
Re: Authentication with Client Certificates

Hello David,

I have some questions about certificates in OpenShift. To begin, do I have to modify the 'servingInfo.clientCA' parameter and specify this CA: '/etc/origin/master/ca.crt'?
And there are several clientCA parameters. Do I have to use this one?:

  logoutURL: ""
    certFile: master.server.crt
    clientCA: "ca.crt"

To create the client certificate, I have to use the tool oadm create-api-client-config, don't I?
For example:
oadm create-api-client-config --certificate-authority='/etc/origin/master/ca.crt' --master='https://master.domain.es:8443' --client-dir='/etc/origin/master/usertest' --signer-cert='/etc/origin/master/ca.crt' --signer-key='/etc/origin/master/ca.key' --signer-serial='/etc/origin/master/ca.serial.txt' --user='usertest'

Once created, is it possible to test it with the oc client?

If I do:
oc config set-credentials usertest --client-certificate=/etc/origin/master/usertest/usertest.crt

I do not know if it should already be logged into the system or if I have to log in again with oc login.


2015-11-16 14:34 GMT+01:00 David Eads <deads redhat com>:
It is possible, but you have to be very careful what you sign.  Client certificates operate directly against the API server and provide a User, not an Identity (see https://docs.openshift.org/latest/architecture/additional_concepts/other_api_objects.html#user-objects for the distinction between them).

If you take a look here: https://docs.openshift.org/latest/install_config/master_node_configuration.html, you can find the `servingInfo.clientCA` element.  That controls which CA is trusted to sign client certificates that are presented to the API server.  If you sign a cert containing `Organization`, that will be considered the effective groups for the User. You can add your client certificates to your ~/.kube/config file (equivalent of `oc login`) by running `oc config set-credentials`.

Jordan can probably tell you if they work for the console.

On Mon, Nov 16, 2015 at 6:20 AM, Fran Barrera <franbarrera6 gmail com> wrote:

We need to configure OpenShift to allow authentication with client certificates. We are reading this doc (https://docs.openshift.org/latest/install_config/configuring_authentication.html) but we don't see anything.

If it is possible, what options would work? CLI, Web Console, API?

Best Regards,

users mailing list
users lists openshift redhat com
