
Saturday, 15 May 2010

Securing mediawiki

This post describes how to configure MediaWiki to:
- use HTTPS with mutual (client-certificate) authentication;
- use single sign-on based on client certificates.

First, enable mod_ssl in Apache:

a2enmod ssl

Then add the following directives to the Apache configuration file httpd.conf:
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLCACertificateFile /etc/apache2/ssl/ca.crt

SSLCARevocationFile /etc/apache2/ssl/crl.pem

SSLVerifyClient require
SSLVerifyDepth 1

<Location />
SSLRequire (%{SSL_CLIENT_S_DN_OU} eq "infosec" )
</Location>

Then disable the plain-HTTP site in Apache:

a2dissite default

and in ports.conf comment out or delete the two lines that make Apache listen on port 80:

#NameVirtualHost *:80
#Listen 80


After this, restart Apache:

apache2ctl graceful

To configure SSL authentication in MediaWiki, using the certificate CN as the username, add the following to your Apache config:

<Directory "/var/lib/mediawiki/">
Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber=$/
</Directory>

Then take SSLAuthPlugin.php from the guide at http://www.mediawiki.org/wiki/Extension:SSL_authentication (pick the version matching your MediaWiki release) and add the following lines to LocalSettings.php:

#Load SSLAuthPlugin
require_once('extensions/SSLAuthPlugin.php');

#Feel free to use extra PHP code to munge the variables if you'd like
#Additionally if you wish to only map some of the name data, set this to true
#and either blank ssl_RN and ssl_email or comment them out entirely.
$ssl_map_info = false;

#Ssssh.... quiet down errors
#$olderror = error_reporting(E_ALL ^ E_NOTICE);

#Map Real Name from certificate
#Can be DN but is it right?
$ssl_RN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#MW username is required to map to something
#You should beware of possible namespace collisions, it is best to chose
#something that will not violate MW's usual restrictions on characters

#Just using Firstname + Lastname (CN) from Certificate 'will' make collisions... but what to use?
#UN could be md5-hash of DN, but its ugly to use...

$ssl_UN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#Map e-mail to something close?
#Will throw warnings if E-Mail is not set in certificate.
#If so, comment out the next three lines and set $ssl_email empty.
#!empty() avoids an undefined-index notice when the certificate carries no e-mail.
if (!empty($_SERVER['SSL_CLIENT_S_DN_Email']))
    $ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
else
    $ssl_email = '';

#Turn error reporting back on
#error_reporting($olderror);

#Activate SSL Plugin
SSLAuthSetup();
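The comments above leave open how to turn the certificate CN into a MediaWiki username without collisions or forbidden characters. The following is an added example (not code from the SSL_authentication extension or from this post) of one way to do that: it assumes the mod_ssl variables SSL_CLIENT_S_DN_CN and SSL_CLIENT_S_DN are present (they are, once SSLVerifyClient require is in effect) and that the full subject DN is unique per issued identity; the helper name sslCertToWikiUser is mine. Place it in LocalSettings.php before SSLAuthSetup(), without the opening <?php tag.

```php
<?php
// Added example: derive a MediaWiki-safe username from the client
// certificate instead of using the raw CN as $ssl_UN.

/**
 * $cn - SSL_CLIENT_S_DN_CN (subject common name, e.g. "John Smith")
 * $dn - SSL_CLIENT_S_DN    (full subject DN, assumed unique per identity)
 */
function sslCertToWikiUser( $cn, $dn ) {
    // MediaWiki user names follow title rules: these characters are not
    // allowed, and control characters would be rejected too.
    $name = preg_replace( '/[#<>\[\]|{}\x00-\x1f\x7f]/', ' ', $cn );
    // Underscores and whitespace runs are normalised to a single space.
    $name = trim( preg_replace( '/[\s_]+/', ' ', $name ) );
    // MediaWiki capitalises the first letter of a user name; do it here
    // so the name we log matches the account that gets created
    // (ucfirst is byte-based, fine for ASCII first letters).
    $name = ucfirst( $name );

    // A short, stable tag from the full DN keeps two certificates with the
    // same CN (two "John Smith" certificates) on separate accounts. This
    // is the trade-off the comments above mention: uniqueness vs. a
    // purely human-readable name; a 6-hex-digit tag is a middle ground.
    $tag = substr( sha1( $dn ), 0, 6 );

    // A certificate without a usable CN still needs a deterministic name.
    if ( $name === '' ) {
        return 'Cert ' . $tag;
    }
    return $name . ' (' . $tag . ')';
}

// Constructed sample values, only so the file runs stand-alone.
$cn = isset( $_SERVER['SSL_CLIENT_S_DN_CN'] )
    ? $_SERVER['SSL_CLIENT_S_DN_CN'] : 'john smith';
$dn = isset( $_SERVER['SSL_CLIENT_S_DN'] )
    ? $_SERVER['SSL_CLIENT_S_DN'] : '/O=Example/OU=infosec/CN=john smith/serialNumber=1';

$ssl_UN = sslCertToWikiUser( $cn, $dn );
// With the sample values this yields "John smith (<6 hex chars>)".
echo $ssl_UN, "\n";
```

Because the tag is derived from the DN and not from the certificate serial, re-issuing a certificate for the same subject keeps the same wiki account; revoking it via the CRL configured above is what actually cuts off access.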