docs/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst
Elisamara Aoki Goncalves 4d8775ca61 Updates on Certificate Management (pick)
Removed rst substitution from tables and inline markups.

Updated table and restructured sections in the overview.

Fixed issues, reworded paragraphs, changed titles.

Deleted unnecessary sections, added a new item to section and fixed editorial issues.

Fixed editorial and formatting issues.

Fixed more editorial and formatting issues.

Fixed formatting and editorial issues.

Added command line.

Fixed command line.

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
2021-11-09 17:54:11 -03:00


OIDC Client Dex Server Certificates

The oidc-auth-apps application installs a proxy identity provider (dex server) that can be configured to proxy authentication requests to an LDAP(S) identity provider, such as Windows Active Directory.

The oidc-auth-apps application also provides an OIDC client for accessing the username and password login page, for user authentication and retrieval of tokens.

Note

For details on installing, configuring, and using oidc-auth-apps, refer to User Authentication Using Windows Active Directory <user-authentication-using-windows-active-directory-security-index>.

This section covers only certificate management for oidc-auth-apps.

oidc-auth-apps needs three certificates to work:

  • OIDC client and identity provider server certificate (secret local-dex.tls)
  • OIDC client and identity provider trusted CA certificate (secret dex-client-secret)
  • Windows Active Directory CA certificate (secret wadcert)

OIDC client and identity provider server certificate

The OIDC client and identity provider server certificate is the TLS server certificate presented by the identity provider (dex server); it secures the HTTPS connection between the OIDC client and the identity provider.

This certificate, together with its private key, is stored in the Kubernetes TLS secret local-dex.tls.

OIDC client and identity provider trusted CA certificate

The trusted CA certificate is the certificate that signed the OIDC client and identity provider server certificate.

It has to be installed so that the OIDC client can verify the identity provider's server certificate when it opens the HTTPS connection.

The trusted CA certificate is stored in the Kubernetes secret dex-client-secret.

Windows Active Directory CA certificate (WAD CA certificate)

The WAD CA certificate is the CA certificate that signed the server certificate of the Windows Active Directory that OIDC is configured to proxy authentication requests to.

In order for the OIDC identity provider (as the authentication proxy) to securely connect and authenticate users against Windows Active Directory over TLS (LDAPS), the WAD CA certificate needs to be installed and configured so that OIDC trusts the Windows Active Directory server certificate.

Install OIDC certificates

OIDC certificates are not auto generated.

They need to be installed as Kubernetes secrets as part of the app configuration.

Refer to Configure OIDC Auth Applications <configure-oidc-auth-applications> for how to install the certificates into Kubernetes secrets.

Update/Renew OIDC certificates

Warning

OIDC certificates are not auto renewed. They have to be updated manually by recreating the secrets from the new certificate files and then restarting the oidc-auth-apps deployments (dex server and OIDC client), which only read the secrets at startup.

  1. Update/renew the OIDC client and identity provider server certificate:

    ~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=/home/sysadmin/new_ssl/dex-cert.pem --key=/home/sysadmin/new_ssl/dex-key.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
  2. Update/renew the trusted CA certificate:

    ~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/new_ssl/dex-ca.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
  3. Update/renew the WAD CA certificate:

    ~(keystone_admin)]$ kubectl create secret generic wadcert --from-file=/home/sysadmin/new_ssl/AD_CA.cer --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
  4. Restart the OIDC client and identity provider proxy (dex server):

    ~(keystone_admin)]$ kubectl rollout restart deployment oidc-dex -n kube-system
    ~(keystone_admin)]$ kubectl rollout restart deployment stx-oidc-client -n kube-system