Single-Sign-On for DownloadManager

mod_auth_pubtkt with Debian-Apache

  • We assume that Apache is already installed and that you are familiar with Apache configuration.
  • We assume you have read the mod_auth_pubtkt documentation.
  • On Debian, install the package libapache2-mod-auth-pubtkt:
    # apt-get install libapache2-mod-auth-pubtkt
  • Generate a public/private key pair. We use DSA, as in the pubtkt manual:
    # openssl dsaparam -out dsaparam.pem 1024
    # openssl gendsa -out privkey.pem dsaparam.pem
    # openssl dsa -in privkey.pem -out pubkey.pem -pubout
    • pubkey.pem is needed by the pubtkt Apache module; it can only verify tickets, not create them.
    • privkey.pem must be installed on the B-Fabric server, which signs the tickets. Keep it secret: anyone holding it can mint a valid ticket for any user and any token, so make it readable only by the account that runs the cookie script (e.g. chmod 600).
    • 1024-bit DSA is weak by today's standards; the module also accepts RSA keys (see the pubtkt manual), so prefer a 2048-bit or larger key for a new deployment.
  • copy pubkey.pem to /etc/apache2/pubkey.pem
  • Create an Apache config file for pubtkt that references the public key.
  • In the Apache config, add an Alias for the data downloaded via the DownloadManager.
  • Add the AuthType and the mod_auth_pubtkt options to the Apache config.
    • TKTAuthCookieName must match the cookie name generated by B-Fabric.
    • TKTAuthDigest must match the digest the cookie script signs with (SHA256 in the example below).
  • apache config example:
    <IfModule mod_auth_pubtkt.c>
        TKTAuthPublicKey /etc/apache2/pubkey.pem
        Alias /dm /srv/www/DownloadManager
        <Directory /srv/www/DownloadManager>
            AuthType mod_auth_pubtkt
            TKTAuthCookieName auth_cookie
            TKTAuthDigest SHA256
            Require valid-user
        </Directory>
    </IfModule>
  • Every project directory needs its own security token (TKTAuthToken): the module only grants access to a location when the ticket's tokens field contains the token required there, so a valid ticket for project 1 does not open project 2. The tokens are configured in an Apache config file:
    <IfModule mod_auth_pubtkt.c>
        <Location /dm/p1>
            TKTAuthToken "1"
        </Location>
        <Location /dm/p2>
            TKTAuthToken "2"
        </Location>
    </IfModule>

Configure B-Fabric for Downloadmanager

Storage

  • add an access to the storage of type "dm" with protocol "http"

System Properties

  • the property "downloadManagerEnabled" needs to be set to "true"
  • the property "pubtktGeneratorFilePath" must point to the script which generates the cookie, as described in the pubtkt manual

Create cookie script

  • There is a script in bfabric source: downloadmanager/src/misc/mkpubtkt.sh
  • It is best to build your own, based on this piece of bash code:
    #!/bin/bash
    # first argument is the username
    _UID="$1"
    # second argument is the comma-separated list of tokens
    _TOKENS="$2"
    # check for openssl
    _OPENSSL=$( which openssl )
    [ -z "${_OPENSSL}" ] && exit 1
    # check for the private key
    _PRIVKEY="/path/to/privkey.pem"
    [ -r "${_PRIVKEY}" ] || exit 1
    # same as TKTAuthCookieName in the apache pubtkt config
    _TKTNAME="auth_cookie"
    # expiry as a unix timestamp: the cookie is valid for 1 day (GNU date syntax)
    _VALIDUNTIL=$( date --date='tomorrow' +%s )
    _GRACEPERIOD=$_VALIDUNTIL
    _UDATA=""
    # generate the cookie data; everything before ";sig=" is what gets signed
    _COOKIE="uid=${_UID};validuntil=${_VALIDUNTIL};graceperiod=${_GRACEPERIOD};tokens=${_TOKENS};udata=${_UDATA}"
    # sign it; the digest must match TKTAuthDigest in the apache config
    _SIG=$( echo -n "${_COOKIE}" | "${_OPENSSL}" dgst -sha256 -sign "${_PRIVKEY}" | "${_OPENSSL}" enc -base64 -A )
    # echo to stdout
    echo "${_TKTNAME}=${_COOKIE};sig=${_SIG}"
  • The script does not validate its arguments: a username or token containing ";" would be signed as extra ticket fields (e.g. an additional tokens= entry), so B-Fabric must only pass values that cannot contain the field separator, or the script should reject them.
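As an added example (not code from B-Fabric or the mod_auth_pubtkt project), the bash script below mints a ticket the way the cookie script above does and then checks it the way the Apache module does on the other side: signature under the public key, validuntil against the clock, and the TKTAuthToken membership test. It generates a throwaway DSA key pair in a temporary directory with the same openssl commands as the install steps, so it runs offline and needs no Apache. The user "alice", the tokens and the expiry values are constructed for the example; verify_ticket is a simplified model of the module (no cip or bauth fields, graceperiod ignored), and mint_ticket additionally refuses ";" in its inputs, which the cookie script above does not do.

```shell
#!/usr/bin/env bash
# Added example, not part of B-Fabric or mod_auth_pubtkt: mint a ticket the way the
# B-Fabric cookie script does, then check it the way the Apache module does
# (signature, expiry, TKTAuthToken). Field layout follows the cookie script;
# cip/bauth fields and the grace period are left out for brevity.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIVKEY="$WORK/privkey.pem"   # stand-in for the key on the B-Fabric server
PUBKEY="$WORK/pubkey.pem"     # stand-in for /etc/apache2/pubkey.pem
TKTNAME="auth_cookie"         # must equal TKTAuthCookieName

# Throwaway DSA key pair, same commands as the install steps (1024 bits only for speed here).
gen_keys() {
    [ -f "$PUBKEY" ] && return 0
    openssl dsaparam -out "$WORK/dsaparam.pem" 1024 2>/dev/null
    openssl gendsa -out "$PRIVKEY" "$WORK/dsaparam.pem" 2>/dev/null
    openssl dsa -in "$PRIVKEY" -out "$PUBKEY" -pubout 2>/dev/null
}

# mint_ticket UID TOKENS VALIDUNTIL: prints "auth_cookie=uid=...;sig=..." (B-Fabric side).
# Refuses the field separator in its inputs so a caller cannot inject extra fields.
mint_ticket() {
    local uid=$1 tokens=$2 validuntil=$3
    case "$uid$tokens" in *';'*) echo "refusing ';' in ticket fields" >&2; return 1;; esac
    local data="uid=${uid};validuntil=${validuntil};graceperiod=${validuntil};tokens=${tokens};udata="
    local sig
    sig=$(printf '%s' "$data" | openssl dgst -sha256 -sign "$PRIVKEY" | openssl enc -base64 -A)
    printf '%s=%s;sig=%s\n' "$TKTNAME" "$data" "$sig"
}

# field DATA NAME: extract one ;-separated field from the signed part of a ticket.
field() {
    printf '%s' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# verify_ticket COOKIE REQUIRED_TOKEN: returns 0 when Apache would grant access
# to a Location carrying "TKTAuthToken REQUIRED_TOKEN", 1 otherwise (Apache side).
verify_ticket() {
    local cookie=$1 required=$2
    local value=${cookie#"${TKTNAME}="}   # drop the cookie name
    local data=${value%;sig=*}             # signed part
    local sig=${value##*;sig=}             # base64 signature
    # 1. the signature must verify under the public key (the module never sees privkey.pem)
    printf '%s' "$sig" | openssl enc -base64 -d -A > "$WORK/sig.bin" 2>/dev/null \
        || { echo "reject: malformed signature" >&2; return 1; }
    if ! printf '%s' "$data" | openssl dgst -sha256 -verify "$PUBKEY" -signature "$WORK/sig.bin" >/dev/null 2>&1; then
        echo "reject: bad signature" >&2; return 1
    fi
    # 2. validuntil must be a number and still lie in the future
    local vu
    vu=$(field "$data" validuntil)
    case "$vu" in ''|*[!0-9]*) echo "reject: bad validuntil" >&2; return 1;; esac
    if [ "$vu" -le "$(date +%s)" ]; then
        echo "reject: ticket expired" >&2; return 1
    fi
    # 3. the comma-separated tokens field must contain the token this location requires
    case ",$(field "$data" tokens)," in
        *",${required},"*) return 0 ;;
        *) echo "reject: token ${required} not in ticket" >&2; return 1 ;;
    esac
}

# Demo: alice holds tokens 1 and 2, so /dm/p1 is granted and /dm/p3 is denied.
gen_keys
NOW=$(date +%s)
TICKET=$(mint_ticket alice "1,2" $((NOW + 86400)))
verify_ticket "$TICKET" 1 && echo "/dm/p1: granted"
verify_ticket "$TICKET" 3 || echo "/dm/p3: denied"
```

The three checks in verify_ticket are independent, and each one corresponds to one setting on the Apache side: TKTAuthPublicKey and TKTAuthDigest for the signature, the clock for validuntil, and the per-Location TKTAuthToken for the tokens field. Changing any byte of the signed part (for example rewriting uid=alice to uid=bob in the cookie) breaks the signature, which is why the private key must stay on the B-Fabric server only.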