Difference between revisions of "Luxtrust"

From LiluxWiki
(Created page with 'As of June 2012, Luxtrust now fully supports 64 bit systems. A 64-bit middleware is available from their site, and moreover they've made available a "wrapper" to allow bank appl…')
 
Revision as of 21:49, 13 June 2012

As of June 2012, Luxtrust now fully supports 64 bit systems.

A 64-bit middleware is available from their site, and moreover they've made available a "wrapper" to allow bank applets to call this middleware.

As an end user, you only need to download and install the middleware. Banks install the wrapper jar on their own site, so as an end user you normally do not need to worry about it, unless a bank made a mistake setting up the wrapper.

The following versions of the wrapper are relevant to the discussions below:

  • 1.3 : last version without 64 bit support
  • 1.4 : first version with 64 bit support, but with buggy 32 bit support
  • 1.4.1 : 64 bit support, bug with 32 bit support fixed.

BGL, CCP, Raiffeisen

As of June 13th 2012, BGL, CCP and Raiffeisen still use version 1.3 of the Luxtrust wrapper, which does not yet support 64 bit.

However, this mail explains how to set up a program which automatically replaces the 32-bit JNI library with the 64-bit version downloaded from Luxtrust's site.

BCEE

As of June 13th 2012, BCEE has deployed the buggy 1.4 version of the wrapper. Moreover, their JavaScript responsible for detecting the browser's architecture and loading the appropriate wrapper does not distinguish between 32-bit and 64-bit Linux, and always loads the 32-bit version.

Which means that BCEE's SNET currently works neither on 32-bit Linux (the 1.4 wrapper's 32-bit support is broken) nor on 64-bit Linux (the 32-bit wrapper is loaded regardless).

A workaround exists though:

1. In /etc/hosts , add the following line:

127.0.0.1       bcee.snet.lu

2. If not yet there, install Apache, and make sure mod_ssl, mod_proxy and mod_proxy_http are enabled (on Debian/Ubuntu: a2enmod ssl proxy proxy_http), since the site below uses all three.

3. Create a file with the following contents in /etc/apache2/sites-available/bcee (on Apache 2.4 and later, name it bcee.conf, since only sites-enabled/*.conf is included):

 <VirtualHost *:443>
       ServerName bcee.snet.lu

       # Certificate and key presented to the browser (a self-signed pair is enough, see below)
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/server.crt
       SSLCertificateKeyFile /etc/apache2/ssl/server.key

       # Required for ProxyPass to an https:// backend; without it Apache refuses the
       # proxied request ("SSL Proxy requested ... but not enabled [Hint: SSLProxyEngine]")
       SSLProxyEngine on

       # Forward the original Host header (bcee.snet.lu) to BCEE instead of the IP address
       ProxyPreserveHost on
       # Exclude the broken jar path from proxying so the Redirect below handles it;
       # everything else goes to BCEE by IP (the name resolves to 127.0.0.1 via /etc/hosts)
       ProxyPass /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar !
       ProxyPass / https://195.46.224.5/

       # Hand the browser the fixed 1.4.1 wrapper directly from Luxtrust
       Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.1.jar
 </VirtualHost>


For 64 bit, the redirect line should be as follows instead:

       Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN64_1.4.1.jar

(note: the path being redirected is still the LIN32 one, because BCEE's detection script always requests the 32-bit jar, as explained above; only the redirect target changes.)

The SSL certificate and key in /etc/apache2/ssl/server.crt and server.key should exist (they don't need to be signed by a trusted CA: a self-signed pair is enough, just add it as an exception in Firefox when prompted).

4. Activate the site:

a2ensite bcee
service apache2 reload

5. Now, connect to SNET as usual, add the certificate presented by your Apache proxy as an exception in Firefox when prompted, and off you go!

A note of CAUTION: as configured above, Apache does not verify the certificate that 195.46.224.5 presents (mod_ssl's default for proxied connections is SSLProxyVerify none), so anyone between your proxy and BCEE could impersonate BCEE and read or alter your banking session; your browser only sees, and only checks, your own proxy's certificate. So don't use this if you don't trust your ISP, or any other network between you and BCEE. The proxy-to-BCEE leg can be secured with SSLProxyVerify require together with an SSLProxyCACertificateFile containing the CA that issued BCEE's certificate, but that is too complex to fit into this short note.
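As an added example (this script is not from the LiluxWiki page, nor from BCEE or Luxtrust), here are steps 1 to 5 above as one shell script, with the proxy-to-BCEE leg hardened the way the caution suggests. It assumes a Debian/Ubuntu apache2 layout (a2enmod, a2ensite, /etc/apache2/ssl, sites-enabled/*.conf), Apache 2.4 directive names for the peer checks, an installed openssl, and that the Debian system bundle /etc/ssl/certs/ca-certificates.crt contains the CA that issued BCEE's certificate; the backend IP and jar URLs are the page's own. The function names gen_vhost, gen_selfsigned and install_workaround are mine.

```shell
#!/bin/sh
# Added example, not from the LiluxWiki page: the BCEE workaround as a script,
# with optional verification of the proxy-to-BCEE TLS connection.
# Assumptions: Debian/Ubuntu apache2 layout, Apache 2.4 directive names,
# openssl installed, and that CA_BUNDLE contains BCEE's issuing CA.
set -eu

BACKEND_IP=195.46.224.5                 # BCEE's address, as on the page
SITE_NAME=bcee.snet.lu
BROKEN_JAR=/ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar
FIXED_BASE=https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # Debian system bundle (assumed to hold BCEE's CA)

# gen_vhost ARCH CERTDIR [verify]  -  print the vhost to stdout.
# ARCH is LIN32 or LIN64 (which fixed wrapper to redirect to); with "verify"
# the proxy checks BCEE's certificate chain instead of accepting anything.
gen_vhost() {
    arch=$1
    certdir=$2
    mode=${3:-noverify}
    case "$arch" in
        LIN32|LIN64) ;;
        *) echo "gen_vhost: arch must be LIN32 or LIN64, got '$arch'" >&2; return 1 ;;
    esac
    cat <<EOF
<VirtualHost *:443>
    ServerName $SITE_NAME

    SSLEngine on
    SSLCertificateFile $certdir/server.crt
    SSLCertificateKeyFile $certdir/server.key

    # Needed for ProxyPass to an https:// backend (the page's vhost omits it)
    SSLProxyEngine on
EOF
    if [ "$mode" = verify ]; then
        cat <<EOF

    # Require a certificate chaining to a CA in the bundle. The backend is
    # reached by IP (its name resolves to 127.0.0.1 via /etc/hosts), so a
    # name check can never match: this stops an attacker's self-signed
    # certificate, not one issued by any CA in the bundle.
    SSLProxyVerify require
    SSLProxyCACertificateFile $CA_BUNDLE
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
EOF
    fi
    cat <<EOF

    ProxyPreserveHost on
    ProxyPass $BROKEN_JAR !
    ProxyPass / https://$BACKEND_IP/

    Redirect $BROKEN_JAR ${FIXED_BASE}_${arch}_1.4.1.jar
</VirtualHost>
EOF
}

# gen_selfsigned CERTDIR  -  key/cert for the local proxy; only your own
# browser will ever be asked to trust it, so self-signed is fine.
gen_selfsigned() {
    certdir=$1
    mkdir -p "$certdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SITE_NAME" \
        -keyout "$certdir/server.key" -out "$certdir/server.crt"
    chmod 600 "$certdir/server.key"
}

# install_workaround ARCH  -  steps 1 to 5 of the page, to be run as root.
install_workaround() {
    arch=$1
    grep -q "[[:space:]]$SITE_NAME\$" /etc/hosts || printf '127.0.0.1\t%s\n' "$SITE_NAME" >>/etc/hosts
    [ -f /etc/apache2/ssl/server.key ] || gen_selfsigned /etc/apache2/ssl
    # Apache 2.4 only includes sites-enabled/*.conf, hence bcee.conf rather than the page's "bcee"
    gen_vhost "$arch" /etc/apache2/ssl verify >/etc/apache2/sites-available/bcee.conf
    a2enmod ssl proxy proxy_http
    a2ensite bcee.conf
    apache2ctl configtest
    service apache2 reload
}

if [ $# -gt 0 ]; then
    install_workaround "$1"
fi
```

Run `sh bcee-workaround.sh LIN64` as root to install, or call `gen_vhost LIN64 /etc/apache2/ssl verify` on its own to inspect the vhost first. The hardened leg only proves that the backend holds a certificate from some CA in the bundle; because the backend is addressed by IP, the name check is off, so pruning the bundle down to BCEE's actual issuing CA is what turns this into a real pin.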