Hi Paul,
Again, I admit I've not really used this myself :)
That said, Googling that error message ("FAILED SIGNATURE check
java.security.SignatureException Signature does not match") brought up
this StackOverflow answer which might be applicable:
https://stackoverflow.com/a/38524172/3750035
Hoping maybe that'll get you one step further. Admittedly, when I
encounter oddities like this myself, I jump to googling the error, as
oftentimes some clues can be found out there in StackOverflow and similar.
Assuming you get this working, I'd also encourage you to consider helping
us correct/enhance our official documentation around X.509 Certificate
Authorization (I'll gladly give you edit rights if you are willing). I
suspect this documentation is simply lacking / unclear, and enhancing it
could help others who may follow in your footsteps.
Good luck, and definitely feel free to keep posting your status & other
errors you come across (and we'll do our best to help find/suggest
solutions). At the very least, it will be helpful for others in the future
(when searching these lists).
Tim
On Fri, Sep 8, 2017 at 1:19 AM Paul Warner <[email protected]> wrote:
> Hi Tim,
>
> Thanks for the help! I made two mistakes, and fixed them, following your
> suggestions, but I am unfortunately still not connecting from Apache to
> Dspace, although it is now clear the certificate information is being
> passed through.
>
> First, I was using an outdated format for the listing of the two kinds of
> authentication in authentication.cfg, and your pointer to the 6 version was
> helpful there. I had them on the same line, with a comma. Now they are
> loading sequentially, with the certificate auth loading first. I also was
> not looking at the right log file, duh. Now I can see some error messages,
> and can tell that Dspace is grappling with the client certificate, although
> still failing to validate it. I tried all variations of the instructions
> for configuring the authentication-x509.cfg file, but in the end I am
> getting:
>
> 2017-09-08 08:02:34,351 INFO org.dspace.authenticate.X509Authentication @
> anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authentication:X.509
> Certificate FAILED SIGNATURE check: java.security.SignatureException: Signature does not match.
> 2017-09-08 08:02:34,351 WARN org.dspace.authenticate.X509Authentication @
> anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authenticate:type=x509certificate,
> status=BAD_CREDENTIALS (not valid)
>
> I installed the client.p12 file in the browser, and the client.pem file in
> Dspace, using the keystore with the correct password. I produced my files
> using these wonderful instructions:
>
> https://gist.github.com/mtigas/952344
>
> Sorry, still mystified.
>
> Best regards,
> Paul
>
> On Thu, Sep 7, 2017 at 6:55 PM, Tim Donohue <[email protected]>
> wrote:
>
>> Hi Paul,
>>
>> I'll admit, I've never used the X.509 cert auth myself, but I notice
>> there are some more notes in the X.509 docs at:
>>
>> https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
>>
>> Namely, I see that it states:
>> "If you are using HTTPS with Tomcat, note that the <Connector> tag *must*
>> include
>> the attribute clientAuth="true" so the server requests a personal Web
>> certificate from the client."
>>
>> Not sure if that's the problem here, but you might want to carefully
>> review the instructions here again. If you are still hitting issues, you
>> also should check your logs to see if there are any errors being logged
>> there; see
>> https://wiki.duraspace.org/display/DSPACE/Troubleshoot+an+error
>>
>> - Tim
>>
>> On Thu, Sep 7, 2017 at 7:25 AM Paul Warner <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have configured Apache with SSL using a self-signed certificate, and
>>> then generated a client certificate from the server certificate. With
>>> SSLVerifyClient set to 'require', I can get to Dspace only from a browser
>>> with the client certificate installed. So it works!
>>>
>>> But getting Dspace to recognize the certificate is my problem. When I
>>> try to login with the certificate, at
>>> https://myserver/jspui/certificate-login, I get the message: 'You do
>>> not seem to have a valid Web certificate.' I am running
>>> Apache 2.4.18, Apache Tomcat/8.5.15, and Dspace 6.1 on Ubuntu 16.04.
>>>
>>> In my apache conf, I have SSLOptions StdEnvVars ExportCertData.
>>>
>>> I loaded my client.crt certificate into the tomcat keystore, following
>>> the directions in
>>> https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace:
>>>
>>> Optional – ONLY if you need to accept client certificates for the X.509
>>> certificate stackable authentication module. See the configuration section
>>> for instructions on enabling the X.509 authentication method. Load the
>>> keystore with the CA (certifying authority) certificates for the
>>> authorities of any clients whose certificates you wish to accept. For
>>> example, assuming the client CA certificate is in client1.pem:
>>>
>>>
>>> $JAVA_HOME/bin/keytool -import -noprompt -storepass changeit
>>> -trustcacerts -keystore $CATALINA_BASE/conf/keystore -alias client1
>>> -file client1.pem
>>>
>>> I have set authentication.cfg so it includes X509 authentication:
>>>
>>> plugin.sequence.org.dspace.authenticate.AuthenticationMethod =
>>> org.dspace.authenticate.PasswordAuthentication,org.dspace.authenticate.X509Authentication
>>>
>>> I have set authentication-x509.cfg to include the keystore and password:
>>>
>>> authentication-x509.keystore.path = /opt/tomcat/conf/keystore
>>> authentication-x509.keystore.password = changeit
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> Paul
>>>
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "DSpace Technical Support" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/dspace-tech.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>> --
>>
>> Tim Donohue
>> Technical Lead for DSpace & DSpaceDirect
>> DuraSpace.org | DSpace.org | DSpaceDirect.org
>>
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
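The log line quoted above ("X.509 Certificate FAILED SIGNATURE check: java.security.SignatureException: Signature does not match") is DSpace reporting that the client certificate the browser presented does not verify under any of the CA certificates it loaded from the keystore named in authentication-x509.cfg. The script below is an added example, not code from this thread or from DSpace, that reproduces that check with openssl so the three cases can be compared side by side: the client certificate checked against the CA that actually signed it, the client certificate checked against itself (what happens if client.crt rather than the CA certificate is imported into the keystore), and the client certificate checked against an unrelated self-signed server certificate. All names (Example Client CA, paul, myserver, the file names under the temp directory) are constructed for the example; openssl is the only dependency.

```shell
#!/bin/sh
# Added example (not from the thread or from DSpace): mirror the signature
# check behind DSpace's "FAILED SIGNATURE check" log line with openssl.
# DSpace verifies the presented client certificate against each CA
# certificate in the configured keystore; a client certificate that was
# not signed by one of those CA keys cannot pass. Everything here is
# generated into a scratch directory and removed on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA (self-signed). This is the certificate that belongs in
#    the Tomcat keystore via keytool -import, as the docs excerpt describes.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Client CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A client certificate signed by that CA. Constructed subject; the
#    emailAddress attribute is the kind of field DSpace maps to an EPerson.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=paul/emailAddress=paul@example.org" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 365 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -in "$WORK/client.csr" -out "$WORK/client.pem" 2>/dev/null

# 3. An unrelated self-signed server certificate, used as a wrong trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=myserver" \
  -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null

# verify_client_cert ANCHOR CERT
# Returns 0 when CERT chains to ANCHOR, 1 otherwise. openssl's
# "unable to get local issuer certificate" on the failing cases is the
# same condition DSpace surfaces as "Signature does not match".
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The CA that signed the client certificate: verification succeeds.
check_good() {
  verify_client_cert "$WORK/ca.pem" "$WORK/client.pem"
}

# The client certificate imported as if it were the CA: verification fails,
# because client.pem is not signed by its own key.
check_self() {
  ! verify_client_cert "$WORK/client.pem" "$WORK/client.pem"
}

# An unrelated self-signed server certificate as the anchor: verification
# fails, because that key never signed client.pem.
check_wrong() {
  ! verify_client_cert "$WORK/server.pem" "$WORK/client.pem"
}

# Stand-alone run: report each case.
for c in check_good check_self check_wrong; do
  if $c; then echo "$c: as expected"; else echo "$c: UNEXPECTED"; fi
done
```

The practical takeaway for the keystore step quoted from the docs is that the file passed to keytool -file must be the certificate of the authority that signed the client certificate (ca.pem in this example), which is not the same thing as the client certificate or the key installed in the browser's .p12. Once the right anchor is in the keystore, "openssl verify -CAfile <ca> <client cert>" on the same files is a quick way to confirm the chain before restarting Tomcat.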