23.6. Authenticating to the Identity Management Web UI with a Smart Card
Note
23.6.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI
- On an Identity Management server, create a shell script to configure the server.
- Use the ipa-advise config-server-for-smart-card-auth command, and save its output to a file:
# ipa-advise config-server-for-smart-card-auth > server_smart_card_script.sh
- Open the script file, and review its contents.
- Add execute permissions to the file using the chmod utility:
# chmod +x server_smart_card_script.sh
- Run the script on all servers in the Identity Management domain.
- Make sure the sssd-dbus package is installed.
- On an Identity Management server, add the CA certificate to the NSS database used by the HTTP server:
# ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
# ipa-certupdate
Repeat ipa-certupdate on all replicas and clients.
- Restart the HTTP server and the Kerberos server:
# systemctl restart httpd
# systemctl restart krb5kdc
Repeat the commands on all replicas.
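A check to run on each server after the steps above, as an added example that is not part of the original guide: it parses `certutil -L` output and confirms that the "SmartCard CA" nickname carries the CT,C,C trust flags. The function names, the constructed sample listing and the /etc/httpd/alias database path are assumptions.

```shell
#!/bin/sh
# Added example: verify a CA nickname's trust flags in `certutil -L` output.

# check_ca_trust NICKNAME FLAGS   (certutil -L listing on stdin)
# Exit status: 0 = listed with exactly FLAGS, 1 = listed with other flags,
#              2 = nickname not listed at all.
check_ca_trust() {
    awk -v nick="$1" -v want="$2" '
        NF >= 2 {
            flags = $NF                      # trust flags are the last column
            name = $0
            sub(/ +[^ ]+ *$/, "", name)      # drop the trust-flags column
            sub(/^ +/, "", name)             # nicknames may contain spaces
            if (name == nick) { found = 1; if (flags == want) ok = 1 }
        }
        END { if (ok) exit 0; if (found) exit 1; exit 2 }
    '
}

# Constructed sample of a `certutil -L` listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
SmartCard CA                                                 CT,C,C
EOF
}

# On a real server, feed the HTTP server's NSS database instead of the sample.
# The path below is an assumption; adjust it to your installation:
#   certutil -L -d /etc/httpd/alias | check_ca_trust "SmartCard CA" "CT,C,C"
if sample_listing | check_ca_trust "SmartCard CA" "CT,C,C"; then
    echo "SmartCard CA: present with trust flags CT,C,C"
else
    echo "SmartCard CA: missing or wrong trust flags" >&2
fi
```

A status of 2 on a replica or client usually means ipa-certupdate has not been run there yet.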
23.6.2. Preparing the Browser for Smart-card Authentication
- Launch Firefox.
- Configure Firefox to read the certificate from the smart card.
- Select→ → → →
Figure 23.16. Configuring security devices in Firefox
- Click. In the Load PKCS#11 Device window, fill out the following information:
- Module Name: OpenSC
- Module filename: /usr/lib64/opensc-pkcs11.so
Figure 23.17. Device Manager in Firefox
- Click to confirm. Then click to close the Device Manager.
23.6.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User
- Insert the smart card into the smart card reader.
- In the browser, navigate to the Identity Management web UI at https://ipaserver.example.com/ipa/ui.
- If the smart card certificate is linked to a single user account, do not fill out the Username field. If the smart card certificate is linked to multiple user accounts, fill out the Username field to specify the required account.
- Click.
Figure 23.18. in the Identity Management web UI
- Enter the smart card PIN when prompted.
Figure 23.19. Entering the smart card PIN
- A new window opens, proposing the certificate to use. Select the smart card certificate.
Figure 23.20. Selecting the smart card certificate
Note
Additional Resources
- If the authentication fails, see Section A.4, “Investigating Smart Card Authentication Failures”.
23.6.4. Additional Resources
- For details on the Identity Management web UI, see Section 5.4, “The IdM Web UI”.