Identify Cosign on a System

This document is intended to help system administrators determine whether or not their systems are using Cosign. Several methods are available to determine whether Cosign is configured on your system.

Step 1: Identify communication with Cosign servers

Use netstat

Use netstat to check for connections to port 6663, which is the backchannel to the Cosign servers.

Linux example

Run netstat from a shell prompt:

$ netstat -an | grep 6663

tcp 1 0 141.211.28.118:60384 141.211.243.174:6663 CLOSE_WAIT
tcp 1 0 141.211.28.118:57420 141.211.243.174:6663 CLOSE_WAIT
tcp 1 0 141.211.28.118:60432 141.211.243.174:6663 CLOSE_WAIT

For more information see How to Use netstat on Linux.

Windows example

Search the output of a netstat command for a specific port:

# Windows CMD

C:\> netstat -na | findstr /c:"6663"

tcp 141.211.28.118:60384 141.211.243.174:6663 CLOSE_WAIT
tcp 141.211.28.118:57420 141.211.243.174:6663 CLOSE_WAIT
tcp 141.211.28.118:60432 141.211.243.174:6663 CLOSE_WAIT

# Windows PowerShell

PS C:\> netstat -na | Select-String "6663"

tcp 141.211.28.118:60384 141.211.243.174:6663 CLOSE_WAIT
tcp 141.211.28.118:57420 141.211.243.174:6663 CLOSE_WAIT
tcp 141.211.28.118:60432 141.211.243.174:6663 CLOSE_WAIT

For more information see How to use netstat command on Windows 10 or Windows: `Grep` Equivalent – CMD & PowerShell.
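A substring search for "6663" also matches unrelated ports such as 16663 or 46663. The following added example (not part of the original page) parses `netstat -an` output from either platform and reports only rows whose foreign port is exactly 6663; the function name and the sample rows are constructed for illustration.

```python
import re

COSIGN_PORT = 6663  # backchannel port named on this page

# Constructed sample: Linux- and Windows-style rows, documentation addresses.
SAMPLE_NETSTAT = """\
tcp        1      0 192.0.2.10:60384   198.51.100.20:6663  CLOSE_WAIT
tcp        0      0 192.0.2.10:16663   198.51.100.30:443   ESTABLISHED
tcp        0      0 192.0.2.10:51000   198.51.100.40:46663 ESTABLISHED
tcp        0      0 0.0.0.0:6663       0.0.0.0:*           LISTEN
tcp6       0      0 2001:db8::5:40000  2001:db8::20:6663   ESTABLISHED
  TCP    192.0.2.10:57420       198.51.100.20:6663     ESTABLISHED
"""

def cosign_peers(netstat_text, port=COSIGN_PORT):
    """Map remote host -> set of states for TCP rows whose foreign port is exactly `port`.

    Assumes `netstat -an` / `netstat -na` output as shown on this page
    (state is the last column; no -p process column).
    """
    peers = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        # Linux: proto recv-q send-q local foreign state
        # Windows: proto local foreign state
        addrs = [f for f in fields[1:] if re.search(r":\d+$", f)]
        if len(addrs) < 2:
            continue  # listener rows such as 0.0.0.0:* have no remote port
        host, _, remote_port = addrs[1].rpartition(":")
        if remote_port == str(port):
            peers.setdefault(host.strip("[]"), set()).add(fields[-1])
    return peers

if __name__ == "__main__":
    for host, states in sorted(cosign_peers(SAMPLE_NETSTAT).items()):
        print(host, sorted(states))
```
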

Visit the Cosign validation URL on your hostname

To visit the Cosign validation URL for your system, add /cosign/valid?cosign-test=123 to the end of your hostname. For example, in https://www.umich.edu/cosign/valid?cosign-test=123, replace www.umich.edu with the hostname of the service you want to test.

  • If Cosign is installed, you will see a "page not found" message.
  • If Cosign is not installed, you have fed it a bad request and you will be redirected to weblogin.umich.edu and get the “URL validation failed” message.

Step 2: Look at configuration files to determine if Cosign is configured

Microsoft IIS

Option 1: Check the applicationHost.config file

If Cosign was loaded, the C:\windows\system32\inetsrv\config\applicationHost.config file would include the bolded text below.

<?xml version="1.0" encoding="UTF-8"?>
[...]

<configuration>
[...]

    <configSections>
        <sectionGroup name="system.applicationHost">
            <section name="applicationPools" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="configHistory" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="customMetadata" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="listenerAdapters" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="log" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="serviceAutoStartProviders" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="sites" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
            <section name="webLimits" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
        </sectionGroup>

        <sectionGroup name="system.webServer">
            <section name="cosign" overrideModeDefault="Allow" />
            <section name="asp" overrideModeDefault="Deny" />
            <section name="caching" overrideModeDefault="Allow" />
            <section name="cgi" overrideModeDefault="Deny" />
[...]
    <system.webServer>
        <cosign>
          <webloginServer name="weblogin-test.itcs.umich.edu" loginUrl="https://weblogin-test.itcs.umich.edu/?" port="6663" postErrorRedirectUrl="https://weblogin-test.itcs.umich.edu/post_error.html" />
          <crypto certificateCommonName="newsite.it.umich.edu" />
          <cookieDb directory="%systemDrive%\inetpub\temp\Cosign Cookie DB\" expireTime="120" />
          <validation validReference="^https?:\/\/.*\.umich\.edu(\/.*)?" errorRedirectUrl="https://weblogin-test.itcs.umich.edu/cosign/validation_error.html" />
          <cookies secure="true" httpOnly="true" />
          <service name="newsite.it" />
          <protected status="off" />
        </cosign>

        <asp />

        <caching enabled="true" enableKernelCache="true">
        </caching>

Option 2: Check the web.config file

If Cosign was loaded, the bolded text below must be included in the web.config file, since Weblogin delivers authenticated users to /cosign/valid. The rest of the example demonstrates how Cosign could be set up to protect specific areas or the site as a whole.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <!-- It's VERY IMPORTANT that cosign/valid is excluded from Cosign protection -->
    <location path="cosign/valid">
      <system.webServer>
        <cosign>
          <protected status="off" />
        </cosign>
      </system.webServer>
    </location>

    <!-- A simple example of Cosign-protecting an area -->
    <location path="test/simple">
      <system.webServer>
        <cosign>
          <protected status="on" />
        </cosign>
      </system.webServer>
    </location>

    <!-- This example requires two-factor (Duo) -->
    <location path="test/mfa">
      <system.webServer>
        <cosign>
          <protected status="on" />
          <service>
            <add factor="two-factor" />
          </service>
        </cosign>
      </system.webServer>
    </location>

    <system.webServer>
        <!-- The system.webServer cosign section is the site default -->
        <cosign>
            <protected status="off" />
        </cosign>

        <handlers>
           <!-- Configure CosignModule.dll to handle /cosign/valid -->
           <add name="Cosign Validation" path="/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />

        </handlers>
        <modules>
            <add name="Cosign" />
        </modules>

    </system.webServer>

</configuration>
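To review a web.config without reading it by eye, the added example below (not from the original page) parses the file and reports whether the Cosign module and the /cosign/valid handler are present, which locations are protected, and whether cosign/valid is excluded from protection. The function names and the sample file are constructed; element and attribute names follow the web.config shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the web.config layout shown above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="cosign/valid">
    <system.webServer><cosign><protected status="off" /></cosign></system.webServer>
  </location>
  <location path="test/mfa">
    <system.webServer><cosign>
      <protected status="on" />
      <service><add factor="two-factor" /></service>
    </cosign></system.webServer>
  </location>
  <system.webServer>
    <cosign><protected status="off" /></cosign>
    <handlers>
      <add name="Cosign Validation" path="/cosign/valid*" verb="*" modules="Cosign" />
    </handlers>
    <modules><add name="Cosign" /></modules>
  </system.webServer>
</configuration>"""

def cosign_status(web_server):
    """Summarise the <cosign> child of one <system.webServer>; None if absent."""
    cosign = web_server.find("cosign") if web_server is not None else None
    if cosign is None:
        return None
    protected = cosign.find("protected")
    return {
        "protected": protected is not None and protected.get("status", "").lower() == "on",
        "factors": [a.get("factor") for a in cosign.findall("service/add") if a.get("factor")],
    }

def audit_web_config(xml_text):
    """Report Cosign module, handler, site default and per-location protection."""
    root = ET.fromstring(xml_text)
    locations = {loc.get("path"): cosign_status(loc.find("system.webServer"))
                 for loc in root.findall("location")}
    valid = locations.get("cosign/valid")
    return {
        "module_loaded": any(a.get("name") == "Cosign" for a in root.findall(".//modules/add")),
        "valid_handler": any(a.get("modules") == "Cosign" and a.get("path", "").startswith("/cosign/valid")
                             for a in root.findall(".//handlers/add")),
        "site_default": cosign_status(root.find("system.webServer")),
        "locations": locations,
        # the page stresses that cosign/valid must stay outside Cosign protection
        "valid_excluded": valid is not None and not valid["protected"],
    }
```
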

Option 3: Check the Internet Information Server (IIS) Manager application

Open the Internet Information Server (IIS) Manager application and click the server name. A window opens with multiple icons, grouped into ASP.NET, IIS, and Management sections.

In the IIS section, click Modules and look for a CosignModule in that list.

[Figure: IIS Manager Application with Cosign Module]

Apache Web Server

Option 1: Diagnostic check

RHEL/CentOS

Use Apache's test mode to see if cosign_module loads.

sudo httpd -t -D DUMP_MODULES | grep cosign

Debian/Ubuntu

Use Apache's test mode to see if cosign_module loads.

. /etc/apache2/envvars
/usr/sbin/apache2 -t -D DUMP_MODULES | grep cosign

Option 2: Check different locations for Cosign

Look for directives like the following to see whether Cosign authentication was added to the VirtualHost itself, or to Location, Directory, and Files resources within it.

<Location /protected>
    CosignProtected On
    AuthType Cosign
    Require valid-user
    # Uncomment this to *require* Duo two-factor authentication
    # CosignRequireFactor two-factor
</Location>

Diagnostic Check

Restart Apache and browse to a protected area of your site. Apache should redirect you to Weblogin for authentication.

Option 3: Additional checks

  • Search for "Cosign" in the configuration files (often in /etc/httpd).
  • Check the file system for artifacts (e.g., /var/cosign).
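A plain text search for "Cosign" also matches commented-out lines such as the `# CosignRequireFactor two-factor` line in the Option 2 example. The added example below (not part of the original page) lists only active Cosign directives and the VirtualHost, Location, Directory or Files section each one sits in; the function name and the sample configuration, including its hostname and module path, are constructed.

```python
import re

# Constructed sample in the style of the <Location> block shown above.
SAMPLE_CONF = """\
LoadModule cosign_module modules/mod_cosign.so
# CosignProtected On
<VirtualHost *:443>
    ServerName app.example.edu
    <Location /protected>
        CosignProtected On
        AuthType Cosign
        Require valid-user
        # CosignRequireFactor two-factor
    </Location>
    <Location /public>
        AuthType Basic
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"</\w+\s*>$")

def active_cosign_directives(conf_text):
    """Return (line_no, enclosing_context, directive, args) for uncommented Cosign settings."""
    stack, found = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a plain text search would also hit commented-out lines
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
            continue
        parts = line.split(None, 1)
        name, args = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        key = name.lower()  # Apache directive names are case-insensitive
        if (key.startswith("cosign")
                or (key == "authtype" and args.lower() == "cosign")
                or (key == "loadmodule" and args.lower().startswith("cosign_module"))):
            found.append((line_no, " > ".join(stack) or "server", name, args))
    return found
```
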

Last Updated: Wednesday, August 31, 2022