SubversionOverHttps

From UABgrid Documentation
Revision as of 09:38, 13 February 2012 by Curtish@uab.edu (Talk | contribs)

Jump to: navigation, search

Following instructions document how to configure subversion client to use HTTPS/SSL for accessing UABgrid repository. The setup has been tested on Linux CentOS 5.4 and Tortoise SVN with Windows XP. The setup may not work with Max OS-X 10.6.

Contents

Download certificates

Download user certificate

  • Log in to UABgrid Certificate Authority (PHPki)
  • Request UABgrid certificate from Certificate Management Menu. After completing certificate request you will be prompted to download the certificate, but ignore this prompt as you will need the certificate in different format to use with SVN client.
  • Now go back to Certificate Management Menu and click on download link for 'Cert+Key PKCS12' file format. The download link will prompt you for a passphrase to protect your private key. For security reasons, you should use a a strong passphrase to protect private key in this file. Please remember this passphrase as you will need to enter it for interacting with SVN repository.
  • Save this PKCS12 file in a safe location (home directory) on your system. This certificate is referred as usercert.pfx in rest of this documentation.

Download UABgrid CA certificate

  • Visit UABgrid CA page to download UABgrid root CA certificate. Right-click on 'FireFox, Konqueror, and similar browsers (PEM format)' link and select 'Save as..' option to save certificate on your system. This certificate is referred as cacert.pem. Firefox may save this file as 'cacert.pem.xhtml', so you may need to use filename as cacert.pem.xhtml. IE saves this certificate as 'cacert.cer'.

Configure SVN client to use certificates

Edit SVN servers file

  • Now you will need to configure Subversion client to use certificates for repository access. This configuration is added in servers file.
  • On Windows XP with Tortoise SVN this file is
C:\Documents and Settings\<Username>\Application Data\Subversion\servers 

and on Linux this file is

~/.subversion/servers

We will add a group for uabgrid repositories with usercert.pfx to establish user identity and also add cacert.pem to trust UABgrid CA.

  • Add usercert.pfx entry:
 
### In the 'groups' section, the URL of the repository you're
### trying to access is matched against the patterns on the right.
### If a match is found, the server options are taken from the
### section with the corresponding name on the left.

[groups]
uabgrid = *.uabgrid.uab.edu 
# othergroup = repository.blarggitywhoomph.com
# thirdgroup = *.example.com

[uabgrid]
ssl-client-cert-file = /path/to/certificate/usercert.pfx 

  • Add cacert.pem entry to 'global' section. This is typically last section in the file:
 
[global] 
ssl-authority-files = /path/to/certificate/cacert.pem 

For certificate downloaded in IE, add cacert.cer entry to 'global' section. This is typically last section in the file:

 
[global] 
ssl-authority-files = /path/to/certificate/cacert.cer 


  • Additionally you may have following configuration parameters available depending on your Subversion client. This includes whether you want to store your passphrase. You may want disable storing your passphrase. Here is a link to SSL certificate management topic in SVN book.
# Password / passphrase caching parameters:
# store-passwords = no
# store-plaintext-passwords = no
# store-ssl-client-cert-pp = no
# store-ssl-client-cert-pp-plaintext = no

Test your setup

  • Test your setup by listing remote repository contents.
 
svn list https://repository-url> 
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox