Below is a quick walkthrough on setting up an Apache virtual host with Kerberos authentication.
If you use, or are looking to integrate, single sign-on in the websites or web-based applications in your environment, this is for you.
In this article I will be setting up a new website called mysite.example.com, using the below details.
Web Server Name: web01.example.com
Web Server Operating System: Red Hat Enterprise Linux 6.3
Kerberos Realm: EXAMPLE.COM
Kerberos Username: testuser
This article is specifically about setting up kerberised Apache hosts. It is assumed that you already have a fully functional kerberised realm with kerberised workstations.
This is required because we will be testing the single sign-on capabilities from a kerberised workstation using our Kerberos test user.
To continue with the installation, please read on.
Step 1. Install packages
We need to install Apache and the Kerberos authentication module (mod_auth_kerb) in order to continue.
Run the following to install the packages we need.
[root@web02 ~]# yum install -y httpd mod_auth_kerb
Step 2. Start Apache
Make sure you enable Apache to start on boot, as well as starting the service.
[root@web01 ~]# chkconfig httpd on
[root@web01 ~]# service httpd start
Starting httpd: [ OK ]
[root@web01 ~]#
Step 3. Open Firewall
You should open TCP port 80 for Apache to be accessible through the firewall. If you wish to set up an SSL-based website, you should also open TCP port 443.
[root@web01 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@web01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@web01 ~]#
Step 4. Create service principal keytab
Depending on your Kerberos infrastructure, you will do this in different ways.
If you are using FreeIPA, you can achieve this as follows.
On your IPA server, run the following:
[root@ds01 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ds01 ~]# ipa service-add HTTP/web01.example.com
--------------------------------------------------------
Added service "HTTP/web01.example.com@EXAMPLE.COM"
--------------------------------------------------------
  Principal: HTTP/web01.example.com@EXAMPLE.COM
  Managed by: web01.example.com
[root@ds01 ~]# ipa-getkeytab -s ds01.example.com -p HTTP/web01.example.com -k /root/web01.example.com-http.keytab
Keytab successfully retrieved and stored in: /root/web01.example.com-http.keytab
[root@ds01 ~]#
Step 5. Copy keytab to web server
Copy your new keytab file to your web server.
If your Kerberos server happens to be a Linux-based server, or if you ran the FreeIPA commands in step 4, run the following.
[root@ds01 ~]# scp /root/web01.example.com-http.keytab email@example.com:/etc/httpd/
Step 6. Create directories for new website
As we are creating a new stand-alone virtual host in Apache, we should create a new directory structure for our website.
To do this, run the following.
[root@web01 ~]# mkdir -p /var/www/mysite.example.com/html
Step 7. Create new Virtual Host configuration file.
Create a new text file called /etc/httpd/conf.d/mysite.example.com.conf with the below contents:
<VirtualHost *:80>
    ServerAdmin firstname.lastname@example.org
    DocumentRoot /var/www/mysite.example.com/html
    ServerName mysite.example.com
    ErrorLog logs/mysite.example.com-error_log
    CustomLog logs/mysite.example.com-access_log common
    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/web01.example.com-http.keytab
        KrbServiceName HTTP/web01.example.com
        KrbVerifyKDC off
        Require valid-user
    </Location>
</VirtualHost>
Step 8. Restart Apache
Restart Apache to apply the new configuration file.
[root@web01 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@web01 ~]#
Step 9. Update DNS
Your new website should now be working. The last thing that needs to be done is to configure a DNS record that points mysite.example.com at your new web server.
I will leave you to do this yourself; however, if you are using FreeIPA as your Kerberos realm as well as your DNS infrastructure, you can do the following on one of your directory servers.
[root@ds01 ~]# ipa dnsrecord-add example.com mysite --cname-rec web01.example.com.
  Record name: mysite
  CNAME record: web01.example.com.
[root@ds01 ~]#
Step 10. Test your setup is working
It is important, of course, to verify that what we have set up above is actually working.
From your authenticated kerberised workstation, log in as your test user and browse to your new site: http://mysite.example.com
You should now see your new website. Please be aware that if you receive a username and password dialog box, the kerberised login is not completing successfully. You will need to go back and verify your details.
Just to be extra sure, on your web server, watch the logs as you make your requests from your workstation.
You should see entries along the lines of the following: the first request is answered with a 401 carrying the Negotiate challenge, and the retried request is served with the client's Kerberos principal recorded as the remote user.
[root@web01 ~]# tail -f /var/log/httpd/*
==> /var/log/httpd/mysite.example.com-access_log <==
10.0.1.104 - - [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 401 486
10.0.1.104 - testuser@EXAMPLE.COM [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 304 -
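As an added example (not part of the original article), the following shell script automates the checks from steps 7 and 10: it reads an access log in the common format used by the vhost above and reports whether a given client completed Negotiate authentication (a non-401 response with a REALM-qualified remote user) or only ever got 401s, and it flags KrbVerifyKDC being left off in the vhost file. The log lines, file paths and the 10.0.1.105 client are constructed for the example; the realm is assumed to be uppercase as in EXAMPLE.COM.

```shell
#!/bin/sh
# Added example, not the article's own code. Checks the outcome of the
# Kerberos SSO setup from the Apache access log and the vhost config.

# sso_status LOGFILE CLIENT_IP
# Prints the authenticated principal and returns 0 when the client received a
# non-401 response with a REALM-qualified remote user (Negotiate succeeded).
# Returns 1 when the client only ever got 401s (the browser would fall back to
# the password dialog), and 2 when the client does not appear in the log.
sso_status() {
    log="$1"; ip="$2"
    grep -q "^$ip " "$log" || return 2
    # Common log format: field 3 is the remote user, field 9 the status code.
    principal=$(awk -v ip="$ip" \
        '$1 == ip && $3 ~ /@[A-Z.]+$/ && $9 != 401 { print $3; exit }' "$log")
    [ -n "$principal" ] || return 1
    printf '%s\n' "$principal"
}

# verify_kdc_setting CONFFILE
# Returns 0 unless the vhost file sets KrbVerifyKDC off. With it off,
# mod_auth_kerb no longer checks the presented service ticket against the
# local keytab, which the module documents as a testing-only setting.
verify_kdc_setting() {
    [ -r "$1" ] || return 2
    ! grep -Eiq '^[[:space:]]*KrbVerifyKDC[[:space:]]+off' "$1"
}

# Constructed sample log, modelled on the entries shown in step 10.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.1.104 - - [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 401 486
10.0.1.104 - testuser@EXAMPLE.COM [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 304 -
10.0.1.105 - - [24/Dec/2012:00:05:12 +0000] "GET / HTTP/1.1" 401 486
10.0.1.105 - - [24/Dec/2012:00:05:13 +0000] "GET / HTTP/1.1" 401 486
EOF

sso_status "$SAMPLE_LOG" 10.0.1.104 && echo "SSO OK for 10.0.1.104"
sso_status "$SAMPLE_LOG" 10.0.1.105 || echo "SSO not completing for 10.0.1.105 (rc=$?)"
verify_kdc_setting /etc/httpd/conf.d/mysite.example.com.conf \
    || echo "warning: KrbVerifyKDC is off (or conf unreadable) in mysite.example.com.conf"
```

On a live server, replace the constructed log with /var/log/httpd/mysite.example.com-access_log and the workstation's address.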