Apache Configuration for CoSign

This document is "a work in progress" and specific configurations may vary.

Apache Post-Install

These steps must be run with root privileges and assume you are in the directory where the cosign zipfile was unpacked.

  • Create a working directory for CoSign:

 mkdir -p /var/cache/cosign/filter
  • Give the new directory the proper permissions:

Debian:

chown www-data:www-data /var/cache/cosign/filter 

Red Hat/CentOS 5: chown apache:apache /var/cache/cosign/filter

  • Create new directories for the CoSign certs and key

Debian:

mkdir /etc/apache2/cosign-ca/ mkdir /etc/apache2/ssl/ 

Red Hat/CentOS 5:

mkdir /etc/httpd/cosign-ca/ mkdir /etc/httpd/ssl/
  • Set the permissions on the CA cert

chmod 644 ca-cert.pem
  • Install the certs and keys

Debian:

mv ca-cert.pem /etc/apache2/cosign-ca/ c_rehash /etc/apache2/cosign-ca/ mv *.crt *.key /etc/apache2/ssl/ 

Red Hat/CentOS 5:

mv ca-cert.pem /etc/httpd/cosign-ca/ c_rehash /etc/httpd/cosign-ca/ mv *.crt *.key /etc/httpd/ssl/

NOTE: On RHEL, c_rehash is part of the package openssl-perl. If you don't have it, install it.

If you don't have the c_rehash command installed on your host you can run the following command (requires openssl binary) to achieve the same result:

cd /etc/httpd/cosign-ca/ ln -s ca-cert.pem `openssl x509 -hash -noout -in ca-cert.pem`.0

 

Basic Apache Configuration

Load the CoSign module

Apache needs to be told to load the CoSign module and the module needs several configuration items including what server to use. Choose either Debian or Non-Debian style configuration options.

Debian style

  • Create a module load file:

/etc/apache2/mods-available/cosign.load

with the following contents:

LoadModule cosign_module /usr/lib/apache2/modules/mod_cosign.so
  • Enable the module (a2enmod cosign)

  • Restart Apache (/etc/init.d/apache2 restart)

Ensure that Apache restarts successfully before continuing.

Non-Debian style

Verify that the following line exists in /etc/httpd/httpd.conf; if it does not, insert it, then restart Apache:

LoadModule cosign_module /usr/lib/httpd/modules/mod_cosign.so

Ensure that Apache restarts successfully before continuing.

If Apache refuses to load the cosign module, there may be an SELinux problem. The default configuration of a RHEL 5 install has SELinux enabled.

Note: Apache 1.x requires two directives for a module load. For example:

LoadModule cosign_module libexec/mod_cosign.so AddModule mod_cosign.c

Configure the CoSign module

The following directives make it possible for <Directory...> statements and .htaccess files to activate CoSign, but do not activate CoSign protection on their own.

CosignProtected off 
CosignHostname weblogin.pennkey.upenn.edu
CosignCheckIP never CosignService <application name>
CosignRedirect https://weblogin.pennkey.upenn.edu/login
CosignPostErrorRedirect https://weblogin.pennkey.upenn.edu/post_error.html
CosignFilterDB /var/cache/cosign/filter
CosignCrypto /etc/apache2/ssl/<application name>.key /etc/apache2/ssl/<application name>.crt /etc/apache2/cosign-ca/

NOTE: <application name> needs to be replaced with the name assigned by the self-provisioning system.

These CoSign directives need to be loaded before any other CoSign directives. Where to put these lines depends on your distribution and your configuration preferences.

Debian style

  • Disable the module (a2dismod cosign)

  • Put the above statements into the file: /etc/apache2/mods-available/cosign.conf

  • Enable the module (a2enmod cosign)

  • Restart Apache (/etc/init.d/apache2 restart)

This will cause these statements to be loaded when the module is loaded (before the site configurations).

An alternate place to put these configuration directives is in the main section of the /etc/apache2/sites-available/default-ssl file.

Non-Debian style

Add the above statements to the main section of the apache configuration file or the main section of the HTTPS virtual host configuration file.

Protect websites with CoSign

To protect a directory, put the following statements in a .htaccess file in that directory.

CosignProtected On
AuthType Cosign
Require valid-user
CosignRequireFactor  UPENN.EDU

To protect an individual file, put the following in a .htaccess file in the same directory or a higher-level directory.

<Files "file name.html"> 
  CosignProtected On
  AuthType Cosign
  Require valid-user
  CosignRequireFactor UPENN.EDU </Files>

Advanced Apache Configuration

Multiple CosignService Configuration

Protecting By Virtual Host Directive

Protecting By Directory/Location Directive

Using Cosign to Initialize an Application Session

Print This Page Share:
Date Posted: April 5, 2013 Tags: Technical Info, Configuration, Web, Security

Was this information helpful?

Login with PennKey to view and post comments