[one-users] Problem with Sunstone and x509 Auth

Georg georg at intelli-point.at
Mon Nov 21 03:47:41 PST 2011


First of all thank you!

I'm afraid the error stays the same.

The config now looks like this:

<VirtualHost *:443>
    DocumentRoot /var/www
    SSLEngine On
    SSLCertificateFile /etc/apache2/sslzert.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
    SSLOptions +StdEnvVars +ExportCertData

    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # initialize the special headers to a blank value to avoid http header forgeries
    RequestHeader set SSL_CLIENT_S_DN    ""
    RequestHeader set SSL_CLIENT_I_DN    ""
    RequestHeader set SSL_SERVER_S_DN_OU ""
    RequestHeader set SSL_CLIENT_VERIFY  ""

    # add all the SSL_* you need in the internal web application
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

    ProxyPass /admin/ http://localhost:9869/
    ProxyPassReverse /admin/ http://localhost:9869/
</VirtualHost>

The certificate DNs are the following:

The oneadmin DN:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:62:52:9a:61:bc:d2:a7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master
        Validity
            Not Before: Nov 13 08:39:13 2011 GMT
            Not After : Nov 12 08:39:13 2012 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=oneadmin

oneuser output:

  ID GROUP    NAME                                                      PASSWORD
   0 oneadmin oneadmin        /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one

and the full CN from the users table in the MySQL backend:

<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin</PASSWORD><ENABLED>1</ENABLED></USER>

-----Original Message-----
To: Georg <georg at intelli-point.at>
CC: users at lists.opennebula.org
From: Héctor Sanjuán <hsanjuan at opennebula.org>
Sent: Mon 21.11.2011 12:35
Subject: Re: [one-users] Problem with Sunstone and x509 Auth
Hello,

It may be that ssl headers are not being forwarded. Try this to set the
ssl headers on your virtual host file:

------------------------------------------------
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN    ""
RequestHeader set SSL_CLIENT_I_DN    ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY  ""

# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

---------------------------------------------------

Right before the proxy pass directives:

ProxyPass /admin/ http://localhost:9869/
ProxyPassReverse /admin/ http://localhost:9869/


Hope it helps and let us know if it works,

Héctor Sanjuán
OpenNebula Developer

On 21/11/11 12:15, Georg wrote:
> Hey!
> 
> I'm trying to get Sunstone to work with x509 certificates but fail miserably.
> 
> My configuration looks as follows:
> 
> OpenNebula version 3.0.0 compiled from source
> 
> OpenNebula with passwords works like a charm, and also with x509 on the CLI.
> 
> What I'm trying to achieve is logging in from Sunstone, but I get an
> "OpenNebula is not running" message.
> 
> I already searched the newslist a bit and found a more detailed error after
> using that fix
> http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html
> 
> The error message is:
> 
>  Authentication failed. Username not found in certificate chain
> 
> I already checked the config for mistakes, but because it's working on
> the CLI I don't think there's anything wrong with the certificates.
> 
> The Sunstone configuration looks as follows:
> 
> ======================================
> 
> # OpenNebula server contact information
> :one_xmlrpc: http://localhost:2633/RPC2
> 
> # Server Configuration
> :host: 127.0.0.1
> :port: 9869
> 
> #:auth: basic
> :auth: x509
> 
> # VNC Configuration
> :vnc_proxy_base_port: 29876
> :novnc_path: /srv/cloud/one/share/noVNC
> 
> ======================================
> 
> For a secure web connection I use Apache as a proxy with the following config:
> 
> ======================================
> 
> <VirtualHost *:443>
>      DocumentRoot /var/www
>      SSLEngine On
>      SSLCertificateFile /etc/apache2/sslzert.pem
>      SSLVerifyClient require
>      SSLVerifyDepth 2
>      SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
>      SSLOptions +StdEnvVars +ExportCertData
> 
>      ProxyRequests Off
> 
>      <Proxy *>
>          Order deny,allow
>          Allow from all
>      </Proxy>
> 
>      ProxyPass /admin/ http://localhost:9869/
>      ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
> 
> My assumption is that there's something wrong with the Apache/Sunstone
> configuration, but I'm stuck at the moment.
> 
> Any help would be appreciated =)
> 
> Have a nice day!
> 
> Georg
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
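Added example (not OpenNebula or Sunstone code, and not from either poster): a small Python model of the two-stage `RequestHeader set` block Héctor suggests, followed by the kind of check a backend behind that proxy would do on the forwarded headers. The header names are the ones in the VirtualHost above; the DN values are the certificate subject from Georg's `openssl` dump (in mod_ssl's slash form) and the PASSWORD field from his `oneuser` output. The whitespace-stripping `normalize_dn`, the `authenticate` function, and the treatment of an unset mod_ssl variable as an empty string are assumptions made for the illustration.

```python
import re

# Header names that the VirtualHost in this thread blanks and then refills.
# Constructed to mirror that config; nothing here talks to Apache.
SSL_HEADERS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN",
               "SSL_SERVER_S_DN_OU", "SSL_CLIENT_VERIFY")

# Values taken from the thread: the certificate subject as openssl prints it
# (written in mod_ssl's slash form) and the PASSWORD field from `oneuser list`.
CERT_SUBJECT_DN = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=oneadmin"
STORED_DN = "/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin"


def proxy_headers(client_headers, ssl_env):
    """Emulate, for every X in SSL_HEADERS,
        RequestHeader set X ""
        RequestHeader set X "%{X}s"
    applied to a request before it is proxied to Sunstone. Whatever the
    client put in those header names is overwritten; only what mod_ssl
    established for this TLS session is forwarded. Assumption: an unset
    mod_ssl variable is forwarded as an empty string."""
    forwarded = dict(client_headers)
    for name in SSL_HEADERS:
        forwarded[name] = ""                        # stage 1: blank it
    for name in SSL_HEADERS:
        forwarded[name] = ssl_env.get(name, "")     # stage 2: refill from mod_ssl
    return forwarded


def normalize_dn(dn):
    """Remove all whitespace so the two spellings seen in the thread (the
    certificate subject with spaces, the stored value without) compare equal.
    Assumption: whitespace removal is the only normalization needed."""
    return re.sub(r"\s+", "", dn)


def authenticate(forwarded_headers, stored_dn):
    """Accept the proxied request only if mod_ssl reported a verified client
    certificate AND its subject matches the stored DN. Returns the CN on
    success, None otherwise. Hypothetical check, not Sunstone's own logic."""
    if forwarded_headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    subject = forwarded_headers.get("SSL_CLIENT_S_DN", "")
    if not subject or normalize_dn(subject) != normalize_dn(stored_dn):
        return None
    match = re.search(r"/CN=([^/]+)", subject)
    return match.group(1) if match else None


def demo():
    """Two constructed requests. Both carry client-supplied SSL_* headers that
    claim to be oneadmin; only the one whose TLS session actually presented
    the verified certificate gets through the proxy stage with a usable DN."""
    forged = {"SSL_CLIENT_S_DN": STORED_DN, "SSL_CLIENT_VERIFY": "SUCCESS"}
    no_cert_session = {}                  # mod_ssl set no SSL_CLIENT_* variables
    verified_session = {
        "SSL_CLIENT_S_DN": CERT_SUBJECT_DN,
        "SSL_CLIENT_I_DN": "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=master",
        "SSL_CLIENT_VERIFY": "SUCCESS",
    }
    return (authenticate(proxy_headers(forged, no_cert_session), STORED_DN),
            authenticate(proxy_headers(forged, verified_session), STORED_DN))


if __name__ == "__main__":
    print(demo())   # (None, 'oneadmin')
```

The point of the first stage is visible in `proxy_headers`: without the blanking lines, a request that never presented a certificate but carried its own `SSL_CLIENT_S_DN` header would reach the backend with that header intact whenever mod_ssl had nothing to put in its place. The `normalize_dn` step shows why comparing the raw subject string against the stored value fails here even when the certificate is correct: the stored DN has had its spaces removed.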