[one-users] Sunstone and x509 Authentication

Daniel Molina dmolina at opennebula.org
Fri Dec 16 04:23:11 PST 2011


Dear Farooq,

I think the problem is the driver assigned to serveradmin (x509); you
must change it to server_x509 [1]. Otherwise it will not use the
certificates specified in server_x509_auth.conf. The x509 driver should be
used by regular users and not by the "server" user.

So there are two users in this scenario:
1. The user that is trying to authenticate using Sunstone. This user
should have the driver x509 and his DN as password.
2. The user used by the Sunstone server (serveradmin) to interact with
OpenNebula. This user should have the driver server_x509 and his
server certificate DN as password.

Also, you should check that the (unix) user running oned and
sunstone-server has permission to read the certificates specified in
server_x509_auth.conf.

BTW it would be nice to use the same thread for issues related to the
x509 configuration instead of opening new ones, so other users can
benefit from it.

Kind Regards

[1] http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html

------->8-------------------------
If you want to configure x509 authentication in sunstone these are the
main steps (beside the apache configuration):

Option A:
--------------
* Sunstone configuration
 - auth: x509
 - core_auth: cipher

The server will authenticate on behalf of another user using the
"serveradmin" user and symmetric encryption to generate the token that
contains the client username.

* Configuration: This is the default behavior and no configuration is needed.
- $VAR_LOCATION/.one/sunstone_auth should contain the credentials of
the serveradmin user that will be used to encrypt the token
- oneuser list should show a serveradmin user with server_cipher auth
driver defined.

Option B:
--------------
* Sunstone configuration
 - auth: x509
 - core_auth: x509

The server will authenticate on behalf of another user using the
"serveradmin" user and server certificates to generate the token that
contains the client username.

* Configuration:
http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
- change serveradmin driver to server_x509 instead of server_cipher
- edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
user and the server certificates to encrypt the token


In both cases the browser will interact with Apache and will
authenticate the user. The sunstone server will send this information
to OpenNebula using one of the previous options.
------------------8<-------------------


On 16 December 2011 00:13, Faarooq Lowe <lowe at fnal.gov> wrote:
> We are still having problems getting sunstone to work with x509
> authentication.
>
> Could someone please advise?
>
> Here is what we have
>
> sunstone-server.conf
>
> # Server Configuration
> :host: 127.0.0.1
> :port: 9869
>
> # Authentication driver for incoming requests
> #   sunstone, for OpenNebula's user-password scheme
> #   x509, for x509 certificates based authentication
> #:auth: sunstone
> :auth: x509
>
> # Authentication driver to communicate with OpenNebula core
> #   cipher, for symmetric cipher encryption of tokens
> #   x509, for x509 certificate encryption of tokens
> #:core_auth: server_cipher
> :core_auth: x509
>
> # Life-time in seconds for token renewal (that used to handle OpenNebula auths)
> :token_expiration_delta: 1800
>
> server_x509_auth.conf
>
> # User to be used for x509 server authentication
>
> :srv_user: serveradmin
>
> # Path to the certificate used by the OpenNebula Services
> # Certificates must be in PEM format
>
> :one_cert: "/etc/grid-security/hostcert.pem"
> :one_key: "/etc/grid-security/hostkey.pem"
>
> serveradmin information
>
> -bash-3.2$ oneuser show 1
> USER 1 INFORMATION
> ID             : 1
> NAME           : serveradmin
> GROUP          : 0
> PASSWORD       : <DN with no spaces>
> AUTH_DRIVER    : x509
> ENABLED        : Yes
>
> USER TEMPLATE
>
> Logs
>
> oned.log
>
> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key'
> for nil:NilClass
>
> sunstone.log
>
> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384 0.0037
> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61 0.0802
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
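The two conditions in the reply above (serveradmin must use the server_x509 driver with its certificate DN, spaces removed, as password; the unix user running oned and sunstone-server must be able to read the files named in server_x509_auth.conf) can be checked mechanically before restarting anything. The script below is an added example written for this page, not OpenNebula code. It assumes the "DN with spaces removed" password convention and the YAML layout of server_x509_auth.conf exactly as quoted in the thread; the `oneuser show` text, the conf text and the self-signed certificate it uses are all constructed inline so it runs offline. On a real install you would feed it the live `oneuser show serveradmin` output and /etc/one/auth/server_x509_auth.conf and pass the uid/gids of the oneadmin user.

```ruby
#!/usr/bin/env ruby
# Added example, not OpenNebula code: checks the "Option B" setup from the
# thread. All inputs below are constructed so the script runs offline.
require 'openssl'
require 'yaml'
require 'tempfile'

SERVER_DRIVER = 'server_x509'.freeze       # driver the server user must have
DN = '/O=Example Lab/CN=one.example.org'   # constructed cert subject (note the space)

# Constructed stand-in for the quoted `oneuser show 1` output: driver x509,
# password = the DN with spaces removed.
USER_SHOW_BROKEN = <<~TXT
  USER 1 INFORMATION
  ID             : 1
  NAME           : serveradmin
  GROUP          : 0
  PASSWORD       : /O=ExampleLab/CN=one.example.org
  AUTH_DRIVER    : x509
  ENABLED        : Yes
TXT

# Turn the "KEY : value" lines of `oneuser show` into a hash.
def parse_user_show(text)
  text.each_line.each_with_object({}) do |line, h|
    m = line.chomp.match(/\A([A-Z_]+)\s*:\s*(.*)\z/)
    h[m[1]] = m[2].strip if m
  end
end

# server_x509_auth.conf is YAML with symbol keys (:srv_user:, :one_cert:, :one_key:).
def parse_server_conf(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Could a process with this uid/gid set read path? (Ignores root's bypass.)
def readable_by?(path, uid, gids)
  st = File.stat(path)
  return true if st.uid == uid && (st.mode & 0o400) != 0
  return true if gids.include?(st.gid) && (st.mode & 0o040) != 0
  (st.mode & 0o004) != 0
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Returns the problems found; an empty list means the thread's conditions hold.
# uid/gids are those of the unix user running oned and sunstone-server.
def check_server_user(info, conf, uid: Process.uid, gids: Process.groups)
  problems = []
  problems << "AUTH_DRIVER is #{info['AUTH_DRIVER']}, expected #{SERVER_DRIVER} (x509 is for regular users)" unless info['AUTH_DRIVER'] == SERVER_DRIVER
  problems << "srv_user #{conf[:srv_user]} is not #{info['NAME']}" unless conf[:srv_user] == info['NAME']
  unreadable = [conf[:one_cert], conf[:one_key]].reject { |p| readable_by?(p, uid, gids) }
  unreadable.each { |p| problems << "#{p} is not readable by uid #{uid}" }
  if unreadable.empty?
    cert = OpenSSL::X509::Certificate.new(File.read(conf[:one_cert]))
    key  = OpenSSL::PKey.read(File.read(conf[:one_key]))
    problems << 'one_key does not belong to one_cert' unless cert.check_private_key(key)
    dn = cert.subject.to_s.delete(' ')   # password must be the DN with spaces removed
    problems << "PASSWORD #{info['PASSWORD']} != certificate DN #{dn}" unless info['PASSWORD'] == dn
  end
  problems
end

# Constructed self-signed cert standing in for /etc/grid-security/hostcert.pem.
def self_signed(dn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(dn)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Run the check against the quoted setup (driver x509) and again after the
# fix the reply recommends (driver server_x509). Returns both problem lists.
def demo
  cert, key = self_signed(DN)
  cert_f = Tempfile.new(['hostcert', '.pem']); cert_f.write(cert.to_pem); cert_f.flush
  key_f  = Tempfile.new(['hostkey', '.pem']);  key_f.write(key.to_pem);  key_f.flush
  conf = parse_server_conf(<<~YAML)
    :srv_user: serveradmin
    :one_cert: "#{cert_f.path}"
    :one_key: "#{key_f.path}"
  YAML
  broken = parse_user_show(USER_SHOW_BROKEN)
  fixed  = broken.merge('AUTH_DRIVER' => SERVER_DRIVER)
  [check_server_user(broken, conf), check_server_user(fixed, conf)]
ensure
  [cert_f, key_f].compact.each(&:close!)
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running it prints one problem for the setup as quoted (the driver) and an empty list once AUTH_DRIVER is server_x509. The file check deliberately tests the bits for a given uid/gid set rather than calling File.readable?, because the process that matters (oned, sunstone-server as oneadmin) is usually not the one running the script.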


