Task #6830 (closed)
Update yum/dnf documentation on how .repo files can be configured to present a client cert and key
Description
Ticket moved to GitHub: pulp/pulp-certguard/142 (https://github.com/pulp/pulp-certguard/issues/142)
The client cert and key are now presented during the TLS handshake, which means these docs are out of date.
We should update the docs to show how a yum/dnf client can be configured to submit the cert and key via TLS.
Updated by bmbouter about 3 years ago
- Tracker changed from Issue to Task
- Project changed from Pulp to CertGuard
- % Done set to 0
Updated by OnceUponALoop almost 3 years ago
Hey all - I just watched the "Pulp certguard Tour - 2020.05.20" youtube video, thank you for putting that together it was useful.
I especially appreciate the dev overview of the code structure in the end. It makes it easier to jump in by saving all the "what the hell is going on here" upfront cost.
Regarding the yum configuration - I'm familiar enough with the topic that I thought I could respond to the video's request for yum x509-auth configuration details.
Yum x509
Yum can have the x509 cert info either in its main configuration or in each repo configuration.
Assuming we've already configured Pulp and have placed the required certificates in /etc/pki/entitlement/
(this is the default RHSM path, I'm not sure if there's a more standards-compliant path)
Global
Define the x509 info in /etc/yum.conf and it will apply to all repos.

```ini
[main]
# x509 Auth Info
sslclientcert = /etc/pki/entitlement/<user-cert>.pem
sslclientkey = /etc/pki/entitlement/<user-key>.pem
sslcacert = /etc/pki/entitlement/<ca-cert>.pem
```
To exclude a certain repo from the x509 configuration, update the repo configuration as follows
```ini
[pulp-repo-clear]
name = Unprotected Repo - Global x509 is configured
baseurl = http://pulp.example.com/content/rpm/pulp-repo-clear
sslverify = 1
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PULP-REPO-CLEAR
# Auth Not Needed
sslclientcert = _none_
sslclientkey = _none_
sslcacert = _none_
```
Per Repo
Define the x509 info for each repo that supports certguard (if repos have different certguards) in /etc/yum.repos.d/<repo-name>.repo
This is probably the most straightforward implementation, and should be recommended as it avoids all the corner cases as well.

```ini
[pulp-repo-cg]
name = Cert Guard Protected Repo
# The client cert is only presented during the TLS handshake, so the
# baseurl must be https; over plain http certguard never sees the cert.
baseurl = https://pulp.example.com/content/rpm/pulp-repo-cg
sslverify = 1
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-MYREPO
# x509 Auth
sslclientcert = /etc/pki/entitlement/<user-cert>.pem
sslclientkey = /etc/pki/entitlement/<user-key>.pem
sslcacert = /etc/pki/entitlement/<ca-cert>.pem
```
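The two ways of wiring up the cert (globally in yum.conf, or per repo with `_none_` opt-outs) interact, and the most common way to get it wrong is silent: a repo that inherits `sslclientcert` from `[main]` but uses an `http://` baseurl never presents the cert at all, because the client certificate only travels inside the TLS handshake. The following is an added example, not code from the post above or from pulp-certguard: a small linter in Python (the language yum/dnf are written in) that reads `.repo` text with `configparser`, resolves each repo's effective `sslclientcert`/`sslclientkey`/`sslverify`/`baseurl` against an optional `[main]` section, and reports the mismatches a practitioner would want caught before the first failed `dnf makecache`. It assumes the option names used in the post and treats the literal value `_none_` as "explicitly unset", as the post does; the section names and config strings are constructed for the example.

```python
"""Lint yum/dnf repo config for client-cert (x509) auth mistakes.

Added example, not part of pulp-certguard. Assumes the yum option names from
the post (sslclientcert, sslclientkey, sslcacert, sslverify, baseurl) and that
the literal value `_none_` opts a repo out of a globally configured cert.
"""
import configparser
from urllib.parse import urlsplit

UNSET = {"", "_none_"}


def _effective(conf, section, key, main):
    """Value for a repo option, falling back to [main] (global yum.conf) if given."""
    if conf.has_option(section, key):
        return conf.get(section, key).strip()
    if main is not None and main.has_option("main", key):
        return main.get("main", key).strip()
    return ""


def lint_repo_config(repo_text, main_text=None):
    """Return {repo_section: [findings]} for every repo section in repo_text."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(repo_text)
    main = None
    if main_text is not None:
        main = configparser.ConfigParser(interpolation=None)
        main.read_string(main_text)

    report = {}
    for section in conf.sections():
        if section == "main":
            continue
        findings = []
        cert_set = _effective(conf, section, "sslclientcert", main) not in UNSET
        key_set = _effective(conf, section, "sslclientkey", main) not in UNSET
        if cert_set != key_set:
            findings.append("sslclientcert and sslclientkey must both be set (or both _none_)")
        if cert_set:
            # A client certificate is only sent during the TLS handshake: with a
            # plain-http baseurl the server never sees it and certguard denies access.
            for url in _effective(conf, section, "baseurl", main).split():
                if urlsplit(url).scheme != "https":
                    findings.append(f"cert auth configured but baseurl is not https: {url}")
            if _effective(conf, section, "sslverify", main).lower() in {"0", "false", "no"}:
                findings.append("sslverify disabled: client would present its cert to any server")
        report[section] = findings
    return report


# Constructed sample input for the example (not a real deployment).
MAIN_CONF = """\
[main]
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey = /etc/pki/entitlement/user-key.pem
"""

REPO_CONF = """\
[pulp-repo-cg]
name = Cert Guard Protected Repo (inherits the global cert, but http)
baseurl = http://pulp.example.com/content/rpm/pulp-repo-cg
sslverify = 1

[pulp-repo-cg-fixed]
name = Cert Guard Protected Repo (https)
baseurl = https://pulp.example.com/content/rpm/pulp-repo-cg
sslverify = 1
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey = /etc/pki/entitlement/user-key.pem

[pulp-repo-clear]
name = Unprotected Repo - opted out of the global cert
baseurl = http://pulp.example.com/content/rpm/pulp-repo-clear
sslclientcert = _none_
sslclientkey = _none_

[pulp-repo-half]
name = Cert without key
baseurl = https://pulp.example.com/content/rpm/pulp-repo-half
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey = _none_
"""

if __name__ == "__main__":
    for repo, findings in lint_repo_config(REPO_CONF, MAIN_CONF).items():
        print(repo, "OK" if not findings else findings)
```

Run it against the real files with `lint_repo_config(open(path).read(), open("/etc/yum.conf").read())`; a repo with an empty finding list is one where yum will actually present the cert over TLS, which is exactly the case the docs need to describe.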
Updated by pulpbot over 1 year ago
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE