opsview4.6:client_ssl_cert (page revision 2014/09/09 12:19, current)

====== Authentication By Client SSL Certificate ======
Opsview can be configured to authenticate users with an SSL client certificate instead of, or in addition to, an AuthTKT cookie, LDAP or the built-in authentication routine. Each user must still exist in the Opsview system, with a username matching the Common Name (CN) field of the client certificate's Subject. Opsview never sees the certificate itself: Apache verifies it and passes the CN on in a request header, so the whole scheme is only as strong as the guarantee that this header is set by Apache and by nothing else.
 +
===== Apache Configuration =====

The first step is to set up Apache for SSL client certificate authentication. That process is outside the scope of this document, but there are many examples on-line to help. Two settings matter for what follows: ''SSLCACertificateFile'' must contain only the CA that issues your client certificates, and ''SSLVerifyClient'' must be ''require'' or ''optional'', never ''optional_no_ca''. With ''optional_no_ca'', mod_ssl completes the handshake for certificates it could not verify (''SSL_CLIENT_VERIFY'' is ''GENEROUS'' rather than ''SUCCESS'') and still exports their fields, so the CN of any self-signed certificate would become a login name.

Once this is done, you must add some additional configuration so that the Opsview application can see the username of the authenticated user. Add the following directives to the Opsview SSL configuration file for Apache, then restart Apache:

<code>
# Headers added to the proxy request to Opsview, as Opsview cannot see the external
# user certificate nor the Apache environment. Make sure to unset headers first to avoid abuse.
RequestHeader unset X-REMOTE_USER
RequestHeader set X-REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
RequestHeader unset X-SSL_CLIENT_S_DN_CN
RequestHeader set X-SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
</code>

When mod_ssl has verified a client certificate it exports the certificate's fields as environment variables; ''SSL_CLIENT_S_DN_CN'' holds the Subject CN. The Opsview application runs behind the Apache proxy and cannot see that environment, so the configuration above copies the CN into an HTTP request header which Opsview can see. Each header is first erased (''unset'') unconditionally, so that a remote client cannot forge an authenticated username by sending its own ''X-REMOTE_USER''; the ''env='' condition then sets the header only when mod_ssl actually exported a CN. For the same reason, the backend that Apache proxies to must not be reachable by anything other than Apache (bind it to the loopback interface or firewall it): a client that can reach it directly can send ''X-REMOTE_USER'' itself and bypass the certificate check entirely.
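
The header policy above, as an added example that is not part of the Opsview documentation or code: a Python model of what the two ''RequestHeader'' lines do to a request on its way to the backend. ''X-REMOTE_USER'', ''SSL_CLIENT_S_DN_CN'' and ''SSL_CLIENT_VERIFY'' are the real mod_headers and mod_ssl names; the forged requests and TLS environments are constructed for the demo, and the ''require_verified'' option is this example's own stricter variant, not something the snippet above does.

```python
# Added example (not Opsview's or Apache's code): a model of what the two
# RequestHeader lines above do to a request before it is proxied to Opsview.
# X-REMOTE_USER, SSL_CLIENT_S_DN_CN and SSL_CLIENT_VERIFY are the real
# mod_headers / mod_ssl names; the requests and TLS environments below are
# constructed for the demo.

USER_HEADER = "X-REMOTE_USER"


def proxy_request_headers(client_headers, ssl_env, require_verified=True):
    """Return the request headers Apache would forward to the Opsview backend.

    client_headers:   headers exactly as the remote client sent them.
    ssl_env:          mod_ssl's SSL_CLIENT_* variables for this connection
                      (empty when no client certificate was presented).
    require_verified: this example's stricter variant: additionally insist that
                      mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS, which the
                      env=SSL_CLIENT_S_DN_CN test on the page does not do.
    """
    # 'RequestHeader unset X-REMOTE_USER': drop whatever the client sent.
    # Header names are case-insensitive, so 'x-remote_user' is caught too.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != USER_HEADER.lower()
    }

    # 'RequestHeader set X-REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN':
    # the header is added only when mod_ssl exported a Subject CN.
    cn = ssl_env.get("SSL_CLIENT_S_DN_CN")
    if cn is None:
        return forwarded
    if require_verified and ssl_env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        # With 'SSLVerifyClient optional_no_ca' mod_ssl still exports the CN of
        # a certificate it could not verify (SSL_CLIENT_VERIFY is GENEROUS).
        return forwarded
    forwarded[USER_HEADER] = cn
    return forwarded


def backend_user(forwarded_headers):
    """What the 'Upstream::Headers' credential sees: the user_header value, if any."""
    return forwarded_headers.get(USER_HEADER)


# Constructed TLS environments for the scenarios below.
NO_CERT = {}
VERIFIED_ALICE = {"SSL_CLIENT_S_DN_CN": "alice", "SSL_CLIENT_VERIFY": "SUCCESS"}
SELF_SIGNED_ADMIN = {"SSL_CLIENT_S_DN_CN": "admin", "SSL_CLIENT_VERIFY": "GENEROUS"}


def run_scenarios():
    """Return {scenario: username Opsview would see}; None means a password is still required."""
    # A client trying to log in as 'admin' by supplying the header itself.
    forged = {"Host": "opsview.example.com", "x-remote_user": "admin"}
    return {
        "forged header, no certificate":
            backend_user(proxy_request_headers(forged, NO_CERT)),
        "forged header plus alice's certificate":
            backend_user(proxy_request_headers(forged, VERIFIED_ALICE)),
        "self-signed CN=admin, verification enforced":
            backend_user(proxy_request_headers(forged, SELF_SIGNED_ADMIN)),
        "self-signed CN=admin, env= test only":
            backend_user(proxy_request_headers(forged, SELF_SIGNED_ADMIN, require_verified=False)),
    }


if __name__ == "__main__":
    for scenario, user in run_scenarios().items():
        print(f"{scenario}: {user!r}")
```

The first two scenarios show the ''unset'' doing its job: the client's own ''x-remote_user'' never reaches Opsview, and when a verified certificate is present its CN replaces it. The last scenario is the ''optional_no_ca'' case: the ''env='' condition alone passes the CN of an unverified certificate through, which is why the CA file and ''SSLVerifyClient'' mode are part of the authentication boundary and not merely of the TLS setup.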
 +
===== Opsview Configuration =====

The next step is to configure a new authentication realm for Opsview which uses the username that Apache authenticated. This is similar to setting up an [[opsview4.6:ldap|authentication realm for LDAP]].

Edit ''/usr/local/opsview-web/opsview_web_local.yml'' on your Opsview master server to include the following, then restart the ''opsview-web'' service. ''user_header'' must name exactly the header that Apache unsets and sets in the previous step:

<code>
authentication:
  realms:
    certificate:
      credential:
        class: 'Upstream::Headers'
        user_header: 'X-REMOTE_USER'
</code>
 +
===== Users Configuration in Opsview =====

For each user in the Opsview application that you wish to use this feature, the user's realm configuration must be changed.

Go to Settings, Contacts, then select the user. Change the [[opsview4.6:contact|Authentication Realm]] to "''certificate''".

On the Opsview login page, when a client connects with a trusted SSL client certificate, the username field is filled in automatically. If the user is configured with the "''certificate''" realm, they can immediately click the "Sign in" button without a password. If the user is not configured with this authentication realm, they must still enter a password.
 +
===== Authentication Fallback =====

If you would like users to have the choice of either a client SSL certificate or a traditional password, this is also possible.

Configure at least two authentication realms: one for normal password authentication, and the "''certificate''" realm shown above. To these, add a third realm that defines the fallback list.

For example, the ''/usr/local/opsview-web/opsview_web_local.yml'' file on your Opsview master server could look like this:

<code>
authentication:
  realms:
    certificate:
      credential:
        class: 'Upstream::Headers'
        user_header: 'X-REMOTE_USER'
    ldap:
      credential:
        class: Password
        password_field: password
        password_type: self_check
      store:
        class: LDAP
        # etc...
    fallback:
      credential:
        class: Fallback
        realms: ['certificate', 'ldap']
</code>

With the example above, a user whose browser has a compatible client SSL certificate can use it; otherwise they enter a normal password.

To enable this for a user, go to Settings, Contacts, then select the user. Change the [[opsview4.6:contact|Authentication Realm]] to "''fallback''".

More realms can be configured and added to the "''realms''" list. Opsview tries each entry in turn until one succeeds or all fail.
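
The realm configuration above, as an added example (not opsview-web's code): a Python model using the semantics this page describes, with ''Upstream::Headers'' logging in whoever Apache named in ''user_header'', ''Password'' checking a password and ''Fallback'' trying its realms in order until one succeeds. The LDAP store is replaced by a local password table, and the users, passwords and requests are constructed for the demo; how opsview-web itself implements these classes is not shown on this page.

```python
# Added example (not opsview-web's code): a model of the realm configuration
# above, using the semantics the page describes. The LDAP store is replaced
# by a local password table; users, passwords and requests are constructed.
import hashlib
import hmac
import os

# Mirrors the 'realms:' section of opsview_web_local.yml above.
REALMS = {
    "certificate": {"credential": {"class": "Upstream::Headers", "user_header": "X-REMOTE_USER"}},
    "ldap": {"credential": {"class": "Password", "password_field": "password"}},
    "fallback": {"credential": {"class": "Fallback", "realms": ["certificate", "ldap"]}},
}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(realm, password):
    """A contact as set up under Settings > Contacts (realm) plus a demo password."""
    salt = os.urandom(16)
    return {"realm": realm, "salt": salt, "hash": _hash(password, salt)}


USERS = {
    "alice": make_user("fallback", "alice-pw"),  # certificate or password
    "bob": make_user("certificate", "bob-pw"),   # certificate only
    "carol": make_user("ldap", "carol-pw"),      # password only
}


def _check_password(username, password):
    user = USERS[username]
    return password is not None and hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


def authenticate(realm_name, username, request):
    """Run one realm for an already-identified user; return the username or None."""
    cred = REALMS[realm_name]["credential"]
    if cred["class"] == "Upstream::Headers":
        # Trust only the header Apache sets after verifying the certificate.
        return username if request["headers"].get(cred["user_header"]) == username else None
    if cred["class"] == "Password":
        return username if _check_password(username, request["form"].get(cred["password_field"])) else None
    if cred["class"] == "Fallback":
        for name in cred["realms"]:  # each entry in turn until one succeeds or all fail
            if authenticate(name, username, request) is not None:
                return username
        return None
    raise ValueError(f"unknown credential class {cred['class']!r}")


def login(request):
    """Identify the user (pre-filled from the header, else the form), then run that user's realm."""
    username = request["headers"].get("X-REMOTE_USER") or request["form"].get("username")
    if username not in USERS:
        return None  # the user must exist in Opsview whatever the realm says
    return authenticate(USERS[username]["realm"], username, request)


def make_request(header_user=None, form_user=None, password=None):
    """A login request as Opsview would receive it from Apache (constructed)."""
    headers = {"X-REMOTE_USER": header_user} if header_user else {}
    form = {"username": form_user or header_user, "password": password}
    return {"headers": headers, "form": form}


if __name__ == "__main__":
    print(login(make_request(header_user="alice")))                  # certificate via fallback
    print(login(make_request(form_user="alice", password="alice-pw")))  # password via fallback
    print(login(make_request(form_user="bob", password="bob-pw")))   # certificate-only user, no cert
    print(login(make_request(header_user="carol")))                  # password-only user, no password
```

The user's realm decides which paths exist: ''bob'' is in the ''certificate'' realm, so a correct password alone never logs him in, and ''carol'' is in the ''ldap'' realm, so the header Apache set for her certificate is ignored until she also supplies her password. Only ''alice'', in the ''fallback'' realm, gets both options.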