With censhare 4.5 a new authentication method is released. For logon of system users (server to server login) a private/public key process with a signed token is offered as an alternative to the password authentication.

2391129.jpg



Note: Only RSA as key algorithm is supported.

Public Key naming

The keys are managed via

For more information, see this java's keytool

and follow a naming convention: @_ _ is optional.


The following client types are valid:

 javaclient javaadmin javarender webclient webtunnel service-client online-channel remote-server shelladmin client

Example

master server CSS_ID = master remote server CSS_ID = remote

RemoteServer

Prepare everything on the master server and sync to the remote server.

  • Create a keypair for the authentication

    keytool -genkeypair -alias system@remote-server -keyalg RSA -keysize 2048 \-keystore ~/cscs/app/config/keystore -storepass corpus \-validity 36500 -dname "CN=system, OU=Remote-Server, O=censhare AG, L=MUC, S=BY, C=DE"

  • Sync to remote server

    rsync -axz --delete ~/cscs/app/config/ corpus@remote-server:cscs/app/config

  • Restart censhare-Server on each host

    censhare.rc restart

WebClient

  • Create a new key

     keytool -genkeypair -alias web-default@webclient -keyalg RSA -keysize 2048 \ -keystore ~/cscw/keystore -storepass corpus \ -validity 36500 -dname "CN=system, OU=Remote-Server, O=censhare AG, L=MUC, S=BY, C=DE"

  • Export of the public key from the keystore

     keytool -exportcert -alias web-default@webclient \ -keystore ~/cscw/keystore -storepass corpus \ -file ~/cscw/web-default_webclient.cert

  • Import the public key

     keytool -importcert -alias web-default@webclient \ -keystore ~/cscs/app/config/keystore -storepass corpus \ -file ~/cscw/web-default_webclient.cert

  • Build and deploy new WebClient

    ~/csw/bin/build.sh custom.signjar.war #build signed war ~/csw/bin/build.sh custom.war #build unsigned war cp -p ~/csw/release/censhare-WebClient.war ~/jetty/webapps/ROOT.war

  • Restart jetty

    css_jetty.rc restart

Download-Tunnel

  • Create a new key

     keytool -genkeypair -alias web-default@webtunnel -keyalg RSA -keysize 2048 \ -keystore ~/cscw/keystore -storepass corpus \ -validity 36500 -dname "CN=system, OU=Remote-Server, O=censhare AG, L=MUC, S=BY, C=DE"

  • Export the public key from the keystore

     keytool -exportcert -alias web-default@webtunnel \ -keystore ~/cscw/keystore -storepass corpus \ -file ~/cscw/web-default_webtunnel.cert

  • Import the public key

     keytool -importcert -alias web-default@webtunnel \ -keystore ~/cscs/app/config/keystore -storepass corpus \ -file ~/cscw/web-default_webtunnel.cert

  • Build and deploy new Download-Tunnel

    ~/csw/bin/build.sh downloadtunnel.war cp -p ~/csw/release/downloadtunnel.war ~/jetty/webapps/downloadtunnel.war

  • Restart jetty

    css_jetty.rc restart