CS526 S2012 Homework #3

Goal:

Learn how to clone a virtual machine using VMware vCenter web-based interface.
Learn how to create a server certifcate request and a personal certificate request.
Learn how to set up apache with signed server certificate and configure it with certificate-based mutual authentication
Learn how to set up a browser with signed personal certificate for certificate-based mutual authentication
Learn how to create password protected web directories and analyze the .htaccess control.

Assignment Date: 2/22/2012
Due Day: 2/29/2012 (revised)
Related documents:

VMware vSphere Basics.
http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
Web Access Authentication (cs526 as username; same password for vm)

Description:

Logistics:

A set of five IP addresses and related domain names were created for you to work on hw3 and hw4.

Name	rs1	rs2	rs3	vip	dip
Ahmad, Adil Mohammed	128.198.50.136	128.198.50.137	128.198.50.138	128.198.50.139	128.198.50.140
Ahmed, Mohammed	128.198.50.141	128.198.50.142	128.198.50.143	128.198.50.144	128.198.50.145
Altarouti, Feras Ali	128.198.50.146	128.198.50.147	128.198.50.148	128.198.50.149	128.198.50.150
Albahdal, Abdullah Abdulaziz	128.198.50.151	128.198.50.152	128.198.50.153	128.198.50.154	128.198.50.155
Alcorn, Joshua	128.198.50.156	128.198.50.157	128.198.50.158	128.198.50.159	128.198.50.160
Alharthi, Ahmed	128.198.50.161	128.198.50.162	128.198.50.163	128.198.50.164	128.198.50.165
Alkaoud, Hessah Hassan	128.198.50.166	128.198.50.167	128.198.50.168	128.198.50.169	128.198.50.170
Almutawa, Ammar Hussain	128.198.50.171	128.198.50.172	128.198.50.173	128.198.50.174	128.198.50.175
Alsaadi, Fawaz Eid	128.198.50.176	128.198.50.177	128.198.50.178	128.198.50.179	128.198.50.180
Alsahafi, Abdulrhman I	128.198.50.181	128.198.50.182	128.198.50.183	128.198.50.184	128.198.50.185
Alsolami, Fahad Jazi	128.198.50.186	128.198.50.187	128.198.50.188	128.198.50.189	128.198.50.190
Alzahrani, Hamdan	128.198.50.195	128.198.50.196	128.198.50.197	128.198.50.198	128.198.50.199
Alzahrani, Omar J	128.198.50.200	128.198.50.201	128.198.50.202	128.198.50.203	128.198.50.204
Anvesh, Raavi	128.198.50.205	128.198.50.206	128.198.50.207	128.198.50.208	128.198.50.209
Ayodele, Anthony Ojo	128.198.50.210	128.198.50.211	128.198.50.212	128.198.50.213	128.198.50.214
Best, Adam	128.198.50.215	128.198.50.216	128.198.50.217	128.198.50.218	128.198.50.219
Brachfeld, Lawrence Jay	128.198.50.220	128.198.50.221	128.198.50.222	128.198.50.223	128.198.50.224
Cheng, Dazhao	128.198.50.225	128.198.50.226	128.198.50.227	128.198.50.228	128.198.50.229
Gilbert, Sampson	128.198.50.230	128.198.50.231	128.198.50.232	128.198.50.233	128.198.50.234
Hanson, Cody Lawrence	128.198.50.235	128.198.50.236	128.198.50.237	128.198.50.238	128.198.50.239
Hofflander, Brian James	128.198.50.240	128.198.50.241	128.198.50.242	128.198.50.243	128.198.50.244
Kateb, Faris A	128.198.50.245	128.198.50.246	128.198.50.247	128.198.50.248	128.198.50.249
Kretschmer, William C	128.198.50.250	128.198.50.251	128.198.50.252	128.198.50.253	128.198.50.254
Lykins, Rodney D	128.198.49.67	128.198.49.68	128.198.49.69	128.198.49.70	128.198.49.71
Nash, Berck Erin	128.198.49.72	128.198.49.73	128.198.49.74	128.198.49.75	128.198.49.76
Nesterenko, Matthew Alexander	128.198.49.77	128.198.49.78	128.198.49.79	128.198.49.80	128.198.49.81
Odell, Craig James	128.198.49.82	128.198.49.83	128.198.49.84	128.198.49.85	128.198.49.86
Omar, El Shibani	128.198.49.87	128.198.49.88	128.198.49.89	128.198.49.90	128.198.49.91
Rajagopal, Suresh	128.198.49.92	128.198.49.93	128.198.49.94	128.198.49.95	128.198.49.96
Ravikumar, Roshnee	128.198.49.97	128.198.49.98	128.198.49.99	128.198.49.100	128.198.49.101
Tedla, Suneetha	128.198.49.102	128.198.49.103	128.198.49.104	128.198.49.105	128.198.49.106
Zhao, Rui	128.198.49.107	128.198.49.108	128.198.49.109	128.198.49.110	128.198.49.111

