2.2. Using Ansible to configure the IdM server for smart card authentication

You can use Ansible to enable smart card authentication for users whose certificates have been issued by the certificate authority (CA) of the <EXAMPLE.ORG> domain that your Identity Management (IdM) CA trusts. To do that, you must obtain the following certificates so that you can use them when running an Ansible playbook with the ipasmartcard_server ansible-freeipa role script:

The certificate of the root CA that has either issued the certificate for the <EXAMPLE.ORG> CA directly, or through one or more of its sub-CAs. You can download the certificate chain from a web page whose certificate has been issued by the authority. For details, see Step 4 in Configuring a browser to enable certificate authentication.
The IdM CA certificate. You can obtain the CA certificate from the /etc/ipa/ca.crt file on any IdM CA server.
The certificates of all of the CAs that are intermediate between the <EXAMPLE.ORG> CA and the IdM CA.

Prerequisites

You have root access to the IdM server.
You know the IdM admin password.
You have the root CA certificate, the IdM CA certificate, and all the intermediate CA certificates.
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

If your CA certificates are stored in files of a different format, such as DER, convert them to PEM format:
```
# openssl x509 -in <filename>.der -inform DER -out <filename>.pem -outform PEM
```
The IdM Certificate Authority certificate is in PEM format and is located in the /etc/ipa/ca.crt file.
Optional: Use the openssl x509 utility to view the contents of the files in the PEM format to check that the Issuer and Subject values are correct:
```
# openssl x509 -noout -text -in root-ca.pem | more
```
Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Create a subdirectory dedicated to the CA certificates:
```
$ mkdir SmartCard/
```

For convenience, copy all the required certificates to the ~/MyPlaybooks/SmartCard/ directory:

# cp /tmp/root-ca.pem ~/MyPlaybooks/SmartCard/
# cp /tmp/intermediate-ca.pem ~/MyPlaybooks/SmartCard/
# cp /etc/ipa/ca.crt ~/MyPlaybooks/SmartCard/ipa-ca.crt

In your Ansible inventory file, specify the following:

The IdM servers that you want to configure for smart card authentication.
The IdM administrator password.
The paths to the certificates of the CAs in the following order:
- The root CA certificate file
- The intermediate CA certificates files
- The IdM CA certificate file

The file can look as follows:

[ipaserver]
ipaserver.idm.example.com

[ipareplicas]
ipareplica1.idm.example.com
ipareplica2.idm.example.com

[ipacluster:children]
ipaserver
ipareplicas

[ipacluster:vars]
ipaadmin_password= "{{ ipaadmin_password }}"
ipasmartcard_server_ca_certs=/home/<user_name>/MyPlaybooks/SmartCard/root-ca.pem,/home/<user_name>/MyPlaybooks/SmartCard/intermediate-ca.pem,/home/<user_name>/MyPlaybooks/SmartCard/ipa-ca.crt

Create an install-smartcard-server.yml playbook with the following content:

---
- name: Playbook to set up smart card authentication for an IdM server
  hosts: ipaserver
  become: true

  roles:
  - role: ipasmartcard_server
    state: present

Save the file.
For example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/ directory on the control node.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
```
$ ansible-playbook --vault-password-file=password_file -v -i inventory install-smartcard-server.yml
```
The ipasmartcard_server Ansible role performs the following actions:
- It configures the IdM Apache HTTP Server.
- It enables Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) on the Key Distribution Center (KDC).
- It configures the IdM Web UI to accept smart card authorization requests.
Optional: If the certificate authority that issued the user certificate does not provide any Online Certificate Status Protocol (OCSP) responder, you may need to disable OCSP check for authentication to the IdM Web UI:
1. Connect to the IdM server as root:
  ssh root@ipaserver.idm.example.com
2. Set the SSLOCSPEnable parameter to off in the /etc/httpd/conf.d/ssl.conf file:
  SSLOCSPEnable off
3. Restart the Apache daemon (httpd) for the changes to take effect immediately:
  # systemctl restart httpd
警告
Do not disable the OCSP check if you only use user certificates issued by the IdM CA. OCSP responders are part of IdM.
For instructions on how to keep the OCSP check enabled, and yet prevent a user certificate from being rejected by the IdM server if it does not contain the information about the location at which the CA that issued the user certificate listens for OCSP service requests, see the SSLOCSPDefaultResponder directive in Apache mod_ssl configuration options.
The server listed in the inventory file is now configured for smart card authentication.
注意
To enable smart card authentication in the whole topology, set the hosts variable in the Ansible playbook to ipacluster:
--- - name: Playbook to set up smartcard for IPA server and replicas hosts: ipacluster [...]

2.2. Using Ansible to configure the IdM server for smart card authentication

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links