SCEP - dogtagpki/freeipa GitHub Wiki

Short Term Solution

Description

  1. In the DMZ, install the Dogtag Perl-based RA. Point this RA to the IPA-CA. (ipa-host:443). It will talk to the IPA-CA directly. As part of the setup, an RA agent is created that allows the RA to send agent authenticated requests to the IPA-CA (similar tot IPA-RA plugin)

  2. Populate RA with relevant agents/users

  3. On the ipa server, replace /etc/httpd/conf.d/ipa-pki-proxy.conf with the following:

# VERSION 1 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/profileSubmit">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/registerRaUser|^/ca/admin/ca/getBySerial">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/ee/ca/pkiclient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447/
    ProxyPassReverse ajp://localhost:9447/
</LocationMatch>

  1. Note that this adds the following servlets: /ca/ee/ca/profileSubmit, /ca/admin/ca/registerRaUser, /ca/admin/ca/getBySerial for installation of the RA, and /ca/ee/ca/pkiclient for SCEP operations. /ca/ee/ca/pkiclient must be added to the stanza for those operations that require client auth.

  2. Change/add the following parameter in /var/lib/pki-ca/conf/CS.cfg: ca.scep.enable=true

  3. Restart IPA

  4. When installing the RA, make sure to refer to the security domain CA as https://{ipa_hostname}:443.

  5. This was tested using an SCEP client (sscep) modified to use sha-2 encryption. (link to be provided)

How this works

  1. client contacts dogtag-RA and requests a pin (one time password). This generates a pin request on the RA.

  2. An agent connects to the RA using a browser and provides a agent cert for authentication. The agent approves the pin request and a pin is generated.

  3. The agent provides the pin to the client in an out-of-band method. (phone, email)

  4. Client router sends SCEP requests to enroll to dogtag RA, providing the pin as the challenge password.

  5. RA sends agent authenticated request to IPA-CA to decode the SCEP message. The CA decodes the message and sends it back to the RA.

  6. RA reads the decoded message from IPA and confirms that the pin is correct. If so, it passes an agent authenticated request to the IPA-CA to perform the enrolment operation. The RA retrieves the issued cert.

  7. RA deletes the pin from its database

  8. RA provides cert to the client router.

Problems

  1. RA maintains its own identity store of authorized agents. This means dual maintenanceof identity information (ipa and ra).

  2. RA store is in sqlite - which has no real time replication mechanism (sqlite has an online, optimized, replication mechanism — see http://www.sqlite.org/backup.html. It would be enough to call the backup API from the RA)

  3. RA is in DMZ. Better not to have identity/pin info in the DMZ.

Long Term Solution

  1. IPA would be the location for identity and pin operations.

  2. Clients inside the firewall would connect directly to IPA.

  3. Clients outside the firewall would connect to a scaled down RA, which would simply proxy the requests to IPA.

How this works - clients inside firewall

  1. User contacts IPA and provides kerberos credentials. Through some UI or CLI command, he requests that router X be able to enroll via SCEP. As the user is authenticated as an agent, IPA generates a pin and provides it to the user.

  2. router contacts IPA with relevant pin in SCEP request.

  3. IPA verifies pin and sends an agent authenticated SCEP request (from the extended IPA-RA plugin) to the IPA-CA.

  4. IPA-CA issues the cert

  5. IPA returns cert to client router

How this works - clients outside firewall

  1. Client contacts new dummy RA in the DMZ and requests a pin.

  2. Pin request is proxied to IPA.

  3. Agent contacts IPA and provides kerberos credentials. Through some UI or CLI command, he lists the pending pin requests and approves the pin request. IPA generates a pin and displays it. The agent provides the pin to the client in an out-of-band manner.

  4. router contacts the RA with relevant pin in SCEP request.

  5. RA proxies this request to IPA

  6. IPA verifies pin and sends an agent authenticated SCEP request (from the extended IPA-RA plugin) to the IPA-CA.

  7. IPA-CA issues the cert

  8. IPA returns cert to the RA, which returns it to the client router.

⚠️ **GitHub.com Fallback** ⚠️