Hi Tim,

Thanks for the help!  I made two mistakes, and fixed them, following your
suggestions, but I am unfortunately still not connecting from Apache to
Dspace, although it is now clear the certificate information is being
passed through.

First, I was using an outdated format for the listing of the two kinds of
authentication in authentication.cfg, and your pointer to the 6 version was
helpful there.  I had them on the same line, with a comma.  Now they are
loading sequentially, with the certificate auth loading first.  I also was
not looking at the right log file, duh.  Now I can see some error messages,
and can tell that Dspace is grappling with the client certificate, although
still failing to validate it.  I tried all variations of the instructions
for configuring the authentication-x509.cfg file, but in the end I am
getting:

2017-09-08 08:02:34,351 INFO  org.dspace.authenticate.X509Authentication @
anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authentication:X.509
Certificate FAILED SIGNATURE check:
java.security.SignatureException: Signature does not match.
2017-09-08 08:02:34,351 WARN  org.dspace.authenticate.X509Authentication @
anonymous:session_id=EF3D87F4E30DDB194B8C9DCCF2AD4525:ip_addr=141.2.34.31:authenticate:type=x509certificate,
status=BAD_CREDENTIALS (not valid)

I installed the client.p12 file in the browser, and the client.pem file in
Dspace, using the keystore with the correct password.  I produced my files
using these wonderful instructions:

https://gist.github.com/mtigas/952344

Sorry, still mystified.

Best regards,
Paul
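An added check, not from Paul's or Tim's messages and not DSpace's own code: the X.509 plugin's keystore has to hold the certificate of the CA that issued the client certificate, so this script builds a constructed CA and client certificate with openssl and shows that the client certificate validates only against that CA, not against a different CA with the same name and not against the client certificate itself. `openssl verify` stands in for the Java signature check and is stricter (it checks the whole chain); all file names and CNs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and client cert,
# then run a trust check like the one behind "FAILED SIGNATURE check" against
# three different "trusted" files. Only the issuing CA's certificate passes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI; all names are placeholders.
mk_ca() {  # $1 = output basename; creates a self-signed CA key and cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Client CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk_ca ca        # the CA that really issues the client cert
mk_ca other-ca  # a different key behind the same CA name

openssl req -newkey rsa:2048 -nodes -subj "/CN=paul@example.org" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null

# verify_client_cert TRUSTED_PEM CLIENT_PEM
# Returns 0 when CLIENT_PEM validates against the certificate(s) in TRUSTED_PEM.
# "openssl verify" prints "<file>: OK" on success; some releases exit 0 even on
# failure, so the output is checked rather than the exit status.
verify_client_cert() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) return 0 ;;
        *)        printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Expected outcomes when run as a script:
verify_client_cert "$WORK/ca.pem"       "$WORK/client.pem" && echo "issuing CA: OK"
verify_client_cert "$WORK/other-ca.pem" "$WORK/client.pem" || echo "wrong CA:   rejected"
verify_client_cert "$WORK/client.pem"   "$WORK/client.pem" || echo "leaf as CA: rejected"
```

The reason openssl prints for the two rejected cases varies by version (a signature failure or a missing local issuer), but in each case the certificate in the "trusted" file is not the one that signed the client certificate, which is the situation the DSpace log line reports.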

On Thu, Sep 7, 2017 at 6:55 PM, Tim Donohue <[email protected]> wrote:

> Hi Paul,
>
> I'll admit, I've never used the X.509 cert auth myself, but I notice there
> are some more notes in the X.509 docs at:
> https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication
>
> Namely, I see that it states:
> "If you are using HTTPS with Tomcat, note that the <Connector> tag *must*
> include the attribute clientAuth="true" so the server requests a personal Web
> certificate from the client."
>
> Not sure if that's the problem here, but you might want to carefully
> review the instructions here again. If you are still hitting issues, you
> also should check your logs to see if there's any errors being logged
> there, see https://wiki.duraspace.org/display/DSPACE/Troubleshoot+an+error
>
>
> - Tim
>
> On Thu, Sep 7, 2017 at 7:25 AM Paul Warner <[email protected]> wrote:
>
>> Hi,
>>
>> I have configured Apache with ssl using a self-signed certificate, and
>> then generated a client certificate from the server certificate.  With
>> SSLVerifyClient set to 'require', I can get to Dspace only from a browser
>> with the client certificate installed.  So it works!
>>
>> But getting Dspace to recognize the certificate is my problem. When I try
>> to login with the certificate, at https://myserver/jspui/certificate-login,
>> I get the message: 'You do not seem to have a valid Web certificate.'   I am
>> running Apache 2.4.18, Apache Tomcat/8.5.15, and Dspace 6.1 on Ubuntu 16.04.
>>
>> In my apache conf, I have SSLOptions StdEnvVars ExportCertData.
>>
>> I loaded my client.crt certificate into the tomcat keystore, following
>> the directions in https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace:
>>
>> Optional – ONLY if you need to accept client certificates for the X.509
>> certificate stackable authentication module See the configuration section
>> for instructions on enabling the X.509 authentication method. Load the
>> keystore with the CA (certifying authority) certificates for the
>> authorities of any clients whose certificates you wish to accept. For
>> example, assuming the client CA certificate is in *client1.pem*:
>>
>>
>> $JAVA_HOME/bin/keytool -import -noprompt -storepass changeit
>>     -trustcacerts -keystore $CATALINA_BASE/conf/keystore  -alias client1
>>     -file client1.pem
>>
>> I have set authentication.cfg so it includes X509 authentication:
>>
>> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication,org.dspace.authenticate.X509Authentication
>>
>> I have set authentication-x509.cfg to include the keystore and password:
>>
>> authentication-x509.keystore.path = /opt/tomcat/conf/keystore
>> authentication-x509.keystore.password = changeit
>>
>> What am I missing?
>>
>> Thanks,
>> Paul
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "DSpace Technical Support" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/dspace-tech.
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
>
> Tim Donohue
> Technical Lead for DSpace & DSpaceDirect
> DuraSpace.org | DSpace.org | DSpaceDirect.org
>
>
