<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta name="Generator" content="Zarafa WebAccess v7.0.0-27791">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>AW: [one-users] Problem with Sunstone and x509 Auth</title>
<style type="text/css">
body
{
font-family: Arial, Verdana, Sans-Serif ! important;
font-size: 12px;
padding: 5px 5px 5px 5px;
margin: 0px;
border-style: none;
background-color: #ffffff;
}
p, ul, li
{
margin-top: 0px;
margin-bottom: 0px;
}
</style>
</head>
<body>
<p>Thanks a lot!</p><p>That did the trick!</p><p>It works!</p><p>THANKS!</p>
<blockquote style="border-left: 2px solid #325FBA; padding-left: 5px;margin-left:5px;">
-----Original Message-----<br />
<strong>To:</strong> Georg &lt;georg@intelli-point.at&gt;; <br />
<strong>CC:</strong> users@lists.opennebula.org; <br />
<strong>From:</strong> Héctor Sanjuán &lt;hsanjuan@opennebula.org&gt;<br />
<strong>Sent:</strong> Mon 21.11.2011 13:04<br />
<strong>Subject:</strong> Re: AW: [one-users] Problem with Sunstone and x509 Auth<br />
Ah, sorry, I just realized that basically this is the one that you need:<br />
<br />
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"<br />
<br />
Can you try adding it as well?<br />
<br />
Héctor Sanjuán<br />
OpenNebula Developer<br />
<br />
On 21/11/11 12:47, Georg wrote:<br />
> <br />
> First of all thank you!<br />
> <br />
> I'm afraid the error stays the same.<br />
> <br />
> The config now looks like this:<br />
> <br />
> &lt;VirtualHost *:443&gt;<br />
> DocumentRoot /var/www<br />
> SSLEngine On<br />
> SSLCertificateFile /etc/apache2/sslzert.pem<br />
> SSLVerifyClient require<br />
> SSLVerifyDepth 2<br />
> SSLCACertificateFile /srv/cloud/one/certs/cacert.pem<br />
> SSLOptions +StdEnvVars +ExportCertData<br />
> <br />
> ProxyRequests Off<br />
> <br />
> &lt;Proxy *&gt;<br />
> Order deny,allow<br />
> Allow from all<br />
> &lt;/Proxy&gt;<br />
> <br />
> # initialize the special headers to a blank value to avoid http header forgeries<br />
> RequestHeader set SSL_CLIENT_S_DN ""<br />
> RequestHeader set SSL_CLIENT_I_DN ""<br />
> RequestHeader set SSL_SERVER_S_DN_OU ""<br />
> RequestHeader set SSL_CLIENT_VERIFY ""<br />
> <br />
> # add all the SSL_* you need in the internal web application<br />
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"<br />
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"<br />
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"<br />
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"<br />
> <br />
> ProxyPass /admin/ http://localhost:9869/<br />
> ProxyPassReverse /admin/ http://localhost:9869/<br />
> &lt;/VirtualHost&gt;<br />
> <br />
> The certificate DNs are the following:<br />
> <br />
> The oneadmin DN:<br />
> <br />
> Certificate:<br />
> Data:<br />
> Version: 3 (0x2)<br />
> Serial Number:<br />
> e8:62:52:9a:61:bc:d2:a7<br />
> Signature Algorithm: sha1WithRSAEncryption<br />
> Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master<br />
> Validity<br />
> Not Before: Nov 13 08:39:13 2011 GMT<br />
> Not After : Nov 12 08:39:13 2012 GMT<br />
> Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=oneadmin<br />
> <br />
> oneuser output:<br />
> <br />
> ID GROUP NAME PASSWORD<br />
> 0 oneadmin oneadmin /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one<br />
> <br />
> and the full CN from the users table in the MySQL backend:<br />
> <br />
> &lt;USER&gt;&lt;ID&gt;0&lt;/ID&gt;&lt;GID&gt;0&lt;/GID&gt;&lt;GNAME&gt;oneadmin&lt;/GNAME&gt;&lt;NAME&gt;oneadmin&lt;/NAME&gt;&lt;PASSWORD&gt;/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin&lt;/PASSWORD&gt;&lt;ENABLED&gt;1&lt;/ENABLED&gt;&lt;/USER&gt;<br />
> <br />
> -----Original Message-----<br />
> *To:* Georg &lt;georg@intelli-point.at&gt;;<br />
> *CC:* users@lists.opennebula.org;<br />
> *From:* Héctor Sanjuán &lt;hsanjuan@opennebula.org&gt;<br />
> *Sent:* Mon 21.11.2011 12:35<br />
> *Subject:* Re: [one-users] Problem with Sunstone and x509 Auth<br />
> Hello,<br />
> <br />
> It may be that the SSL headers are not being forwarded. Try this to set the SSL headers in your virtual host file:<br />
> <br />
> ------------------------------------------------<br />
> # initialize the special headers to a blank value to avoid http header forgeries<br />
> RequestHeader set SSL_CLIENT_S_DN ""<br />
> RequestHeader set SSL_CLIENT_I_DN ""<br />
> RequestHeader set SSL_SERVER_S_DN_OU ""<br />
> RequestHeader set SSL_CLIENT_VERIFY ""<br />
> <br />
> # add all the SSL_* you need in the internal web application<br />
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"<br />
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"<br />
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"<br />
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"<br />
> <br />
> ---------------------------------------------------<br />
> <br />
> Right before the proxy pass directives:<br />
> <br />
> ProxyPass /admin/ http://localhost:9869/<br />
> ProxyPassReverse /admin/ http://localhost:9869/<br />
> <br />
> Hope it helps and let us know if it works,<br />
> <br />
> Héctor Sanjuán<br />
> OpenNebula Developer<br />
> <br />
> On 21/11/11 12:15, Georg wrote:<br />
> > Hey!<br />
> ><br />
> > I'm trying to get Sunstone to work with x509 certificates but fail miserably.<br />
> ><br />
> > My configuration looks as follows:<br />
> ><br />
> > OpenNebula version 3.0.0 compiled from source<br />
> ><br />
> > OpenNebula with passwords works like a charm and also with x509 on the CLI.<br />
> ><br />
> > What I'm trying to achieve is logging in from Sunstone, but I get an "OpenNebula is not running" message.<br />
> ><br />
> > I already searched the newslist a bit and found a more detailed error after using that fix:<br />
> > http://www.mail-archive.com/users@lists.opennebula.org/msg04410.html<br />
> ><br />
> > The error message is:<br />
> ><br />
> > Authentication failed. Username not found in certificate chain<br />
> ><br />
> > I already checked the config for mistakes, but because it's working on the CLI I don't think there's anything wrong with the certificates.<br />
> ><br />
> > The Sunstone configuration looks as follows:<br />
> ><br />
> > ======================================<br />
> ><br />
> > # OpenNebula server contact information<br />
> > :one_xmlrpc: http://localhost:2633/RPC2<br />
> ><br />
> > # Server Configuration<br />
> > :host: 127.0.0.1<br />
> > :port: 9869<br />
> ><br />
> > #:auth: basic<br />
> > :auth: x509<br />
> ><br />
> > # VNC Configuration<br />
> > :vnc_proxy_base_port: 29876<br />
> > :novnc_path: /srv/cloud/one/share/noVNC<br />
> ><br />
> > ======================================<br />
> ><br />
> > For a secure web connection I use Apache as a proxy with the following config:<br />
> ><br />
> > ======================================<br />
> ><br />
> > &lt;VirtualHost *:443&gt;<br />
> > DocumentRoot /var/www<br />
> > SSLEngine On<br />
> > SSLCertificateFile /etc/apache2/sslzert.pem<br />
> > SSLVerifyClient require<br />
> > SSLVerifyDepth 2<br />
> > SSLCACertificateFile /srv/cloud/one/certs/cacert.pem<br />
> > SSLOptions +StdEnvVars +ExportCertData<br />
> ><br />
> > ProxyRequests Off<br />
> ><br />
> > &lt;Proxy *&gt;<br />
> > Order deny,allow<br />
> > Allow from all<br />
> > &lt;/Proxy&gt;<br />
> ><br />
> > ProxyPass /admin/ http://localhost:9869/<br />
> > ProxyPassReverse /admin/ http://localhost:9869/<br />
> > &lt;/VirtualHost&gt;<br />
> ><br />
> > My assumption is that there's something wrong with the Apache/Sunstone configuration, but I'm stuck at the moment.<br />
> ><br />
> > Any help would be appreciated =)<br />
> ><br />
> > Have a nice day!<br />
> ><br />
> > Georg<br />
> ><br />
> > _______________________________________________<br />
> > Users mailing list<br />
> > Users@lists.opennebula.org<br />
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org<br />
> <br />
</blockquote>
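<p>The login check that the extra <code>RequestHeader set SSL_CLIENT_CERT</code> line makes possible, modelled here as an added Ruby example (not OpenNebula's or Sunstone's code): the proxy forwards the client certificate it has already verified in an SSL_CLIENT_CERT header, and the backend matches that certificate's subject DN, with whitespace removed, against the stored user password, which is the shape visible in the oneuser output above. Assumed: the certificate and the user table are constructed stand-ins, and the PEM reaches the backend flattened onto one header line with spaces in place of newlines.</p>

```ruby
require 'openssl'

# Constructed self-signed certificate with the same subject as the oneadmin
# certificate shown in the thread (a stand-in, not the real certificate).
def build_client_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(
    '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=oneadmin')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Headers as the Apache vhost hands them to Sunstone. forward_cert toggles the
# "RequestHeader set SSL_CLIENT_CERT" line that resolved the thread. A header
# value is one line, so the PEM's newlines become spaces (assumed, see lead-in).
def forwarded_headers(cert, forward_cert)
  h = { 'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_S_DN'   => cert.subject.to_s }
  h['SSL_CLIENT_CERT'] = cert.to_pem.gsub("\n", ' ') if forward_cert
  h
end

# Simplified x509 login (a model, not OpenNebula's code). The decision rests on
# the forwarded certificate, not on a DN header a client could supply itself:
# the subject DN with whitespace removed must equal the PASSWORD stored for a
# user, matching the oneuser output in the thread.
def x509_login(headers, users)
  line = headers['SSL_CLIENT_CERT']
  raise 'Username not found in certificate chain' if line.nil? || line.empty?
  m = line.match(/(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
  raise 'Could not parse forwarded certificate' unless m
  # Re-fold the flattened PEM body so OpenSSL can parse it again.
  pem  = "#{m[1]}\n#{m[2].strip.gsub(' ', "\n")}\n#{m[3]}\n"
  dn   = OpenSSL::X509::Certificate.new(pem).subject.to_s.delete(" \t\n")
  name, = users.find { |_, pw| pw == dn }
  raise 'Username not found in certificate chain' unless name
  name
end

# Constructed user table mirroring the oneuser / database output in the thread.
USERS = { 'oneadmin' => '/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin' }
```

<p>Without the SSL_CLIENT_CERT header the model fails with exactly the "Username not found in certificate chain" message from the thread; with it, the login resolves to oneadmin.</p>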
</body>
</html>