Project

Profile

Help

Task #6830

Update yum/dnf documentation on how .repo files can be configured to present a client cert and key

Added by bmbouter 3 months ago. Updated 22 days ago.

Status:
NEW
Priority:
High
Assignee:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation
Sprint:

Description

The cert and key from clients now occur during TLS submission. That means these docs are out of date.

We should update the docs to show how a yum/dnf client can be configured to submit the cert and key via TLS.

History

#1 Updated by bmbouter 3 months ago

  • Tracker changed from Issue to Task
  • Project changed from Pulp to CertGuard
  • % Done set to 0

#2 Updated by OnceUponALoop 2 months ago

Hey all - I just watched the "Pulp certguard Tour - 2020.05.20" youtube video, thank you for putting that together it was useful.

I especially appreciate the dev overview of the code structure in the end. It makes it easier to jump in by saving all the "what the hell is going on here" upfront cost.

Regarding the yum configuration - I'm familiar enough with the topic that I thought I could respond to the videos request for yum x509-auth configuration details.

Yum x509

Yum can either have the x509 cert info in the it's main configuration or in each repo configuration.

Assuming we've already configure Pulp and have placed the required certificates in /etc/pki/entitelments/ (this is the default RHSM path, I'm not sure if there's a more standards-compliant path)

  • Global

    Define the x509 info in /etc/yum.conf and it will apply to all repos.

    .

     [main]
     
     # x509 Auth Info
     sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
     sslclientkey    = /etc/pki/entitlement/<user-key>.pem
     sslcacert       = /etc/pki/entitlement/<ca-cert>.pem
    

    To exclude a certain repo from the x509 configuration, update the repo configuration as follows

     [pulp-repo-clear]
     name            = Unprotected Repo - Global x509 is configured
     baseurl         = http://pulp.example.com/content/rpm/pulp-repo-clear
     sslverify       = 1
     enabled         = 1
     gpgcheck        = 1
     gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PULP-REPO-CLEAR
     # Auth Not Needed
     sslclientcert = _none_
     sslclientkey  = _none_
     sslcacert     = _none_
    
  • Per Repo

    Define the x509 info for each repo that supports certguard (if repos have different certguards) in /etc/yum.repos.d/<repo-name>.repo

    This is probably the most straightforward implementation, and should be recommended as it avoids all the corner cases as well.

     [pulp-repo-cg]
     name            = Cert Guard Protected Repo
     baseurl         = http://pulp.example.com/content/rpm/pulp-repo-cg
     sslverify       = 1
     enabled         = 1
     gpgcheck        = 1
     gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-MYREPO
     # x509 Auth
     sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
     sslclientkey    = /etc/pki/entitlement/<user-key>.pem
     sslcacert       = /etc/pki/entitlement/<ca-cert>.pem
    

#3 Updated by bmbouter 22 days ago

  • Priority changed from Normal to High

Please register to edit this issue

Also available in: Atom PDF