[one-users] econe-server with x509 fails to set HTTP_SSL_CLIENT_CERT

Daniel Molina dmolina at opennebula.org
Thu Jan 17 03:31:01 PST 2013


On 17 January 2013 12:23, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> Hi Daniel,
>
> Thanks very much for your message.
>> $ curl "https://myone38sever?Action=DescribeInstances" --cert cert.pem
> I see. So, for each of 6(on3.2) or 21(one.3.8) econe commands, we will have to set proper action
> to Action= in the curl..

Note that you will have to define more parameters for example if you
want to use the attach_volume method [1] you have to define the
VolumeId, InstanceId and Device params.:

 $ curl "https://myone38sever?Action=AttachVolume&VolumeId=...." --cert cert.pem

Maybe you can modify the AWS::EC2::Base class to include the client
certificate in the request, or monkey patch it to use curl to connect
to the server.


[1] Ruby
        def attach_volume(volume, instance, device)
            begin
                response = @ec2_connection.attach_volume(
                    :volume_id => volume,
                    :instance_id => instance,
                    :device => device
                    )
            rescue Exception => e
                error = CloudClient::Error.new(e.message)
                return error
            end

            return response
        end

>
>> Please, also check that the headers module is enable in Apache and
>> your apache conf includes the following lines for the econe server:
> We have been using Apache and GridSite for a while in order to
> enable use of certificates on the client site.
>
> Thanks again.
> Hyunwoo
> FermiCloud Project
>
>
> ________________________________________
> From: Daniel Molina [dmolina at opennebula.org]
> Sent: Thursday, January 17, 2013 5:06 AM
> To: Hyun Woo Kim
> Cc: users at lists.opennebula.org
> Subject: Re: [one-users] econe-server with x509 fails to set HTTP_SSL_CLIENT_CERT
>
> Hi Hyunwoo,
>
> On 17 January 2013 05:38, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
>> I first set ONE_AUTH to be ~/.one/one_x509 (created from my personal
>> certificate)
>> and then do,
>> econe-upload  --url https://myone38sever file.img
>>
>> This fails with the error message;
>> econe-upload:
>>                 <Error>
>>                     <Code>AuthFailure</Code>
>>                     <Message>Could not create X509 certificate from
>> </Message>
>>                 </Error>
>>
>>
>> I can find that this message originates from
>> $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
>> because HTTP_SSL_CLIENT_CERT is not set(see below [1]).
>>
>> I also confirmed that Apache also fails to set it
>> which means the client side, econe-upload command fails to send PEM string
>> correctly,
>>
>> If you look at "upload_image method"  in
>> $ONE_LOCATION/lib/ruby/cloud/econe/EC2QueryClient.rb,
>> I guess one of the following lines fails;
>>             str = AWS.canonical_string(params, @uri.host)
>>             sig = AWS.encode(@access_key_secret, str, false)
>>
>>             if curb
>>>>                 post_fields << Curl::PostField.content("Signature",sig)
>>                 post_fields << Curl::PostField.file("file",file_name)
>>
>>                 connection = Curl::Easy.new(@uri.to_s)
>>                 connection.multipart_form_post = true
>>                 connection.ssl_verify_peer = false
>>                 connection.http_post(*post_fields)
>>
>>
>> Could Open Nebula developers investigate this?
>> (I am seeing the same error in both ON3.2 and ON3.8)
>>
>> Thanks very much.
>>
>> Hyunwoo Kim
>> FermiCloud Project
>>
>> ================================
>> [1] module X509CloudAuth
>>     def do_auth(env, params={})
>>         # For https, the web service should be set to include the user cert
>> in the environment.
>>         cert_line   = env['HTTP_SSL_CLIENT_CERT']
>>         cert_line   = nil if cert_line == '(null)' # For Apache mod_ssl
>>         chain_index = 0
>>
>>         # Use the https credentials for authentication
>>         unless cert_line.nil?
>>             begin
>>                 m      = cert_line.match(/(-+BEGIN
>> CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
>>                 cert_s = "#{m[1]}#{m[2].gsub(' ',"\n")}#{m[3]}"
>>                 cert   = OpenSSL::X509::Certificate.new(cert_s)
>>             rescue
>>                 raise "Could not create X509 certificate from " + cert_line
>>             end
>> ===================================
>>
>
> Currently econe tools do not support x509 client certificates. If you
> want to use x509 authentication through EC2 you must use curl to
> interact with the server. If you use this kind of authentication, the
> EC2 Signature method will not be used anymore and you will have to
> specify your certificate in the curl command.
>
> For example if you want to list all your running instances:
> $ curl "https://myone38sever?Action=DescribeInstances" --cert
> /path/to/your/client/cert.pem
>
> Please, also check that the headers module is enable in Apache and
> your apache conf includes the following lines for the econe server:
>       RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>       RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
>       RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
>       RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
>       RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>
> You may find this guide usefull. It shows how to enable x509 auth in Sunstone:
> http://wiki.opennebula.org/sunstone_x509
>
> Cheers
>
> PS: Note that econe-upload is not an EC2 API method. We created this
> method to be able to upload images to OpenNebula as an alternative to
> S3 API.
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula



More information about the Users mailing list