Hi Tim, I just wanted to acknowledge your kind responses, and let you know that my boss decided we should not use x.509 certificate authentication for this project. We are looking to set up a self-sustaining system, or when it is not self-sustaining, at least most of the work should fall on the client, and not on us. We are providing a, so far, free service for them. Maintaining certificates on the clients' machines was a step too far for him. I have pieced together some understanding of this subject, and if I get the time to wrap it up, I will volunteer to help improve the documentation and tell my story. There is very little on the web about this, and it seems the technique is very rarely used.
We are switching to IP authentication for DSpace, and now I am struggling with that! ;-)

Best regards,
Paul

Tim Donohue <[email protected]> wrote on Fri, 8 Sep 2017 at 16:57:

> Hi Paul,
>
> Again, I admit I've not really used this myself :)
>
> That said, Googling that error message ("FAILED SIGNATURE check java.security.SignatureException Signature does not match") brought up this StackOverflow answer which might be applicable:
> https://stackoverflow.com/a/38524172/3750035
>
> Hoping maybe that'll get you one step further. Admittedly, when encountered with oddities like this myself, I jump to googling the error, as oftentimes some clues can be found out there in StackOverflow and similar.
>
> Assuming you get this working, I'd also encourage you to consider helping us correct/enhance our official documentation around X.509 Certificate Authorization (I'll gladly give you edit rights if you are willing). I suspect this documentation is simply lacking / unclear, and enhancing it could help others who may follow in your footsteps.
>
> Good luck, and definitely feel free to keep posting your status & other errors you come across (and we'll do our best to help find/suggest solutions). At the very least, it will be helpful for others in the future (when searching these lists).
>
> Tim
>
> On Fri, Sep 8, 2017 at 1:19 AM Paul Warner <[email protected]> wrote:
>
>> Hi Tim,
>>
>> Thanks for the help! I made two mistakes, and fixed them, following your suggestions, but I am unfortunately still not connecting from Apache to Dspace, although it is now clear the certificate information is being passed through.
>>
>> First, I was using an outdated format for the listing of the two kinds of authentication in authentication.cfg, and your pointer to the 6 version was helpful there. I had them on the same line, with a comma. Now they are loading sequentially, with the certificate auth loading first. I also was not looking at the right log file, duh. Now I can see some error messages, and can tell that Dspace is grappling with the client certificate, although still failing to validate it. I tried all variations of the instructions for configuring the authentication-x509.cfg file, but in the end I am getting:
>>
>> 2017-09-08 08:02:34,351 INFO org.dspace.authenticate.X509Authentication @ anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authentication:X.509 Certificate FAILED SIGNATURE check: java.security.SignatureException: Signature does not match.
>> 2017-09-08 08:02:34,351 WARN org.dspace.authenticate.X509Authentication @ anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authenticate:type=x509certificate, status=BAD_CREDENTIALS (not valid)
>>
>> I installed the client.p12 file in the browser, and the client.pem file in Dspace, using the keystore with the correct password. I produced my files using these wonderful instructions:
>>
>> https://gist.github.com/mtigas/952344
>>
>> Sorry, still mystified.
>>
>> Best regards,
>> Paul
>>
>> On Thu, Sep 7, 2017 at 6:55 PM, Tim Donohue <[email protected]> wrote:
>>
>>> Hi Paul,
>>>
>>> I'll admit, I've never used the X.509 cert auth myself, but I notice there are some more notes in the X.509 docs at:
>>> https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
>>>
>>> Namely, I see that it states:
>>> "If you are using HTTPS with Tomcat, note that the <Connector> tag *must* include the attribute clientAuth="true" so the server requests a personal Web certificate from the client."
>>>
>>> Not sure if that's the problem here, but you might want to carefully review the instructions here again. If you are still hitting issues, you also should check your logs to see if there's any errors being logged there, see https://wiki.duraspace.org/display/DSPACE/Troubleshoot+an+error
>>>
>>> - Tim
>>>
>>> On Thu, Sep 7, 2017 at 7:25 AM Paul Warner <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have configured Apache with ssl using a self-signed certificate, and then generated a client certificate from the server certificate. With SSLVerifyClient set to 'require', I can get to Dspace only from a browser with the client certificate installed. So it works!
>>>>
>>>> But getting Dspace to recognize the certificate is my problem. When I try to login with the certificate, at https://myserver/jspui/certificate-login, I get the message: 'You do not seem to have a valid Web certificate.' I am running Apache 2.4.18, Apache Tomcat/8.5.15, and Dspace 6.1 on Ubuntu 16.04.
>>>>
>>>> In my apache conf, I have SSLOptions StdEnvVars ExportCertData.
>>>>
>>>> I loaded my client.crt certificate into the tomcat keystore, following the directions in https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace:
>>>>
>>>> Optional – ONLY if you need to accept client certificates for the X.509 certificate stackable authentication module. See the configuration section for instructions on enabling the X.509 authentication method. Load the keystore with the CA (certifying authority) certificates for the authorities of any clients whose certificates you wish to accept. For example, assuming the client CA certificate is in *client1.pem*:
>>>>
>>>> $JAVA_HOME/bin/keytool -import -noprompt -storepass changeit -trustcacerts -keystore $CATALINA_BASE/conf/keystore -alias client1 -file client1.pem
>>>>
>>>> I have set authentication.cfg so it includes X509 authentication:
>>>>
>>>> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication,org.dspace.authenticate.X509Authentication
>>>>
>>>> I have set authentication-x509.cfg to include the keystore and password:
>>>>
>>>> authentication-x509.keystore.path = /opt/tomcat/conf/keystore
>>>> authentication-x509.keystore.password = changeit
>>>>
>>>> What am I missing?
>>>>
>>>> Thanks,
>>>> Paul
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at https://groups.google.com/group/dspace-tech.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>> --
>>>
>>> Tim Donohue
>>> Technical Lead for DSpace & DSpaceDirect
>>> DuraSpace.org | DSpace.org | DSpaceDirect.org
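The installation docs quoted in this thread say the Tomcat keystore must hold the CA certificate of the authority that signed the client certificates, while the log line shows DSpace's signature check against the keystore contents failing. The script below is an added example, not DSpace's code and not part of this thread: it builds a throwaway CA and a client certificate signed by it (constructed sample material, generated on the fly), then asks with openssl the question a trust store has to answer, namely whether the presented certificate's signature chains to the certificate held as trust anchor. Verifying with the CA certificate as the anchor succeeds; verifying with the client certificate itself as the anchor fails, which is the keystore mix-up worth ruling out before looking anywhere else. That openssl's chain check and DSpace's keystore check answer the same question is an assumption of this example.

```shell
#!/bin/sh
# Added example (not DSpace's own code). Reproduces offline the trust-anchor
# check behind a failed client-certificate signature validation.
# Assumption: the server-side check is "does the presented certificate chain
# to a certificate in the trust store", which is what openssl verify does.
# Every key and certificate below is a constructed throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a client certificate issued by that CA.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=client@example.org" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -sha256 -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.pem" 2>/dev/null
}

# check_chain ANCHOR LEAF: returns 0 when LEAF's signature chains to ANCHOR,
# 1 otherwise. ANCHOR plays the role of the certificate loaded into the
# keystore with keytool -import.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Keystore holds the CA certificate (what the docs ask for).
right_anchor() { check_chain "$WORK/ca.pem" "$WORK/client.pem"; }

# Keystore holds the client certificate itself instead of its CA:
# the leaf is not self-signed, so nothing in the store vouches for it.
wrong_anchor() { check_chain "$WORK/client.pem" "$WORK/client.pem"; }

make_pki

if right_anchor; then
  echo "CA certificate as trust anchor: client certificate verifies"
fi
if ! wrong_anchor; then
  echo "client certificate as trust anchor: verification fails"
fi
```

Once the openssl check passes against a given CA file, that same file is what the keytool command quoted in the thread should import, and `keytool -list -keystore $CATALINA_BASE/conf/keystore -storepass changeit` shows which certificates the keystore actually contains so the two can be compared.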
