Friday, December 4, 2015

Attribute Authority, Command Line Interface (AACLI)

Today, I have encountered one interesting tool in Shibboleth IdP which will check the resolver, filters and also the metadata so that you can know exactly what will happen in any given situation without starting the IdP. J

As a developer, I would say it’s a great tool as you don’t have to restart your IdP again and again after every changes.

The name of the tool is (Attribute Authority, Command Line Interface) ACCLI which is located in the IDP_HOME/bin directory and is called aacli.sh or aacli.bat.

How it works?

Make sure, you have set IDP_HOME to your system environment variable.

To check what all attribute it will return for userId SysAdmin and Service Provider EntityId “https://domain.waheedtechblog.com/shibboleth”)

aacli.bat --configDir=C:\idp\conf\ --principal=SysAdmin --requester=https://domain1.com/Shibboleth



Please check here for detail information.
- No comments:
Labels: ,

Wednesday, October 14, 2015

How to enable multiple domains in Apache Server using Name-Based VirtualHosts and SSL

Scenario: I have an Apache Server(SSL enabled) and tomcat running on my machine and there is one application (app1) hosted on tomcat which is only accessible from Apache Server. You cannot access it directly from tomcat.
Now you want to access app1 using multiple domains i.e. domain1.waheedtechblog.com annd domain2.waheedtechblog.com should point to the same application which is hosted on tomcat.

 (I want to implement different Authentication mechanism based on different domains)
Solution: The above case can be achieved using NameBased VirtualHosts and SSL.
First you need to uncomment following lines form ${apache}/conf/httpd.conf file
  • LoadModule ssl_module modules/mod_ssl.so
  • LoadModule proxy_module modules/mod_proxy.so
  • LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
  • LoadModule rewrite_module modules/mod_rewrite.so
  • LoadModule proxy_http_module modules/mod_proxy_http.so
  • Include conf/extra/httpd-ssl.conf

then goto ${apache}/conf/extra/httpd-ssl.conf file add Virtualhost tag for each domain.

Listen 443
NameVirtualHost *:443

<VirtualHost *:443>

DocumentRoot "c:/Apache2/htdocs"
ServerName domain1.waheedtechblog.com
ServerAdmin admin@example.com
ErrorLog "c:/Apache2/logs/error_domain1.log"
TransferLog "c:/Apache2/logs/access_domain1.log"

SSLEngine on
SSLCertificateFile "C:\Apache2\certificate\domain1.crt"
SSLCertificateKeyFile "C:\Apache2\certificate\domain1.key"

ProxyPass / ajp://sp.domain.com:8009/app1/

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:443>

DocumentRoot "c:/Apache2/htdocs"
ServerName domain2.waheedtechblog.com
ServerAdmin admin@example.com
ErrorLog "c:/Apache2/logs/error_domain2.log"
TransferLog "c:/Apache2/logs/access_domain2.log"

SSLEngine on
SSLCertificateFile "C:\Apache2\certificate\domain2.crt"
SSLCertificateKeyFile "C:\Apache2\certificate\domain2.key"

ProxyPass / ajp://sp.domain.com:8009/app1/

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

Points to remember:
  • Add all DNS entry in system hosts file Eg: for windows (Add “127.0.0.1 domain1.waheedtechblog.com” to “C:\Windows\System32\drivers\etc\hosts”)
  • Make sure you are using different certificates and Key for each domain or else it will always point to default VirtualHost i.e. first one that you have defined. Click here on how to generate key and certificate.
  • In proxyPass, always ends with '/' or else you will see redirect issue.

In case of any issue, You can drop your comment in the comment box.

Reference:

https://wiki.apache.org/httpd/NameBasedSSLVHosts
- 1 comment:
Labels: , , ,

How to generate SSL Key, CSR and Self Signed Certificate using OpenSSL.

I have already discussed how to generate SSL certificate using keytool over here. In this article, I am going to explain how can you achieved the same thing using OpenSSL tool.
The three differnet files that I am going to generate i.e. :
  • waheedtechblog.key
  • waheedtechblog.csr
  • waheedtechblog.crt

Generate Private key : waheedtechblog.key

openssl genrsa -des3 -out waheedtechblog.key 1024



Generate a Certificate Signing Request (CSR)

Using above generated key file, We will now create the CSR file

openssl req -new -key waheedtechblog.key -out waheedtechblog.csr



Generate a Self-Signed SSL Certificate

openssl x509 -req -days 365 -in waheedtechblog.csr -signkey waheedtechblog.key -out waheedtechblog.crt



These file can be used to enable SSL in Apache Server.

Sometime, we need to remove passphrase to run key in Apache Server, if you get such issue while enabling SSL in Apache Server then run following command to remove passphrase :

openssl rsa -in waheedtechblog.key -out waheedtechblog_new.key



Your new file is key without encryption.


Thank you..!!!!




- No comments:
Labels: , ,
Subscribe to: Posts (Atom)

How TOPT Works: Generating OTPs Without Internet Connection

Introduction Have you ever wondered how authentication apps like RSA Authenticator generate One-Time Passwords (OTPs) without requiring an i...