23.5. Authenticating to the Identity Management Web UI with a Smart Card
23.5.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI
- On an Identity Management server, create a shell script to configure the server.
- Use the
ipa-advise config-server-for-smart-card-authcommand, and save its output to a file:
ipa-advise config-server-for-smart-card-auth > server_smart_card_script.sh
- Open the script file, and review its contents.
- Add execute permissions to the file using the
chmod +x server_smart_card_script.sh
- Run the script on all servers in the Identity Management domain.
- Make sure the sssd-dbus package is installed.
- On an Identity Management server, add the CA certificate to the NSS database used by the HTTP server:
ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem#
ipa-certupdateon all replicas and clients.
- Restart the HTTP server and the Kerberos server:
systemctl restart httpd#
systemctl restart krb5kdcRepeat the commands on all replicas.
23.5.2. Preparing the Browser for Smart-card Authentication
- Launch Firefox.
- Configure Firefox to read the certificate from the smart card.
- Select→ → → →
Figure 23.6. Configuring security devices in Firefox
- Click Load PKCS#11 Device window, fill out the following information:. In the
- Module Name:
- Module filename:
Figure 23.7. Device Manager in Firefox
- Clickto confirm. Then click to close the Device Manager.
23.5.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User
- Insert the smart card into the smart card reader.
- In the browser, navigate to the Identity Management web UI at
- If the smart card certificate is linked to a single user account, do not fill out the Username field.If the smart card certificate is linked to multiple user accounts, fill out the Username field to specify the required account.
Figure 23.8.in the Identity Management web UI
- Enter the smart card PIN when prompted.
Figure 23.9. Entering the smart card PIN
- A new window opens, proposing the certificate to use. Select the smart card certificate.
Figure 23.10. Selecting the smart card certificate
- If the authentication fails, see Section A.4, “Investigating Smart Card Authentication Failures”.
23.5.4. Additional Resources
- For details on the Identity Management web UI, see Section 5.4, “The IdM Web UI”.