Skip to content

Commit

Permalink
Split EST doc between installation and admin
Browse files Browse the repository at this point in the history 
[skip ci]
  • Loading branch information
@fmarco76
fmarco76 committed Jan 22, 2025
1 parent 6005cc0 commit ba785b6
Show file tree
Hide file tree
Showing 5 changed files with 253 additions and 197 deletions.
103 changes: 103 additions & 0 deletions docs/admin/est/Managing_DS_Realm.adoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
= Managing DS Realm =

If you have chosen to use an LDAP instance for user management, before
adding users, please ensure that you have configured the directory
server and added base entries. Installation instructions can be found
https://github.com/dogtagpki/pki/wiki/DS-Installation[here].

The user DB requires a node containing the users (_inetOrgPerson_) and
a node containing the groups (_groupOfUniqueNames_). Therefore, if
the base dn is `dc=pki,dc=example,dc=com` it is possible to create a
tree with a user using the command:

----
ldapadd -x -H ldap://estds.example.com:389 \
-D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=est,dc=pki,dc=example,dc=com
objectClass: domain
dc: est
dn: ou=people,dc=est,dc=pki,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: est-test-user
sn: EST TEST USER
cn: EST TEST USER
userPassword: Secret.123
dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: estclient
uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
EOF
----

== TLS mutual authentication ==

The above configurations allow client authentication using
_username/password_. In some cases or for specific operation, such as
re-enroll for a new certificate, mutual authentication with client
certificate is required.

Realm configuration already support certificate based authentication
out-of-the-box but in order to authenticate a user some additional
information are needed. In more detail, the user entry has to include
a _description_ containing some certificate details and the binary
certificate.

The _description_ has the format
`<Version>;<Serial>;<Issuer>;<subject>`. The version is the hex value
(without _0x_), the serial is in decimal and issuer and subject are
distinguished name (DN). The format for DN is from the more specific
attribute to the more general (note: some tools, like *OpenSSL*, have
different order), separated by comma. As an example, if the user has
a certificate with the following values:

----
$ openssl x509 -in cert.pem -subject -serial -issuer -text -noout |head -11
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:1c:9e:b7:9a:2d:cc:17:69:24:a2:81:4e:06:07:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
Validity
Not Before: Jan 16 11:31:11 2025 GMT
Not After : Apr 16 11:31:11 2025 GMT
Subject: CN=test.example.com
----

Then the user entry `est-test-user` defined above can be modified in the
DS case with the command:
----
$ ldapmodify -H ldap://ds.example.com:3389 \
-D "cn=Directory Manager" -w Secret.123 <<EOF
dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
changetype: modify
add: description
description: 2;67939231264256858734977554404570695488;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=test.example.com
-
add: userCertificate
userCertificate::<certificate_base64>
EOF
----

replacing the `<certificate_base64>` with the actual value. To obtain
the value from the DER certificate it is possible to use the command:
----
$ openssl base64 -in cert.der | sed 's/^/ /'
----
89 changes: 89 additions & 0 deletions docs/admin/est/Managing_PostgreSQL_Realm.adoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
= Managing PostgreSQL Realm =

If you have chosen to use *PostgreSQL* for user management, you first
need to prepare a database (e.g. est) and a user (e.g. est) to access
the database. Installation instructions can be found link:https://www.postgresql.org/download/linux[here].

After the installation, verify the database connection with the
following command:
----
$ psql -U est -d est
----
To use the _PostreSQL_ DB the user tables should be created with the
sql file provided in
`/usr/share/pki/est/conf/realm/postgresql/create.sql` and then filled
with the user information. The tables can be created with the command:
----
$ psql -U est -t -A -f /tmp/create.sql est
----
Then fill the tables with the commands:
----
$ psql -U est -t -A -c "INSERT INTO users VALUES ('est-test-user', 'EST TEST USER', '<tomcat_digest>');" est
$ psql -U est -t -A -c "INSERT INTO groups VALUES ('estclient', 'EST TEST USERS');" est
$ psql -U est -t -A -c "INSERT INTO group_members VALUES ('estclient', 'est-test-user');" est
----

Note: the tomcat digest for the password can be obtained with the command:
----
$ tomcat-digest <user_password>
----

It is possible to use different schemas but in this case a custom
`statements.conf` file (provided in the same folder) has to be
provided in order to retrieve the user information from the DB.

