While Kerberos' reputation as a Single Sign On solution is quite strong, its adoption outside the corporate VPN has been limited. One reason is that many hosting providers block port 88 (the KDC port, both TCP and UDP) in their firewalls. What would it take to make Kerberos a viable solution in a web-only, constrained situation?
My Openstack Tasks
Now that Folsom development has started in earnest, I figured I'd follow Russell's example and write down a bit of my plan for work in the next couple of months.
Array of Parameter Names in Java
My last post suggested an extension to the Java language that I think will be quite helpful. Until such a feature exists, we can fake it by using annotations.
Continue reading
Parameter Names in Java
There is a very small feature that could be added to Java in order to improve it significantly: Add names to the Parameter object in the Reflection API.
Continue reading
Openstack Keystone in HTTPD
After calling for Keystone to migrate to HTTPD, several people asked me if I would show how this can be done. Here are the steps.
Client Certificates with mod_nss
Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.
Setting up SSL with NSS is easier than you think
At least, it is on Fedora 16
sudo yum install mod_nss
/etc/httpd/alias/ is already populated with a self-signed CA and server certificate (fine for testing; replace them with certificates your clients actually trust before exposing the host)
/etc/httpd/conf.d/nss.conf already exists
change 8443 to 443 in two places: the Listen directive and the matching port in the SSL Virtual Host Context section
--- /etc/httpd/conf.d/nss.conf.orig 2012-03-29 12:59:06.319470425 -0400 +++ /etc/httpd/conf.d/nss.conf 2012-03-29 12:19:38.862721465 -0400 @@ -17,7 +17,7 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" # -Listen 8443 +Listen 443 ## ## SSL Global Context @@ -81,7 +81,7 @@ ## SSL Virtual Host Context ## -+ # General setup for the virtual host #DocumentRoot "/etc/httpd/htdocs"
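Review bot: the Listen hunk changes `Listen 8443` to `Listen 443` but leaves the comment two lines above it still describing `Listen [::]:8443`; update that comment to `[::]:443` so it matches the directive. The second hunk, `@@ -81,7 +81,7 @@`, shows only bare `-` and `+` markers with no content after the `## SSL Virtual Host Context` header, so the second of the two 8443-to-443 changes the text calls for is not visible in this diff.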
Make sure your firewall is open on the HTTPS port. Add the following line to /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
before the statement
-A INPUT -j REJECT --reject-with icmp-host-prohibited
and restart the services
sudo systemctl restart iptables.service
sudo systemctl restart httpd.service
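The nss.conf and iptables edits above as one script, added here as an example and not part of the original post. It takes the file paths as parameters so the edits can be tried on copies first and checked; the `<VirtualHost _default_:8443>` line is assumed to be the second of the two places the post says to change, and the `--apply` guard at the end is the only part that touches the live system paths.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two edits described
# above to nss.conf and /etc/sysconfig/iptables. Without arguments it only
# defines the functions; with --apply it edits the live files and restarts
# the services.

# Move mod_nss from 8443 to 443 in two places: the Listen directive and the
# VirtualHost directive. The "_default_:8443" form of the VirtualHost line is
# an assumption about the stock Fedora nss.conf; adjust if yours differs.
switch_nss_port() {
    conf="$1"
    sed -e 's/^Listen 8443$/Listen 443/' \
        -e 's/_default_:8443/_default_:443/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Check: succeed (exit 0) only when no reference to 8443 remains.
port_moved() {
    if grep -q '8443' "$1"; then
        return 1
    fi
    return 0
}

# Insert the HTTPS ACCEPT rule immediately before the catch-all REJECT, so
# it is evaluated first. Idempotent: a second run adds nothing, which matters
# because duplicate ACCEPT rules are harmless but hide config drift.
open_https_port() {
    rules="$1"
    if grep -q -- '--dport 443 -j ACCEPT' "$rules"; then
        return 0
    fi
    awk '
        /^-A INPUT -j REJECT --reject-with icmp-host-prohibited/ && !done {
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT"
            done = 1
        }
        { print }
    ' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Live run only when explicitly requested (needs root).
if [ "${1:-}" = "--apply" ]; then
    switch_nss_port /etc/httpd/conf.d/nss.conf
    port_moved /etc/httpd/conf.d/nss.conf || echo "warning: 8443 still referenced in nss.conf" >&2
    open_https_port /etc/sysconfig/iptables
    systemctl restart iptables.service
    systemctl restart httpd.service
fi
```

Before running with `--apply`, run the functions against copies of both files (source the script, then call `switch_nss_port` and `open_https_port` on the copies) and diff the results against the originals; the awk insertion is ordered before the REJECT line deliberately, since iptables evaluates rules top to bottom and an ACCEPT placed after the REJECT is never reached.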
The documentation provides a lot more detail. Almost all of these steps are performed by the RPM install on F16 and later.
Shared Nothing Diskless Boot
It is possible to run a computer with no persistent storage for its root file system at all: a single image is downloaded at boot and held in RAM. The computer needs neither a local disk nor a SAN or NAS device for the root file system.
There are numerous uses for this style of booting. A short list:
- Debugging the installation processes of software packages
- Running computationally intensive tasks on a large array of nodes
- Inventorying the hardware on new servers
- Deploying a light management framework for virtualization hypervisors
Fedora 16 Devstack
Devstack is a developer tool for dealing with the wide array of projects that make up openstack. The original devstack is Ubuntu specific. Russell B has been working on getting Fedora its own Devstack. Today, I’m a test subject.
Announcing Dogtag 10.0.0 (Alpha)
The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.
(Reposted from the pki-users mailing list)