Notes for the Configuration of UABgrid On-line CA 1.0

This is the version of UABgrid CA based on PHPki; as such, most of the user-interface configuration concerns the configuration of Apache. There is an off-line component to this CA that is not part of PHPki and that is currently used to assign host certificates manually.

Apache config notes

Using SSLCACertificatePath instead of SSLCACertificateFile implies that the certificate chain is built at runtime, i.e. after httpd has dropped root privileges. This means the directory that contains the hashed CA certificates (the <hash>.N symlinks produced by c_rehash) needs to be searchable by unprivileged processes. The default on Red Hat boxes assumes that a single bundle file holds all the trusted CAs, and that file is read at process startup before root privileges are dropped. It's easy enough to accommodate this change with the following permission (search permission on the directory is all the worker needs; it does not have to be able to list it):

 chmod 711 /etc/httpd/conf/ssl.crt
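As an added example (not part of these notes, PHPki or Pubcookie), here is a small POSIX shell script that checks the requirement just described, namely that every directory from / down to the hashed CA directory is searchable by an unprivileged httpd worker, and that rebuilds the hashed symlinks the way c_rehash does. The paths are the ones from these notes; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): check that an httpd worker
# running as an unprivileged user can reach the hashed CA directory that
# SSLCACertificatePath points at, and (re)build the <hash>.N symlinks in it.
# Paths are the ones used in these notes; nothing here is PHPki or Pubcookie code.

# The "other" execute (search) bit of a directory, printed as x, t or -.
# ls -ld is POSIX; stat's format flags differ between GNU and BSD.
other_exec_bit() {
    ls -ld "$1" | cut -c10
}

# Succeed only if every directory from / down to $1 is searchable by "other".
# That is the property the unprivileged httpd worker needs at request time;
# read permission on the directory itself is not required, hence chmod 711.
path_searchable_by_others() {
    case "$1" in
        /*) ;;
        *) echo "path_searchable_by_others: need an absolute path" >&2; return 2 ;;
    esac
    dir=$1
    while [ "$dir" != "/" ]; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            return 1
        fi
        case "$(other_exec_bit "$dir")" in
            x|t) ;;
            *) echo "not searchable by others: $dir" >&2; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Populate the hashed directory the way c_rehash does: one <subject-hash>.N
# symlink per certificate, which is what mod_ssl looks up when it has to find
# an issuer at runtime. Requires the openssl CLI. Every .crt/.pem in the
# directory gets a link, so keep the server certificate elsewhere if you want
# only CA certificates hashed. Re-running it does not create duplicate links.
rehash_ca_dir() {
    dir=$1
    for crt in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$crt" ] || continue
        h=$(openssl x509 -noout -hash -in "$crt") || return 1
        linked=0
        for l in "$dir/$h".*; do
            [ -L "$l" ] && [ "$(readlink "$l")" = "$(basename "$crt")" ] && linked=1
        done
        [ "$linked" -eq 1 ] && continue
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$crt")" "$dir/$h.$n"
    done
}

# Usage on the host described in the notes:
#   chmod 711 /etc/httpd/conf/ssl.crt
#   rehash_ca_dir /etc/httpd/conf/ssl.crt
#   path_searchable_by_others /etc/httpd/conf/ssl.crt && echo "ok for the httpd worker"
```

The check walks parent directories as well, because a 711 ssl.crt does not help if /etc/httpd/conf itself is 700; and it accepts the sticky-bit form (t) that ls shows on directories such as /tmp.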

Pubcookie Module

This version of UABgrid CA uses domain-based authentication (single-source authn) and as such only supports certificate assignment to members of UAB. The WebISO solution currently used is Pubcookie.

To build Pubcookie just follow the default configure; make; make install steps; that is sufficient for our needs. The Pubcookie config file (the one keyclient reads) is very simple and can be defined as follows. Substitute the correct cert and key as appropriate.

# ssl config
ssl_key_file: /etc/httpd/conf/ssl.key/server.key
ssl_cert_file: /etc/httpd/conf/ssl.crt/server.crt

# keyclient-specific config
keymgt_uri: https://weblogin.ac.uab.edu:2222
ssl_ca_path: /etc/httpd/conf/ssl.crt

The configuration proceeds as described in the Pubcookie client docs. The keyclient command readily negotiates a key with the keyserver based on the UABgrid CA trust fabric (as long as the Pubcookie client presents a cert issued by the UABgrid CA, the weblogin server trusts it automatically). Rather than copying the key from the archive we create a new one, due to the server compromise.

The weblogin.lab.ac.uab.edu granting cert needs to be installed manually. Simply putting the host's cert in /usr/local/pubcookie/keys/pubcookie_granting.cert is sufficient and accomplishes what the download command would.

Add a LoadModule config as directed for Apache 2.0 in /etc/httpd/conf.d/pubcookie.conf:

LoadModule pubcookie_module   modules/mod_pubcookie.so

PubcookieLogin https://weblogin.ac.uab.edu/
PubcookieLoginMethod POST
PubcookieDomain .uab.edu
PubcookieEncryption DES
PubCookieAuthTypeNames BlazerID

PubcookieSessionKeyFile /etc/httpd/conf/ssl.key/server.key
PubcookieSessionCertFile /etc/httpd/conf/ssl.crt/server.crt
PubcookieKeyDir /usr/local/pubcookie/keys/

The Pubcookie* settings above need to be in a global location so that they are defined in every VirtualHost container. If you just put them into one (or not all) VirtualHost sections you'll get an error like:

[emerg] PubCookieAuthTypeNames configuration directive must be set! Configuration Failed

and Apache won't start. This is easy enough to do by including a default set in pubcookie.conf, which is loaded across all vhosts, and then overriding, or ignoring, the config in individual VirtualHost sections.
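As an added example (not part of these notes or of Pubcookie), here is a small shell/awk check for the mistake just described: it reports which of the Pubcookie directives from the pubcookie.conf above are not defined at global scope in a given file, i.e. appear only inside a VirtualHost container or not at all. The directive list is taken from these notes; the function name is my own, and httpd -t (apachectl configtest) remains the authoritative test since this looks at a single file rather than everything httpd.conf includes.

```shell
#!/bin/sh
# Added example (not part of the original notes): report which of the Pubcookie
# directives from pubcookie.conf are NOT defined at global scope in a config
# file, i.e. appear only inside <VirtualHost> containers or not at all. That is
# the state that makes httpd refuse to start with
# "PubCookieAuthTypeNames configuration directive must be set!".
# httpd -t is the authoritative check; this only inspects one file.

# Directive names taken from the pubcookie.conf shown in these notes.
PUBCOOKIE_GLOBAL_DIRECTIVES="PubcookieLogin PubcookieLoginMethod PubcookieDomain \
PubcookieEncryption PubcookieAuthTypeNames PubcookieSessionKeyFile \
PubcookieSessionCertFile PubcookieKeyDir"

# Print the required directives missing at global scope, one per line, in the
# order listed above. Returns 0 if none are missing, 1 otherwise. Directive
# names are matched case-insensitively, as Apache itself does, so the
# PubCookieAuthTypeNames spelling in the notes counts.
pubcookie_missing_global() {
    out=$(awk -v want="$PUBCOOKIE_GLOBAL_DIRECTIVES" '
        BEGIN { n = split(want, req, /[ \t]+/); depth = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            low = tolower(line)
            if (low ~ /^<virtualhost/)   { depth++; next }
            if (low ~ /^<\/virtualhost/) { depth--; next }
            # Only directives outside every <VirtualHost> apply to all vhosts.
            if (depth == 0) { split(low, f, /[ \t]+/); seen[f[1]] = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (req[i] != "" && !(tolower(req[i]) in seen)) print req[i]
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage:
#   pubcookie_missing_global /etc/httpd/conf.d/pubcookie.conf \
#       && echo "all Pubcookie directives are global"
```

A directive that appears only inside a VirtualHost is still reported, which is the point: it configures that one vhost and leaves the others without a value, and mod_pubcookie then refuses the whole configuration.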

The POST method with DES has been tested and is working. Note that DES uses a 56-bit key and is no longer considered adequate; Pubcookie also supports AES (PubcookieEncryption AES), which should be preferred where the weblogin server supports it.