
23.6. Authenticating to the Identity Management Web UI with a Smart Card

As an Identity Management user with multiple role accounts in the Identity Management server, you can authenticate with your smart card to the Identity Management web UI as a selected role. This enables you to use the web UI as the selected role.
Note
Only Identity Management users can log in to the web UI with a smart card. Active Directory users can log in with their user name and password. For details, see Section 5.4.2.4, “Authenticating to the IdM Web UI as an AD User”.
For information on configuring the environment to enable the authentication, see Section 23.6.1, “Preparing the Identity Management Server for Smart-card Authentication in the Web UI” and Section 23.6.2, “Preparing the Browser for Smart-card Authentication”.
For information on how to authenticate, see Section 23.6.3, “Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User”.

23.6.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI

As the Identity Management administrator:
  1. On an Identity Management server, create a shell script to configure the server.
    1. Use the ipa-advise config-server-for-smart-card-auth command, and save its output to a file:
      # ipa-advise config-server-for-smart-card-auth > server_smart_card_script.sh
    2. Open the script file, and review its contents.
    3. Add execute permissions to the file using the chmod utility:
      # chmod +x server_smart_card_script.sh
  2. Run the script on all servers in the Identity Management domain.
  3. Make sure the sssd-dbus package is installed. It provides the SSSD D-Bus interface (InfoPipe) that the web UI uses to map the certificate presented by the smart card to an Identity Management user.
Additionally, if an external certificate authority (CA) signed the certificate on the smart card:
  1. On an Identity Management server, add the CA certificate to the NSS database used by the HTTP server:
    # ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
    # ipa-certupdate
    Repeat ipa-certupdate on all replicas and clients.
  2. Restart the HTTP server and the Kerberos server:
    # systemctl restart httpd
    # systemctl restart krb5kdc
    Repeat the commands on all replicas.
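The server-side steps above, collected into one script with the checks an administrator would want before running it on every server. This is an added example, not part of the Red Hat documentation and not the output of ipa-advise; it assumes the RHEL 7 layout in which the HTTP server's NSS database is /etc/httpd/alias, that the external CA certificate is a PEM file passed as an argument, and a DRY_RUN=1 mode that prints the commands instead of executing them (all of these are assumptions, not from the page).

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): the server preparation
# steps as one script. Assumptions: RHEL 7 layout with the HTTP server's NSS
# database in /etc/httpd/alias; DRY_RUN=1 prints commands instead of running
# them. Usage: ./prep.sh generate | ./prep.sh apply | ./prep.sh external-ca ca.pem
ADVISE_SCRIPT="${ADVISE_SCRIPT:-./server_smart_card_script.sh}"
CA_NICK="${CA_NICK:-SmartCard CA}"
HTTPD_NSSDB="${HTTPD_NSSDB:-/etc/httpd/alias}"   # assumed RHEL 7 location
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# 0 if the file holds at least one PEM certificate block, 1 otherwise.
# ipa-cacert-manage expects PEM; a DER file or a private key fails late.
pem_has_certificate() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# 0 if the ipa-advise output looks like a script: non-empty, shebang first.
# An empty file usually means ipa-advise failed (for example, no ticket).
advise_script_is_plausible() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^#!'
}

# Step 1 of the page: generate the advice script and make it executable.
# It is NOT run here: review it first, then call apply_advice.
generate_advice() {
    run sh -c "ipa-advise config-server-for-smart-card-auth > '$ADVISE_SCRIPT'"
    if [ "$DRY_RUN" != 1 ] && ! advise_script_is_plausible "$ADVISE_SCRIPT"; then
        echo "ipa-advise produced no usable script; check klist and rerun" >&2
        return 1
    fi
    run chmod +x "$ADVISE_SCRIPT"
    echo "Generated $ADVISE_SCRIPT; review it, then run: $0 apply" >&2
}

# Steps 2 and 3 of the page: run the reviewed script, then ensure sssd-dbus.
# Repeat on every server in the domain.
apply_advice() {
    if [ "$DRY_RUN" != 1 ] && ! advise_script_is_plausible "$ADVISE_SCRIPT"; then
        echo "$ADVISE_SCRIPT is missing or empty; run generate first" >&2
        return 1
    fi
    run "$ADVISE_SCRIPT"
    # sssd-dbus provides the SSSD InfoPipe the web UI uses to map a
    # certificate to a user; install it if rpm does not know it.
    if [ "$DRY_RUN" = 1 ] || ! rpm -q sssd-dbus >/dev/null 2>&1; then
        run yum install -y sssd-dbus
    fi
}

# Extra steps for a card certificate signed by an external CA.
install_external_ca() {
    if ! pem_has_certificate "$1"; then
        echo "$1 does not contain a PEM certificate" >&2
        return 1
    fi
    run ipa-cacert-manage -n "$CA_NICK" -t CT,C,C install "$1"
    run ipa-certupdate            # repeat on every replica and client
    run systemctl restart httpd   # repeat both restarts on every replica
    run systemctl restart krb5kdc
    # Verify the CA is now present in the HTTP server's NSS database.
    run certutil -L -d "$HTTPD_NSSDB" -n "$CA_NICK"
}

case "${1:-}" in
    generate)    generate_advice ;;
    apply)       apply_advice ;;
    external-ca) install_external_ca "${2:?path to the CA certificate in PEM}" ;;
esac
```

The generate and apply steps are deliberately separate commands so that the advice script you reviewed is the one that runs; regenerating it immediately before execution would make the review step meaningless. Run with DRY_RUN=1 first to see exactly which commands will be executed on each server.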

23.6.2. Preparing the Browser for Smart-card Authentication

To configure the browser for smart-card authentication, perform these steps on the client from which the user launches the web browser to access the web UI. The system on which the browser is running does not have to be part of the Identity Management domain. In this procedure, we are using the Firefox browser.
  1. Launch Firefox.
  2. Configure Firefox to read the certificate from the smart card.
    1. Select Edit → Preferences → Advanced → Certificates → Security Devices.

      Figure 23.16. Configuring security devices in Firefox
    2. Click Load. In the Load PKCS#11 Device window, fill out the following information:
      • Module Name: OpenSC
      • Module filename: /usr/lib64/opensc-pkcs11.so

      Figure 23.17. Device Manager in Firefox
    3. Click OK to confirm. Then click OK to close the Device Manager.
Firefox can now use smart card certificates for authentication.

23.6.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User

To authenticate:
  1. Insert the smart card into the smart card reader.
  2. In the browser, navigate to the Identity Management web UI at https://ipaserver.example.com/ipa/ui.
  3. If the smart card certificate is linked to a single user account, do not fill out the Username field.
    If the smart card certificate is linked to multiple user accounts, fill out the Username field to specify the required account.
  4. Click Login Using Certificate.

    Figure 23.18. Login Using Certificate in the Identity Management web UI
  5. Enter the smart card PIN when prompted.

    Figure 23.19. Entering the smart card PIN
  6. A new window opens, proposing the certificate to use. Select the smart card certificate.

    Figure 23.20. Selecting the smart card certificate
You are now authenticated as the user who corresponds to the smart card certificate.
Note
If an administrator has reset a user's password, the IdM web UI denies that user access until the user sets a new password, for example by using the kinit utility.
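Whether the Username field must be filled in (step 3 above) depends on how many Identity Management users the certificate on the card is linked to. The following is an added example, not from the Red Hat documentation, that lets an administrator check this before the user tries to log in. It assumes OpenSC's pkcs11-tool is installed, that the certificate object on the card has the PKCS#11 id 01 (confirm with pkcs11-tool -O), that the caller holds an admin Kerberos ticket, and it parses the plain-text output of ipa user-find --certificate; these are assumptions, and the sample ipa output used for checking is constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): count the IdM users a
# card certificate is linked to, so the user knows whether the Username field
# is needed. Assumptions: OpenSC pkcs11-tool is installed, the certificate
# object on the card has id 01, and the caller holds an admin Kerberos ticket.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/opensc-pkcs11.so}"
CERT_ID="${CERT_ID:-01}"   # confirm with: pkcs11-tool --module "$PKCS11_MODULE" -O

# Read the certificate object from the card and print it as base64 DER,
# the encoding that `ipa user-find --certificate` expects.
card_cert_base64() {
    tmp=$(mktemp)
    pkcs11-tool --module "$PKCS11_MODULE" --read-object --type cert \
        --id "$CERT_ID" --output-file "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    base64 -w 0 "$tmp"
    rm -f "$tmp"
}

# Parse `ipa user-find` text output (stdin): print matched logins, one per line.
matched_logins() {
    sed -n 's/^  User login: //p'
}

# Parse `ipa user-find` text output (stdin): print the reported entry count
# ("Number of entries returned N"), or 0 if that line is absent.
matched_count() {
    n=$(sed -n 's/^Number of entries returned \([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Translate the count into the login-form behaviour described on the page.
login_advice() {
    case "$1" in
        0) echo "no IdM user has this certificate: the web UI will refuse the login" ;;
        1) echo "one user: leave the Username field empty" ;;
        *) echo "$1 users: fill in the Username field to choose the account" ;;
    esac
}

# Full check against the card currently in the reader.
check_card() {
    cert=$(card_cert_base64) || return 1
    # ipa user-find exits non-zero when it matches 0 users, so the exit
    # status is intentionally ignored here and the count is parsed instead.
    out=$(ipa user-find --certificate="$cert")
    printf '%s\n' "$out" | matched_logins
    login_advice "$(printf '%s\n' "$out" | matched_count)"
}

if [ "${1:-}" = "check" ]; then
    check_card
fi
```

Run it as ./check-card.sh check with the card inserted. A count of 0 is the failure mode to look for: the certificate is valid but no IdM user carries it, so Login Using Certificate fails regardless of what is typed into the Username field.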

23.6.4. Additional Resources