This page provides guidelines for installing the Pubcookie Apache module and IIS ISAPI filter for use at the University of Washington. These guidelines supplement the detailed installation guides available on the pubcookie.org site.
Follow these registration, installation and configuration steps for each new participating server name:
Visit the Weblogin Server Registration service to register a new server name. To do so you must be a recognized owner of the name in UW DNS.
Important: The registered server name should match the name in your website's URL address and SSL certificate (Common Name field).
Once your server name has been successfully registered it will be authorized to obtain an encryption key from the UW Pubcookie keyserver.
Note: Servers already using classic 1.x/2.x versions of Pubcookie, using a classic c_key file obtained via email, do not need to be registered. Registration is only necessary for new server names.
Download the current stable release of the Pubcookie Apache module or ISAPI filter from the downloads page.
Use the platform-specific tips below as your guide through the appropriate Pubcookie Apache Module Installation or ISAPI Filter Installation guide. UW web server administrators new to Pubcookie should review these tips first and then consult the detailed installation guides.
On Windows, the installer's Site Information screen collects your server name and the configuration settings specific to the UW environment:
Enter your registered server name in the Application Server DNS Name field. The name must match the name in your website's URL and in your SSL certificate (Common Name field).
Note: The installer uses your server name to find a matching certificate in the Windows certificate store, then uses that certificate to authenticate to the UW Pubcookie keyserver and obtain an encryption key. To succeed, the certificate must conform to the UW Pubcookie keyserver trust policy, which accepts certificates issued only by Thawte and the UW Services CA.
Note: If you use a UW Services CA certificate on your server, the UW Services CA should be installed among your system's trusted root certificate authorities before running the Pubcookie installer.
Note: If you are installing Pubcookie for the first time for your server name, select "Obtain new key" as the Keyclient Behavior. If you are installing Pubcookie for a server name that already has a key and is running in production, select "Retrieve old key" so as not to generate a new key, which could break your current installation.
Note: Your system clock must be synchronized with the correct date and time in order to use Pubcookie successfully; Pubcookie cookies carry timestamps, so a skewed clock causes otherwise valid cookies to be rejected. On Windows 2003, use the w32tm command to check your clock against time.u.washington.edu:
w32tm /monitor /computers:time.u.washington.edu
Use the net command to synchronize your clock with time.u.washington.edu:
net time /setsntp:time.u.washington.edu
Also check and confirm your domain controllers have the correct time. Incorrect time on your domain controllers can also lead to problems with Pubcookie.
On Unix, your keyclient configuration will look something like this:
# ssl config
ssl_key_file: /etc/httpd/conf/ssl.key/server.key
ssl_cert_file: /etc/httpd/conf/ssl.crt/server.crt
# keyclient-specific config
keymgt_uri: https://weblogin.washington.edu:2222
ssl_ca_file: /etc/httpd/conf/ssl.crt/ca-bundle.crt
Note: Your ssl_cert_file must conform to the UW Pubcookie keyserver trust policy, which accepts certificates issued only by Thawte and the UW Services CA.
Note: The UW Pubcookie keyserver identifies itself with an SSL certificate signed by Thawte, so your ssl_ca_file (or ssl_ca_path) must include Thawte as a trusted CA; otherwise the keyclient cannot verify the keyserver and the key request fails. The ca-bundle.crt file that comes with OpenSSL contains the Thawte root certificate(s). You can also download and use this ca-bundle.crt file.
On Unix, your Apache configuration will include something like this:
PubcookieGrantingCertFile /usr/local/pubcookie/keys/pubcookie_granting.cert
PubcookieSessionKeyFile /etc/httpd/conf/ssl.key/appserver.key
PubcookieSessionCertFile /etc/httpd/conf/ssl.crt/appserver.crt
PubcookieLogin https://weblogin.washington.edu/
PubcookieLoginMethod POST
PubcookieDomain .washington.edu
PubcookieKeyDir /usr/local/pubcookie/keys/
PubcookieAuthTypeNames UWNetID null SecurID
Note: Local convention is to use UWNetID and SecurID as the first and third PubcookieAuthTypeNames values, respectively, corresponding with the UW "weblogin" service's two flavors of login: a basic single sign-on (SSO) flavor requiring UW NetID and password, and a non-SSO flavor requiring UW NetID, password, and SecurID.
Note: The UW "weblogin" service supports all the encryption methods defined by the optional PubcookieEncryption directive. It has been left out in the example above in favor of using the default value (AES).
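The following script is an added example written for this page; it is not part of Pubcookie or of the UW installation guides. It parses a keyclient configuration and the Pubcookie Apache directives in the two formats shown above and flags deviations from the UW conventions described here: the required keyclient keys, an https keymgt_uri pointing at weblogin.washington.edu:2222, an ssl_ca_file or ssl_ca_path setting, the weblogin login URL, POST login method and .washington.edu cookie domain, the "UWNetID null SecurID" ordering of PubcookieAuthTypeNames, and whether the server certificate's issuer satisfies the keyserver trust policy (Thawte or the UW Services CA). The issuer DN substrings it matches for those two CAs, the use of the openssl command-line tool to read the issuer, and the sample configuration text are assumptions constructed for the example.

```python
"""Added pre-flight check for a UW Pubcookie keyclient and Apache setup.

Not part of Pubcookie; written for this page. Parses the two configuration
fragments shown above and reports deviations from the UW conventions.
"""
import re
import subprocess
import sys
from urllib.parse import urlsplit

KEYMGT_URI = "https://weblogin.washington.edu:2222"
LOGIN_URI = "https://weblogin.washington.edu/"
COOKIE_DOMAIN = ".washington.edu"

# Keyserver trust policy from this page: Thawte or the UW Services CA only.
# How those issuers appear in an issuer DN is an assumption; adjust to the DN
# your CA actually emits (see `openssl x509 -noout -issuer`).
APPROVED_ISSUERS = (
    re.compile(r"\bO\s*=\s*thawte\b", re.I),
    re.compile(r"\bCN\s*=\s*UW Services CA\b", re.I),
)

# Constructed sample input, copied from the fragments on this page.
SAMPLE_KEYCLIENT = """\
# ssl config
ssl_key_file: /etc/httpd/conf/ssl.key/server.key
ssl_cert_file: /etc/httpd/conf/ssl.crt/server.crt
# keyclient-specific config
keymgt_uri: https://weblogin.washington.edu:2222
ssl_ca_file: /etc/httpd/conf/ssl.crt/ca-bundle.crt
"""
SAMPLE_APACHE = """\
PubcookieGrantingCertFile /usr/local/pubcookie/keys/pubcookie_granting.cert
PubcookieSessionKeyFile /etc/httpd/conf/ssl.key/appserver.key
PubcookieSessionCertFile /etc/httpd/conf/ssl.crt/appserver.crt
PubcookieLogin https://weblogin.washington.edu/
PubcookieLoginMethod POST
PubcookieDomain .washington.edu
PubcookieKeyDir /usr/local/pubcookie/keys/
PubcookieAuthTypeNames UWNetID null SecurID
"""


def parse_keyclient_config(text):
    """Parse 'key: value' lines; '#' starts a comment, blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first ':' only; URIs keep theirs
        if not sep or not key.strip():
            raise ValueError(f"malformed keyclient line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def check_keyclient_config(cfg):
    """Return a list of problems; an empty list means the config matches the page."""
    problems = [f"missing {k}" for k in ("ssl_key_file", "ssl_cert_file", "keymgt_uri")
                if k not in cfg]
    if "ssl_ca_file" not in cfg and "ssl_ca_path" not in cfg:
        problems.append("set ssl_ca_file or ssl_ca_path; it must contain the Thawte root")
    uri = cfg.get("keymgt_uri")
    if uri is not None:
        if urlsplit(uri).scheme != "https":
            problems.append("keymgt_uri must use https")
        if uri.rstrip("/") != KEYMGT_URI:
            problems.append(f"keymgt_uri should be {KEYMGT_URI}")
    return problems


def issuer_is_approved(issuer_dn):
    """Keyserver trust policy: only Thawte- and UW Services CA-issued certs."""
    return any(p.search(issuer_dn) for p in APPROVED_ISSUERS)


def cert_issuer(cert_path):
    """Read the issuer DN of a PEM cert with the openssl CLI (assumed on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-issuer"],
                         check=True, capture_output=True, text=True).stdout
    return out.partition("=")[2].strip()  # drop the leading 'issuer=' label


def parse_apache_directives(text):
    """Collect Pubcookie* directives as name -> list of arguments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        if name.startswith("Pubcookie"):
            directives[name] = args.split()
    return directives


def check_apache_directives(d):
    """Return a list of deviations from the UW settings shown on this page."""
    def first(name):
        return (d.get(name) or [""])[0]
    problems = [f"missing {k}" for k in ("PubcookieGrantingCertFile", "PubcookieSessionKeyFile",
                                          "PubcookieSessionCertFile", "PubcookieKeyDir")
                if k not in d]
    if first("PubcookieLogin") != LOGIN_URI:
        problems.append(f"PubcookieLogin should be {LOGIN_URI}")
    if first("PubcookieLoginMethod") != "POST":
        problems.append("PubcookieLoginMethod should be POST")
    if first("PubcookieDomain") != COOKIE_DOMAIN:
        problems.append(f"PubcookieDomain should be {COOKIE_DOMAIN}")
    names = d.get("PubcookieAuthTypeNames", [])
    if len(names) < 3 or names[0] != "UWNetID" or names[2] != "SecurID":
        problems.append("PubcookieAuthTypeNames: local convention is 'UWNetID null SecurID'")
    return problems


def main(argv):
    """Usage: preflight.py [keyclient.conf] [pubcookie.conf]; no args checks the samples."""
    kc_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_KEYCLIENT
    ap_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_APACHE
    cfg = parse_keyclient_config(kc_text)
    problems = check_keyclient_config(cfg) + check_apache_directives(parse_apache_directives(ap_text))
    if len(argv) > 1 and "ssl_cert_file" in cfg:  # only read a real cert when given real files
        issuer = cert_issuer(cfg["ssl_cert_file"])
        if not issuer_is_approved(issuer):
            problems.append(f"ssl_cert_file issuer not accepted by the keyserver: {issuer}")
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the real paths to your keyclient config and the Apache file holding the Pubcookie directives before invoking the keyclient; with no arguments it checks the sample fragments from this page and exits 0. The issuer check only tells you whether the certificate was issued by a CA named in the trust policy; the keyserver still has to verify the chain itself, so keep the intermediate certificates the CA supplied alongside your server certificate.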
With the configuration tips above and careful attention to the installation guides on pubcookie.org you should be up and running in no time.
The Pubcookie security model relies on SSL for message confidentiality between Web browser and server and for server authentication between the Pubcookie keyclient and keyserver. SSL certificates should be signed according to the following policies.
SSL Certificate Policy
When enabling browsers to connect to your server using SSL (https), use an SSL certificate signed by (a) a well-known public CA such as Thawte, DST, or VeriSign; or (b) the UW Services CA. The concern here is end-user usability, trust, and support costs: the public CAs have high coverage in most browsers, whereas the UW Services CA does not, so its root must be installed on users' machines for them to connect without certificate warnings.
Keyserver Trust Policy: Approved Certificate Authorities
When requesting a symmetric encryption key from the UW Pubcookie keyserver, use an SSL certificate signed by Thawte or the UW Services CA.
Trust is the primary concern for the keyserver. Just because some other CA has good browser coverage doesn't mean it has transparent and rigorous proof-of-ownership processes. We have to be conservative about trusting new CAs. That said, please let us know if we should consider approving another CA for use with the UW Pubcookie keyserver.