Simple Apache-SSL integration and DN-based authentication

From EGEE-see Wiki


This is a simple description of httpd SSL integration and DN-based authentication. It is useful to those who want to create web applications used by different users with different access permissions to various parts of the application (only specific users can see or change particular parts of it).

If an httpd installation does not exist by default, it can easily be installed using APT

  $ apt-get update
  $ apt-get install httpd
  $ chkconfig httpd on

or YUM

  $ yum update
  $ yum install httpd
  $ chkconfig httpd on

and started with

  $ /etc/init.d/httpd start

Apache test page at http://localhost/ should be visible now.

The module mod_ssl should be installed in order to get SSL support

  $ apt-get install mod_ssl

or

  $ yum install mod_ssl

as well as the RPMs of all Certification Authorities accredited by EUGridPMA. Installation instructions are available at http://grid-deployment.web.cern.ch/grid-deployment/lcg2CAlist.html.

In the httpd configuration file /etc/httpd/conf/httpd.conf the following lines should be added

  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  
  SSLCertificateFile    /etc/grid-security/hostcert.pem
  SSLCertificateKeyFile /etc/grid-security/hostkey.pem
  SSLCACertificatePath  /etc/grid-security/certificates

and after that httpd should be restarted

  $ /etc/init.d/httpd restart

This module relies on OpenSSL to provide the cryptography engine. After this step the encrypted Apache test page should be available at https://localhost/, alongside the unencrypted page at http://localhost/.

Checking the certificate revocation list (CRL) is recommended, so mod_ssl should be configured to do it. This can be done by installing the fetch-crl package from the gLite repository

  $ apt-get update
  $ apt-get install fetch-crl
  $ ln -s /usr/share/doc/fetch-crl-2.6.0/fetch-crl.sysconfig /etc/sysconfig/fetch-crl

and creating the cron job /etc/cron.d/fetch-crl

  15 5,11,17,23 * * * root source /usr/share/doc/fetch-crl-2.6.0/fetch-crl.cron >> /var/log/fetch-crl-cron.log 2>&1

This step is not required if you are using a Grid machine; in that case the fetch-crl package and the cron job are already installed.

In order to load updated CRL information the httpd server must be restarted periodically, so another cron job should be created. Let's call it /etc/cron.d/httpd-restart

  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  30 5,11,17,23 * * * root /usr/sbin/apachectl graceful >> /dev/null 2>&1

Finally, the following line

  SSLCARevocationPath /etc/grid-security/certificates

should be added to the httpd configuration file /etc/httpd/conf/httpd.conf.
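The two cron jobs above only help if the CRL files are actually present and current at the moment httpd is restarted; a CA whose CRL never arrived is simply served without revocation checking. The script below is an added example (not part of fetch-crl, mod_ssl or this wiki) that checks the directory named by SSLCARevocationPath for that condition. It assumes fetch-crl's convention of storing each CA's CRL as <hash>.r0 next to the CA certificate <hash>.0, and the 12-hour freshness threshold is an assumption derived from the 6-hourly cron schedule above.

```python
import os
import re
import sys
import time

# Added example, not part of fetch-crl or mod_ssl. fetch-crl stores each CA's
# CRL as <hash>.r0 next to the CA certificate <hash>.0, and mod_ssl resolves
# SSLCARevocationPath entries by exactly that name, so a missing or stale
# <hash>.r0 silently disables revocation checking for that CA.
CERT_DIR = "/etc/grid-security/certificates"   # path used on the page
MAX_AGE_SECONDS = 12 * 3600                    # assumption: two missed 6-hourly fetch-crl runs

# CA certificate files are named by the 8-hex-digit OpenSSL subject hash.
_CA_FILE = re.compile(r"[0-9a-fA-F]{8}\.0")


def check_crls(cert_dir=CERT_DIR, max_age=MAX_AGE_SECONDS, now=None):
    """Return {hash: status} for every CA certificate <hash>.0 in cert_dir.

    status is "ok", "missing" (no <hash>.r0 present) or "stale" (the CRL file
    was last written more than max_age seconds before now).
    """
    now = time.time() if now is None else now
    status = {}
    for name in sorted(os.listdir(cert_dir)):
        if not _CA_FILE.fullmatch(name):
            continue                      # skips .r0 files, .signing_policy, etc.
        ca_hash = name[:-2]
        crl = os.path.join(cert_dir, ca_hash + ".r0")
        if not os.path.isfile(crl):
            status[ca_hash] = "missing"
        elif now - os.path.getmtime(crl) > max_age:
            status[ca_hash] = "stale"
        else:
            status[ca_hash] = "ok"
    return status


def problems(status):
    """Hashes whose CRL is missing or stale, sorted for stable output."""
    return sorted(h for h, s in status.items() if s != "ok")


if __name__ == "__main__":
    # Intended to run just before the graceful restart in /etc/cron.d/httpd-restart;
    # a non-zero exit means at least one CA currently has no usable CRL on disk.
    bad = problems(check_crls())
    for h in bad:
        print("CRL problem for CA %s" % h)
    sys.exit(1 if bad else 0)
```

Because mod_ssl of this era only reads CRLs at start-up, the check is only meaningful when run before the graceful restart, which is why it is written as an exit-status tool rather than a report.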

Let's create the resource /var/www/html/see-grid/. The following situations can be interesting:

  • The resource should be reachable with and without encryption.
    In this situation no additional steps are required; this is the default.

  • The resource should be reachable only with encryption.
    This situation requires the following lines in the /etc/httpd/conf/httpd.conf file

  <Directory "/var/www/html/see-grid">
       SSLRequireSSL
  </Directory>

  • The resource should be reachable only with encryption, and the client's DN should be requested and verified

  <Directory "/var/www/html/see-grid">
       SSLRequireSSL
       SSLVerifyClient      require
       SSLVerifyDepth       5
  </Directory>

  • The resource should be reachable with encryption, the client's DN should be requested and verified, and only members of a certain organization (O) and organizational unit (OU) should be able to see the contents

  <Directory "/var/www/html/see-grid">
       SSLRequireSSL
       SSLVerifyClient      require
       SSLVerifyDepth       5
       SSLOptions           +FakeBasicAuth
       SSLRequire           %{SSL_CLIENT_S_DN_O} eq "AEGIS" \
                            and %{SSL_CLIENT_S_DN_OU} eq "Institute of Physics Belgrade"
  </Directory>

    The following syntax can also be used here

  <Directory "/var/www/html/see-grid">
       SSLRequireSSL
       SSLVerifyClient      require
       SSLVerifyDepth       5
       SSLOptions           +FakeBasicAuth
       SSLRequire           %{SSL_CLIENT_S_DN_O} eq "AEGIS" \
                            and %{SSL_CLIENT_S_DN_OU} in {"Institute of Physics Belgrade", "UOB"}
  </Directory>

    and other parts of the certificate can be used as conditions too.

  • The resource can be reached only by the specified client DNs.
    The list of client DNs can be put in any file; in this example /etc/httpd/see-grid.users is used. This is an example of the file contents

  /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Neda Svraka:xxj31ZMTZzkVA
  /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Branimir Ackovic:xxj31ZMTZzkVA
  /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz:xxj31ZMTZzkVA
  /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Dusan Vudragovic:xxj31ZMTZzkVA

Note that with FakeBasicAuth every DN must have ":xxj31ZMTZzkVA" as its suffix: this is the word "password" in crypt() form, which is the fixed password mod_ssl supplies for every client certificate. In this case the /etc/httpd/conf/httpd.conf file should contain the following lines

  <Directory "/var/www/html/see-grid">
       SSLRequireSSL
       SSLVerifyClient      require
       SSLVerifyDepth       5
       SSLOptions           +FakeBasicAuth
       AuthName             "SEE-GRID Authentication"
       AuthType             Basic
       AuthUserFile         /etc/httpd/see-grid.users
       require              valid-user
  </Directory>

The module mod_ssl provides a lot of additional environment variables that can be used by CGI applications. This can be checked with a simple phpinfo.php script placed in the /var/www/html/ folder

  <?php
       phpinfo();
  ?>

Differences in the number of variables can be noticed by comparing the Environment tables at http://localhost/phpinfo.php and https://localhost/phpinfo.php. For my certificate the additional variables and their values are given in the following table

  Variable                           Value
  _SERVER["HTTPS"]                   on
  _SERVER["SSL_VERSION_INTERFACE"]   mod_ssl/2.0.46
  _SERVER["SSL_VERSION_LIBRARY"]     OpenSSL/0.9.7a
  _SERVER["SSL_PROTOCOL"]            TLSv1
  _SERVER["SSL_CIPHER"]              DHE-RSA-AES256-SHA
  _SERVER["SSL_CIPHER_EXPORT"]       false
  _SERVER["SSL_CIPHER_USEKEYSIZE"]   256
  _SERVER["SSL_CIPHER_ALGKEYSIZE"]   256
  _SERVER["SSL_CLIENT_VERIFY"]       SUCCESS
  _SERVER["SSL_CLIENT_M_VERSION"]    3
  _SERVER["SSL_CLIENT_M_SERIAL"]     13
  _SERVER["SSL_CLIENT_V_START"]      Jul 19 14:30:25 2007 GMT
  _SERVER["SSL_CLIENT_V_END"]        Jul 18 14:30:25 2008 GMT
  _SERVER["SSL_CLIENT_V_REMAIN"]     260
  _SERVER["SSL_CLIENT_S_DN"]         /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Dusan Vudragovic
  _SERVER["SSL_CLIENT_S_DN_C"]       RS
  _SERVER["SSL_CLIENT_S_DN_O"]       AEGIS
  _SERVER["SSL_CLIENT_S_DN_OU"]      Institute of Physics Belgrade
  _SERVER["SSL_CLIENT_S_DN_CN"]      Dusan Vudragovic
  _SERVER["SSL_CLIENT_I_DN"]         /C=RS/O=AEGIS/CN=AEGIS-CA
  _SERVER["SSL_CLIENT_I_DN_C"]       RS
  _SERVER["SSL_CLIENT_I_DN_O"]       AEGIS
  _SERVER["SSL_CLIENT_I_DN_CN"]      AEGIS-CA
  _SERVER["SSL_CLIENT_A_KEY"]        rsaEncryption
  _SERVER["SSL_CLIENT_A_SIG"]        sha1WithRSAEncryption
  _SERVER["SSL_SERVER_M_VERSION"]    3
  _SERVER["SSL_SERVER_M_SERIAL"]     01C7
  _SERVER["SSL_SERVER_V_START"]      May 30 14:21:44 2007 GMT
  _SERVER["SSL_SERVER_V_END"]        May 29 14:21:44 2008 GMT
  _SERVER["SSL_SERVER_S_DN"]         /DC=ORG/DC=SEE-GRID/O=Hosts/O=Institute of Physics Belgrade/CN=host/athena.phy.bg.ac.yu
  _SERVER["SSL_SERVER_S_DN_O"]       Hosts
  _SERVER["SSL_SERVER_S_DN_CN"]      host/athena.phy.bg.ac.yu
  _SERVER["SSL_SERVER_I_DN"]         /DC=ORG/DC=SEE-GRID/CN=SEE-GRID CA
  _SERVER["SSL_SERVER_I_DN_CN"]      SEE-GRID CA
  _SERVER["SSL_SERVER_A_KEY"]        rsaEncryption
  _SERVER["SSL_SERVER_A_SIG"]        sha1WithRSAEncryption
  _SERVER["SSL_SESSION_ID"]          76D2278FD42B5EF91928C1F6F10F707284CCCC581EB41C06A629D823FFDD7931
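The SSLRequire and AuthUserFile rules in the previous section decide access at the web-server level; an application that gives different users different permissions has to make the same kind of decision itself, from exactly the SSL_* variables listed in this table. The script below is an added example, not the page's or mod_ssl's code, and serves both the O/OU condition and the DN-list file from the previous section. The DN parser, the authorize() policy function and the sample environment are constructed for this illustration (the environment values are copied from the table above); the fixed password suffix xxj31ZMTZzkVA comes from the page.

```python
import os
import re

# Added example, not the page's or mod_ssl's code. Sample data below is
# constructed from the page's own examples; nothing here talks to a server.

# The fixed password mod_ssl's +FakeBasicAuth supplies: crypt("password").
FAKE_BASIC_AUTH_SUFFIX = "xxj31ZMTZzkVA"

# Constructed subset of the environment shown in the table above.
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Dusan Vudragovic",
    "SSL_CLIENT_I_DN": "/C=RS/O=AEGIS/CN=AEGIS-CA",
}

# Constructed contents in the format of /etc/httpd/see-grid.users.
SAMPLE_USER_FILE = """\
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Neda Svraka:xxj31ZMTZzkVA
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Dusan Vudragovic:xxj31ZMTZzkVA
"""

# Split only on a '/' that starts a new attribute, so values containing '/'
# (e.g. CN=host/athena.phy.bg.ac.yu in the server DN above) stay intact.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """OpenSSL one-line DN -> list of (attribute, value), keeping order and repeats."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr, value))
    return rdns


def dn_values(rdns, attr):
    """All values of one attribute (a DN may carry several O= or OU= entries)."""
    return [v for a, v in rdns if a == attr]


def client_identity(env):
    """The verified client DN, or None.

    mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain validated.
    With 'SSLVerifyClient optional' the application must check this itself;
    with 'require' mod_ssl already rejected unverified clients, so the check
    is a second line of defence.
    """
    if env.get("HTTPS") != "on" or env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return env.get("SSL_CLIENT_S_DN") or None


def in_org_unit(dn, org, units):
    """The page's SSLRequire rule in code: O eq org and OU in units."""
    rdns = parse_dn(dn)
    return org in dn_values(rdns, "O") and any(ou in units for ou in dn_values(rdns, "OU"))


def load_user_file(text):
    """Parse 'DN:xxj31ZMTZzkVA' lines; reject entries FakeBasicAuth could never match."""
    users = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, pw = line.rpartition(":")
        if not sep or pw != FAKE_BASIC_AUTH_SUFFIX or not dn.startswith("/"):
            raise ValueError("line %d: expected '<DN>:%s'" % (lineno, FAKE_BASIC_AUTH_SUFFIX))
        users.add(dn)
    return users


def authorize(env, allowed_dns, org="AEGIS", units=("Institute of Physics Belgrade", "UOB")):
    """(allowed, reason): explicitly listed DNs first, then organisation/unit membership."""
    dn = client_identity(env)
    if dn is None:
        return False, "no verified client certificate"
    if dn in allowed_dns:
        return True, "DN is listed in the user file"
    if in_org_unit(dn, org, units):
        return True, "member of %s / %s" % (org, ", ".join(units))
    return False, "not authorised: " + dn


if __name__ == "__main__":
    # Under a real CGI script use the process environment instead of the sample.
    env = dict(os.environ) if "SSL_CLIENT_S_DN" in os.environ else SAMPLE_ENV
    print(authorize(env, load_user_file(SAMPLE_USER_FILE)))
```

The DN splitting deserves attention: the server DN in the table contains a CN with an embedded slash, so splitting on every "/" would corrupt it, which is why the parser only splits where a new attribute begins.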

Suggestions and comments can be sent to Dusan Vudragovic (dusan at cern.ch).

Last update: October 30, 2007
