On Wed, Dec 16, 2015 at 11:11:42AM +0100, Martin Kosek wrote:
> On 12/16/2015 09:17 AM, Jan Cholasta wrote:
> > On 16.12.2015 08:54, Martin Kosek wrote:
> ...
> >>>   7. cert-request fetches the configuration for the specified sub-CA,
> >>> or the
> >>> default sub-CA if none was specified, from LDAP
> >>>
> >>>   8. cert-request forwards the request to the certmonger CA helper
> >>> specified in
> >>> the LDAP configuration over D-Bus (this is the D-Bus method that
> >>> currently does
> >>> not exist and needs to be implemented)
> >>>
> >>>   9. certmonger executes the specified CA helper to handle the request
> >>>
> >>>   10. the CA helper requests the certificate from the CA and returns
> >>> either the
> >>> certificate, wait delay or error
> >>>
> >>>   11. certmonger returns the result back to cert-request
> >>
> >> These steps are subject to Fraser's question (and I am curious too), i.e.:
> >>
> >> - how is authentication done? certmonger runs with FreeIPA server host
> >> principal.
> > 
> > We are on the server, so the RA agent cert is used to authenticate to 
> > Dogtag as
> > usual, and whatever authentication is configured for other CAs is used for
> > other CAs.
> 
> Right, this is how it works now. However, in FreeIPA 4.4 or later, we plan to
> switch GSSAPI authentication with Dogtag to get better authorization 
> capabilities:
> 
> https://fedorahosted.org/freeipa/ticket/5011
> 
> But maybe this could be done via S4U2Proxy as Fraser suggested, although in
> this case it would be more complicated as certmonger itself does not have
> access to user HTTP/ipa.server ticket, like Apache does, given that Apache
> would contact certmonger via DBUS.
> 
If I am not mistaken, Certmonger already uses host credentials, so
IPA framework can S4U2Proxy to get user ticket for Certmonger, then
Certmonger can S4U2Proxy to get user ticket for Dogtag.

Big +1 to the fact that we are pushing away from RA cert to GSS-API
for authenticating to Dogtag.

> > 
> >> - how will we handle 3-step certificate request, i.e.:
> >>    - certificate is requested and in moderation/wait queue
> >>    - request have to be acked by Dogtag administrator (we do not have
> >> API yet)
> >>    - client should be able to ask for generated certificate
> > 
> > This is not really related to my proposal, since we have to figure this out 
> > for
> > our Dogtag IPA CA anyway, but the CA helper can return a wait delay in this
> > case, so certmonger can poll the request until it is approved.
> 
> Ok.
> 
> >>>   12. cert-request returns the result back to IPA CA helper on the client
> >>>
> >>>   13. the IPA CA helper on the client returns the result back to
> >>> certmonger
> >>>
> >>>   14. if the result was wait delay, certmonger waits and then retries the
> >>> request from step 4, otherwise it stores the certificate or sets error
> >>> status
> >>>
> >>
> >> Right, 12-14 is again the standard flow. Good summary of the steps!

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
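The two-hop delegation sketched above (IPA framework obtains a ticket for certmonger on the user's behalf, certmonger in turn obtains one for Dogtag) only works if the KDC permits each hop. The following is an added example, not FreeIPA, certmonger or Dogtag code: it models the KDC-side constrained-delegation check that every S4U2Proxy hop has to pass, and walks the chain user -> HTTP/ipa.server -> host/ipa.server -> Dogtag. The realm, the user and the `dogtag/...` service principal name are constructed assumptions.

```python
"""Model of the two-hop S4U2Proxy chain from the thread (added example, not project code).

A service may obtain a ticket in a user's name only to targets it is
explicitly allowed to delegate to, and only when it holds a forwardable
evidence ticket for that user. Realm and principal names are constructed.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.TEST"                               # constructed realm
USER = f"alice@{REALM}"                              # constructed user principal
HTTP_SVC = f"HTTP/ipa.server.example.test@{REALM}"   # IPA framework (Apache) principal
HOST_SVC = f"host/ipa.server.example.test@{REALM}"   # certmonger's host credentials
CA_SVC = f"dogtag/ipa.server.example.test@{REALM}"   # assumed name for the Dogtag CA service


@dataclass(frozen=True)
class Ticket:
    """Service ticket issued for `client`, addressed to `service`."""
    client: str
    service: str
    forwardable: bool


@dataclass
class DelegationPolicy:
    """delegator principal -> set of target principals it may impersonate users to."""
    rules: dict[str, set[str]] = field(default_factory=dict)

    def allow(self, delegator: str, target: str) -> None:
        self.rules.setdefault(delegator, set()).add(target)

    def permits(self, delegator: str, target: str) -> bool:
        return target in self.rules.get(delegator, set())


class KDC:
    """Minimal KDC that only implements the S4U2Proxy decision."""

    def __init__(self, policy: DelegationPolicy) -> None:
        self.policy = policy

    def s4u2proxy(self, delegator: str, evidence: Ticket, target: str) -> Ticket:
        """`delegator` presents the user's ticket to itself (evidence) and asks
        for a ticket to `target` in the user's name."""
        if evidence.service != delegator:
            raise PermissionError("evidence ticket is not addressed to the delegating service")
        if not evidence.forwardable:
            raise PermissionError("evidence ticket is not forwardable")
        if not self.policy.permits(delegator, target):
            raise PermissionError(f"{delegator} may not delegate to {target}")
        # The issued ticket still names the original user, so the target
        # service can authorize on the user rather than on the delegator.
        return Ticket(client=evidence.client, service=target, forwardable=True)


def cert_request_chain(kdc: KDC, user_to_http: Ticket) -> Ticket:
    """Chain from the thread: Apache (HTTP/...) -> certmonger (host/...) -> Dogtag."""
    # Hop 1: the IPA framework, running as HTTP/..., gets a ticket for certmonger.
    to_certmonger = kdc.s4u2proxy(HTTP_SVC, user_to_http, HOST_SVC)
    # Hop 2: certmonger, holding host/... credentials, gets a ticket for Dogtag.
    return kdc.s4u2proxy(HOST_SVC, to_certmonger, CA_SVC)


def run(allow_hop2: bool = True, forwardable: bool = True) -> str:
    """Return the identity Dogtag would see, or the reason the chain was refused."""
    policy = DelegationPolicy()
    policy.allow(HTTP_SVC, HOST_SVC)
    if allow_hop2:
        policy.allow(HOST_SVC, CA_SVC)
    kdc = KDC(policy)
    user_ticket = Ticket(client=USER, service=HTTP_SVC, forwardable=forwardable)
    try:
        return cert_request_chain(kdc, user_ticket).client
    except PermissionError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print(run())                    # both hops allowed: Dogtag sees the user
    print(run(allow_hop2=False))    # certmonger not allowed to delegate to the CA
    print(run(forwardable=False))   # user's ticket to Apache was not forwardable
```

The point the model makes is that the second hop is a separate policy decision: allowing Apache to delegate to the host principal does not let certmonger impersonate users to Dogtag unless that target is also granted, so the CA keeps seeing the user identity rather than the host's. In FreeIPA this policy is expressed with service delegation rules and targets (the `ipa servicedelegationrule-*` and `ipa servicedelegationtarget-*` commands).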