Difference between revisions of "Panel authentication"
(→Setting up client-side SSL certificate) |
(→Setting up client-side SSL certificate) |
||
Line 14: | Line 14: | ||
== Setting up client-side SSL certificate == | == Setting up client-side SSL certificate == | ||
− | Once your certificate is set up, you will be able to login via https://dynamic.lunanode.com/secure/. | + | Once your certificate is set up, you will be able to login via https://dynamic.lunanode.com/secure/ (or select "Authenticate with client-side certificate" on login screen). |
− | === Linux === | + | You have two options when setting up a certificate: using your modern browser (won't work with Internet Explorer; Firefox/Chrome both work fine) via the keygen tag, or manually generating and submitting a CSR. The first way is much easier, it should only take you sixty seconds! |
+ | |||
+ | === Generate certificate via browser === | ||
+ | |||
+ | Make sure you are using Firefox or Chrome, or a similar non-IE modern browser that supports the keygen tag. | ||
+ | |||
+ | Head to the [https://dynamic.lunanode.com/panel/account.php?tab=account_auth_csc Account tab] and select Client-side certificates tab. Under "Add certificate via browser", configure any certificate key options that your browser provides, enter a number of days to sign for (between 5 and 730 days), and hit the generate option. Your browser should display a brief dialog about generating a keypair, and then after a bit more time you'll be prompted to add the certificate to your browser. | ||
+ | |||
+ | Once added, you can login via https://dynamic.lunanode.com/secure/. | ||
+ | |||
+ | === Manually generate a CSR === | ||
+ | |||
+ | If you decided you want to manually generate a CSR, follow the instructions below. | ||
+ | |||
+ | ==== Linux ==== | ||
You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on [https://gist.github.com/mtigas/952344 a gist by mtigas found on Github]. | You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on [https://gist.github.com/mtigas/952344 a gist by mtigas found on Github]. | ||
Line 32: | Line 46: | ||
Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then Certificates tab. Select "View certificates", go to "Your certificates" tab, and hit import, and then find client.p12. | Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then Certificates tab. Select "View certificates", go to "Your certificates" tab, and hit import, and then find client.p12. | ||
− | === Other operating systems === | + | ==== Other operating systems ==== |
We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions. If you get information, do let us know and we can add it here. | We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions. If you get information, do let us know and we can add it here. | ||
Alternatively, you can complete the steps to create client.p12 on any Linux machine, and then copy the resulting file to your machine that has some other OS, and import it to your browser. | Alternatively, you can complete the steps to create client.p12 on any Linux machine, and then copy the resulting file to your machine that has some other OS, and import it to your browser. |
Revision as of 20:51, 4 October 2014
Luna Node Dynamic supports two panel authentication methods: password and client-side certificate.
- Password: this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
- Client-side certificate: this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You register the certificate and your key into your computer, and then the server will be able to authenticate your certificate via SSL.
Contents
Authentication policies
There are three available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the Account tab in the top right of the panel.
- Any authentication method: if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
- Both password and certificate: you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
- Certificate, with password for unrecognized IPs: use client-side SSL certificate authentication only by default; however, if you attempt to login from an unrecognized IP address (i.e., one that you've not logged in from before), then you will need to also verify your password.
Setting up client-side SSL certificate
Once your certificate is set up, you will be able to login via https://dynamic.lunanode.com/secure/ (or select "Authenticate with client-side certificate" on login screen).
You have two options when setting up a certificate: using your modern browser (won't work with Internet Explorer; Firefox/Chrome both work fine) via the keygen tag, or manually generating and submitting a CSR. The first way is much easier, it should only take you sixty seconds!
Generate certificate via browser
Make sure you are using Firefox or Chrome, or a similar non-IE modern browser that supports the keygen tag.
Head to the Account tab and select Client-side certificates tab. Under "Add certificate via browser", configure any certificate key options that your browser provides, enter a number of days to sign for (between 5 and 730 days), and hit the generate option. Your browser should display a brief dialog about generating a keypair, and then after a bit more time you'll be prompted to add the certificate to your browser.
Once added, you can login via https://dynamic.lunanode.com/secure/.
Manually generate a CSR
If you decided you want to manually generate a CSR, follow the instructions below.
Linux
You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on a gist by mtigas found on Github.
First, create a key and a CSR. We use 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it). When generating the certificate signing request, make sure to enter your panel e-mail address (case sensitive) for the organization, organization unit, and common name fields, or else the CSR will be rejected. For the other fields, you can enter whatever you want.
openssl genrsa -des3 -out client.key 4096 openssl req -new -key client.key -out client.csr
Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate". This will cause the server to verify the CSR and then, if verification succeeds, sign it. If signed successfully, the newly produced certificate will be available. You should copy and paste this into client.crt in the same directory where you made client.key and client.csr. Once client.crt exists, run:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 rm client.crt client.key client.csr
Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then Certificates tab. Select "View certificates", go to "Your certificates" tab, and hit import, and then find client.p12.
Other operating systems
We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions. If you get information, do let us know and we can add it here.
Alternatively, you can complete the steps to create client.p12 on any Linux machine, and then copy the resulting file to your machine that has some other OS, and import it to your browser.