Adding Trust for InCommon Certificates to an Existing Cosign Installation

In August 2017, the Cosign back-end service will switch from a certificate signed by UMWebCA to an InCommon certificate that uses the AddTrust Certificate Authority. InCommon certificates are free for the university and are commonly used on U-M websites.

To facilitate this change, webmasters of any U-M websites that use Cosign need to update their configurations to accept InCommon certificates, in addition to the UMWebCA certificate. Your Cosign setup may already trust InCommon certificates.

Refer to the following to either verify your websites already trust InCommon or to add the InCommon certificates. You can apply the changes at any time. Testing facilities will be available in July 2017.


Apache on Linux

Locate the CosignCrypto directive in your Apache configuration files:

CosignCrypto <SSLCertificateKeyFile> <SSLCertificateFile> <CA bundle>

Note: Although not required, we strongly recommend blocking JavaScript access to the Cosign cookie by adding this to your configuration:

CosignHttpOnlyCookies On

The CA bundle may be either a directory or a file, and the instructions below will vary accordingly.

CA path is a directory (recent Linux versions)

OpenSSL 1.0.0 uses a hash of 5cc1e784 for the umwebCA, so your CA path will contain, at a minimum, these two files:

lrwxrwxrwx. 1 root root 11 Apr 19 2016 5cc1e784.0 -> umwebCA.pem
-rw-r--r--. 1 root root 1334 Apr 19 2016 umwebCA.pem

Your server may already have the AddTrust External CA Root certificate. If not, download it into the CA path and create a link to it:

lrwxrwxrwx. 1 root root 26 Apr 19 2016 157753a5.0 -> AddTrustExternalCARoot.pem
lrwxrwxrwx. 1 root root 11 Apr 19 2016 5cc1e784.0 -> umwebCA.pem
-rw-r--r--. 1 root root 1521 Apr 19 2016 AddTrustExternalCARoot.pem
-rw-r--r--. 1 root root 1334 Apr 19 2016 umwebCA.pem

You will still need the umwebCA for the remainder of 2017.

CA path is a directory (RHEL5 era)

OpenSSL 0.9.8 uses a hash of 4700e8dd for the umwebCA, so your CA path will contain, at a minimum, these two files:

lrwxrwxrwx 1 root root 11 Apr 24 2013 4700e8dd.0 -> umwebCA.pem
-rw-r--r-- 1 root root 1334 Mar 27 2013 umwebCA.pem

Your server may already have the AddTrust External CA Root certificate. If not, download it into the CA path and create a link to it:

lrwxrwxrwx 1 root root 26 Apr 24 2013 3c58f906.0 -> AddTrustExternalCARoot.pem
lrwxrwxrwx 1 root root 11 Apr 24 2013 4700e8dd.0 -> umwebCA.pem
-rw-r--r-- 1 root root 1522 Mar 27 2013 AddTrustExternalCARoot.pem
-rw-r--r-- 1 root root 1334 Mar 27 2013 umwebCA.pem

You will still need the umwebCA for the remainder of 2017.

CA path is a file

The CA file is simply one or more PEM certificate files concatenated together. If AddTrust External CA Root is not already in the file, you can download it and append it to the end with any text editor; make sure the existing file ends with a newline so the new BEGIN CERTIFICATE line starts on its own line.
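The three cases above have one goal: the AddTrust External CA Root must be findable by the OpenSSL that mod_cosign links against, either through a correctly hashed symlink in a CApath directory or as a complete PEM block in the bundle file. The following POSIX shell helpers are an added example, not code from this page or from the Cosign project: they check and apply both layouts and confirm the result with openssl verify. The function names, the constructed.pem file name and the certificates built in the usage comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or the Cosign project): helpers for the
# CApath-directory and CA-file layouts of the CosignCrypto CA bundle.
# Function names and the sample file names are assumptions made here.

# Print one line per certificate in a PEM file: its base64 body with all
# whitespace removed, so the same certificate compares equal however it is wrapped.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside                        { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Succeed (exit 0) if the first certificate in <pem> already appears in <bundle>.
# This is the "CA path is a file" check; it needs no openssl binary.
bundle_has_cert() {
    bundle=$1; pem=$2
    body=$(pem_bodies "$pem" | head -n 1)
    [ -n "$body" ] || return 1
    pem_bodies "$bundle" | grep -qxF -- "$body"
}

# Append <pem> to <bundle> unless it is already present.  A bundle whose last
# line lacks a newline would otherwise glue the two PEM blocks together and
# OpenSSL would silently skip the appended certificate.
append_ca_to_bundle() {
    bundle=$1; pem=$2
    if bundle_has_cert "$bundle" "$pem"; then
        return 0
    fi
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$pem" >> "$bundle"
}

# Create the <hash>.N symlink a CApath directory needs.  Default: the
# OpenSSL 1.0.0+ subject hash; with a third argument of "old": the OpenSSL
# 0.9.8 hash (-subject_hash_old exists in OpenSSL 1.0.0+; on a 0.9.8 host
# plain -hash already yields the old value).  Prints the link path.
ensure_ca_link() {
    capath=$1; pem=$2; scheme=${3:-new}
    if [ "$scheme" = old ]; then
        hash=$(openssl x509 -noout -subject_hash_old -in "$capath/$pem")
    else
        hash=$(openssl x509 -noout -subject_hash -in "$capath/$pem")
    fi
    # A link with this hash already pointing at the file: nothing to do.
    for link in "$capath/$hash".*; do
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$pem" ]; then
            echo "$link"; return 0
        fi
    done
    # OpenSSL numbers hash collisions .0, .1, .2 ...; take the first free suffix.
    n=0
    while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$pem" "$capath/$hash.$n"
    echo "$capath/$hash.$n"
}

# Check the store the way mod_cosign's OpenSSL will use it: <cert> must
# chain to a certificate reachable through the hash links in <capath>.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK'
}

# Command-line use (paths are examples, not the page's own):
#   sh cosign_ca.sh link /etc/ssl/certs AddTrustExternalCARoot.pem [old]
#   sh cosign_ca.sh append /etc/apache2/cosign-ca.pem AddTrustExternalCARoot.pem
#   sh cosign_ca.sh verify /etc/ssl/certs /path/to/cosign-server-cert.pem
case ${1:-} in
    link)   ensure_ca_link "$2" "$3" "${4:-new}" ;;
    append) append_ca_to_bundle "$2" "$3" ;;
    verify) verify_with_capath "$2" "$3" && echo "$3: OK" ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 link|append|verify ..." >&2 ;;
esac
```

For a directory store run link with the CApath and the PEM file name; on a RHEL5-era host the local OpenSSL 0.9.8 computes the old hash by itself, and from a newer host you can pass old to pre-generate the same name. For a file store run append, which is idempotent and also recognises a copy of the certificate that was re-wrapped at a different line width. The hash names the functions produce should match the values listed above (157753a5 and 3c58f906 for AddTrust, 5cc1e784 and 4700e8dd for umwebCA) on the respective OpenSSL versions; verify confirms that the server certificate actually chains through the links, which is the check to run before the August switch.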

CosignModule (IIS7+) on Windows

The InCommon root CA has been included in Windows since Server 2003. No changes are required.

IISCosign (IIS6) on Windows

Note: The IISCosign filter does not support recent security improvements. It is strongly recommended that you switch to CosignModule or migrate to Shibboleth for authentication.

The Cosign configuration is, by default, in an XML file named C:\Program Files\IISCoSign\CoSign.dll.config. The CA certificates are located in a folder set with CAFilePath:

<CAFilePath>C:\Program Files\CoSignFilter\SSL\</CAFilePath>

The umwebCA certificate is stored in a file named 4700e8dd.0 (the OpenSSL hash value), so the folder should contain at least this file:

10/11/2016  3:17 PM         1334 4700e8dd.0

Your server may already have the AddTrust External CA Root certificate. If not, download it into the CA path and rename it to 3c58f906.0:

10/11/2016  3:17 PM         1521 3c58f906.0
10/11/2016  3:17 PM         1334 4700e8dd.0

You will still need the umwebCA for the remainder of 2017.

Java Cosign

Note: Java Cosign does not support recent security improvements. It is strongly recommended that you use an Apache HTTPD proxy for authentication.

The Cosign configuration is stored in a cosignConfig.xml file. The keystore location and password are among the settings:

  <KeyStorePath>conf/jcosign_keystore.jks</KeyStorePath>
  <KeyStorePassword>changeit</KeyStorePassword>

Download the AddTrust External CA Root certificate and use keytool to add it to your keystore:

keytool -importcert -keystore $keystore -storepass $storepass -noprompt -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.pem
Last Updated: Tuesday, April 18, 2017