Certificate-based authentication has been available since version 2.0 of the product. To give certificate-based authentication a try in CloudBolt, follow these simple steps:
Configuring PKI in CloudBolt's Web Interface
- Log into CloudBolt as an admin user
- From the DB browser page, replace "/admin/db/" with "/alladmin/"
- Find the Utilities section and click on '+ Add' in the PKIUtilities row
- Enter regular expressions that should evaluate to the username, first, last and email fields based on the Subject (or DN) field in the user certificates your company uses
- Optionally, you can determine which groups the new users should have requestor, approver, etc. roles in. IMPORTANT: Do not assign the inventory manager role, as it has been deprecated
- Save the form
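The patterns entered in the regex step decide which account a certificate maps to, so it is worth testing them offline against real subject strings before saving. The following is an added example, not CloudBolt's own code: the slash-separated DN layout, the attribute names, the patterns and the function names are all assumptions, as is the idea that the first capture group supplies the field value.

```python
import re

# Constructed sample: subject DN in slash-separated form (assumed format).
SAMPLE_DN = ("/C=US/O=Example Corp/OU=Engineering"
             "/CN=Jane Q Doe/UID=jdoe/emailAddress=jdoe@example.com")
# Constructed edge case: the CN value itself contains the text "UID=".
AMBIGUOUS_DN = ("/C=US/O=Example Corp/CN=UID=svc-admin"
                "/UID=jdoe/emailAddress=jdoe@example.com")

# Hypothetical patterns, one capture group each. Every pattern is tied to the
# "/ATTR=" boundary so text inside another attribute's value cannot match.
PATTERNS = {
    "username": r"(?:^|/)UID=([A-Za-z0-9._-]+)(?=/|$)",
    "first": r"(?:^|/)CN=([^/ ]+)[^/]*(?=/|$)",
    "last": r"(?:^|/)CN=(?:[^/]* )?([^/ ]+)(?=/|$)",
    "email": r"(?:^|/)emailAddress=([^/@\s]+@[^/@\s]+)(?=/|$)",
}


def extract_fields(dn, patterns=PATTERNS):
    """Return {field: value}; reject DNs where a field is absent or repeated."""
    fields = {}
    for name, pattern in patterns.items():
        matches = re.findall(pattern, dn)
        if len(matches) != 1:
            raise ValueError(f"{name}: expected 1 match, got {len(matches)}")
        fields[name] = matches[0]
    return fields


def loose_username(dn):
    """Unanchored pattern, shown only for comparison with the anchored one."""
    match = re.search(r"UID=([\w-]+)", dn)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(extract_fields(SAMPLE_DN))
    print("loose:", loose_username(AMBIGUOUS_DN))
    print("anchored:", extract_fields(AMBIGUOUS_DN)["username"])
```

Run it against a handful of subject strings taken from certificates your CA has actually issued, and adjust the attribute names to match before pasting the patterns into the form.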
Configure PKI in CloudBolt's server settings
Edit /var/opt/cloudbolt/proserv/customer_settings.py and append the following section to the file:
# Enable PKI section
LOGIN_URL = "/pki/login"
from settings import INSTALLED_APPS
INSTALLED_APPS += ('pki',)
Configure Apache to require client certificates for the /pki/login URL
- scp a copy of the root CA certificate to the c2 server. For this article we'll use /var/opt/cloudbolt/proserv/ca.crt as the path for the certificate
- Edit /etc/httpd/conf/httpd.conf, and add the following section:
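# SSLCACertificateFile is only valid in server config or virtual host
# context, so it goes outside the <Location> block.
SSLCACertificateFile /var/opt/cloudbolt/proserv/ca.crt
<Location /pki/login>
    # Reject requests to this URL that do not present a valid client certificate
    SSLVerifyClient require
    SSLVerifyDepth 5
    # Export the SSL_* variables (including the client subject DN) to the application
    SSLOptions +StdEnvVars
</Location>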
* If you are using an intermediate CA cert, use the directive SSLCertificateChainFile instead of SSLCACertificateFile
- Restart httpd