Friday, 25 July 2008

What has kept me busy lately

It's been a while, hasn't it?

Well I realize I haven't updated this blog a lot recently, but that's because I was working hard to get the first results towards "Bonjour Robert!"

First thing first, the architecture has changed a bit compared to my first idea on how to say "Bonjour Robert!"

From applet to Reverse Proxy architecture

We figured out that the management of the smart card on the client's side was already done by firefox, through the registration of Belgian eID PKCS#11 module in the browser. So the idea was to set up a reverse proxy that would ensure secure access to imexis' website http://www.imexis.net

So this would consist of 3 steps

1) install the reverse proxy
2) configure the reverse proxy to map the access to www.imexis.net
3) configure firefox and connect to the reverse proxy (which should result in an access to www.imexis.net)

Well, step 1 was not really a piece of cake if you ask me. First I wanted to install the proxy on my Mac, but I soon ran into problems compiling the apache server and openssl (openssl is used to create the self-signed certificates and private keys for the server). After several attempts I decided to use a Virtual Machine with an Ubuntu Linux distribution on it. This way it would be easier to find information on forums (running apache servers on Linux is a very common thing), and I would be sure not to have any compatibility issues. Moreover, the documentation I had available to me covered the case of a Linux installation.

So I installed a program called VMWare that makes it possible to run my Virtual Machine, and installed Ubuntu (yeehaa, welcome to the Linux world).

Next step was to follow the procedure found in the Belgian eID Authentication Reverse Proxy User's Guide. The document may seem straightforward but it is important to understand every single step of it thoroughly. This is of course what took me a while to realize. It had already been 3 days since I first tried to install it on my Mac, and yet I hadn't progressed an inch with that installation. It took me one more day to figure out how to get all the necessary components for Ubuntu, and to finish the compilation and installation of the apache and openssl server.

Venturing in the World of Linux

I wanted to talk a bit about Ubuntu before I go on with this, since I spent a lot of time discovering all sorts of things with Linux and Ubuntu.

First, the most important thing to remember with Ubuntu is the apt-get command. If you need to install an application on your Operating System, like for example a text editor or the GNU C Compiler, you don't need to look it up on the internet (like you would for Windows XP): there is probably a package made by its creator that you can download and install simply by doing

apt-get install gcc
You don't need to do anything else, which is magical (and probably one of the reasons why people like Ubuntu so much). There is also an application that provides a more graphical interface to apt-get which is called aptitude.

I had used Linux before, but with a graphical interface, and at that time I didn't really use it in depth. I still have a lot of things to discover of course, but it is really a pleasure to start with all this. It can also be frustrating not to know how to do things, but I hereby salute my friends who helped me out when I was lost, and also the internet community, which is very active and contains loads of useful information.

Configuring the proxy

Let's get back to our reverse proxy :-) So I had compiled and installed apache, now it was time to configure the beast, and that's also a tough task. The documentation mentioned above contained all I needed of course, but in order to understand what I was doing, I used the apache documentation a lot.

First thing, I had to configure the SSL part of apache (which enables secure connections). This is all managed by an apache module named mod_ssl:

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

I then had to create the self-signed certificates by using openssl. This is done in 3 steps:

1) generate a private key for the server:

This key will serve to encode outgoing information from the proxy, which can only be decoded with the public key (as I explained a few posts before):
openssl genrsa -out server.key 1024
Openssl will create a 1024-bit RSA key. You are then prompted by openssl to specify which hashing algorithm will be used, as well as other options and specifications about the owner of the key.

2) generate a certificate signing request

A certificate needs to be signed in order to be accepted. With our private key we can generate a signing request, which can then be sent to a Certificate Authority who will officially sign the certificate. You can also sign it yourself, but in that case, whoever receives this certificate in his browser will be warned that it is not signed by a trusted source, and the user will be required to either accept or reject that certificate.

openssl req -out req.csr -new -key server.key -sha1 -days 2000
3) Self-sign the certificate

Since this certificate will be used for testing, I don't really need to have it signed by a CA (I know I can trust myself =-)) so I can sign it myself this way

openssl x509 -in req.csr -out server_cert.pem -req -signkey server.key -days 2000
Once that is done, I can then configure my apache server to use server_cert.pem as the certificate and server.key as the private key.
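The three openssl steps above, run end to end as an added example (not from the original post), followed by the checks worth doing before pointing mod_ssl at the files: that the certificate really belongs to the private key, and that it is self-signed (which is exactly why browsers will warn about it). It deviates from the post in two places: it uses a 2048-bit key and SHA-256, since 1024-bit RSA and SHA-1 are no longer considered adequate for a server certificate, and the subject fields (C, O, CN) are constructed placeholders rather than the author's values.

```shell
#!/bin/sh
# Added example: generate a server key, a CSR and a self-signed
# certificate as in the post, then sanity-check the result.
# Subject fields below are constructed placeholders.
set -eu

WORKDIR="${1:-$(mktemp -d)}"
cd "$WORKDIR"

# 1) private key for the proxy (2048 bits instead of the post's 1024)
openssl genrsa -out server.key 2048 2>/dev/null

# 2) certificate signing request; -subj replaces the interactive prompts
openssl req -new -key server.key -out req.csr -sha256 \
    -subj "/C=BE/O=Example Proxy/CN=proxy.example.test" 2>/dev/null

# 3) self-sign the request with the same key (no CA involved)
openssl x509 -req -in req.csr -signkey server.key -sha256 -days 2000 \
    -out server_cert.pem 2>/dev/null

# Check A: the public key inside the certificate is the one derived from
# server.key. A mismatched pair is a classic reason mod_ssl refuses to
# start or every handshake fails.
key_matches_cert() {
    k=$(openssl rsa -in server.key -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in server_cert.pem -pubkey -noout | openssl md5)
    [ "$k" = "$c" ]
}

# Check B: the certificate verifies only when it is itself the trust
# anchor, i.e. nobody outside this file vouches for it. That is the
# "untrusted source" warning the post describes.
is_self_signed() {
    openssl verify -CAfile server_cert.pem server_cert.pem >/dev/null 2>&1
}

# Check C: the CN is the host name we asked for
cert_subject_cn() {
    openssl x509 -in server_cert.pem -noout -subject | sed 's/.*CN *= *//'
}

key_matches_cert && is_self_signed && echo "key/cert pair OK in $WORKDIR"
```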

Next step is then to configure the reverse proxy. Without going into too many details, I can ask my reverse proxy to map incoming addresses to another address I choose. So if my apache server is reached via https://www.jeango.com, I can map the folder /imexis to http://www.imexis.net

This way, if someone goes to https://www.jeango.com/imexis he will actually see the page on www.imexis.net, but this will be totally invisible to him.

Amongst other things I had to configure, I had to include the OCSP access which is a protocol used to validate the status (valid, revoked, suspended, blocked) of the incoming certificates.

Pains and Tribulations

Needless to say this didn't happen with a snap of the fingers. As a matter of fact, I first had a lot of problems with the compilation of apache, and it took me a lot of time to understand every configuration option of the proxy. Then, when I finally had this finished, the server wouldn't start in SSL mode. I found out that I had configured something twice in the files, which generated a conflict, but it still didn't work, so I uninstalled everything, recompiled, re-installed, re-configured, and today it finally works.

Identifying with eID

Now that our server is set up, firefox still needs to be configured correctly, and for this it is required to have the middleware for eID smartcards installed, and to follow the procedure described in this document:

http://www.google.be/search?q=firefox+eid&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

The document says that when trying to access a server, the browser will automatically ask to insert the card in the reader if there is none, but here it doesn't work. Instead I get a page saying that the SSL Handshake failed, I'll have to look into this.

Anyway, after doing all this, I inserted Robert's ID card, typed the SSL address of my apache server into my browser, and magic happened: the browser asked me which certificate to use, then prompted for my PIN, and sure enough, I saw before my eyes the welcome page of our magnificent imexis website :D

So what's next?

Well now I'll start playing with an apache tomcat servlet and see how we can interact with the card to finally say "Bonjour Robert!".

That's all for today ;) if you found the courage to read all this, send me a mail saying "bonjour robert!" (you should know my email, if you don't, well thanks for reading anyways :-))
