RHEL-30370

Implement `rightcert` Support in NetworkManager-libreswan

    • ZStream
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 10
    • 3
    • False
    • No
    • NMT - RHEL-9.5 DTM 8
    • Approved Blocker

      User story:

      As an OpenShift administrator,

      I want to securely connect my OpenShift cluster to a Single Node OpenShift (SNO) instance using nmstate to configure IPSec connections with certificate-based authentication,

      So that I can ensure secure communication channels between my cluster and SNO, leveraging mutual TLS for authentication.

      Acceptance criteria:

      Given a system with NetworkManager-libreswan installed,

      When a network administrator configures an IPSec connection specifying both leftcert and rightcert parameters for certificate-based authentication,

      Then NetworkManager-libreswan should successfully recognize and apply the rightcert parameter. 

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Unit test and integration test are written and pass
      • The code is part of a downstream build attached to an errata
      • The code is backported into RHEL-9.2
      • The release note text is filled

       
      AC and QE test alignment:
      The CI test added in https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1674 aligns well with the acceptance criteria provided above, as it includes the setup and configuration steps (imports the server certificate into the local database, adds a VPN connection with `leftcert` and `rightcert`, brings up the connection, and verifies the connection state and associated routes).

    • Pass
    • None
    • Enhancement
      .The `NetworkManager-libreswan` plugin supports the `rightcert` option

      You can use the `rightcert` option when configuring Libreswan connections through NetworkManager. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using a certificate.
    • Done
    • None

      While configuring IPSec connections through nmstate for secure communication between hosts, it became evident that a key feature, certificate-based authentication using rightcert, is unsupported. This limitation is due to the lack of rightcert parameter support in the NetworkManager-libreswan plugin. Therefore, this ticket will track the implementation of this parameter. 

       

              Inigo Huguet (ihuguet@redhat.com)
              Stanislas Faye (rh-ee-sfaye)
              Network Management Team
              Vladimir Benes
              Jaroslav Klech