Satya's blog - 2009/07/

Jul 19 2009 11:13 Netscaler-based content-switcher with Shibboleth support

Notes on setting up a content-switching Citrix Netscaler with Shibboleth support. I use Netscaler 9, I think.

Assume two servers, S1 and S2, that I want to present as www.example.com. They have Shibboleth. I want SSL and non-SSL both.

           /----> s1-lb ---> s1-int ---> (server or server farm 1)
www-ext--->
           \----> s2-lb ---> s2-int ---> (server or server farm 2)

Set up Shibboleth Service Providers on both servers. The Host can be S1 and S2; it doesn't matter. Set the HandlerURL to /S1Shibboleth.sso or something similar, rather than /Shibboleth.sso, because some way to distinguish the two SPs is needed.

On the Netscaler device, set up S1 and S2 as servers/services with their real internal IP. Call these s1-int and s2-int. Type HTTP, port 80. Set up similar ones called s1-int-ssl and s2-int-ssl with type SSL, port 443.

add service s1-int 10.0.0.43 HTTP 80
add service s1-int-ssl 10.0.0.43 SSL 443
add service s2-int 10.0.0.44 HTTP 80
add service s2-int-ssl 10.0.0.44 SSL 443

Set up load balancers of type/port HTTP/80 and SSL/443, called s1-lb, s2-lb, s1-lb-ssl, s2-lb-ssl. Their IPs can be private 10-subnet IPs. The s1 IP is the same for both SSL and non-SSL, and the s2 IP is also the same for both (but different from s1's). Example: set s1-lb and s1-lb-ssl as 10.0.0.4, and set s2-lb and s2-lb-ssl as 10.0.0.5. Bind the services s1-int, s1-int-ssl etc. to the appropriate load balancers. You'll need SSL certificates to associate with each SSL one.

add lb vserver s1-lb HTTP 10.100.1.10 80
add lb vserver s1-lb-ssl SSL 10.100.1.10 443
add lb vserver s2-lb HTTP 10.100.1.11 80
add lb vserver s2-lb-ssl SSL 10.100.1.11 443
# bind services:
bind lb vserver s1-lb s1-int
bind lb vserver s1-lb-ssl s1-int-ssl
bind lb vserver s2-lb s2-int
bind lb vserver s2-lb-ssl s2-int-ssl

Set up content switching policies for your apps on s1 and s2. (See Netscaler manual.) Set up policies for the /S1Shibboleth.sso and /S2Shibboleth.sso as well!

add cs policy s1-shib -rule "REQ.HTTP.URL == /S1Shibboleth.sso || REQ.HTTP.URL == '/S1Shibboleth.sso/*'"

add cs policy s2-shib -rule "REQ.HTTP.URL == /S2Shibboleth.sso || REQ.HTTP.URL == '/S2Shibboleth.sso/*'"

Set up two content switchers: www-ext and www-ext-ssl (called www-cs and www-cs-ssl in the commands below). Add all the policies to each one, with the appropriate load balancers as the targets. That should do it. I don't think you need to set up Apache on the boxes any differently. Using S1 as the ServerName should be fine.

add cs vserver www-cs HTTP 10.0.0.90 80
add cs vserver www-cs-ssl SSL 10.0.0.90 443
# add policies:
bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
bind cs vserver www-cs s2-lb -policyName s2-shib
bind cs vserver www-cs-ssl s2-lb-ssl -policyName s2-shib

You'll need SSL certificates for the SSL vservers. See the Netscaler manual. If you've set up a certificate (www.crt) and key (www.key), you can scp the files to /nsconfig/ssl on the Netscaler and then add them like so:

add ssl certKey www-cert -cert www.crt -key www.key
bind ssl certKey s1-lb-ssl www-cert
bind ssl certKey www-cs-ssl www-cert
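The post says every SSL vserver needs a certificate, yet the listing above binds www-cert only to s1-lb-ssl and www-cs-ssl. This added consistency check (not part of the original post, and not a Citrix tool) parses the `add`/`bind` commands above exactly as written and reports SSL vservers with no certKey bound, plus any content-switch binding whose target lb vserver uses a different protocol than the cs vserver.

```python
# NetScaler CLI listing copied from the post above (services, lb/cs vservers, bindings).
CONFIG = """
add service s1-int 10.0.0.43 HTTP 80
add service s1-int-ssl 10.0.0.43 SSL 443
add service s2-int 10.0.0.44 HTTP 80
add service s2-int-ssl 10.0.0.44 SSL 443
add lb vserver s1-lb HTTP 10.100.1.10 80
add lb vserver s1-lb-ssl SSL 10.100.1.10 443
add lb vserver s2-lb HTTP 10.100.1.11 80
add lb vserver s2-lb-ssl SSL 10.100.1.11 443
bind lb vserver s1-lb s1-int
bind lb vserver s1-lb-ssl s1-int-ssl
bind lb vserver s2-lb s2-int
bind lb vserver s2-lb-ssl s2-int-ssl
add cs vserver www-cs HTTP 10.0.0.90 80
add cs vserver www-cs-ssl SSL 10.0.0.90 443
bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
bind cs vserver www-cs s2-lb -policyName s2-shib
bind cs vserver www-cs-ssl s2-lb-ssl -policyName s2-shib
add ssl certKey www-cert -cert www.crt -key www.key
bind ssl certKey s1-lb-ssl www-cert
bind ssl certKey www-cs-ssl www-cert
"""

def lint(config):
    """Return findings for the listing; an empty list means it is consistent."""
    proto = {}         # vserver name -> HTTP or SSL (lb and cs vservers alike)
    with_cert = set()  # vservers that have a certKey bound
    cs_bindings = []   # (cs vserver, target lb vserver)
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "add" and t[2] == "vserver":     # add lb|cs vserver <name> <proto> ...
            proto[t[3]] = t[4]
        elif t[:3] == ["bind", "cs", "vserver"]:    # bind cs vserver <cs> <lb> [-policyName ..]
            cs_bindings.append((t[3], t[4]))
        elif t[:3] == ["bind", "ssl", "certKey"]:   # bind ssl certKey <vserver> <certKey>
            with_cert.add(t[3])
    findings = []
    # The post's rule: every SSL vserver, lb or cs, needs a certificate bound to it.
    for name, p in sorted(proto.items()):
        if p == "SSL" and name not in with_cert:
            findings.append(f"{name}: SSL vserver has no certKey bound")
    # A content switch should hand traffic to an lb vserver of the same protocol.
    for cs, lb in cs_bindings:
        if proto.get(cs) != proto.get(lb):
            findings.append(f"{cs} -> {lb}: protocol mismatch")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(CONFIG)) or "no findings")
```

Run against the listing as posted it reports s2-lb-ssl as lacking a certificate; adding `bind ssl certKey s2-lb-ssl www-cert` clears it.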

Update Aug 22 2009: Summary:

add service s1-int 10.0.0.43 HTTP 80
add service s1-int-ssl 10.0.0.43 SSL 443

add lb vserver s1-lb HTTP 10.100.1.10 80
add lb vserver s1-lb-ssl SSL 10.100.1.10 443

add cs vserver www-cs HTTP 10.0.0.90 80
add cs vserver www-cs-ssl SSL 10.0.0.90 443

bind cs vserver www-cs s1-lb
bind cs vserver www-cs-ssl s1-lb-ssl

bind lb vserver s1-lb s1-int
bind lb vserver s1-lb-ssl s1-int-ssl

bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib

add ssl certKey www-cert -cert www.crt -key www.key
bind ssl certKey s1-lb-ssl www-cert
bind ssl certKey www-cs-ssl www-cert

Update Nov 17 2009: To add a root CA, copy the CA file (e.g. CA.pem) to /nsconfig/ssl and issue this command from the Netscaler command line:

link ssl certKey www-cert CA.pem

Last updated: Nov 17 2009 07:22

Tag: geeky

Jul 15 2009 10:45 Elaborate security is not better security

I've been trying to set up an online account to access a mutual fund brokerage.

The registration page asks for my social and account number, among a few other unimportant details. Strike zero point five.

Then they deliver the next set of instructions through a web-based "secure" system called zixmail. Third-party, strike one. And haven't they heard of PGP, GPG, and so forth?

Okay. The "email" contains instructions for first login, which do NOT tell me where to go. Anti-phishing, or just lame? Anyway, the web site has at least 3 different logins, each slightly different. I'm not even sure I'm using the right one (mutual funds, brokerage, or managed investment? Who knows.)

The login name involves my last name and social. The password involves my mother's name and my date of birth. Strike two. Naturally, I use slightly different names on each site. It doesn't work. I call to have it reset. It doesn't work. They reset again. It works.

At least that was the initial password. I'm asked to change it, and the new password must be between 8 and 12 characters and CANNOT contain special characters (strike 2.5). The instructions include "not contain any special characters. For example, AA-BB-CC". I didn't know what to make of that.

After passing that hurdle, it asked for four security questions. I could pick a question each, out of 4 different lists (one per security question). I happened to pick two questions that had the same answer. Bzzt. The rules say: 1. All four questions must be answered. 2. All four answers must be unique. 3. Answers must contain a minimum of 3 alphanumeric characters. 4. Answers must contain only alphanumeric characters and spaces. So I had violated rule 2. Sigh.

After getting through all that, they wanted me to set up a personalized security passphrase and an image from their image library. (The security phrase must be between 3-50 characters.) This is for anti-phishing purposes.

Now is all that stuff actually going to protect my account? Maybe. Better than just username+password, plus a one-time pad that they snail-mail to me? Heck, no. (The US Treasury does that one-time pad thing. It's cool, but then they fail with their random-order on-screen keyboard thing.)

Go go gadget Schneier. Debunk this!

Tag: rant security

Jul 06 2009 16:15 Rails and Sybase

I just spent 4 hours trying to get Ruby on Rails to talk to Sybase. This is Rails 2.1-ish on Ubuntu 9.04, installed from the debian system (not gems).

It wouldn't work.

No matter what.

I tried installing the sybase adapter:

    gem install activerecord-sybase-adapter -s http://gems.rubyonrails.org

Nope. And that's after freetds was already installed. It wasn't a freetds error -- it kept yelling about activerecord versions, just like odbc below.

I tried the odbc driver:

    gem install activerecord-odbc-adapter

It kept pulling in activerecord 2.3.2 (remember, I have 2.1.0 from Ubuntu's debs). And then borking on mismatched versions.

Note that those two gem commands work. The breakage happens when you try to actually access something, such as User.find(:first) from script/console:

    Gem::Exception: can't activate activerecord (>= 2.0.2, runtime), already activated activerecord-2.1.0

This is because those gems pull in a gem version of activerecord, which is 2.3.2. The apt-get version is 2.1.0. So I ripped out rails and installed it as a gem:

sudo apt-get remove rails
sudo gem install -V rails activerecord-odbc-adapter odbc-rails
# (takes a long time)
sudo apt-get autoremove
sudo apt-get install irb libdbd-odbc-ruby

(You'll need ruby-dev if you want to install a gem like 'mysql', which I do. What, you think Sybase is my database of choice? Hah! Oh wait, the mysql gem won't install. WTF? Oh, ok, I can apt-get install libdbd-mysql-ruby, and that gets me a find() on a mysql database. If that hadn't worked, I'd be yelling.)

I stuck this in ~/odbc and ran "odbcinst -i -s -d ~/odbc" (I have tdsodbc and unixodbc, dunno how much of that is required):

[d]
Description     = d server, name elided
Driver      = /usr/lib/odbc/libtdsodbc.so
Server=fqdn.example.com
Port=4100
TDS Version      = 5.0
[a]
Description     = a server, name elided
Driver      = /usr/lib/odbc/libtdsodbc.so
Server=fqdn2.example.com
Port=4100
TDS Version      = 5.0

Test with this command: isql -v d user pass, where d is the 'd' from the odbc file, and user and pass are the actual ones.

Oh, and you have to add /var/lib/gems/*/bin to your path. * is 1.8 in my case. And remove the symlinks from my vendor/ directory, and maybe regenerate a few files with "rails .", as I was doing this to an existing project.

Update: Formatting!

Update: Added the Gem::Exception error as google-bait.

Last updated: Jul 06 2009 16:44

Tag: geeky rant howto