Overview#
By default PKI server accepts password and client certificate for authentication, but most of the REST operations require that the user was authenticated using client certificate. See PKI Server Authentication.
Under certain circumstances (e.g. ticket #1752) it is necessary to enable password authentication on additional REST methods.
Enabling Password Authentication#
The default list of allowed authentication methods is stored in /usr/share/pki/ca/conf/auth-method.properties. To customize the list for a particular instance, copy the file into the appropriate subsystem configuration folder, for example:
$ cp /usr/share/pki/ca/conf/auth-method.properties /var/lib/pki/pki-tomcat/conf/ca/
Edit the copied file, add passwdUserDBAuthMgr to the REST operations as needed:
account = certUserDBAuthMgr,passwdUserDBAuthMgr
certs = certUserDBAuthMgr,passwdUserDBAuthMgr
groups = certUserDBAuthMgr,passwdUserDBAuthMgr
users = certUserDBAuthMgr,passwdUserDBAuthMgr
In the above example the password authentication is enabled on certificates, groups, and users operations in addition to the default account (i.e. login) operation.
Restarting PKI Server#
The PKI server needs to be restarted for the changes to become effective:
$ systemctl restart pki-tomcatd@pki-tomcat.service
Now it should be possible to execute the following command with password authentication:
$ pki -u caadmin -w Secret.123 ca-user-find
-----------------
3 entries matched
-----------------
User ID: CA-server.example.com-8443
Full name: CA-server.example.com-8443
User ID: caadmin
Full name: caadmin
User ID: pkidbuser
Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------