Re: [one-users] Sunstone and x509 Authentication
Dear Farooq,

I think the problem is the driver assigned to serveradmin (x509), you must change it to server_x509 [1]. Otherwise it will not use the certificates specified in server_x509_auth.conf. The x509 driver should be used by regular users and not by the server user.

So there are two users in this scenario:

1. The user that is trying to authenticate using Sunstone. This user should have the driver x509 and his DN as password.

2. The user used by the Sunstone server (serveradmin) to interact with OpenNebula. This user should have the driver server_x509 and his server certificate DN as password.

Also, you should check that the (unix) user running oned and sunstone-server has permission to read the certificates specified in server_x509_auth.conf.

BTW it would be nice to use the same thread for issues related to the x509 configuration instead of opening new ones, so other users can benefit from it.

Kind Regards

[1] http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html

---8<---
If you want to configure x509 authentication in sunstone these are the main steps (beside the apache configuration):

Option A:
--
* Sunstone configuration
  - auth: x509
  - core_auth: cipher

The server will authenticate on behalf of other user using the serveradmin user and symmetric encryption to generate the token that contains the client username.

* Configuration:
This is the default behavior and no configuration is needed.
  - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of the serveradmin user that will be used to encrypt the token
  - oneuser list should show a serveradmin user with server_cipher auth driver defined.

Option B:
--
* Sunstone configuration
  - auth: x509
  - core_auth: x509

The server will authenticate on behalf of other user using the serveradmin user and server certificates to generate the token that contains the client username.

* Configuration: http://www.opennebula.org/documentation:rel3.2:cloud_auth?#x509_encryption
  - change serveradmin driver to server_x509 instead of server_cipher
  - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin user and the server certificates to encrypt the token

In both cases the browser will interact with Apache and will authenticate the user. The sunstone server will send this information to OpenNebula using one of the previous options.
---8<---

On 16 December 2011 00:13, Faarooq Lowe <l...@fnal.gov> wrote:
> We are still having problems getting sunstone to work with x509 authentication. Could someone please advise?
>
> Here is what we have
>
> sunstone-server.conf
>
> # Server Configuration
> :host: 127.0.0.1
> :port: 9869
>
> # Authentication driver for incomming requests
> #   sunstone, for OpenNebula's user-password scheme
> #   x509, for x509 certificates based authentication
> #:auth: sunstone
> :auth: x509
>
> # Authentication driver to communicate with OpenNebula core
> #   cipher, for symmetric cipher encryption of tokens
> #   x509, for x509 certificate encryption of tokens
> #:core_auth: server_cipher
> :core_auth: x509
>
> # Life-time in seconds for token renewal (that used to handle OpenNebula auths)
> :token_expiration_delta: 1800
>
> server_x509_auth.conf
>
> # User to be used for x509 server authentication
> :srv_user: serveradmin
>
> # Path to the certificate used by the OpenNebula Services
> # Certificates must be in PEM format
> :one_cert: /etc/grid-security/hostcert.pem
> :one_key: /etc/grid-security/hostkey.pem
>
> serveradmin information
>
> -bash-3.2$ oneuser show 1
> USER 1 INFORMATION
> ID          : 1
> NAME        : serveradmin
> GROUP       : 0
> PASSWORD    : DN with no spaces
> AUTH_DRIVER : x509
> ENABLED     : Yes
>
> USER TEMPLATE
>
> Logs
>
> oned.log
> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key' for nil:NilClass
>
> sunstone.log
> 131.225.168.168 - - [15/Dec/2011 17:03:26] GET / HTTP/1.1 200 1384 0.0037
> 131.225.168.168 - - [15/Dec/2011 17:04:28] POST /login HTTP/1.1 500 61 0.0802

--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula

___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
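Added example, not code from the thread or from OpenNebula: a POSIX sh checklist for the Option B settings Daniel lists above (core_auth x509 in sunstone-server.conf, serveradmin on the server_x509 driver, server_x509 in the oned.conf --authn list, and PEM files readable by the unix user running the check). The input paths and the fixture contents are constructed to mirror the configuration posted in the thread; the run_fixture helper is only there so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenNebula: checks the Option B
# settings discussed above. Inputs (assumed paths, pass your own):
#   $1 sunstone-server.conf   $2 server_x509_auth.conf
#   $3 oned.conf              $4 saved output of `oneuser show serveradmin`

# Value of a ":key: value" line in a Sunstone-style conf; "#:key:" comments do not match.
conf_value() {
    awk -v k=":$2:" '$1 == k { print $2; exit }' "$1"
}

# AUTH_DRIVER from `oneuser show` output, accepting "AUTH_DRIVER : x" and "AUTH_DRIVER: x".
user_driver() {
    awk -F: '/^AUTH_DRIVER[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# True when the AUTH_MAD "--authn a,b,c" list in oned.conf contains driver $2.
oned_authn_has() {
    sed -n 's/.*--authn[[:space:]]*\([^" ]*\).*/\1/p' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Print one line per mismatch; exit status is the number of mismatches found.
check_sunstone_x509() {
    problems=0
    core=$(conf_value "$1" core_auth)
    [ "$core" = x509 ] || { echo "sunstone-server.conf: core_auth is '$core', expected x509"; problems=$((problems + 1)); }
    drv=$(user_driver "$4")
    [ "$drv" = server_x509 ] || { echo "serveradmin: AUTH_DRIVER is '$drv', must be server_x509"; problems=$((problems + 1)); }
    oned_authn_has "$3" server_x509 || { echo "oned.conf: AUTH_MAD --authn list lacks server_x509"; problems=$((problems + 1)); }
    # The unix user running oned and sunstone-server must be able to read both PEM files.
    for key in one_cert one_key; do
        path=$(conf_value "$2" "$key")
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "server_x509_auth.conf: $key '$path' is not readable by $(id -un)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed fixtures mirroring the thread: "broken" is the posted state
# (serveradmin still on the x509 driver, plus a missing key file), "fixed" is Option B.
make_fixtures() {   # $1 = directory, $2 = broken|fixed
    mkdir -p "$1"
    printf ':host: 127.0.0.1\n#:core_auth: server_cipher\n:core_auth: x509\n' > "$1/sunstone-server.conf"
    printf ':srv_user: serveradmin\n:one_cert: %s/hostcert.pem\n:one_key: %s/hostkey.pem\n' "$1" "$1" > "$1/server_x509_auth.conf"
    printf 'AUTH_MAD = [\n    executable = "one_auth_mad",\n    arguments = "--authn x509,server_x509"\n]\n' > "$1/oned.conf"
    echo "constructed placeholder, not a real certificate" > "$1/hostcert.pem"
    drv=x509
    if [ "$2" = fixed ]; then
        echo "constructed placeholder, not a real key" > "$1/hostkey.pem"
        drv=server_x509
    fi
    printf 'USER 1 INFORMATION\nID          : 1\nNAME        : serveradmin\nAUTH_DRIVER : %s\nENABLED     : Yes\n' "$drv" > "$1/oneuser.txt"
}

# Build a fixture in a temp dir and run the check against it; returns the mismatch count.
run_fixture() {   # $1 = broken|fixed
    d=$(mktemp -d)
    make_fixtures "$d" "$1"
    if check_sunstone_x509 "$d/sunstone-server.conf" "$d/server_x509_auth.conf" "$d/oned.conf" "$d/oneuser.txt"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$d"
    return $rc
}

run_fixture broken || echo "broken fixture: $? mismatch(es)"   # 2 mismatches
run_fixture fixed && echo "fixed fixture: no mismatches"
```

On a live host, run check_sunstone_x509 as the oned/sunstone unix user with the real file paths and `oneuser show serveradmin > /tmp/serveradmin.txt` as the fourth argument.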
Re: [one-users] Sunstone and x509 Authentication
On Fri, 16 Dec 2011, Daniel Molina wrote:

> Dear Farooq,
>
> I think the problem is the driver assigned to serveradmin (x509), you must change it to server_x509 [1]. Otherwise it will not use the certificates specified in server_x509_auth.conf. The x509 driver should be used by regular users and not by the server user.
>
> So there are two users in this scenario:
>
> 1. The user that is trying to authenticate using Sunstone. This user should have the driver x509 and his DN as password.
>
> 2. The user used by the Sunstone server (serveradmin) to interact with OpenNebula. This user should have the driver server_x509 and his server certificate DN as password.

Then the documentation of the oneuser command should be modified to indicate that server_x509 is a legal option in the oneuser chauth subcommand. It's not listed either in the command usage or on the web page.

Also, what about the oneadmin user, user 0.. should that be server_x509 too or should that still be x509 driver?

[root@fgitb317 one]# oneuser show 1
USER 1 INFORMATION
ID          : 1
NAME        : serveradmin
GROUP       : 0
PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER : x509
ENABLED     : Yes

USER TEMPLATE
[root@fgitb317 one]#
[root@fgitb317 one]# oneuser show 0
USER 0 INFORMATION
ID          : 0
NAME        : oneadmin
GROUP       : 0
PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER : x509
ENABLED     : Yes

USER TEMPLATE
[root@fgitb317 one]#

* chauth userid auth [password]
        Changes the User's auth driver
        valid options: read_file, sha1, ssh, x509, key, cert, driver

> Also, you should check that the (unix) user running oned and sunstone-server has permission to read the certificates specified in server_x509_auth.conf.
>
> BTW it would be nice to use the same thread for issues related to the x509 configuration instead of opening new ones, so other users can benefit from it.
Re: [one-users] Sunstone and x509 Authentication
On 16 December 2011 16:08, Steven Timm <t...@fnal.gov> wrote:
> On Fri, 16 Dec 2011, Daniel Molina wrote:
>
>> Dear Farooq,
>>
>> I think the problem is the driver assigned to serveradmin (x509), you must change it to server_x509 [1]. Otherwise it will not use the certificates specified in server_x509_auth.conf. The x509 driver should be used by regular users and not by the server user.
>>
>> So there are two users in this scenario:
>>
>> 1. The user that is trying to authenticate using Sunstone. This user should have the driver x509 and his DN as password.
>>
>> 2. The user used by the Sunstone server (serveradmin) to interact with OpenNebula. This user should have the driver server_x509 and his server certificate DN as password.
>
> Then the documentation of the oneuser command should be modified to indicate that server_x509 is a legal option in the oneuser chauth subcommand. It's not listed either in the command usage or on the web page.

The legal values for the auth driver are defined in the oned.conf. But yes, maybe we should add this information to the oneuser help.

    arguments = --authn ssh,x509,ldap,server_cipher,server_x509

> Also, what about the oneadmin user, user 0.. should that be server_x509 too or should that still be x509 driver?

If you want to use oneadmin through sunstone you have to set x509 driver for him (as a regular user), so he can login through sunstone and the cli. The server_x509 should be only used by the serveradmin user.
> [root@fgitb317 one]# oneuser show 1
> USER 1 INFORMATION
> ID          : 1
> NAME        : serveradmin
> GROUP       : 0
> PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
> AUTH_DRIVER : x509

It must be server_x509

> ENABLED     : Yes
>
> USER TEMPLATE
> [root@fgitb317 one]#
> [root@fgitb317 one]# oneuser show 0
> USER 0 INFORMATION
> ID          : 0
> NAME        : oneadmin
> GROUP       : 0
> PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
> AUTH_DRIVER : x509
> ENABLED     : Yes
>
> USER TEMPLATE
> [root@fgitb317 one]#
>
> * chauth userid auth [password]
>         Changes the User's auth driver
>         valid options: read_file, sha1, ssh, x509, key, cert, driver
>
>> Also, you should check that the (unix) user running oned and sunstone-server has permission to read the certificates specified in server_x509_auth.conf.
>>
>> BTW it would be nice to use the same thread for issues related to the x509 configuration instead of opening new ones, so other users can benefit from it.
>>
>> Kind Regards
>>
>> [1] http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>>
>> ---8<---
>> If you want to configure x509 authentication in sunstone these are the main steps (beside the apache configuration):
>>
>> Option A:
>> --
>> * Sunstone configuration
>>   - auth: x509
>>   - core_auth: cipher
>>
>> The server will authenticate on behalf of other user using the serveradmin user and symmetric encryption to generate the token that contains the client username.
>>
>> * Configuration:
>> This is the default behavior and no configuration is needed.
>>   - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of the serveradmin user that will be used to encrypt the token
>>   - oneuser list should show a serveradmin user with server_cipher auth driver defined.
>>
>> Option B:
>> --
>> * Sunstone configuration
>>   - auth: x509
>>   - core_auth: x509
>>
>> The server will authenticate on behalf of other user using the serveradmin user and server certificates to generate the token that contains the client username.
Re: [one-users] Sunstone and x509 Authentication
On Fri, 16 Dec 2011, Daniel Molina wrote:

> On 16 December 2011 16:08, Steven Timm <t...@fnal.gov> wrote:
>> On Fri, 16 Dec 2011, Daniel Molina wrote:
>>
>>> Dear Farooq,
>>>
>>> I think the problem is the driver assigned to serveradmin (x509), you must change it to server_x509 [1]. Otherwise it will not use the certificates specified in server_x509_auth.conf. The x509 driver should be used by regular users and not by the server user.
>>>
>>> So there are two users in this scenario:
>>>
>>> 1. The user that is trying to authenticate using Sunstone. This user should have the driver x509 and his DN as password.
>>>
>>> 2. The user used by the Sunstone server (serveradmin) to interact with OpenNebula. This user should have the driver server_x509 and his server certificate DN as password.
>>
>> Then the documentation of the oneuser command should be modified to indicate that server_x509 is a legal option in the oneuser chauth subcommand. It's not listed either in the command usage or on the web page.
>
> The legal values for the auth driver are defined in the oned.conf. But yes, maybe we should add this information to the oneuser help.
>
>     arguments = --authn ssh,x509,ldap,server_cipher,server_x509

In our oned.conf we currently have

AUTH_MAD = [
    executable = one_auth_mad,
    arguments = --authn x509,server_x509
]

There is at least one web page that says it should still be x509,server
Which is right?

Steve Timm

>> Also, what about the oneadmin user, user 0.. should that be server_x509 too or should that still be x509 driver?
>
> If you want to use oneadmin through sunstone you have to set x509 driver for him (as a regular user), so he can login through sunstone and the cli. The server_x509 should be only used by the serveradmin user.
Re: [one-users] Sunstone and x509 Authentication
On 16 December 2011 17:55, Steven Timm <t...@fnal.gov> wrote:
> On Fri, 16 Dec 2011, Daniel Molina wrote:
>
>> On 16 December 2011 16:08, Steven Timm <t...@fnal.gov> wrote:
>>> On Fri, 16 Dec 2011, Daniel Molina wrote:
>>>
>>>> Dear Farooq,
>>>>
>>>> I think the problem is the driver assigned to serveradmin (x509), you must change it to server_x509 [1]. Otherwise it will not use the certificates specified in server_x509_auth.conf. The x509 driver should be used by regular users and not by the server user.
>>>>
>>>> So there are two users in this scenario:
>>>>
>>>> 1. The user that is trying to authenticate using Sunstone. This user should have the driver x509 and his DN as password.
>>>>
>>>> 2. The user used by the Sunstone server (serveradmin) to interact with OpenNebula. This user should have the driver server_x509 and his server certificate DN as password.
>>>
>>> Then the documentation of the oneuser command should be modified to indicate that server_x509 is a legal option in the oneuser chauth subcommand. It's not listed either in the command usage or on the web page.
>>
>> The legal values for the auth driver are defined in the oned.conf. But yes, maybe we should add this information to the oneuser help.
>>
>>     arguments = --authn ssh,x509,ldap,server_cipher,server_x509
>
> In our oned.conf we currently have
>
> AUTH_MAD = [
>     executable = one_auth_mad,
>     arguments = --authn x509,server_x509
> ]
>
> There is at least one web page that says it should still be x509,server
> Which is right?

These values correspond with the following directories:
http://dev.opennebula.org/projects/opennebula/repository/revisions/master/show/src/authm_mad/remotes

So --authn x509,server_x509 is the right one. Could you point me to the URL which is wrong to fix it?

Kind regards.

> Steve Timm
>
>>> Also, what about the oneadmin user, user 0.. should that be server_x509 too or should that still be x509 driver?
>>
>> If you want to use oneadmin through sunstone you have to set x509 driver for him (as a regular user), so he can login through sunstone and the cli.
[one-users] Sunstone and x509 Authentication
We are still having problems getting sunstone to work with x509 authentication. Could someone please advise?

Here is what we have

sunstone-server.conf

# Server Configuration
:host: 127.0.0.1
:port: 9869

# Authentication driver for incomming requests
#   sunstone, for OpenNebula's user-password scheme
#   x509, for x509 certificates based authentication
#:auth: sunstone
:auth: x509

# Authentication driver to communicate with OpenNebula core
#   cipher, for symmetric cipher encryption of tokens
#   x509, for x509 certificate encryption of tokens
#:core_auth: server_cipher
:core_auth: x509

# Life-time in seconds for token renewal (that used to handle OpenNebula auths)
:token_expiration_delta: 1800

server_x509_auth.conf

# User to be used for x509 server authentication
:srv_user: serveradmin

# Path to the certificate used by the OpenNebula Services
# Certificates must be in PEM format
:one_cert: /etc/grid-security/hostcert.pem
:one_key: /etc/grid-security/hostkey.pem

serveradmin information

-bash-3.2$ oneuser show 1
USER 1 INFORMATION
ID          : 1
NAME        : serveradmin
GROUP       : 0
PASSWORD    : DN with no spaces
AUTH_DRIVER : x509
ENABLED     : Yes

USER TEMPLATE

Logs

oned.log
Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key' for nil:NilClass

sunstone.log
131.225.168.168 - - [15/Dec/2011 17:03:26] GET / HTTP/1.1 200 1384 0.0037
131.225.168.168 - - [15/Dec/2011 17:04:28] POST /login HTTP/1.1 500 61 0.0802

___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org