CoSign

From Cliss XXI
Revision as of 16 May 2007 at 12:04 by 193.251.53.202 (talk) (initial import)

HOWTO: I found it difficult to install CoSign 2.0.2a because the documentation contains inaccuracies, and because it can be hard to debug configuration errors. Here's a working test configuration:

CoSign is composed of 3 main parts:

  • filter: mod_cosign, the Apache module that checks the user's CoSign cookie on every request to a protected location
  • cgi: cosign.cgi and logout.cgi, which handle the initial login and the full logout
  • cosignd: the daemon that keeps the authentication sessions; it is contacted over TLS (port 6663 by default) by the filter and the cgi, which may run on other hosts

Compilation and Installation

I'm using Apache2 here.

./configure --enable-apache2=/usr/bin/apxs2 \
  --prefix=/var/lib/cosign \
  --sbindir=/usr/local/sbin \
  --mandir=/usr/local/share/man \
  --with-filterdb=/var/lib/cosign/filter \
  --with-cosigndb=/var/lib/cosign/daemon \
  --with-cosignconf=/etc/cosign.conf \
  --with-cosigncadir=/etc/cosign/certs/CA \
  --with-cosigncert=/etc/cosign/certs/cert.pem \
  --with-cosignkey=/etc/cosign/certs/key.pem

Note that these flags compile in /etc/cosign/certs as the certificate location and /usr/local/sbin as the home of cosignd, whereas several settings further down (CosignCrypto, set cosigncadir/cosigncert/cosignkey, the cosignd command line) still use the stock /usr/local/cosign prefix. Each of those settings is given explicitly, so the compiled-in defaults only matter when you leave one out; whichever prefix you pick, the paths in the Apache and cosign.conf settings must point at files that exist and are readable by the process that uses them.

TODO: use /usr/lib and /usr/share appropriately, also allowing using the standard --prefix=/usr/local. Use FHS-compliant /usr/lib/cosign/cgi-ssl

make everything \
&& sudo make install-all \
&& sudo invoke-rc.d apache2 stop && sleep 1 && sudo invoke-rc.d apache2 start
# mod_cosign dir (written by the Apache worker processes, hence www-data)
sudo mkdir -p /var/lib/cosign/filter
sudo chown www-data: /var/lib/cosign/filter
# cosignd dir, owned by a dedicated system account that cannot log in
sudo mkdir -p /var/lib/cosign/daemon
sudo useradd --system --shell /usr/sbin/nologin cosign
sudo chown cosign /var/lib/cosign/daemon

Apache2 configuration

/etc/apache2/sites-available/default:

# Automatically added in /etc/apache2/httpd.conf by 'make install-all'
LoadModule cosign_module /usr/lib/apache2/modules/mod_cosign.so

NameVirtualHost *:80
NameVirtualHost *:443
# TLS VirtualHost because CoSign requires the login to happen over https
<VirtualHost *:443>
  SSLEngine		On
  SSLCertificateFile	/etc/apache2/ssl/cert.pem
  SSLCertificateKeyFile	/etc/apache2/ssl/key.pem

  Alias /cosign/ "/var/lib/cosign/html/"
  ScriptAlias /cosign-bin/ "/var/lib/cosign/cgi-ssl/"

  Include sites-available/common.inc
</VirtualHost>
<VirtualHost *:80>
  Include sites-available/common.inc
</VirtualHost>

/etc/apache2/sites-available/common.inc:

CosignProtected         Off
CosignHostname          localhost
# Don't redirect to https if we come from http
CosignHttpOnly          On
CosignRedirect          https://localhost/cosign-bin/cosign.cgi
CosignPostErrorRedirect https://localhost/cosign/post_error.html
CosignService           simpleservice
# Key, certificate and CA directory mod_cosign uses to talk to cosignd. The
# filter connects from the Apache worker processes, so www-data must be able to
# read the key, and the CA directory must be hashed (c_rehash), see
# "Certificates generation" below.
CosignCrypto /usr/local/cosign/certs/mod_cosign.key /usr/local/cosign/certs/mod_cosign.crt /usr/local/cosign/certs/CA
Alias /cosign/ "/var/lib/cosign/html/"
ScriptAlias /cosign-bin/ "/var/lib/cosign/cgi-ssl/"
Alias /services/ "/usr/local/cosign/services/"
<Directory "/usr/local/cosign/services">
  CosignProtected On
</Directory>

CoSign configuration

Pitfalls:

  • In cosign.conf the cgi directive takes exactly one argument (the host name); only service takes more.
  • set cosignhost is read by the cgi, not by cosignd: it names the host where cosignd runs and has nothing to do with replication.
  • TODO: fix documentation

/etc/cosign.conf:

cgi localhost

set cosignhost localhost
set cosigncadir /usr/local/cosign/certs/CA/
set cosigncert /usr/local/cosign/certs/cgi.crt
set cosignkey /usr/local/cosign/certs/cgi.key

cookie cosign-simpleservice reauth FACTOR-LDAP
# The arguments after the script path are the names of the <FORM> fields from the login template
factor /usr/local/cosign/factor/ldap login password

Certificates generation

We'll generate our own Certificate Authority.

TODO: during tests it's frequent to remove and rebuild everything, and typing the CA passphrase each time is really inconvenient (-passin didn't work for 'ca' here). For a throwaway test CA the root key is therefore generated without a passphrase (-nodes) and 'openssl ca' is run with -batch so that nothing prompts; never do that for a CA whose certificates anything real trusts.

# Base layout expected by 'openssl ca' (the demoCA/ defaults of openssl.cnf)
umask 0027
mkdir -p -m 755 /etc/cosign/certs
cd /etc/cosign/certs
mkdir -m 700 demoCA
pushd demoCA
mkdir -m 755 newcerts
mkdir -m 700 private
echo "01" > serial
touch index.txt
popd

# Root CA (test CA: unencrypted key, see the TODO above)
# subject fields modelled on an existing certificate, e.g. `openssl x509 -noout -text -in some.crt`
openssl req -new -nodes -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO/CN=Root CA" -x509 -days 365 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
chmod a+r demoCA/cacert.pem

# Certificate request and private key, one pair per component, all signed by the CA
# cosignd
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO cosignd/CN=localhost" -nodes -keyout "cosignd.key" -out "cosignd.csr"
# Sign certificate (-batch: no interactive confirmation)
openssl ca -batch -in "cosignd.csr" -out "cosignd.crt"

# CGI
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO cgi/CN=localhost" -nodes -keyout "cgi.key" -out "cgi.csr"
# Sign certificate
openssl ca -batch -in "cgi.csr" -out "cgi.crt"
# cosign.cgi runs as the Apache user and must read its key (files are 0640 because of the umask)
chgrp www-data cgi.key cgi.crt

# mod_cosign
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO mod_cosign/CN=localhost" -nodes -keyout "mod_cosign.key" -out "mod_cosign.csr"
# Sign certificate
openssl ca -batch -in "mod_cosign.csr" -out "mod_cosign.crt"
# same reason: the filter opens its connection to cosignd from the Apache worker processes
chgrp www-data mod_cosign.key mod_cosign.crt

# Allowed certs path: hashed directory holding the CA certificate
mkdir -m 755 CA
ln demoCA/cacert.pem CA/
c_rehash CA/

# Test - http://www.umich.edu/~umweb/software/cosign/faq.html
# every line must read "<file>: OK"; old OpenSSL versions exit 0 even when verification fails
openssl verify -CApath CA -purpose any *.crt
# this one needs cosignd already listening on 6663 (see the next section)
openssl s_client -connect localhost:6663 -cert cgi.crt -key cgi.key -CApath CA/ -showcerts -state -debug -crlf -starttls smtp < /dev/null
# AND CHECK THAT YOU INDEED GET "Verify return code: 0 (ok)"
# (s_client won't stop on error unless you also pass -verify_return_error!!!)
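The whole procedure above as one unattended script, with the two checks of the test step turned into functions that fail loudly instead of relying on you reading the output. This is an added example, not code from the page or from the CoSign distribution. It assumes only openssl(1) in PATH; it writes under the directory you pass instead of /etc/cosign/certs, carries its own minimal openssl configuration so it depends neither on the system openssl.cnf nor on the demoCA defaults, and the subject fields are placeholders. It does not need a running cosignd: sclient_verified only filters the output of the s_client command from the test step.

```shell
#!/bin/sh
# Added example, not from the original page or from CoSign itself.
# Builds a throwaway CoSign test PKI without any prompt, then checks it the
# way the page's test step does, with exit codes instead of eyeballing.
# Assumes: openssl(1) in PATH. Names follow the page (demoCA/, CA/, cosignd,
# cgi, mod_cosign); the certificate subjects are placeholders.
set -u

# make_test_pki DIR: root CA under DIR/demoCA, one key+cert per component in
# DIR, hashed CA directory in DIR/CA. Returns non-zero on the first failure.
make_test_pki() {
    dir=$1
    ca="$dir/demoCA"
    mkdir -p "$ca/newcerts" "$ca/private" "$dir/CA" || return 1
    chmod 700 "$ca" "$ca/private"
    echo 01 > "$ca/serial"
    : > "$ca/index.txt"
    # Self-contained config: 'openssl ca' needs the CA section, 'openssl req'
    # only needs an (empty) DN section and the CA extensions when -subj is used.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca             = test_ca
[ test_ca ]
new_certs_dir          = $ca/newcerts
database               = $ca/index.txt
serial                 = $ca/serial
certificate            = $ca/cacert.pem
private_key            = $ca/private/cakey.pem
default_md             = sha256
default_days           = 365
policy                 = policy_any
unique_subject         = no
x509_extensions        = leaf_cert
[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ leaf_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
[ req ]
distinguished_name     = req_dn
x509_extensions        = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
    # Root CA. -nodes: unencrypted CA key, acceptable only for a test CA that
    # is thrown away and rebuilt all the time (the page's situation).
    openssl req -config "$dir/ca.cnf" -new -x509 -nodes -newkey rsa:2048 \
        -sha256 -days 365 -subj "/C=FR/O=Cliss XXI/OU=SSO/CN=Root CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null || return 1
    # One key/CSR per component, signed with -batch (no "Sign? [y/n]" prompt).
    for name in cosignd cgi mod_cosign; do
        openssl req -config "$dir/ca.cnf" -new -nodes -newkey rsa:2048 -sha256 \
            -subj "/C=FR/O=Cliss XXI/OU=SSO $name/CN=localhost" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl ca -config "$dir/ca.cnf" -batch -notext \
            -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null || return 1
    done
    # Hashed CA directory for -CApath, cosignd -x, CosignCrypto and cosigncadir.
    cp "$ca/cacert.pem" "$dir/CA/" || return 1
    openssl rehash "$dir/CA" 2>/dev/null || c_rehash "$dir/CA" >/dev/null 2>&1
}

# verify_certs DIR: succeed only if every DIR/*.crt chains to DIR/CA.
# The output is checked, not just the exit code: old openssl versions exit 0
# on a failed verification, the same silent-pass trap the page warns about.
verify_certs() {
    dir=$1
    for crt in "$dir"/*.crt; do
        openssl verify -CApath "$dir/CA" -purpose any "$crt" 2>&1 \
            | grep -q ': OK$' || return 1
    done
}

# sclient_verified: filter for the s_client output of the page's last test;
# s_client keeps going and exits 0 on a bad chain, so grep the verdict.
# Usage: openssl s_client -connect localhost:6663 -starttls smtp -crlf \
#          -cert cgi.crt -key cgi.key -CApath CA </dev/null 2>&1 | sclient_verified
sclient_verified() {
    grep -q 'Verify return code: 0 (ok)'
}
```

To use it on the test box, run `umask 0027; make_test_pki /etc/cosign/certs` as root, then `chgrp www-data` the cgi and mod_cosign key pairs exactly as in the listing above; the script sets no umask of its own, so the key files come out with whatever umask you started it under.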

cosignd server start

TODO: use/adapt scripts/startup/cosignd

# Launch the server with its own key pair (distinct from the cgi and mod_cosign ones):
# -y certificate, -z key, -x hashed CA directory. With the --sbindir given to configure the
# binary is /usr/local/sbin/cosignd. cosignd.key was created as root with umask 0027, so
# either run this as root or chown the key to the cosign user first.
/usr/local/cosign/sbin/cosignd -y cosignd.crt -z cosignd.key -x /usr/local/cosign/certs/CA/

Test

Now hit https://localhost/cosign-bin/cosign.cgi

Beyond

Check what monsterd is :)