[APACHE DOCUMENTATION]

mod_securid: FAQ

$Revision: 1.1 $ ($Date: 2002/08/30 16:25:09 $)

The Questions

  1. Where can I find the ACE libraries?
  2. Why am I getting "[error] SecurID: ACE syntax error (no handle)" in my error log?
  3. Why am I getting "[emerg] (24)Too many open files: SecurID: could not attach shared memory segment #nnn" in my error log?
  4. I'm using "./configure ... --enable-shared=max" to compile Apache/mod_securid and I get a core dump on restart. What's wrong?
  5. How can I test mod_securid without an ACE/Server?
  6. Is there any more help (from RSA)?

The Answers

  1. Where can I find the ACE libraries?

    The ACE libraries are released by RSA in the ACE/Server and ACE/Agent distributions (see http://www.rsasecurity.com/products/securid/ for RSA/SecurID information).

    Currently, the following Unix operating systems can be found on CD-ROM:

    1. Solaris
    2. HP/UX
    3. AIX

    ACE libraries for Linux are not included in the "standard" distributions but can be downloaded from the RSA web site at http://www.rsasecurity.com/go/linux.html.

    Another link is ftp://ftp.rsasecurity.com/pub/agents/.


  2. Why am I getting "[error] SecurID: ACE syntax error (no handle)" in my error log?

    See the documentation, in particular the error messages section and the AuthSecurID_SecureCookie directive.


  3. Why am I getting "[emerg] (24)Too many open files: SecurID: could not attach shared memory segment #nnn" in my error log?

    Note: this is only for mod_securid < 1.8.0.

    mod_securid uses shared memory for ACE initialization. Each server (the main server and every virtual server) needs one shared memory segment.

    On Solaris, the default number of shared memory segments that any one process can create is set with shmsys:shminfo_shmseg in the system file /etc/system. The default value is 6, so if you need more than 5 virtual servers (1 segment for the main server and 5 for the virtual servers), you need to adjust your system file. For example:

      set shmsys:shminfo_shmseg=50
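
    The check below is an added example, not part of the mod_securid distribution: it counts the servers in an httpd.conf and compares the segments they need with the shmseg limit in a Solaris system file. The function names, the sample files and the "last set line wins" rule are assumptions made for illustration.

```shell
#!/bin/sh
# Segments needed: one for the main server plus one per <VirtualHost> block.
segments_needed() {
    vhosts=$(grep -ci '^[[:space:]]*<VirtualHost[[:space:]>]' "$1" || true)
    echo $((vhosts + 1))
}

# Limit from the system file. If several "set" lines exist this sketch
# takes the last one (assumption); with none, the page's default of 6.
shmseg_limit() {
    val=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}shmsys:shminfo_shmseg[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-6}"
}

# Returns 0 when the limit covers every server, 1 otherwise.
check_shmseg() {
    need=$(segments_needed "$1")
    limit=$(shmseg_limit "$2")
    if [ "$need" -gt "$limit" ]; then
        echo "FAIL: need $need segments, shmseg limit is $limit"
        return 1
    fi
    echo "OK: need $need segments, shmseg limit is $limit"
}

# Constructed sample input: six virtual hosts, system file without a setting.
sample_dir=$(mktemp -d)
i=1
while [ "$i" -le 6 ]; do
    printf '<VirtualHost 192.0.2.%s>\n</VirtualHost>\n' "$i"
    i=$((i + 1))
done > "$sample_dir/httpd.conf"
printf '* constructed /etc/system excerpt\n' > "$sample_dir/system"
check_shmseg "$sample_dir/httpd.conf" "$sample_dir/system" || true
```

    On a real host, pass the server's httpd.conf and /etc/system as the two arguments.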


  4. I'm using "./configure ... --enable-shared=max" to compile Apache/mod_securid and I get a core dump on restart. What's wrong?

    This is a configuration problem: just use "LoadModule securid_module ..." first, before any other module.


  5. How can I test mod_securid without an ACE/Server?

    Just compile mod_securid with the "ace_simul" library: you will then control the "authentication" with the value of the PASSCODE. See ace_simul/ directory, included with the mod_securid distribution.


  6. Is there any more help (from RSA)?

    Quoting Gene Lee (glee@rsasecurity.com):

    
    Disclaimer: Apache is not yet an official RSA Security-supported platform
    for SecurID. Personally, I have gotten ACE/Server working with it, but
    please note that RSA Security is in no way responsible for the usage
    or support of what I am providing here. In this instance, I had to
    re-compile the Apache server to take advantage of mod_securid. Here are
    the step-by-step instructions:
    
    Pre-reqs for this particular install:
    
    Solaris 8
    gcc-2.95.2 binaries (http://www.sunfreeware.com)
    apache 1.3.19 source code (http://www.apache.org)
    mod_securid 1.5.2.1 source code
    (http://www.deny-all.com/mod_securid/)
    ACE/Server v4.1
    
    Steps:
    
    1) Install Solaris ACE/agent from the ACE/Server v4.1 CD
    
    2) gunzip/untar the apache and mod_securid tarballs into subdirectories
    in a common top-level dir (in my case, it's /usr/local/src/apache-1.3.19
    and /usr/local/src/mod_securid-1.5.2.1)
    
    3) Set the directories where mod_securid can find the sdiclient.a and the
    header files through the ACE_INC and ACE_LIB environment variables. You
    have to manually set this variable, or mod_securid will try /var/ace by
    default and fail on the configure. Then go to ace/data directory and
    perform these links:
    
         # ACE_INC=/usr/ace/examples
         # ACE_LIB=/usr/ace/examples
         # export ACE_INC
         # export ACE_LIB
    
    4) Compile Apache:
    
         # pwd
         /usr/local/src/apache-1.3.19
         # ./configure --add-module=../mod_securid-1.5.2.1/mod_securid.c
         [..]
         # make
         [..]
         # make install
    
    5) By default, mod_securid is hardcoded to point to /var/ace to find
    sdconf.rec and to write the node secret file. These days on the client
    installation, /var/ace is actually the ace/data directory. You can either
    use the AuthSecurID_VarAce directive to adjust this, by adding this line
    in your httpd.conf:
    
         AuthSecurID_VarAce     /usr/ace/data
    
    Or, you can create a link to the ace/data directory from /var
    
         # cd /var
         # ln -sf /usr/ace/data ace
    
    The first solution is much cleaner, but since I was unaware of this
    option at the time of this particular install, the rest of this document
    assumes /var/ace.
    
    6) Configure Apache (add the "AuthSecurID_SecureCookie Off" and create
    a directive in httpd.conf as per the mod_securid documentation). You can
    add this to the end of httpd.conf to get you going:
    
         <Directory /usr/local/apache/htdocs/private>     
           AuthType     "SecurID"
           require      valid-user
         </Directory>
    
    Just make sure your Apache machine is a client in ACE/Server, that you've
    enabled users on this client and that the directory you've just SecurID
    protected exists. You might get a node verification error if this is the
    first time you're using SecurID at all on this machine. To fix it, set the
    permissions properly on the node secret directory (/var/ace in this case)
    to be world-writeable. Then in your ACE/Server, unclick "Node Secret Sent"
    for the Apache machine, and perform an authentication. To be safe, set the 
    node secret directory to be read-only again after the node secret has been
    sent (the node secret filename is "securid", if this file doesn't exist,
    the node secret has not been successfully sent - check your permissions
    again).
    
    The nice thing about mod_securid is that there is fine-grained authentication
    to who gets access to which directory (as opposed to allowing all SecurID
    authenticated users in).
    
    Note for mod_perl users:
    ------------------------
    
    For some users using a downloaded perl binary (ie. you did not compile this
    version of perl yourself), you may have a problem configuring mod_perl with
    any other Apache modules, mod_securid included. Symptoms include
    non-responsive web requests and this msg in your $(apache_dir)/logs/error_log
    file:
    
    [current date] [notice] child pid xxxxx exit signal Segmentation Fault (11)
    
    This happens because the version of perl you've downloaded is most likely
    USELARGEFILES enabled, but Apache is not. Short of rebuilding perl, you
    can have mod_perl build Apache correctly. These are the steps:
    
    1) Copy the source of mod_securid into your Apache source tree:
    
           # cp /usr/local/src/mod_securid-1.5.2.1/mod_securid.c \
             /usr/local/src/apache-1.3.19/src/modules/extra
    
    2) Edit the /usr/local/src/apache-1.3.19/src/Configuration file and add
    this line to the bottom of the file:
    
           AddModule modules/extra/mod_securid.o
    
    3) Let mod_perl set the configuration and compile Apache for you (don't
    forget to set those ACE_INC and ACE_LIB variables):
    
           # cd /usr/local/src/mod_perl-1.5.2.1
           # perl Makefile.PL
           Configure mod_perl with ../apache_1.3.19/src ? [y] y
           Shall I build httpd in ../apache_1.3.19/src for you? [y] y
           [..]
           # make
           [..]
           # make install
    
    4) Then install Apache from your apache source tree:
    
           # cd /usr/local/src/apache-1.3.19
           # make install
    
    The above was tested using mod_perl-1.25 (http://perl.apache.org) on the
    system outlined above, but should work for some of the earlier versions
    as well. The perl binary used was the perl-5.6.0 distribution downloaded
    from http://www.sunfreeware.com.
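
An added example, not part of Gene Lee's message or of the mod_securid distribution: a shell audit of the ACE data directory from steps 5 and 6 above. It reports a missing sdconf.rec, a missing node secret file ("securid"), and a directory or node secret file that is still world-writable once the node secret has arrived. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# True when the "other" write bit is set in the ls -ld mode string.
world_writable() {
    case $(ls -ld "$1") in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per finding and returns the number of findings.
audit_var_ace() {
    dir=$1
    n=0
    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir does not exist"
        return 1
    fi
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "FINDING: $dir/sdconf.rec is missing"; n=$((n + 1))
    fi
    if [ ! -f "$dir/securid" ]; then
        echo "FINDING: node secret file $dir/securid is missing (not sent yet)"
        n=$((n + 1))
    else
        if world_writable "$dir"; then
            echo "FINDING: $dir is still world-writable after the node secret arrived"
            n=$((n + 1))
        fi
        if world_writable "$dir/securid"; then
            echo "FINDING: $dir/securid is world-writable"; n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed sample: a directory left in the state the setup step creates.
demo_dir=$(mktemp -d)
: > "$demo_dir/sdconf.rec"
: > "$demo_dir/securid"
chmod 644 "$demo_dir/securid"
chmod 777 "$demo_dir"
audit_var_ace "$demo_dir" || true
```

Run it as `audit_var_ace /var/ace`, or against the directory named in AuthSecurID_VarAce; a return value of 0 means no findings.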
    
      

Apache HTTP Server Version 1.3
