[one-users] Problem with Sunstone and x509 Auth

Héctor Sanjuán hsanjuan at opennebula.org
Mon Nov 21 03:35:02 PST 2011


Hello,

It may be that ssl headers are not being forwarded. Try this to set the
ssl headers on your virtual host file:

------------------------------------------------
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN    ""
RequestHeader set SSL_CLIENT_I_DN    ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY  ""

# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

---------------------------------------------------

Right before the proxy pass directives:

ProxyPass /admin/ http://localhost:9869/
ProxyPassReverse /admin/ http://localhost:9869/


Hope it helps and let us know if it works,

Héctor Sanjuán
OpenNebula Developer

On 21/11/11 12:15, Georg wrote:
> Hey!
> 
> I'm trying to get sunstone to work with x509 certificates but fail miserably
> 
> My configuration looks as follows:
> 
> Opennebula Version  3.0.0 compiled from source
> 
> Opennebula with passwords works as a charm and also with x509 on the CLI
> 
> What I'm trying to achieve is logging in from sunstone but I get a
> "OpenNebula is not running" message.
> 
> I already searched the newslist a bit and found a more detailed error after
> using that fix
> http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html
> 
> The Error message is:
> 
>  Authentication failed. Username not found in certificate chain
> 
> I already checked the config for mistakes but because it's working on
> the CLI I don't think there's anything wrong with the certificates.
> 
> The sunstone configuration looks as following:
> 
> ======================================
> 
> # OpenNebula server contact information
> :one_xmlrpc: http://localhost:2633/RPC2
> 
> # Server Configuration
> :host: 127.0.0.1
> :port: 9869
> 
> #:auth: basic
> :auth: x509
> 
> # VNC Configuration
> :vnc_proxy_base_port: 29876
> :novnc_path: /srv/cloud/one/share/noVNC
> 
> ======================================
> 
> For a secure web connection I use apache as proxy having following config
> 
> ======================================
> 
> <VirtualHost *:443>
>      DocumentRoot /var/www
>      SSLEngine On
>      SSLCertificateFile /etc/apache2/sslzert.pem
>      SSLVerifyClient require
>      SSLVerifyDepth 2
>      SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
>      SSLOptions +StdEnvVars +ExportCertData
> 
>      ProxyRequests Off
> 
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
> 
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
> 
> My assumption is that there's something wrong with the apache/sunstone
> configuration, but I'm stuck at the moment
> 
> Any help would be appreciated =)
> 
> Have a nice Day!
> 
> Georg
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
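
An added example, not part of the original thread and not Sunstone's own code: how a Ruby/Rack backend behind the ProxyPass above could consume the forwarded SSL_* headers while refusing values that did not come through the proxy. The names `forwarded_client_dn` and `TRUSTED_PROXIES` and the sample DN are assumptions made for illustration.

```ruby
require 'ipaddr'

# Assumption: only the Apache proxy on the same host can reach the backend,
# matching ":host: 127.0.0.1" in the quoted Sunstone configuration.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

# Rack exposes the request header SSL_CLIENT_S_DN as HTTP_SSL_CLIENT_S_DN
# (and SSL_CLIENT_VERIFY as HTTP_SSL_CLIENT_VERIFY).
# Returns the verified subject DN, or nil when the headers cannot be trusted.
def forwarded_client_dn(env)
  addr = env['REMOTE_ADDR'].to_s
  return nil if addr.empty?

  peer = IPAddr.new(addr)
  # Headers from any peer other than the proxy are client-controlled.
  return nil unless TRUSTED_PROXIES.any? { |net| net.include?(peer) }

  # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
  return nil unless env['HTTP_SSL_CLIENT_VERIFY'] == 'SUCCESS'

  dn = env['HTTP_SSL_CLIENT_S_DN'].to_s.strip
  # mod_headers writes the literal "(null)" when the SSL variable is unset.
  return nil if dn.empty? || dn == '(null)'

  dn
rescue IPAddr::Error
  nil # unparsable peer address: treat as untrusted
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environments, not captured from a real deployment.
  via_proxy = {
    'REMOTE_ADDR' => '127.0.0.1',
    'HTTP_SSL_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_SSL_CLIENT_S_DN' => '/C=XX/O=Example/CN=georg'
  }
  direct = via_proxy.merge('REMOTE_ADDR' => '203.0.113.7')
  puts "via proxy: #{forwarded_client_dn(via_proxy).inspect}"
  puts "direct:    #{forwarded_client_dn(direct).inspect}"
end
```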


