第 2 章 Configuring Identity Management for smart card authentication

Procedure

1. Create a directory in which you will do the configuration:

   [root@server]# mkdir ~/SmartCard/

2. Navigate to the directory:

   [root@server]# cd ~/SmartCard/

3. Obtain the relevant CA certificates stored in files in PEM format. If your CA certificate is stored in a file of a different format, such as DER, convert it to PEM format. The IdM Certificate Authority certificate is in PEM format and is located in the /etc/ipa/ca.crt file.

   Convert a DER file to a PEM file:

   # openssl x509 -in <filename>.der -inform DER -out <filename>.pem -outform PEM

4. For convenience, copy the certificates to the directory in which you want to do the configuration:

   [root@server SmartCard]# cp /tmp/rootca.pem ~/SmartCard/
   [root@server SmartCard]# cp /tmp/subca.pem ~/SmartCard/
   [root@server SmartCard]# cp /tmp/issuingca.pem ~/SmartCard/

5. Optional: If you use certificates of external certificate authorities, use the openssl x509 utility to view the contents of the files in the PEM format to check that the Issuer and Subject values are correct:

   [root@server SmartCard]# openssl x509 -noout -text -in rootca.pem | more

6. Generate a configuration script with the in-built ipa-advise utility, using the administrator’s privileges:

   [root@server SmartCard]# kinit admin
   [root@server SmartCard]# ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh

   The config-server-for-smart-card-auth.sh script performs the following actions:

   • It configures the IdM Apache HTTP Server.
   • It enables Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) on the Key Distribution Center (KDC).
   • It configures the IdM Web UI to accept smart card authorization requests.

7. Execute the script, adding the PEM files containing the root CA and sub CA certificates as arguments:

   [root@server SmartCard]# chmod +x config-server-for-smart-card-auth.sh
   [root@server SmartCard]# ./config-server-for-smart-card-auth.sh rootca.pem subca.pem issuingca.pem
   Ticket cache:KEYRING:persistent:0:0
   Default principal: admin@IDM.EXAMPLE.COM
   [...]
   Systemwide CA database updated.
   The ipa-certupdate command was successful

   注意

   Ensure that you add the root CA’s certificate as an argument before any sub CA certificates and that the CA or sub CA certificates have not expired.

8. Optional: If the certificate authority that issued the user certificate does not provide any Online Certificate Status Protocol (OCSP) responder, you may need to disable OCSP check for authentication to the IdM Web UI:

   1. Set the SSLOCSPEnable parameter to off in the /etc/httpd/conf.d/ssl.conf file:

      SSLOCSPEnable off

   2. Restart the Apache daemon (httpd) for the changes to take effect immediately:

      [root@server SmartCard]# systemctl restart httpd

   警告

   Do not disable the OCSP check if you only use user certificates issued by the IdM CA. OCSP responders are part of IdM.

   For instructions on how to keep the OCSP check enabled, and yet prevent a user certificate from being rejected by the IdM server if it does not contain the information about the location at which the CA that issued the user certificate listens for OCSP service requests, see the SSLOCSPDefaultResponder directive in Apache mod_ssl configuration options.

   The server is now configured for smart card authentication.

   注意

   To enable smart card authentication in the whole topology, run the procedure on each IdM server.