[one-users] Problem with Sunstone and x509 Auth

Georg georg at intelli-point.at
Mon Nov 21 04:13:05 PST 2011


Thanks a lot!

That did the trick!

It works!

THANKS!

-----Original Message-----
To: Georg <georg at intelli-point.at>;
CC: users at lists.opennebula.org;
From: Héctor Sanjuán <hsanjuan at opennebula.org>
Sent: Mon 21.11.2011 13:04
Subject: Re: AW: [one-users] Problem with Sunstone and x509 Auth
Ah, sorry, I just realized that basically this is the one that you need:

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

Can you try adding it as well?

Héctor Sanjuán
OpenNebula Developer

On 21/11/11 12:47, Georg wrote:
> 
> First of all thank you!
> 
> I'm afraid the error stays the same.
> 
> The config now looks like this:
> 
> <VirtualHost *:443>
>      DocumentRoot /var/www
>      SSLEngine On
>      SSLCertificateFile /etc/apache2/sslzert.pem
>      SSLVerifyClient require
>      SSLVerifyDepth 2
>      SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
>      SSLOptions +StdEnvVars +ExportCertData
> 
>      ProxyRequests Off
> 
>      <Proxy *>
>          Order deny,allow
>          Allow from all
>      </Proxy>
> 
>      # initialize the special headers to a blank value to avoid http header forgeries
>      RequestHeader set SSL_CLIENT_S_DN    ""
>      RequestHeader set SSL_CLIENT_I_DN    ""
>      RequestHeader set SSL_SERVER_S_DN_OU ""
>      RequestHeader set SSL_CLIENT_VERIFY  ""
> 
>      # add all the SSL_* you need in the internal web application
>      RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>      RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
>      RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
>      RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
> 
>      ProxyPass /admin/ http://localhost:9869/
>      ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
> 
> The certificate DNs are the following:
> 
> the oneadmin dn:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             e8:62:52:9a:61:bc:d2:a7
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master
>         Validity
>             Not Before: Nov 13 08:39:13 2011 GMT
>             Not After : Nov 12 08:39:13 2012 GMT
>         Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=oneadmin
> 
> oneuser output:
> 
>   ID GROUP    NAME     PASSWORD
>    0 oneadmin oneadmin /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one
> 
> and the full cn from the users table in the mysql backend:
> 
> <USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin</PASSWORD><ENABLED>1</ENABLED></USER>
> 
>     -----Original Message-----
>     *To:* Georg <georg at intelli-point.at>;
>     *CC:* users at lists.opennebula.org;
>     *From:* Héctor Sanjuán <hsanjuan at opennebula.org>
>     *Sent:* Mon 21.11.2011 12:35
>     *Subject:* Re: [one-users] Problem with Sunstone and x509 Auth
>     Hello,
> 
>     It may be that ssl headers are not being forwarded. Try this to set the
>     ssl headers on your virtual host file:
> 
>     ------------------------------------------------
>     # initialize the special headers to a blank value to avoid http header forgeries
>     RequestHeader set SSL_CLIENT_S_DN    ""
>     RequestHeader set SSL_CLIENT_I_DN    ""
>     RequestHeader set SSL_SERVER_S_DN_OU ""
>     RequestHeader set SSL_CLIENT_VERIFY  ""
> 
>     # add all the SSL_* you need in the internal web application
>     RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>     RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
>     RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
>     RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
> 
>     ---------------------------------------------------
> 
>     Right before the proxy pass directives:
> 
>     ProxyPass /admin/ http://localhost:9869/
>     ProxyPassReverse /admin/ http://localhost:9869/
> 
> 
>     Hope it helps and let us know if it works,
> 
>     Héctor Sanjuán
>     OpenNebula Developer
> 
>     On 21/11/11 12:15, Georg wrote:
>     > Hey!
>     >
>     > I'm trying to get sunstone to work with x509 certificates but fail
>     > miserably.
>     >
>     > My configuration looks as follows:
>     >
>     > Opennebula Version 3.0.0 compiled from source
>     >
>     > Opennebula with passwords works as a charm and also with x509 on
>     > the CLI.
>     >
>     > What I'm trying to achieve is logging in from sunstone, but I get an
>     > "OpenNebula is not running" message.
>     >
>     > I already searched the newslist a bit and found a more detailed
>     > error after using that fix:
>     > http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html
>     >
>     > The error message is:
>     >
>     >  Authentication failed. Username not found in certificate chain
>     >
>     > I already checked the config for mistakes, but because it's working on
>     > the CLI I don't think there's anything wrong with the certificates.
>     >
>     > The sunstone configuration looks as follows:
>     >
>     > ======================================
>     >
>     > # OpenNebula server contact information
>     > :one_xmlrpc: http://localhost:2633/RPC2
>     >
>     > # Server Configuration
>     > :host: 127.0.0.1
>     > :port: 9869
>     >
>     > #:auth: basic
>     > :auth: x509
>     >
>     > # VNC Configuration
>     > :vnc_proxy_base_port: 29876
>     > :novnc_path: /srv/cloud/one/share/noVNC
>     >
>     > ======================================
>     >
>     > For a secure web connection I use apache as proxy with the following
>     > config:
>     >
>     > ======================================
>     >
>     > <VirtualHost *:443>
>     >      DocumentRoot /var/www
>     >      SSLEngine On
>     >      SSLCertificateFile /etc/apache2/sslzert.pem
>     >      SSLVerifyClient require
>     >      SSLVerifyDepth 2
>     >      SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
>     >      SSLOptions +StdEnvVars +ExportCertData
>     >
>     >      ProxyRequests Off
>     >
>     >      <Proxy *>
>     >          Order deny,allow
>     >          Allow from all
>     >      </Proxy>
>     >
>     >      ProxyPass /admin/ http://localhost:9869/
>     >      ProxyPassReverse /admin/ http://localhost:9869/
>     > </VirtualHost>
>     >
>     > My assumption is that there's something wrong with the apache/sunstone
>     > configuration, but I'm stuck at the moment.
>     >
>     > Any help would be appreciated =)
>     >
>     > Have a nice day!
>     >
>     > Georg
>     >
>     >
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users at lists.opennebula.org
>     > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> 
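Added example (not OpenNebula's, Sunstone's or Apache's own code): a small Ruby model of the two things this thread turns on. `proxy_headers` does what the "initialize to blank, then set" pair of RequestHeader directives achieves, discarding any SSL_* header the client sent and filling them only from the TLS session, and `x509_user_matches?` takes the subject DN from the forwarded certificate and compares its space-stripped form with the DN kept in the user's PASSWORD field, as in the mysql row quoted above. The client certificate is constructed inline with Ruby's OpenSSL library, and the space-stripping rule is an assumption taken from the stored value `InternetWidgitsPtyLtd` in that row.

```ruby
require 'openssl'

# Constructed self-signed certificate carrying the subject DN from the thread
# (example only; a real client cert is issued by the CA in SSLCACertificateFile).
def make_client_cert(dn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(dn)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Proxy side: the effect of 'RequestHeader set SSL_* ""' followed by
# 'RequestHeader set SSL_* "%{SSL_*}s"'. SSL_* headers supplied by the client
# are dropped; only values taken from the TLS session reach the backend.
def proxy_headers(client_headers, tls_env)
  forwarded = client_headers.reject { |name, _| name.start_with?('SSL_') }
  %w[SSL_CLIENT_VERIFY SSL_CLIENT_S_DN SSL_CLIENT_CERT].each do |name|
    forwarded[name] = tls_env.fetch(name, '')   # blank when mod_ssl set nothing
  end
  forwarded
end

# Backend side: accept only a verified client cert, read the subject DN from
# SSL_CLIENT_CERT and compare it, spaces removed (assumed from the stored row),
# with the DN held in the user's PASSWORD field.
def x509_user_matches?(headers, stored_dn)
  return false unless headers['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  pem = headers['SSL_CLIENT_CERT'].to_s
  return false if pem.empty?
  cert = OpenSSL::X509::Certificate.new(pem)
  cert.subject.to_s.delete(' ') == stored_dn
end
```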