2.8 Implementing Token-Based Logins

Systems that use tokens (such as smart cards) as login credentials require a modified configuration. In these systems the certificate held on the token authenticates the browser to a reverse proxy, the proxy passes the user's principal to the Operations Center server in a request header that the server is configured to trust, and the server passes a login token to the client, which uses the token to log in to the server. Because the server trusts that header, restrict network access to the Operations Center listening port to the reverse proxy host once the configuration is complete: any client that can connect to the port directly can set the header itself. The configuration involves the following tasks:

  • Section 2.8.1, Configuring Operations Center for Token-based Authentication

  • Section 2.8.2, Configuring the Reverse Proxy (Apache Web Server)

  • Section 2.8.3, Preparing Certificates and Keystores

  • Section 2.8.4, Securing Communications Between Reverse Proxy and Operations Center Server

  • Section 2.8.5, Securing Communications Between Browser and Reverse Proxy

  • Section 2.8.6, Turning on Client Certificates

2.8.1 Configuring Operations Center for Token-based Authentication

To enable token-based authentication, you must first configure applet_params.xml and Formula.custom.properties with matching values for the authorization principal and authorization token. The values are the names of the HTTP request headers that the reverse proxy sets (see Section 2.8.2); the Operations Center server accepts the user name that arrives in the principal header.

To configure Operations Center for token-based authentication:

  1. Stop the Operations Center server.

  2. On the Operations Center server, configure the following properties in Operations_Center_installation_location/NOC/html/template/applet_params.xml:

    <param name="Connection.allow.auth.principal" value="true" />

    <param name="Connection.header.auth.principal" value="authorization_principal" />

    <param name="Connection.header.auth.token" value="authorization_token" />

  3. In the Operations Center Configuration Manager, ensure that the host name is set to the fully-qualified domain name of the Operations Center server and the client/server communications mode is set to unsecured communications.

    You will enable secure communications when you perform the procedures in Section 2.8.4, Securing Communications Between Reverse Proxy and Operations Center Server.

  4. Configure the following properties in Operations_Center_installation_location/NOC/config/Formula.custom.properties, ensuring that the authorization principal and authorization token values match the values in applet_params.xml:

    Server.allow.auth.principal=true

    Server.header.auth.principal=authorization_principal

    Server.header.auth.token=authorization_token

  5. Start the Operations Center server.

  6. Log in to the Operations Center console as administrator and create a user for testing purposes. The user name must match the name that you will later take from the client certificate (in this procedure, the test user's e-mail address, which Section 2.8.2 sets as the authorization principal).

  7. Log in to the Operations Center console using the credentials for the test user.

2.8.2 Configuring the Reverse Proxy (Apache Web Server)

In this procedure, you will complete basic configuration of the reverse proxy (the Apache Web Server) and then force the user that you created in Section 2.8.1, Configuring Operations Center for Token-based Authentication to be logged on using token-based authentication.

To complete basic configuration of the reverse proxy:

  1. Stop the Apache Web Server.

  2. On the Apache Web Server, modify Apache_installation_location/Apache/conf/httpd.conf as follows:

    1. Specify the listening port for the Apache Web Server:

      Listen port_number

    2. Enable (uncomment) the following modules. The directives in this section use only mod_headers, mod_proxy, mod_proxy_http and mod_substitute (mod_ssl is enabled in Section 2.8.4); the other modules in the list are not used by this configuration and can stay disabled if nothing else on the server needs them:

      • LoadModule headers_module modules/mod_headers.so

      • LoadModule proxy_module modules/mod_proxy.so

      • LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

      • LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

      • LoadModule proxy_connect_module modules/mod_proxy_connect.so

      • LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

      • LoadModule proxy_http_module modules/mod_proxy_http.so

      • LoadModule proxy_scgi_module modules/mod_proxy_scgi.so

      • LoadModule substitute_module modules/mod_substitute.so

  3. Configure the proxy with the following settings. The RequestHeader unset line must precede the RequestHeader set line: it discards any authorization_principal header that the browser itself supplies, so that a client cannot choose its own principal. The header name must match the Connection.header.auth.principal and Server.header.auth.principal values from Section 2.8.1. At this stage every request is forced to the test user. The Order and Allow directives are Apache 2.2 syntax (Apache 2.4 uses Require all granted instead):

    ProxyRequests Off

    <Proxy *>

    Order deny,allow

    Allow from all

    RequestHeader unset authorization_principal

    RequestHeader set authorization_principal "test_user_email_address"

    </Proxy>

    ProxyPass / http://Operations_Center_Server_FQDN:Operations_Center_Server_listening_port/

    ProxyPassReverse / http://Operations_Center_Server_FQDN:Operations_Center_Server_listening_port/

  4. Configure substitution logic so that the URLs that the host returns are redirected to the Apache Web Server:

    <Location />

    AddOutputFilterByType SUBSTITUTE text/html

    AddOutputFilterByType SUBSTITUTE text/css

    AddOutputFilterByType SUBSTITUTE text/javascript

    AddOutputFilterByType SUBSTITUTE application/x-java-jnlp-file

    Substitute "s|http://Operations_Center_Server_FQDN:Operations_Center_Server_listening_port|http://Apache_Web_Server_FQDN:Apache_listening_port|niq"

    Substitute "s|http://Operations_Center_Server_name:Operations_Center_Server_listening_port|http://Apache_Web_Server_FQDN:Apache_listening_port|niq"

    Substitute "s|http://Operations_Center_Server_IPaddress:Operations_Center_Server_listening_port|http://Apache_Web_Server_FQDN:Apache_listening_port|niq"

    </Location>

  5. Start the Apache Web Server.

  6. Open a browser and access http://Apache_Web_Server_FQDN:Apache_listening_port to verify that you can open the Operations Center console login page. (The Apache Web Server does not use SSL yet; you enable it in Section 2.8.5.)

  7. Log in to the console and verify that you are automatically logged in as the test user.

2.8.3 Preparing Certificates and Keystores

Token-based authentication requires at least three certificate/private key pairs: one for the Operations Center server process, one for the Apache Web Server process, and one for the browser (the user's client certificate). If a certificate authority signs the certificates, each process only has to trust the certificate authority's certificate. If you are using self-signed certificates, each process must trust every self-signed certificate that it is presented with.

The preferred formats for certificate and private key information are as follows:

  • For the Operations Center server, Java KeyStore (JKS) and Distinguished Encoding Rules (DER)

  • For the Apache Web Server, Privacy Enhanced Mail (PEM)

  • For most browsers, Public Key Cryptography Standards 12 (PKCS12, or PFX)

To prepare certificates and keystores:

  1. Prepare certificates and keystores for the Operations Center server:

    1. On the Operations Center server, run the following command to generate a keystore that contains a private key and certificate:

      Operations_Center_installation_location/NOC/bin/gencert -host Operations_Center_Server_FQDN

      The command generates three files in the local directory: keystore, keystore.csr, and keystore.cer.

    2. Move keystore to the Operations_Center_installation_location/NOC/config folder.

    3. (Conditional) If you are using a certificate authority to sign certificates:

      • Download the certificate authority's certificate in DER format.

      • Run the following command to import the certificate authority's certificate into the lib/security/cacerts file of the Java runtime environment (JRE) that the Operations Center server uses. The default password of the cacerts file is changeit; if the JRE is updated later, repeat the import against the new cacerts file:

        keytool -import -keystore "JRE_installation_location\lib\security\cacerts" -storepass password -file "Certificate_download_location" -alias certificate_authority

      • Send the keystore.csr file to the certificate authority and have it signed.

      • Download the signed certificate and run the following command to import it into your keystore. Use the same alias as the private key entry in the keystore (the server's FQDN), so that keytool installs the signed certificate as the reply to that key instead of adding a separate trusted-certificate entry:

        keytool -import -keystore "Operations_Center_installation_location/NOC/config/keystore" -storepass password -alias Operations_Center_server_FQDN -file "Signed_certificate_download_location" -trustcacerts

    4. (Conditional) If you are using self-signed certificates, run the following command to import keystore.cer into the lib/security/cacerts file of the JRE that the Operations Center server uses:

      keytool -import -keystore "JRE_installation_location\lib\security\cacerts" -storepass password -file "Operations_Center_installation_location/NOC/bin/keystore.cer" -alias Operations_Center_Server_FQDN

      Repeat the command, with a different alias, for each certificate that must be trusted.

  2. Prepare certificates and keystores for the Apache Web Server:

    1. (Conditional) If the Apache Web Server and Operations Center server are on different hosts, generate a new certificate for the Apache Web Server following the steps used to generate a new certificate for the Operations Center server. If they are on the same host, the Apache Web Server can reuse the entry in the Operations Center keystore, as in the following command.

    2. Run the following command to export the certificate and private key to PKCS12 (PFX) format:

      keytool -importkeystore -srckeystore "Operations_Center_installation_location/NOC/config/keystore" -destkeystore "Apache_installation_location/Apache2.2/ssl/Apache_Web_Server_FQDN.pfx" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -srcalias Apache_Web_Server_FQDN -destalias Apache_Web_Server_FQDN

    3. Run the following command to convert the PKCS12 file to PEM format. The -nodes option writes the private key unencrypted, which the Apache Web Server needs in order to start unattended, so restrict the resulting file to the account that runs the server (for example, chmod 600):

      openssl pkcs12 -in "Apache_installation_location/Apache2.2/ssl/Apache_Web_Server_FQDN.pfx" -out "Apache_installation_location/Apache2.2/ssl/Apache_Web_Server_FQDN.pem" -nodes

    4. (Conditional) If you are using a certificate authority to sign certificates, download the certificate authority's certificate in PEM (base 64) format and copy it to Apache_installation_location/Apache2.2/ssl/trustedCAs.pem.

    5. (Conditional) If you are using self-signed certificates, concatenate the PEM certificates for the Operations Center server, the Apache Web Server, and the browser (once generated in the next step) into Apache_installation_location/Apache2.2/ssl/trustedCAs.pem.

  3. Use OpenSSL to prepare certificates and keystores for the browser:

    1. (Conditional) If you are using a certificate authority to sign certificates:

      • Run the following command to create a private key (you are prompted for a passphrase that protects the key file):

        openssl genrsa -des3 -out testuser.key 2048

      • Run the following command to create a certificate request. When prompted for the subject, supply the name that Operations Center will use for the user (for example, the e-mail address of the test user created in Section 2.8.1):

        openssl req -new -key testuser.key -out testuser.csr

      • Submit testuser.csr to the certificate authority.

      • Download the signed certificate in PEM (base 64) format as testuser.cer.

      • Run the following command to generate a PKCS12 keystore:

        openssl pkcs12 -export -in testuser.cer -inkey testuser.key -out testuser.pfx

      • Import testuser.pfx into the browser as a client certificate.

      • Import the certificate authority's certificate into the browser as a trusted certificate.

    2. If you are using self-signed certificates:

      • Run the following command to generate a certificate and private key. When prompted for the subject, supply the name that Operations Center will use for the user (for example, the e-mail address of the test user created in Section 2.8.1), because the user name in Operations Center has to match the name carried in the certificate:

        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout testuser.key -out testuser.cer

      • Run the following command to generate a PKCS12 keystore:

        openssl pkcs12 -export -in testuser.cer -inkey testuser.key -out testuser.pfx

      • Import testuser.pfx into the browser as a client certificate.

      • Import testuser.cer into your browser as a trusted certificate.

      • Add testuser.cer to the trustedCAs.pem file on the Apache Web Server.

      • Import the Apache Web Server and Operations Center server certificates into the browser as trusted certificates.
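As an added example that is not part of the product documentation, the following script performs the self-signed part of steps 2 and 3 above with openssl alone (the keytool steps for the Operations Center keystore in step 1 are unchanged) and then checks the results the way a practitioner would before editing httpd.conf: that every certificate verifies against trustedCAs.pem, that the Apache certificate's CN is the FQDN the browser will connect to, and that the client certificate carries the e-mail address that must equal the Operations Center user name. The host names, the e-mail address, the export password and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Operations Center documentation: self-signed
# certificate preparation for the reverse proxy and the browser (Section 2.8.3,
# steps 2 and 3) using openssl only, plus sanity checks. Host names, the test
# user's e-mail address, the export password and WORKDIR are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                          # stand-in for Apache2.2/ssl
APACHE_FQDN="${APACHE_FQDN:-proxy.example.com}"             # assumed proxy host name
NOC_FQDN="${NOC_FQDN:-noc.example.com}"                     # assumed Operations Center host name
TEST_USER_EMAIL="${TEST_USER_EMAIL:-testuser@example.com}"  # assumed principal
PFX_PASSWORD="${PFX_PASSWORD:-changeit}"                    # assumed browser import password
DAYS=365

# Self-signed certificate plus unencrypted private key, both in PEM.
# $1 = file base name, $2 = subject CN, $3 = optional e-mail address
gen_selfsigned() {
    subj="/CN=$2"
    [ -n "${3:-}" ] && subj="$subj/emailAddress=$3"
    openssl req -x509 -nodes -days "$DAYS" -newkey rsa:2048 -subj "$subj" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.cer" 2>/dev/null
}

# Apache reads certificate and key from one PEM file (SSLCertificateFile,
# Section 2.8.5); the key is unencrypted, so keep the file private.
make_apache_pem() {
    cat "$WORKDIR/$1.cer" "$WORKDIR/$1.key" > "$WORKDIR/$1.pem"
    chmod 600 "$WORKDIR/$1.pem" "$WORKDIR/$1.key"
}

# PKCS12 bundle that the browser imports as a client certificate.
make_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/$1.cer" -inkey "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.pfx" -passout "pass:$PFX_PASSWORD"
}

# trustedCAs.pem: every certificate the proxy must trust, used both for
# SSLProxyCACertificateFile (backend) and SSLCACertificateFile (clients).
build_trusted_cas() {
    : > "$WORKDIR/trustedCAs.pem"
    for base in "$@"; do
        cat "$WORKDIR/$base.cer" >> "$WORKDIR/trustedCAs.pem"
    done
}

# The check mod_ssl performs: does the certificate chain to trustedCAs.pem?
verify_against_trusted() {
    openssl verify -CAfile "$WORKDIR/trustedCAs.pem" "$WORKDIR/$1.cer" >/dev/null 2>&1
}

# Subject CN of a server certificate; must equal the FQDN peers connect to.
cert_cn() {
    openssl x509 -in "$WORKDIR/$1.cer" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# E-mail address in the client certificate: the value the proxy will pass as
# the authorization principal, so it must equal the Operations Center user name.
cert_email() {
    openssl x509 -in "$WORKDIR/$1.cer" -noout -email
}

prepare_all() {
    gen_selfsigned "$NOC_FQDN" "$NOC_FQDN"      # stand-in for the gencert/keytool output
    gen_selfsigned "$APACHE_FQDN" "$APACHE_FQDN"
    gen_selfsigned testuser "$TEST_USER_EMAIL" "$TEST_USER_EMAIL"
    make_apache_pem "$APACHE_FQDN"
    make_pfx testuser
    build_trusted_cas "$NOC_FQDN" "$APACHE_FQDN" testuser
}

prepare_all
echo "certificates written to $WORKDIR"
```

After running it, copy the Apache .pem file and trustedCAs.pem into Apache2.2/ssl, and import testuser.pfx (with the export password) plus the two server certificates into the browser as steps 2 and 3 describe. A certificate that was not concatenated into trustedCAs.pem fails verify_against_trusted, which is exactly what mod_ssl will do to a client presenting it.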

2.8.4 Securing Communications Between Reverse Proxy and Operations Center Server

After you prepare the certificates and establish trust links, enable SSL on the link between the Apache Web Server and the Operations Center server.

To secure communications between the reverse proxy and the Operations Center server:

  1. Stop the Operations Center server and the Apache Web Server.

  2. On the Operations Center server, verify that keystore is present in Operations_Center_installation_location/NOC/config.

  3. In the Operations Center Configuration Manager, set the client/server communications mode to Secured communications using SSL.

  4. Restart the Operations Center server.

  5. Open a browser and access https://Operations_Center_server:port_number to verify that you can open the Operations Center console.

  6. On the Apache Web Server, modify Apache_installation_location/Apache/conf/httpd.conf as follows:

    1. Enable (uncomment) the following line:

      LoadModule ssl_module modules/mod_ssl.so

    2. Enable SSL for proxy connections and identify the certificates that the proxy trusts when it verifies the Operations Center server's certificate. Note that SSLProxyCACertificateFile alone does not enforce verification (SSLProxyVerify defaults to none); add SSLProxyVerify require if the proxy should refuse to connect to a server whose certificate does not verify:

      SSLProxyEngine on

      SSLProxyCACertificateFile "Apache_installation_location/Apache2.2/ssl/trustedCAs.pem"

    3. Change the ProxyPass and ProxyPassReverse targets from http:// to https:// (and to the new port, if it changed), and update the substitution mapping in the same way.

  7. Restart the Apache Web Server.

  8. Open a browser and access http://Apache_Web_Server_FQDN:Apache_listening_port to verify that you can open the Operations Center console login page. (SSL between the browser and the Apache Web Server is enabled in Section 2.8.5.)

  9. Log in to the console and verify that you are automatically logged in as the test user.

2.8.5 Securing Communications Between Browser and Reverse Proxy

After securing communications on the link between the Apache Web Server and the Operations Center server, secure communications between the browser and the Apache Web Server.

To secure communications between the browser and the reverse proxy:

  1. Stop the Apache Web Server.

  2. On the Apache Web Server, modify Apache_installation_location/Apache/conf/httpd.conf as follows:

    • Configure the listening port for the Apache Web Server:

      Listen port_number

    • Enable SSL for the listening port and identify the certificate file. The .pem file created in Section 2.8.3 contains both the certificate and the private key; if you keep the key in a separate file, point SSLCertificateKeyFile at it:

      SSLEngine on

      SSLCertificateFile "Apache_installation_location/Apache2.2/ssl/Apache_Web_Server_FQDN.pem"

  3. Update the substitution mapping to account for any protocol or port changes.

  4. Restart the Apache Web Server.

  5. Open a browser and access https://Apache_Web_Server:port_number to verify that you can open the Operations Center console login page.

  6. Log in to the console and verify that you are automatically logged in as the test user.

2.8.6 Turning on Client Certificates

In this procedure, you set client verification to optional because the web-started client needs to be able to reach the Operations Center console through the reverse proxy (Apache Web Server) but does not have access to the keystore that is stored in the browser. With this configuration, clients that present no certificate can still reach the Operations Center console using the normal login. Note that optional is not optional_no_ca: a client that does present a certificate must present one that verifies against the trusted certificates file, or the TLS handshake fails.

To turn on client certificates:

  1. Stop the Apache Web Server.

  2. On the Apache Web Server, modify Apache_installation_location/Apache/conf/https.conf to request client certificates and identify trusted certificates on the connection:

    SSLVerifyClient optional

    SSLVerifyDepth 10

    SSLCACertificateFile "Apache_installation_location/Apache2.2/ssl/trustedCAs.pem"

  3. Restart the Apache Web Server.

  4. Open a browser and access https://Apache_Web_Server:port_number to verify that you can open the Operations Center console. You should be prompted to select a certificate and provide a password to access the associated private key.
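As an added example, not taken from the Operations Center documentation, the following virtual host assembles the directives from Sections 2.8.2, 2.8.4, 2.8.5 and 2.8.6 into one Apache 2.2 configuration and replaces the hard-coded test user of Section 2.8.2 with the e-mail address of the verified client certificate, which is the step the procedure above leaves to you. The host names proxy.example.com and noc.example.com, the ports, the file locations under /opt/apache/ssl and the assumption that the Operations Center user name equals the e-mail address in the client certificate are assumptions, not values from the product documentation.

```apache
# Added example (not from the product documentation): Sections 2.8.2, 2.8.4,
# 2.8.5 and 2.8.6 combined into one Apache 2.2 virtual host. Host names,
# ports, paths and the e-mail-to-user-name mapping are assumptions.

Listen 8443

LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule ssl_module        modules/mod_ssl.so

<VirtualHost *:8443>
    ServerName proxy.example.com

    # Browser <-> proxy TLS (Section 2.8.5). The .pem from Section 2.8.3
    # contains the certificate and the unencrypted private key.
    SSLEngine on
    SSLCertificateFile "/opt/apache/ssl/proxy.example.com.pem"

    # Client certificates (Section 2.8.6): optional, so the web-started
    # console client, which cannot use the browser's keystore, still reaches
    # the normal login. A certificate that is presented must verify against
    # trustedCAs.pem (self-signed setup: the certificates themselves).
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLCACertificateFile "/opt/apache/ssl/trustedCAs.pem"
    # Export the SSL_CLIENT_* variables into the request environment so that
    # mod_headers can read them below.
    SSLOptions +StdEnvVars

    # Proxy <-> Operations Center TLS (Section 2.8.4). SSLProxyVerify makes
    # the trusted-certificates file binding; without it the backend
    # certificate is not checked at all.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyCACertificateFile "/opt/apache/ssl/trustedCAs.pem"

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
        # Always discard the principal header the browser sent (Section 2.8.2):
        # a client must never be able to choose its own principal.
        RequestHeader unset authorization_principal
        # Set it only when a verified client certificate supplied an e-mail
        # address; env= keeps the header absent otherwise, so the normal login
        # applies. Header name as configured in Section 2.8.1; the address must
        # equal the Operations Center user name (assumed mapping).
        RequestHeader set authorization_principal "%{SSL_CLIENT_S_DN_Email}e" env=SSL_CLIENT_S_DN_Email
    </Proxy>

    ProxyPass        / https://noc.example.com:8443/
    ProxyPassReverse / https://noc.example.com:8443/

    # Rewrite absolute URLs in responses so the client keeps using the proxy.
    <Location />
        AddOutputFilterByType SUBSTITUTE text/html
        AddOutputFilterByType SUBSTITUTE text/css
        AddOutputFilterByType SUBSTITUTE text/javascript
        AddOutputFilterByType SUBSTITUTE application/x-java-jnlp-file
        Substitute "s|https://noc.example.com:8443|https://proxy.example.com:8443|niq"
    </Location>
</VirtualHost>
```

SSLOptions +StdEnvVars makes mod_ssl export SSL_CLIENT_S_DN_Email into the request environment during the fixup phase, before mod_headers evaluates RequestHeader, and mod_ssl only exports variables that have a value. Because SSLVerifyClient optional rejects any presented certificate that does not verify, a non-empty value always comes from a verified certificate. After editing, run apachectl -t, then confirm with a browser that has no client certificate that the normal login page appears rather than an automatic login.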