Cosign installation: introduction to the IIS filter module


== Installation instructions for IIS 7 CosignModule ==

1) Configure SSL certificates and https.
 1.a) Install rewritemodule to redirect http traffic to https.
2) Modify permissions for ssl certs and private keys.
 2.a) Install any necessary certificate authority files.
3) Create cookie database directory.
4) Copy the cosignmodule files.
5) Modify applicationhost.config with cosign values.
 5.a) Turn off cosign protection for /cosign/valid
6) Enable the cosignmodule.
 6.a) 32-bit application pools.
7) Create the cosign validation handler.
 7.a) 32-bit validation handler.
8) Test a cosign-protected page.
() Turn cosign protection on and off, factors
() Getting more help.

(1) Configure SSL and https (1)
===================================================
Generate an SSL certificate and have it signed, if needed:
http://technet.microsoft.com/en-us/library/cc732906(WS.10).aspx

Before proceeding, be sure that your web site is accessible over https. By default, the CosignModule marks its
cookies as secure. This means if a user logs in and browses to an http part of your web site, it will appear
to the cosignmodule that the user is not logged in. Being sure this works correctly now, as well as any redirects
from http to https (see below), will save you headaches later.


(1.a) Install RewriteModule to redirect http traffic to https (1.a)
To ensure users are sent to the secure, cosign-protected portion of your web site, it may be necessary to
intercept http requests and redirect them to their https equivalent. The Microsoft Rewrite Module is
recommended.

It can be downloaded here:
http://www.iis.net/download/urlrewrite


(2) Modify Permissions for SSL Private Keys (2)
===================================================
The account or group the application pool runs as needs Full Control and Read permissions in the
following Registry key:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY 

By default, this account is IIS AppPool\DefaultAppPool in Windows 2008 R2. "Network Service" should
work for Windows 2008.

Give said account permission from within certificate manager.
 Start -> Run
 "mmc" (or mmc /64)
 ctrl + M
 Select Certificates
 Add ->
 select Computer Account
 select Local Computer
 Finish, Ok

 Select Certificates -> Personal -> Certificates
 Select the certificate that matches the one to use for cosign. Right-click -> All Tasks -> Manage Private Keys
 Give IIS_IUSRS "Full Control" and "Read" permissions.

(2.a) Install Any Necessary Certificate Authority Files (2.a)

Cosign needs a certificate authority file to verify the identity of the weblogin server it is talking to.

For example, the University of Michigan weblogin servers' certificates are signed by the UM Web Certificate authority.
To install the UMWebCA.pem certificate:
 Download the file: http://www.umich.edu/~umweb/umwebCA.pem
 Open Certificates from local machine (see above).
 Action | All tasks | Import ...
 Select the umwebca.pem file.


(3) Create a Directory for the Cookie Cache (3)
===================================================
Create a folder for the service cookie cache:
 md "C:\inetpub\temp\Cosign Cookie DB"

Permissions: IIS_IUSRS, full control


(4) Copy the CosignModule Files (4)
===================================================

copy /Y x64/CosignModule.dll C:\Windows\System32\inetsrv
copy /Y x86/CosignModule.dll C:\Windows\SysWOW64\inetsrv
copy /Y Cosign_Schema.xml C:\Windows\System32\inetsrv\config\schema


(5) Modify applicationhost.config with cosign values.
===================================================

In the applicationhost.config file, add the following options. The proxyCookies
line is commented out and can be ignored; add it (uncommented) only if your
weblogin servers are configured to provide your web site with proxy cookies.


 <configSections>
  ...
  <sectionGroup name="system.webServer">
   ...
   <section name="cosign" overrideModeDefault="Allow" />
   ...
  </sectionGroup>
 </configSections>

 ...

 <system.webServer>

   ...

   <cosign>
     <webloginServer name="weblogin.example.org" loginUrl="https://weblogin.example.org/?" port="6663"
                     postErrorRedirectUrl="https://weblogin.example.org/post_error.html" />
     <crypto certificateCommonName="http://www.example.org/" />
     <cookieDb directory="%systemDrive%\inetpub\temp\Cosign Cookie DB\" expireTime="120" />
     <!-- <proxyCookies directory="%SystemDrive%\inetpub\temp\Cosign Proxy DB" /> -->
     <validation validReference="https?://www\.example\.org(/.*)?"
                 errorRedirectUrl="http://weblogin.example.org/validation_error.html" />
     <cookies secure="true" httpOnly="true" />
     <service name="cosign-www.example.org" />
     <protected status="on" />
   </cosign>

   ...

 </system.webServer>


(5.a) Turn Off Cosign Protection for /cosign/valid (5.a)

For the validation handler (see below) to work correctly, cosign protection
needs to be turned off for the /cosign/valid location. This can be done by
adding the following XML to applicationHost.config:

<location path="Default Web Site/cosign/valid">
    <system.webServer>
     <cosign>
            <protected status="off" />
     </cosign>
    </system.webServer>
</location> 


(6) Enable the CosignModule. (6)
===================================================
Here are the command line options for adding and removing the cosign module.
If appcmd.exe is not in your %PATH%, you can find it in
%windir%\system32\inetsrv


appcmd delete module "Cosign" /app.name:"Default Web Site/"
appcmd uninstall module "Cosign"
appcmd install module /name:"Cosign" /image:"CosignModule.dll" /add:"false"
appcmd add module /name:"Cosign" /app.name:"Default Web Site/"

The module can also be added and removed from the IIS Manager interface.

(6.a) 32-bit Application Pools (6.a)
If you have 32-bit applications enabled and want to use cosign with these sites
you will need to add the 32-bit module as well.


appcmd install module /name:"Cosign-x86" /image:"%windir%\SysWOW64\inetsrv\CosignModule.dll" /add:"false" /precondition="bitness32"
appcmd add module /name:"Cosign-x86" /app.name:"32-bit legacy app"


(7) Create the Cosign Validation Handler.
===================================================

This can be done from within the IIS Manager under "Sites", "[name of your web site]", Handler Mappings, then select
"Add Module Mapping...", and specify the following items:


RequestPath:
/cosign/valid*

Module:
Cosign

Name:
Cosign Validation


The validation handler can also be added with the following command:
appcmd set config "Default Web Site" /section:handlers /+[name='Cosign-Validation',path='/cosign/valid*',verb='*',modules='Cosign']

(7.a) 32-bit Validation Handler (7.a)
Same as above, but be sure to specify the 32-bit CosignModule and set the
precondition to bitness32.

appcmd set config "32-bit legacy app" /section:handlers /+[name='Cosign-Validation',path='/cosign/valid*',verb='*',modules='Cosign-x86',precondition='bitness32']



(8) Test a cosign-protected page.
===================================================

Load up your favorite, modern web browser and navigate to a cosign-protected
page on your web site. If everything went smoothly, you should be redirected
to your weblogin server and back to your cosign-protected web site.

Also see the included example scripts to get an idea of how to access the
cosign server variables.


() Turn cosign protection on and off, factors ()
===================================================

Each directory can also have a web.config file that overrides inherited configuration options:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
       <cosign>
            <protected status="off" />
        </cosign>
    </system.webServer>
</configuration>


If your server needs to configure specific authentication factors, you'll need
to add some items to the <service> tag.

<service name="cosign-www.example.org">
 <add factor="rsatoken" />
</service>

If you need to enable the optional ignore suffix, it will look like this:

<service name="cosign-www.example.org">
 <add factor="rsatoken" />
 <add ignoreSuffix="-magic" />
</service>

Note that all of the "factor" items must be satisfied, while the "ignoreSuffix" is
matched against any factor. For example, this configuration...

<service name="cosign-www.example.org">
 <add factor="rsatoken" />
 <add factor="kerberos" />
 <add ignoreSuffix="-magic" />
</service>

... will match the following factor combinations:
rsatoken kerberos
rsatoken-magic kerberos-magic
rsatoken-magic kerberos
rsatoken kerberos-magic
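The matching rule above, as an added example that is not code from the CosignModule project: it models the AND semantics of the "factor" items and the way "ignoreSuffix" is applied to any factor, and checks the four combinations the page lists plus some that must fail. It assumes (my assumption, not stated on the page) that the satisfied factors arrive as a whitespace-separated list.

```python
from typing import Iterable, Optional

# Added example; the real CosignModule logic is in the DLL, not reproduced here.


def strip_suffix(factor: str, ignore_suffix: Optional[str]) -> str:
    """Return the factor name with the optional ignoreSuffix removed."""
    if ignore_suffix and factor.endswith(ignore_suffix):
        return factor[: -len(ignore_suffix)]
    return factor


def factors_satisfied(required: Iterable[str], presented: str,
                      ignore_suffix: Optional[str] = None) -> bool:
    """True when every required <add factor="..."/> is present.

    All required factors must be matched (AND semantics). Each presented
    factor is compared after the ignoreSuffix, if configured, is stripped,
    so "rsatoken-magic" satisfies a required "rsatoken" when the suffix is
    "-magic". Assumption: presented factors are whitespace separated.
    """
    presented_set = {strip_suffix(f, ignore_suffix) for f in presented.split()}
    return all(f in presented_set for f in required)


# Configuration from the page: two required factors plus the "-magic" suffix.
REQUIRED = ["rsatoken", "kerberos"]
SUFFIX = "-magic"

# The four combinations the page lists as matching.
MATCHING = [
    "rsatoken kerberos",
    "rsatoken-magic kerberos-magic",
    "rsatoken-magic kerberos",
    "rsatoken kerberos-magic",
]

if __name__ == "__main__":
    for combo in MATCHING:
        print(f"{combo!r}: {factors_satisfied(REQUIRED, combo, SUFFIX)}")
    # A single factor, or a suffix that is not the configured one, must fail.
    print(factors_satisfied(REQUIRED, "rsatoken", SUFFIX))
    print(factors_satisfied(REQUIRED, "rsatoken-other kerberos", SUFFIX))
```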


NOTE: Running an application pool in "classic mode" may result in the server variables not being available to ASP scripts.  There is a compatibilityMode
option to correct this.  You can add it to the <cosign> section of your config file.

<cosign>
...
    <compatibilityMode mode="true" />
</cosign>


() Getting More Help ()
===================================================
http://weblogin.org/
http://webapps.itcs.umich.edu/cosign/index.php/Troubleshooting

Please join the discussion list before sending e-mail:
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
cosign-discuss@lists.sourceforge.net

To receive announcements, please join:
https://lists.sourceforge.net/lists/listinfo/cosign-announce
cosign-announce@lists.sourceforge.net

 

posted on 2011-12-28 04:01 by s3