Number of slides: 11
TAGPMA TWiki
http://tagpma.es.net
dhiva@es.net & helm@es.net

Agenda
• ESnet web hosting environment
• Certificate based authentication
• Registration automation
• Problems & solutions
• Suggestions & contribution
Virtual Web Server
• The ESnet webmaster has been doing the TWiki hosting for other internal/external services
• ESnet uses a particular version of TWiki and a template to produce new TWikis
  – 04 Sep 2004 $Rev: 1742 $
  – Wants to maintain one version across the enterprise
• TAGPMA is one of them
• The same set of security features is imposed on all the TWikis
Architecture
http://tagpma.es.net
• read-only mode
• open for anyone
https://tagpma.es.net (SSL client authentication)
• edit & add
• IGTF accredited CAs
• open to the IGTF community
• pre-registration script, which populates the .htpasswd file for Apache
Variables in use & modified TWiki modules
• “%REMOTE_USER”
• $WikiName, WikiUsername
• TWikiRegistration.txt
• ~/lib/TWiki.cfg
• ~/lib/TWiki.pm
• %Certificate, %RemoteUser
Certificate Based Authentication
• RCS (Revision Control System) check-in problem
  – $SubjectDN is not the same as the $username
  – Spaces in the Subject DN caused problems
  – So we modified ~/lib/TWiki/Store/RcsWrap.pm
• Side effects
  – The Subject DN is not in compliance with the WikiName format, so there is a dead link for that Subject DN
  – The original Subject DN is also not in compliance with WikiName
  – Every page will show Main.DC=org, DC=doegrids, OU=People, CN=FirstName_LastName_98765 instead of Main.FirstnameLN

Certificate Based Authentication
• Fixes
  – DN in reverse order
  – Show only the CN, e.g. Main.CN=FirstName_LastName_98765
  – Preferably WikiName instead, for
    • RCS check-in
    • Showing page owner or modified-by
  These are still in progress, because we have already seen a TWiki plug-in not working, e.g. table creation.
Registration Automation
• Pre-registration and TWiki registration
  – certificates for pre-registration
  – then TWiki registration
• We couldn’t extract the Subject DN if we simply accept the certificate based on the trust anchors, without pre-registration
• We need to have a .htpasswd at the Apache level to extract the Subject DN for TWiki registration
• Initially we had a separate web server just to do the SSL client authentication and generate the .htpasswd file (pre-registration)

Registration Automation
• Then we were able to extract the Subject DN and pre-fill the TWiki registration
• We were able to combine the pre-registration script with TWiki (in a single web server)
Problems & Solutions
• The trust anchors created a few problems
  – Apache doesn’t throw error messages if there is a problem with the config; it just skips that config and continues to load the rest
  – What if the user wants to use a certificate which was issued by an untrusted CA? The error message wasn’t helpful
• Pre-registration and TWiki registration are not complete
  – The Subject DN can have special characters, which cause the pre-registration to fail
  – Still need to filter special characters at the TWiki registration
  – Still need to map the Subject DN to WikiName

Problems & Solutions
• Any error in the Apache configuration for certificate authentication causes a pop-up window for the end user asking for userid/password. The error messages are not configurable for certificate-based authentication.
• Strange behaviour when using +OptRenegotiate with SSLOptions (in the Apache config)
  – This flag was used to stop the certificate re-authentication pop-up with Mozilla/Firefox family browsers
  – Undesired behaviour for clients who use an external token like Aladdin’s eToken: those users often get a ‘permission denied’ error and have to refresh every page they go to. One can also fix this problem by selecting the ‘Select one automatically’ option in the browser’s Certificate Options.
  – We have also noticed the same behaviour with a few other users who don’t use external tokens
• TWiki shows a ‘?’ and a dead link for any name which is not in compliance with the regular expression defined for all names (~/lib/TWiki.pm)
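The Subject DN to WikiName mapping that the certificate-authentication and registration slides leave "still in progress", worked through as an added example (not ESnet's code): it parses both DN forms that appear on the slides, keeps only the CN, filters the special characters that make pre-registration fail, and returns None for names TWiki would still render as a ‘?’ dead link. The WikiName pattern is an approximation of TWiki's WikiWord rule and is an assumption here, as is the DOEGrids-style CN layout used in the constructed sample DNs.

```python
import re

# Assumed approximation of TWiki's WikiWord rule (not TWiki's exact regex):
# capital, lowercase run, capital, then letters/digits.
WIKI_NAME_RE = re.compile(r"^[A-Z]+[a-z]+[A-Z]+[A-Za-z0-9]*$")


def parse_dn(dn):
    """Split a Subject DN into (attribute, value) pairs, in the order written.
    Handles Apache's one-line SSL_CLIENT_S_DN form ('/DC=org/.../CN=...') and
    the comma form seen on the pages; a backslash escapes the next character."""
    sep = "/" if dn.startswith("/") else ","
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped separator/character
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, eq, value = part.strip().partition("=")
        if eq:                                   # skip the empty leading part
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def cn_from_dn(dn):
    """Return the CN value (the last one if several), or None if absent."""
    cns = [v for a, v in parse_dn(dn) if a == "CN"]
    return cns[-1] if cns else None


def wiki_name_from_dn(dn):
    """Map a Subject DN to a WikiName, or None when no valid WikiName can be
    built (the case where TWiki renders a '?' and a dead link)."""
    cn = cn_from_dn(dn)
    if cn is None:
        return None
    # Split on space/underscore/dot and drop every other non-alphanumeric
    # character: the "filter special characters" step the slides say is missing.
    tokens = [re.sub(r"[^A-Za-z0-9]", "", t) for t in re.split(r"[ _.]+", cn)]
    name = "".join(t[:1].upper() + t[1:].lower() for t in tokens if t)
    return name if WIKI_NAME_RE.match(name) else None
```

Because only the CN is used, the DN order (root-first or reversed, as in the "DN in reverse order" fix) does not change the result.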
Suggestions & Solutions
• Maybe we need a different technology to map the Subject DN to WikiUserName; something like OpenID?