See the related csnet Domain DNS entries, created using

createClassIPAssignmentCS526.pl

and addhost.ps1
The five domain names are <yourLoginname>[rs1, rs2, rs3, vip, dip]. csnet.uccs.edu. For example, the IP address for Adam Best's vip server is 128.198.50.218 and its domain name is abestvip.csnet.uccs.edu. You can verify that but typing "nslookup abestvip.csnet.uccs.edu"
```
[root@gandalf named]# nslookup abestvip.csnet.uccs.edu
Server:         128.198.1.250
Address:        128.198.1.250#53

Non-authoritative answer:
Name:   abestvip.csnet.uccs.edu
Address: 128.198.50.218
```
For hw3, we will use the IP address and domain name of your vip sever to configure the virtual machine for the secure web access exercises.

Note that we are using three different subnets:

Network	Vlan	Description	Gateway	Host Start	Host End	Broadcast	NETMASK
128.198.50.128/26	Vlan 507	Class1	.50.129	.50.131	.50.190	.50.191	255.255.255.192
128.198.50.192/26	Vlan 508	Class2	.50.193	.50.195	.50.254	.50.255	255.255.255.192
128.198.49.64/26	Vlan 492	Class 3	.49.65	.49.67	.49.126	.49.127	255.255.255.192

Therefore for Adam Best, his vip server with 128.198.50.218 IP address is in the 2nd subnet with the network address 128.198.50.192/26, he needs to configure his server with 128.198.50.193 gateway address and 255.255.255.192 netmask and for all his virtual machines, he should select "VM Network -VLAN 508 Class 2" to connect to the network adapter.
subnet vlan gw netmask

Part 1. Create a folder and clone/configure a FC16 virtual machine.

login to https://eas-vcenter.uccs.edu:9443/vsphere-client with your ufp account/password (not the one with walrus)
Right click on CS526_fc16 and choose Inventory | Clone
Specify vm as <login>vip_fc16.
Select CS5260 as resource pool to run this vm.
Select CS5260 as datastore for saving the configuration files and virtual disks.
Click finish. Oberve the status of vm creation process on the upper right corner.
Edit VM Settings. We need to connect the Network Adapter of the vm to the designated VLAN or subnet shown in the table above.
Click the pull down menu associated with the network adapter and choose your designated VLAN or subnet.
Power on the vm by right click on the machine and choose Power | Power On.
Open Console Window.
Login to your fc16 machine using csnet account and same password for all our virtual machines, to be announced in class.
Open a shell window by selecting Applications | System Tools | Terminal
"su -" to switch to the root user for setting the network interface and secure web access configurations. Same password as csnet
Note that you need use your designated vip IP address and the gateway address.
Please suspend the virtual machine when you are not using it. Just like put it in standy. It can resume pretty quick. It will free the main memory and CPU for others using the same vSphere host. Right click on the vm, then select Power | Suspend.

Part 2. Setup FC16 virtual machine for Secure Web Access

Follow that in http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
Create a server certificate request and a personal certificate requests. Email me and ask for signing these certificates.
- Name the server certificate request as <login>vipReq.pem and name your personal certificate request as <login>Req.pem
Once received the signed certificates, install them the server and a browser for testing.
Copy caCert.pem file in https://128.198.161.163/cert/ to /etc/httpd/conf/ssl.crt as ca.crt. You need this file when set up mutual authentication.
Download and import cs526Client.p12 file from https://128.198.161.163/cert/ to your browser. Set up your secure web server to accept your own certificate but not that with cs526.
Capture the certificate presented by your secure web server as .png file and save in your walrus cs526 personal web site under image sub directory. Reference it in your hw3.html.
Capture the brower pop up window when prompt for selecting the right certificate.
Capture the secure site image. As above, save them in your walrus cs526 image directory.
Copy the /var/log/httpd/access_log to your cs526 web site and reference them in your hw3. Show the lines where your certificate got accepted and cs526 get rejected.
Please suspend the virtual machine when you are not using it. Just like put it in standy. It can resume pretty quick. It will free the main memory and CPU for others using the same vSphere host. Right click on the vm, then select Power | Suspend.

