Configuring CMC Shared Token Authentication

Endi S. Dewata edited this page Jul 18, 2022 · 15 revisions

Overview

This page describes the process to configure CMC shared token authentication.

It assumes that:

  • The issuance protection certificate has been created.

Setting Up Authentication Database

First, update the schema to add the LDAP attribute for the shared token:

$ ldapmodify \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/ca/auth/ds/schema.ldif

Create the subtree (e.g. ou=people,dc=example,dc=com) to store the users:

$ ldapadd \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/ca/auth/ds/create.ldif

Then add the users:

$ ldapadd \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/ca/auth/ds/example.ldif

Configuring Authentication Manager

Add an authentication manager that uses the authentication database created above:

$ pki-server ca-config-set auths.instance.SharedToken.ldap.basedn ou=people,dc=example,dc=com
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt "Rule SharedToken"
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.host ds.example.com
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.port 3389
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.secureConn false
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.version 3
$ pki-server ca-config-set auths.instance.SharedToken.pluginName SharedToken
$ pki-server ca-config-set auths.instance.SharedToken.shrTokAttr shrTok
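
The following script is an added check, not part of this wiki page or of Dogtag PKI itself. It assumes the settings above end up in a CS.cfg-style key=value file (the sample below is constructed to mirror them), verifies that every required auths.instance.SharedToken.* key is present, and reports the cleartext LDAP connection implied by secureConn false, since with that setting the bind password and the shrTok values cross the network unencrypted.

```shell
#!/bin/sh
# Added example: audit the SharedToken authentication manager settings
# in a CS.cfg-style file (constructed sample, mirrors the page's values).

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
auths.instance.SharedToken.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
auths.instance.SharedToken.ldap.ldapconn.host=ds.example.com
auths.instance.SharedToken.ldap.ldapconn.port=3389
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
auths.instance.SharedToken.ldap.ldapconn.version=3
auths.instance.SharedToken.pluginName=SharedToken
auths.instance.SharedToken.shrTokAttr=shrTok
EOF

# cfg_get FILE KEY: print the value of KEY (dots escaped), empty if absent.
cfg_get() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$pat=//p" "$1" | head -n 1
}

# audit_shared_token FILE: return 0 when all required keys are set and the
# LDAP connection is TLS-protected; otherwise print findings and return 1.
audit_shared_token() {
    cfg=$1; rc=0
    for key in ldap.basedn ldap.ldapauth.authtype ldap.ldapauth.bindDN \
               ldap.ldapconn.host ldap.ldapconn.port pluginName shrTokAttr; do
        if [ -z "$(cfg_get "$cfg" "auths.instance.SharedToken.$key")" ]; then
            echo "MISSING: auths.instance.SharedToken.$key"; rc=1
        fi
    done
    if [ "$(cfg_get "$cfg" auths.instance.SharedToken.ldap.ldapconn.secureConn)" != "true" ]; then
        echo "FINDING: ldapconn.secureConn is not true; bind password and shrTok values travel in cleartext"
        rc=1
    fi
    return $rc
}

if audit_shared_token "$SAMPLE_CFG"; then echo "OK"; else echo "audit: see findings above"; fi
```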

Enabling caFullCMCSharedTokenCert Profile

$ sed -i \
    -e "s/\(enable\)=.*/\1=true/" \
    /var/lib/pki/pki-tomcat/ca/profiles/ca/caFullCMCSharedTokenCert.cfg

Restarting CA Subsystem

$ pki-server ca-undeploy --wait
$ pki-server ca-deploy --wait

Generating Shared Token

$ CMCSharedToken \
    -d /root/.dogtag/nssdb \
    -p "" \
    -n issuance_protection \
    -s <token> \
    -o shared_token.b64

$ sed -i -e :a -e 'N;s/\n/,/;ba' shared_token.b64
$ SHARED_TOKEN=$(cat shared_token.b64)

Adding User with Shared Token

$ cp \
    /usr/share/pki/server/examples/cmc/shared_secret-user.ldif \
    shared_secret-user.ldif

$ sed -i "\$ a\\shrTok: $SHARED_TOKEN" shared_secret-user.ldif

$ ldapadd \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f shared_secret-user.ldif

See Also