Difference between revisions of "SCEP in IPA"

From Dogtag
(sqlite and RA)
 
(6 intermediate revisions by 2 users not shown)

Latest revision as of 13:52, 10 August 2012

Short Term Solution

Description

  1. In the DMZ, install the Dogtag Perl-based RA. Point this RA to the IPA-CA (ipa-host:443). It will talk to the IPA-CA directly. As part of the setup, an RA agent is created that allows the RA to send agent-authenticated requests to the IPA-CA (similar to the IPA-RA plugin).
  2. Populate the RA with the relevant agents/users.
  3. On the IPA server, replace /etc/httpd/conf.d/ipa-pki-proxy.conf with the following:
# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/profileSubmit">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/registerRaUser|^/ca/admin/ca/getBySerial">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/ee/ca/pkiclient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>
  4. Note that this adds the following servlets: /ca/ee/ca/profileSubmit, /ca/admin/ca/registerRaUser and /ca/admin/ca/getBySerial for installation of the RA, and /ca/ee/ca/pkiclient for SCEP operations. /ca/ee/ca/pkiclient must be added to the stanza for those operations that require client auth.
  5. Change or add the following parameter in /var/lib/pki-ca/conf/CS.cfg: ca.scep.enable=true
  6. Restart IPA.
  7. When installing the RA, make sure to refer to the security domain CA as https://{ipa_hostname}:443.
  8. This was tested using an SCEP client (sscep) modified to use SHA-2. (link to be provided)
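Because step 4 hinges on which stanza a servlet path lands in, it is worth checking the proxy file mechanically rather than by eye. The following is an added example (not code from the Dogtag or IPA projects) that parses LocationMatch stanzas of the shape shown above and reports, per proxied path, the NSSVerifyClient setting. The embedded SAMPLE_CONF is constructed for the example: it deliberately places /ca/ee/ca/pkiclient in the stanza without client auth so that the check fires. Function names (parse_stanzas, exposure_map, check_client_auth, missing_paths) are the example's own.

```python
"""Audit an ipa-pki-proxy.conf fragment: which CA servlet paths are proxied,
and whether the stanza that proxies each one demands a client certificate."""
import re

# Constructed sample in the shape of the stanzas above (not the page's exact file).
# /ca/ee/ca/pkiclient is intentionally in the NSSVerifyClient none stanza.
SAMPLE_CONF = """\
# VERSION 1 - DO NOT REMOVE THIS LINE
ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/profileSubmit|^/ca/ee/ca/pkiclient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/doRevoke|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>
"""

STANZA_RE = re.compile(r'<LocationMatch\s+"([^"]*)">(.*?)</LocationMatch>', re.S)
VERIFY_RE = re.compile(r"^\s*NSSVerifyClient\s+(\S+)", re.M)


def parse_stanzas(conf):
    """Return a list of (paths, verify_client) tuples, one per LocationMatch stanza.
    The alternation pattern is split on '|' and the leading '^' anchor dropped."""
    stanzas = []
    for m in STANZA_RE.finditer(conf):
        pattern, body = m.group(1), m.group(2)
        paths = [p.lstrip("^") for p in pattern.split("|") if p]
        vc = VERIFY_RE.search(body)
        stanzas.append((paths, vc.group(1) if vc else "unset"))
    return stanzas


def exposure_map(conf):
    """Map each proxied path to its NSSVerifyClient value. If a path appears in
    more than one stanza the later one wins, mirroring Apache's merge order."""
    exposed = {}
    for paths, vc in parse_stanzas(conf):
        for p in paths:
            exposed[p] = vc
    return exposed


def check_client_auth(conf, must_require):
    """Paths that the page says need client auth but are reachable with
    NSSVerifyClient other than 'require' (or not proxied at all)."""
    exposed = exposure_map(conf)
    return sorted(p for p in must_require if exposed.get(p) != "require")


def missing_paths(conf, required):
    """Paths the RA installation or SCEP flow needs that no stanza proxies."""
    exposed = exposure_map(conf)
    return sorted(p for p in required if p not in exposed)


if __name__ == "__main__":
    for path, vc in sorted(exposure_map(SAMPLE_CONF).items()):
        print(f"{path:45s} NSSVerifyClient {vc}")
    print("need client auth but lack it:",
          check_client_auth(SAMPLE_CONF, ["/ca/ee/ca/pkiclient", "/ca/agent/ca/doRevoke"]))
    print("not proxied:",
          missing_paths(SAMPLE_CONF, ["/ca/admin/ca/registerRaUser", "/ca/ee/ca/pkiclient"]))
```

Run it against the real file (`open("/etc/httpd/conf.d/ipa-pki-proxy.conf").read()`) with the list of servlets from step 4 to confirm that /ca/ee/ca/pkiclient ends up under `NSSVerifyClient require` after editing.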

How this works

  1. The client contacts the dogtag-RA and requests a pin (one-time password). This generates a pin request on the RA.
  2. An agent connects to the RA using a browser and provides an agent cert for authentication. The agent approves the pin request and a pin is generated.
  3. The agent provides the pin to the client in an out-of-band method (phone, email).
  4. The client router sends SCEP requests to enroll to the dogtag RA, providing the pin as the challenge password.
  5. The RA sends an agent-authenticated request to the IPA-CA to decode the SCEP message. The CA decodes the message and sends it back to the RA.
  6. The RA reads the decoded message from IPA and confirms that the pin is correct. If so, it passes an agent-authenticated request to the IPA-CA to perform the enrollment operation. The RA retrieves the issued cert.
  7. The RA deletes the pin from its database.
  8. The RA provides the cert to the client router.

Problems

  1. RA maintains its own identity store of authorized agents. This means dual maintenance of identity information (ipa and ra).
  2. RA store is in sqlite - which has no real time replication mechanism (sqlite *has* an online, optimized replication mechanism -- see http://www.sqlite.org/backup.html. It would be enough to call the backup API from the RA)
  3. RA is in DMZ. Better not to have identity/pin info in the DMZ.

Long Term Solution

  1. IPA would be the location for identity and pin operations.
  2. Clients inside the firewall would connect directly to IPA.
  3. Clients outside the firewall would connect to a scaled down RA, which would simply proxy the requests to IPA.

How this works - clients inside firewall

  1. The user contacts IPA and provides Kerberos credentials. Through some UI or CLI command, he requests that router X be able to enroll via SCEP. As the user is authenticated as an agent, IPA generates a pin and provides it to the user.
  2. The router contacts IPA with the relevant pin in the SCEP request.
  3. IPA verifies the pin and sends an agent-authenticated SCEP request (from the extended IPA-RA plugin) to the IPA-CA.
  4. The IPA-CA issues the cert.
  5. IPA returns the cert to the client router.

How this works - clients outside firewall

  1. The client contacts the new dummy RA in the DMZ and requests a pin.
  2. The pin request is proxied to IPA.
  3. The agent contacts IPA and provides Kerberos credentials. Through some UI or CLI command, he lists the pending pin requests and approves the pin request. IPA generates a pin and displays it. The agent provides the pin to the client in an out-of-band manner.
  4. The router contacts the RA with the relevant pin in the SCEP request.
  5. The RA proxies this request to IPA.
  6. IPA verifies the pin and sends an agent-authenticated SCEP request (from the extended IPA-RA plugin) to the IPA-CA.
  7. The IPA-CA issues the cert.
  8. IPA returns the cert to the RA, which returns it to the client router.