Part 3. Create Password Protected Web Directory and Explore Apache .htaccess access control

Exercise A:

Create a confidential directory under /var/www/html. Under confidential directory create a secret subdirectory. Under secret directory create a topsecret directory.
Use htpasswd to create a password file called apacheticket in /var/www/ directory with three users: ceo, manager, staff, and paswords as #ceo, #man, and #sta.
In each of these three directories create a fyi.html which contain the name of the directory it is located. For example, the fyi.html in secret directory will have <h1>This is fyi in secret directory</h1>.
Create .htaccess file with basic authentication, realm or authentication name as "cs526realm", and apacheticket as password file like the one below in each of the three directories. Note that we would like to restrict the access to the confidential directory by only allowing ceo, manager, staff to access. Restrict secret directory access to just ceo and manager. Restrict topsecret directory to just ceo.

AuthType Basic
AuthName cs526realm
AuthUserFile /var/www/apacheticket
require ceo, manager, staff
From a brower, verify indeed that only proper users with the passwords can access the directory. We will use the access_log to prove that you have configured the .htaccess correctly. Please copy the /var/log/httpd/access_log file of your virtual machine to your cs526 directory on walrus and provide a link from hw3.html.

Exercise B:

In Unix file system, if the top directory is blocked from the access of a user, the user can not peak any file/directory below that. We wonder if that is the case in terms of the .htaccess access mechanism.
One discussion we have in class is what kind of the secure access control, apache implements. Here are two of the many possibilities:
1. Apache actually checks every top directory that contains the .htaccess file and try to restrict the deeper directory based on the top level .htaccess.
2. Apache only checks the .htaccess file of the current directory which the user is trying to access and does not care those .htaccess files in the top directories.
Please design and carry out a test to verify which of the above two are implemented by Apache.
Document your observation and analysis as Question 3.
Please suspend the virtual machine when you are not using it. Just like put it in standy. It can resume pretty quick. It will free the main memory and CPU for others using the same vSphere host. Right click on the vm, then select Power | Suspend.

Questions.

Using virtual machines in the context of hw3 has the following advantages/disadvantages:
1. Students has root privileges to configure the server certificate.
2. The web server can be configured to run on ports 80 and 443, which you cannot do on walrus with a normal user account.
3. Require a large collection dedicated IP addresses for vms and creating related DNS entries.
4. A student can install additional modules or services without interfering other students.
5. The virtual machines can be allocated to run on one of the seven vSphere host based on the load status and certain policy set by the system admin.
6. The virtual machines still share the computation and storage resources with others using the same hosts/networks.
7. It allows user to configure/install OS remotely which cannot be easy done on a real machine in the lab.
  
  Add two advantages and disadvantages to the above list.
Public Key Infrastructure (PKI) and secure web access.
1. What are its advantages compared with login/password based authentication? Name two and discuss briefly.
2. For PKI to work, what specific data or software modules we need to trust. List three of them from most critical to less critical and indicate who provides the data or software.
3. Why the private key of the web serve need to be decrypted? How it can be protected if the system has other "potential malicious" local users.
4. What are contained in a .p12 file for hw3 exercise?
5. Why the mutual authentication directives which govern the access of /var/www/html/secure cannot be inside /etc/httpd/conf.d/ssl.conf and have to be in /etc/httpd/conf/httpd.conf?
6. Not all personal certificates signed by CAcsnet can access your secure web site. For example the one in cs526.p12 cannot. How do you control that?
7. Briefly describe how to find out a certificate is revoked. For large organizations such as DoD, how can they detect the certificates presented are still legimate? Name one protocol and describe concisely its technique.
Htaccess.
1. Based on part 3 exercise B, describe your observation and analysis on how apache implements the .htaccess mechanism. Is it following Unix file access model?
2. What is the purpose of using DBM for authenticating user password?

Create a homework web page hw3.html in your cs526 personal web page directory. Email the url and anawers of the above questions to cchow@uccs.edu and aalmuray@uccs.edu with subject field "CS526 hw3".

Homework #3. Setup Virtual Machine using vCenter and Configure Apache for Certificate-based Mutual Authentication