From: Sander A. <sa....@fz...> - 2020-09-23 12:10:23
Dear Krzysztof,

we switched the domain in one of our instances this summer. All connected services already use the new domain, but users still found the old domain and got a certificate mismatch warning from the browser. Because the different domains are owned by different centres, we can't use a certificate containing both domains.

Is it possible to use two certificates and domain names in Unity for the webserver part? SAML and OAuth should still be handled with one domain/entity ID. Separating webserver certificates from SAML/OAuth should be possible with different credential definitions.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2020-09-24 11:14:13
Dear Sander,

On 23.09.2020 at 14:09, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we switched the domain in one of our instances this summer. All connected services already use the new domain, but users still found the old domain and got a certificate mismatch warning from the browser. Because the different domains are owned by different centres, we can't use a certificate containing both domains.
>
> Is it possible to use two certificates and domain names in Unity for the webserver part? SAML and OAuth should still be handled with one domain/entity ID. Separating webserver certificates from SAML/OAuth should be possible with different credential definitions.

Technically it is possible. The feature you are asking for is the SNI extension of the TLS protocol. It is supported by Jetty and Java, which Unity is using, but Unity currently doesn't offer a way to set up Jetty with multiple credentials.

We can have it implemented; however, I can point you to an alternative solution: you can expose Unity behind a (reverse) proxy server, like Apache. Unity supports it pretty well, we use it in production often. Then you get access to all features of the Apache (or other) server, where you can set up, for instance, SNI.

HTH
Krzysztof
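The reverse-proxy layout Krzysztof describes, as an added Apache 2.4 example (not configuration from the thread or from the Unity project): each hostname gets its own certificate, which Apache selects via SNI, and only the canonical domain is proxied to Unity so the SAML/OAuth entity ID, endpoints and cookies stay on one host. The hostnames, certificate paths and the Unity backend address are placeholders; Unity's own proxy-related settings, which Krzysztof mentions but the thread does not name, must be configured separately.

```apache
# Added example, not from the thread or the Unity project. Assumed placeholders:
# idp.new-centre.example (canonical), idp.old-centre.example (legacy),
# Unity listening on https://unity.internal:2443 with a certificate issued
# for that name. Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

# Canonical domain: the one the SAML/OAuth entity ID keeps using.
<VirtualHost *:443>
    ServerName idp.new-centre.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/new-centre/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/new-centre/privkey.pem

    # Unity itself speaks TLS, so enable proxy-side TLS and verify the
    # backend certificate against the CA that issued it.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/ssl/unity-backend-ca.pem

    ProxyRequests Off                 # never act as a forward proxy
    ProxyPreserveHost On              # Unity sees the external hostname
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / https://unity.internal:2443/
    ProxyPassReverse / https://unity.internal:2443/
</VirtualHost>

# Legacy domain: presents the old centre's certificate, so browsers see no
# name mismatch, then sends users to the canonical name instead of serving
# the IdP under a second hostname.
<VirtualHost *:443>
    ServerName idp.old-centre.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/old-centre/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/old-centre/privkey.pem
    Redirect permanent / https://idp.new-centre.example/
</VirtualHost>
```

The legacy vhost could proxy to Unity as well, but a redirect keeps every protocol endpoint and session cookie bound to the single domain the thread wants SAML and OAuth to use.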
From: Sander A. <sa....@fz...> - 2020-09-24 11:25:47
Dear Krzysztof,

thanks for the feedback. When we started with our first Unity, it did not work behind a reverse proxy. I'll give it a new try when I find some time.

Cheers,
Sander

On Thu, 2020-09-24 at 13:13 +0200, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 23.09.2020 at 14:09, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > we switched the domain in one of our instances this summer. All connected services already use the new domain, but users still found the old domain and got a certificate mismatch warning from the browser. Because the different domains are owned by different centres, we can't use a certificate containing both domains.
> >
> > Is it possible to use two certificates and domain names in Unity for the webserver part? SAML and OAuth should still be handled with one domain/entity ID. Separating webserver certificates from SAML/OAuth should be possible with different credential definitions.
>
> Technically it is possible. The feature you are asking for is the SNI extension of the TLS protocol. It is supported by Jetty and Java, which Unity is using, but Unity currently doesn't offer a way to set up Jetty with multiple credentials.
>
> We can have it implemented; however, I can point you to an alternative solution: you can expose Unity behind a (reverse) proxy server, like Apache. Unity supports it pretty well, we use it in production often. Then you get access to all features of the Apache (or other) server, where you can set up, for instance, SNI.
>
> HTH
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-09-24 11:32:11
On 24.09.2020 at 13:25, Sander Apweiler wrote:
> Dear Krzysztof,
>
> thanks for the feedback. When we started with our first Unity, it did not work behind a reverse proxy. I'll give it a new try when I find some time.

Note that there are options in the Unity config file to configure it properly.