Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
On 04/26/2012 04:51 PM, hshhs caca wrote:
> Hi folks,
>
> When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it? Or what value does it bring to IPA? I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it.
>
> Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).
>
> A close question is: what are the main points/benefits of machine authentication? Because with a traditional keytab-based Kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with a machine certificate as a must?
>
> Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script? What is its purpose?
>
> Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the Red Hat IPA document several times, and every time more questions pop up. :)
>
> Thanks a lot.

Let us take one at a time. Dogtag is the certificate system.

Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.

There will be more certificate-related features over time. They would include support of pkinit, issuance and management of user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.

Hope it clarifies things.

What is the reason for manually configuring the client?

> --Robinson
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
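As an added illustration (not code from this thread, nor from FreeIPA or certmonger), a small Python check for the krb5.conf setting discussed above: it parses the brace-nested krb5.conf format and reports the effective pkinit_anchors value for a realm, which lets a hand-configured client be compared with one set up by ipa-client-install. The sample configuration is constructed here; only the path /etc/ipa/ca.crt comes from the thread, and the realm and KDC host are placeholders.

```python
import re

# Constructed sample krb5.conf in the layout ipa-client-install writes;
# realm and KDC host are placeholders, /etc/ipa/ca.crt is from the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
  }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a brace block such as
    'EXAMPLE.COM = { ... }' under [realms] becomes a nested dict."""
    conf, stack = {}, []            # stack: dicts currently open for writes
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        section = re.match(r"^\[(\S+)\]$", line)
        if section:                 # new top-level section
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if line == "}":             # close the innermost brace block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":            # open a nested block, e.g. a realm
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def pkinit_anchors(conf, realm=None):
    """Effective pkinit_anchors for a realm: a setting inside the realm's
    [realms] block wins over [libdefaults]; None means no PKINIT trust anchor."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    per_realm = conf.get("realms", {}).get(realm, {}).get("pkinit_anchors")
    return per_realm or libdefaults.get("pkinit_anchors")

if __name__ == "__main__":
    print(pkinit_anchors(parse_krb5_conf(SAMPLE_KRB5_CONF)))  # FILE:/etc/ipa/ca.crt
```

Run against a real /etc/krb5.conf, a None result means the client has no PKINIT trust anchor configured, which is the first thing to compare between a manually built client and an ipa-client-install one.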
Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
From: Dmitri Pal d...@redhat.com

> Let us take one at a time. Dogtag is the certificate system.
>
> Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert. There will be more certificate-related features over time. They would include support of pkinit, issuance and management of user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>
> Hope it clarifies things.

Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination. For my case, where internal/outside company web servers already have externally certified 3-year wildcard certificates, and the IPA/LDAP servers have Dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now?

Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.

> What is the reason for manually configuring the client?

The main purpose here is company policy. We use central config management systems to push out config files, etc. Basically we did it for the separate Kerberos and LDAP solutions, and now it is required to do that for the IPA solution as well. Another benefit is, as long as I know how to do it manually, then in case the combo script ipa-client-install is overkill, I can do a subcomponent only.

Thanks.

--David
Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
On 04/27/2012 03:05 PM, David Copperfield wrote:
> From: Dmitri Pal d...@redhat.com
>
>> Let us take one at a time. Dogtag is the certificate system.
>>
>> Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert. There will be more certificate-related features over time. They would include support of pkinit, issuance and management of user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>>
>> Hope it clarifies things.
>
> Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination. For my case, where internal/outside company web servers already have externally certified 3-year wildcard certificates, and the IPA/LDAP servers have Dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now?

Up to you.

> Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.
>
>> What is the reason for manually configuring the client?
>
> The main purpose here is company policy. We use central config management systems to push out config files, etc. Basically we did it for the separate Kerberos and LDAP solutions, and now it is required to do that for the IPA solution as well. Another benefit is, as long as I know how to do it manually, then in case the combo script ipa-client-install is overkill, I can do a subcomponent only.

Maybe it would be helpful to share your experience on an IPA wiki page for others to follow with similar use cases? Do you have something that I can post there?

If you found anything missing in the documentation please file a BZ or ticket in upstream trac.

> Thanks.
>
> --David

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
[Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
Hi folks,

When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it? Or what value does it bring to IPA? I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it.

Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).

A close question is: what are the main points/benefits of machine authentication? Because with a traditional keytab-based Kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with a machine certificate as a must?

Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script? What is its purpose?

Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?

Sorry I got too many questions and probably more, as I read through the Red Hat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson