CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

multiple cosign configuration and runtime issues

  • To: cosign-discuss@xxxxxxxxx
  • Subject: multiple cosign configuration and runtime issues
  • From: Ben Poliakoff <benp@xxxxxxxx>
  • Date: Wed, 10 Nov 2004 16:27:43 -0800
  • User-agent: Mutt/1.4.1i

Hi All,

I've had some time in the past few days to work on getting cosign 1.7.0
installed and working (as both a weblogin server and a client) on a
Fedora Core 2 host running a Fedora stock apache2 (2.0.51-2.7).  OpenSSL
and MIT krb5 are both theoretically recent enough (openssl-0.9.7a-35 and
krb5-*-1.3.4-6).  I know the apache2 stuff isn't used at UofM, but it
looks like a few others on this list are using it, so I thought I'd give
it a try.

And at this point I'm able to log in with my krb5 password at the
main page on the weblogin server, I'm redirected to /services and am
successfully granted the appropriate cookie.  The cosign daemon get's a
TGT for me in /ticket... So far so good.  I've got two cookies ("cosign"
and "cosign-services", the latter being correctly determined from the
value of CosignService for the /services location).

On to the issues....

Issue #1 

When I try to logout something funny happens, apache give me an
"internal error page" and I in my apache errorlog I see:

/usr/local/cosign/certs/ No such file or directory

My CosignCrypto looks like this:

CosignCrypto    /var/cosign/certs/key.pem /var/cosign/certs/cert.pem /var/cosign/certs/CA

Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem? 

Quite possibly I'm misunderstanding the meaning of CosignCrypto!

Issue #2 

So I tried playing along and started making some symlinks so that
/var/cosign/certs/key.pem was linked to
/usr/local/cosign/certs/ (ditto with the cert).

This get's me a little further, but then I hit the next issue.
My cert isn't verifying.  Stracing httpd I find that it thinks
the CAdir is /usr/share/ssl/cert.pem! (i.e. it's looking for
/usr/share/ssl/cert.pem/ddc328ff.0 and naturally not finding it).  I
don't find the string "/usr/share/ssl/cert.pem" anywhere in cosign, but
I do see it in in OpenSSL's "", presumably it's a hard coded
default that's not getting overridden by any other setting.

Issue #3 

Playing along again I make /usr/share/ssl/cert.pem a link to
/var/cosign/certs/CA/ (a directory that contains my cacerts and the hash
links to each of them).  This gets me just a little further.  But logout
still fails with

apache's errorlog reporting:

    net_logout: 511 LOGOUT: Invalid cookie name.

and cosignd reporting to syslog:

    cosignd[15584]: f_logout: cookie name contains '/'

And indeed the cookie name *does* include a / (two of them actually).
Here's the debug (slightly edited) output from cosignd:

    debug: LOGOUT

So I'm not sure if there are many problems here or just a single one.

Do any of these issues look familiar to anyone?

Any suggestions would be gratefully appreciated!


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010