FreeIPA vault plugin for Custodia
custodia.ipa: project description
Warning: custodia.ipa is a technology preview with a provisional API.
custodia.ipa is a collection of plugins for Custodia. It provides integration with FreeIPA. The IPAVault plugin is an interface to the FreeIPA vault: secrets are encrypted and stored in Dogtag's Key Recovery Agent. The IPACertRequest plugin creates private keys and signs certificates on demand. Finally, the IPAInterface plugin is a helper plugin that wraps ipalib and GSSAPI authentication.
Requirements
Installation
- pip
- setuptools >= 18.0
Runtime
- custodia >= 0.5.0
- ipalib >= 4.5.0
- ipaclient >= 4.5.0
- Python 2.7 (Python 3 support in IPA vault is unstable)
custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for authentication. It is recommended to provide credentials with a keytab file or GSS-Proxy. Furthermore, IPAVault depends on the Key Recovery Agent service (ipa-kra-install).
Testing and development
- wheel
- tox
virtualenv requirements
custodia.ipa depends on several binary extensions and shared libraries, for example python-cryptography, python-gssapi, python-ldap and python-nss. For installation in a virtual environment, a C compiler and several development packages are required.
$ virtualenv venv
$ venv/bin/pip install --upgrade custodia.ipa
Fedora
$ sudo dnf install python2 python-pip python-virtualenv python-devel \
    gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
    nss-devel openldap-devel cyrus-sasl-devel openssl-devel
Debian/Ubuntu
$ sudo apt-get update
$ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
    gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
    libsasl2-dev libssl-dev
Example configuration
Create directories
$ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chmod 750 /var/lib/custodia /var/log/custodia
Create service account and keytab
$ kinit admin
$ ipa service-add custodia/$HOSTNAME
$ ipa service-allow-create-keytab custodia/$HOSTNAME --users=admin
$ mkdir -p /etc/custodia
$ ipa-getkeytab -p custodia/$HOSTNAME -k /etc/custodia/ipa.keytab
$ chown custodia:custodia /etc/custodia/ipa.keytab
The IPA cert request plugin requires additional permissions
$ ipa privilege-add \
    --desc="Create and request service certs with Custodia" \
    "Custodia Service Certs"
$ ipa privilege-add-permission \
    --permissions="Retrieve Certificates from the CA" \
    --permissions="Request Certificate" \
    --permissions="Revoke Certificate" \
    --permissions="System: Modify Services" \
    "Custodia Service Certs"
# for add_principal=True
$ ipa privilege-add-permission \
    --permissions="System: Add Services" \
    "Custodia Service Certs"
$ ipa role-add \
    --desc="Create and request service certs with Custodia" \
    "Custodia Service Cert Adminstrator"
$ ipa role-add-privilege \
    --privileges="Custodia Service Certs" \
    "Custodia Service Cert Adminstrator"
$ ipa role-add-member \
    --services="custodia/$HOSTNAME" \
    "Custodia Service Cert Adminstrator"
Create /etc/custodia/ipa.conf
# /etc/custodia/ipa.conf
[global]
debug = true
makedirs = true

[auth:ipa]
handler = IPAInterface
keytab = ${configdir}/${instance}.keytab
ccache = FILE:${rundir}/ccache

[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root

[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets

[store:vault]
handler = IPAVault

[store:cert]
handler = IPACertRequest
backing_store = vault

[/]
handler = Root

[/secrets]
handler = Secrets
store = vault

[/secrets/certs]
handler = Secrets
store = cert
Run the custodia server
$ systemctl start custodia@ipa.socket
IPA certificate request
The IPACertRequest store plugin generates or revokes certificates on the fly. It uses a backing store to cache certificates and private keys. The plugin can create service principals automatically, but the host must already exist: IPACertRequest does not create host entries on demand.
A request like GET /path/to/store/HTTP/client1.ipa.example generates a private key and CSR for the service HTTP/client1.ipa.example with the DNS subject alternative name client1.ipa.example. The CSR is forwarded to IPA and signed by Dogtag. The resulting certificate and its trust chain are returned as a PEM bundle together with the private key.
$ export CUSTODIA_INSTANCE=ipa
$ custodia-cli get /certs/HTTP/client1.ipa.example
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Subject: organizationName=IPA.EXAMPLE, commonName=client1.ipa.example
Serial Number: 22
Validity:
    Not Before: 2017-04-27 09:44:20
    Not After: 2019-04-28 09:44:20
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Serial Number: 1
Validity:
    Not Before: 2017-04-26 08:24:11
    Not After: 2037-04-26 08:24:11
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
A DELETE request removes the certificate/key pair from the backing store and revokes the certificate at the same time.
Automatic renewal of revoked or expired certificates has not been implemented yet.
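As an added example (not code from custodia.ipa itself), a small parser for the bundle layout shown above: it splits the output into the private key and the annotated certificates, and flags certificates whose Not After date falls within a window, which matters because the plugin does not renew them. The sample bundle is constructed for this example and its PEM bodies are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample, not real output: the layout custodia-cli prints for
# /certs/HTTP/client1.ipa.example, with PEM bodies replaced by placeholders.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-KEY
-----END RSA PRIVATE KEY-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Subject: organizationName=IPA.EXAMPLE, commonName=client1.ipa.example
Serial Number: 22
    Not After: 2019-04-28 09:44:20
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Subject: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Serial Number: 1
    Not After: 2037-04-26 08:24:11
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
"""
FMT = "%Y-%m-%d %H:%M:%S"  # timestamp format used by the annotation lines

def parse_bundle(text):
    """Split the bundle into (private_key_pem, [cert dicts with annotations])."""
    key, certs, meta, block = None, [], {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            block = [line]
        elif block is not None:
            block.append(line)
            if line.startswith("-----END "):
                pem, block = "\n".join(block) + "\n", None
                if "CERTIFICATE" not in line:
                    key = pem
                else:
                    certs.append(dict(meta, pem=pem))  # annotations precede their cert
                    meta = {}
        else:  # annotation line printed between PEM blocks
            s = line.strip()
            for f in ("Issuer", "Subject", "Serial Number", "Not Before", "Not After"):
                if s.startswith(f + ":"):
                    meta[f.lower().replace(" ", "_")] = s[len(f) + 1:].strip()
    return key, certs

def expiring(certs, now, days=30):
    """Subjects whose Not After lies within `days` of `now` (a FMT timestamp)."""
    horizon = datetime.strptime(now, FMT) + timedelta(days=days)
    return [c["subject"] for c in certs if datetime.strptime(c["not_after"], FMT) <= horizon]
```

Because renewal is not automatic, a caller that finds its leaf certificate in the expiring list has to DELETE the path and request it again itself.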
FreeIPA 4.4 support
Default settings and permissions are tuned for FreeIPA >= 4.5. For 4.4, the plugin must be configured with chain=False. The additional permission Request Certificate with SubjectAltName is also required.
$ ipa privilege-add-permission \
    --permissions="Request Certificate with SubjectAltName" \
    "Custodia Service Certs"