$Revision: 1.1 $ ($Date: 2002/08/30 16:25:09 $)
ACE libraries are released by RSA in the ACE/Server or ACE/Agent distribution (see http://www.rsasecurity.com/products/securid/ for RSA/SecurID information).
Currently, the following Unix operating systems can be found on CD-ROM:
ACE libraries for Linux are not on the "standard" distributions but can be downloaded from the RSA web site at http://www.rsasecurity.com/go/linux.html.
Another link is ftp://ftp.rsasecurity.com/pub/agents/.
Please read the documentation... See the error messages and the AuthSecurID_SecureCookie directive.
Note: this is only for mod_securid < 1.8.0.
mod_securid uses shared memory for ACE init. Each time you use one server (main server or virtual server), you need one shared memory segment.
On Solaris, the default number of shared memory segments that any one process can create is set with shmsys:shminfo_shmseg in the system file /etc/system. The default value is 6, so if you need more than 5 virtual servers (1 segment for the main server and 5 for the virtual servers), you need to adjust your system file. Use for example:
This is a configuration problem: just use "LoadModule securid_module ..." first, before any other module.
Just compile mod_securid with the "ace_simul" library: you will then control the "authentication" with the value of the PASSCODE. See ace_simul/ directory, included with the mod_securid distribution.
Quoting Gene Lee (glee@rsasecurity.com):
Disclaimer: Apache is not yet an official RSA Security-supported platform for SecurID. Personally, I have gotten ACE/Server working with it, but please note that RSA Security is in no way responsible for the usage or support of what I am providing here.

In this instance, I had to re-compile the Apache server to take advantage of mod_securid. Here are the step-by-step instructions:

Pre-reqs for this particular install:

    Solaris 8
    gcc-2.95.2 binaries (http://www.sunfreeware.com)
    apache 1.3.19 source code (http://www.apache.org)
    mod_securid 1.5.2.1 source code (http://www.deny-all.com/mod_securid/)
    ACE/Server v4.1

Steps:

1) Install Solaris ACE/agent from the ACE/Server v4.1 CD

2) gunzip/untar the apache and mod_securid tarballs into subdirectories in a common top-level dir (in my case, it's /usr/local/src/apache-1.3.19 and /usr/local/src/mod_securid-1.5.2.1)

3) Set the directories where mod_securid can find the sdiclient.a and the header files through the ACE_INC and ACE_LIB environment variables. You have to manually set this variable, or mod_securid will try /var/ace by default and fail on the configure. Then go to ace/data directory and perform these links:

    # ACE_INC=/usr/ace/examples
    # ACE_LIB=/usr/ace/examples
    # export ACE_INC
    # export ACE_LIB

4) Compile Apache:

    # pwd
    /usr/local/src/apache-1.3.19
    # ./configure --add-module=../mod_securid-1.5.2.1/mod_securid.c
    [..]
    # make
    [..]
    # make install

5) By default, mod_securid is hardcoded to point to /var/ace to find sdconf.rec and to write the node secret file. These days on the client installation, /var/ace is actually the ace/data directory.

You can either use the AuthSecurID_VarAce directive to adjust this, by adding this line in your httpd.conf:

    AuthSecurID_VarAce /usr/ace/data

Or, you can create a link to the ace/data directory from /var

    # cd /var
    # ln -sf /usr/ace/data ace

The first solution is much cleaner, but since I was unaware of this option at the time of this particular install, the rest of this document assumes /var/ace.

6) Configure Apache (add the "AuthSecurID_SecureCookie Off" and create a directive in httpd.conf as per the mod_securid documentation). You can add this to the end of httpd.conf to get you going:

    <Directory /usr/local/apache/htdocs/private>
    AuthType "SecurID"
    require valid-user
    </Directory>

Just make sure your Apache machine is a client in ACE/Server, that you've enabled users on this client and that the directory you've just SecurID protected exists.

You might get a node verification error if this is the first time you're using SecurID at all on this machine. To fix it, set the permissions properly on the node secret directory (/var/ace in this case) to be world-writeable. Then in your ACE/Server, unclick "Node Secret Sent" for the Apache machine, and perform an authentication. To be safe, set the node secret directory to be read-only again after the node secret has been sent (the node secret filename is "securid", if this file doesn't exist, the node secret has not been successfully sent - check your permissions again).

The nice thing about mod_securid is that there is fine-grained authentication to who gets access to which directory (as opposed to allowing all SecurID authenticated users in).

Note for mod_perl users:
------------------------

For some users using a downloaded perl binary (i.e. you did not compile this version of perl yourself), you may have a problem configuring mod_perl with any other Apache modules, mod_securid included.

Symptoms include non-responsive web requests and this msg in your $(apache_dir)/logs/error_log file:

    [current date] [notice] child pid xxxxx exit signal Segmentation Fault (11)

This happens because the version of perl you've downloaded is most likely USELARGEFILES enabled, but Apache is not. Short of rebuilding perl, you can have mod_perl build Apache correctly. These are the steps:

1) Copy the source of mod_securid into your Apache source tree:

    # cp /usr/local/src/mod_securid-1.5.2.1/mod_securid.c \
         /usr/local/src/apache-1.3.19/src/modules/extra

2) Edit the /usr/local/src/apache-1.3.19/src/Configuration file and add this line to the bottom of the file:

    AddModule modules/extra/mod_securid.o

3) Let mod_perl set the configuration and compile Apache for you (don't forget to set those ACE_INC and ACE_LIB variables):

    # cd /usr/local/src/mod_perl-1.5.2.1
    # perl Makefile.PL
    Configure mod_perl with ../apache_1.3.19/src ? [y] y
    Shall I build httpd in ../apache_1.3.19/src for you? [y] y
    [..]
    # make
    [..]
    # make install

4) Then install Apache from your apache source tree:

    # cd /usr/local/src/apache-1.3.19
    # make install

The above was tested using mod_perl-1.25 (http://perl.apache.org) on the system outlined above, but should work for some of the earlier versions as well. The perl binary used was the perl-5.6.0 distribution downloaded from http://www.sunfreeware.com.
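
The quoted instructions open the node secret directory to world write access only while the node secret is being sent and close it again afterwards; the following check confirms the directory ended up in the closed state. It is an added example, not part of the quoted instructions or of the mod_securid distribution: the function name check_ace_dir and its finding labels are assumptions, while /var/ace, sdconf.rec and the "securid" file name come from the text above.

```sh
#!/bin/sh
# Added example (not from mod_securid): audit the ACE data directory.
# check_ace_dir and its finding labels are hypothetical names.
# Prints one finding per line; returns 0 only when nothing is wrong.
check_ace_dir() {
    dir=${1:-/var/ace}          # default location named in the text
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR $dir"
        return 1
    fi
    # mod_securid looks for sdconf.rec in this directory.
    [ -f "$dir/sdconf.rec" ] || { echo "NO_SDCONF $dir/sdconf.rec"; rc=1; }
    # The node secret file is named "securid"; absent means it was never sent.
    [ -f "$dir/securid" ] || { echo "NO_NODE_SECRET $dir/securid"; rc=1; }
    # -L follows a /var/ace -> /usr/ace/data symlink, so the target's mode
    # is tested rather than the link's own lrwxrwxrwx.
    mode=$(ls -ldL "$dir" | cut -c1-10)
    case $mode in
        ????????w?) echo "WORLD_WRITABLE $dir ($mode)"; rc=1 ;;
    esac
    if [ -f "$dir/securid" ]; then
        fmode=$(ls -lL "$dir/securid" | cut -c1-10)
        case $fmode in
            ????????w?) echo "WORLD_WRITABLE $dir/securid ($fmode)"; rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then echo "OK $dir"; fi
    return "$rc"
}

# Constructed demo: a scratch directory left in the state used to receive
# the node secret (world-writable, no "securid" file yet).
demo=$(mktemp -d)
touch "$demo/sdconf.rec"
chmod 777 "$demo"
check_ace_dir "$demo" || true
rm -rf "$demo"
```

Run it as `check_ace_dir /usr/ace/data` when the AuthSecurID_VarAce directive points there instead of /var/ace.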