Additionally, java driver for PostgreSQL need to be installed in the EST server and linked into library folder of pki:

----
# dnf install -y postgresql-jdbc
# ln -s /usr/share/java/postgresql-jdbc/postgresql.jar /usr/share/pki/server/common/lib
# ln -s /usr/share/java/ongres-scram/client.jar /usr/share/pki/server/common/lib
# ln -s /usr/share/java/ongres-scram/common.jar /usr/share/pki/server/common/lib
# ln -s /usr/share/java/ongres-stringprep/saslprep.jar /usr/share/pki/server/common/lib/
# ln -s /usr/share/java/ongres-stringprep/stringprep.jar /usr/share/pki/server/common/lib/
----

== TLS mutual authentication ==

The above configurations allow client authentication using
_username/password_. In some cases or for specific operation, such as
re-enroll for a new certificate, mutual authentication with client
certificate is required.

Realm configuration already support certificate based authentication
out-of-the-box but in order to authenticate a user some additional
information are needed. In more detail, the user entry has to include
a _description_ containing some certificate details and the binary
certificate.

The _description_ has the format
`<Version>;<Serial>;<Issuer>;<subject>`. The version is the hex value
(without _0x_), the serial is in decimal and issuer and subject are
distinguished name (DN). The format for DN is from the more specific
attribute to the more general (note: some tools, like *OpenSSL*, have
different order), separated by comma.

These information are stored in the _user_certs_ table. As an example, if the user
has a certificate with the following values:

----
$ openssl x509 -in cert.pem -subject -serial -issuer -text -noout |head -11
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:1c:9e:b7:9a:2d:cc:17:69:24:a2:81:4e:06:07:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
Validity
Not Before: Jan 16 11:31:11 2025 GMT
Not After : Apr 16 11:31:11 2025 GMT
Subject: CN=test.example.com
----

Then the user entry `est-test-user` defined above requires a new entry in
the _user_certs_ table which can be added with:
----
$ psql -U est -t -A -c "INSERT INTO user_certs VALUES ('est-test-user', '2;67939231264256858734977554404570695488;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=test.example.com', pg_read_binary_file('/cert.der'));" est
----
41 changes: 29 additions & 12 deletions docs/installation/est/Installing_EST.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@ This page describes the process to install an _EST subsystem_.

The *EST subsystem* requires the package `dogtag-pki-est` installed in the server which will run the instance:

```
----
# dnf install dogtag-pki-est
```
----



Expand All @@ -27,7 +27,7 @@ point to a CA on a different host or with a different port use the options `-h
<hostname>`, `-p <port_number>` or `-U <CA_uri`. To use a different
nssdb use the option `-d <nssdb_path>`.

```
----
# pki -n caadmin ca-group-add "EST RA Agents"
---------------------------
Added group "EST RA Agents"
Expand All @@ -46,13 +46,13 @@ Added user "est-ra-1"
Added group member "est-ra-1"
-----------------------------
User: est-ra-1
```
----

Add and enable the EST enrollment profile `estServiceCert.cfg` (it is
available in `/usr/share/pki/ca/profiles/ca` if the *dogtag-pki-ca*
package is installed):

```
----
# pki -n caadmin ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
----------------------------
Added profile estServiceCert
Expand All @@ -61,12 +61,22 @@ Added profile estServiceCert
--------------------------------
Enabled profile "estServiceCert"
--------------------------------
```
----

Note: before enabling the profile verify if the options satisfy the requirement for the deployment.


## EST Subsystem Installation


== EST Subsystem Installation ==

*EST* subsystem has its own realm authentication with a separate
user DB. _LDAP_, _PostreSQL_ and file based DB are supported. The DB
has to be prepared in advance for authentication to work. User
management is handled on the selected DB, outside EST. Management
information of _LDAP_ DB is available in the page
xref:../../admin/est/Managing_DS_Realm.adoc[Managing DS Realm] while
for _PostgreSQL_ in the page xref:../../admin/est/Managing_PostgreSQL_Realm.adoc[Managing PostgreSQL Realm].

