Upgrading Your Cosign Filter to Cosign V3

  1. Overview
  2. New Filter Requirements
    1. Synopsis
    2. Matching Configuration Values
    3. Reserved URL
  3. V3 WebAccess Test System
  4. Updating Filters to V3
    1. Apache
    2. IIS 7
    3. IIS 5/6
    4. Java
  5. ChangeLog for this page
Overview

Cosign v3 provides an enhanced security architecture and stricter requirements for the configuration of filters. Since the production WebAccess login system was upgraded to v3 on 2009/07/07 (Alert 1151), you may use it to test your v3 Cosign filters.

It is recommended that you verify the proper operation of your test, non-production web site with the same version of the Cosign filter as you've been using, and then you can test upgrading that site to v3, and check your back-out procedures. Once you are satisfied with your site remaining at v3, contact us and request that we mark your test site as upgraded.

Support for v2 filters is not going away: v2 filters will be supported for the foreseeable future. The only date mentioned, August 18, only refers to requiring the CN, Service Name, and FQDN to match.

New Filter Requirements
Synopsis

Details of new requirements are below, but in brief: For a Penn State site serving cosign-protected content, if there's any variance to the following, an exception must be added to the production WebAccess login system. Given a site www.example.psu.edu:

  1. Its URL is: https://www.example.psu.edu/... (i.e., using SSL with the default port number.)
  2. The Certificate Common Name (CN) used by Cosign is: www.example.psu.edu
  3. The Cosign Service Name is: cosign-www.example.psu.edu (Apache/Java: www.example.psu.edu)
Matching Configuration Values

The stricter requirements in a fully-implemented v3 Cosign service require three elements to match on your protected site. Those elements are

  1. Fully qualified domain name (FQDN) used in URLs on your protected site.
  2. Cosign Service Name (aka cookie name, cosign-your-FQDN).
  3. Common Name (CN) of the certificate used by the Cosign filter.

For the WebAccess protected site www.example.psu.edu, the corresponding values would be

  1. www.example.psu.edu (e.g., https://www.example.psu.edu/).
  2. cosign-www.example.psu.edu (for IIS and Java; just "www.example.psu.edu" for Apache).
  3. Subject:…CN=www.example.psu.edu (abridged output from command line tool "openssl x509 -text …").

You can verify and correct the above on your sites today, in preparation for the upgrade.

When the production login systems are upgraded to v3, they will be run in a "relaxed" mode until Tuesday, August 18, 2009, which will allow mismatches among those elements. Older v2 filters will continue work after that date, provided that the values above do match, or an exception has been added to the WebAccess login system.

Also, note that DNS names and IP address mappings are not part of the checks. This means that a load-balanced WebAccess-protected web site, where two or more systems serve the same FQDN and use the same certificate and Cosign Service Name, will continue to work without any special requirements.

Should you have a configuration that doesn't fit the above model, you may request an exception, noting your FQDN(s), Cosign Service Name(s), and certificate CN(s). Some exceptions would be

Reserved URL

On each protected site, the URL path /cosign/valid is used by the Cosign filter and is reserved for it. Should your site have a conflict with that, please contact us to discuss the problem. For the WebAccess protected (and encrypted) site www.example.psu.edu, the full URL reserved by v3 would be

https://www.example.psu.edu/cosign/valid

If your site does not use SSL or uses a non-standard port number, this reserved URL would match that.

V3 WebAccess Test System

Since the production WebAccess system was upgraded to v3 on 2009/07/07 (Alert 1151), use of this test system is no longer needed to test your v3 Cosign filters.

To have your test site's non-V3 Cosign filter use the WebAccess test system, save your current Cosign configuration, and in it change all references of

webaccess.psu.edu
to
webaccess-test.ait.psu.edu

The WebAccess test system uses the same base of information as the production system: any currently registered CN should be able to use it. However, some slightly shorter values are in place for maximum session lifetime (9 hours) and idle time (30 minutes).

To help differentiate the test system from the production one, you'll notice that the large graphic is slightly different, as well the html page titles having the word "test" inserted.

Also, to minimize delays in your testing, the configuration of the WebAccess test system will be updated during the day as requests are received. Such restarts may cause very short outages (3-5 seconds) of the service, as only one server is active.

Updating Filters to V3

These instructions are in addition to the current documentation for installing filters, and are constructed for sites using secure browsing (https:); non-secure sites will be slightly different, and should ask us about the differences.

