Reviewed June 2010. This information is mostly up to date, but needs to be refactored as part of a comprehensive update to weblogin documentation.
Reviewed November 2012. Updated references on use of UW CA certificates and the Pubcookie keyserver trust policy.
This page provides guidelines for installing the Pubcookie Apache module and IIS ISAPI filter for use at the University of Washington. These guidelines supplement the detailed installation guides available on pubcookie.org.
Registration, Installation, and Configuration
Follow these registration, installation and configuration steps for each new participating server name:
1. Visit the Weblogin Server Registration service to register a new server name. To do so you must be a recognized owner of the name in UW DNS.
Important: The registered server name should match the name in your website's URL address and SSL certificate (Common Name field).
Once your server name has been successfully registered it will be authorized to obtain an encryption key from the UW Pubcookie keyserver.
2. Download the current stable release of the Pubcookie Apache module or ISAPI filter from the downloads page.
Tip: UW web server administrators new to Pubcookie should review these tips first and then consult the detailed installation guides on pubcookie.org.
On Windows, the installer's Site Information screen collects your server name and the configuration settings specific to the UW environment:
Substitute your registered server name into the Application Server DNS Name field. The name should match your website's URL address and SSL certificate (Common Name field).
Note: The installer uses your server name to find a matching certificate in the Windows certificate store. The installer then uses this certificate to obtain an encryption key from the UW Pubcookie keyserver. To succeed, the certificate must conform to the UW Pubcookie keyserver trust policy, which accepts only certificates issued by InCommon, Thawte and the UW Services CA.
Note: If you are installing Pubcookie for the first time for your server name, select "Obtain new key" as the Keyclient Behavior. If you are installing Pubcookie for a server name that already has a key and is running in production, select "Retrieve old key" so as not to generate a new key and cause problems with current user sessions.
Note: Your system clock must be synchronized with the correct date and time in order to use Pubcookie successfully. On Windows 2003, use the w32tm command to check your clock against time.u.washington.edu:
Use the net command to synchronize your clock with time.u.washington.edu:
Also check and confirm your domain controllers have the correct time. Incorrect time on your domain controllers can also lead to problems with Pubcookie.
On Unix, your keyclient configuration will look something like this:
ssl_cert_file must conform to the UW Pubcookie keyserver trust policy (below) which allows use of certificates issued by InCommon, Thawte and the UW Services CA.
Note: The UW Pubcookie keyserver identifies itself with an SSL certificate signed by InCommon, so your ssl_ca_file (or ssl_ca_path) must include InCommon as a trusted CA. The CA cert bundle file that comes with OpenSSL contains the InCommon root certificate(s).
On Unix, your Apache configuration will include something like this:
Note: Local convention is to use SecurID as the first and third PubcookieAuthTypeNames values, respectively, corresponding with the UW "weblogin" service's two flavors of login: a basic single sign-on (SSO) flavor requiring UW NetID and password, and a non-SSO flavor requiring UW NetID, password, and SecurID.
Note: The UW "weblogin" service supports all the encryption methods defined by the optional PubcookieEncryption directive. It has been left out of the example above in favor of the default value (AES).
With the configuration tips above and careful attention to the installation guides on pubcookie.org you should be up and running in no time.
SSL Certificate Policies
The Pubcookie security model relies on SSL for message confidentiality between the Web browser and the server, and for server authentication between the Pubcookie keyclient and keyserver. SSL certificates should be signed according to the following policies.
Website SSL Certificate Policy
When enabling browsers to connect to your server using SSL (https), use an SSL certificate signed by a well-known public CA such as the InCommon CA (see UW Certificate Services). The concern here is end-user usability, trust, and support costs.
Pubcookie Keyserver Trust Policy: Approved Certificate Authorities
When requesting a symmetric encryption key from the UW Pubcookie keyserver, use an SSL certificate signed by InCommon, Thawte or the UW Services CA. Those are the only trusted CAs. Trust is the primary concern for TLS client authentication to the keyserver. Just because some other CA has good browser coverage doesn't mean it has transparent and rigorous proof-of-ownership processes for issuing certificates. We have to be conservative about trusting new CAs. That said, please let us know if we should consider approving another CA for use with the UW Pubcookie keyserver.
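As an added example (not from this page or from Pubcookie itself), the following POSIX shell pre-flight check applies the two certificate rules stated above to the keyclient's ssl_cert_file before the first key request: the certificate Common Name must equal the registered server name, and the issuer must be one of the approved CAs. The issuer substring patterns and the openssl invocation are assumptions; the exact CA subject strings are not given on the page.

```shell
#!/bin/sh
# Pre-flight check for a Pubcookie keyclient certificate (added example).
# Rule 1: the certificate CN must equal the registered server name.
# Rule 2: the issuer must be InCommon, Thawte, or the UW Services CA
#         (the UW Pubcookie keyserver trust policy).
# The issuer patterns below are assumptions for illustration only.

# cn_matches SUBJECT_LINE SERVER_NAME
# Returns 0 when the CN in SUBJECT_LINE equals SERVER_NAME.
# Handles both "subject=CN = host, O = x" and "subject= /O=x/CN=host" output.
cn_matches() {
    cn=$(printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$2" ]
}

# issuer_approved ISSUER_LINE
# Returns 0 when the issuer string names one of the approved CAs.
issuer_approved() {
    case "$1" in
        *InCommon*|*Thawte*|*"UW Services CA"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_keyclient_cert CERT_FILE SERVER_NAME
# Prints one line per rule; returns 0 only if both rules pass,
# 2 if the certificate cannot be read.
check_keyclient_cert() {
    subject=$(openssl x509 -noout -subject -in "$1") || return 2
    issuer=$(openssl x509 -noout -issuer -in "$1") || return 2
    rc=0
    if cn_matches "$subject" "$2"; then
        echo "OK   CN matches registered server name $2"
    else
        echo "FAIL CN does not match $2: $subject"; rc=1
    fi
    if issuer_approved "$issuer"; then
        echo "OK   issuer accepted by keyserver trust policy: $issuer"
    else
        echo "FAIL issuer is not InCommon/Thawte/UW Services CA: $issuer"; rc=1
    fi
    return $rc
}

# Usage: check_keyclient_cert /path/to/ssl_cert_file.pem www.example.washington.edu
```

A non-zero exit from check_keyclient_cert means the keyserver would reject the key request under the trust policy or the name would not match the registration, so fix the certificate before running keyclient.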
Support & Announcements
Questions, comments, and inquiries about the UW NetID "weblogin" service or use of Pubcookie at the University of Washington may be sent to email@example.com.
The UW uwash-pubcookie-announce list provides occasional news and updates to UW computing staff about the use of Pubcookie at the UW, including significant changes to Pubcookie modules, the central UW NetID "weblogin" service, documentation, policies, and support.
General questions that may concern Pubcookie users at other institutions can be posted to the pubcookie-users email list where the replies have a chance of benefiting others.