[Freeipa-users] subjectAlternativeName for webservice

Rob Crittenden rcritten at redhat.com
Thu Mar 19 14:04:22 UTC 2015


Matt . wrote:
> Isn't this documented well (yet) ?

Is what documented yet?

rob

> 
> The RH docs are always very detailed about it, but I'm not sure
> here... I see solutions but not 100% from A to Z to make sure we do it
> the proper way.
> 
> 2015-03-12 16:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Not worried, I need to try.
>>
>> I think it's not an issue as we use persistence for the connection. We
>> only do some user adding/changing stuff, nothing really fancy but it
>> needs to be decent. As persistence comes in I think we don't have to
>> worry about it, we discussed that here earlier as I remember.
>>
>> Or do I ?
>>
>> Something else; did you have a nice PTO?
>>
>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi,
>>>>
>>>> Security wise I can understand that.
>>>>
>>>> Yes I have read about that... but that would let me use the
>>>> loadbalancer to connect ? I was not sure if the SAN would "connect" as
>>>> "other" host.
>>>
>>> Kerberos through a load balancer can be a problem. Is this what you're
>>> worried about?
>>>
>>> rob
>>>
>>>>
>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> Is Rob able to look at this? I hope he has some spare time as I'm
>>>>>> kinda stuck with this issue.
>>>>>
>>>>> Wildcard certs are not supported.
>>>>>
>>>>> You can request a SAN with certmonger using -D <FQDN>. That will work
>>>>> with IPA 4.x for sure, maybe 3.3.5.
>>>>>
>>>>> rob
>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>> I'm reviewing some things.
>>>>>>>
>>>>>>> When I'm using a loadbalancer, which I prefer in this setup I need to
>>>>>>> have the same certificates on both servers. Maybe a wildcard for my
>>>>>>> domain could do instead of having only both fqdn's of the servers
>>>>>>> including the loadbalancer's fqdn.
>>>>>>>
>>>>>>> But the question remains, how?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I will balance with IP persistence so I think there won't be any
>>>>>>>> mixing as long as that "used" server is online.
>>>>>>>>
>>>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>>>
>>>>>>>>>> OK, understood.
>>>>>>>>>>
>>>>>>>>>> But when a webservice does execute a command (from scripting) to a SRV
>>>>>>>>>> record and the first is not reachable, would it try to do it again or
>>>>>>>>>> will DNS handle this in front of it?
>>>>>>>>>>
>>>>>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>>>>>> checked if the user was able to auth himself using his ldap
>>>>>>>>>> credentials, if so, this kinit exec is fired and I do some CURL stuff
>>>>>>>>>> to the IPA server.
>>>>>>>>>>
>>>>>>>>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server
>>>>>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>>>>>> I'm not sure if the SRV will handle this well when doing these commands
>>>>>>>>>> from PHP for example. Building in extra checks in front could be
>>>>>>>>>> done but it's not ideal as a loadbalancer can handle such things much
>>>>>>>>>> better.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>>>>>> Rob. What is our failover logic for API?
>>>>>>>>>
>>>>>>>>> For CLI we use a negotiation and then we store a cookie so as long as the
>>>>>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>>>>>> think you need to re-encrypt the traffic at load balancer and thus have a
>>>>>>>>> cert there then if you can enforce the use of the same server in this case.
>>>>>>>>>
>>>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>>>
>>>>>>>>> Rob does that make sense for you?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>>>
>>>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
>>>>>>>>>>>> SRV won't fit here sorry to say.
>>>>>>>>>>>>
>>>>>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>>>>>> believe ?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Each entity in Kerberos exchange has its own identity and key.
>>>>>>>>>>> If you send a ticket that is destined to service A instead to service B it
>>>>>>>>>>> would not work unless they share the same keys and identity. Sharing same
>>>>>>>>>>> keys and identities between the servers just would not work with IPA.
>>>>>>>>>>> Keep in mind that IPA clients and server need to work and fail over if you
>>>>>>>>>>> do not have any load balancers and this is the common case. You are trying
>>>>>>>>>>> to add one where it is really not needed creating overhead for yourself.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>>>>>> 100% there in step 6
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks again!
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>
>>>>>>>>>>>> Matthijs
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using
>>>>>>>>>>>>>> curl/json.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If we are talking purely about scripting, you can use IPA Python API. It
>>>>>>>>>>>>> will handle fail over for you even without any load balancer. That would be
>>>>>>>>>>>>> the easiest way.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>>>>>> central point where I can talk to I use a loadbalancer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Well, if you can control clients then the easiest and most universal way
>>>>>>>>>>>>> is to use DNS SRV records and add failover logic to clients. That solution
>>>>>>>>>>>>> works even when servers are geographically distributed/in different networks
>>>>>>>>>>>>> and does not have a single point of failure (the load balancer).
>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I connect to the loadbalancer using DNAT, the client IP is known
>>>>>>>>>>>>>> on the IPA server. Because this is needed for the http service
>>>>>>>>>>>>>> principals, I need to add the loadbalancer hostname to my IPA server
>>>>>>>>>>>>>> and make it an ALT name in its Certificate.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a
>>>>>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on IPA
>>>>>>>>>>>>> server have their own keytabs too. Every service on every server has its own
>>>>>>>>>>>>> keytab with a different key.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about the possibility
>>>>>>>>>>>>> of sharing keytabs between IPA services.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm still not sure if you want to have human users too or just API
>>>>>>>>>>>>> clients.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each ipa
>>>>>>>>>>>>>>>> server?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>>>>>> detail, please?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>>>>>>>>>>>>>> use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically
>>>>>>>>>>>>>>>>> possible to use a load-balancer but it will be really hacky. You would have
>>>>>>>>>>>>>>>>> to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect to ipa
>>>>>>>>>>>>>>>>> server 1/2/3/4/5 according to current state instead of using classical load
>>>>>>>>>>>>>>>>> balancer on the network level. Normal HTTP redirect will not force you to
>>>>>>>>>>>>>>>>> mess with certs and keytabs.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Petr Spacek  @  Red Hat
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thank you,
>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>
>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>
>>>
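The client-side failover Petr recommends (DNS SRV records plus retry logic in the client) together with the constraint Dmitri and Petr describe (a service ticket is bound to one server's HTTP principal and key), as an added example that is not from this thread or from the FreeIPA project: RFC 2782 SRV ordering and a failover loop run over constructed records, with the real kinit-and-curl step replaced by a hypothetical `attempt` callable.

```python
import random
from typing import Callable, Dict, List, NamedTuple, Optional

# One SRV record as dig would show it: priority, weight, port, target host
SRV = NamedTuple("SRV", [("priority", int), ("weight", int), ("port", int), ("target", str)])

def order_srv(records: List[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """RFC 2782 try-order: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight records go first so they are chosen only when the draw is 0
        bucket = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while bucket:
            pick, running = rng.randint(0, sum(r.weight for r in bucket)), 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(bucket.pop(bucket.index(r)))
                    break
    return ordered

def call_with_failover(records: List[SRV], attempt: Callable[[str, int], Dict],
                       rng: Optional[random.Random] = None) -> Dict:
    """Try each server in SRV order; OSError from attempt() means 'down'. attempt(host, port)
    must obtain a ticket for HTTP/<host> and POST to that same host: a service ticket is
    bound to one replica's key and cannot be replayed to another."""
    errors = []
    for r in order_srv(records, rng):
        try:
            return attempt(r.target, r.port)
        except OSError as exc:
            errors.append(f"{r.target}:{r.port}: {exc}")
    raise RuntimeError("all IPA servers failed: " + "; ".join(errors))

# Constructed records, shaped like the answer to `dig SRV _ldap._tcp.example.test`
IPA_SRV = [
    SRV(0, 100, 443, "ipa1.example.test"),
    SRV(0, 100, 443, "ipa2.example.test"),
    SRV(10, 0, 443, "ipa-dr.example.test"),  # backup, tried only if both primaries fail
]

def fake_attempt(down: set) -> Callable[[str, int], Dict]:
    """Hypothetical stand-in for the real kinit + curl step: hosts in `down` refuse."""
    def attempt(host: str, port: int) -> Dict:
        if host in down:
            raise ConnectionRefusedError(f"{host}:{port} refused")
        return {"server": host, "result": "user_add ok"}
    return attempt
```

With both primaries marked down the call lands on the backup record, and only when every server fails does the caller see an error listing each host tried.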