Web Security, Restricted Access, and Bluestem

Running Your Own Bluestem Server

Why Run Your Own Bluestem Server?

Tigger and icarus already provide bluestem for protecting files, and for personal CGI scripts. However, you may have data that requires extra-special protection (e.g. financial or medical), or you may want to run a web application (e.g. database) or write in a language for which tigger is not adequate.

In such a case, if you are capable of running your own web server (i.e. physically secure room, maintain security patches, manage user accounts, run backups, install and troubleshoot software, keep and inspect logs), you can make your web server into a bluestem application server. This will allow your web scripts to authenticate users, using their normal bluestem netid and password, in a very secure manner.

Requirements

  • You must run an SSL-capable web server. Apache and IIS are fine. And, of course, the web server must be configured to run CGI scripts.
  • You must obtain an SSL certificate from a vendor such as Verisign or Thawte. ACCC has a program to purchase certs if you need one for your server.
  • You must install perl.
  • You must maintain a correct clock setting on your server. Use something like NTP, so that your server and the ACCC bluestem ID servers do not have any significant clock skew.
  • It should go without saying, you must be able to maintain your server, providing all the functions that a good sysadmin would provide.

Must My Scripts be Perl?

What?? You don't like perl? I do, but if you can't stand it, don't worry. You have to run perl, but you don't have to write it. You can make bluestem calls from ASP, using the little bluestem protocol. And if needed, you can probably adapt this to other languages as well.

Security Consideration

One of the main features of Bluestem is that the user's password is never sent to the application server, not even encrypted or used as an encryption key. So it's not possible for a rogue application server to compromise a user's password.

However, all bluestem applications on a given server need write access to the internal bluestem cache. Suppose you have two developers writing web scripts (with or without bluestem) for your server. Each of them has access to the bluestem cache, because their scripts run with the identity of the web server. This means that Developer A can poison the bluestem cache, and therefore can impersonate Person X to any bluestem application on your server. He can't affect bluestem applications on other servers like tigger, but he can certainly affect all applications on your server.

Moral of Story: don't let just anyone write CGI scripts on your server.

You may wonder how we allow normal users on tigger or icarus to use bluestem with their own CGI safely. The answer is that we insist on using a modified version of Cgiwrap. Cgiwrap launches as root, runs the bluestem code, puts the authenticated netid into the environment, then changes uid to the user and exec's the user's script. The point is, by the time the user's code runs, it no longer has read or write access to the bluestem cache, so all is well.

Installation

See Detailed Installation Instructions at UIUC. In brief, the steps are:

  1. Set up your web server, and get a certificate. The cert will have to specify a machine name, and run on that machine. Consider getting a special DNS CNAME for this purpose, so you can later move your bluestem server and cert to a different machine without hassle.
  2. Contact bluestem@uic.edu to indicate your interest, and get a copy of the bluestem perl library.
  3. Also, we'll need to know who your bluestem administrators will be, what OS you are using, and the machine name. This is necessary for us to configure the bluestem ID servers to accept communication from your application server.
  4. Unzip or untar the library as appropriate. Adjust the configuration file to suit your local needs. Some of the entries (at the top) are for your machine, and determine what OS you have, what directories you use for scripts, logs, etc. Modify them accordingly. Other entries (at the bottom) are for UIC use; leave them alone.
  5. Run the install script.
  6. Contact UIC Bluestem key generator to generate a server key. Copy this key back to your server. NOTE: Use the local key generator, not the one at UIUC.
  7. Test it. Everything will work perfectly. Or not, but at least we can fix it.

Running Bluestem'ed Scripts

Just look at the test1.cgi script that comes with the bluestem library for an example. The basic idea is:

## get the library
require 'bluestem.pl';
...

## check for bluestem ID (netid, idle time, session age)
($ID, $IdleTime, $SessionTime) = bluestem_id();

## If no ID, force login
bluestem_login() unless $ID;

## If ID is too old, force login ($IdleMax and $Client are set by your script)
if ($IdleTime > $IdleMax) {
    bluestem_login('', "$Client idle more than $IdleMax seconds.");
}

## ID is known.  Carry on.
...

Note: Bluestem provides an authenticated netid. Period. It does not tell you if the person is staff or student, it does not tell you what department they are in, it does not tell you what privileges they have. Just the netid. It is up to your script to decide what privileges to allow the person, based on the netid.

Alternative Ways to Run Bluestem

Bluestem is ultimately a protocol, and can be run in different ways. Some possibilities:

  • Make calls to the perl library directly from a perl CGI script.
  • Use Cgiwrap (on tigger or icarus) and therefore have some other CGI script make the calls.
  • Run bluestem before cgi scripts run. I made a mod_bluestem for apache, for example. In this case, apache can be made to invoke bluestem based on a url or directory. Consider using mod_bluestem from UIUC if you like this idea.
  • Use the little bluestem protocol, and run from other languages such as VB/ASP.

What, exactly, is a Bluestem ID?

A Bluestem ID has three parts, and can look like this:

adabyron@uic.edu/tacacs

Part         Value      Default     Meaning
Netid        bobg       no default  Which person, within a given domain and authmethod
Domain       @uic.edu   @uic.edu    Which Bluestem ID server to contact
Authmethod   tacacs     tacacs      What method is used to verify the password

The Bluestem ID usually has the defaults removed, so the above would simply be: adabyron. Note that the following could all represent different people:

  • adabyron
  • adabyron@uiuc.edu
  • adabyron/kerberos
  • adabyron@uis.edu/tacacs
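The three-part ID described here, together with the Note under Running Bluestem'ed Scripts that the script itself must decide privileges from the netid, as an added example (not code from the bluestem library; the DefaultDomain/DefaultAuth values and the allowlist are constructed):

```perl
#!/usr/bin/perl
# Added example, not code from the bluestem library: split a Bluestem ID
# into netid / domain / authmethod and authorize by the full canonical ID.
use strict;
use warnings;

# Defaults as described on this page; assumed to match DefaultDomain and
# DefaultAuth in your config file.
my $DefaultDomain = 'uic.edu';
my $DefaultAuth   = 'tacacs';

# Parse "netid[@domain][/authmethod]", filling in the defaults for the
# parts that were stripped. Returns undef for anything else.
sub parse_bluestem_id {
    my ($id) = @_;
    return unless defined $id
        && $id =~ m{^([^\@/]+)(?:\@([^\@/]+))?(?:/([^\@/]+))?$};
    return +{ netid  => $1,
              domain => defined $2 ? $2 : $DefaultDomain,
              auth   => defined $3 ? $3 : $DefaultAuth };
}

# Canonical form with every part spelled out, e.g. adabyron@uic.edu/tacacs
sub canonical_id {
    my $p = parse_bluestem_id(shift) or return;
    return "$p->{netid}\@$p->{domain}/$p->{auth}";
}

# Bluestem only vouches for the ID; privileges are the script's decision.
# Constructed allowlist, keyed by canonical ID so that the same netid under
# another domain or authmethod is treated as a different person.
my %allowed;
$allowed{ canonical_id($_) } = 1 for qw(adabyron adabyron@uiuc.edu);

sub is_allowed {
    my $c = canonical_id(shift) or return 0;
    return $allowed{$c} ? 1 : 0;
}

# Constructed inputs, standing in for the $ID returned by bluestem_id().
for my $id (qw(adabyron adabyron@uic.edu/tacacs adabyron@uiuc.edu
               adabyron/kerberos adabyron@uis.edu/tacacs)) {
    printf "%-26s -> %-26s %s\n", $id, canonical_id($id),
        is_allowed($id) ? 'allowed' : 'denied';
}
```

Of the five constructed IDs, only the first three resolve to an allowlisted canonical ID; adabyron/kerberos and adabyron@uis.edu/tacacs are denied.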

Troubleshooting

  • Check your log file.
  • Do non-bluestem CGI scripts run ok on your server? Do they run correctly from the Bluestem CGI directory? If this doesn't work, nothing else will.
  • Your webserver runs as some identity. (On unix, this is often the nobody account.) Make sure this user has write access to the bluestem cache and to the bluestem log file. And be sure that only trusted accounts have read or write access to this cache.
  • Check your system clock. If you are out of sync with the bluestem ID servers, bluestem can't properly calculate cache ages. If the clocks are skewed by 5 minutes, bluestem will fail. Use NTP to keep this adjusted.
  • You did check your log file, didn't you?
  • If you still need assistance, send:
    • Name of your server
    • Description of the problem, including a url where we can verify the problem
    • Small relevant selection from the log file (Just cut-and-paste a few lines, don't attach the whole thing.)
    to bluestem@uic.edu

Example Config File

# Bluestem Application Server Installation Configuration
#
#  format: <symbol><singlewhitespace><value>\n 
#

# --- OS Platform
#
#   Supported values - aix3, aix4, bsdi2, bsdi3, digital4, hpux9, hpux10,
#                      linux, solaris2, sunos4
#
Platform aix4

# --- directory for Bluestem CGI files
#
BluestemCGI /usr/local/apache/cgi-ssl/bluestem

# --- URL Prefix for Bluestem CGI files
#
BluestemPfx /htbin/bluestem

# --- directory for Bluestem utilities, configuration files, cache, master key
#
BluestemLib /usr/local/lib/bluestem

# --- Directory for Bluestem log files
#
LogDir /var/log/httpd

# --- directory for Bluestem 'require' files
#
PerlLib /usr/local/lib/perl5/site_perl/5.6.0

# --- path to Perl on system
#
Perl /usr/local/bin/perl

# --- HTTP Server User and Group
#
User nobody
Group nobody

# --- Netscape Client Redirect Flag
#
#     D: Direct via HTTP Location Header
#     I: Indirect via intermediate screen
#
#     Choose 'I' if Netscape clients generate a bogus 'Security
#     warning' popup when redirected to the campus server for login
NetscapeRedirect I

#====================================================
#   ID Server Parameters -- should only be
#   changed by the ID server manager  
#====================================================
AlertEmail www\@uic.edu
HomePage http://www.uic.edu/
Title UIC WWW Identification Service
DefaultDomain uic.edu
DefaultAuth tacacs
AuthMethods tacacs,pwf,ntlm
AuthMethodsDNS tacacs,pwf,ntlm
TermServerRE
PathSHA1 /usr/local/bin/sha1
PathVmstat /bin/vmstat
PathTacacs /usr/local/lib/tacacs
PathRdist /bin/rdist
BluestemImg1 <img src=https://ness.uic.edu/uic-icons/UIbar.gif border=none width=468 height=20>
BluestemImg2 <img src=https://ness.uic.edu/uic-icons/UIthinbar.gif width=468 height=6>
BgColors BGcolor="#ffffff" TEXT="#000000" VLINK="#cc6633" ALINK="#ff6633"
NetIDURL http://www.uic.edu/depts/accc/accts/netids.html
UnsupportedRE AOL-IWENG|MSIE 2
NetscapeURL ftp://uiarchive.uiuc.edu/pub/www/netscape/communicator/4.06/shipping/english/
ExplorerURL http://www.microsoft.com/ie/download/
IconDirURL https://www-s.uiuc.edu/ns-icons
CookieSep ~
NTLMDaemon www2.hospital.uic.edu:7884
#
ClusterId ness.uic.edu:443:444
BluestemIDPfx /htbin/bluestem
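As an added example (not part of the bluestem distribution), a check script that reads a config file in the "<symbol><singlewhitespace><value>" format above and applies the Troubleshooting rule that the web server User must be able to write BluestemLib and LogDir while other accounts cannot reach them; the config path and the primary-group-only test are assumptions:

```perl
#!/usr/bin/perl
# Added example, not part of the bluestem distribution: read a config file in
# the "<symbol><singlewhitespace><value>" format and check that the web server
# User can write BluestemLib and LogDir while other accounts cannot get at
# them (the cache poisoning case from Security Consideration).
use strict;
use warnings;

sub parse_bluestem_config {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;            # comment or blank line
        my ($sym, $val) = split /\s/, $line, 2;  # one whitespace separator
        $cfg{$sym} = defined $val ? $val : '';   # e.g. TermServerRE is empty
    }
    close $fh;
    return \%cfg;
}

# Returns a list of problems; an empty list means the directory looks right.
# Only the user's primary group is considered (an assumption of this example).
sub check_dir_access {
    my ($dir, $user) = @_;
    my @st = stat $dir or return ("$dir: $!");
    my ($mode, $uid, $gid) = @st[2, 4, 5];
    my ($wuid, $wgid) = (getpwnam $user)[2, 3];
    return ("$dir: unknown user $user") unless defined $wuid;
    my @problems;
    my $writable = $uid == $wuid ? $mode & 0200
                 : $gid == $wgid ? $mode & 0020
                 :                 $mode & 0002;
    push @problems, "$dir: not writable by $user" unless $writable;
    # Any account that can read or write the cache can impersonate users
    # to every bluestem application on this server.
    push @problems, sprintf("%s: mode %04o is accessible to everyone", $dir, $mode & 07777)
        if $mode & 0007;
    return @problems;
}

my $cfg = parse_bluestem_config($ARGV[0] || 'bluestem.conf');   # path assumed
for my $key (qw(BluestemLib LogDir)) {
    my @problems = check_dir_access($cfg->{$key}, $cfg->{User});
    print(@problems ? join("\n", @problems) . "\n" : "$key $cfg->{$key}: ok\n");
}
```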

More Info

If you need more details, the bluestem protocol and details about installation are described at UIUC. (But do note that UIC has some differences, particularly that the key generation url is at UIC.) Don't contact UIUC directly about bluestem. Questions at UIC should go to bluestem@uic.edu



2008-1-28  wwwtech@uic.edu