On Fri, 16 Dec 2011, Daniel Molina wrote:
Dear Farooq,
I think the problem is the driver assigned to serveradmin (x509); you
must change it to server_x509 [1]. Otherwise it will not use the
certificates specified in server_x509_auth.conf. The x509 driver should be
used by regular users and not by the "server" user.
So there are two users in this scenario:
1. The user that is trying to authenticate using Sunstone. This user
should have the driver x509 and his DN as password.
2. The user used by the Sunstone server (serveradmin) to interact with
OpenNebula. This user should have the driver server_x509 and his
server certificate DN as password.
Then the documentation of the oneuser command should be modified
to indicate that server_x509 is a legal option in the
oneuser chauth subcommand. It's not listed either in the command
usage or on the web page.
Also, what about the oneadmin user, user 0: should that be server_x509
too, or should that still be the x509 driver?
[root@fgitb317 one]# oneuser show 1
USER 1 INFORMATION
ID : 1
NAME : serveradmin
GROUP : 0
PASSWORD : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER : x509
ENABLED : Yes
USER TEMPLATE
[root@fgitb317 one]#
[root@fgitb317 one]# oneuser show 0
USER 0 INFORMATION
ID : 0
NAME : oneadmin
GROUP : 0
PASSWORD : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER : x509
ENABLED : Yes
USER TEMPLATE
[root@fgitb317 one]#
* chauth <userid> <auth> [<password>]
Changes the User's auth driver
valid options: read_file, sha1, ssh, x509, key, cert, driver
Also, you should check that the (unix) user running oned and
sunstone-server has permission to read the certificates specified in
server_x509_auth.conf.
BTW it would be nice to use the same thread for issues related to the
x509 configuration instead of opening new ones, so other users can
benefit from it.
Kind Regards
[1]
http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
------->8-------------------------
If you want to configure x509 authentication in sunstone these are the
main steps (beside the apache configuration):
Option A:
--------------
* Sunstone configuration
- auth: x509
- core_auth: cipher
The server will authenticate on behalf of other users using the
"serveradmin" user and symmetric encryption to generate the token that
contains the client username.
* Configuration: This is the default behavior and no configuration is needed.
- $VAR_LOCATION/.one/sunstone_auth should contain the credentials of
the serveradmin user that will be used to encrypt the token
- oneuser list should show a serveradmin user with server_cipher auth
driver defined.
Option B:
--------------
* Sunstone configuration
- auth: x509
- core_auth: x509
The server will authenticate on behalf of other users using the
"serveradmin" user and server certificates to generate the token that
contains the client username.
* Configuration:
http://www.opennebula.org/documentation:rel3.2:cloud_auth#x509_encryption
- change serveradmin driver to server_x509 instead of server_cipher
- edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
user and the server certificates to encrypt the token
In both cases the browser will interact with Apache and will
authenticate the user. The sunstone server will send this information
to OpenNebula using one of the previous options.
------------------8<-------------------
On 16 December 2011 00:13, Faarooq Lowe <[email protected]> wrote:
We are still having problems getting sunstone to work with x509
authentication.
Could someone please advise?
Here is what we have
sunstone-server.conf
# Server Configuration
:host: 127.0.0.1
:port: 9869
# Authentication driver for incomming requests
# sunstone, for OpenNebula's user-password scheme
# x509, for x509 certificates based authentication
#:auth: sunstone
:auth: x509
# Authentication driver to communicate with OpenNebula core
# cipher, for symmetric cipher encryption of tokens
# x509, for x509 certificate encryption of tokens
#:core_auth: server_cipher
:core_auth: x509
# Life-time in seconds for token renewal (that used to handle OpenNebula auths)
:token_expiration_delta: 1800
server_x509_auth.conf
# User to be used for x509 server authentication
:srv_user: serveradmin
# Path to the certificate used by the OpenNebula Services
# Certificates must be in PEM format
:one_cert: "/etc/grid-security/hostcert.pem"
:one_key: "/etc/grid-security/hostkey.pem"
serveradmin information
-bash-3.2$ oneuser show 1
USER 1 INFORMATION
ID : 1
NAME : serveradmin
GROUP : 0
PASSWORD : <DN with no spaces>
AUTH_DRIVER : x509
ENABLED : Yes
USER TEMPLATE
Logs
oned.log
Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key' for nil:NilClass
sunstone.log
131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384 0.0037
131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61 0.0802
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
--
------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525
[email protected] http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
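The two things Daniel asks Farooq to verify (that serveradmin uses the server_x509 driver, and that the certificate and key named in server_x509_auth.conf are readable) can be checked mechanically. The script below is an added example written for this thread, not OpenNebula's own tooling; it parses `oneuser show` output and a server_x509_auth.conf, and runs against a constructed sample record and a throwaway conf so it works offline. The sample DN, the temp paths and the helper names are all assumptions; on a real host you would pipe in the live `oneuser show 1` output and point it at /etc/one/auth/server_x509_auth.conf.

```shell
#!/bin/sh
# Added example (not OpenNebula code): check the serveradmin auth driver and
# the readability of the server certificate/key from server_x509_auth.conf.

# Print the AUTH_DRIVER field from `oneuser show` output read on stdin.
auth_driver_of() {
    awk -F':' '/^AUTH_DRIVER/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Succeed only if the record on stdin uses the server_x509 driver.
driver_is_server_x509() {
    [ "$(auth_driver_of)" = "server_x509" ]
}

# Extract the double-quoted value of a key such as :one_cert: from the conf.
conf_value() {  # $1 = key name without colons, $2 = conf file
    sed -n "s/^:$1:[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$2"
}

# True if the path exists and is readable by the user running this script.
readable() { [ -r "$1" ]; }

# Run both checks, print a report, and return 0 only if everything passed.
run_checks() {  # $1 = oneuser show output, $2 = conf file
    status=0
    if printf '%s\n' "$1" | driver_is_server_x509; then
        echo "ok   serveradmin uses the server_x509 driver"
    else
        echo "FAIL driver is '$(printf '%s\n' "$1" | auth_driver_of)', expected server_x509"
        status=1
    fi
    for key in one_cert one_key; do
        path=$(conf_value "$key" "$2")
        if readable "$path"; then
            echo "ok   :$key: $path is readable by $(id -un)"
        else
            echo "FAIL :$key: '$path' is missing or not readable by $(id -un)"
            status=1
        fi
    done
    return $status
}

# Constructed sample mirroring the record in the thread (assumed DN, not real).
SAMPLE_SHOW_WRONG='USER 1 INFORMATION
ID : 1
NAME : serveradmin
GROUP : 0
PASSWORD : /DC=org/DC=example/OU=Services/CN=cloud.example.invalid
AUTH_DRIVER : x509
ENABLED : Yes'

# Same record after `oneuser chauth 1 server_x509` would have been applied.
SAMPLE_SHOW_RIGHT=$(printf '%s\n' "$SAMPLE_SHOW_WRONG" \
    | sed 's/^AUTH_DRIVER : x509$/AUTH_DRIVER : server_x509/')

# Build a throwaway conf in a temp dir: the cert exists, the key deliberately
# does not, so the key check fails the way an unreadable file would.
make_sample_conf() {
    dir=$(mktemp -d)
    : > "$dir/hostcert.pem"
    cat > "$dir/server_x509_auth.conf" <<EOF
:srv_user: serveradmin
:one_cert: "$dir/hostcert.pem"
:one_key: "$dir/hostkey.pem"
EOF
    echo "$dir/server_x509_auth.conf"
}

CONF=$(make_sample_conf)
if run_checks "$SAMPLE_SHOW_WRONG" "$CONF"; then
    echo "all checks passed"
else
    echo "some checks failed"
fi
```

`-r` answers for the user invoking the script, so to test what oned and sunstone-server will actually see, run it as the unix account those daemons use (for example under `sudo -u oneadmin`) rather than as root, where every file looks readable.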