I think as a practical solution you should remove the password from the server private key, as Niphlod pointed out in this same thread. BTW, I suggest using any of apache, nginx, cherokee, uwsgi and probably other webservers instead of rocket and having them do the SSL/TLS part. The web2py auth code will work the same, but the server will ask you for the password only at startup, and it will usually be faster than rocket.
mic

2012/11/8 Amit <amit.khaw...@gmail.com>

> Thanks Michele, I resolved the issue by overriding class X509Auth :), one more clarification:
>
> Using openssl, I created CA certificates, private key, then client and server certificates with their private key signed by the CA certificate; everything is working fine except:
>
> When I access my application I always need to provide the server certificate password on the command prompt (where the server has started) to access the page. Is there any way to disable this? Means, the user only needs to import the client certificate into their browser, and when they access the application it will allow access to the pages of the application without asking for the password. Anyway, the user doesn't have access to the server, so they can't provide the password; so in this case, even though they will be able to import the client certificate (the server certificate is automatically downloaded to the browser when they make a request for the application), they can't access the application pages because on the server command prompt it will ask for the password. So how to make it password free?
>
> On Wed, Nov 7, 2012 at 6:52 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>
>> Amit,
>>
>> A "self" was missing, this should work:
>>
>>     class MyX509Auth(X509Auth):
>>         def get_user(self):
>>             self.subject.surname = <put something here >
>>             # get_user() builds the profile dict Auth consumes, so pass it on
>>             return X509Auth.get_user(self)
>>
>>     auth.settings.login_form = MyX509Auth()
>>
>> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>>
>>> Amit,
>>>
>>> in your model call the derived class
>>>
>>>     auth.settings.login_form = MyX509Auth()
>>>
>>> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>>>
>>>> simpatiCA makes the client certificates already with the needed fields. Since you use openssl directly, you can set all the fields you need in the certificates by changing openssl.cnf in your openssl installation. There is plenty of documentation on that.
>>>>
>>>> OR you can extend the class X509Auth to fit your needs by overriding get_user()
>>>>
>>>>     class MyX509Auth(X509Auth):
>>>>         def get_user():
>>>>             self.subject.surname = <put something here >
>>>>             X509Auth.get_user(self)
>>>>
>>>> mic
>>>>
>>>> 2012/11/7 Amit <amit.khaw...@gmail.com>
>>>>
>>>>> Hi,
>>>>> I filled in the email address in the certificate, but what I think is the problem is the surname; please check the log below:
>>>>>
>>>>> File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py in get_user at line 91
>>>>>
>>>>> Function argument list:
>>>>> (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>>>
>>>>> Code listing (lines 86-95, error at line 91):
>>>>>
>>>>>     p = profile = dict()
>>>>>
>>>>>     username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b), self.subject.CN or self.subject.commonName)
>>>>>     p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.givenName or username)
>>>>>     p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.surname)
>>>>>     p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.Email or self.subject.emailAddress)
>>>>>
>>>>>     # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>>     p['registration_id'] = self.serial
>>>>>
>>>>> Variables:
>>>>>     a                     undefined
>>>>>     b                     undefined
>>>>>     builtin reduce        <built-in function reduce>
>>>>>     self.subject.surname  []
>>>>>     self                  <gluon.contrib.login_methods.x509_auth.X509Auth object>
>>>>>     self.subject          <Storage {'Email': ['amit1.khaw...@gmail.com'], ...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>
>>>>>     p                     {'first_name': 'A | m | i | t | 1 | | K | h | a | w | a | r | e', 'username': 'Amit1 Khaware'}
>>>>>
>>>>> And while generating the certificates it is not asking about the surname; it asks for the information below:
>>>>>
>>>>>     Country Name (2 letter code) [US]:
>>>>>     State or Province Name (full name) [CA]:
>>>>>     Locality Name (eg, city) [San Diego]:
>>>>>     Organization Name (eg, company) [Cafesoft LLC]:
>>>>>     Organizational Unit Name (eg, section) []:
>>>>>     Common Name (eg, YOUR name) []:Cafesoft CA
>>>>>     Email Address [c...@cafenet.com]:
>>>>>
>>>>>     Please enter the following 'extra' attributes
>>>>>     to be sent with your certificate request
>>>>>     A challenge password []:password
>>>>>     An optional company name []:
>>>>>
>>>>> Please check the link:
>>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>>
>>>>> So x509_auth.py expects a surname, but the above link doesn't provide an option to fill in the surname :(
>>>>>
>>>>> Regards,
>>>>> Amit
>>>>>
>>>>> On Tue, Nov 6, 2012 at 8:34 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>
>>>>>> self.subject.Email is [] i.e. an empty list. Check if that is the problem.
>>>>>>
>>>>>> mic
>>>>>>
>>>>>> On 06/nov/2012 14:32, "Amit" <amit.khaw...@gmail.com> wrote:
>>>>>>
>>>>>>> I have used the link below to generate server certificates, client certificates and CA certificates, imported the client and CA certificates into the Mozilla Firefox browser and then deployed the server certificates and CA certificate to the Rocket server:
>>>>>>>
>>>>>>>     D:\web2py2.1.1\web2py>web2py.py -a password -i 127.0.0.1 -p 8000 -c C:\OpenSSL-Win32\bin\cirrusAwareCA\server\certificates\server.test.com.crt -k C:\OpenSSL-Win32\bin\cirrusAwareCA\server\keys\server.test.com.key --ca-cert=C:\OpenSSL-Win32\bin\cirrusAwareCA\CA\cirrusAwareCA.crt
>>>>>>>
>>>>>>> Then open the browser and type https://127.0.0.1:8000/MyApp/default/index
>>>>>>>
>>>>>>> Now it's giving this error:
>>>>>>>
>>>>>>>     <type 'exceptions.TypeError'> reduce() of empty sequence with no initial value
>>>>>>>
>>>>>>> Error snapshot:
>>>>>>>
>>>>>>>     <type 'exceptions.TypeError'>(reduce() of empty sequence with no initial value)
>>>>>>>
>>>>>>> Frames:
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\restricted.py in restricted at line 209
>>>>>>> - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py in <module> at line 76
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\globals.py in <lambda> at line 187
>>>>>>> - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py in user at line 38
>>>>>>>
>>>>>>>   Code listing (lines 33-42):
>>>>>>>
>>>>>>>       use @auth.requires_login()
>>>>>>>           @auth.requires_membership('group name')
>>>>>>>           @auth.requires_permission('read','table name',record_id)
>>>>>>>       to decorate functions that need access control
>>>>>>>       """
>>>>>>>       return dict(form=auth())
>>>>>>>
>>>>>>>
>>>>>>>   def download():
>>>>>>>       """
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\tools.py in __call__ at line 1205
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\tools.py in login at line 2016
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py in get_user at line 91
>>>>>>>
>>>>>>>   Function argument list:
>>>>>>>   (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>>>>>
>>>>>>>   Code listing (lines 86-95, error at line 91):
>>>>>>>
>>>>>>>       p = profile = dict()
>>>>>>>
>>>>>>>       username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b), self.subject.CN or self.subject.commonName)
>>>>>>>       p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.givenName or username)
>>>>>>>       p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.surname)
>>>>>>>       p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),self.subject.Email or self.subject.emailAddress)
>>>>>>>
>>>>>>>       # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>>>>       p['registration_id'] = self.serial
>>>>>>>
>>>>>>>   Variables:
>>>>>>>       a                     undefined
>>>>>>>       b                     undefined
>>>>>>>       builtin reduce        <built-in function reduce>
>>>>>>>       self.subject.surname  []
>>>>>>>       self                  <gluon.contrib.login_methods.x509_auth.X509Auth object>
>>>>>>>       self.subject          <Storage {'Email': [], 'C': ['IN'], 'serialNumbe...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>
>>>>>>>       p                     {'first_name': 'A | m | i | t', 'username': 'Amit'}
>>>>>>>
>>>>>>> Regards,
>>>>>>> Amit
>>>>>>>
>>>>>>> On Tue, Nov 6, 2012 at 6:42 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>>>
>>>>>>>> https://github.com/web2py/web2py/blob/master/gluon/main.py#L824
>>>>>>>>
>>>>>>>> The log seems to say that your certificate file is not there, or not accessible.
>>>>>>>>
>>>>>>>> mic
>>>>>>>>
>>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>>
>>>>>>>>> I am using Python 2.7.2.
>>>>>>>>>
>>>>>>>>> On Tue, Nov 6, 2012 at 6:33 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> What is your python version?
>>>>>>>>>>
>>>>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>>>>
>>>>>>>>>>> Hi Michele,
>>>>>>>>>>> I used Simpatica to generate the certificates but failed to deploy them to the web2py server; please check the first mail in this mail chain, where I explained the problem in detail.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Amit
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 6, 2012 at 4:52 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I suggest looking at the code in gluon/contrib/login_methods/x509_auth.py. Basically you can extract anything from the client-supplied cert and use it with the auth tables of web2py. That is really simple. The tedious part is getting to know what stuff you can put in the cert. That is more related to managing a CA than to web2py itself.
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a simple but functional app for managing a little CA: simpatiCA <http://goo.gl/nrAhS>; it is simple enough to be used as an example and extended to your needs. If you need a real CA there are more featured solutions around...
>>>>>>>>>>>>
>>>>>>>>>>>> mic
>>>>>>>>>>>>
>>>>>>>>>>>> > PS: the man behind X509 auth code in web2py is mcm, sadly for you it's documented how it works but not how to organize the certs (which in theory you should know in advance)
>>>>>>>>>>>>
>>>>>>>>>>>> 2012/11/6 Niphlod <niph...@gmail.com>
>>>>>>>>>>>>
>>>>>>>>>>>>> hem... one thing is helping you to create certs and key for a SSL protected webserver, quite another to help you managing a credential store (I really don't have time for that).
>>>>>>>>>>>>> You have problems on finding out what OpenSSL is and want to manage X509? Really?
>>>>>>>>>>>>> Maybe it's time to read some docs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> PS: the man behind X509 auth code in web2py is mcm, sadly for you it's documented how it works but not how to organize the certs (which in theory you should know in advance)
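The traceback quoted in this thread shows two things about the get_user() profile-building logic: reduce() over an empty subject field (surname was []) raises TypeError, and the `or username` fallback hands reduce() a plain string, which is then iterated character by character (the snapshot's first_name of 'A | m | i | t'). The following is an added example, not code from web2py or from anyone in this thread: it reproduces that logic on constructed subjects so the two failure modes can be seen, and beside it a tolerant variant of the same mapping that one could use inside an overridden get_user(). It assumes the subject is a plain dict of lists with the attribute names visible in the traceback (web2py exposes a Storage object instead), and all certificate values, including the e-mail address, are made up.

```python
from functools import reduce

# Constructed sample subjects. Field names follow the attribute names visible in
# the traceback quoted in this thread (CN/commonName, givenName, surname/SN,
# Email/emailAddress); every value is invented and the address is a placeholder.
SUBJECT_NO_SURNAME = {          # shape of the failing certificate in the thread
    "CN": ["Amit"],
    "commonName": ["Amit"],
    "givenName": [],
    "surname": [],
    "SN": [],
    "Email": ["user@example.invalid"],
    "emailAddress": [],
}

SUBJECT_COMPLETE = {            # a certificate whose DN carries every field
    "CN": ["Amit Khaware"],
    "commonName": ["Amit Khaware"],
    "givenName": ["Amit"],
    "surname": ["Khaware"],
    "SN": ["Khaware"],
    "Email": ["user@example.invalid"],
    "emailAddress": [],
}


def _pipe_join(values):
    # The reduce(lambda a,b: '%s | %s' % (a,b), values) expression from the
    # quoted get_user() listing, isolated so its behaviour can be exercised.
    return reduce(lambda a, b: "%s | %s" % (a, b), values)


def profile_as_quoted(subject, serial):
    """Profile built the way the quoted get_user() listing builds it.

    Two defects surface with real certificates: an empty field makes reduce()
    raise TypeError, and the `or username` fallback gives reduce() a str,
    which it iterates character by character ('A | m | i | t').
    """
    p = {}
    username = p["username"] = _pipe_join(subject["CN"] or subject["commonName"])
    p["first_name"] = _pipe_join(subject["givenName"] or username)
    p["last_name"] = _pipe_join(subject["surname"])
    p["email"] = _pipe_join(subject["Email"] or subject["emailAddress"])
    p["registration_id"] = serial
    return p


def quoted_failure(subject, serial="01"):
    """Return the TypeError message the quoted logic raises for subject, or None."""
    try:
        profile_as_quoted(subject, serial)
    except TypeError as exc:
        return str(exc)
    return None


def join_field(subject, *names, default=""):
    """First non-empty subject attribute among names, joined with ' | '.

    A bare str is wrapped rather than iterated, and `default` is returned when
    every candidate field is empty, so no empty sequence ever reaches reduce().
    """
    for name in names:
        values = subject.get(name) or []
        if isinstance(values, str):
            values = [values]
        if values:
            return " | ".join(str(v) for v in values)
    return default


def profile_hardened(subject, serial):
    """Same profile layout as the quoted listing, tolerant of missing DN fields.

    The cert serial stays the unique key, as the quoted comment requires. The
    one hard requirement kept is a non-empty CN: a user record without a
    username is useless to Auth, so such a certificate is refused outright.
    """
    p = {}
    username = p["username"] = join_field(subject, "CN", "commonName")
    if not username:
        raise ValueError("client certificate has no CN/commonName; refusing to build a user")
    p["first_name"] = join_field(subject, "givenName", default=username)
    p["last_name"] = join_field(subject, "surname", "SN")
    p["email"] = join_field(subject, "Email", "emailAddress")
    p["registration_id"] = serial
    return p


if __name__ == "__main__":
    print("quoted logic on a cert without surname:", quoted_failure(SUBJECT_NO_SURNAME))
    print("hardened profile for the same cert:", profile_hardened(SUBJECT_NO_SURNAME, "01"))
```

On a DN that carries every field both functions produce the same profile, so the hardened mapping changes nothing for certificates issued with a complete openssl.cnf; it only stops a sparse DN from either crashing the login or producing a character-spliced first name.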