Using reverse proxy with CertAP - SSO
By default Two-way SSL is used. In this configuration the certificate is provided to the server in the Two-way SSL authentication. If reverse proxy is used this method cannot be applied and the identifying certificate must brought to the Certificate AP in the http header. In order to use the reverse proxy configuration, execute the following steps:Â
cd /d "C:\Program Files\Ubisecure\ubilogin-certap\certap" copy config\tomcat\conf-proxy\server.xml custom\tomcat\config\tomcat\update.cmd
The above commands change the server.xml
that is being used. The new server.xml
specifies that the identifying certificate the client provides to the Certificate AP is not to be acquired via SSL authentication but in the http header with attribute X509Data.
The reverse proxy used must also be configured in such a way that the certificate is passed in the http header as the X509Data attribute.
An example of a http request passed to the Certificate AP from a reverse proxy where the certificate is found in the http header:
GET /certap/saml2/SingleSignOnService?SAMLRequest=fZFRb8IgFIXf9ysa3i2FWq3E1pgYE5MtS9ZtD3tZKFIla4FxqXH%2Fftjpoi8mvMC9597zHeaLY9dGB%2BlAGV0gEicoklqYrdK7Ar29rkc5WpQPc%%3D&locale=en HTTP/1.1 X509Data: -----BEGIN CERTIFICATE-----MIICGjCCAYOgAwIBAgIQD5G4mJqd+CkmnBW0/u9fljANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTExMTIxMjAwMDAwMFoXDTIyMTIxMjAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdEBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjytYrJ6jB8NVaCQUoCYzLOKWwbk6PAvzCI3+xLDjaSUklzzq1i08TVCXspl9MN6nvNR0W1QbaRXb4r9JXGO+R51qIW9pieZP8wcaeHlpAsCki7ccx76AQNwjhgj/EFTq/MicOTo9bJJsIjQOFHXgq4xJ3EpJf7wNN7IRzQJzhPkCAwEAAaNlMGMwHQYDVR0OBBYEFOqcNIpvahGrZm65JR9A8wDpaDseMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUbqvbio+JW0odOAU3Cw53qWChF24wDQYJKoZIhvcNAQEFBQADgYEAMBwnPAtd7bJnMftfcOweo0PQ2mxFAuN2mxCBMuFXfXPBqKsI17ARw2hZWcvSE1u+Du7/pKT8mHxuuHJXOed7BSQ8u0PpIOaDeJHZeh08m2xvZ1eklf92Fr6IoZSKQimfsykPYY+/Wd9TNTthsAyNXzqUTgmyw9kEM1JtdGEHWhs------END CERTIFICATE-----
Modifying the PKI Policy
By default, the same PKI policy is used for all service providers (each authentication method instance in UAS is a SAML service provider). The policy is located in certap/webapp/WEB-INF/uap/pki/policy.xml
.
An example PKI policy is shown below. Trusted issuers are defined in the Trust elements enclosed in a PKI element. In this example, a base64-encoded certificate of the issuer of the HST certificates is introduced. Consequently, all the HST certificates are accepted as valid user credentials. The corresponding CRL distribution point is defined in the crl attribute. The CRL may be either in LDAP form with a query statement, or a HTTP address. Optionally OCSP Server can be used instead of CRL, and configured in OCSP attribute uri.
Other trusted issuers may be added by defining a new Trust element for each trusted issuer.
The user's certificate is defined to be included in a SAML assertion by defining the Subject element's KeyInfoConfirmationData attribute as true. User's certificate is required by UAS to be able to perform a satu-hetu transformation in case of HST certificates. It may be omitted if the HST certificates are not used or if there is no need for the user's hetu.
Attributes to be sent to UAS are defined in the Attribute element. The name of the attribute is defined in the name attribute of the Add element. The content of the attribute is defined in the enclosed elements. In this example, three different attributes are defined. The username attribute is defined as a sha-1 digest (fingerprint) of the certificate. The username.dn attribute is defined as the subject-field of the certificate. The satu attribute is defined as the certificate subject-field's component with oid 2.5.4.5, which is satu in case of HST certificates.
All of the defined attributes must be found in the certificate. Otherwise authentication fails. Please refer to page 3726148049Â for more information about possible attribute values.
<?xml version="1.0" encoding="iso-8859-1"?><Policy xmlns="http://ubisecure.com/schema/certagent.xsd">  <PKI>    <!-- VRK Gov. CA for Citizen Qualified Certificates -->     <!-- CRL distribution point URL and trusted issuer's base64-encoded certificate -->    <Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">      MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG       STEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz       a3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl       czEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g       Um9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD       VQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0       ZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl       ZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD       ZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52       7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P       f0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH       xsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p       qqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF       RBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6       0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG       CWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w       gYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh       IC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg       aXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH       AgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy       BggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j       cnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL       d/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs       L3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ       KoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR       4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h       //jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9       MNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS       jdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv       BMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=     </Trust>   </PKI>  <!-- Add certificate to saml assertion -->   <Subject KeyInfoConfirmationData="true"/>  <!-- Add attributes to saml assertion -->   <Attributes>    <!-- SHA-1 fingerprint -->     <Add name="username">         <Digest source="subject" algorithm="sha1" />     </Add>    <!-- Subject's distinguished name -->     <Add name="username.dn">       <Field source="subject"/>     </Add>    <!-- Attribute 2.5.4.5 (satu in HST-certificates) -->     <Add name="satu">       <Attribute source="subject" oid="2.5.4.5"/>     </Add>  </Attributes></Policy>
<Policy xmlns="http://ubisecure.com/schema/certagent.xsd"> <PKI> <!-- GlobalSign PersonalSign 2 CA - G2 --> <Trust> .... </Trust> <OCSP uri="http://ocsp2.globalsign.com/gspersonalsign2g2" /> </PKI> </Policy>