There are two options for the installation:

Expand All @@ -87,10 +97,9 @@ Use `curl` to verify that the *EST subsystem* is deployed and is able to communi

The following command will print the CA signing certificate obtained from the server:

```
----
$ curl --cacert ./ca_signing.crt https://<EST_HOSTNAME>:<EST_PORT>/.well-known/est/cacerts | openssl base64 -d | openssl pkcs7 -inform der -print_certs | openssl x509 -text -noout

```
----

Replace `$EST_HOSTNAME` and `$EST_PORT` with the hostname and port of
the *EST subsystem*, respectively.
Expand All @@ -103,7 +112,7 @@ To test the enrollment using curl, generate a CSR and submit using a
user from the EST user DB associated with the realm. The following
commands will perform the enrollment and print the final certificate:

```
----
$ pki nss-cert-request --csr testServer.csr \
--ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=test.example.com'
$ openssl req -in testServer.csr -outform der | openssl base64 -out testServer.p10
Expand All @@ -113,6 +122,14 @@ $ curl --cacert ./ca_signing.crt --anyauth -u est-test-user:Secret.123 \
-o newCert.p7 https://<EST_HOSTNAME>:<EST_PORT>/.well-known/est/simpleenroll
$ openssl base64 -d -in newCert.p7 | openssl pkcs7 -inform der -print_certs | openssl x509 -text -noout
----

```
Note: the `testServer.p10` file is a base64 encoded pkcs10 DER without header/footer.

In case the enrollment is done using mutual TLS authentication in the
`curl` command above the credentials has to be replaced with the certificate and related key as follows:
----
$ curl --cacert ./ca_signing.crt --cert cert.pem --key key-x-x.pem \
--data-binary @testServer.p10 -H "Content-Type: application/pkcs10"
-o newCert.p7 https://<EST_HOSTNAME>:<EST_PORT>/.well-known/est/simpleenroll
----
24 changes: 12 additions & 12 deletions docs/installation/est/Installing_EST_pki-server.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@ link:https://github.com/dogtagpki/pki/wiki/PKI-Server-Create-CLI[here]).

Create the _EST subsystem_ inside the pki server instance:

```
----
# pki-server est-create
```
----

Configure the issuance backend. The class
`org.dogtagpki.est.DogtagRABackend` is used for the EST instance to
Expand All @@ -25,15 +25,15 @@ communicate with the CA. This requires:
* the enrollment _profile_.
```
----
# cat >/var/lib/pki/pki-tomcat/conf/est/backend.conf <<EOF
class=org.dogtagpki.est.DogtagRABackend
url=https://$(hostname):8443
profile=estServiceCert
username=est-ra-1
password=password4ESTUser
EOF
```
----

Note: to use TLS mutual authentication instead of _username/password_, one needs to:

Expand All @@ -53,12 +53,12 @@ Configure request authorization. The class
delegate the authorization to an external process configured with the
parameter *executable*:

```
----
# cat >/var/lib/pki/pki-tomcat/conf/est/authorizer.conf <<EOF
class=org.dogtagpki.est.ExternalProcessRequestAuthorizer
executable=/usr/share/pki/est/bin/estauthz
EOF
```
----

The executable script in this example performs a simple check of the user role and it
is available link:/base/est/bin/estauthz[here]. It can be replaced if a
Expand All @@ -67,26 +67,26 @@ more sophisticated authorization framework has to be adopted.

Deploy the EST application:

```
----
# pki-server est-deploy
```
----

Configure the authentication. The authentication allows one to use realms
from _tomcat_ or developed for dogtag. As an example we use an in
memory realm:

```
----
# cat >/var/lib/pki/pki-tomcat/conf/est/realm.conf <<EOF
class=com.netscape.cms.realm.PKIInMemoryRealm
username=alice
password=4me2Test
roles=estclient
EOF
```
----

Finally, restart the server:

```
----
# pki-server restart --wait
```
----

Loading

0 comments on commit ba785b6

Please sign in to comment.