cosign-announce at umich.edu
cosign release and update announcements
 


IISCosign 1.1.1 available for download addendum




I forgot to add this VERY IMPORTANT item to the announcement. Certificate authority (CA) files need to be rehashed for IISCosign 1.1.1 to work properly. The intention was to make this change for 1.1.2 or later to make upgrading more transparent, but... well, I forgot. So now that 1.1.1 is out there, we can all start rehashing now. It's very simple and Apache/Unix people have been doing this for years now. That is, this is the 'right way' to work with CA files.


The main side effect of this is to receive a looping.html error page and to see a line such as error:14090086:lib(20):func(144):reason(134) in a cosign log file.

Here's how to rehash a CA file (umwebCA.pem in this case). Openssl.exe is placed in your IISCosign directory upon install.

From a command prompt run:

openssl x509 -noout -hash -in \path\to\umwebCA.pem


A hash value is displayed. Copy the contents of the \path\to\umwebCA.pem file into a file called <hash>.0

In your cosign.dll.config file have <CAFilePath> point to the folder where the hash is located. (Whereas in the past it would point directly to the file.)

--Jarod Malestein
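
The rehash steps above as a PowerShell script, added here as an example; it is not part of the original message or of the IISCosign distribution. It goes beyond the single-certificate case by splitting a PEM bundle and handling hash collisions, and the three paths are placeholders to adjust.

```powershell
# Added example: rehash a PEM CA file (single cert or bundle) into a hash directory.
# Assumption: the three paths below are placeholders, not values from the page.
# Use the openssl.exe shipped with IISCosign: the subject-hash algorithm changed
# in OpenSSL 1.0.0, so a newer binary may print a name the filter does not look up.
param(
    [string]$OpenSsl = 'C:\path\to\IISCosign\openssl.exe',
    [string]$CaFile  = 'C:\path\to\umwebCA.pem',
    [string]$HashDir = 'C:\path\to\cahash'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $HashDir | Out-Null

# openssl x509 reads only the first certificate in a file, so split a bundle
# into individual PEM blocks and hash each one separately.
$pem = Get-Content -Raw -Path $CaFile
$pattern = '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----'
$blocks = [regex]::Matches($pem, $pattern)
if ($blocks.Count -eq 0) { throw "No PEM certificate found in $CaFile" }

foreach ($m in $blocks) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $tmp -Value $m.Value -Encoding Ascii
        $hash = (& $OpenSsl x509 -noout -hash -in $tmp | Select-Object -First 1)
        if ($LASTEXITCODE -ne 0 -or $hash -notmatch '^[0-9a-f]{8}$') {
            throw "openssl could not hash a certificate from $CaFile"
        }
        $fp = & $OpenSsl x509 -noout -fingerprint -in $tmp
        # Different CAs can share a hash: take the first free suffix (.0, .1, ...)
        # and skip a certificate that is already installed.
        $n = 0; $present = $false
        while (Test-Path (Join-Path $HashDir "$hash.$n")) {
            $existing = & $OpenSsl x509 -noout -fingerprint -in (Join-Path $HashDir "$hash.$n")
            if ($existing -eq $fp) { $present = $true; break }
            $n++
        }
        if (-not $present) {
            Copy-Item -Path $tmp -Destination (Join-Path $HashDir "$hash.$n")
            Write-Output "installed $hash.$n"
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}
```

After it runs, <CAFilePath> in cosign.dll.config points at the hash directory rather than at the .pem file.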


--On Friday, February 18, 2005 5:26 PM -0500 jarod@xxxxxxxxx wrote:



IISCosign 1.1.1 is now available for download from <http://weblogin.org>.


This is being called 1.1.1 instead of 1.1.0 since the versioning with
InstallShield was slightly off.  Therefore, to make sure people are given
the upgrade option with the installer and to avoid confusion, this one is
being labeled 1.1.1.  It is highly recommended you upgrade as soon as
possible, especially if you are on a pre-1.1.0 version, due to many
useful bug fixes.

We are constantly refining and improving IISCosign and the installer.  If
there are any recommendations or questions you have, please send them to
cosign@xxxxxxxxxx

The next major item on the IISCosign roadmap is adding the Kerberos
ticket passing functionality.

A list of the major changes since version 1.0.0 is below.

Happy upgrading!

--Jarod Malestein
--University of Michigan - ITCS



Changes in IISCosign 1.1.1:
+ Installer

Various, small fixes.

+ Some major IISCosign failures reported to the Event Viewer.

There is now a facility with IISCosign to report events directly to the
Event Viewer.  This is very useful for diagnosing problems, especially if
the log files cannot be created.  The events reported are not comprehensive
and will continue to be tweaked based on administrators' experience and
input.

+ You can now specify allowUnauthenticatedAccess to <Protected /> pages.
Example:

<Protected allowPublicAccess="TRUE">/MySweetWebApp</Protected>

NOTE: this was previously labeled allowUnauthenticatedAccess.  For clarity
and parity with the Apache version, this has been changed to
allowPublicAccess.  Both will still work, but the former will, eventually,
be deprecated.

You can have a folder or web page(s) that can be accessed
by both logged in and non-logged in users.  If the user is logged in, the
HTTP_REMOTE_USER, HTTP_REMOTE_REALM, and HTTP_COSIGN_SERVICE variables
will be available.  If the user is not logged in, he is not redirected
and only the HTTP_COSIGN_SERVICE variable is available.

+ Log file locking issue circumvented.  This prevented multiple instances
of the filter from being instantiated in IIS 6.0.  Multiple log files are
created if possible.

+ <HttpsOnly /> option added. Default is TRUE. Set to FALSE to allow
users to access cosign-protected pages without a secure connection.
Example:

<HttpsOnly>FALSE</HttpsOnly>

+ Corrected bug that would protect something like "/studentsAndStaff" if
"/students" was protected.  Then broke it, fixed it, broke it, fixed it.
This is something you may want to double-check.

+ Extra info put into log file.  Please provide feedback on what you
would and wouldn't like to have in the cosign log file.

+ Https redirect bug fixed.

+ Specifying web sites by their IIS description rather than DNS name is
now an option.
Change your <Service /> tag as follows:

<Service IISDescription="IISCosign web site">cosign-service-name
...
</Service>

You can use either the original websitename item to refer to the DNS name
or the new IISDescription. If both are present, IISCosign first looks for
IISDescription and will ignore websitename.

For the curious parties, the "IISDescription" is compared to the
ServerComment for the web site in the IIS metabase.

+ You can now limit the log file size. Change your <LogFilePath> to look
like this:

<LogFilePath fileSizeInKB="4096">C:\Program Files\CosignFilter\Logs</LogFilePath>