Re: mod_auth_saml and certificates

Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
> Hi Sampo,
>   I've been trying to set up ZXID's mod_auth_saml on an OS X server.  The
> EntityDescriptor XML doesn't seem to contain the public x.509 cert.

The metadata (the URL ending in o=B) will not have certificates if
none actually were available. Thus visualizing the metadata in
a browser is a good way to check whether it is finding the certs. So
it is a feature ;-)

> Does mod_auth_saml use the cert from /var/zxid/pem/ssl-nopw-cert.pem?

The certs for metadata live in files


In more recent versions (current is 0.38; which version were you using?)
ZXID will automatically generate self-signed certs if the certs are
not installed yet. However, it may fail to write them to the filesystem
due to a permissions problem. You should check that the user as which
Apache runs can indeed read from and write to the /var/zxid/pem directory.

If you want to use officially issued certificates, you will of course
need to place them in the two files mentioned. Please note that the
files should be a concatenation of the certificate and the private key. Due
to this and the practice of not using a password on the private keys,
you should pay attention to protecting these files with filesystem
permissions - the caveat is that if you protect too well then
even the apache process can't read them. Recommended permissions are

  chown APACHEUSER /var/zxid/pem
  chmod -R 02750 /var/zxid/pem

where APACHEUSER is the distribution-dependent user account used to
run the apache process. You can do `ps axu | grep httpd' to see
what user apache runs as.


P.S. Out of curiosity, which IdP are you using?

> How do I get this to show up in the EntityDescriptor XML file?
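
The checks described in the reply above (the Apache user can read and write the pem directory, each file holds both certificate and private key, and the unencrypted keys are not open to other users), as an added example that is not part of the original message or of ZXID. The function names and the `*.pem` glob are assumptions; the directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not ZXID code). check_pem and audit_pem_dir are hypothetical names.
# Run as the Apache user, e.g.: sudo -u APACHEUSER sh audit_pem.sh /var/zxid/pem

# check_pem FILE: print "OK FILE" or "FAIL FILE: reasons"; return 1 on failure.
check_pem() {
    f=$1
    problems=""
    if [ ! -r "$f" ]; then
        # Protected "too well": the current user cannot read it at all.
        problems=" unreadable"
    else
        # Each file should be the certificate concatenated with its private key.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || problems="$problems no-certificate"
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" || problems="$problems no-private-key"
    fi
    # A passwordless key must not carry any permission bit for "other".
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]; then
        problems="$problems world-accessible"
    fi
    if [ -z "$problems" ]; then
        echo "OK $f"
    else
        echo "FAIL $f:$problems"
        return 1
    fi
}

# audit_pem_dir DIR: check the directory, then every *.pem file inside it.
audit_pem_dir() {
    dir=$1
    status=0
    # Certs are read from here, and auto-generated ones are written here.
    if [ ! -r "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL $dir: not readable and writable by $(id -un)"
        status=1
    fi
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        check_pem "$pem" || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    audit_pem_dir "$1"
fi
```

Running it under the Apache account matters: the readability and writability tests apply to whoever executes the script.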
