On Wed, Dec 16, 2015 at 11:11:42AM +0100, Martin Kosek wrote:
> On 12/16/2015 09:17 AM, Jan Cholasta wrote:
> > On 16.12.2015 08:54, Martin Kosek wrote:
> >>> 7. cert-request fetches the configuration for the specified sub-CA, or the default sub-CA if none was specified, from LDAP
> >>> 8. cert-request forwards the request to the certmonger CA helper specified in the LDAP configuration over D-Bus (this is the D-Bus method that currently does not exist and needs to be implemented)
> >>> 9. certmonger executes the specified CA helper to handle the request
> >>> 10. the CA helper requests the certificate from the CA and returns either the certificate, wait delay or error
> >>> 11. certmonger returns the result back to cert-request
> >> These steps are subject to Fraser's question (and I am curious too), i.e.:
> >> - how is authentication done? certmonger runs with the FreeIPA server host principal.
> > We are on the server, so the RA agent cert is used to authenticate to Dogtag as usual, and whatever authentication is configured for other CAs is used for other CAs.
> Right, this is how it works now. However, in FreeIPA 4.4 or later, we plan to switch to GSSAPI authentication with Dogtag to get better authorization. But maybe this could be done via S4U2Proxy as Fraser suggested, although in this case it would be more complicated, as certmonger itself does not have access to the user's HTTP/ipa.server ticket like Apache does, given that Apache would contact certmonger via DBUS.
If I am not mistaken, Certmonger already uses host credentials, so the
IPA framework can S4U2Proxy to get a user ticket for Certmonger, then
Certmonger can S4U2Proxy to get a user ticket for Dogtag.
Big +1 to the fact that we are pushing away from the RA cert to GSS-API
for authenticating to Dogtag.
> >> - how will we handle the 3-step certificate request, i.e.:
> >> - certificate is requested and in moderation/wait queue
> >> - request has to be acked by Dogtag administrator (we do not have API yet)
> >> - client should be able to ask for generated certificate
> > This is not really related to my proposal, since we have to figure this out for our Dogtag IPA CA anyway, but the CA helper can return a wait delay in this case, so certmonger can poll the request until it is approved.
> >>> 12. cert-request returns the result back to IPA CA helper on the client
> >>> 13. the IPA CA helper on the client returns the result back to certmonger
> >>> 14. if the result was wait delay, certmonger waits and then retries the request from step 4, otherwise it stores the certificate or sets error status
> >> Right, 12-14 is again the standard flow. Good summary of the steps!
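The two-hop constrained delegation described in this message (HTTP/ipa.server obtains a ticket to certmonger's host principal on the user's behalf, then the host principal obtains one to the Dogtag service) is expressed in FreeIPA as ipaKrb5DelegationACL entries under cn=s4u2proxy,cn=etc,<suffix>, which the IPA KDC backend consults before granting an S4U2Proxy request. The LDIF below is an added illustration, not taken from this thread or from the FreeIPA code base: the hostname, realm, suffix and entry names are constructed, and the second hop is hypothetical because the thread only proposes it.

```ldif
# Hop 1: the IPA web framework (HTTP service principal) may obtain
# user tickets for the host principal that certmonger runs as.
# All values below are constructed for illustration.
dn: cn=ipa-http-to-host-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-to-host-delegation
memberPrincipal: HTTP/ipa.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ipa-host-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=ipa-host-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-host-delegation-targets
memberPrincipal: host/ipa.example.com@EXAMPLE.COM

# Hop 2 (hypothetical, as proposed in the thread): the host principal
# may obtain user tickets for the Dogtag service only; no other target
# is listed, so certmonger cannot impersonate users toward LDAP or HTTP.
dn: cn=ipa-host-to-dogtag-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-host-to-dogtag-delegation
memberPrincipal: host/ipa.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ipa-dogtag-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=ipa-dogtag-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-dogtag-delegation-targets
memberPrincipal: dogtag/ipa.example.com@EXAMPLE.COM
```

The point of splitting the ACL into two entries is least privilege: each hop names exactly the principal allowed to delegate and exactly the service it may delegate to, so a leaked host keytab yields user tickets for Dogtag alone rather than for every IPA service. After loading such entries, the second hop can be checked from a credential cache holding the host principal with MIT's `kvno -U <user> -P dogtag/ipa.example.com`, which requests the ticket via S4U2Self followed by S4U2Proxy and fails if the ACL does not permit the target.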
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code