Cleaning a machine

Posted on March 19, 2024 by Adam Young

After you get something working, you find you might have missed a step in documenting how you got that working. You might have installed a package that you didn’t remember. Or maybe you set up a network connection. In my case, I find I have often brute-forced the SSH setup for later provisioning. Since this is done once, and then forgotten, often in the push to “just get work done” I have had to go back and redo this (again usually manually) when I get to a new machine.

To avoid this, I am documenting what I can do to get a new machine up and running in a state where SSH connections (and forwarding) can be reliably run. This process should be automatable, but at a minimum, it should be understood.

Continue reading →

Comparing Istio and Keystone Middleware

Posted on April 7, 2018 by Adam Young

One way to learn a new technology is to compare it to what you already know. I’ve heard a lot about Istio, and I don’t really grok it yet, so this post is my attempt to get the ideas solid in my own head, and to spur conversations out there.

Continue reading →

Managing CloudForms’ Certificates with certmonger

Posted on March 7, 2018 by Adam Young

When you enroll CloudForms with an IdM Server, you do not automatically get the HTTPS certificates from that server. It takes a deliberate additional step to do so.

Continue reading →

Enable Logging for root Certmonger

Posted on March 2, 2018 by Adam Young

While trying to debug an Ansible module calling Certmonger, I found myself afoul of some mistake I could not quite trace. Certmonger was having trouble reading the key to generate the certificate. But nothing was showing up in the log. Here’s how I got some logging info.

Continue reading →

Java and Certmonger Continued

Posted on February 15, 2018 by Adam Young

Now that I know that I can do things like read the Keys from a Programmatic registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables.

Continue reading →

Certmonger, SELinux and Keystores in random locations

Posted on February 15, 2018 by Adam Young

In my last post, SELinux was reporting AVCs when certmonger tried to access an NSS Database in a non-standard location. To get rid of the AVC, and get SELinx to allow the operations, we need to deal with the underlying cause of the AVC.
Continue reading →

Java and Certmonger

Posted on February 14, 2018 by Adam Young

Earlier this week, I got some advice from John Dennis on how to set up the certificates for a Java based web application. The certificates were to be issued by the Dogtag instance in a Red Hat Identity Mangement (RH IdM) install. However, unlike the previous examples I’ve seen, this one did some transforms from the certificate files, into PKCS12 and then finally into the keystore. It Looks like this:

ipa-getcert request -f /etc/pki/tls/certs/rhsso-cert.pem -k /etc/pki/tls/private/rhsso-key.pem -I rhsso -K RHSSO/`hostname` -D `hostname`

openssl pkcs12 -export -name rhsso -passout pass:FreeIPA4All -in /etc/pki/tls/certs/rhsso-cert.pem -inkey /etc/pki/tls/private/rhsso-key.pem -out rhsso.p12

keytool -importkeystore -srckeystore rhsso.p12 -srcstoretype PKCS12 -srcstorepass FreeIPA4All -destkeystore keycloak.jks -deststorepass FreeIPA4All -alias rhsso

keytool -keystore keycloak.jks -import -file /etc/ipa/ca.crt -alias ipa-ca

cp keycloak.jks /etc/opt/rh/rh-sso7/keycloak/standalone/

Aside from the complications of this process, it also means that the application will not be updated when Certmonger automatically renews the certificate, leading to potential down time. I wonder if there is a better option.

Continue reading →

Tokens without revocation

Posted on July 9, 2016 by Adam Young

PKI tokens in Keystone suffered from many things, most essentially the trials due to the various forms of revocation. I never wanted revocation in the first place. What could we have done differently? It just (I mean moments ago) came to me.
Continue reading →

De-conflicting Swift-Proxy with FreeIPA

Posted on July 7, 2016 by Adam Young

Port 8080 is a popular port. Tomcat uses it as the default port for unencrypted traffic. FreeIA, installs Dogtag which runs in Tomcat. Swift proxy also chose that port number for its traffic. This means that if one is run on that port, the other cannot. Of the two, it is easier to change FreeIPA, as the port is only used for internal traffic, where as Swift’s port is in the service catalog and the documentation.
Continue reading →

Lessons Learned writing a certmonger helper for Anchor

Posted on May 11, 2016 by Adam Young

Guang Yee has been trying to get certmonger talking to Anchor — an ephemeral CA, worth a post by itself. His attitude went from “this is easy” to “I’m about to give up on certmonger” to “Got it.” Here is his post-mortem:

Continue reading →

Adam Young's Web Log

The Notebook of a Programmer Climber Musician Ex-Soldier Woodworker and a few other things

Category Archives: PKI

Cleaning a machine

Comparing Istio and Keystone Middleware

Managing CloudForms’ Certificates with certmonger

Enable Logging for root Certmonger

Java and Certmonger Continued

Certmonger, SELinux and Keystores in random locations

Java and Certmonger

Tokens without revocation

De-conflicting Swift-Proxy with FreeIPA

Lessons Learned writing a certmonger helper for Anchor