Chapter 5 —

Third-party Configuration Notes

5.1 Apache Installation and Configuration

The following installation instructions are provided for your convenience. For more information on Apache or help with installation problems, see the Apache web site (http://www.apache.org/).

5.1.1 Installation on Red Hat Linux

Perform the following steps to install Apache on on Red Hat Linux.

1. Download the Apache v2.0.x source from http://httpd.apache.org/dist/httpd and unpack the source using one of the following commands:

   gunzip -d httpd-2_0_x.tar.gz

   tar xvf httpd-2_0_x.tar

2. Change directory (cd) to the httpd-2_0_x directory that you just extracted and run the configuration utility. AssureAccess requires that the shared object module be compiled with Apache. To achieve this, include --enable-so when you execute configure.

   For example, enter the following command on one line:

   ./configure --prefix=<Apache_install_path>

   --enable-module=so --with-mpm=worker

3. Apply the following required patch.
    
   

   Apache does not correctly issue cookies when the HTTP status code is 304 (Content Not Modified) rather than 200. Until this bug (#18388) is fixed, you must patch /httpd-2.0.44/modules/http/http_protocol.c. Find the following code and insert a line with the text "Set-Cookie", after the code that says "Proxy-Authenticate",

   if (r->status == HTTP_NOT_MODIFIED) {
   apr_table_do((int (*)(void *, const char *, const char *))

   form_header_field,
   (void *) &h, r->headers_out,
   "Connection",
   "Keep-Alive",
   "ETag",
   "Content-Location",
   "Expires",
   "Cache-Control",
   "Vary",
   "Warning",
   "WWW-Authenticate",
   "Proxy-Authenticate",
   "Set-Cookie", // <-- add this line
   NULL);
   }

4. Type make and press Enter to compile Apache.
    
   
5. Type make install and press Enter to run the installation scripts.
    

Edit the Apache configuration file to fit your requirements. This file (httpd.conf) is in <Apache_install_path>/conf.

Set the AA_INSTALLDIR environment variable to point to the root directory of AssureAccess, so the Apache system can start the Web Adapter.

5.1.2 Configuration on on Red Hat Linux

This section contains initial configuration settings for the Apache Web Server on on Red Hat Linux.

1. Verify the location of the LoadModule line for AssureAccess. By default, the AssureAccess configuration utilities insert the LoadModule line last in the list of LoadModule directives so that AssureAccess is the first external module to be run by Apache. The LoadModule line must come before any of the "EAA..." directives.
    
   
2. Check the Apache configuration file after running the AssureAccess configuration utility. Verify that the location of the LoadModule line for AssureAccess is specified before any SSL engines and after any JSP Engines. In general, place the AssureAccess LoadModule line after modules that return a response to the client (JSP engines) and before modules that prepare the request for Apache (SSL engines).
    
   
3. Enter (at least) a value for EAASecurityDomain in the servers that will be enabled and enter "EAAFilterEnabled On" in that server.
   
   NOTE: The local configuration tool makes changes tothe httpd.conf file. It wraps "EAA" directives with an "<IfModule...>" line. This is so that if the administrator wants to disable AssureAccess temporarily by commenting out the AssureAccess "LoadModule" line, the server will start. (The server will not start if there are unknown directives, but these <IfModule> sections prevent AssureAccess custom directives from being included except when the AssureAccess module is loaded.)
   
   Example

   LoadModule eaafilter_module /usr/Entegrity/AssureAccess/bin/libmodeaafilter.so
   <IfModule mod_eaafilter.c>
   EAASecurityDomain /main
   EAAFilterEnabled Off
   EAAFilterVerbose On
   </IfModule>

   5.1.3 Apache Configuration File Directives

   You configure the Apache Web Server by editing a configuration file. This file is typically $APACHE_HOME/conf/httpd.conf, but the administrator can use any file.

   AssureAccess defines the following Apache directives:

   EAASecurityDomain <domain>

   Selects the AssureAccess security domain for the current server (main server or virtual host). The AssureAccess security domain controls the set of policies and protected resources that will be used to secure access to this server. The default value for this directive is the value of the security domain that was configured for the J2EE adapter.

   Example: EAASecurityDomain /banking_app

   EAAFilterEnabled On|Off

   Determines if AssureAccess is enabled for the current server. If EAAFilterEnabled is set to "On", AssureAccess will control access to the server based on the configurations in the AssureAccess security domain specified by the EAASecurityDomain directive. If EAAFitlerEnabled is set to "Off", AssureAccess will not modify or prevent any request to the server. EAASecurityDomain must be specified when the filter is enabled. Default value is "On".

   Example: EAAFilterEnabled Off

   EAAFilterVerbose On|Off

   Determines if verbose filtering (displays processing of rules in audit trail) is enabled for the current server. Default value is "Off".

