SubversionOverHttps: Difference between revisions

From Cheaha
(Started page, instrs for getting cert and configuring svn client)
 
(→‎Download UABgrid CA certificate: Remove sub-menu target on CA URL)
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
You need to configure subversion client to use UABgrid CA certificate and your user certificate to access repository. Following are steps to download certificates and configure subversion client.  
Following instructions document how to configure subversion client to use HTTPS/SSL for accessing UABgrid repository. The setup has been tested on Linux CentOS 5.4 and Tortoise SVN with Windows XP. The setup may not work with Max OS-X 10.6.  


== Download certificates ==  
== Download certificates ==  
=== Download user certificate ===  
=== Download user certificate ===  
*  Log in to [https://ca.uabgrid.uab.edu/user/ UABgrid Certificate Authority ]  
*  Log in to [https://ca.uabgrid.uab.edu/user/ UABgrid Certificate Authority ] (PHPki)
* Request UABgrid certificate from Certificate Management Menu.  
* Request UABgrid certificate from Certificate Management Menu. After completing certificate request you will be prompted to download the certificate, but ignore this prompt as you will need the certificate in different format to use with SVN client.  
* Download certificate in 'Cert+Key PKCS12' format and save it in safe location (home directory) on your system. This certificate is referred as usercert.pfx in rest of this documentation.  
* Now go back to Certificate Management Menu and click on download link for 'Cert+Key PKCS12' file format.  The download link will prompt you for a passphrase to protect your private key. For security reasons, you should use a a strong passphrase to protect private key in this file. Please remember this passphrase as you will need to enter it for interacting with SVN repository.
* Save this PKCS12 file in a safe location (home directory) on your system. This certificate is referred as usercert.pfx in rest of this documentation.


=== Download UABgrid CA certificate ===
=== Download UABgrid CA certificate ===
* Visit [http://uabgrid.uab.edu/UABgridCA UABgrid CA] page to download UABgrid root CA certificate. Right-click on 'FireFox, Konqueror, and similar browsers (PEM format)' link and select 'Save as..' option to save certificate on your system. This certificate is referred as cacert.pem.  
* Visit [https://ca.uabgrid.uab.edu/user UABgrid CA] page to download UABgrid root CA certificate. Right-click on 'FireFox, Konqueror, and similar browsers (PEM format)' link and select 'Save as..' option to save certificate on your system. This certificate is referred as cacert.pem. Firefox may save this file as 'cacert.pem.xhtml', so you may need to use filename as cacert.pem.xhtml. IE saves this certificate as 'cacert.cer'.


== Configure SVN client to use certificates ==
== Configure SVN client to use certificates ==
=== Edit SVN servers file ===  
=== Edit SVN servers file ===  
* Now you will need to configure Subversion client to use certificates for repository access. Edit 'C:\Documents and Settings\Administrator\Application Data\Subversion' file on Windows XP and edit '~/.subversion/servers' file on Linux. We will be adding a group for uabgrid repositories with usercert.pfx to establish user identify and also trust UABgrid CA by adding cacert.pem in this file.  
* Now you will need to configure Subversion client to use certificates for repository access. This configuration is added in servers file.
* On Windows XP with Tortoise SVN this file is
<pre>
C:\Documents and Settings\<Username>\Application Data\Subversion\servers
</pre>
and on Linux this file is
<pre>
~/.subversion/servers
</pre>
We will add a group for uabgrid repositories with usercert.pfx to establish user identity and also add cacert.pem to trust UABgrid CA.  
* Add usercert.pfx entry:   
* Add usercert.pfx entry:   
<pre>  
<pre>  
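Review bot: The revised bullet "Save this PKCS12 file in a safe location (home directory)" leaves "safe location" undefined even though the file holds the private key; state that the file should be readable only by its owner (for example mode 600 on Linux). The new intro reads "Max OS-X 10.6" and the passphrase bullet has "a a strong passphrase"; both are typos. Where the CA bullet says Firefox may save the download as 'cacert.pem.xhtml', also tell readers how to confirm that the saved file is the PEM certificate before pointing Subversion at it.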
Line 33: Line 43:
[global]  
[global]  
ssl-authority-files = /path/to/certificate/cacert.pem  
ssl-authority-files = /path/to/certificate/cacert.pem  
</pre>
For certificate downloaded in IE, add cacert.cer entry to 'global' section. This is typically last section in the file:
<pre>
[global]
ssl-authority-files = /path/to/certificate/cacert.cer
</pre>
</pre>


* Additionally you may have following configuration parameters available depending on your Subversion client. This includes whether you want to store your passphrase. You may want disable storing your passphrase.  Here is a link to [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts  SSL certificate management topic in SVN book].  
* Additionally you may have following configuration parameters available depending on your Subversion client. This includes whether you want to store your passphrase. You may want disable storing your passphrase.  Here is a link to [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts  SSL certificate management topic in SVN book].  
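Review bot: The added IE block introduces a second '[global]' header with its own 'ssl-authority-files' line directly after the cacert.pem one, so a reader who pastes both blocks defines the section and the key twice. Present the two as alternatives inside a single '[global]' example, and mention that 'ssl-authority-files' takes a semicolon-separated list if both files are needed. The sentence "This is typically last section in the file" is repeated from the bullet above and can be dropped from the IE paragraph.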
Line 42: Line 58:
# store-ssl-client-cert-pp = no
# store-ssl-client-cert-pp = no
# store-ssl-client-cert-pp-plaintext = no
# store-ssl-client-cert-pp-plaintext = no
</pre>  
</pre>
 


=== Test your setup ===   
=== Test your setup ===   
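Review bot: The 'store-ssl-client-cert-pp = no' and 'store-ssl-client-cert-pp-plaintext = no' lines in this hunk still carry a leading '#', so a reader who copies the block disables nothing. Since the bullet above recommends not storing the passphrase, either show these lines uncommented or state that the '#' must be removed, and say which section of the servers file they belong in.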

Latest revision as of 17:16, 13 February 2012

The following instructions describe how to configure the Subversion client to use HTTPS/SSL for accessing the UABgrid repository. The setup has been tested on Linux CentOS 5.4 and on Tortoise SVN with Windows XP. The setup may not work with Mac OS X 10.6.

Download certificates

Download user certificate

  • Log in to the UABgrid Certificate Authority (PHPki).
  • Request a UABgrid certificate from the Certificate Management Menu. After completing the certificate request you will be prompted to download the certificate; ignore this prompt, because you need the certificate in a different format for use with the SVN client.
  • Go back to the Certificate Management Menu and click the download link for the 'Cert+Key PKCS12' file format. The download link will prompt you for a passphrase to protect your private key. For security reasons, use a strong passphrase to protect the private key in this file. Remember this passphrase, as you will need to enter it when interacting with the SVN repository.
  • Save this PKCS12 file in a safe location (home directory) on your system. This certificate is referred to as usercert.pfx in the rest of this documentation.

Download UABgrid CA certificate

  • Visit the UABgrid CA page to download the UABgrid root CA certificate. Right-click on the 'FireFox, Konqueror, and similar browsers (PEM format)' link and select the 'Save as..' option to save the certificate on your system. This certificate is referred to as cacert.pem. Firefox may save this file as 'cacert.pem.xhtml', in which case use cacert.pem.xhtml as the filename. IE saves this certificate as 'cacert.cer'.

Configure SVN client to use certificates

Edit SVN servers file

  • Next, configure the Subversion client to use the certificates for repository access. This configuration goes in the servers file.
  • On Windows XP with Tortoise SVN this file is
C:\Documents and Settings\<Username>\Application Data\Subversion\servers 

and on Linux this file is

~/.subversion/servers

We will add a group for UABgrid repositories that uses usercert.pfx to establish user identity, and add cacert.pem so that the client trusts the UABgrid CA.

  • Add usercert.pfx entry:
 
### In the 'groups' section, the URL of the repository you're
### trying to access is matched against the patterns on the right.
### If a match is found, the server options are taken from the
### section with the corresponding name on the left.

[groups]
uabgrid = *.uabgrid.uab.edu 
# othergroup = repository.blarggitywhoomph.com
# thirdgroup = *.example.com

[uabgrid]
ssl-client-cert-file = /path/to/certificate/usercert.pfx 

  • Add the cacert.pem entry to the 'global' section. This is typically the last section in the file:
 
[global] 
ssl-authority-files = /path/to/certificate/cacert.pem 

For a certificate downloaded in IE, add the cacert.cer entry to the 'global' section instead. This is typically the last section in the file:

 
[global] 
ssl-authority-files = /path/to/certificate/cacert.cer 


  • Additionally, the following configuration parameters may be available depending on your Subversion client. They control, among other things, whether your passphrase is stored. You may want to disable storing your passphrase. The lines below are shown commented out; remove the leading '#' for a setting to take effect. See the SSL certificate management topic in the SVN book.
# Password / passphrase caching parameters:
# store-passwords = no
# store-plaintext-passwords = no
# store-ssl-client-cert-pp = no
# store-ssl-client-cert-pp-plaintext = no

Test your setup

  • Test your setup by listing remote repository contents.
 
svn list https://<repository-url>
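
Before running the test above, the servers file can be checked against the settings this page describes. The following is an added example, not part of the original page or of Subversion: the function names, the host repo.uabgrid.uab.edu and the placeholder files are constructed for illustration, and the permission check assumes POSIX mode bits.

```python
import configparser, fnmatch, os, pathlib, stat, tempfile

FALSE = {"no", "false", "off", "0"}  # values Subversion reads as boolean false

def effective_options(servers_path, host):
    """[global] options, overridden by the first [groups] entry whose glob matches host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read(servers_path)
    opts = dict(cp["global"]) if cp.has_section("global") else {}
    groups = cp["groups"] if cp.has_section("groups") else {}
    for name, globs in groups.items():
        if cp.has_section(name) and any(
                fnmatch.fnmatch(host, g.strip()) for g in globs.split(",")):
            opts.update(cp[name])
            break
    return opts

def audit(servers_path, host):
    """Return a list of findings for the options this page configures."""
    opts, findings = effective_options(servers_path, host), []
    cert = opts.get("ssl-client-cert-file")
    if not cert:
        findings.append("no ssl-client-cert-file applies to this host")
    elif os.path.exists(cert) and stat.S_IMODE(os.stat(cert).st_mode) & 0o077:
        findings.append("client certificate file is readable by group or others")
    for ca in filter(None, (p.strip() for p in opts.get("ssl-authority-files", "").split(";"))):
        p = pathlib.Path(ca)
        if not p.is_file() or b"-----BEGIN CERTIFICATE-----" not in p.read_bytes():
            findings.append(f"{p.name}: missing or holds no PEM certificate block")
    for key in ("store-ssl-client-cert-pp", "store-ssl-client-cert-pp-plaintext"):
        if opts.get(key, "yes").lower() not in FALSE:  # commented-out lines count as unset
            findings.append(f"{key} is not disabled")
    return findings

def demo(harden=False):
    """Constructed sample: placeholder files in a temp dir, laid out as on this page."""
    d = pathlib.Path(tempfile.mkdtemp())
    pfx, ca, servers = d / "usercert.pfx", d / "cacert.pem.xhtml", d / "servers"
    pfx.touch()
    pfx.chmod(0o600 if harden else 0o644)
    # Unhardened case: an HTML page was saved in place of the certificate.
    ca.write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
                  if harden else "<html>constructed placeholder</html>")
    pp = ("store-ssl-client-cert-pp = no\nstore-ssl-client-cert-pp-plaintext = no\n"
          if harden else "# store-ssl-client-cert-pp = no\n")
    servers.write_text(f"[groups]\nuabgrid = *.uabgrid.uab.edu\n\n[uabgrid]\n"
                       f"ssl-client-cert-file = {pfx}\n\n[global]\nssl-authority-files = {ca}\n{pp}")
    return audit(servers, "repo.uabgrid.uab.edu")  # constructed host matching the group
```

Call audit() with the path to your own servers file and the repository host name; an empty list means none of the four conditions was found.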