[one-users] Problem with Sunstone and x509 Auth
Georg
georg at intelli-point.at
Mon Nov 21 04:13:05 PST 2011
Thanks a lot!
That did the trick!
It works!
THANKS!
-----Ursprüngliche Nachricht-----
An:Georg <georg at intelli-point.at>;
CC:users at lists.opennebula.org;
Von:Héctor Sanjuán <hsanjuan at opennebula.org>
Gesendet:Mo 21.11.2011 13:04
Betreff:Re: AW: [one-users] Problem with Sunstone and x509 Auth
Ah, sorry, I just realized that basicly this is the one that you need:
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
Can you trying adding it as well?
Héctor Sanjuán
OpenNebula Developer
On 21/11/11 12:47, Georg wrote:
>
> First of all thank you!
>
>
>
> I'm afraid the error stays the same.
>
> The config now looks like this:
>
>
>
> <VirtualHost *:443>
> DocumentRoot /var/www
> SSLEngine On
> SSLCertificateFile /etc/apache2/sslzert.pem
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
> SSLOptions +StdEnvVars +ExportCertData
>
> ProxyRequests Off
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> # initialize the special headers to a blank value to avoid http header
> forgeries
> RequestHeader set SSL_CLIENT_S_DN ""
> RequestHeader set SSL_CLIENT_I_DN ""
> RequestHeader set SSL_SERVER_S_DN_OU ""
> RequestHeader set SSL_CLIENT_VERIFY ""
>
> # add all the SSL_* you need in the internal web application
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
>
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
>
>
> the certificate dn's are following:
>
>
>
> the oneadmin dn:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> e8:62:52:9a:61:bc:d2:a7
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master
> Validity
> Not Before: Nov 13 08:39:13 2011 GMT
> Not After : Nov 12 08:39:13 2012 GMT
> Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd,
> CN=oneadmin
>
>
>
>
> oneuser output:
>
> ID GROUP NAME
> PASSWORD
> 0 oneadmin oneadmin
> /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one
>
>
>
>
> and the full cn from the users table in the mysql backend
>
>
>
> <USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin</PASSWORD><ENABLED>1</ENABLED></USER>
>
>
>
>
>
>
>
> -----Ursprüngliche Nachricht-----
> *An:* Georg <georg at intelli-point.at>;
> *CC:* users at lists.opennebula.org;
> *Von:* Héctor Sanjuán <hsanjuan at opennebula.org>
> *Gesendet:* Mo 21.11.2011 12:35
> *Betreff:* Re: [one-users] Problem with Sunstone and x509 Auth
> Hello,
>
> It may be that ssl headers are not being forwarded. Try this to set the
> ssl headers on your virtual host file:
>
> ------------------------------------------------
> # initialize the special headers to a blank value to avoid http header
> forgeries
> RequestHeader set SSL_CLIENT_S_DN ""
> RequestHeader set SSL_CLIENT_I_DN ""
> RequestHeader set SSL_SERVER_S_DN_OU ""
> RequestHeader set SSL_CLIENT_VERIFY ""
>
> # add all the SSL_* you need in the internal web application
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s
>
> ---------------------------------------------------
>
> Right before the proxy pass directives:
>
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
>
>
> Hope it helps and let us know if it works,
>
> Héctor Sanjuán
> OpenNebula Developer
>
> On 21/11/11 12:15, Georg wrote:
> > Hey!
> >
> > I'm trying to get sunstone to work with x509 certificates but fail
> miserably
> >
> > My configuration looks as follows:
> >
> >
> >
> > Opennebula Version 3.0.0 compiled from source
> >
> >
> >
> > Opennebula with passwords works as a charm and also with x509 on
> the CLI
> >
> >
> >
> > What i'm trying to achieve is logging in from sunstone but i get a "
> >
> > OpenNebula is not running" message.
> >
> > I already searched the newslist a bit and found a more detailed
> error after
> >
> > using that fix
> > http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html
> >
> >
> >
> >
> >
> > The Error message is:
> >
> > Authentication failed. Username not found in certificate chain
> >
> >
> >
> >
> >
> >
> >
> > I already checked the config for mistakes but because it's working on
> > the CLI i don't think there's anything wrong with the certificates.
> >
> >
> >
> > The sunstone configuration looks as following:
> >
> >
> >
> > ======================================
> >
> > # OpenNebula sever contact information
> > :one_xmlrpc: http://localhost:2633/RPC2
> >
> > # Server Configuration
> > :host: 127.0.0.1
> > :port: 9869
> >
> > #:auth: basic
> > :auth: x509
> >
> > # VNC Configuration
> > :vnc_proxy_base_port: 29876
> > :novnc_path: /srv/cloud/one/share/noVNC
> >
> >
> >
> > ======================================
> >
> >
> >
> >
> >
> > For a secure web connection i use apache as proxy having following
> config
> >
> >
> >
> >
> >
> > ======================================
> >
> >
> >
> > <VirtualHost *:443>
> > DocumentRoot /var/www
> > SSLEngine On
> > SSLCertificateFile /etc/apache2/sslzert.pem
> > SSLVerifyClient require
> > SSLVerifyDepth 2
> > SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
> > SSLOptions +StdEnvVars +ExportCertData
> >
> >
> >
> >
> > ProxyRequests Off
> >
> > <Proxy *>
> > Order deny,allow
> > Allow from all
> > </Proxy>
> >
> > ProxyPass /admin/ http://localhost:9869/
> > ProxyPassReverse /admin/ http://localhost:9869/
> > </VirtualHost>
> >
> >
> >
> >
> >
> > My assumption is that there's something wrong with the apache/sunstone
> > configuration, but i'm stuck at the moment
> >
> >
> >
> > Any help would be aprecciated =)
> >
> >
> >
> > Have a nice Day!
> >
> > Georg
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opennebula.org
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111121/ff92af6b/attachment-0003.htm>
More information about the Users
mailing list