[clue-tech] Mod_nss question

Mike Staver staver at fimble.com
Wed May 26 08:27:51 MDT 2010


No problem - you're pretty close with the single sign on part.  Every user
of the web applications I work on is issued an ID card. Think a DirecTV
access card almost exactly, but with barcodes on the back, a magnetic
strip, and the chip on the card contains a personal certificate.  That
certificate is read with some hardware hooked up to each desktop being
used, and the cert is passed through IE / Firefox to the web server.  In
the past I have used Apache with mod_ssl to request the cert and make it
available to the web applications being hosted on our servers.  The
applications can use the certificate to authenticate the user and
automagically sign them into the application.  Well, there is just one flaw
with this model - and that is the user may have had their certificate
revoked, yet still manage to keep their card. I needed a way to maintain
and hit a Certificate Revocation List to ensure the users are still
authorized to view the websites in question. Apparently Netscape took the
mod_ssl code and enhanced it so that it was FIPS 140-2 compliant, which is
a must for where I work. They also built in some functionality to allow me
to query a local certificate database, or CRL if you will, that I can
check every user against as they hit the website.  If they are on the
list, they are allowed through and then authenticated against the specific
application they are trying to access. Eventually, we plan to move to OCSP
- but a simple CRL will work for now.

I think this link can actually explain it better than I have just done:

http://directory.fedoraproject.org/wiki/Mod_nss

I am basically trying to use this model for Solaris using the latest
version of Apache. It's been a challenge and I'd much prefer sticking to
what I know - RedHat / CentOS, but I've been over-ruled :)

> Hi Mike,
>
> For those of us who haven't used mod_nss and aren't familiar with it
> could you say a bit about what you're going to use it for and how you
> are going to configure it? I do not know much about it and am curious
> about what you are doing. Is it some sort of single sign-on scheme for a
> web site?
>
> Thanks,
> Jim
>
> Mike Staver wrote:
>> Thanks for the info. I ended up finally getting it compiled today after
>> many days of trying various things. Turns out, when configuring, I had
>> to specify odd locations for both the include and library folders.  For
>> the lib, I had to point it at the lib folder of the actual nss folder I
>> built from. The include config wanted to be pointed at the output
>> folder, under the "dist/Sun" folder - I forgot the exact path. The nspr
>> lib and include paths were also within the actual directory I built the
>> binaries from.
>>
>> The next road block I hit was the actual make command. It would seem to
>> compile for a few minutes, then barf on a lex command. I then had to
>> install a bit of software called flex, and then locate the binary lex
>> and rename it. Then I created a lex link back to the flex binary so the
>> compiler could call it and not know the difference.
>>
>> Now I have a compiled mod_nss ready for configuration.
>>
>> On 5/24/2010 4:23 PM, Chris Tubutis wrote:
>>
>>>> I read also that I
>>>>
>>>> need to edit my profile to include the path to the library or include
>>>> paths for these packages... But I'm not sure where those are.
>>>>
>>> Just a shot in the dark...
>>>
>>> I'm imagining the compiled & installed stuff is ending up in /usr/local
>>> and
>>> you need to add that directory to your LD_LIBRARY_PATH environment
>>> variable (which you can do in your .profile). Just a guess....
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> clue-tech mailing list
>>> clue-tech at cluedenver.org
>>> http://cluedenver.org/mailman/listinfo/clue-tech
>>>
>>
>
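The client-certificate-plus-CRL model Mike describes above, written out as an added mod_nss configuration example; this is not Mike's configuration or the mod_nss project's shipped nss.conf, the directive names come from the mod_nss documentation, and the module path, database directory, certificate nicknames, hostnames and the crlutil command line are assumptions to be adapted to the local build.

```apache
# Added example, not from the thread: a mod_nss virtual host that turns on
# FIPS mode, demands a client certificate from every browser, and rejects
# certificates that appear on a CRL imported into the NSS database.
# All paths and nicknames below are assumptions.

# Module path assumed; a self-built Apache on Solaris will differ.
LoadModule nss_module modules/libmodnss.so

# NSS certificate/key database. It holds the server cert, the issuing CA
# certs, and the CRL. The CRL is imported out of band with crlutil and must
# be re-imported whenever the CA publishes a new one, e.g.:
#   crlutil -I -i ca.crl -t 1 -d /etc/httpd/alias
NSSCertificateDatabase /etc/httpd/alias
NSSPassPhraseDialog builtin

# FIPS 140-2 mode for the NSS library (FIPS-approved ciphers only).
NSSFIPS on

Listen 443
<VirtualHost _default_:443>
    ServerName www.example.org
    NSSEngine on
    NSSNickname Server-Cert
    NSSProtocol TLSv1.0
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha

    # Every client must present a certificate that chains to a CA in the
    # database. NSS also fails the handshake when the certificate's serial is
    # listed on the imported CRL, so a revoked card never reaches the app.
    NSSVerifyClient require

    # Planned follow-up: online revocation checks via OCSP instead of the
    # locally maintained CRL (responder nickname and URL are assumptions).
    # NSSOCSP on
    # NSSOCSPDefaultResponder on
    # NSSOCSPDefaultURL http://ocsp.example.org/
    # NSSOCSPDefaultName OCSP-Responder-Cert

    <Location /app>
        # Hand the verified certificate to the application through
        # mod_ssl-style variables (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN,
        # SSL_CLIENT_M_SERIAL, SSL_CLIENT_CERT) so it can sign the user in.
        NSSOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

The application behind /app should still check SSL_CLIENT_VERIFY is "SUCCESS" before trusting the DN, and a cron job that re-runs the crlutil import keeps the local CRL from going stale between CA publications.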
