[Freeipa-users] Re: ipa-getcert and java certstore/keytool

Jochen Hein wrote:
> Jochen Hein via FreeIPA-users writes:
>
>> Rob Crittenden via FreeIPA-users writes:
>>
>>> So theoretically certmonger could for example, track PEM files in the
>>> filesystem and upon renewal run a post script to import the updated cert
>>> into the java keystore.
>>
>> This is my current script to get a cert from IPA, which is tracked by
>> certmonger. I've yet to test refreshing a certificate, but the steps
>> manually did work (I expect some SELinux woes...):
>
> Exactly as I thought, I got an AVC denied:
>
>> # Get a certificate and key from IPA
>> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
>> #    -k /etc/pki/tls/private/saml.example.org.key \
>> #    -N CN=saml.example.org \
>> #    -D saml.example.org \
>> #    -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
>> ##   -C ""
>
> type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for
>   pid=7057 comm="certmonger" name="refresh_keycloak_certificate"
>   dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0
>   tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> I stored my refresh script in /root and might have some luck with
> chcon. But is there a location, for example in /etc, that would give my
> script the needed rights? No examples I've looked at in the IdM manual
> used -C and no discussion about SELinux labels.
>
> certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:
>
> # ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd
>
> Once I label my script with bin_t I get more denials, so probably not
> the right thing to do:
>
> type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for
>   pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131
>   scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
>   tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for
>   pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for
>   pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for
>   pid=18555 comm="certmonger" name="saml.jochen.org.key"
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for
>   pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for
>   pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for
>   pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1"
>   ino=36338210 scontext=system_u:system_r:certmonger_t:s0
>   tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for
>   pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for
>   pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for pid=3854
>   comm="keytool" name="cpu" dev="sysfs" ino=33
>   scontext=system_u:system_r:certmonger_t:s0
>   tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
>
> Is there some documentation where the admin should store his scripts and
> how to label them that I missed?
>
> I found certmonger_selinux, but that's too abstract for me.
>
> The (probably too big) hammer made it work for me:
>
> # chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

I think your best bet is to move this into /usr/libexec/ipa/certmonger, or
some other place within /usr/libexec (which the FHS designates as a place
for binaries run by other programs).

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
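Added example, not code from the thread: a small sh/awk triage of the AVC records Jochen posted, to separate the one denial that Rob's advice (move the hook under /usr/libexec, where it gets bin_t) actually cures, namely certmonger_t executing an admin_home_t file, from the denials that it does not: the hook, still running as certmonger_t, writing into usr_t and admin_home_t directories and keytool reading sysfs. Those remaining ones need either a target the domain may already write or a local policy module. The sample records are constructed from the thread's own log lines (collapsed to one record per line), and the function names are mine.

```shell
#!/bin/sh
# Triage SELinux AVC denials for a certmonger post-save hook.
# Added example for this thread; helper names are the author's own.
set -eu

# Constructed sample input: the records quoted in the thread. The first one
# comes from oddjob_mkhomedir, not certmonger, and should be filtered out.
SAMPLE_AVCS='type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for  pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir'

# avc_summary DOMAIN: read audit records on stdin and print one line per
# distinct "comm perm tclass target-type" whose source type is DOMAIN.
# Duplicate records (the same hook run several times) collapse to one line.
avc_summary() {
    awk -v dom="$1" '
        /^type=AVC/ {
            perm = ""; comm = ""; sctx = ""; tctx = ""; cls = ""
            # the permission list sits between braces: "{ write }" or "{ read write }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
                gsub(/ /, ",", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
                else if (kv[1] == "scontext") sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            # contexts are user:role:type[:range]; the type is the third field
            split(sctx, s, ":"); split(tctx, t, ":")
            if (s[3] == dom) print comm, perm, cls, t[3]
        }' | sort -u
}

# suggest_fix: read summary lines and say which kind of fix each one needs.
# Only an "execute" denial on the hook file itself is cured by relabelling
# or moving the script (a bin_t location such as /usr/libexec). Everything
# else is about what the hook touches while it runs as certmonger_t, so the
# target has to move somewhere the domain may already write, or the access
# has to be granted by a local policy module.
suggest_fix() {
    while read -r comm perm cls ttype; do
        if [ "$perm" = execute ] && [ "$cls" = file ]; then
            echo "move-to-libexec: $comm may not execute a $ttype file"
        else
            echo "policy-or-relocate: $comm needs $perm on $cls of type $ttype"
        fi
    done
}

# Usage, e.g. on the live audit log instead of the sample:
#   ausearch -m AVC -ts recent | avc_summary certmonger_t | suggest_fix
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_AVCS" | avc_summary certmonger_t | suggest_fix
fi
```

For the "policy-or-relocate" lines the usual route is a local module built from the live records, for instance `ausearch -m AVC -ts recent | audit2allow -M certmonger_keycloak` followed by `semodule -i certmonger_keycloak.pp`, after reading the generated .te file to make sure it only grants what the hook needs. The thread's `certmonger_unconfined_exec_t` label works because it removes the confinement for the whole hook, which is what "too big a hammer" means here.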
[Freeipa-users] Re: ipa-getcert and java certstore/keytool

Jochen Hein via FreeIPA-users writes:

> Rob Crittenden via FreeIPA-users writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
> This is my current script to get a cert from IPA, which is tracked by
> certmonger. I've yet to test refreshing a certificate, but the steps
> manually did work (I expect some SELinux woes...):

Exactly as I thought, I got an AVC denied:

> # Get a certificate and key from IPA
> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
> #    -k /etc/pki/tls/private/saml.example.org.key \
> #    -N CN=saml.example.org \
> #    -D saml.example.org \
> #    -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
> ##   -C ""

type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for
  pid=7057 comm="certmonger" name="refresh_keycloak_certificate"
  dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0
  tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

I stored my refresh script in /root and might have some luck with
chcon. But is there a location, for example in /etc, that would give my
script the needed rights? No examples I've looked at in the IdM manual
used -C and no discussion about SELinux labels.

certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:

# ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd

Once I label my script with bin_t I get more denials, so probably not
the right thing to do:

type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for
  pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131
  scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
  tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for
  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for
  pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for
  pid=18555 comm="certmonger" name="saml.jochen.org.key"
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for
  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for
  pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for
  pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1"
  ino=36338210 scontext=system_u:system_r:certmonger_t:s0
  tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for
  pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for
  pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for pid=3854
  comm="keytool" name="cpu" dev="sysfs" ino=33
  scontext=system_u:system_r:certmonger_t:s0
  tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Is there some documentation where the admin should store his scripts and
how to label them that I missed?

I found certmonger_selinux, but that's too abstract for me.

The (probably too big) hammer made it work for me:

# chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

Jochen
-- 
This space is intentionally left blank.
[Freeipa-users] Re: ipa-getcert and java certstore/keytool

Jochen Kellner via FreeIPA-users wrote:
> Hi,
>
> On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote:
>
>> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users
>> wrote:
>>> I'm playing around with keycloak and wanted to use an SSL certificate
>>> from IPA. I've looked around but didn't see any howto about using java
>>> keytool with ipa-getcert. Has someone experience with it?
>>>
>> Might as well jump straight to commands/logs :)
>
> I did some more research yesterday and finally got a certificate
> along the following lines:
>
> - Generate a java keystore with keytool as described in the keycloak docs.
> - Generate a csr with keytool and paste it into Freeipa.
> - Got a certificate back from Freeipa.
> - Import the certificate into keytool (again keycloak docs).
>
> My first tries had the cert attributes wrong, but I think I now got it right,
> but need to check with chrome to be sure. I'll post my steps later.
>
> I was not successful in creating a certificate with ipa-getcert and
> import the key into keytool. But I'll try to get something monitored by
> certmonger - otherwise I'm sure the cert would expire...

certmonger doesn't support storing certificates in a java keystore.

certmonger has the concept of pre and post renewal scripts so you can, for
example, stop or start a service, or import a renewed certificate somewhere
else (IPA uses this to store a copy of some certificates in LDAP).

So theoretically certmonger could for example, track PEM files in the
filesystem and upon renewal run a post script to import the updated cert
into the java keystore.

The tricky bit might be in dealing with the CSR. certmonger needs the
private key in order to do the renewal.

I guess one thing you could do is a straight

  ipa-getcert -f /path/to/cert.pem -k /path/to/key.pem ... -C /path/to/your/post/script

Then take the resulting PEM files, create a PKCS#12 file out of them, and
import that into your java keystore.

Then all renewals will run that post-script which you can set up to update
the cert in the java keystore.

I guess. I don't know much at all about java so there is a lot of hand
waving going on. I hope some of it makes some sense/is doable.

rob
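The post-save hook Rob sketches (certmonger tracks the PEM files, the hook wraps them into a PKCS#12 bundle and imports that into the Java keystore), written out as an added example that is not a script from the thread. Only the certmonger -C mechanism and the openssl and keytool commands come from the thread; the file paths, the keystore location and alias, the password file, the keycloak service name, the `renew` argument and keytool's `:env` password forms are assumptions for the example.

```shell
#!/bin/sh
# refresh_keycloak_certificate: certmonger post-save hook (ipa-getcert -C).
# Added example written for this thread, not a script posted in it. Paths,
# alias, keystore, password file and service name are assumptions.
set -eu
umask 077

CERT=${CERT:-/etc/pki/tls/certs/saml.example.org.crt}
KEY=${KEY:-/etc/pki/tls/private/saml.example.org.key}
ALIAS=${ALIAS:-saml.example.org}
KEYSTORE=${KEYSTORE:-/opt/keycloak/standalone/configuration/keycloak.jks}
# Keystore password in a root-only file (assumed path), not on the command
# line where it would be visible in ps and in certmonger's own logging.
PASSFILE=${PASSFILE:-/etc/pki/tls/private/keycloak-keystore.pass}
SERVICE=${SERVICE:-keycloak}

# make_pkcs12 CERT KEY ALIAS OUT PASS: wrap a PEM certificate and key into a
# PKCS#12 file. keytool cannot import a bare PEM private key, so PKCS#12 is
# the bridge into the keystore. The password goes in via openssl's env: form.
make_pkcs12() {
    P12PASS=$5 openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
        -out "$4" -passout env:P12PASS
}

# import_keystore P12 KEYSTORE ALIAS PASS: replace ALIAS in KEYSTORE with the
# entry from P12. keytool refuses to overwrite an existing alias, so the old
# entry is removed first; the store and key use the same password here.
import_keystore() {
    KSPASS=$4
    export KSPASS
    keytool -delete -alias "$3" -keystore "$2" -storepass:env KSPASS \
        >/dev/null 2>&1 || true
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KSPASS \
        -srcalias "$3" -destkeystore "$2" -destalias "$3" \
        -deststorepass:env KSPASS -destkeypass:env KSPASS
}

# keystore_has_alias KEYSTORE ALIAS PASS: succeed only if the alias is present,
# so the service is not restarted onto a keystore the import did not update.
keystore_has_alias() {
    KSPASS=$3
    export KSPASS
    keytool -list -keystore "$1" -alias "$2" -storepass:env KSPASS >/dev/null 2>&1
}

main() {
    [ -r "$PASSFILE" ] || { echo "$0: cannot read $PASSFILE" >&2; exit 1; }
    pass=$(cat "$PASSFILE")
    # Build the temporary PKCS#12 next to the key: certmonger already writes
    # the key there, whereas the thread's temp.p12 in a usr_t directory was
    # denied for certmonger_t.
    tmp=$(mktemp "$(dirname "$KEY")/.refresh.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    make_pkcs12 "$CERT" "$KEY" "$ALIAS" "$tmp" "$pass"
    import_keystore "$tmp" "$KEYSTORE" "$ALIAS" "$pass"
    keystore_has_alias "$KEYSTORE" "$ALIAS" "$pass"
    systemctl restart "$SERVICE"
}

# Run only when certmonger invokes the hook as "... renew", so that sourcing
# the file to reuse the functions does not touch the keystore.
case "${1:-}" in
    renew) main ;;
esac
```

With the script installed under /usr/libexec/ipa/certmonger as Rob suggests, the tracking request from the thread becomes `ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt -k /etc/pki/tls/private/saml.example.org.key -N CN=saml.example.org -D saml.example.org -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1 -C "/usr/libexec/ipa/certmonger/refresh_keycloak_certificate renew"`, and the hook runs after the first issuance and every renewal. Two caveats: the hook runs in the certmonger_t domain, so the SELinux denials discussed in the thread apply to whatever directory the keystore lives in; and OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which older JDKs' keytool cannot read, in which case `openssl pkcs12 -export -legacy` produces the older encoding.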
[Freeipa-users] Re: ipa-getcert and java certstore/keytool

Hi,

On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote:

> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
>> I'm playing around with keycloak and wanted to use an SSL certificate
>> from IPA. I've looked around but didn't see any howto about using java
>> keytool with ipa-getcert. Has someone experience with it?
>>
> Might as well jump straight to commands/logs :)

I did some more research yesterday and finally got a certificate
along the following lines:

- Generate a java keystore with keytool as described in the keycloak docs.
- Generate a csr with keytool and paste it into Freeipa.
- Got a certificate back from Freeipa.
- Import the certificate into keytool (again keycloak docs).

My first tries had the cert attributes wrong, but I think I now got it right,
but need to check with chrome to be sure. I'll post my steps later.

I was not successful in creating a certificate with ipa-getcert and
import the key into keytool. But I'll try to get something monitored by
certmonger - otherwise I'm sure the cert would expire...

Jochen
[Freeipa-users] Re: ipa-getcert and java certstore/keytool

On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
>
> Hi,
>
> I'm playing around with keycloak and wanted to use an SSL certificate
> from IPA. I've looked around but didn't see any howto about using java
> keytool with ipa-getcert. Has someone experience with it?
>
> I was not successful adding key/cert created by certmonger into keytool,
> and also not successful signing a csr from keytool with IPA. If no one
> has hints, I'll try again and provide commands/logs...
>
> Jochen
>

Hi Jochen,

Might as well jump straight to commands/logs :)

Cheers,
Fraser