Univention Bugzilla – Full Text Bug Listing
Summary: | Make SSL certificate for SAML server configurable | ||
---|---|---|---|
Product: | UCS | Reporter: | Sven Anders <s.anders> |
Component: | SAML | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
Severity: | normal | ||
Priority: | P5 | CC: | best, brodersen, gohmann, grandjean, markus.daehlmann, scheinig, stoeckigt |
Version: | UCS 4.2 | Flags: | best: Patch_Available+ |
Target Milestone: | UCS 4.2-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.429 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017072621000191, 2017081721000321 | Bug group (optional): | |
Max CVSS v3 score: | | ||
Description
Sven Anders
2016-03-19 09:25:12 CET
requested again by @school customer

@Jürn: could create a patch for this, when you've got some time.

Requested again. For the affected customers it is really difficult so I raised "feel" flag.

Please also check the 92univention-management-console-web-server.inst join script and the script /etc/univention/templates/modules/setup_saml_sp.py. One of the customers reported the curl command uses the ucsCA.

(In reply to Stefan Gohmann from comment #5)
> Please also check the 92univention-management-console-web-server.inst join
> script and the script /etc/univention/templates/modules/setup_saml_sp.py.
> One of the customers reported the curl command uses the ucsCA.

yes, this is because Bug #39179 was unfixed at that time.

I don't see any options for our customers to solve it. Thus, I increased the "feel" flag once again because they are blocked.

The certificates are now configurable via UCR-Variables similar to the one for the regular apache configuration:

+[saml/apache2/ssl/certificate]
+Description[de]=Der absolute Pfad zur SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$domainname/cert.pem).
+Description[en]=The absolute path to the SSL certificate file for mod_ssl of the SAML virtualhost. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/cert.pem).
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/key]
+Description[de]=Der absolute Pfad zum privaten RSA/DSA-Schlüssel der SSL-Zertifikatsdatei für mod_ssl des SAML VirtualHost. Der Schlüssel muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucs-sso.$doma
+Description[en]=The absolute path to the private RSA/DSA key of the SSL certificate file for mod_ssl of the SAML virtualhost. The key needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucs-sso.$domainname/privat
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/ca]
+Description[de]=Der absolute Pfad zum Zertifikat der Zertifizierungsstelle (CA) für mod_ssl. Das Zertifikat muss PEM-codiert sein. Ist die Variable nicht gesetzt, wird das Zertifikat aus der UCS-CA verwendet (/etc/univention/ssl/ucsCA/CAcert.pem).
+Description[en]=The absolute path to the certificate of the certificate authority (CA) for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/ucsCA/CAcert.pem).
+Type=str
+Categories=saml
+
+[saml/apache2/ssl/certificatechain]
+Description[de]=Der Pfad zu einer Datei mit den CA-Zerifikaten. Diese werden dem Clientbrowser eines Benutzers übermittelt, damit ein Zertifikat für die Authentifizierung des Benutzers ausgewählt werden kann, das von einer dieser CAs ausgestellt wurde.
+Description[en]=The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs.
+Type=str
+Categories=saml

What I tested:
1. Configured a domain with DC Master, DC Slave, DC Backup. Install new packages everywhere.
2. created some new certificates from another CA, copied them to the system
3. ucr set saml/apache2/ssl/key=/etc/univention/ssl/saml/private.key saml/apache2/ssl/certificate=/etc/univention/ssl/saml/cert.pem saml/apache2/ssl/ca=/etc/univention/ssl/saml/ca/CAcert.pem
4. service apache2 reload
5. Opened a browser to the https://slave32.saml.dev/univention/management/ and single sign on'ed to every system.
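Review bot: In the saml/apache2/ssl/key entry both descriptions say that when the variable is unset "the certificate from the UCS CA is used" (German: "wird das Zertifikat aus der UCS-CA verwendet"), although this variable holds the private key and the fallback path shown points at the key file under /etc/univention/ssl/ucs-sso.$domainname/, not at cert.pem; the sentence should say the private key from the UCS CA is used, in both languages, so an administrator reading ucr info is not led to point this variable at a certificate. In the saml/apache2/ssl/certificatechain entry, Description[de] has a typo ("CA-Zerifikaten" for "CA-Zertifikaten") and the English "so that a certificate for authentication the user can be selected" should read "so that a certificate for authenticating the user can be selected".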
univention-saml (4.0.14-10):
ccef254f42c6f15f966cd3951efebe3f2ce49845 | Merge branch 'fbest/40927-saml-certificate' into 4.2-2
8a5e4f4ddcdef843fb388cf8f6e480e4b084db13 | Bug #40927: make SAML apache certificate configurable
univention-saml.yaml:
87f5615c4bb3e0b6db05a3e88b8a3bb0a9612e7a | YAML Bug #40927

Looks good

What I tested:
On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
On master, backup
Moved the certificates under /etc/univention/ssl/ucs-sso.univention.intranet to /tmp
ucr set saml/apache2/ssl/...
restart apache -> OK
On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
On master, backup
Moved certs back
unset saml/apache2/ssl/...
restart apache -> OK
On master, backup, slave
ucs-test -s saml -E dangerous (without 27_renewed_idp_cert) -> OK
YAML -> OK
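A pre-flight check for the three paths set in step 3 of the test procedure above, added here as an example that is not code from the bug, the patch or UCS: it confirms that each file parses as PEM, that the key belongs to the certificate and that the certificate verifies against the configured CA before apache2 is reloaded, so a mismatched key or foreign CA is caught before mod_ssl serves it. It assumes openssl is on the PATH; the CA, certificate and keys it exercises are constructed throwaways in a temp directory, not the UCS CA files.

```shell
#!/bin/sh
# Pre-flight check for the files named by saml/apache2/ssl/certificate,
# saml/apache2/ssl/key and saml/apache2/ssl/ca before "service apache2 reload":
# each file must parse as PEM, the key must belong to the certificate and the
# certificate must verify against the CA. Returns 0 only when all three hold.
check_saml_ssl() {
    cert="$1"; key="$2"; ca="$3"
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # PEM parsing: certificate and CA must be X.509, the key a private key
    openssl x509 -noout -in "$cert" 2>/dev/null || { echo "not a PEM certificate: $cert" >&2; return 1; }
    openssl x509 -noout -in "$ca" 2>/dev/null || { echo "not a PEM certificate: $ca" >&2; return 1; }
    openssl pkey -noout -in "$key" 2>/dev/null || { echo "not a PEM private key: $key" >&2; return 1; }
    # key/certificate match: compare the SHA-256 of the public key carried by each
    cpub=$(openssl x509 -noout -pubkey -in "$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    kpub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cpub" = "$kpub" ] || { echo "private key does not match certificate" >&2; return 1; }
    # chain check: refuse a certificate the configured CA did not issue
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "certificate does not verify against CA" >&2; return 1; }
    return 0
}

# Constructed fixture (not from the bug): a throwaway CA, a leaf certificate it
# signs for the SSO host name, and a second, unrelated CA with its key.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs-sso.example.test" \
        -keyout "$d/sso.key" -out "$d/sso.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/sso.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/sso.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$d/other.key" -out "$d/other_ca.pem" >/dev/null 2>&1
    echo "$d"
}

FIX=$(make_fixture)
# Matching key, certificate and CA: the reload would be safe.
check_saml_ssl "$FIX/sso.pem" "$FIX/sso.key" "$FIX/ca.pem" && echo "ok: consistent"
# Wrong key for the certificate: must be caught before Apache is reloaded.
if ! check_saml_ssl "$FIX/sso.pem" "$FIX/other.key" "$FIX/ca.pem"; then echo "rejected: key mismatch"; fi
```

Run it with the real values from ucr get saml/apache2/ssl/key, saml/apache2/ssl/certificate and saml/apache2/ssl/ca in place of the fixture paths; a non-zero exit means the reload would leave the SAML virtualhost with an inconsistent certificate setup.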