Difference between revisions of "Panel authentication"

From Luna Node
Jump to: navigation, search
(Setting up client-side SSL certificate)
Line 13: Line 13:
  
 
== Setting up client-side SSL certificate ==
 
== Setting up client-side SSL certificate ==
 +
 +
Once your certificate is set up, you will be able to login via https://dynamic.lunanode.com/secure/.
  
 
=== Linux ===
 
=== Linux ===

Revision as of 05:34, 29 June 2014

Luna Node Dynamic supports two panel authentication methods: password and client-side certificate.

  • Password: this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
  • Client-side certificate: this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You register the certificate and your key into your computer, and then the server will be able to authenticate your certificate via SSL.

Authentication policies

There are three available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the Account tab in the top right of the panel.

  • Any authentication method: if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
  • Both password and certificate: you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
  • Certificate, with password for unrecognized IPs: use client-side SSL certificate authentication only by default; however, if you attempt to login from an unrecognized IP address (i.e., one that you've not logged in from before), then you will need to also verify your password.

Setting up client-side SSL certificate

Once your certificate is set up, you will be able to login via https://dynamic.lunanode.com/secure/.

Linux

You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on a gist by mtigas found on Github.

First, create a key and a CSR. We use 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it). When generating the certificate signing request, make sure to enter your panel e-mail address (case sensitive) for the organization, organization unit, and common name fields, or else the CSR will be rejected. For the other fields, you can enter whatever you want.

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate". This will cause the server to verify the CSR and then, if verification succeeds, sign it. If signed successfully, the newly produced certificate will be available. You should copy and paste this into client.crt in the same directory where you made client.key and client.csr. Once client.crt exists, run:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
rm client.crt client.key client.csr

Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then Certificates tab. Select "View certificates", go to "Your certificates" tab, and hit import, and then find client.p12.

Other operating systems

We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions. If you get information, do let us know and we can add it here.

Alternatively, you can complete the steps to create client.p12 on any Linux machine, and then copy the resulting file to your machine that has some other OS, and import it to your browser.