app end point checks the REMOTE_USER environment variable. If the login was successful, the variable contains the ID of the logged-in user. Otherwise, the variable is unset.
  4. Create a directory, and set its group to apache and the mode to at least 750. In this procedure, we are using a directory named /var/www/app/.
  5. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/login.py.
    Save the following contents to the file: 
    #! /usr/bin/env python

def application(environ, start_response):
    status = '200 OK'
    response_body = """
<!DOCTYPE html>
<html>
    <head>
        <title>Login</title>
    </head>
    <body>
        <form action='/app' method='get'>
            Username: <input type='text' name='username'>
            <input type='submit' value='Login with certificate'>
        </form>
    </body>
</html>
"""
    response_headers = [
        ('Content-Type', 'text/html'),
        ('Content-Length', str(len(response_body)))
    ]
    start_response(status, response_headers)
    return [response_body]
    Copy to Clipboard Toggle word wrap
  6. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/protected.py.
    Save the following contents in the file: 
    #! /usr/bin/env python

def application(environ, start_response):
    try:
        user = environ['REMOTE_USER']
    except KeyError:
        status = '400 Bad Request'
        response_body = 'Login failed.\n'
    else:
        status = '200 OK'
        response_body = 'Login succeeded. Username: {}\n'.format(user)

    response_headers = [
        ('Content-Type', 'text/plain'),
        ('Content-Length', str(len(response_body)))
    ]
    start_response(status, response_headers)
    return [response_body]
    Copy to Clipboard Toggle word wrap
  7. Create a configuration file for your application. In this procedure, we are using a file named /etc/httpd/conf.d/app.conf with the following contents: 
    <IfModule !lookup_identity_module>
    LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>

WSGIScriptAlias /login /var/www/app/login.py
WSGIScriptAlias /app /var/www/app/protected.py

<Location "/app">
    NSSVerifyClient require
    NSSUserName SSL_CLIENT_CERT
    LookupUserByCertificate On
    LookupUserByCertificateParamName "username"
</Location>
    Copy to Clipboard Toggle word wrap
    In this file:
    • The first part loads mod_lookup_identity if it is not already loaded.
    • The next part maps the /login and /app end points to the respective Web Server Gateway Interface (WSGI) scripts.
    • The last part configures mod_nss for the /app end point so that it requires a client certificate during the TLS handshake and uses it. In addition, it configures an optional request parameter username to look up the identity of the user.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat