[Pki-devel] Using Dogtag REST API
Hi there,

I created a small python script that just does a "certreqs". Here is the result:

python3 ./test.py
{"requestState": "pending", "requestType": "any", "start": 5, "pageSize": 0, "maxTime": 100}
Status 200
{'total': 10, 'entries': [
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/1', 'realm': None, 'certId': '0x1', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/1', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/2', 'realm': None, 'certId': '0x2', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/2', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/3', 'realm': None, 'certId': '0x3', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/3', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/4', 'realm': None, 'certId': '0x4', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/4', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/5', 'realm': None, 'certId': '0x5', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/5', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/6', 'realm': None, 'certId': '0x6', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/6', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/7', 'realm': None, 'certId': None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/8', 'realm': None, 'certId': None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/9', 'realm': None, 'certId': '0x7', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/7', 'certRequestType': 'keygen', 'operationResult': 'success', 'errorMessage': None},
 {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 'https://auth.iamts.fr:8443/ca/rest/certrequests/10', 'realm': None, 'certId': '0x8', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/8', 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': None}
 ], 'Link': []}
[pascal@dell pki_ui]$

This raises 2 questions.
1/ I requested "pending" cert reqs. But I get also "complete" reqs. Any idea why?
2/ I set the start field to 5, but I receive all requests. Again why is that?
Thxs again for your help

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19

test.py:

    import requests

    # The request listing endpoint reads its filters (requestState, requestType,
    # start, pageSize, maxTime) from the URL query string, so they have to be
    # sent with params=. A JSON body on a GET is not read by the server, which
    # then lists with its default filter.
    #reqData = {"requestState": "pending", "requestType": "any", "start": 0, "pageSize": 30, "maxTime": 100}
    reqData = {"requestState": "pending", "requestType": "any", "start": 5, "pageSize": 0, "maxTime": 100}

    url = "https://auth.iamts.fr:8443/ca/rest/agent/certrequests"
    headers = {'Accept': 'application/json'}

    # CA chain to verify the server, and the agent's client certificate and key
    # for the TLS client-auth that the agent endpoint requires.
    cacertfile = '/etc/pki/tls/certs/ca_cert.crt.pem'
    certfile = '/etc/pki/tls/certs/ca_admin_cert.crt.pem'
    keyfile = '/etc/pki/tls/private/ca_admin_cert.key.pem'

    print(reqData)
    resp = requests.get(url, headers=headers, params=reqData,
                        verify=cacertfile, cert=(certfile, keyfile))
    print('Status {}'.format(resp.status_code))
    if resp.status_code == 200:
        print(resp.json())

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
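The symptom in the post (a filter that is apparently ignored) is what you get when the filter travels in the body of a GET instead of in the query string. The following is an added example, not code from the post or from Dogtag: it prepares both forms of the request without sending anything and shows what query parameters the server would actually see, then checks a returned page against the state that was requested. The endpoint URL and field names are the ones from the post; the sample page is constructed from three of the ten entries; that the listing resource reads its filters as JAX-RS query parameters is an assumption about Dogtag's REST layer.

```python
import json
from urllib.parse import parse_qs, urlsplit

import requests

# Endpoint from the post. Nothing in this file contacts it: the requests
# are only prepared so that URL and body can be inspected offline.
LISTING_URL = "https://auth.iamts.fr:8443/ca/rest/agent/certrequests"

# The filter the script tried to apply (pageSize 30 from the commented-out
# variant in the post, so that a real page would not be empty).
FILTER = {"requestState": "pending", "requestType": "any",
          "start": 5, "pageSize": 30, "maxTime": 100}


def prepare_listing(url, filt, as_body):
    """Build, without sending, the GET a client would issue.

    as_body=True reproduces the original script: the filter is serialised
    into a JSON request body. as_body=False puts it into the query string,
    which is where a JAX-RS @QueryParam endpoint (assumed here for the
    Dogtag request listing) looks for it.
    """
    if as_body:
        req = requests.Request(
            "GET", url,
            headers={"Accept": "application/json",
                     "Content-Type": "application/json"},
            data=json.dumps(filt))
    else:
        req = requests.Request(
            "GET", url, headers={"Accept": "application/json"}, params=filt)
    return req.prepare()


def query_params(prepared):
    """Query parameters the server will see, as a flat dict of strings."""
    query = urlsplit(prepared.url).query
    return {k: v[0] for k, v in parse_qs(query).items()}


def entries_off_filter(page, requested_state):
    """requestURLs of entries whose requestStatus contradicts the filter.

    A non-empty result means the server did not apply the requested state,
    which is the symptom described in the post.
    """
    return [e["requestURL"] for e in page["entries"]
            if e["requestStatus"] != requested_state]


# Constructed sample in the shape of the post's output (three of the ten
# entries, with the fields relevant here); not a live response.
SAMPLE_PAGE = {
    "total": 3,
    "entries": [
        {"requestType": "enrollment", "requestStatus": "complete",
         "requestURL": "https://auth.iamts.fr:8443/ca/rest/certrequests/6",
         "certId": "0x6", "certRequestType": "pkcs10"},
        {"requestType": "enrollment", "requestStatus": "pending",
         "requestURL": "https://auth.iamts.fr:8443/ca/rest/certrequests/7",
         "certId": None, "certRequestType": "keygen"},
        {"requestType": "enrollment", "requestStatus": "pending",
         "requestURL": "https://auth.iamts.fr:8443/ca/rest/certrequests/8",
         "certId": None, "certRequestType": "keygen"},
    ],
    "Link": [],
}


if __name__ == "__main__":
    body_req = prepare_listing(LISTING_URL, FILTER, as_body=True)
    query_req = prepare_listing(LISTING_URL, FILTER, as_body=False)
    print("data=   ->", body_req.url, "| query:", query_params(body_req),
          "| body:", body_req.body)
    print("params= ->", query_req.url, "| query:", query_params(query_req),
          "| body:", query_req.body)
    print("entries not matching 'pending':",
          entries_off_filter(SAMPLE_PAGE, "pending"))
```

With data= the prepared URL carries no query string at all and the filter sits in a body that a GET handler never reads; with params= the same dict becomes requestState=pending&start=5&... on the URL. Running entries_off_filter over a real page after switching to params= is a quick way to confirm the server is now honouring the state filter.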
Re: [Pki-devel] SSO
I would be interested in trying this.

1/ Is there a list of the "environment variables" (I guess these are HTML headers) that dogtag needs? Did not find it.
2/ If I set up an Apache reverse proxy, do I still need to insert an admin certificate in the browser's wallet?

Thanks!
P

On 03/07/2020 at 05:05, Fraser Tweedale wrote:
> On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for SSO though.
> >
> Although the design doc is called GSS-API Authentication, the feature is actually more general than that. If you put Dogtag behind a web frontend (e.g. Apache), you can authenticate users via SAML or OIDC and convey the appropriate environment variables, and it will work. Dogtag just sees an external principal and their groups conveyed via AJP request attributes.
>
> Cheers,
> Fraser
>
> > My 2c,
> >
> > - Alex
> >
> > ----- Original Message -----
> > From: "Dinesh Prasanth Moluguwan Krishnamoorthy"
> > To: "Pascal Jakobi"
> > Cc: pki-devel@redhat.com
> > Sent: Thursday, July 2, 2020 11:18:53 AM
> > Subject: Re: [Pki-devel] SSO
> >
> > Pascal,
> >
> > I don't think Dogtag Web UI supports it. The feature you are suggesting (sounds to me like it) requires a full fledged IDM deployment. You can look at FreeIPA, if you are looking for MFA. FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend to issue certs and also combines several other components to offer a full-fledged IDM deployment.
> >
> > Nonetheless, I'm CC'ing pki-devel to see if other developers have any thoughts.
> >
> > Regards,
> > --Dinesh
> >
> > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi wrote:
> > > Dinesh
> > >
> > > In fact all I am doing here is in order to offer a GUI that may be used with OpenId Connect (ie Keycloak or so...). The value of this is that it is much more flexible than certificate based authentication. You can have MFA, etc
> > >
> > > So my question: is there a way to remove the certificate based access control in Dogtag's UI? I would replace it with a tomcat valve that provides OIDC support.
> > >
> > > Best
> > > --
> > > *Pascal Jakobi*

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19
Re: [Pki-devel] SSO
No, it does not require IPA. It does require something like Keycloak or equivalent (an OpenID Connect Provider). Generally those OPs provide features such as MFA or Identity Federation. And there are valves that provide OIDC support on the application side.

Best
P

On 02/07/2020 at 17:18, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Pascal,
>
> I don't think Dogtag Web UI supports it. The feature you are suggesting (sounds to me like it) requires a full fledged IDM deployment. You can look at FreeIPA, if you are looking for MFA. FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend to issue certs and also combines several other components to offer a full-fledged IDM deployment.
>
> Nonetheless, I'm CC'ing pki-devel to see if other developers have any thoughts.
>
> Regards,
> --Dinesh
>
> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <mailto:pascal.jak...@gmail.com> wrote:
> > Dinesh
> >
> > In fact all I am doing here is in order to offer a GUI that may be used with OpenId Connect (ie Keycloak or so...). The value of this is that it is much more flexible than certificate based authentication. You can have MFA, etc
> >
> > So my question: is there a way to remove the certificate based access control in Dogtag's UI? I would replace it with a tomcat valve that provides OIDC support.
> >
> > Best
> > --
> > *Pascal Jakobi*

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19