From 43cbca96faf6539ab0dc90c0de79b57897b1a127 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jul 06 2021 08:44:08 +0000 Subject: Also added snippet for service account from IPA for tls cert Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 5084f1f..426e66d 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -27,6 +27,22 @@ Pre-requisites: * `ipa-client` role applied with correct script deployed Once we have shell access on such enrolled node, we can proceed like this : + +``` +/usr/libexec/centos/generate_ipa_tls_krb5 + +You need to call the script like this : /usr/libexec/centos/generate_ipa_tls_krb5 -arguments + -n : node name / fqdn ([REQUIRED], example 'ppc64-01.cbs.centos.org') + -d : Description for that host ([REQUIRED], example 'cbs koji builder') + -s : service for principal ([REQUIRED], example 'compile' would create compile/ppc64-01.cbs.centos.org service in IPA) + -h : display this help + +You also need a valid kerberos ticket otherwise script will exit + +``` + +Here is an output example for the command with arguments: + ``` /usr/libexec/centos/generate_ipa_tls_krb5 -n mbs.mbox.stg.centos.org -d 'Koji mbox STG mbs' -s 'HTTP' [+] Adding host in IPA and adding delegation to retrieve certs/keytab ... 
@@ -88,6 +104,29 @@ Keytab successfully retrieved and stored in: /etc/pki/centos/certs/HTTP-mbs.mbox You can now import into `pkistore` (and correct directory based on role) git-crypted repository the needed .crt and .key files from /etc/pki/centos/certs/ directory +#### TLS service account + +While the mentioned above script is probably the one that we'll use the most for nodes, we can also have to create service account, just to retrieve TLS cert used to auth against other services. As we'll just do that on *very* limited use cases, we can just "manually" execute the following snippet, still with first a valid kerberos ticket to be able to add users in IPA (so also on an enrolled machine and ideally the same one we use for the node certificates) : + +``` +# Let's first define some variables +service_account="mbox_stg_kojira" +full_name="CentOS kojira mbox STG service user" +realm="STG.FEDORAPROJECT.ORG" + +# Before next steps we *have* to have ipa rights to create ipa users and valid kerberos ticket +pushd /etc/pki/centos/certs >/dev/null +ipa user-show ${service_account} >/dev/null 2>&1 || ipa user-add --cn="${full_name}" --displayname="${full_name}" --password --first=${service_account} --last=${service_account} ${service_account} + +# Now that we have created the account with strong and random password, we can create private key and csr and ask IPA CA to sign it +# Create a private key and csr first +test -e ${service_account}.key || openssl req -new -newkey rsa:2048 -days 3650 -nodes -keyout ${service_account}.key -out ${service_account}.csr -subj "/CN=${service_account}" +# kinit as user (will ask password and also twice to set new password which can be the same one we decided to use +kinit ${service_account}@${realm} +ipa cert-request ${service_account}.csr --principal=${service_account} --profile-id=userCerts --certificate-out=${service_account}.crt && rm ${service_account}.csr +``` + +You can now push both .key/.crt files into `pkistore` git-crypted 
repository *and* also record the service account password in the IPA-service-accounts file in that same git-crypted repository ### Red Hat CA (internal setup only)
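Review bot: In the first hunk (the `@@ -27,6 +27,22 @@` region) the new fenced block shows only the bare path `/usr/libexec/centos/generate_ipa_tls_krb5` followed by the script's help text, while the introducing sentence "we can proceed like this :" now points at that help output rather than at a real invocation, so a reader could take the unparameterised command as the step to run. Suggest rewording the lead sentence to something like "The script prints its usage when called with `-h` (or without arguments) :" and showing `/usr/libexec/centos/generate_ipa_tls_krb5 -h` as the first line of the block, so the usage listing and the later "output example" are clearly two different runs.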
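Review bot: In the service-account snippet (the `@@ -88,6 +104,29 @@` hunk) the `-days 3650` option on `openssl req` has no effect when only a CSR is generated (it applies to `-x509` self-signed output), so the certificate lifetime actually comes from the IPA `userCerts` profile; drop the flag to avoid implying a ten-year validity. Two smaller points in the same block: the comment "Now that we have created the account with strong and random password" is not backed by the snippet, since `ipa user-add --password` only prompts for whatever the operator types, so either generate the password explicitly before the call or reword the comment; and the `kinit ${service_account}@${realm}` step replaces the admin ticket the earlier `ipa user-add` needed and the `pushd` has no matching `popd`, both worth a note (plus the unclosed parenthesis in the `# kinit as user (...` comment) so the operator is not surprised by a changed credential cache and working directory afterwards. In the prose, "the mentioned above script" should read "the above-mentioned script".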