
Apache Configuration for CoSign

Last updated August 30, 2016

This document is "a work in progress" and specific configurations may vary.

Apache Post-Install

These steps must be run with root privileges and assume you are in the directory where the cosign zipfile was unpacked.

  • Create a working directory for CoSign:

mkdir -p /var/cache/cosign/filter

  • Give the new directory the proper permissions:

Debian:

chown www-data:www-data /var/cache/cosign/filter

Red Hat/CentOS 5:

chown apache:apache /var/cache/cosign/filter

  • Create new directories for the CoSign certs and key

Debian:

mkdir /etc/apache2/cosign-ca/
mkdir /etc/apache2/ssl/

Red Hat/CentOS 5:

mkdir /etc/httpd/cosign-ca/
mkdir /etc/httpd/ssl/

  • Set the permissions on the CA cert

chmod 644 ca-cert.pem

  • Install the certs and keys

Debian:

mv ca-cert.pem /etc/apache2/cosign-ca/
c_rehash /etc/apache2/cosign-ca/
mv *.crt *.key /etc/apache2/ssl/

Red Hat/CentOS 5:

mv ca-cert.pem /etc/httpd/cosign-ca/
c_rehash /etc/httpd/cosign-ca/
mv *.crt *.key /etc/httpd/ssl/

The CA cert and the service .crt are public and can stay world-readable, but the .key file is the service's private key and should be readable only by root (mode 600). Apache opens it at startup while still running as root, so the web server user (www-data or apache) does not need access to it.

NOTE: On RHEL, c_rehash is part of the package openssl-perl. If you don't have it, install it.

c_rehash creates, for each certificate in the directory, a symlink named after the hash of the certificate's subject. This is how OpenSSL (and therefore mod_cosign, via the CA directory given to CosignCrypto) locates a CA certificate in a directory rather than a single file. If you don't have the c_rehash command installed on your host, you can create the same link by hand (requires the openssl binary):

cd /etc/httpd/cosign-ca/
ln -s ca-cert.pem `openssl x509 -hash -noout -in ca-cert.pem`.0

Re-run c_rehash (or recreate the link) whenever ca-cert.pem is replaced; a stale link shows up later as a TLS verification failure when the filter talks to the CoSign server.


Basic Apache Configuration


Load the CoSign module

Apache needs to be told to load the CoSign module and the module needs several configuration items including what server to use. Choose either Debian or Non-Debian style configuration options.

Debian style

  • Create a module load file:

/etc/apache2/mods-available/cosign.load

with the following contents:

LoadModule cosign_module /usr/lib/apache2/modules/mod_cosign.so

  • Enable the module (a2enmod cosign)

  • Restart Apache (/etc/init.d/apache2 restart)

Ensure that Apache restarts successfully before continuing. Running apache2ctl configtest before the restart catches a wrong module path, and apache2ctl -M afterwards should list cosign_module among the loaded modules.
 

Non-Debian style

Verify that the following line exists in /etc/httpd/httpd.conf; if it does not, insert it, then restart Apache:

LoadModule cosign_module /usr/lib/httpd/modules/mod_cosign.so

Ensure that Apache restarts successfully before continuing (apachectl configtest before the restart, apachectl -M afterwards to confirm cosign_module is loaded).

If Apache refuses to load the cosign module, there may be an SELinux problem. The default configuration of a RHEL 5 install has SELinux enabled; look for AVC denials in /var/log/audit/audit.log that name mod_cosign.so or the filter directory, rather than disabling SELinux outright.

Note: Apache 1.x requires two directives for a module load. For example:

LoadModule cosign_module libexec/mod_cosign.so
AddModule mod_cosign.c

Configure the CoSign module

The following directives make it possible for <Directory...> statements and .htaccess files to activate CoSign, but do not activate CoSign protection on their own.

CosignProtected off
CosignHostname weblogin.pennkey.upenn.edu
CosignCheckIP never
CosignService <application name>
CosignRedirect https://weblogin.pennkey.upenn.edu/login
CosignPostErrorRedirect https://weblogin.pennkey.upenn.edu/post_error.html
CosignFilterDB /var/cache/cosign/filter
CosignCrypto /etc/apache2/ssl/<application name>.key /etc/apache2/ssl/<application name>.crt /etc/apache2/cosign-ca/

NOTE: <application name> needs to be replaced with the name assigned by the self-provisioning system. On Red Hat/CentOS, CosignCrypto should point at the /etc/httpd/ssl/ and /etc/httpd/cosign-ca/ directories created above.

CosignCheckIP never turns off the filter's comparison of the client's IP address against the address recorded when the service cookie was issued. That is the right setting when clients reach the server through proxies or NAT that change their apparent address; be aware that it also removes a cheap obstacle to replaying a stolen service cookie from another host.

These CoSign directives need to be loaded before any other CoSign directives. Where to put these lines depends on your distribution and your configuration preferences.

Debian style

  • Disable the module (a2dismod cosign)

  • Put the above statements into the file: /etc/apache2/mods-available/cosign.conf

  • Enable the module (a2enmod cosign)

  • Restart Apache (/etc/init.d/apache2 restart)

This will cause these statements to be loaded when the module is loaded (before the site configurations).

An alternate place to put these configuration directives is in the main section of the /etc/apache2/sites-available/default-ssl file.
 

Non-Debian style

Add the above statements to the main section of the apache configuration file or the main section of the HTTPS virtual host configuration file.
 

Protect websites with CoSign

To protect a directory, put the following statements in a .htaccess file in that directory. This only takes effect if the enclosing <Directory> block in the server configuration permits overrides for these directives (AllowOverride AuthConfig at least, or All); with AllowOverride None the .htaccess file is not read and the directory stays unprotected.

CosignProtected On
AuthType Cosign
Require valid-user
CosignRequireFactor  UPENN.EDU

To protect an individual file, put the following in a .htaccess file in the same directory or a higher-level directory.

<Files "file name.html">
  CosignProtected On
  AuthType Cosign
  Require valid-user
  CosignRequireFactor UPENN.EDU
</Files>
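The pieces above placed in one Debian-style HTTPS virtual host, as an added example that is not part of the original page or the CoSign distribution. The server name, document root, the www.crt/www.key pair used for the HTTPS listener, and the service name myapp are assumptions; the module-wide block matches the directives given in "Configure the CoSign module", and the <Directory> block shows the same protection as the .htaccess example expressed in the server configuration, alongside the AllowOverride setting the .htaccess method depends on.

```apache
# Added example, not from the original page or from CoSign itself.
# Debian layout; on Red Hat/CentOS substitute /etc/httpd for /etc/apache2.

# Module-wide settings. These protect nothing on their own and must appear
# before any other Cosign directive, so on Debian they belong in
# /etc/apache2/mods-available/cosign.conf (loaded with the module).
<IfModule mod_cosign.c>
    CosignProtected off
    CosignHostname weblogin.pennkey.upenn.edu
    CosignCheckIP never
    CosignService myapp
    CosignRedirect https://weblogin.pennkey.upenn.edu/login
    CosignPostErrorRedirect https://weblogin.pennkey.upenn.edu/post_error.html
    CosignFilterDB /var/cache/cosign/filter
    CosignCrypto /etc/apache2/ssl/myapp.key /etc/apache2/ssl/myapp.crt /etc/apache2/cosign-ca/
</IfModule>

<VirtualHost *:443>
    ServerName www.example.upenn.edu          # assumption
    DocumentRoot /var/www/myapp               # assumption

    # HTTPS for the site itself. Assumed to be a separate certificate from the
    # CoSign service credential named in CosignCrypto.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.key

    # Required for the .htaccess method: with AllowOverride None the
    # .htaccess file is never read and nothing under it is protected.
    <Directory /var/www/myapp>
        AllowOverride AuthConfig
        Require all granted
    </Directory>

    # Same protection as the .htaccess example, kept in the server
    # configuration instead so it cannot be removed by a content deploy.
    <Directory /var/www/myapp/private>
        CosignProtected On
        AuthType Cosign
        Require valid-user
        CosignRequireFactor UPENN.EDU
    </Directory>
</VirtualHost>
```

Use apache2ctl configtest after editing; the most common configtest failure here is a Cosign directive that appears before the module-wide block (or in a file loaded before cosign.conf), which is exactly the ordering requirement stated above.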

Advanced Apache Configuration

Multiple CosignService Configuration

Protecting By Virtual Host Directive

Protecting By Directory/Location Directive

Using Cosign to Initialize an Application Session