passing ssl client certificate from Apache to Dspace


Paul Warner

Sep 7, 2017, 8:25:51 AM
to DSpace Technical Support
Hi,

I have configured Apache with ssl using a self-signed certificate, and then generated a client certificate from the server certificate.  With SSLVerifyClient set to 'require', I can get to Dspace only from a browser with the client certificate installed.  So it works!

But getting Dspace to recognize the certificate is my problem. When I try to login with the certificate, at https://myserver/jspui/certificate-login, I get the message: 'You do not seem to have a valid Web certificate.'   I am running Apache 2.4.18, Apache Tomcat/8.5.15, and Dspace 6.1 on Ubuntu 16.04.

In my apache conf, I have SSLOptions StdEnvVars ExportCertData.

I loaded my client.crt certificate into the tomcat keystore, following the directions in https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace:

Optional – ONLY if you need to accept client certificates for the X.509 certificate stackable authentication module See the configuration section for instructions on enabling the X.509 authentication method. Load the keystore with the CA (certifying authority) certificates for the authorities of any clients whose certificates you wish to accept. For example, assuming the client CA certificate is in client1.pem:


$JAVA_HOME/bin/keytool -import -noprompt -storepass changeit \
    -trustcacerts -keystore $CATALINA_BASE/conf/keystore -alias client1 \
    -file client1.pem

I have set authentication.cfg so it includes X509 authentication:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication,org.dspace.authenticate.X509Authentication

I have set authentication-x509.cfg to include the keystore and password:

authentication-x509.keystore.path = /opt/tomcat/conf/keystore
authentication-x509.keystore.password = changeit

What am I missing?

Thanks,
Paul



Tim Donohue

Sep 7, 2017, 12:56:02 PM
to Paul Warner, DSpace Technical Support
Hi Paul,

I'll admit, I've never used the X.509 cert auth myself, but I notice there are some more notes in the X.509 docs at:
https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication

Namely, I see that it states:
"If you are using HTTPS with Tomcat, note that the <Connector> tag must include the attribute clientAuth="true" so the server requests a personal Web certificate from the client."

Not sure if that's the problem here, but you might want to carefully review the instructions here again. If you are still hitting issues, you also should check your logs to see if there's any errors being logged there, see https://wiki.duraspace.org/display/DSPACE/Troubleshoot+an+error 

- Tim

--
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To post to this group, send email to dspac...@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

Paul Warner

Sep 8, 2017, 2:19:33 AM
to Tim Donohue, DSpace Technical Support
Hi Tim,

Thanks for the help!  I made two mistakes, and fixed them, following your suggestions, but I am unfortunately still not connecting from Apache to Dspace, although it is now clear the certificate information is being passed through.

First, I was using an outdated format for the listing of the two kinds of authentication in authentication.cfg, and your pointer to the 6 version was helpful there.  I had them on the same line, with a comma.  Now they are loading sequentially, with the certificate auth loading first.  I also was not looking at the right log file, duh.  Now I can see some error messages, and can tell that Dspace is grappling with the client certificate, although still failing to validate it.  I tried all variations of the instructions for configuring the authentication-x509.cfg file, but in the end I am getting:

2017-09-08 08:02:34,351 INFO  org.dspace.authenticate.X509Authentication @ anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authentication:X.509 Certificate FAILED SIGNATURE check: java.security.SignatureException: Signature does not match.
2017-09-08 08:02:34,351 WARN  org.dspace.authenticate.X509Authentication @ anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authenticate:type=x509certificate, status=BAD_CREDENTIALS (not valid)

I installed the client.p12 file in the browser, and the client.pem file in Dspace, using the keystore with the correct password.  I produced my files using these wonderful instructions:

https://gist.github.com/mtigas/952344

Sorry, still mystified.

Best regards,
Paul
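The "FAILED SIGNATURE check" line above is what a certificate-signature verification looks like when the public key used for it does not belong to the certificate's issuer. The block below is an added example, not code from the thread or from DSpace: it uses the `cryptography` library to build a constructed self-signed CA and a client certificate issued by it, then runs the same kind of check, showing it succeeds against the CA certificate and fails against any other certificate (for instance the client certificate itself, if that is what was imported into the keystore instead of the CA certificate the installation docs ask for).

```python
"""Mirror the check a server-side X.509 login does: the presented client
certificate's signature must verify under a trusted certificate's public key."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(subject_cn, issuer_cn, public_key, signing_key):
    """Constructed test certificate (a deployment would use openssl/keytool)."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))


def signature_matches(client_cert, trusted_cert):
    """True if client_cert's signature verifies under trusted_cert's public key.
    A False here is the condition behind a "Signature does not match" error:
    the keystore entry being tried is not the certificate that issued the
    client cert."""
    try:
        trusted_cert.public_key().verify(
            client_cert.signature,
            client_cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            client_cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


# Constructed sample: a self-signed CA and one client certificate it issued.
ca_key = make_key()
ca_cert = make_cert("Test CA", "Test CA", ca_key.public_key(), ca_key)
client_key = make_key()
client_cert = make_cert("alice", "Test CA", client_key.public_key(), ca_key)

if __name__ == "__main__":
    print("against CA cert:    ", signature_matches(client_cert, ca_cert))      # True
    print("against client cert:", signature_matches(client_cert, client_cert))  # False
```

The trusted-certificate lookup is normally by the client certificate's issuer DN, so the certificate imported into the keystore must be the one whose subject equals that issuer, i.e. the CA certificate.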


Tim Donohue

Sep 8, 2017, 10:57:31 AM
to Paul Warner, DSpace Technical Support
Hi Paul,

Again, I admit I've not really used this myself :)

That said, Googling that error message ("FAILED SIGNATURE check java.security.SignatureException Signature does not match")  brought up this StackOverflow answer which might be applicable: https://stackoverflow.com/a/38524172/3750035

Hoping maybe that'll get you one step further.  Admittedly, when I encounter oddities like this myself, I jump to googling the error, as oftentimes some clues can be found out there in StackOverflow and similar.

Assuming you get this working, I'd also encourage you to consider helping us correct/enhance our official documentation around X.509 Certificate Authorization (I'll gladly give you edit rights if you are willing).  I suspect this documentation is simply lacking / unclear, and enhancing it could help others who may follow in your footsteps.

Good luck, and definitely feel free to keep posting your status & other errors you come across (and we'll do our best to help find/suggest solutions). At the very least, it will be helpful for others in the future (when searching these lists).

Tim
 


Paul Warner

Oct 2, 2017, 7:25:36 AM
to Tim Donohue, DSpace Technical Support
Hi Tim,

I just wanted to acknowledge your kind responses, and let you know that my boss decided we should not use x.509 certificate authentication for this project.  We are looking to set up a self-sustaining system, or when it is not self-sustaining, at least most of the work should fall on the client, and not on us. We are providing a, so far, free service for them. Maintaining certificates on the clients' machines was a step too far for him.  I have pieced together some understanding of this subject, and if I get the time to wrap it up, I will volunteer to help improve the documentation and tell my story.  There is very little on the web about this, and it seems the technique is very rarely used.

We are switching to ip authentication for dspace, and now I am struggling with that!  ;-)

Best regards,
Paul

