When you enroll CloudForms with an IdM Server, you do not automatically get the HTTPS certificates from that server. It takes a deliberate additional step to do so.
Generating a Callgraph for Keystone
Once I know a starting point for a call, I want to track the other functions that it calls. pycallgraph will generate an image that shows me that.
Inspecting Keystone Routes
What policy is enforced when you call a Keystone API? Right now, there is no definitive way to say. However, with some programmatic help, we might be able to figure it out from the source code. Let's start by getting a complete list of the Keystone routes.
Enable Logging for root Certmonger
While trying to debug an Ansible module calling Certmonger, I ran afoul of some mistake I could not quite trace. Certmonger was having trouble reading the key to generate the certificate. But nothing was showing up in the log. Here’s how I got some logging info.
OpenStack Role Assignment Inheritance for CloudForms
Operators expect to use CloudForms to perform administrative tasks. For this reason, the documentation for OpenStack states that the Keystone user must have an admin role. We found at least one case, however, where this was not sufficient. Fortunately, we have a better approach, and one that can lead to success in a wider array of deployments.
Java on Port 443
I’ve been working on setting up a Java based SAML provider. This means that the application needs to handle requests and responses over HTTPS. And, since this is often deployed in data centers where non-standard ports are blocked, it means that HTTPS really needs to be supported on the proper port, which is 443. Here is the range of options.
Java and Certmonger Continued
Now that I know that I can do things like read the keys from a programmatically registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables.
Certmonger, SELinux and Keystores in random locations
In my last post, SELinux was reporting AVCs when certmonger tried to access an NSS database in a non-standard location. To get rid of the AVC, and get SELinux to allow the operations, we need to deal with the underlying cause of the AVC.
Java and Certmonger
Earlier this week, I got some advice from John Dennis on how to set up the certificates for a Java based web application. The certificates were to be issued by the Dogtag instance in a Red Hat Identity Management (RH IdM) install. However, unlike the previous examples I’ve seen, this one did some transforms from the certificate files, into PKCS12 and then finally into the keystore. It looks like this:
ipa-getcert request -f /etc/pki/tls/certs/rhsso-cert.pem -k /etc/pki/tls/private/rhsso-key.pem -I rhsso -K RHSSO/`hostname` -D `hostname`
openssl pkcs12 -export -name rhsso -passout pass:FreeIPA4All -in /etc/pki/tls/certs/rhsso-cert.pem -inkey /etc/pki/tls/private/rhsso-key.pem -out rhsso.p12
keytool -importkeystore -srckeystore rhsso.p12 -srcstoretype PKCS12 -srcstorepass FreeIPA4All -destkeystore keycloak.jks -deststorepass FreeIPA4All -alias rhsso
keytool -keystore keycloak.jks -import -file /etc/ipa/ca.crt -alias ipa-ca
cp keycloak.jks /etc/opt/rh/rh-sso7/keycloak/standalone/
Aside from the complications of this process, it also means that the application will not be updated when Certmonger automatically renews the certificate, leading to potential downtime. I wonder if there is a better option.
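One way to close the renewal gap described above is to wrap the same cert-to-PKCS12-to-keystore steps in a script and hand that script to certmonger as the post-save command (the -C option of ipa-getcert request), so the keystore is rebuilt every time the certificate is written, not just once by hand. The script below is an added example, not code from the post or from RH-SSO. The file paths, the alias rhsso, the password file location, the script path /usr/local/sbin/rebuild-keystore.sh and the RESTART_CMD hook are assumptions modelled on the excerpt; the password is passed through an environment variable rather than on the command line so it does not show up in ps output.

```shell
#!/bin/sh
# Added example (not the original post's commands): rebuild the Java keystore
# from the PEM files certmonger manages, suitable as a certmonger -C hook.
# Paths, alias, password file and restart command are assumptions.
set -u

# rebuild_keystore CERT KEY CA_CERT DEST_JKS ALIAS STOREPASS
# Writes a fresh keystore holding the server key/cert under ALIAS and the
# IdM CA under "ipa-ca", then moves it into place atomically.
rebuild_keystore() {
    cert=$1; key=$2; ca=$3; dest=$4; alias=$5; storepass=$6

    # Fail early and loudly: a missing or unreadable key is exactly the
    # kind of error that is otherwise silent when certmonger runs the hook.
    for f in "$cert" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "rebuild_keystore: cannot read $f" >&2
            return 2
        fi
    done
    for tool in openssl keytool; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "rebuild_keystore: $tool not found in PATH" >&2; return 3; }
    done

    work=$(mktemp -d) || return 1
    p12="$work/$alias.p12"
    jks="$work/$(basename "$dest")"

    # Hand the password to openssl/keytool via the environment, not argv.
    STOREPASS=$storepass
    export STOREPASS

    openssl pkcs12 -export -name "$alias" -passout env:STOREPASS \
        -in "$cert" -inkey "$key" -out "$p12" \
        || { rm -rf "$work"; return 1; }

    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "$jks" -deststorepass:env STOREPASS -alias "$alias" \
        || { rm -rf "$work"; return 1; }

    # -noprompt: the original command asks "Trust this certificate?" on a
    # terminal, which hangs a hook run by certmonger.
    keytool -import -noprompt -keystore "$jks" -storepass:env STOREPASS \
        -file "$ca" -alias ipa-ca \
        || { rm -rf "$work"; return 1; }

    # Tighten permissions before the file becomes visible at its final path.
    chmod 0640 "$jks"
    mv "$jks" "$dest" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    unset STOREPASS
    return 0
}

# Register the request with certmonger. -C runs the given command after the
# certificate is saved, on the initial issue and on every renewal (assumed
# script path; everything else mirrors the ipa-getcert line in the post).
register_with_certmonger() {
    host=$(hostname)
    ipa-getcert request \
        -f /etc/pki/tls/certs/rhsso-cert.pem \
        -k /etc/pki/tls/private/rhsso-key.pem \
        -I rhsso -K "RHSSO/$host" -D "$host" \
        -C /usr/local/sbin/rebuild-keystore.sh
}

# When installed as /usr/local/sbin/rebuild-keystore.sh and run by certmonger,
# rebuild with the deployment's fixed paths and optionally restart the app
# (e.g. RESTART_CMD="systemctl restart <rh-sso service>", an assumption).
case "$(basename "$0")" in
    rebuild-keystore.sh)
        rebuild_keystore \
            /etc/pki/tls/certs/rhsso-cert.pem \
            /etc/pki/tls/private/rhsso-key.pem \
            /etc/ipa/ca.crt \
            /etc/opt/rh/rh-sso7/keycloak/standalone/keycloak.jks \
            rhsso "$(cat /etc/opt/rh/rh-sso7/keycloak/standalone/.storepass)" \
            && [ -n "${RESTART_CMD:-}" ] && $RESTART_CMD
        ;;
esac
```

The password file is assumed to be root-owned and mode 0600; keeping it out of the command line matters because certmonger runs the hook as root and argv is visible to every local user. If keytool is an older Java 8 build, it may not read the AES/PBKDF2 PKCS12 that OpenSSL 3 emits by default; add -legacy to the openssl pkcs12 call in that case.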
Virtualization Setup for RH CSA study
While my company has wonderful resources to allow employees to study for our certifications, they are time limited to prevent waste. I find I’ve often kicked off the lab, only to get distracted with a real-world interrupt, and come back to find the lab has timed out. I like working on my own systems, and having my own servers to work on. As such, I’m setting up a complementary system to the corporate one for my own study.