Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
23.7. Integrating Identity Management Smart-card Authentication with Web Applications
As a developer whose applications use the Identity Management server as an authentication back end through the Identity Management web infrastructure Apache modules, you can configure the applications to enable authentication of users with multiple role accounts linked to their smart card. This enables these users to use the application under allowed role accounts.
23.7.1. Prerequisites for Web Application Authentication with Smart Cards
On the server where the Apache web application is running:
- Enroll the server as a client in the Identity Management domain.
- Install the sssd-dbus and mod_lookup_identity packages.
- Make sure Apache has a working HTTPS connection configured using the
mod_nssmodule.
23.7.2. Configuring Identity Management Smart-card Authentication for a Web Application
- Enable TLS renegotiation in the
mod_nssconfiguration in the/etc/httpd/conf.d/nss.conffile:NSSRenegotiation NSSRequireSafeNegotiation on
- Make sure that the CA issuing the user certificates is trusted for the client certificates in the
mod_nsscertificate database. The default location for the database is/etc/httpd/alias. - Add the web application. In this procedure, we are using an almost minimal example consisting of a login page and a protected area.
- The
/loginend point only lets the user provide a user name and sends the user to a protected part of the application. - The
/append point checks theREMOTE_USERenvironment variable. If the login was successful, the variable contains the ID of the logged-in user. Otherwise, the variable is unset.
- Create a directory, and set its group to
apacheand the mode to at least750. In this procedure, we are using a directory named/var/www/app/. - Create a file, and set its group to
apacheand the mode to at least750. In this procedure, we are using a file named/var/www/app/login.py.Save the following contents to the file:#! /usr/bin/env python def application(environ, start_response): status = '200 OK' response_body = """ <!DOCTYPE html> <html> <head> <title>Login</title> </head> <body> <form action='/app' method='get'> Username: <input type='text' name='username'> <input type='submit' value='Login with certificate'> </form> </body> </html> """ response_headers = [ ('Content-Type', 'text/html'), ('Content-Length', str(len(response_body))) ] start_response(status, response_headers) return [response_body] - Create a file, and set its group to
apacheand the mode to at least750. In this procedure, we are using a file named/var/www/app/protected.py.Save the following contents in the file:#! /usr/bin/env python def application(environ, start_response): try: user = environ['REMOTE_USER'] except KeyError: status = '400 Bad Request' response_body = 'Login failed.\n' else: status = '200 OK' response_body = 'Login succeeded. Username: {}\n'.format(user) response_headers = [ ('Content-Type', 'text/plain'), ('Content-Length', str(len(response_body))) ] start_response(status, response_headers) return [response_body] - Create a configuration file for your application. In this procedure, we are using a file named
/etc/httpd/conf.d/app.confwith the following contents:<IfModule !lookup_identity_module> LoadModule lookup_identity_module modules/mod_lookup_identity.so </IfModule> WSGIScriptAlias /login /var/www/app/login.py WSGIScriptAlias /app /var/www/app/protected.py <Location "/app"> NSSVerifyClient require NSSUserName SSL_CLIENT_CERT LookupUserByCertificate On LookupUserByCertificateParamName "username" </Location>In this file:- The first part loads
mod_lookup_identityif it is not already loaded. - The next part maps the
/loginand/append points to the respective Web Server Gateway Interface (WSGI) scripts. - The last part configures
mod_nssfor the/append point so that it requires a client certificate during the TLS handshake and uses it. In addition, it configures an optional request parameterusernameto look up the identity of the user.
