Over the past couple of days, I've made my second attempt to install a cosign server. This time I got much further! I know it's not the easiest installation, but from what I've learned while working at Penn State I know it's worth the effort. However, I'm hitting a snag :)

What I'm doing: I'm logging into https://lafty-rhel5.stlawu.local/services (a cosign-protected directory on my cosign server) successfully with "stest", and it creates a valid Kerberos ticket which I can view with klist. If I type an incorrect password, it asks me to re-authenticate, so I'm confident the front-end authentication is working. However, I get a 503 response after authentication.
Apache error log:
[Wed Mar 11 15:53:02 2009] [error] [client 10.32.140.72] cosign_choose_conn: some servers returned UNKNOWN, referer: https://lafty-rhel5.stlawu.local/cosign-bin/cosign.cgi?cosign-lafty-rhel5.stlawu.local=Ng7jRtRU54OiIPsfxiXcFavjqdaRvGxPN9+XCTehwrHwv3w3bsNjdj-IQ-TqgF5KzmhHtTOGYzK7XdtdU2dY7mWpX1d3BYJzV-DQKFaNZbRSQqRoOvDq-q1DckhJ;&https://lafty-rhel5.stlawu.local/services/index.html

Messages log:
Mar 11 15:53:02 lafty-rhel5 cosignd[5409]: connect: 10.32.140.96
Mar 11 15:53:02 lafty-rhel5 cosignd[5409]: STARTTLS 10.32.140.96 2 lafty-rhel5.stlawu.local
Mar 11 15:53:02 lafty-rhel5 cosignd[5409]: LOGIN stest STLAWU.LOCAL 10.32.140.72
Mar 11 15:53:02 lafty-rhel5 cosignd[5409]: REGISTER stest STLAWU.LOCAL 10.32.140.72 cosign-lafty-rhel5.stlawu.local

If I start cosignd with -d:
debug: STARTTLS 2
debug: CHECK cosign=6wA9+LHMh0WurTjRSKXX4J2oR8L3F6IfAsvqjTJYqw5WxVeyRNKwblAo61+GauFAiZKxIfWLexa4lJlFrKnFnnCj0QW9BWueYaZEsb1U9zDW+X7zA-JnOnW4ASuV
debug: LOGIN cosign=6wA9+LHMh0WurTjRSKXX4J2oR8L3F6IfAsvqjTJYqw5WxVeyRNKwblAo61+GauFAiZKxIfWLexa4lJlFrKnFnnCj0QW9BWueYaZEsb1U9zDW+X7zA-JnOnW4ASuV 10.32.140.72 stest STLAWU.LOCAL kerberos
debug: CHECK cosign=6wA9+LHMh0WurTjRSKXX4J2oR8L3F6IfAsvqjTJYqw5WxVeyRNKwblAo61+GauFAiZKxIfWLexa4lJlFrKnFnnCj0QW9BWueYaZEsb1U9zDW+X7zA-JnOnW4ASuV
debug: REGISTER cosign=6wA9+LHMh0WurTjRSKXX4J2oR8L3F6IfAsvqjTJYqw5WxVeyRNKwblAo61+GauFAiZKxIfWLexa4lJlFrKnFnnCj0QW9BWueYaZEsb1U9zDW+X7zA-JnOnW4ASuV 10.32.140.72 cosign-lafty-rhel5.stlawu.local=Ng7jRtRU54OiIPsfxiXcFavjqdaRvGxPN9+XCTehwrHwv3w3bsNjdj-IQ-TqgF5KzmhHtTOGYzK7XdtdU2dY7mWpX1d3BYJzV-DQKFaNZbRSQqRoOvDq-q1DckhJ

My environment: RHEL 5.3, 32-bit, running in VMware Workstation with Apache 2, and a working krb5.conf pointed at Active Directory.

My configure line (it compiles without issue):

./configure --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --target=i686-pc-linux-gnu \
    --enable-apache2=/usr/sbin/apxs --enable-krb --prefix=/var/cosign \
    --with-cosignhost=lafty-rhel5.stlawu.local --with-cosignlogouturl= lafty-rhel5.stlawu.local \
    --with-cosigndb=/var/cosign/daemon --with-cosignconf=/var/cosign/etc/cosign.conf \
    --with-cosigncadir=/var/cosign/certs/ --with-cosigncert=/var/cosign/certs/lafty-rhel5.cert \
    --with-cosignkey=/var/cosign/private/lafty-rhel5.pem --with-ticketcache=/var/cosign/ticket \
    --mandir=/usr/local/share/man

My Apache configuration for the cosign server (/etc/httpd/certs is a symlink to /var/cosign/certs):

  <VirtualHost *:443>
  ... ...
    SSLCertificateFile      /etc/httpd/certs/lafty-rhel5.cert
    SSLCertificateKeyFile   /etc/httpd/certs/lafty-rhel5.key
    SSLCACertificateFile    /etc/httpd/certs/ca-cert.pem

    CosignProtected         Off
    CosignHostname          lafty-rhel5.stlawu.local
    CosignRedirect          https://lafty-rhel5.stlawu.local/cosign-bin/cosign.cgi
    CosignPostErrorRedirect https://lafty-rhel5.stlawu.local/cosign/post_error.html
    CosignService           lafty-rhel5.stlawu.local
    CosignCrypto            /var/cosign/certs/lafty-rhel5.key /var/cosign/certs/lafty-rhel5.cert /var/cosign/certs

    Alias /cosign/ "/var/cosign/html/"
    ScriptAlias /cosign-bin/ "/var/cosign/cgi-ssl/"

    Alias /services/ "/var/cosign/services/"
    <Directory "/var/cosign/services">
        CosignProtected On
    </Directory>
  </VirtualHost>

My cosign.conf (I think this is where I might be making a mistake):

## [Common to cgi and cosignd]
# TLS parameters
set cosigncadir /var/cosign/certs
set cosigncert /var/cosign/certs/lafty-rhel5.cert
set cosignkey /var/cosign/certs/lafty-rhel5.key

## [cosignd-specific]
# Allow access to cosignd with cgi-level privileges (REGISTER new sessions)
# from this CommonName (CN is from the TLS certificate)
#cgi cgi-1
cgi lafty-rhel5.stlawu.local

# Allow cosignd access with service-level privileges (CHECK existing sessions)
# from these CNs (they need not match the source IP or domain name)
#service mod_cosign-1 0
#service mod_cosign-2 0
service lafty-rhel5.stlawu.local T

cookie cosign-lafty-rhel5.stlawu.local reauth STLAWU.LOCAL

# In the ldapadmin example, we restrict access to the service at the
# Apache level (CosignRequireFactor admin). Alternatively we can
# centralise access restrictions at the cosignd level:
#cookie ldapadmin reauth ldap admin
# Note: you can specify multiple factors.
# By default, a cookie is granted as long as one factor is enabled.


## [cgi-specific]
# cosignd host (it must match the server's CN!)
set cosignhost lafty-rhel5.stlawu.local

# Grab this user's factor:
# - argument 3 and later are name(s) of <FORM>/POST fields from the template
# - at least one factor is required for authentication to succeed
# - a factor executable only returns 1 factor name
# - factor names can be used by mod_cosign (CosignRequireFactor)
# - "-2" means this secondary script is started only if another one was successful
#factor /usr/lib/cosign/factor/test login password
#factor /usr/lib/cosign/factor/ldap login password
#factor /usr/lib/cosign/factor/admin -2 login

# Override the default template directories,
# so our changes won't be overwritten by an unfortunate 'make install'
#set cosigntmpldir /var/lib/cosign/templates-local

set cosignlogouturl https://lafty-rhel5.stlawu.local/cosign-bin/logout
set cosignloopurl https://lafty-rhel5.stlawu.local/cosign/looping.html

--


_-_-_-_-__-_-_-_-__-_-_-_-__-_-_-_-__-_-_-
Christopher Lafty
Systems Administrator - Windows and Linux
[email protected]
http://infotech.stlawu.edu

136 Madill Hall
St. Lawrence University

Telephone: 315-229-5953
Fax: 315-229-5539
_-_-_-_-__-_-_-_-__-_-_-_-__-_-_-_-__-_-_-

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
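A consistency check over the two configuration fragments in the post, added here as an example; it is not code from the post or from the cosign project. It parses cosign.conf and the Cosign* directives and reports where the names cosignd is told to trust (the cgi, service and cookie lines, and cosignhost) disagree with what the login CGI and mod_cosign actually present. It does not read certificates: the path-to-CN map is an input, to be filled from `openssl x509 -noout -subject -in FILE`. The CN assumed for lafty-rhel5.cert is taken from the post's own cgi/service lines and is an assumption until checked with openssl; the second Apache fragment is a constructed mismatch, not something from the post.

```python
"""Cross-check the two halves of a cosign setup: cosign.conf (read by cosignd
and the login CGI) and the mod_cosign directives in the Apache vhost.

Added example, not code from the original post or from the cosign project.
Certificate subjects are not parsed here: pass a {path: CN} map read with
`openssl x509 -noout -subject -in FILE`.
"""
import shlex


def parse_cosign_conf(text):
    """Return {'set': {k: v}, 'cgi': {CN}, 'service': {CN: flags}, 'cookie': {name}}."""
    conf = {"set": {}, "cgi": set(), "service": {}, "cookie": set()}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        kind, args = fields[0], fields[1:]
        if kind == "set" and len(args) >= 2:
            conf["set"][args[0]] = args[1]
        elif kind == "cgi" and args:
            conf["cgi"].add(args[0])
        elif kind == "service" and len(args) >= 2:
            conf["service"][args[0]] = args[1:]
        elif kind == "cookie" and args:
            conf["cookie"].add(args[0])
    return conf


def parse_cosign_directives(text):
    """Return {Directive: [args]} for every Cosign* line of an Apache fragment."""
    directives = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts and parts[0].startswith("Cosign"):
            directives[parts[0]] = parts[1:]
    return directives


def check_cosign_setup(cosign_conf_text, apache_text, cert_cns):
    """Return a list of findings (strings); an empty list means the two sides agree."""
    conf = parse_cosign_conf(cosign_conf_text)
    ap = parse_cosign_directives(apache_text)
    findings = []

    def first(directive):
        return (ap.get(directive) or [None])[0]

    def cn_of(path, role):
        if path is None:
            findings.append(f"{role}: no certificate path configured")
            return None
        cn = cert_cns.get(path)
        if cn is None:
            findings.append(f"{role}: CN of {path} unknown, run openssl x509 -noout -subject -in {path}")
        return cn

    # 'set cosigncert' is the certificate both cosignd and the CGI present. cosignd accepts
    # REGISTER only from a CN on a 'cgi' line, and the CGI connects to cosignhost, which has
    # to be the daemon's CN (the comment in cosign.conf says so).
    common_cn = cn_of(conf["set"].get("cosigncert"), "cosigncert")
    cosignhost = conf["set"].get("cosignhost")
    if common_cn and common_cn not in conf["cgi"]:
        findings.append(f"cgi: CN {common_cn!r} has no 'cgi' line in cosign.conf")
    if common_cn and cosignhost and common_cn != cosignhost:
        findings.append(f"cosignd: cosignhost {cosignhost!r} != certificate CN {common_cn!r}")

    # mod_cosign presents the second CosignCrypto argument (key cert cadir); cosignd accepts
    # CHECK only from a CN on a 'service' line.
    crypto = ap.get("CosignCrypto", [])
    if len(crypto) != 3:
        findings.append("filter: CosignCrypto needs exactly 3 arguments: key cert cadir")
    else:
        filter_cn = cn_of(crypto[1], "filter")
        if filter_cn and filter_cn not in conf["service"]:
            findings.append(f"filter: CN {filter_cn!r} has no 'service' line in cosign.conf")

    # The filter and the CGI must talk to the same cosignd.
    if first("CosignHostname") != cosignhost:
        findings.append(f"host: CosignHostname {first('CosignHostname')!r} != cosignhost {cosignhost!r}")

    # The service cookie the filter asks cosignd to REGISTER is cosign-<CosignService>
    # and must be declared on a 'cookie' line.
    expected_cookie = f"cosign-{first('CosignService')}"
    if expected_cookie not in conf["cookie"]:
        findings.append(f"cookie: {expected_cookie!r} has no 'cookie' line in cosign.conf")
    return findings


# Sample input 1: the cosign.conf and Cosign* lines as posted, comments dropped.
POST_COSIGN_CONF = """
set cosigncadir /var/cosign/certs
set cosigncert /var/cosign/certs/lafty-rhel5.cert
set cosignkey /var/cosign/certs/lafty-rhel5.key
cgi lafty-rhel5.stlawu.local
service lafty-rhel5.stlawu.local T
cookie cosign-lafty-rhel5.stlawu.local reauth STLAWU.LOCAL
set cosignhost lafty-rhel5.stlawu.local
"""
POST_APACHE = """
CosignHostname lafty-rhel5.stlawu.local
CosignService  lafty-rhel5.stlawu.local
CosignCrypto   /var/cosign/certs/lafty-rhel5.key /var/cosign/certs/lafty-rhel5.cert /var/cosign/certs
"""
# Assumed CN (the post's cgi/service lines use the host name); confirm with openssl.
POST_CERT_CNS = {"/var/cosign/certs/lafty-rhel5.cert": "lafty-rhel5.stlawu.local"}

# Sample input 2, constructed: a filter with a service name and certificate cosignd was not told about.
BROKEN_APACHE = """
CosignHostname lafty-rhel5.stlawu.local
CosignService  www.example.test
CosignCrypto   /etc/httpd/certs/www.key /etc/httpd/certs/www.cert /var/cosign/certs
"""
BROKEN_CERT_CNS = dict(POST_CERT_CNS, **{"/etc/httpd/certs/www.cert": "www.example.test"})

if __name__ == "__main__":
    for label, apache, cns in (("as posted", POST_APACHE, POST_CERT_CNS),
                               ("constructed mismatch", BROKEN_APACHE, BROKEN_CERT_CNS)):
        print(label, "->", check_cosign_setup(POST_COSIGN_CONF, apache, cns) or "consistent")
```

Run against the real files by reading them in place of the two string constants and filling the CN map from openssl. The configuration as posted passes every check here, so these name mismatches are ruled out for the 503; the script only narrows the search, it does not explain the UNKNOWN result from cosign_choose_conn. The constructed fragment shows what a mismatch looks like: a filter CN with no service line, and a cookie name cosignd was never told to register.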