The Dice Project

The Informatics Cosign Service

This page gives a brief overall description of the cosign service running in Informatics.

We currently run two cosign servers - on kaplan and hubley - using the hostname weblogin.inf.ed.ac.uk. We use service level IP addresses for both these machines with the corresponding names weblogin3.inf.ed.ac.uk and weblogin4.inf.ed.ac.uk. Our DNS is configured so that there are two A records for weblogin.inf.ed.ac.uk - pointing to the IP addresses of weblogin3 and weblogin4.

The cosign servers are configured using the <dice/options/cosign-server.h> header file. This file, and the others that it includes, contain a lot of useful documentation on the configuration of the service. Notably, the cosign service uses the apacheconf component to configure its web server. For more information on the cosign and apacheconf components, see their respective man pages.

The two cosign servers are set up to replicate cookies and cookie data between themselves. This provides load balancing and failover of the service, should one server become unavailable. Cosign clients will try each server in turn.

For details of how cosign works, consult the cosignd(8), monster(8) and cosign.conf(5) man pages. Also, the cosign web pages have more detailed information on the protocol used by cosign.

Informatics have added SPNEGO support to cosign. This means that compatible browsers (currently Firefox and Chrome, on all platforms) will use SPNEGO to authenticate users to the backend, with their existing kerberos credentials and without prompting the user for username/password. Safari does support SPNEGO, but unfortunately doesn't support ticket delegation. This means SPNEGO on Safari cannot be enabled as some sites require delegation in order to function correctly.

One important thing to note here is that the cosign.httpd_keytab resource (used to authenticate incoming HTTP-Negotiate (SPNEGO) requests) currently points to a keytab file (/etc/httpd-constructed.keytab) which has to be manually constructed so that it contains the following keys:

... where X and Y are replaced by the corresponding digits for the addresses currently used by the weblogin.inf.ed.ac.uk DNS record (currently weblogin3.inf.ed.ac.uk and weblogin4.inf.ed.ac.uk). Note that the keytab file will contain more than one key for each principal (one for each supported encryption type). It may also contain principals for other webloginZ keys. All of these keys have to be generated and extracted manually using either kdcregister or directly using ktadd within kadmin. ktutil can be used to combine the keys in one keytab. By far the easiest approach, if possible, is to copy it from another cosign server.
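The keytab step above is the one piece of this service that is assembled by hand, so it is worth having a repeatable check that the combined file actually holds every principal with more than one encryption type. The following shell snippet is an added example, not part of this page or of the Informatics cosign configuration: it emits the MIT ktutil batch (`rkt`/`wkt`) that merges per-principal keytabs into /etc/httpd-constructed.keytab, and parses `klist -kte` output to report required principals that are missing. The principal names, the realm `EXAMPLE.REALM` and the input keytab file names are placeholders; the sample `klist` output is constructed for illustration and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the page): assemble and verify a combined HTTP keytab.
# Principal names, realm and per-host keytab paths are placeholders.

# Constructed sample of `klist -kte` output. Two enctypes per principal, and
# the weblogin4 principal deliberately absent, to show what the check reports.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd-constructed.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 00:00:00 HTTP/weblogin.inf.ed.ac.uk@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   3 01/01/70 00:00:00 HTTP/weblogin.inf.ed.ac.uk@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)
   2 01/01/70 00:00:00 HTTP/weblogin3.inf.ed.ac.uk@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   2 01/01/70 00:00:00 HTTP/weblogin3.inf.ed.ac.uk@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)'

# ktutil_merge_script OUT KEYTAB...
# Prints a ktutil command batch that reads each input keytab into memory and
# writes the union to OUT. Feed it to ktutil on stdin:
#   ktutil_merge_script /etc/httpd-constructed.keytab a.keytab b.keytab | ktutil
ktutil_merge_script() {
    out=$1; shift
    for kt in "$@"; do
        printf 'rkt %s\n' "$kt"
    done
    printf 'wkt %s\nquit\n' "$out"
}

# missing_principals KLIST_OUTPUT PRINCIPAL...
# Prints, one per line, every required principal that never appears in the
# klist listing. Each principal is followed by " (enctype)" in klist output,
# so a fixed-string match bounded by spaces avoids prefix matches
# (weblogin vs weblogin3).
missing_principals() {
    klist_out=$1; shift
    for p in "$@"; do
        printf '%s\n' "$klist_out" | grep -qF " $p " || printf '%s\n' "$p"
    done
}

# enctype_count KLIST_OUTPUT PRINCIPAL
# Number of distinct encryption types present for PRINCIPAL; the page notes
# that a correctly built keytab carries one key per supported enctype.
enctype_count() {
    printf '%s\n' "$1" | grep -F " $2 " | sed 's/.*(\(.*\))$/\1/' | sort -u | wc -l | tr -d ' '
}

# check_keytab KEYTAB PRINCIPAL...
# Live check against a real file: runs klist and reports missing principals.
# Returns 0 when complete, 1 when something is missing, 2 if klist fails.
check_keytab() {
    keytab=$1; shift
    out=$(klist -kte "$keytab") || return 2
    missing=$(missing_principals "$out" "$@")
    if [ -n "$missing" ]; then
        printf 'missing from %s:\n%s\n' "$keytab" "$missing"
        return 1
    fi
}
```

On a cosign server the live form would be `check_keytab /etc/httpd-constructed.keytab HTTP/weblogin.inf.ed.ac.uk@REALM HTTP/weblogin3.inf.ed.ac.uk@REALM HTTP/weblogin4.inf.ed.ac.uk@REALM`, with the realm and principal list substituted for the ones the service actually uses; run against the sample listing above, `missing_principals` reports only the weblogin4 principal and `enctype_count` returns 2 for the bare weblogin name.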

For information on configuring clients to use SPNEGO, please see Cosign SPNEGO.

A page on configuring cosign clients (i.e. web servers using cosign-protection) is here.


Unless explicitly stated otherwise, all material is copyright The University of Edinburgh