How to Set Up an Informatics EASE Authenticated Website

Basically, EASE is Cosign, like our Weblogin Cosign. The only difference is that you need to register your Informatics EASE website with IS, rather than having it registered automatically with our weblogin.inf servers via the Cosign component.

IS have these web pages, https://www.ease.ed.ac.uk/admindocs/, but the only bit we're interested in is https://www.ease.ed.ac.uk/admindocs/apache.html. You can ignore the bit about getting them to sign certificates for us; our locally generated x509 ones will do.

So the only thing you need to do is generate the necessary x509 cert and then (as it says on one of the links above) email ext6033@ed with the details of the site and the CN of the certificate you generated.

You then need to set the appropriate Cosign Apache directives (given on the second link above). You could do it via the Cosign component, but you should make sure it doesn't pollute the spanning map, which would try to add your website to our Cosign service.

As an example, this is what I did for ease.homepages.inf.ed.ac.uk. In the service's LCFG header I added:

!x509.keys                mADD(easehome)
x509.service_easehome         ease.homepages.inf.ed.ac.uk
x509.keyfile_easehome         /etc/httpd/conf/ssl.key/ease.homepages.inf.ed.ac.uk.key
x509.certfile_easehome        /etc/httpd/conf/ssl.crt/ease.homepages.inf.ed.ac.uk.crt
x509.chainfile_easehome       /etc/httpd/conf/ssl.crt/ease.homepages.inf.ed.ac.uk.chain
x509.component_easehome       apache   /* restart apache if keys change */
!x509.uid_easehome                  mSET(apache)
!x509.gid_easehome                  mSET(apache)
!x509.hashed_easehome               mSET(/etc/httpd/conf/CA)

Email IS with:

we'd like to use EASE to protect our site:
https://ease.homepages.inf.ed.ac.uk/
The CN for the certificate is: ease.homepages.inf.ed.ac.uk
We will be using SSL to serve the pages.

I manually configured Apache (i.e. didn't use the component) with these resources:

CosignService                   eucsCosign-ease.homepages.inf.ed.ac.uk
CosignHostname                  www.ease.ed.ac.uk
CosignRedirect                  https://www.ease.ed.ac.uk/cosign.cgi
CosignPostErrorRedirect         https://www.ease.ed.ac.uk/post_error.html
CosignCrypto           /etc/httpd/conf/ssl.key/ease.homepages.inf.ed.ac.uk.key /etc/httpd/conf/ssl.crt/ease.homepages.inf.ed.ac.uk.crt /etc/httpd/conf/CA
CosignValidReference            ^https://ease\.homepages\.inf\.ed\.ac\.uk(/.*)?
CosignValidationErrorRedirect   https://www.ease.ed.ac.uk/validation_error.html

Note the first directive, CosignService, is the cookie name that the EASE servers are expecting. You should be told by IS what that is but, as their docs say, the convention is that it will be "eucsCosign-".
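
The CosignValidReference pattern above decides which return URLs the site accepts after login, so it is worth testing before the site goes live. The following is an added example, not part of the original page or of the Cosign or EASE documentation. It assumes nothing about how the Cosign filter applies the pattern, so it tries both readings (prefix match and whole-string match); the sample URLs and ANCHORED_PATTERN are constructed for illustration.

```python
import re

# The pattern exactly as it appears in the Apache configuration above.
PAGE_PATTERN = r"^https://ease\.homepages\.inf\.ed\.ac\.uk(/.*)?"
# Constructed variant (not from the page): the same pattern with an end anchor.
ANCHORED_PATTERN = PAGE_PATTERN + "$"

# Constructed return URLs paired with the verdict we want for each.
SAMPLES = [
    ("https://ease.homepages.inf.ed.ac.uk", True),
    ("https://ease.homepages.inf.ed.ac.uk/", True),
    ("https://ease.homepages.inf.ed.ac.uk/~user/index.html", True),
    ("http://ease.homepages.inf.ed.ac.uk/", False),               # not HTTPS
    ("https://easeXhomepages.inf.ed.ac.uk/", False),              # passes only if dots are unescaped
    ("https://ease.homepages.inf.ed.ac.uk.example.net/", False),  # longer hostname
    ("https://ease.homepages.inf.ed.ac.uk@example.net/", False),  # real host is example.net
]


def accepts(pattern, url, whole_string):
    """Return True if pattern accepts url.

    whole_string=True requires the match to cover the entire URL;
    whole_string=False accepts a match anywhere, which for a pattern
    starting with ^ means a matching prefix is enough.
    """
    rx = re.compile(pattern)
    match = rx.fullmatch(url) if whole_string else rx.search(url)
    return match is not None


def audit(pattern, whole_string):
    """Return the sample URLs whose verdict differs from the wanted one."""
    return [url for url, wanted in SAMPLES
            if accepts(pattern, url, whole_string) != wanted]


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        for whole in (True, False):
            mode = "whole-string" if whole else "prefix"
            print(f"{name:9} {mode:13} unexpected: {audit(pattern, whole)}")
```

If the prefix reading reports unexpected URLs for a pattern, ending the pattern with `$` makes the two readings agree.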

That's it (for the EASE Cosign part). You still have to do the usual stuff to set up your HTTPS web service.

-- NeilBrown - 21 Mar 2012

Topic revision: r1 - 21 Mar 2012 - 16:06:36 - NeilBrown