[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-07 Thread Rob Crittenden via FreeIPA-users
Jochen Hein wrote:
> Jochen Hein via FreeIPA-users writes:
> 
>> Rob Crittenden via FreeIPA-users writes:
>>
>>> So theoretically certmonger could for example, track PEM files in the
>>> filesystem and upon renewal run a post script to import the updated cert
>>> into the java keystore.
>>
>> This is my current script to get a cert from IPA, which is tracked by
>> certmonger.  I've yet to test refreshing a certificate, but the steps
>> manually did work (I expect some SELinux woes...):
> 
> Exactly as I thought, I got an AVC denial:
> 
>> # Get a certificate and key from IPA
>> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
>> #   -k /etc/pki/tls/private/saml.example.org.key \
>> #   -N CN=saml.example.org \
>> #   -D saml.example.org \
>> #   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
>> ##   -C ""
> 
> type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> 
> I stored my refresh script in /root and might have some luck with
> chcon.  But is there a location, for example in /etc, that would give my
> script the needed rights?  None of the examples I've looked at in the IdM
> manual used -C, and there was no discussion of SELinux labels.
> 
> certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:
> 
> # ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd
> 
> Once I label my script with bin_t I get more denials, so probably not
> the right thing to do:
> 
> type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for  pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for  pid=18555 comm="certmonger" name="saml.jochen.org.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
> 
> Is there some documentation where the admin should store his scripts and
> how to label them that I missed?
> 
> I found certmonger_selinux, but that's too abstract for me. 
> 
> The (probably too big) hammer made it work for me:
> 
> # chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

I think your best bet is to move this into /usr/libexec/ipa/certmonger,
or some other place within /usr/libexec (which the FHS designates as a
place for binaries run by other programs).

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an 

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-06 Thread Jochen Hein via FreeIPA-users
Jochen Hein via FreeIPA-users writes:

> Rob Crittenden via FreeIPA-users writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
> This is my current script to get a cert from IPA, which is tracked by
> certmonger.  I've yet to test refreshing a certificate, but the steps
> manually did work (I expect some SELinux woes...):

Exactly as I thought, I got an AVC denial:

> # Get a certificate and key from IPA
> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
> #   -k /etc/pki/tls/private/saml.example.org.key \
> #   -N CN=saml.example.org \
> #   -D saml.example.org \
> #   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
> ##   -C ""

type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

I stored my refresh script in /root and might have some luck with
chcon.  But is there a location, for example in /etc, that would give my
script the needed rights?  None of the examples I've looked at in the IdM
manual used -C, and there was no discussion of SELinux labels.

certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:

# ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd

Once I label my script with bin_t I get more denials, so probably not
the right thing to do:

type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for  pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for  pid=18555 comm="certmonger" name="saml.jochen.org.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Is there some documentation where the admin should store his scripts and
how to label them that I missed?

I found certmonger_selinux, but that's too abstract for me. 

The (probably too big) hammer made it work for me:

# chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote:
> Hi,
> 
> On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote:
> 
>> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users 
>> wrote:
>>> I'm playing around with keycloak and wanted to use an SSL certificate
>>> from IPA. I've looked around but didn't see any howto about using java
>>> keytool with ipa-getcert. Does anyone have experience with it?
>>>
>> Might as well jump straight to commands/logs :)
> 
> I did some more research yesterday and finally got a certificate
> along the following lines:
> 
> - Generate a java keystore with keytool as described in the keycloak docs.
> - Generate a csr with keytool and paste it into Freeipa.
> - Got a certificate back from Freeipa.
> - Import the certificate into keytool (again keycloak docs).
> 
> My first tries had the cert attributes wrong, but I think I now got it right,
> but need to check with chrome to be sure. I'll post my steps later.
> 
> I was not successful in creating a certificate with ipa-getcert and
> importing the key into keytool. But I'll try to get something monitored by
> certmonger - otherwise I'm sure the cert would expire... 

certmonger doesn't support storing certificates in a java keystore.

certmonger has the concept of pre and post renewal scripts so you can,
for example, stop or start a service, or import a renewed certificate
somewhere else (IPA uses this to store a copy of some certificates in LDAP).

So theoretically certmonger could, for example, track PEM files in the
filesystem and upon renewal run a post script to import the updated cert
into the java keystore.

The tricky bit might be in dealing with the CSR. certmonger needs the
private key in order to do the renewal.

I guess one thing you could do is a straight ipa-getcert -f
/path/to/cert.pem -k /path/to/key.pem ...  -C
/path/to/your/post/script

Then take the resulting PEM files, create a PKCS#12 file out of them,
and import that into your java keystore. Then all renewals will run that
post-script, which you can set up to update the cert in the java keystore.
I guess.

I don't know much at all about java so there is a lot of hand waving
going on. I hope some of it makes some sense/is doable.

rob
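The post-save hook Rob sketches above (PEM cert and key tracked by ipa-getcert, a PKCS#12 built from them, then imported into the Java keystore), written out as an added example for this thread; it is not code from FreeIPA, certmonger or Keycloak. The keystore path, alias, password file and service unit are assumptions, and, per Rob's later answer to the SELinux denials, the script is meant to live under /usr/libexec rather than /root.

```shell
#!/bin/sh
# certmonger post-save hook (ipa-getcert ... -C /usr/libexec/refresh_keycloak_certificate):
# rebuild a PKCS#12 from the tracked PEM cert/key and swap it into the Java keystore.
# Example for this thread, not FreeIPA/certmonger/Keycloak code; paths below are assumed.
set -eu

CERT=/etc/pki/tls/certs/saml.example.org.crt                  # -f of ipa-getcert
KEY=/etc/pki/tls/private/saml.example.org.key                 # -k of ipa-getcert
KEYSTORE=/opt/keycloak/standalone/configuration/keystore.jks  # assumed keystore
ALIAS=saml.example.org
STOREPASS_FILE=/etc/keycloak/keystore.pass                    # assumed, root-only 0600

# refresh_keystore CERT KEY KEYSTORE ALIAS STOREPASS
# Replaces ALIAS in KEYSTORE with the pair CERT/KEY; returns 1 without touching
# the keystore if the key does not match the cert (e.g. a half-finished renewal).
refresh_keystore() {
    cert=$1 key=$2 keystore=$3 alias=$4 storepass=$5
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refresh_keystore: $key does not match $cert" >&2
        return 1
    fi
    # Temporary PKCS#12 beside the keystore. That directory needs a label
    # certmonger_t may write to (the thread's AVCs show usr_t and admin_home_t
    # are refused); confirm with 'ausearch -m AVC' after the first renewal.
    tmp=$(mktemp "$(dirname "$keystore")/.refresh.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
        -out "$tmp" -passout "pass:$storepass"
    # keytool will not overwrite an existing alias, so drop the old entry first.
    if keytool -list -keystore "$keystore" -storepass "$storepass" \
            -alias "$alias" >/dev/null 2>&1; then
        keytool -delete -alias "$alias" -keystore "$keystore" -storepass "$storepass"
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp" -srcstoretype PKCS12 -srcstorepass "$storepass" \
        -srcalias "$alias" -destkeystore "$keystore" -deststorepass "$storepass" \
        -destalias "$alias"
    rm -f "$tmp"
}

# Act only when certmonger executes the installed script; when the file is
# sourced or run under another name (e.g. in a test) it just defines the function.
if [ "$(basename "$0")" = refresh_keycloak_certificate ]; then
    refresh_keystore "$CERT" "$KEY" "$KEYSTORE" "$ALIAS" "$(cat "$STOREPASS_FILE")"
    systemctl restart keycloak   # assumed unit name; Keycloak reads the keystore at start
fi
```

The public-key comparison before the export means a renewal that rotated the key but has not yet written the matching cert is refused instead of landing a broken pair in the keystore.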


[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Kellner via FreeIPA-users
Hi,

On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote:

> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
>> I'm playing around with keycloak and wanted to use an SSL certificate
>> from IPA. I've looked around but didn't see any howto about using java
>> keytool with ipa-getcert. Does anyone have experience with it?
>> 
> Might as well jump straight to commands/logs :)

I did some more research yesterday and finally got a certificate
along the following lines:

- Generate a java keystore with keytool as described in the keycloak docs.
- Generate a csr with keytool and paste it into Freeipa.
- Got a certificate back from Freeipa.
- Import the certificate into keytool (again keycloak docs).

My first tries had the cert attributes wrong, but I think I now got it right,
but need to check with chrome to be sure. I'll post my steps later.

I was not successful in creating a certificate with ipa-getcert and
importing the key into keytool. But I'll try to get something monitored by
certmonger - otherwise I'm sure the cert would expire... 

Jochen


[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
> 
> Hi,
> 
> I'm playing around with keycloak and wanted to use an SSL certificate
> from IPA.  I've looked around but didn't see any howto about using java
> keytool with ipa-getcert. Does anyone have experience with it?
> 
> I was not successful adding key/cert created by certmonger into keytool,
> and also not successful signing a csr from keytool with IPA. If no one
> has hints, I'll try again and provide commands/logs...
> 
> Jochen
>
Hi Jochen,

Might as well jump straight to commands/logs :)

Cheers,
Fraser