Signed Authentication and Authorization

Posted on May 16, 2012 by Adam Young

Openstack Keystone currently operates on-line validation for Tokens.Â Once a token is issued out,Â each of the systems presented with the token has to check the validity of the token with the Keystone server.Â This makes Keystone the highest traffic service in an Openstack deployment.Â Using Cryptographic Message Syntax (CMS) we can generated a token that can be verified using public key cryptography instead of making a network call.Â Here’s a proof-of-concept example using the command line tools.

Continue reading →

Generating a Signing Cert using certutil

Posted on May 16, 2012 by Adam Young

Imagine a locked room with a big window. If I am the only person with a key to room, and I tape a poster up inside the window, everyone can read it, and everyone can state with a pretty high degree of certainty that I was the person that I put up the poster. This is analogy to how you can use PKI to sign a document.

Continue reading →

My Openstack Tasks

Posted on May 2, 2012 by Adam Young

Now that Folsom development has started in earnest,Â I figured I’d follow Russell‘s example and write down a bit of my plan for work in the next couple of months.

Continue reading →

Openstack Keystone in HTTPD

Posted on April 4, 2012 by Adam Young

After calling for Keystone to migrate to HTTPD, several people asked me if I would show how this can be done. Here are the steps.

Continue reading →

Client Certificates with mod_nss

Posted on March 30, 2012 by Adam Young

Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.

Continue reading →

Setting up SSL with NSS is easier than you think

Posted on March 30, 2012 by Adam Young

At least, it is on Fedora 16

sudo yum install mod_nss

/etc/httpd/alias/ is populated already with ca and server cert self signed
/etc/httpd/conf.d/nss.conf already exists
change 8443 to 443 in two places

--- /etc/httpd/conf.d/nss.conf.orig	2012-03-29 12:59:06.319470425 -0400
+++ /etc/httpd/conf.d/nss.conf	2012-03-29 12:19:38.862721465 -0400
@@ -17,7 +17,7 @@
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
 #       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
 #
-Listen 8443
+Listen 443
 
 ##
 ##  SSL Global Context
@@ -81,7 +81,7 @@
 ## SSL Virtual Host Context
 ##
 
-
+
 
 #   General setup for the virtual host
 #DocumentRoot "/etc/httpd/htdocs"

Make sure your firewall is open on the HTTPS port. Add the following line in /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

before the statement

-A INPUT -j REJECT --reject-with icmp-host-prohibited

and restart the services

sudo systemctl restart iptables.service
sudo systemctl restart httpd.service

The documentation provides a lot more detail. Almost all of these steps are performed by the RPM install on F16 and later.

Announcing Dogtag 10.0.0 (Alpha)

Posted on March 15, 2012 by Adam Young

The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.

(Reposted from the pki-users mailing list)

Continue reading →

PKI for Keystone

Posted on March 1, 2012 by Adam Young

A recent discussion on the Openstack mailing list brought to light the high load that the Keystone server has due to each server having to authenticate each and every request against Keystone.

Continue reading →

Certificates for Web SSO

Posted on October 27, 2011 by Adam Young

Kerberos is a single sign on solution. AFAICT, it is the only one that solves the problem completely: You confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn’t work over he public internet only due to the fact that most corporate firewalls block the ports it needs.Â SoÂ we want to be able to do Kerberos, or its equivalent from the browser.

Continue reading →

REST and PKI

Posted on October 18, 2011 by Adam Young

The Dogtag PKI project is a longÂ lived project.Â It is a Java Web Server based application that predates many of the technologies that now are standards of Java Web development.Â One requirement that has changed over time is how to access the server remotely. Continue reading →

Adam Young's Web Log

The Notebook of a Programmer Climber Musician Ex-Soldier Woodworker and a few other things

Category Archives: PKI

Signed Authentication and Authorization

Generating a Signing Cert using certutil

My Openstack Tasks

Openstack Keystone in HTTPD

Client Certificates with mod_nss

Setting up SSL with NSS is easier than you think

Announcing Dogtag 10.0.0 (Alpha)

PKI for Keystone

Certificates for Web SSO

REST and PKI