[Freeipa-users] subjectAlternativeName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 12 15:59:33 UTC 2015


Not worried, I need to try.

I think it's not an issue as we use persistence for the connection. We
only do some user adding/changing stuff, nothing really fancy but it
needs to be decent. As persistence comes in I think we don't have to
worry about it, we discussed that here earlier as I remember.

Or do I ?

Something else; did you have a nice PTO ?

2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi,
>>
>> Security wise I can understand that.
>>
>> Yes I have read about that... but that would let me use the
>> loadbalancer to connect ? I was not sure if the SAN would "connect" as
>> "other" host.
>
> Kerberos through a load balancer can be a problem. Is this what you're
> worried about?
>
> rob
>
>>
>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> Is Rob able to look at this ? I hope he has some spare time as I'm
>>>> kinda stuck with this issue.
>>>
>>> Wildcard certs are not supported.
>>>
>>> You can request a SAN with certmonger using -D <FQDN>. That will work
>>> with IPA 4.x for sure, maybe 3.3.5.
>>>
>>> rob
>>>
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>> I'm reviewing some things.
>>>>>
>>>>> When I'm using a loadbalancer, which I prefer in this setup I need to
>>>>> have the same certificates on both servers. Maybe a wildcard for my
>>>>> domain could do instead of having only both fqdn's of the servers
>>>>> including the loadbalancer's fqdn.
>>>>>
>>>>> But the question remains, how?
>>>>>
>>>>>
>>>>>
>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>> Hi,
>>>>>>
>>>>>> I will balance with IP persistence so I think there won't be any
>>>>>> mixing as long as that "used" server is online.
>>>>>>
>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>
>>>>>>>> OK, understood.
>>>>>>>>
>>>>>>>> But when a webservice does execute a command (from scripting) to a SRV
>>>>>>>> record and the first is not reachable, would it try to do it again or
>>>>>>>> will DNS handle this in front of it ?
>>>>>>>>
>>>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>>>> checked if the user was able to auth himself using his ldap
>>>>>>>> credentials, if so, this kinit exec is fired and I do some CURL stuff
>>>>>>>> to the IPA server.
>>>>>>>>
>>>>>>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server
>>>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>>>> I'm not sure if the SRV will handle this well when doing these command
>>>>>>>> from PHP for an example. Building in extra checks in front could be
>>>>>>>> done but it is not ideal as a loadbalancer can handle such things much
>>>>>>>> better.
>>>>>>>
>>>>>>>
>>>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>>>> Rob. What is our failover logic for API?
>>>>>>>
>>>>>>> For CLI we use a negotiation and then we store a cookie so as long as the
>>>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>>>> think you need to re-encrypt the traffic at load balancer and thus have a
>>>>>>> cert there then if you can enforce the use of the same server in this case.
>>>>>>>
>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>
>>>>>>> Rob does that make sense for you?
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>
>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
>>>>>>>>>> SRV won't fit here sorry to say.
>>>>>>>>>>
>>>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>>>> believe ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Each entity in Kerberos exchange has its own identity and key.
>>>>>>>>> If you send a ticket that is destined to service A instead to service B
>>>>>>>>> it would not work unless they share the same keys and identity. Sharing
>>>>>>>>> same keys and identities between the servers just would not work with IPA.
>>>>>>>>> Keep in mind that IPA clients and server need to work and fail over if
>>>>>>>>> you do not have any load balancers and this is the common case. You are
>>>>>>>>> trying to add one where it is really not needed creating overhead for
>>>>>>>>> yourself.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>>>> 100% there in step 6
>>>>>>>>>>
>>>>>>>>>> Thanks again!
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Matthijs
>>>>>>>>>>
>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>
>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using
>>>>>>>>>>>> curl/json.
>>>>>>>>>>>
>>>>>>>>>>> If we are talking purely about scripting, you can use IPA Python API.
>>>>>>>>>>> It will handle fail over for you even without any load balancer. That
>>>>>>>>>>> would be easiest way.
>>>>>>>>>>>
>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>>>> central point where I can talk to I use a loadbalancer.
>>>>>>>>>>>
>>>>>>>>>>> Well, if you can control clients then the easiest and most universal
>>>>>>>>>>> way is to use DNS SRV records and add failover logic to clients. That
>>>>>>>>>>> solution works even when servers are geographically distributed/in
>>>>>>>>>>> different networks and does not have single point of failure (the load
>>>>>>>>>>> balancer).
>>>>>>>>>>>
>>>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>>>>>>>>>>> on the IPA server because this is needed for the http service
>>>>>>>>>>>> principals I need to add the loadbalancer hostname to my IPA server
>>>>>>>>>>>> and make it as an ALT name to its certificate.
>>>>>>>>>>>>
>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a
>>>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>>>
>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on
>>>>>>>>>>> IPA server have their own keytabs too. Every service on every server has
>>>>>>>>>>> own keytab with different key.
>>>>>>>>>>>
>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about
>>>>>>>>>>> possibility of sharing keytabs between IPA services.
>>>>>>>>>>>
>>>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>>>
>>>>>>>>>>> I'm still not sure if you want to have human users too or just API
>>>>>>>>>>> clients.
>>>>>>>>>>>
>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>
>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each
>>>>>>>>>>>>>> ipa server ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>>>> detail, please?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I
>>>>>>>>>>>>>>>> can use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically
>>>>>>>>>>>>>>> possible to use load-balancer but it will be really hacky. You would
>>>>>>>>>>>>>>> have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect
>>>>>>>>>>>>>>> to ipa server 1/2/3/4/5 according to current state instead of using
>>>>>>>>>>>>>>> classical load balancer on the network level. Normal HTTP redirect
>>>>>>>>>>>>>>> will not force you to mess with certs and keytabs.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Petr Spacek  @  Red Hat
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>
>
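Added example, not code from this thread, from FreeIPA or from any of its authors: the client-side failover over DNS SRV records that Petr Spacek recommends above as the alternative to a network load balancer, and the "stick to the server that issued the session cookie" point Dmitri raises. It orders targets by RFC 2782 priority and weight and retries the next master only on a transport failure. The SRV records, hostnames (`ipa1.example.test` etc.) and the set of "down" hosts are constructed so it runs offline; a real client would resolve `_ldap._tcp.<domain>` and `_kerberos._tcp.<domain>` with the system resolver first.

```python
# Added example (not from the thread or from FreeIPA): client-side failover
# over DNS SRV records, ordered per RFC 2782 priority/weight.  SAMPLE_SRV and
# the "down" hosts passed to simulate() are constructed for offline use.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample: two equal-weight masters plus a low-preference backup.
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=443, target="ipa1.example.test"),
    SrvRecord(priority=0, weight=100, port=443, target="ipa2.example.test"),
    SrvRecord(priority=10, weight=0, port=443, target="ipa3.example.test"),
]


def order_srv(records, rng=None):
    """Return records in the order a client should try them (RFC 2782):
    lowest priority value first; within one priority, weighted random
    draws without replacement, so heavier targets tend to come earlier."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(rec.weight for rec in pool)
            if total == 0:
                chosen = rng.choice(pool)  # all weights zero: uniform pick
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for rec in pool:
                    running += rec.weight
                    if pick < running:
                        chosen = rec
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


class AllServersFailed(Exception):
    """Raised when every SRV target refused the connection or timed out."""


def call_with_failover(records, attempt, rng=None):
    """Run attempt(host, port) against each server in SRV order and return
    (host, result) for the first success.  Only transport-level failures
    trigger failover; an application error propagates immediately so a
    failed API call is not silently replayed on another master.  The host
    is returned so the caller can pin the rest of the session (and its
    cookie) to that one server."""
    failures = []
    for rec in order_srv(records, rng):
        try:
            return rec.target, attempt(rec.target, rec.port)
        except (ConnectionError, TimeoutError) as exc:
            failures.append((rec.target, repr(exc)))
    raise AllServersFailed(failures)


def simulate(down_hosts, records=SAMPLE_SRV, rng=None):
    """Offline stand-in for the kinit + API call: hosts in down_hosts raise
    ConnectionError, any other host 'succeeds'.  Returns the host used."""
    def attempt(host, port):
        if host in down_hosts:
            raise ConnectionError(f"{host}:{port} unreachable (simulated)")
        return f"session established with {host}:{port}"
    host, _ = call_with_failover(records, attempt, rng)
    return host


if __name__ == "__main__":
    print("ordering:", [r.target for r in order_srv(SAMPLE_SRV)])
    print("ipa1 down ->", simulate({"ipa1.example.test"}))
    print("ipa1+ipa2 down ->", simulate({"ipa1.example.test", "ipa2.example.test"}))
```

Because `ipa3` sits at a lower-preference priority it is only reached when both priority-0 masters are unreachable, which is the behaviour the thread wants from a load balancer without putting one (and its certificate and shared-keytab problems) in front of the Kerberos exchange.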



