23.7. Integrating Identity Management Smart-card Authentication with Web Applications

As a developer whose applications use the Identity Management server as an authentication back end through the Identity Management web infrastructure Apache modules, you can configure the applications to enable authentication of users with multiple role accounts linked to their smart card. This enables these users to use the application under allowed role accounts.

23.7.1. Prerequisites for Web Application Authentication with Smart Cards

On the server where the Apache web application is running:
  • Enroll the server as a client in the Identity Management domain.
  • Install the sssd-dbus and mod_lookup_identity packages.
  • Make sure Apache has a working HTTPS connection configured using the mod_nss module.

23.7.2. Configuring Identity Management Smart-card Authentication for a Web Application

  1. Enable TLS renegotiation in the mod_nss configuration in the /etc/httpd/conf.d/nss.conf file:
    NSSRenegotiation
    NSSRequireSafeNegotiation on
  2. Make sure that the CA issuing the user certificates is trusted for the client certificates in the mod_nss certificate database. The default location for the database is /etc/httpd/alias.
  3. Add the web application. In this procedure, we are using an almost minimal example consisting of a login page and a protected area.
    • The /login end point only lets the user provide a user name and sends the user to a protected part of the application.
    • The /app end point checks the REMOTE_USER environment variable. If the login was successful, the variable contains the ID of the logged-in user. Otherwise, the variable is unset.
  4. Create a directory, and set its group to apache and the mode to at least 750. In this procedure, we are using a directory named /var/www/app/.
  5. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/login.py.
    Save the following contents to the file:
    #! /usr/bin/env python
    
    def application(environ, start_response):
        status = '200 OK'
        response_body = """
    <!DOCTYPE html>
    <html>
        <head>
            <title>Login</title>
        </head>
        <body>
            <form action='/app' method='get'>
                Username: <input type='text' name='username'>
                <input type='submit' value='Login with certificate'>
            </form>
        </body>
    </html>
    """
        response_headers = [
            ('Content-Type', 'text/html'),
            ('Content-Length', str(len(response_body)))
        ]
        start_response(status, response_headers)
        return [response_body]
  6. Create a file, and set its group to apache and the mode to at least 750. In this procedure, we are using a file named /var/www/app/protected.py.
    Save the following contents in the file:
    #! /usr/bin/env python
    
    def application(environ, start_response):
        try:
            user = environ['REMOTE_USER']
        except KeyError:
            status = '400 Bad Request'
            response_body = 'Login failed.\n'
        else:
            status = '200 OK'
            response_body = 'Login succeeded. Username: {}\n'.format(user)
    
        response_headers = [
            ('Content-Type', 'text/plain'),
            ('Content-Length', str(len(response_body)))
        ]
        start_response(status, response_headers)
        return [response_body]
  7. Create a configuration file for your application. In this procedure, we are using a file named /etc/httpd/conf.d/app.conf with the following contents:
    <IfModule !lookup_identity_module>
        LoadModule lookup_identity_module modules/mod_lookup_identity.so
    </IfModule>
    
    WSGIScriptAlias /login /var/www/app/login.py
    WSGIScriptAlias /app /var/www/app/protected.py
    
    <Location "/app">
        NSSVerifyClient require
        NSSUserName SSL_CLIENT_CERT
        LookupUserByCertificate On
        LookupUserByCertificateParamName "username"
    </Location>
    In this file:
    • The first part loads mod_lookup_identity if it is not already loaded.
    • The next part maps the /login and /app end points to the respective Web Server Gateway Interface (WSGI) scripts.
    • The last part configures mod_nss for the /app end point so that it requires a client certificate during the TLS handshake and uses it. In addition, it configures an optional request parameter username to look up the identity of the user.