[one-users] Problem with Sunstone and x509 Auth
Georg
georg at intelli-point.at
Mon Nov 21 03:47:41 PST 2011
First of all thank you!
I'm afraid the error stays the same.
The config now looks like this:
<VirtualHost *:443>
DocumentRoot /var/www
SSLEngine On
SSLCertificateFile /etc/apache2/sslzert.pem
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
SSLOptions +StdEnvVars +ExportCertData
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""
# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
ProxyPass /admin/ http://localhost:9869/
ProxyPassReverse /admin/ http://localhost:9869/
</VirtualHost>
The certificate DNs are as follows.
The oneadmin DN:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e8:62:52:9a:61:bc:d2:a7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master
Validity
Not Before: Nov 13 08:39:13 2011 GMT
Not After : Nov 12 08:39:13 2012 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=oneadmin
oneuser output:
ID GROUP NAME PASSWORD
0 oneadmin oneadmin /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one
and the full CN from the users table in the MySQL backend:
<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin</PASSWORD><ENABLED>1</ENABLED></USER>
-----Original Message-----
To: Georg <georg at intelli-point.at>;
CC: users at lists.opennebula.org;
From: Héctor Sanjuán <hsanjuan at opennebula.org>
Sent: Mon 21.11.2011 12:35
Subject: Re: [one-users] Problem with Sunstone and x509 Auth
Hello,
It may be that ssl headers are not being forwarded. Try this to set the
ssl headers on your virtual host file:
------------------------------------------------
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""
# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
---------------------------------------------------
Right before the proxy pass directives:
ProxyPass /admin/ http://localhost:9869/
ProxyPassReverse /admin/ http://localhost:9869/
Hope it helps and let us know if it works,
Héctor Sanjuán
OpenNebula Developer
On 21/11/11 12:15, Georg wrote:
> Hey!
>
> I'm trying to get Sunstone to work with x509 certificates but fail miserably.
>
> My configuration looks as follows:
>
> OpenNebula version 3.0.0 compiled from source.
>
> OpenNebula with passwords works like a charm, and also with x509 on the CLI.
>
> What I'm trying to achieve is logging in from Sunstone, but I get an
> "OpenNebula is not running" message.
>
> I already searched the newslist a bit and found a more detailed error after
> using that fix:
> http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html
>
> The error message is:
>
> Authentication failed. Username not found in certificate chain
>
> I already checked the config for mistakes, but because it's working on
> the CLI I don't think there's anything wrong with the certificates.
>
> The Sunstone configuration looks as follows:
>
> ======================================
>
> # OpenNebula server contact information
> :one_xmlrpc: http://localhost:2633/RPC2
>
> # Server Configuration
> :host: 127.0.0.1
> :port: 9869
>
> #:auth: basic
> :auth: x509
>
> # VNC Configuration
> :vnc_proxy_base_port: 29876
> :novnc_path: /srv/cloud/one/share/noVNC
>
> ======================================
>
> For a secure web connection I use Apache as a proxy with the following config:
>
> ======================================
>
> <VirtualHost *:443>
> DocumentRoot /var/www
> SSLEngine On
> SSLCertificateFile /etc/apache2/sslzert.pem
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
> SSLOptions +StdEnvVars +ExportCertData
>
> ProxyRequests Off
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
>
> My assumption is that there's something wrong with the Apache/Sunstone
> configuration, but I'm stuck at the moment.
>
> Any help would be appreciated =)
>
> Have a nice day!
>
> Georg
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
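Added example (not code from the thread or from OpenNebula): a Python model of why Héctor's snippet first blanks the SSL_* headers and only then copies them from mod_ssl, plus the DN lookup the proxied application has to do on the other side. Header and DN values are constructed from the thread; stripping whitespace before comparing DNs is an assumption based on the stored form shown in the oneuser output.

```python
SSL_HEADERS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN",
               "SSL_SERVER_S_DN_OU", "SSL_CLIENT_VERIFY")


def build_upstream_headers(client_headers, ssl_env):
    """Headers the proxy forwards to Sunstone, mirroring the RequestHeader
    directives. client_headers is untrusted browser input; ssl_env holds the
    mod_ssl variables (a missing one expands to "" like %{VAR}s in Apache)."""
    upstream = dict(client_headers)
    for name in SSL_HEADERS:      # RequestHeader set X ""  -> forgery discarded
        upstream[name] = ""
    for name in SSL_HEADERS:      # RequestHeader set X "%{X}s" -> proxy's TLS data
        upstream[name] = ssl_env.get(name, "")
    return upstream


def normalize_dn(dn):
    # Assumption: compare with whitespace stripped, the stored form seen in the
    # thread (O=InternetWidgitsPtyLtd vs the certificate's O=Internet Widgits Pty Ltd)
    return "".join(dn.split())


def lookup_user(headers, users):
    """Username whose stored DN (oneuser PASSWORD column) matches the forwarded
    client DN, or None when the proxy did not verify a client certificate."""
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = normalize_dn(headers.get("SSL_CLIENT_S_DN", ""))
    if not dn:
        return None
    for name, stored in users.items():
        if normalize_dn(stored) == dn:
            return name
    return None


# Constructed sample data (not from the thread's real deployment)
ADMIN_DN = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=oneadmin"
USERS = {"oneadmin": "/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin"}
# a browser without a client certificate that sends the admin DN as a header
FORGED = {"SSL_CLIENT_S_DN": ADMIN_DN, "SSL_CLIENT_VERIFY": "SUCCESS"}
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE"}
# a connection where mod_ssl actually verified the oneadmin certificate
GOOD_ENV = {"SSL_CLIENT_S_DN": ADMIN_DN, "SSL_CLIENT_VERIFY": "SUCCESS"}

if __name__ == "__main__":
    print(lookup_user(build_upstream_headers(FORGED, NO_CERT_ENV), USERS))  # None
    print(lookup_user(build_upstream_headers(FORGED, GOOD_ENV), USERS))     # oneadmin
```

Without the blanking step a client-supplied SSL_CLIENT_S_DN would reach Sunstone unchanged, which is exactly the forgery the comment in the Apache snippet refers to.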