Vagrant + Ansible for Dogtag PKI (WIP and highly experimental)

Vagrant + Ansible for FreeIPA and Dogtag PKI

Authors: Christian Heimes [email protected]

The playbook is partly inspired by and based on Adam Young's rippowam https://github.com/admiyo/rippowam.

Requirements

The FreeIPA setup needs about 3 to 3.5 GB of free RAM and 6 to 7 GB disk space.

Install dependencies

sudo dnf install ansible libvirt vagrant vagrant-libvirt vagrant-hostmanager libselinux-python nss-tools krb5-pkinit
sudo systemctl enable libvirtd
sudo systemctl start libvirtd
sudo usermod -G libvirt -a YOUR_USER

Either restart your session or use newgrp to join the new user group (current shell only).

$ newgrp libvirt
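Before running the setup scripts it is worth checking that the host actually meets the requirements above. The following preflight script is an added example and not part of the repository: the RAM and disk minimums are the README's own figures (3.5 GB RAM, 7 GB disk), while the list of commands it looks for is my assumption derived from the dnf line above, and the checks are written as small functions so each can be exercised on its own.

```shell
#!/bin/sh
# Host preflight check for pki-vagans. Added example, not a script from the
# repository: the RAM and disk minimums are the README's figures (3.5 GB RAM,
# 7 GB disk); the command list is an assumption based on the dnf line above.
# Usage: sh preflight.sh <directory that will hold the VM images>

REQUIRED_MEM_KB=$((3584 * 1024))   # 3.5 GB, in kB as /proc/meminfo reports it
REQUIRED_DISK_MB=7168              # 7 GB
REQUIRED_CMDS="ansible-playbook vagrant virsh kinit certutil"

# mem_available_kb: print the MemAvailable value of /proc/meminfo-style text on stdin
mem_available_kb() {
    awk '/^MemAvailable:/ { print $2; exit }'
}

# enough_mem KB / enough_disk MB: succeed when the value meets the README minimum
enough_mem() { [ "${1:-0}" -ge "$REQUIRED_MEM_KB" ]; }
enough_disk() { [ "${1:-0}" -ge "$REQUIRED_DISK_MB" ]; }

# in_group GROUP "g1 g2 ...": succeed when GROUP is in the space-separated list
in_group() {
    wanted=$1; shift
    for g in $*; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# missing_cmds "cmd ...": print each name that is not on PATH, one per line
missing_cmds() {
    for c in $*; do
        command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
    done
}

# preflight DIR: run all checks, report each one, return 1 if any failed
preflight() {
    rc=0
    mem=$(mem_available_kb < /proc/meminfo)
    if enough_mem "$mem"; then
        echo "ok   RAM: ${mem} kB available"
    else
        echo "FAIL RAM: ${mem:-unknown} kB available, need ${REQUIRED_MEM_KB} kB"; rc=1
    fi
    disk=$(df -Pk "${1:-.}" | awk 'NR == 2 { print int($4 / 1024) }')
    if enough_disk "$disk"; then
        echo "ok   disk: ${disk} MB free in ${1:-.}"
    else
        echo "FAIL disk: ${disk:-unknown} MB free in ${1:-.}, need ${REQUIRED_DISK_MB} MB"; rc=1
    fi
    if in_group libvirt "$(id -nG)"; then
        echo "ok   $(id -un) is in group libvirt"
    else
        echo "FAIL $(id -un) is not in group libvirt (usermod -G libvirt -a, then newgrp libvirt)"; rc=1
    fi
    missing=$(missing_cmds "$REQUIRED_CMDS")
    if [ -z "$missing" ]; then
        echo "ok   all required commands found"
    else
        echo "FAIL missing commands:" $missing; rc=1
    fi
    return $rc
}

# Run the checks only when a directory is given, e.g. "sh preflight.sh ."
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

The group check matters more than it looks: vagrant-libvirt talks to the libvirt socket as the invoking user, so a missing libvirt membership (or a shell that has not picked it up yet via newgrp) shows up later as an opaque provisioning failure rather than at install time.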

Passwords

The default password for the users root and vagrant, FreeIPA's admin user, 389-DS, PKI CA and PKI KRA is Secret123. The Directory Manager password is DMSecret456.

FreeIPA

$ cd ipa
$ ./setup.sh

Vagrant's multi-machine setup can run into a race condition and start provisioning before all machines have a new SSH key. Running vagrant up --no-provision followed by vagrant provision is more stable. Sometimes the initial provisioning run fails to configure the client or replica; a second run of vagrant provision fixes most issues.

The FreeIPA playbook deploys six machines:

  • ipamaster (master.ipa.example) with CA and KRA
  • ipareplica1 (replica1.ipa.example)
  • ipaclient1 (client1.ipa.example)
  • ipafilesserver (fileserver.ipa.example) for NFS, Samba and Apache demos
  • ipavpnserver (vpn.ipa.example) for ocserv VPN
  • ipaidpserver (idp.ipa.example) for Ipsilon IdP

When the machines are up, you can acquire a Kerberos ticket and start a local instance of Firefox to explore the WebUI. The admin password is Secret123.

$ bin/ipa_kinit admin
$ bin/ipa_firefox
$ bin/ipa_ssh [email protected]

FreeIPA test server

$ cd ipatests
$ ./setup.sh

One test machine:

  • ipatestmaster (master.ipatests.local) with CA and KRA

Dogtag PKI

$ cd pki
$ vagrant up

The playbook for Dogtag PKI deploys 389-DS, a CA and a KRA in one VM.

  • pki_server (dogtag.pki.example)

Python 3 dependencies

There is a shell script in pki/rpms that will download some dependencies.

Forceful cleanup

rm -rf /var/lib/pki/ /var/log/pki/ /etc/sysconfig/pki-tomcat/ /etc/sysconfig/pki/tomcat/pki-tomcat/ /root/.dogtag/pki-tomcat /etc/pki/pki-tomcat/

Vagrant quick manual

Create VM

$ cd pki
$ vagrant up

Provision the VM again

For example, to update RPMs:

$ vagrant provision

Log into VM

$ vagrant ssh <machine>

Destroy VM

$ vagrant destroy

Install custom RPMs

Copy or symlink files or directories with RPMs into pki/rpms or ipa/rpms and set custom_rpms to True. The Ansible playbook will pick up all RPMs (even in symlinked and nested directory structures) and install them.

When something fails

$ sudo systemctl restart libvirtd.service
$ vagrant provision
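The FreeIPA section above recommends vagrant up --no-provision followed by vagrant provision, with a second provisioning run when the first leaves the client or replica unconfigured, and this section adds a libvirtd restart as the recovery step. The script below is an added example, not a script from the repository, that wires those three pieces of advice together: it boots the machines without provisioning, then retries vagrant provision up to MAX_PROVISION_RUNS times (an assumed default of 3), optionally restarting libvirtd between attempts. The retry helper is generic, so it is shown working with an arbitrary command.

```shell
#!/bin/sh
# Stable bring-up of a pki-vagans environment. Added example, not a script
# from the repository; it follows the README's advice ("vagrant up
# --no-provision", then "vagrant provision", re-run on failure, restart
# libvirtd when something fails). MAX_PROVISION_RUNS and RESTART_LIBVIRTD
# are assumed knobs, not settings of the project.
# Usage: sh bringup.sh ipa        (or: RESTART_LIBVIRTD=1 sh bringup.sh pki)

MAX_PROVISION_RUNS=${MAX_PROVISION_RUNS:-3}

# between_attempts: the README's recovery step for a failed provisioning run.
# Opt in with RESTART_LIBVIRTD=1 because it needs sudo.
between_attempts() {
    if [ "${RESTART_LIBVIRTD:-0}" = 1 ]; then
        sudo systemctl restart libvirtd.service
    fi
}

# retry N CMD [ARGS...]: run CMD up to N times; succeed on the first success,
# calling between_attempts after every failure that leaves attempts remaining
retry() {
    n=$1; shift
    i=1
    while [ "$i" -le "$n" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $i of $n failed: $*" >&2
        if [ "$i" -lt "$n" ]; then
            between_attempts
        fi
        i=$((i + 1))
    done
    return 1
}

# bring_up DIR: boot every machine of the Vagrantfile in DIR without
# provisioning, then provision with retries
bring_up() {
    cd "$1" || return 1
    vagrant up --no-provision || return 1
    retry "$MAX_PROVISION_RUNS" vagrant provision
}

# Run only when a directory is given, so the functions can be sourced as well
if [ $# -gt 0 ]; then
    bring_up "$1"
fi
```

Splitting boot from provisioning is what removes the SSH-key race: by the time vagrant provision starts, every machine already has its generated key, so the Ansible run only has to cope with the occasional ordering problem between master, replica and client, which the retry covers.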

Provision non-Vagrant machines

Create an inventory.cfg

[ipaserver_master]
master.domain.example

[ipaserver_replica]
replica1.domain.example
replica2.domain.example

[ipa_client]
client1.domain.example
client2.domain.example
client3.domain.example

and a shell script:

#!/bin/sh
set -ex

PKI_VAGANS="/path/to/pki-vagans"
IPA_DOMAIN="domain.example"

export ANSIBLE_CONFIG=${PKI_VAGANS}/ansible/ansible.cfg

ansible-playbook \
    -i inventory.cfg \
    ${PKI_VAGANS}/ansible/ipa-playbook.yml \
    -vv \
    --extra-vars='{"package_install":true,"package_upgrade":true,"coprs_enabled":[],"ipa_replica_kra":false,"ipa_domain": "'${IPA_DOMAIN}'"}'
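The two steps above (write the inventory, then run the playbook with the extra variables) can be put into one script. The following is an added example, not a script from the repository: the group names, variable names and host naming follow the README, while the helper names are mine. Compared with the snippet above it builds the --extra-vars JSON with printf instead of splicing the domain between shell quotes, and it refuses a domain that contains anything but hostname characters, so a stray quote or brace cannot break out of the JSON string.

```shell
#!/bin/sh
# Inventory generation and playbook run for non-Vagrant hosts. Added example,
# not a script from the repository; group names, variables and paths mirror
# the README, the helpers (gen_inventory, extra_vars, run_playbook) are mine.
# Usage: PKI_VAGANS=/path/to/pki-vagans IPA_DOMAIN=domain.example sh provision.sh run

PKI_VAGANS=${PKI_VAGANS:-/path/to/pki-vagans}
IPA_DOMAIN=${IPA_DOMAIN:-domain.example}

# gen_inventory MASTER "REPLICA..." "CLIENT...": print an inventory in the
# three-group layout of the README (one master, any number of replicas/clients)
gen_inventory() {
    master=$1; replicas=$2; clients=$3
    printf '[ipaserver_master]\n%s\n\n' "$master"
    printf '[ipaserver_replica]\n'
    for h in $replicas; do printf '%s\n' "$h"; done
    printf '\n[ipa_client]\n'
    for h in $clients; do printf '%s\n' "$h"; done
}

# extra_vars DOMAIN: print the JSON document the README passes via --extra-vars.
# DOMAIN is restricted to hostname characters so it cannot alter the JSON.
extra_vars() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*)
            echo "extra_vars: invalid domain '$1'" >&2
            return 1 ;;
    esac
    printf '{"package_install":true,"package_upgrade":true,"coprs_enabled":[],"ipa_replica_kra":false,"ipa_domain":"%s"}' "$1"
}

# run_playbook INVENTORY: run the ipa playbook with the project's ansible.cfg
run_playbook() {
    vars=$(extra_vars "$IPA_DOMAIN") || return 1
    ANSIBLE_CONFIG="${PKI_VAGANS}/ansible/ansible.cfg" \
    ansible-playbook \
        -i "$1" \
        "${PKI_VAGANS}/ansible/ipa-playbook.yml" \
        -vv \
        --extra-vars="$vars"
}

# Only act when called with "run", so the functions can be sourced for reuse
if [ "${1:-}" = run ]; then
    gen_inventory "master.${IPA_DOMAIN}" \
        "replica1.${IPA_DOMAIN} replica2.${IPA_DOMAIN}" \
        "client1.${IPA_DOMAIN} client2.${IPA_DOMAIN} client3.${IPA_DOMAIN}" > inventory.cfg
    run_playbook inventory.cfg
fi
```

Generating the inventory from the domain variable also keeps the host list and ipa_domain in step: the playbook derives realm and DNS settings from ipa_domain, so an inventory whose hostnames live under a different domain is a common source of a failed master setup.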

Ansible roles

bootstrap

General bootstrapping tasks to set up networking and Ansible dependencies (Python 2).

common

Common tasks for FreeIPA and Dogtag:

  • firewalld
  • SELinux
  • rngd
  • time zones
  • hosts

ipa

FreeIPA base package and common facts

ipa-client

Configure host as FreeIPA client

ipa-httpd

Prepare Apache HTTPD for Ipsilon IdP, GSSAPI and SAML2 service point example

ipa-httpexample

GSSAPI + mod_lookup_identity example

ipa-inventory

Create local configuration files and scripts for kinit, ssh and Firefox

ipa-ipsilon-idp

Set up Ipsilon IdP with SAML2, Persona and OpenID

ipa-nfsserver

Kerberized NFS server and autofs for home directories

ipaserver

Install FreeIPA server packages

ipaserver-master

Set up FreeIPA master

ipaserver-replica

Set up FreeIPA replica

ipa-smbserver

Kerberized Samba/CIFS server

ipa-sp-example

SAML2 service point example with mod_auth_mellon

ipa-vpnserver

Kerberized ocserv (OpenConnect) VPN server with MS-KKDCP support.

pki

Install Dogtag PKI base packages for stand-alone CA

pki-389ds

Configure 389-DS LDAP server for Dogtag

pki-ca

Configure Dogtag CA instance

pki-kra

Configure Dogtag KRA instance
