Secure Web access with certificates

You can increase the security of web access by requiring that the user who connects has a valid certificate issued by an authority that you recognise. This can easily be applied "on top" of any other authentication or IP restriction. In this way the certificate is not used to provide authentication (which may not be supported by the underlying webapp), but allows you to get rid of random scans and to track who has tried to log in.

Browsers

Unfortunately, Safari does not work well with user certificates. It is possible to add in the KeyChain an Identity Preference for the whole site (using

Global configuration

To recognise the CAs you want, you need to enable SSLCACertificatePath. Then copy the PEM format CA certificates in

The CustomLog line is helpful for keeping track of who logs in, and of possible errors, but it does not provide much detail when things go wrong.
SSLCACertificatePath /etc/httpd/conf/ssl.crt
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
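
An added example, not part of the original page: a Python parser for the ssl_request_log format defined by the CustomLog line above, counting verified requests per subject DN and listing requests that arrived without a verified certificate. The sample lines, DNs and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Mirrors the page's CustomLog format:
# %t %h SSL_PROTOCOL SSL_CIPHER SSL_CLIENT_S_DN SSL_CLIENT_VERIFY "%r" %b
# The subject DN may contain spaces, so it is matched lazily up to the
# verify field, whose values mod_ssl documents as NONE, SUCCESS, GENEROUS
# or FAILED:reason ("-" is logged when a variable is unset).
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<dn>.*?) (?P<verify>NONE|SUCCESS|GENEROUS|FAILED:.*?|-) '
    r'"(?P<request>.*)" (?P<size>\S+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(lines):
    """Count verified requests per subject DN; collect everything else."""
    verified, unverified, unparsed = Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["verify"] == "SUCCESS":
            verified[rec["dn"]] += 1
        else:
            unverified.append((rec["host"], rec["verify"], rec["request"]))
    return verified, unverified, unparsed

# Constructed sample lines (documentation addresses, made-up DNs).
_TLS = "TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384"
SAMPLE = [
    f'[10/Mar/2024:09:12:01 +0100] 192.0.2.10 {_TLS} '
    '/C=XX/O=org1/CN=Alice Example SUCCESS "GET /private/ HTTP/1.1" 5120',
    f'[10/Mar/2024:09:12:07 +0100] 192.0.2.10 {_TLS} '
    '/C=XX/O=org1/CN=Alice Example SUCCESS "GET /private/a.css HTTP/1.1" 812',
    f'[10/Mar/2024:09:14:30 +0100] 198.51.100.7 {_TLS} '
    '- NONE "GET /public/ HTTP/1.1" 230',
    f'[10/Mar/2024:09:15:02 +0100] 203.0.113.5 {_TLS} '
    '/C=XX/O=org2/CN=Bob Example FAILED:certificate has expired '
    '"GET /private/ HTTP/1.1" -',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    ok, bad, junk = summarise(SAMPLE)
    print(ok.most_common(), bad, f"{len(junk)} unparsed line(s)", sep="\n")
```
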
Directory access restriction
<Directory ....>
SSLRequireSSL
SSLVerifyClient require
SSLRequire ( %{SSL_CLIENT_I_DN_O} eq "org1" or %{SSL_CLIENT_I_DN_O} eq "org2" )
</Directory>