Certificates provisioning


Certificates provisioning

João Graça
Hello,

I have the following scenario that I need to study and implement if possible:
 - Active Directory Server where users will be created (actually already there)
 - Syncope Server to manage users
 - Eventually other databases where the users need to be synchronized with the help of Syncope
 - Somehow propagate certificates (root and intermediate certs) to the AD server and machines to allow later login on the Windows machines with smartcards


So far, I managed to connect Syncope with the AD and create/update/delete users and groups.
I was also able to map a plain schema that I created to the altSecurityIdentities property of the user in Active Directory, providing there a string like "X509:<SKI>'here goes the subject key identifier of the user's cert'".



With this configuration I can log in with the user's smartcard on the Windows client machine. For this login to work I had to install the root and intermediate certs on the Active Directory server and the client machines, but here comes the question...

Is there a way to maintain those certs (root and intermediate) and propagate them to the server and clients with Syncope?

And, if possible, to automate the process of gathering the SubjectKeyIdentifier of the user certificate into the plain schema that I created, which maps to altSecurityIdentities.


Best,
João Graça




Re: Certificates provisioning

mdisabatino



On 18/05/2017 16:33, João Graça wrote:
Is there a way to maintain those certs (root and intermediate) and propagate them to the server and clients with Syncope?
Syncope provides binary fields to store files.
You can use the CMD connector [1][2] (PowerShell scripts) to manage the certs in Active Directory.

And, if possible, to automate the process of gathering the SubjectKeyIdentifier of the user certificate into the plain schema that I created, which maps to altSecurityIdentities.
Yes.

Regards
M

[1] https://connid.atlassian.net/wiki/display/BASE/CMD
[2] https://github.com/Tirasa/ConnIdCMDBundle

-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/

Re: Certificates provisioning

João Graça
Hello Marco,
Thanks for your reply.

Following your reply, I created an AnyType object "ROOTCERT" with an AnyTypeClass "ROOTCERT" and a plain schema "rootCert" of type binary "application/x-x509-ca-cert", in order to upload the root certs that I need (uploaded OK, no problem here).
I was looking to create the same thing with different names for the intermediate certs, but before that I tried to follow the guidance in your reply, and I don't really know how to...

I don't know how to proceed with the scripts and the connectors. I saw that I should create a PowerShell script to map the functions "create", "update", "delete", "search", "test"... but I don't know where to start.

So here go some questions :)
How do I pass arguments to the PowerShell scripts (like the certs)?
Where should I indicate to the connector that it should run on machine X (a Windows server, for example)?
Should I create a connector for each machine that I want the cert on, or must I solve this with the PowerShell script (run it only on the Windows server and from there, somehow, spread the certs across the client machines)?

And about the mapping of the SubjectKeyIdentifier to the plain schema that I created, can you provide some guidance on how to accomplish that?
I have the tools to get the info from the smartcard... So I don't know if it's possible to "edit" the web page, or add a type to Syncope like binary where the button, instead of opening the dialog to choose the file, would run a Java applet to get the info and fill the textbox...


Best,
João Graça




Re: Certificates provisioning

mdisabatino

Hi João,


On 19/05/2017 12:37, João Graça wrote:
I don't know how to proceed with the scripts and the connectors. I saw that I should create a PowerShell script to map the functions "create", "update", "delete", "search", "test"... but I don't know where to start.

There are some old posts [1] where you can find info about the CMD connector and PowerShell scripts.

So here go some questions :)
How do I pass arguments to the PowerShell scripts (like the certs)?
To pass arguments to the PowerShell scripts you must configure the mapping (provisioning rules) in the resource. Syncope sets the mapped fields on your Windows machine as environment variables; this allows you to access the values of the propagated fields.

Where should I indicate to the connector that it should run on machine X (a Windows server, for example)?
The connector contains only the script paths. In PowerShell you have to use your own code to specify the destination where the certificates are to be stored.

Should I create a connector for each machine that I want the cert on, or must I solve this with the PowerShell script (run it only on the Windows server and from there, somehow, spread the certs across the client machines)?
There are two options:

1. Create one connector with N resources, one for each server to be enhanced.
2. Create one connector with one resource and use an additional piece of info (you can pass it via the mapping) to specify which server to propagate to.

It depends on the number of servers you need to manage.

And about the mapping of the SubjectKeyIdentifier to the plain schema that I created, can you provide some guidance on how to accomplish that?
Can I ask you to explain your requirements better?
I have the tools to get the info from the smartcard... So I don't know if it's possible to "edit" the web page, or add a type to Syncope like binary where the button, instead of opening the dialog to choose the file, would run a Java applet to get the info and fill the textbox...


You can override the behavior of the binary field in the console, or extend Syncope with a new feature by adding an Extension [2].


[1] http://blog.tirasa.net/tags/powershell/index.html
[2] https://syncope.apache.org/docs/reference-guide.html#extensions

Regards
M



-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
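As an added example (not code from this thread or from the ConnId CMD bundle), a "create" script of the kind Marco describes: it reads the certificate and the destination from the environment variables the mapping produces and installs the cert in the machine's trust store, locally or on the computer named by the mapping (Marco's option 2). Assumed here: the mapped attribute names rootCert, storeName and target, that the binary attribute arrives base64-encoded, and that the connector takes the new entry's UID from what the script writes to standard output.

```powershell
# create.ps1 (assumed name): run by the ConnId CMD connector on "create".
# Assumptions, not from the thread: the mapping sends rootCert (base64 DER),
# storeName ("Root" for a root CA, "CA" for an intermediate) and target
# (computer to provision) as environment variables, and the connector takes
# the new entry's UID from whatever the script writes to standard output.
$ErrorActionPreference = 'Stop'

function Get-CertFromEnv {
    # Decode the base64 value Syncope placed in the environment into a cert object.
    $raw = $env:rootCert
    if ([string]::IsNullOrWhiteSpace($raw)) { throw 'rootCert attribute is empty' }
    $bytes = [Convert]::FromBase64String($raw)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

function Install-TrustedCert {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [ValidateSet('Root', 'CA')] [string] $StoreName = 'Root',
        [string] $ComputerName
    )
    # Runs locally or, for Marco's option 2, on the machine named by the mapping.
    # ValidateSet keeps an intermediate from ever landing in the Root (trust anchor) store.
    $work = {
        param([byte[]] $bytes, [string] $storeName)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
        $store.Open('ReadWrite')
        # Idempotent: a repeated create/update of the same cert is a no-op.
        if (-not $store.Certificates.Contains($c)) { $store.Add($c) }
        $store.Close()
        return $c.Thumbprint
    }
    if ($ComputerName -and $ComputerName -ne $env:COMPUTERNAME) {
        return Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $Cert.RawData, $StoreName
    }
    return & $work $Cert.RawData $StoreName
}

$cert = Get-CertFromEnv
$storeName = if ($env:storeName) { $env:storeName } else { 'Root' }
$thumbprint = Install-TrustedCert -Cert $cert -StoreName $storeName -ComputerName $env:target
# The thumbprint becomes the UID Syncope keeps for this entry (assumed contract).
Write-Output $thumbprint
```

A matching "delete" script would open the same store and remove the certificate whose thumbprint equals the UID the connector hands back.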
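For the second question, an added helper (not from the thread) that derives the altSecurityIdentities value João describes from a user certificate and checks whether the AD account already carries it; the certificate file path and the use of the ActiveDirectory module's Get-ADUser are assumptions.

```powershell
# Added helper, not from the thread. Assumptions: the user certificate has been
# read from the smartcard and exported to a .cer file (path is a placeholder),
# and the ActiveDirectory module is available for the check against AD.
$ErrorActionPreference = 'Stop'

function Get-AltSecurityIdentity {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # The Subject Key Identifier is extension OID 2.5.29.14. The value AD
    # expects is the SKI as hex digits, no spaces, after the X509:<SKI> prefix.
    $raw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
    if (-not $raw) { throw "Certificate $($Cert.Thumbprint) has no Subject Key Identifier extension" }
    $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $raw, $false
    return "X509:<SKI>$($ski.SubjectKeyIdentifier)"
}

function Test-AltSecurityIdentity {
    # $true when the AD account already lists this certificate; lets you find
    # accounts whose mapping is missing or stale, e.g. after a smartcard renewal.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    $expected = Get-AltSecurityIdentity -Cert $Cert
    # -contains compares strings case-insensitively, so hex case does not matter here.
    return @($user.altSecurityIdentities) -contains $expected
}

# Usage against an exported user certificate; the value returned is what goes
# into the plain schema that Syncope maps to altSecurityIdentities.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\user.cer'
Get-AltSecurityIdentity -Cert $cert
```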