[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 12 14:17:44 UTC 2015 

Hi,

Security wise I can understand that.

Yes I have read about that... but that would let me use the
loadbalancer to connect ? I was not sure if the SAN would "connect" as
"other" host.

2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi Guys,
>>
>> Is Rob able to look at this ? I hope he has some sparetime as I'm
>> kinda stuck with this issue.
>
> Wildcard certs are not supported.
>
> You can request a SAN with certmonger using -D <FQDN>. That will work
> with IPA 4.x for sure, maybe 3.3.5.
>
> rob
>
>>
>> Thanks!
>>
>>
>>
>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>> I'm reviewing some things.
>>>
>>> When I'm using a loadbalancer, which I prefer in this setup I need to
>>> have the same certificates on both servers. Maybe a wildcard for my
>>> domain could do instead of having only both fqdn's of the servers
>>> including the loadbalancer's fqdn.
>>>
>>> But the question remains, how?
>>>
>>>
>>>
>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>> Hi,
>>>>
>>>> I will balance with IP persistance so I think there won't be any
>>>> mixing as long as that "used" server is online.
>>>>
>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>
>>>>>> OK, understood.
>>>>>>
>>>>>> But when a webservice does execute a command (from scripting) to a SVR
>>>>>> record and the first is not reacable, would it try to do it again or
>>>>>> will handle DNS this in front of it ?
>>>>>>
>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>> checked if the user was able to auth himself using his ldap
>>>>>> credentials, if so, this kinit exec is fired and I do some CURL stuff
>>>>>> to the IPA server.
>>>>>>
>>>>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server
>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>> I'm not sure if the SRV will handle this well when doing these command
>>>>>> from PHP for an example. Building in extra checks in front could be
>>>>>> done but it not ideal as a loadbalancer can handle such things much
>>>>>> better.
>>>>>
>>>>>
>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>> Rob. What is our failover logic for API?
>>>>>
>>>>> For CLI we use a negotiation and then we store a cookie so as long as the
>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>> think you need to re-encrypt the traffic at load balancer and thus have a
>>>>> cert there then if you can enforce the use of the same server in this case.
>>>>>
>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>
>>>>> Rob does that make sense for you?
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>
>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
>>>>>>>> SRV won't fit here sorry to say.
>>>>>>>>
>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>> believe ?
>>>>>>>
>>>>>>>
>>>>>>> Each entity in Kerberos exchange has its own identity and key.
>>>>>>> If you send a ticket that is destined to service A instead to service B
>>>>>>> it
>>>>>>> would not work unless they share the same keys and identity. Sharinf same
>>>>>>> keys and identities between the servers just would not work with IPA.
>>>>>>> Keep in mind that IPA clients and server need to work and fail over if
>>>>>>> you
>>>>>>> do not have any load balancers and this is the common case. You are
>>>>>>> trying
>>>>>>> to add one where it is really not needed creating overhead for yourself.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>> 100% there in step 6
>>>>>>>>
>>>>>>>> Thanks again!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matthijs
>>>>>>>>
>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>
>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>
>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using
>>>>>>>>>> curl/json.
>>>>>>>>>
>>>>>>>>> If we are talking purely about scripting, you can use IPA Python API.
>>>>>>>>> It
>>>>>>>>> will
>>>>>>>>> handle fail over for you even without any load balancer. That would be
>>>>>>>>> easiest
>>>>>>>>> way.
>>>>>>>>>
>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>> central point where I can tal to I use a loadbalancer.
>>>>>>>>>
>>>>>>>>> Well, if you can control clients then the easiest and most universal
>>>>>>>>> way
>>>>>>>>> is to
>>>>>>>>> use DNS SRV records and add failover logic to clients. That solution
>>>>>>>>> works
>>>>>>>>> even when servers are geographically distributed/in different networks
>>>>>>>>> and
>>>>>>>>> does not have single point of failure (the load balancer).
>>>>>>>>>
>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>>>>>>>>> on the IPA server because this is needed for the http service
>>>>>>>>>> principals I need to add the loadbalancer hostname to my IPA server
>>>>>>>>>> and make it as an ALT name to it's Certificate.
>>>>>>>>>>
>>>>>>>>>> As the users are the same on both servers I would asume i can use a
>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>
>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on
>>>>>>>>> IPA
>>>>>>>>> server have their own keytabs too. Every service on every server has
>>>>>>>>> own
>>>>>>>>> keytab with different key.
>>>>>>>>>
>>>>>>>>> You need to talk with Simo or some other Kerberos guru about
>>>>>>>>> possibility
>>>>>>>>> of
>>>>>>>>> sharing keytabs between IPA services.
>>>>>>>>>
>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>
>>>>>>>>> I'm still not sure if you want to have human users too or just API
>>>>>>>>> clients.
>>>>>>>>>
>>>>>>>>> Petr^2 Spacek
>>>>>>>>>
>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>
>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each
>>>>>>>>>>>> ipa
>>>>>>>>>>>> server ?
>>>>>>>>>>>>
>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>
>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>
>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>> detail, please?
>>>>>>>>>>>
>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>
>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I
>>>>>>>>>>>>>> can
>>>>>>>>>>>>>> use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically
>>>>>>>>>>>>> possible to use
>>>>>>>>>>>>> load-balancer but it will be really hacky. You would have to solve
>>>>>>>>>>>>> certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect
>>>>>>>>>>>>> to ipa
>>>>>>>>>>>>> server 1/2/3/4/5 according to current state instead of using
>>>>>>>>>>>>> classical load
>>>>>>>>>>>>> balancer on the network level. Normal HTTP redirect will not force
>>>>>>>>>>>>> you to mess
>>>>>>>>>>>>> with certs and keytabs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Petr Spacek  @  Red Hat
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>

More information about the Freeipa-users mailing list