EST with postgresql based authentication #4856
Conversation
|
@fmarco76 I've merged PR #4854. FYI, I'm planning to modify pkispawn so that it can create an SSL server cert for ACME automatically, and I'll modify the ACME test with a separate instance to use that automation, but I'll keep the original test with manual cert creation as a separate test (i.e. ACME with existing NSS database) to make sure it will support reinstallation or containers (where the NSS database already exists). |
fmarco76
force-pushed
the
EST_CI
branch
2 times, most recently
from
b711e45
to
5f80007
Compare
|
@edewata I have updated the actions |
| docker exec ca pki -n caadmin ca-cert-export --output-file estUser.crt $CERT_ID | ||
| docker exec ca pki nss-cert-import --cert estUser.crt estUser | ||
|
|
||
| docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_user.p12 -n estUser -W Secret.123 |
There was a problem hiding this comment.
It might be possible to import the admin cert & key using pki pkcs12-cert-import --append into est_server.p12 so they can be imported by pkispawn.
https://github.com/dogtagpki/pki/wiki/PKI-PKCS12-Certificate-CLI
There was a problem hiding this comment.
I was looking a way to easily append to the same p12 but I did not find it. This is way better, thanks!
| docker exec ca pki client-cert-request uid=estUser | tee output | ||
| REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) | ||
|
|
||
| docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output | ||
| CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) | ||
|
|
||
| docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --serial $CERT_ID | ||
| docker exec ca pki -n caadmin ca-cert-export --output-file estUser.crt $CERT_ID |
There was a problem hiding this comment.
It might be possible to use pki ca-cert-issue to issue the cert, then use pki ca-user-cert-add --input to assign the cert.
https://github.com/dogtagpki/pki/wiki/PKI-User-Certificate-CLI
| public void setup() throws Exception { | ||
|
|
||
| logger.info("Setting up PostgreSQL realm"); | ||
|
|
||
| String filename = "/usr/share/pki/acme/realm/postgresql/create.sql"; | ||
| String content = new String(Files.readAllBytes(Paths.get(filename))); | ||
|
|
||
| String[] stats = content.split(";"); | ||
| for (String sql : stats) { | ||
| sql = sql.trim(); | ||
| if (StringUtils.isEmpty(sql)) continue; | ||
| logger.info("SQL: " + sql); | ||
|
|
||
| try (PreparedStatement ps = connection.prepareStatement(sql)) { | ||
| ps.executeUpdate(); | ||
|
|
||
| } catch (SQLException e) { | ||
|
|
||
| // https://www.postgresql.org/docs/current/errcodes-appendix.html | ||
| String sqlState = e.getSQLState(); | ||
|
|
||
| // If table already exists, ignore | ||
| if (!"42P07".equals(sqlState)) { | ||
|
|
||
| logger.error("Unable to set up PostgreSQL realm: " + e.getMessage()); | ||
| logger.error("SQL state: " + sqlState); | ||
|
|
||
| throw e; | ||
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Is it possible to keep this code? I think it was meant to make ACME easier to use, i.e. just run PostgreSQL and ACME, and it's ready to use (ACME doesn't require initial users). If necessary (e.g. for EST) the tables can be created first and this code will not alter the tables. We probably can add a new param in realm.conf to specify the path, for example:
create=/usr/share/pki/acme/realm/postgresql/create.sql
There was a problem hiding this comment.
The problem of this code is that it check for the table and if not present then it will create the tables. If the DB is provided by the user and the table names do not match the new table should not be created. We can make this optional.
fmarco76
force-pushed
the
EST_CI
branch
4 times, most recently
from
f924e7e
to
a8301ca
Compare
| CERT_ID=$(docker exec ca pki nss-cert-show estUser |sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p") | ||
| docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --serial $CERT_ID |
There was a problem hiding this comment.
I think we can use pki ca-user-cert-add --input so no need to parse the serial number.
https://github.com/dogtagpki/pki/wiki/PKI-User-Certificate-CLI
|
|
||
| String createFile = info.getProperty("dbcreate.file"); | ||
| if (createFile != null) { | ||
| try{ | ||
| connect(); | ||
| setup(createFile); | ||
| } catch (Exception e) { | ||
| throw new LifecycleException("DB creation failed. Creation file: " + createFile, e); | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I think the setup() was originally called from connect() because there is no guarantee that containers will be started in certain orders. For example, sometimes the ACME container is started first, then the PostgreSQL container is added later or it was not running when ACME container is started. With the new code that probably won't work anymore. My suggestion is to return setup() to its original position, but we can keep the dbcreate.file param. What do you think?
There was a problem hiding this comment.
I do not think this parameter should be used after the installation. If we have it in the init then at the server start the DB should be created and the parameter should be removed. This could be done during pkispawn by the user.
In a container environment there is no reason to provide a DB without table after the initial setup. Who should fill the table with the user? In any case it should be possible to define a startup order although it is not needed in this case.
Since the current implementation perform the check in the connect() I am reverting it and evaluate again when we will move to container.
There was a problem hiding this comment.
Thanks! Yeah, ACME doesn't require any user unless we want to manage something remotely (which there isn't much that can be done anyway). EST seems to require a pre-existing realm, so the requirement is different. We can certainly revisit this requirement again.
The realm should not modify the user database but it has to be provided and configured in advance. However, if a file is provided it is used during the initialisation and not during the authentication.
Adding a new test to verify the connection between the EST subsystem and a realm user database handled with Postgresql. Additionally, the realm test on separate instance has been modified to authenticate the EST subsystem into the CA using a certificate.
Since DB could be not available before the connection the setup is moved back to the connection method.
|
|
@edewata Thanks! |
PKIPostgreSQLRealmclass has been modified to avoid and change in DB. The DB has to be ready before configuring the realm. A new test working with this realm is included.Additionally, the realm test on separate instance has been modified to authenticate the EST subsystem into the CA using a certificate.