[OTDev] OpenSSO now secure
Andreas Maunz andreas at maunz.de
Fri Jun 11 13:44:46 CEST 2010
Ok, here is the solution:

Please use

<Value>cn=partner,ou=groups,dc=opentox,dc=org</Value>

instead of

<Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>

It was wrong in the doc and is now updated.

Best
Andreas

Nina Jeliazkova wrote on 06/11/2010 10:53 AM:
>
> Andreas Maunz wrote:
>> I have checked on the server console:
>>
>> - the policy has correctly been created
>> - you are a member of 'partner' group
>>
>> So I can see no obvious error here. Could you please make sure to
>> refresh your token and try again?
>> If it still fails, I will investigate this more closely.
> I've verified with
> http://opensso.in-silico.ch/opensso/identity/isTokenValid the token is
> still valid; and also obtained a new token, unfortunately
> authorization still fails.
>
> Regards,
> Nina
>>
>> Andreas
>>
>> Nina Jeliazkova wrote on 06/11/2010 10:39 AM:
>>> Andreas,
>>>
>>> My fault, but I've just replaced the policy to use partner group and
>>> still not getting authorized.
>>>
>>> nina at ambit:~$ curl -i -X GET
>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
>>> 'subjectid:..'
>>> HTTP/1.1 200 OK
>>> Server: nginx/0.6.32
>>> Date: Fri, 11 Jun 2010 08:31:35 GMT
>>> Content-Type: text/xml
>>> Connection: keep-alive
>>> Content-Length: 1188
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <Policies>
>>> <Policy name="nina_top_level_test4"
>>> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>> creationdate="1276245073888" lastmodifieddate="1276245073888"
>>> referralPolicy="false" active="true">
>>> <Rule name="tr1">
>>> <ServiceName name="iPlanetAMWebAgentService"/>
>>> <ResourceName
>>> name="http://nina-vpn.acad.bg:8080/sso_protected"/>
>>> <AttributeValuePair>
>>> <Attribute name="POST"/>
>>> <Value>allow</Value>
>>> </AttributeValuePair>
>>> <AttributeValuePair>
>>> <Attribute name="GET"/>
>>> <Value>allow</Value>
>>> </AttributeValuePair>
>>> </Rule>
>>> <Subjects name="s1" description="">
>>> <Subject name="test" type="LDAPGroups"
>>> includeType="inclusive">
>>> <AttributeValuePair>
>>> <Attribute name="Values"/>
>>>
>>> <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
>>> </AttributeValuePair>
>>> </Subject>
>>> </Subjects>
>>> </Policy>
>>> </Policies>
>>>
>>> 11:31:53 AM: nina at ambit:~$ curl -i -d
>>> 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d 'action=POST' -d
>>> 'subjectid=..' 'http://opensso.in-silico.ch/opensso/identity/authorize'
>>> HTTP/1.1 200 OK
>>> Server: nginx/0.6.32
>>> Date: Fri, 11 Jun 2010 08:31:48 GMT
>>> Content-Type: text/plain;charset=UTF-8
>>> Connection: keep-alive
>>> Content-Length: 14
>>>
>>> boolean=false
>>>
>>> Regards,
>>> Nina
>>> Andreas Maunz wrote:
>>>> Nina,
>>>>
>>>> actually, there is no group called 'opentox'. The groups that
>>>> currently exist are 'partner' and 'development'.
>>>> Please check:
>>>>
>>>>
>>>> am at z21:~/aa$ curl -i -d "attributes_names=objecttype" -d
>>>> "attributes_values_objecttype=group" -d
>>>> "admin=AQIC5wM2LY4Sfcx8QFIIIagJH2prVX8o5YXh7EtJa024ps8=@AAJTSQACMDE=#"
>>>> http://opensso.in-silico.ch/opensso/identity/search
>>>> HTTP/1.1 200 OK
>>>> Server: nginx/0.6.32
>>>> Date: Tue, 08 Jun 2010 07:50:30 GMT
>>>> Content-Type: text/plain;charset=UTF-8
>>>> Connection: keep-alive
>>>> Content-Length: 34
>>>>
>>>> string=development
>>>> string=partner
>>>>
>>>> Regards
>>>> Andreas
>>>>
>>>>
>>>> Nina Jeliazkova wrote on 06/11/2010 10:26 AM:
>>>>> Andreas,
>>>>>
>>>>> Thanks, I've created the policy to allow all members of opentox group
>>>>> to do POST and GET
>>>>>
>>>>> curl -i -X GET
>>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
>>>>> 'subjectid: ...'
>>>>> HTTP/1.1 200 OK
>>>>> Server: nginx/0.6.32
>>>>> Date: Fri, 11 Jun 2010 08:22:15 GMT
>>>>> Content-Type: text/xml
>>>>> Connection: keep-alive
>>>>> Content-Length: 1188
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <Policies>
>>>>> <Policy name="nina_top_level_test4"
>>>>> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>> creationdate="1276244370369" lastmodifieddate="1276244370369"
>>>>> referralPolicy="false" active="true">
>>>>> <Rule name="tr1">
>>>>> <ServiceName name="iPlanetAMWebAgentService"/>
>>>>> <ResourceName
>>>>> name="http://nina-vpn.acad.bg:8080/sso_protected"/>
>>>>> <AttributeValuePair>
>>>>> <Attribute name="POST"/>
>>>>> <Value>allow</Value>
>>>>> </AttributeValuePair>
>>>>> <AttributeValuePair>
>>>>> <Attribute name="GET"/>
>>>>> <Value>allow</Value>
>>>>> </AttributeValuePair>
>>>>> </Rule>
>>>>> <Subjects name="s1" description="">
>>>>> <Subject name="test" type="LDAPGroups"
>>>>> includeType="inclusive">
>>>>> <AttributeValuePair>
>>>>> <Attribute name="Values"/>
>>>>>
>>>>> <Value>uid=opentox,ou=groups,dc=opentox,dc=org</Value>
>>>>> </AttributeValuePair>
>>>>> </Subject>
>>>>> </Subjects>
>>>>> </Policy>
>>>>> </Policies>
>>>>>
>>>>> However, I am not getting authorized (same token used in both curls,
>>>>> removed here). And I assume my user is a member of opentox group :)
>>>>>
>>>>>
>>>>> curl -i -d 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d
>>>>> 'action=POST' -d 'subjectid=...'
>>>>> 'http://opensso.in-silico.ch/opensso/identity/authorize'
>>>>> HTTP/1.1 200 OK
>>>>> Server: nginx/0.6.32
>>>>> Date: Fri, 11 Jun 2010 08:21:43 GMT
>>>>> Content-Type: text/plain;charset=UTF-8
>>>>> Connection: keep-alive
>>>>> Content-Length: 14
>>>>>
>>>>> boolean=false
>>>>>
>>>>> Could you help?
>>>>>
>>>>> Best regards,
>>>>> Nina
>>>>>
>>>>> Andreas Maunz wrote:
>>>>>> Sorry, it should read:
>>>>>>
>>>>>> <Subject name="mygroupname" type="LDAPGroups"
>>>>>> includeType="inclusive">
>>>>>> <AttributeValuePair>
>>>>>> <Attribute name="Values"/>
>>>>>> <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
>>>>>> </AttributeValuePair>
>>>>>> </Subject>
>>>>>>
>>>>>> instead.
>>>>>>
>>>>>> A.M.
>>>>>>
>>>>>> Andreas Maunz wrote on 06/11/2010 10:09 AM:
>>>>>>> Hi Nina,
>>>>>>>
>>>>>>> you would create a policy that contains:
>>>>>>>
>>>>>>> <Subject name="mygroupname" type="LDAPUsers"
>>>>>>> includeType="inclusive">
>>>>>>> <AttributeValuePair>
>>>>>>> <Attribute name="Values"/>
>>>>>>> <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
>>>>>>> </AttributeValuePair>
>>>>>>>
>>>>>>> Mind the "ou=groups" instead of "ou=people". Then, create the group
>>>>>>> "mygroup" and assign users to it (contact Micha for that).
>>>>>>>
>>>>>>> Best regards
>>>>>>> Andreas
>>>>>>>
>>>>>>>
>>>>>>> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
>>>>>>>> Hi Andreas,
>>>>>>>>
>>>>>>>> Could you tell how to create a policy that allows a group of
>>>>>>>> users to POST or GET? This would be applicable to almost all top
>>>>>>>> level resources like /algorithm/{id}, etc.
>>>>>>>>
>>>>>>>> Following the example at p.12 of the deliverable D3.3, one could
>>>>>>>> create a policy which is per user only.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Nina
>>>>>>>>
>>>>>>>> Andreas Maunz wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> connections to the OpenSSO service at opensso.in-silico.ch can
>>>>>>>>> now be made secure by using SSL.
>>>>>>>>> Submit your user credentials safely and obtain a token:
>>>>>>>>>
>>>>>>>>> ****************************************************************
>>>>>>>>> am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
>>>>>>>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
>>>>>>>>>
>>>>>>>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
>>>>>>>>> * Trying 178.63.18.76... connected
>>>>>>>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
>>>>>>>>> * successfully set certificate verify locations:
>>>>>>>>> * CAfile: none
>>>>>>>>> CApath: /etc/ssl/certs
>>>>>>>>> * SSLv3, TLS handshake, Client hello (1):
>>>>>>>>> * SSLv3, TLS handshake, Server hello (2):
>>>>>>>>> * SSLv3, TLS handshake, CERT (11):
>>>>>>>>> * SSLv3, TLS handshake, Server finished (14):
>>>>>>>>> * SSLv3, TLS handshake, Client key exchange (16):
>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
>>>>>>>>> * SSL connection using AES256-SHA
>>>>>>>>> * Server certificate:
>>>>>>>>> * subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>>>>>>>> * start date: 2010-06-09 16:38:59 GMT
>>>>>>>>> * expire date: 2020-06-06 16:38:59 GMT
>>>>>>>>> * common name: Christoph Helma (does not match
>>>>>>>>> 'opensso.in-silico.ch')
>>>>>>>>> * issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>>>>>>>> * SSL certificate verify result: self signed certificate (18),
>>>>>>>>> continuing anyway.
>>>>>>>>> > POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
>>>>>>>>> > User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
>>>>>>>>> > OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
>>>>>>>>> > Host: opensso.in-silico.ch
>>>>>>>>> > Accept: */*
>>>>>>>>> > Content-Length: 32
>>>>>>>>> > Content-Type: application/x-www-form-urlencoded
>>>>>>>>> >
>>>>>>>>> < HTTP/1.1 200 OK
>>>>>>>>> HTTP/1.1 200 OK
>>>>>>>>> < Server: nginx/0.6.32
>>>>>>>>> Server: nginx/0.6.32
>>>>>>>>> < Date: Thu, 10 Jun 2010 08:12:27 GMT
>>>>>>>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
>>>>>>>>> < Content-Type: text/plain;charset=UTF-8
>>>>>>>>> Content-Type: text/plain;charset=UTF-8
>>>>>>>>> < Connection: keep-alive
>>>>>>>>> Connection: keep-alive
>>>>>>>>> < Content-Length: 72
>>>>>>>>> Content-Length: 72
>>>>>>>>>
>>>>>>>>> <
>>>>>>>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
>>>>>>>>>
>>>>>>>>> * Connection #0 to host opensso.in-silico.ch left intact
>>>>>>>>> * Closing connection #0
>>>>>>>>> * SSLv3, TLS alert, Client hello (1):
>>>>>>>>> ****************************************************************
>>>>>>>>>
>>>>>>>>> As you can see, a special switch (-k) is still required to allow
>>>>>>>>> connections using the self-signed certificate from Christoph. We
>>>>>>>>> might improve on this by using a free certificate from
>>>>>>>>> startssl.com, which clients trust.
>>>>>>>>>
>>>>>>>>> Moreover, connections without SSL still work as usual.
>>>>>>>>>
>>>>>>>>> Greetings
>>>>>>>>> Andreas
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
http://www.maunz.de
They told me to install Windows ME or better, so I installed Linux.
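The thread above is resolved by a single character class in the policy's group DN: an LDAPGroups subject must name the group by cn= (under ou=groups), while an LDAPUsers subject names the user by uid= (under ou=people). The following is an added example, written for this page and not code from the OpenTox project or from anyone in the thread; it lints the policy XML that /Pol/opensso-pol returns for exactly that mistake and parses the key=value replies of the /identity/authorize, /identity/authenticate and /identity/search endpoints. The sample policy is constructed from the one Nina posted with the audit attributes dropped, and the ou=people base for users is assumed from the thread's mention of "ou=people".

```python
"""Lint OpenSSO policy XML for the LDAPGroups DN mistake and parse the
plain-text replies of the OpenSSO identity REST endpoints.

Added example for the OTDev thread; not OpenTox project code."""
import xml.etree.ElementTree as ET

# Constructed sample: the structure of the policy posted in the thread,
# with the createdby/lastmodifiedby/date attributes left out.
POLICY_XML = """<Policies>
  <Policy name="nina_top_level_test4" referralPolicy="false" active="true">
    <Rule name="tr1">
      <ServiceName name="iPlanetAMWebAgentService"/>
      <ResourceName name="http://nina-vpn.acad.bg:8080/sso_protected"/>
      <AttributeValuePair><Attribute name="POST"/><Value>allow</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
    </Rule>
    <Subjects name="s1" description="">
      <Subject name="test" type="LDAPGroups" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
        </AttributeValuePair>
      </Subject>
    </Subjects>
  </Policy>
</Policies>"""

# Naming attribute and container expected for each subject type.
# ou=groups is taken from the thread; ou=people is assumed for users.
EXPECTED = {
    "LDAPGroups": ("cn", "ou=groups,dc=opentox,dc=org"),
    "LDAPUsers": ("uid", "ou=people,dc=opentox,dc=org"),
}


def lint_policy(xml_text):
    """Return (policy, subject, problem) tuples for every subject DN whose
    naming attribute or container does not fit its subject type.
    A group named by uid= never matches any LDAP group, so the authorize
    endpoint answers boolean=false even for members of that group."""
    problems = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        for subject in policy.iter("Subject"):
            stype = subject.get("type")
            if stype not in EXPECTED:
                continue  # e.g. AuthenticatedUsers carries no DN
            want_attr, want_base = EXPECTED[stype]
            for value in subject.iter("Value"):
                dn = (value.text or "").strip()
                rdn, _, base = dn.partition(",")
                attr = rdn.split("=", 1)[0].strip().lower()
                where = (policy.get("name"), subject.get("name"))
                if attr != want_attr:
                    problems.append(where + (
                        f"{stype} DN must start with {want_attr}=, got '{rdn}'",))
                if base.replace(" ", "").lower() != want_base:
                    problems.append(where + (
                        f"{stype} DN must be under {want_base}, got '{base}'",))
    return problems


def parse_identity_response(body):
    """Parse the key=value lines the identity endpoints return, e.g.
    'boolean=false' (authorize), 'token.id=...' (authenticate) or the
    repeated 'string=...' lines of search. Only the first '=' separates
    key from value, because token ids themselves contain '=' characters."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        result.setdefault(key, []).append(value)
    return result


def is_authorized(body):
    """True only for an explicit boolean=true; anything else is a deny."""
    return parse_identity_response(body).get("boolean") == ["true"]


if __name__ == "__main__":
    for policy, subject, problem in lint_policy(POLICY_XML):
        print(f"{policy}/{subject}: {problem}")
    print("authorized:", is_authorized("boolean=false\n"))
```

Run against the sample it reports the uid=partner DN; swapping in cn=partner, as the thread's final message says, yields no findings. Treating every reply other than an exact boolean=true as a deny keeps a client from granting access on a malformed or truncated body.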