   Example: EAAFilterVerbose Off

   5.1.4 Configuration File Directives for SAML-Enabled SSO

   SAML-enabled single sign-on (SSO) allows end-user, browser-based single sign-on between web sites and application servers that 1) are in different DNS domains, 2) that are administered by different organizations, 3) that are in different "zones of trust", and/or 4) that may be using different SSO products (for example, Entegrity AssureAccess, Entrust, RSA, and so on).

   — The side that performs the end-user authentication is called the "source site."

   — The side that relies on the remote authentication is called the "destination site."

   A user either attempts to access a resource at the destination side or clicks a special link at the source side that begins the authentication process and, eventually, navigates the user to the intended resource at the destination side.

   In the middle of this flow are three services (two deployed at the source site and one deployed at the destination side) that ensure that the user is authenticated and that proof of the user's authentication and attributes are securely communicated from the source site to the destination site.

   — The two services at the source site are: "Intersite Transfer" and "Responder."

   — The service at the destination site is: "Artifact Consumer."

   There are three new configuration directives for Apache (one each for each of the three services). Each of the directives takes two arguments.

   The first argument is the path where the service is deployed, that is, any request to the web server at that path will be served by the corresponding SAML service rather than going to the web server's normal processing.

   The second argument is a list of the name/value pairs that describe the initialization parameters of the service. The "SecurityDomainName" parameter is not required since the AssureAccess domain is already specified by the "EAASecurityDomain" configuration directive.

   EAAIntersiteTransfer

   Syntax:

   EAAIntersiteTransfer path [IncludeSubjectLocality=true|false]

   Parameters:

   IncludeSubjectLocality (default false): Determines if browser IP address or hostname is included in SAML SSO Assertion

   Example:

   EAAIntersiteTransfer /IntersiteTransfer

   EAAResponder

   Syntax:

   EAAResponder path SAMLResponderConfigurationName=name

   Parameters:

   SAMLResponderConfigurationName (required): Name of responder configuration created in EAA console

   Example:

   EAAResponder /Responder SAMLResponderConfigurationName=SourceResponder

   EAAArtifactConsumer

   Syntax:

   EAAArtifactConsumer path KeystoreLocation=location&KeystorePassword=password[&Alias=alias&ClientKeyPassword=password][&BasicAuthUsername=username&BasicAuthPassword=password][&IncludeRespondWith=true|false]

   Parameters:

   KeystoreLocation (required): Path to keystore created by trust wizard

   KeystorePassword (required: Password to keystore

   Alias (required if destination site authentication is by client certificate): Alias into keystore for client certificate

   ClientKeyPassword (required if destination site authentication is by client certificate): Password to client certificate

   BasicAuthUsername (required if destination site authentication is by basic authentication): Username for authentication

   BasicAuthPassword (required if destination site authentication is by basic auth.): Password for authentication

   IncludeRespondWith (default false): Compatability option to include "RespondWith" information. Not required by AssureAccess and will be removed in SAML 1.1.

   Example:

   EAAArtifactConsumer /ArtifactConsumer KeystoreLocation=/home/apache2/conf/keystore&KeystorePassword=password&Alias=artifactconsumer&ClientKeyPassword=secret

   ---

   5.2 iPlanet Web Server on Solaris

   This procedure describes permissions you need to set on the iPlanet Web Server on Solaris. Since this is necessary because of how Solaris works, it is not necessary to do this with any other operating system.

   Note: These instructions assume that AssureAccess was installed as root.

   1. Install the iPlanet Web Server (iWS) as root and select all the defaults which include running the server as nobody.
       
      

      Note: Before changing file ownerships or permissions, write down the current settings. At the end of this procedure, you will restore the original settings.

   2. In the AssureAccess/config directory, issue the chown command on web.properties and j2ee.properties to change the ownership of the files to "nobody". If web.properties or j2ee.properties does not already exist, issue chmod on the config directory so that "nobody" has write permission.
       
      
   3. Change to the iWS server-specific directory, usually /usr/netscape/server4/ https-<server_name>, where <server_name> is the name of the web server.
       
      
   4. Use chown to change ownership of the conf directory to "nobody".
       
      
   5. Change to the conf directory.
       
      
   6. Use chown to change ownership of magnus.conf, obj.conf, and jvm12.conf to "nobody".
       
      
   7. Use su to set user identity to "nobody".
       
      
   8. Execute ./localconfig
       
      
   9. In the AssureAccess Local Configuration Tool, you should see your iWS server instance listed in the web panel.
       
      
   10. Set the enabled flag and security domain as desired.
        
       
   11. Click Save. An error appears indicating that the update of magnus.conf failed. Ignore this error message.
        
       
   12. Exit the Local Configuration Tool.
        
       
   13. Change back to the iWS server instance conf directory. You should see that obj.conf and jvm12.conf have been updated.
        
       
   14. Restore the original file ownerships or permissions that you set with chown and chmod above.
        
       

       The server should now start correctly with the AssureAccess adapter enabled.

       ---

       Copyright © 2000-2006 Entegrity Solutions Corporation