$Revision: 1.1 $ ($Date: 2002/08/30 16:25:09 $)
ACE libraries are released by RSA in the ACE/Server or ACE/Agent distribution (see http://www.rsasecurity.com/products/securid/ for RSA/SecurID information).
Currently, the following Unix operating systems can be found on CD-ROM:
ACE libraries for Linux are not on the "standard" distributions but can be downloaded from the RSA web site at http://www.rsasecurity.com/go/linux.html.
Another link is ftp://ftp.rsasecurity.com/pub/agents/.
Please read the documentation... See error messages and AuthSecurID_SecureCookie directive
Note: this is only for mod_securid < 1.8.0.
mod_securid uses shared memory for ACE initialization. Each server you use (main server or virtual server) needs one shared memory segment.
On Solaris, the default number of shared memory segments that any one process can create is set with shmsys:shminfo_shmseg in the system file /etc/system. The default value is 6, so if you need more than 5 virtual servers (1 segment for the main server and 5 for the virtual servers), you need to adjust your system file. Use for example:
This is a configuration problem: just use "LoadModule securid_module ..." first, before any other module.
Just compile mod_securid with the "ace_simul" library: you will then control the "authentication" with the value of the PASSCODE. See ace_simul/ directory, included with the mod_securid distribution.
Quoting Gene Lee (glee@rsasecurity.com):
Disclaimer: Apache is not yet an official RSA Security-supported platform
for SecurID. Personally, I have gotten ACE/Server working with it, but
please note that RSA Security is in no way responsible for the usage
or support of what I am providing here. In this instance, I had to
re-compile the Apache server to take advantage of mod_securid. Here are
the step-by-step instructions:
Pre-reqs for this particular install:
Solaris 8
gcc-2.95.2 binaries (http://www.sunfreeware.com)
apache 1.3.19 source code (http://www.apache.org)
mod_securid 1.5.2.1 source code
(http://www.deny-all.com/mod_securid/)
ACE/Server v4.1
Steps:
1) Install Solaris ACE/agent from the ACE/Server v4.1 CD
2) gunzip/untar the apache and mod_securid tarballs into subdirectories
in a common top-level dir (in my case, it's /usr/local/src/apache-1.3.19
and /usr/local/src/mod_securid-1.5.2.1)
3) Set the directories where mod_securid can find the sdiclient.a and the
header files through the ACE_INC and ACE_LIB environment variables. You
have to manually set this variable, or mod_securid will try /var/ace by
default and fail on the configure. Then go to ace/data directory and
perform these links:
# ACE_INC=/usr/ace/examples
# ACE_LIB=/usr/ace/examples
# export ACE_INC
# export ACE_LIB
4) Compile Apache:
# pwd
/usr/local/src/apache-1.3.19
# ./configure --add-module=../mod_securid-1.5.2.1/mod_securid.c
[..]
# make
[..]
# make install
5) By default, mod_securid is hardcoded to point to /var/ace to find
sdconf.rec and to write the node secret file. These days on the client
installation, /var/ace is actually the ace/data directory. You can either
use the AuthSecurID_VarAce directive to adjust this, by adding this line
in your httpd.conf:
AuthSecurID_VarAce /usr/ace/data
Or, you can create a link to the ace/data directory from /var
# cd /var
# ln -sf /usr/ace/data ace
The first solution is much cleaner, but since I was unaware of this
option at the time of this particular install, the rest of this document
assumes /var/ace.
6) Configure Apache (add the "AuthSecurID_SecureCookie Off" and create
a directive in httpd.conf as per the mod_securid documentation). You can
add this to the end of httpd.conf to get you going:
<Directory /usr/local/apache/htdocs/private>
AuthType "SecurID"
require valid-user
</Directory>
Just make sure your Apache machine is a client in ACE/Server, that you've
enabled users on this client and that the directory you've just SecurID
protected exists. You might get a node verification error if this is the
first time you're using SecurID at all on this machine. To fix it, set the
permissions properly on the node secret directory (/var/ace in this case)
to be world-writeable. Then in your ACE/Server, unclick "Node Secret Sent"
for the Apache machine, and perform an authentication. To be safe, set the
node secret directory to be read-only again after the node secret has been
sent (the node secret filename is "securid", if this file doesn't exist,
the node secret has not been successfully sent - check your permissions
again).
The nice thing about mod_securid is that there is fine-grained authentication
to who gets access to which directory (as opposed to allowing all SecurID
authenticated users in).
Note for mod_perl users:
------------------------
For some users using a downloaded perl binary (i.e. you did not compile this
version of perl yourself), you may have a problem configuring mod_perl with
any other Apache modules, mod_securid included. Symptoms include
non-responsive web requests and this msg in your $(apache_dir)/logs/error_log
file:
[current date] [notice] child pid xxxxx exit signal Segmentation Fault (11)
This happens because the version of perl you've downloaded is most likely
USELARGEFILES enabled, but Apache is not. Short of rebuilding perl, you
can have mod_perl build Apache correctly. These are the steps:
1) Copy the source of mod_securid into your Apache source tree:
# cp /usr/local/src/mod_securid-1.5.2.1/mod_securid.c \
/usr/local/src/apache-1.3.19/src/modules/extra
2) Edit the /usr/local/src/apache-1.3.19/src/Configuration file and add
this line to the bottom of the file:
AddModule modules/extra/mod_securid.o
3) Let mod_perl set the configuration and compile Apache for you (don't
forget to set those ACE_INC and ACE_LIB variables):
# cd /usr/local/src/mod_perl-1.5.2.1
# perl Makefile.PL
Configure mod_perl with ../apache_1.3.19/src ? [y] y
Shall I build httpd in ../apache_1.3.19/src for you? [y] y
[..]
# make
[..]
# make install
4) Then install Apache from your apache source tree:
# cd /usr/local/src/apache-1.3.19
# make install
The above was tested using mod_perl-1.25 (http://perl.apache.org) on the
system outlined above, but should work for some of the earlier versions
as well. The perl binary used was the perl-5.6.0 distribution downloaded
from http://www.sunfreeware.com.
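
Added example (not part of the quoted instructions or of the mod_securid distribution): a small shell check for the ACE data directory after the node secret exchange described in step 6. It reports a directory that is still world-writable and missing sdconf.rec or "securid" files. The directory and file names are the ones given above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the ACE data directory used by mod_securid.
# File names (sdconf.rec, securid) and the /var/ace default come from the
# text above; check_ace_dir and other_write are hypothetical helper names.

# other_write PATH -> succeeds if "others" have write permission on PATH
other_write() {
    # the 9th character of the ls mode string is the world-write bit
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# check_ace_dir DIR -> prints findings, returns the number of findings
check_ace_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    if other_write "$dir"; then
        echo "WORLD-WRITABLE: $dir (left open after the node secret exchange?)"
        findings=$((findings + 1))
    fi
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "MISSING: $dir/sdconf.rec"
        findings=$((findings + 1))
    fi
    if [ ! -f "$dir/securid" ]; then
        echo "NO NODE SECRET: $dir/securid not present (not yet sent)"
        findings=$((findings + 1))
    elif other_write "$dir/securid"; then
        echo "WORLD-WRITABLE: $dir/securid"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the directory given as the first argument, e.g. /var/ace
if [ $# -gt 0 ]; then check_ace_dir "$1"; fi
```

A zero exit status means the directory passed every check; run it again after each re-send of the node secret.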