#2464 Improvements for authentication during installation.
Closed: migrated 3 years ago by dmoluguw. Opened 7 years ago by edewata.

Currently the security domain (SD) relies on tokens to allow a subsystem to access another subsystem during installation. The token is initially created through the SecurityDomain REST service or the GetCookie servlet, then the token is authenticated through the TokenAuthentication module, which calls the TokenAuthenticate servlet.

In a replicated KRA environment, the SD used by the KRA clone to create the token and the SD used by the KRA master to authenticate the token might be different. In some cases, the replication between the SDs doesn't happen fast enough so the token authentication could fail (see ticket #2434).

There might be ways to address this issue.

Option 1: The token could be signed by the SD so a subsystem can authenticate the token without contacting the SD. This probably can be implemented with Kerberos or a Kerberos-like system.

Option 2: The SD could be detached from the CA and it will always be installed in all PKI instances (ticket #782). The KRA clone and KRA master could be changed to use the same SD on the KRA master, so there's no replication issue.


Option 3: Instead of assuming that the KRA master has an SD, the KRA clone could ask the KRA master for the location of the SD, then contact it directly.
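
Added example, not part of the ticket and not Dogtag code: Option 1 shown as a self-contained installation token that the receiving subsystem verifies locally, so no SD lookup is made and replication lag between SDs cannot fail the check. It uses an HMAC as a stand-in for a Kerberos-like scheme and assumes the SD and the subsystem already share a key; all function names, claim names and host names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical names throughout; the shared key is an assumed out-of-band secret.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(key: bytes, subject: str, audience: str, now: float, ttl: int = 300) -> str:
    """SD side: bind subject, target subsystem and expiry into the token, then MAC it."""
    claims = {"sub": subject, "aud": audience, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_token(key: bytes, token: str, audience: str, now: float):
    """Subsystem side: check the token locally. Returns the claims, or None if rejected."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the MAC has been verified
    if claims["aud"] != audience or now >= claims["exp"]:
        return None  # token was minted for another subsystem, or has expired
    return claims

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    token = issue_token(key, "kra-clone.example.test", "kra-master", time.time())
    print(verify_token(key, token, "kra-master", time.time()))
```

Because the check is local, a token cannot be revoked before it expires, so the lifetime should stay short.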

Metadata Update from @edewata:
- Issue set to the milestone: 10.4

7 years ago

Metadata Update from @edewata:
- Custom field feature adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2584

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