Copies of v3 filters are available from the Cosign site, on its "download" page (linked from the navigation area on the left side of the home page). The linked icons at the top of that page may not refer to the v3 version.

The regular expressions in the CosignValidReference (or ValidReference) directives below must be adjusted if you are using an IP address for the "FQDN" in your site's URL, if your FQDN doesn't end in "psu.edu", or if you're using a non-standard port number. The expression is used by your Cosign filter to determine what URLs are to be handled by it (are valid to it); it can be made very specific.

Apache
  1. Download the v3 source, build as you built the previous version.
  2. Save your current Apache config file(s), and mod_cosign.so apache module, in case you need to revert.
  3. Install the filter (you may need to stop Apache to do this.)
  4. Edit your Apache Cosign-related directives. (For multi-homed hosts, review the above section on "New Filter Requirements".) Where you define the CosignHostname, add the following directives (remember to update the reference to the test login server as needed):
    CosignValidReference              ^https?:\/\/.*\.psu\.edu(\/.*)?
CosignValidationErrorRedirect      https://webaccess.psu.edu/validation_error.html
<Location /cosign/valid>
     SetHandler          cosign
     CosignProtected     Off
     Allow from all
     Satisfy any
</Location>
  5. Delete all service cookies files from the cookies database to invalidate existing service cookies. The default directory is /var/cosign/filter .

    NO EFFECT ON THOSE CURRENTLY CONNECTED: They will automatically be issued v3 service cookies and not experience any difficulties.

  6. Restart your service, and test a Cosign-protected URL.
  7. After you're satisfied with leaving the v3 filter in place, inform us that you've switched to v3, so that we may remove any v2 exceptions in place.
IIS 7

A v3 Cosign module for IIS 7 is now (2009-06-11) available. Until detailed instructions are available, use http://www.itcs.umich.edu/itcsdocs/s4364/ as a reference for changes, and the other filter sections in this document for the Penn State-specific adjustments.

IIS 5/6
  1. Backup the current contents of your IISCosign folder.
  2. Stop the IIS service.
  3. Download and extract the v3 zip file into your IISCosign folder.
  4. Validate that the permission changes listed in the README are still in place.
  5. Update the cosign.dll.config. Insert the following two XML lines between a </Cookies> (if it exists) and the <ConnectionPoolSize> tags (remember to update the reference to the test login server if needed):
    <ValidReference>^https?:\/\/.*\.psu\.edu(\/.*)?</ValidReference>
<ValidationErrorRedirect>https://webaccess.psu.edu/validation_error.html</ValidationErrorRedirect>
  6. Delete all service cookies files from the cookies database (…\IISCosign\CookieDB) to invalidate existing service cookies.

    NO EFFECT ON THOSE CURRENTLY CONNECTED: They will automatically be issued v3 service cookies and not experience any difficulties.

  7. Start the IIS Service, and test a Cosign-protected URL.
  8. After you're satisfied with leaving the v3 filter in place, inform us that you've switched to v3, so that we may remove any v2 exceptions in place.
  9. Some sites have needed to add
    <RedirectToHttps>true</RedirectToHttps>
    to their config in order to get non-SSL attempts to fetch protected content properly redirected to the SSL side of their site. The sample config that's distributed with the filter shows where this tag must be defined.
Java

Until detailed instructions are available, use http://www.itcs.umich.edu/itcsdocs/s4364/ as a reference for changes, and the other filter sections in this document for the Penn State-specific adjustments.

ChangeLog
2009-10-22
Change IIS 5/6 CosignValidationErrorRedirect to https (http also works).
2009-08-06
Change strict checking date to 8/18 (was 8/11).
Fixed "true" (lower case) in RedirectToHttps.
2009-07-30
Clarify v2 filter support, and significance of 8/11.
2009-07-23
Deprecate Test System section.
Since production system now v3, update references.
Expanded info for requirements, etc.
Mention RedirectToHttps for IIS
2009-06-11
Add ChangeLog section.
Add reference in exception examples to non-standard port .
Mention IP addresses and non-psu.edu names for ValidReference reg-ex's.
Mention updating reference to login system for IIS 5/6 changes.
IIS 7 module available.
Give Java section some help.

This document based, in part, on http://www.itcs.umich.edu/itcsdocs/s4364/.


The Pennsylvania State University ©2009. All rights reserved.
Alternative Media - Nondiscrimination Statement
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

For assistance please write to helpdesk@psu.edu or see our Help Sources.

Last revised: Thursday, October 22, 2009.