How to authenticate hammer using SSL certificate instead of username/password?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.3.3 and later

Issue

  • How to authenticate hammer using SSL certificate instead of username/password?

Resolution

  • Enable the following settings in the Satellite web UI:

Navigate to Administer -> Settings -> Authentication

Authorize Login delegation            Yes
Authorize Login delegation API        Yes
  • Update httpd configuration file
# vi /etc/httpd/conf.d/05-foreman-ssl.conf 

Add SSLUserName SSL_CLIENT_S_DN_CN to the ## SSL directives section. With this directive mod_ssl sets REMOTE_USER to the CN of the verified client certificate, and login delegation makes Foreman use that value as the login. SSLVerifyClient stays optional, so a request that presents no client certificate still falls through to ordinary username/password authentication; any certificate that chains to the CA in SSLCACertificateFile is accepted, and its CN becomes a Foreman login. The section should look like:

 ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars +ExportCertData
  SSLUserName SSL_CLIENT_S_DN_CN
  • Restart httpd service
# systemctl restart httpd 
  • Comment out the username and password in both hammer configuration files, ~/.hammer/cli.modules.d/foreman.yml and ~/.hammer/cli_config.yml:
# vi ~/.hammer/cli_config.yml
:foreman:
     :host: 'https://satellite.example.com'
#     :username: 'admin'
#     :password: 'secure'

Comment out the same two lines in the other file:

# vi ~/.hammer/cli.modules.d/foreman.yml
#     :username: 'admin'
#     :password: 'secure'
  • Now note the CN field of the client certificate you are going to use. This article uses Foreman's own client certificate for the tests that follow, so read that certificate to find its CN:
# openssl x509 -noout -subject -in /etc/foreman/client_cert.pem
subject= /C=US/ST=North Carolina/O=FOREMAN/OU=PUPPET/CN=satellite.example.com

In the example above the CN is satellite.example.com; for this certificate it always matches your Satellite's hostname. hammer presents the certificate, and Foreman uses its CN as the login name when authenticating the API request.

  • Now authenticate hammer with Foreman's client certificate and its key. This first request fails with a missing permission:
# hammer  --ssl-client-cert /etc/foreman/client_cert.pem --ssl-client-key /etc/foreman/client_key.pem user list
Access denied
Missing one of the required permissions: view_users

The certificate itself was accepted: the request made Foreman create the satellite.example.com user (it shows Authorized by: EXTERNAL in the user list), but an auto-created external user has no roles, so the user list command is denied for lack of the view_users permission.

  • Log in to the Satellite web UI and assign the new satellite.example.com user the roles you need. For the user list command used here the Viewer role is sufficient, and it is the right choice if hammer will only read information. If hammer will also change settings on your Satellite, add the relevant Edit or Manager roles (or, with appropriate caution, the admin role) instead. Grant only the roles the scripts using this certificate actually need: anyone holding the certificate's private key acts as this user.

On Satellite 6.4 and earlier you may instead use the /etc/pki/katello/certs/pulp-client.crt certificate and its key. On later versions this certificate fails, because its CN is admin and the Satellite already ships an admin user in the INTERNAL user database; the attempt to auto-create admin as an EXTERNAL user then conflicts with it:

# hammer --ssl-client-cert /etc/pki/katello/certs/pulp-client.crt --ssl-client-key /etc/pki/katello/private/pulp-client.key user list
500 Internal Server Error        # <== on Satellite 6.8 and later

Where the certificate is accepted, the same command lists the users, including the externally authorized one created in the previous step:

ID | LOGIN                 | NAME | EMAIL | ADMIN | LAST LOGIN          | AUTHORIZED BY
---|-----------------------|------|-------|-------|---------------------|--------------
8  | testuser01            |      |       | yes   | 2021/05/13 19:38:43 | Internal
10 | satellite.example.com |      |       | no    | 2021/06/23 16:14:27 | External
9  | testuser02            |      |       | no    | 2021/05/13 19:42:49 | Internal

Read the CN of any certificate before using it with hammer, and avoid certificates whose CN matches an existing internal login.
  • To make the certificate login permanent, add an :ssl: section to the hammer config file pointing at the certificate whose CN you granted roles to. In this example that is Foreman's client certificate and key (the pulp-client.crt pair shown above fails on later versions because of its CN=admin):
# vi ~/.hammer/cli_config.yml

:foreman:
  :host: 'https://satellite.example.com'

:ssl:
  :ssl_client_cert: '/etc/foreman/client_cert.pem'
  :ssl_client_key: '/etc/foreman/client_key.pem'

Note: Be careful with indentation when editing the YAML file. hammer must run as a user that can read the private key (root in these examples), and anyone who can read that key can act as the satellite.example.com user with whatever roles you assigned, so keep the key and ~/.hammer/cli_config.yml readable only by that user. For any help feel free to contact Red Hat technical support.

  • Now run hammer commands without passing the certificate options on the command line:
# hammer host list 
# hammer user list 
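The checks below, as an added example that is not part of this Red Hat solution, automate what the steps above do by hand before you commit a certificate to ~/.hammer/cli_config.yml: read the CN that Foreman will use as the login, confirm the private key belongs to the certificate, confirm the certificate chains to the CA configured in SSLCACertificateFile, and confirm it has not expired. It also includes an optional hammer query for the CN=admin style conflict described above. The script uses only sh and openssl (plus hammer for the optional check); the certificate, key and CA paths are assumptions matching the examples in this article, and the hammer CSV column name it looks for is assumed from the table output shown above.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: preflight checks to run on
# the Satellite server before switching hammer to certificate login.
# Assumed paths, matching the article:
#   cert: /etc/foreman/client_cert.pem
#   key:  /etc/foreman/client_key.pem
#   CA:   /etc/pki/katello/certs/katello-default-ca.crt  (SSLCACertificateFile)

# CN that mod_ssl exports as SSL_CLIENT_S_DN_CN and, via SSLUserName, as
# REMOTE_USER, i.e. the login Foreman will look up or auto-create.
# -nameopt RFC2253 prints "CN=...,OU=...,O=..." with no spaces around "=",
# so the same sed works on OpenSSL 1.0, 1.1 and 3.x.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The private key must belong to the certificate, otherwise the TLS
# handshake fails before Foreman ever sees a login. Compare public keys.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The certificate must chain (within SSLVerifyDepth) to the CA named in
# SSLCACertificateFile; nothing else is accepted as a client certificate.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# An expired certificate also fails the handshake; -checkend 0 exits non-zero
# when the certificate has already expired.
cert_is_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Optional: ask Foreman whether the login already exists as an INTERNAL user,
# the conflict the article describes for CN=admin. Needs a hammer that can
# already authenticate (e.g. with admin credentials). Assumes hammer's CSV
# output carries an "Authorized by" column as the table output does.
cn_is_internal_user() {
    hammer --output csv user list --search "login = \"$1\"" 2>/dev/null \
        | awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) if (tolower($i) ~ /authorized/) col = i; next }
                   col && tolower($col) == "internal" { found = 1 }
                   END { exit !found }'
}

# Run all local checks; on success print the login to grant roles to.
preflight() {
    cert=$1; key=$2; ca=$3
    cn=$(cert_cn "$cert")
    [ -n "$cn" ] || { echo "no CN in $cert" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    cert_chains_to "$ca" "$cert"    || { echo "$cert does not chain to $ca" >&2; return 1; }
    cert_is_valid_now "$cert"       || { echo "$cert has expired" >&2; return 1; }
    echo "$cn"
}

# Usage: sh hammer-cert-preflight.sh check CERT KEY CA
#   e.g. check /etc/foreman/client_cert.pem /etc/foreman/client_key.pem \
#              /etc/pki/katello/certs/katello-default-ca.crt
case "${1:-}" in
    check) preflight "$2" "$3" "$4" ;;
esac
```

The printed CN is the login to look for (or create roles for) under Administer -> Users; if cn_is_internal_user reports it already exists as an internal user, pick a certificate with a different CN rather than reusing that login.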

For more KB articles/solutions related to Red Hat Satellite 6.x hammer Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x hammer-related Issues


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.