Bug 40927 - Make SSL certificate for SAML server configurable
Make SSL certificate for SAML server configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Florian Best
Jürn Brodersen
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-19 09:25 CET by Sven Anders
Modified: 2017-09-20 15:03 CEST (History)
7 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017072621000191, 2017081721000321
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Anders 2016-03-19 09:25:12 CET
It should be posible to change the the Apache config of: 

/etc/univention/templates/files/etc/apache2/sites-available/univention-saml

and make it posible to change the directives:

* SSLCertificateFile 
* SSLCertificateKeyFile 
* SSLCACertificateFile 
and (not present by default):
* SSLCertificateChainFile

by an UCR-Variable.

See also:

http://forum.univention.de/viewtopic.php?f=48&t=4897
Comment 1 Nico Stöckigt univentionstaff 2017-07-26 12:15:54 CEST
requested again by @school customer
Comment 2 Florian Best univentionstaff 2017-08-04 12:30:54 CEST
@Jürn: could create a patch for this, when you've got some time.
Comment 3 Florian Best univentionstaff 2017-08-21 16:15:35 CEST
Requested again.
Comment 4 Stefan Gohmann univentionstaff 2017-08-23 07:00:02 CEST
For the affected customers it is really difficult so I raised "feel" flag.
Comment 5 Stefan Gohmann univentionstaff 2017-08-23 07:02:31 CEST
Please also check the 92univention-management-console-web-server.inst join script and the script /etc/univention/templates/modules/setup_saml_sp.py. One of the customers reported the curl command uses the ucsCA.
Comment 6 Florian Best univentionstaff 2017-08-23 08:59:22 CEST
(In reply to Stefan Gohmann from comment #5)
> Please also check the 92univention-management-console-web-server.inst join
> script and the script /etc/univention/templates/modules/setup_saml_sp.py.
> One of the customers reported the curl command uses the ucsCA.

yes, this is because Bug #39179 was unfixed at that time.
Comment 7 Stefan Gohmann univentionstaff 2017-08-23 14:23:12 CEST
I don't see any options for our customers to solve it. Thus, I increased the "feel" flag once again because they are blocked.
Comment 9 Florian Best univentionstaff 2017-09-19 16:28:49 CEST
The certificates are now configurable via UCR-Variables similar to the one for the regular apache configuration:

+[saml/apache2/ssl/certificate]
+Description[de]=Der absolute Pfad zur SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$domainname/cert.pem).
+Description[en]=The absolute path to the SSL certificate file for mod_ssl of the SAML virtualhost. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/cert.pem).
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/key]
+Description[de]=Der absolute Pfad zum privaten RSA/DSA-Schlüssel der SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Der Schlüssel muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$doma
+Description[en]=The absolute path to the private RSA/DSA key of the SSL certificate file for mod_ssl of the SAML virtualhost. The key needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/privat
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/ca]
+Description[de]=Der absolute Pfad zum Zertifikat der Zertifizierungsstelle (CA) für mod_ssl. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucsCA/CAcert.pem).
+Description[en]=The absolute path to the certificate of the certificate authority (CA) for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucsCA/CAcert.pem).
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/certificatechain]
+Description[de]=Der Pfad zu einer Datei mit den CA-Zerifikaten. Diese werden dem Clientbrowser eines Benutzers übermittelt, damit ein Zertifikat für die Authentifizierung des Benutzers ausgewählt werden kann, das von einer dieser CAs ausgestellt wurde.
+Description[en]=The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs.
+Type=str
+Categories=saml

What I tested:
1. Configured a domain with DC MAster, DC Slave, DC Backup. Install new packages everywhere.
2. created some new certificates from another CA, copied them to the system
3. ucr set saml/apache2/ssl/key=/etc/univention/ssl/saml/private.key saml/apache2/ssl/certificate=/etc/univention/ssl/saml/cert.pem saml/apache2/ssl/ca=/etc/univention/ssl/saml/ca/CAcert.pem
4. service apache2 reload
5. Opened a browser to the https://slave32.saml.dev/univention/management/ and single sign on'ed to every system.

univention-saml (4.0.14-10):
ccef254f42c6f15f966cd3951efebe3f2ce49845 | Merge branch 'fbest/40927-saml-certificate' into 4.2-2
8a5e4f4ddcdef843fb388cf8f6e480e4b084db13 | Bug #40927: make SAML apache certificate configurable

univention-saml.yaml:
87f5615c4bb3e0b6db05a3e88b8a3bb0a9612e7a | YAML Bug #40927
Comment 10 Jürn Brodersen univentionstaff 2017-09-20 12:38:35 CEST
Looks good

What I tested:
On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK

On master, backup
Moved the certificates under /etc/univention/ssl/ucs-sso.univention.intranet to /tmp
ucr set saml/apache2/ssl/...
restart apache -> OK

On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK

On master, backup
Moved certs back
unset saml/apache2/ssl/...
restart apache -> OK

On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK

YAML -> OK
Comment 11 Erik Damrose univentionstaff 2017-09-20 15:03:52 CEST
<http://errata.software-univention.de/ucs/4.2/170.html>