Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Follow the instructions at http://otrs.github.io/doc/manual/admin/stable/en/html/index.html, do a standard install and make sure everything works.

Pay attention to the phrase "Please install OTRS from source, and do not use the OTRS packages that Debian/Ubuntu provides." (smile)

The docs all seem to assume that you'd want to run OTRS inside a subdirectory (https://example.com/otrs), but we want it to be the root of our vhost (https://otrs.example.com), in which case this configuration is a little bit different, see below (you should have the HTTPS stuff already configured, probably in /etc/apache2/mods-enabled/ssl.conf):

Code Block
themeRDark
languageerl
ServerName bartaliotrs.terenaexample.orgcom
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
Alias / "/opt/otrs/bin/cgi-bin/"
<IfModule mod_perl.c>
    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl
    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload
    # mod_perl2 options for GenericInterface
    <Location /nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>
</IfModule>
<Directory "/opt/otrs/bin/cgi-bin/">
        AllowOverride None
        DirectoryIndex customer.pl
        AddHandler  perl-script .pl .cgi
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        # mod_auth_mellon placeholder


    <IfModule mod_version.c>
   MellonEnable "info"     <IfVersion < 2.4>
        MellonSecureCookie On
   Order allow,deny
    MellonSessionDump Off
       Allow MellonSamlResponseDumpfrom Offall
        MellonEndpointPath "/mellon"</IfVersion>
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key<IfVersion >= 2.4>
        MellonSPCertFile /etc/apache2/mellon/sp.crt
   Require all granted
   MellonIdPMetadataFile /etc/apache2/mellon/idp.xml
    </IfVersion>
    #</IfModule>
 To avoid security holes, first unset any existing header
<IfModule !mod_version.c>
        Order allow,deny
   RequestHeader   unset eduPersonPrincipalName
 Allow from all
    </IfModule>
 # Then conditionally set it<IfModule mod_deflate.c>
        RequestHeader set eduPersonPrincipalName "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName

AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    <IfModule mod_version.c></IfModule>
</Directory>


<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>
</Directory>


<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js
    # Set Order allow,deny
            Allow from all
   explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff
</IfVersion>Directory>
        <IfVersion >= 2.4><IfModule mod_headers.c>
    # Cache css-cache for     Require all granted30 days
    <Directory    </IfVersion>"/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
    </IfModule>
    <IfModule !mod_version.c>
 <FilesMatch "\.(css|CSS)$">
       Order allow,deny
    Header set   Allow from allCache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </IfModule>Directory>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json# Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
    </IfModule>
    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js
    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff
</Directory>
<IfModule mod_headers.c><FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache css-cachejs thirdparty for 304 dayshours
    <Directory "/opt/otrs/var/httpd/htdocs/skinsjs/*/*/css-cachethirdparty/">
        <FilesMatch "\.(cssjs|CSSJS)$">
            Header set Cache-Control "max-age=259200014400 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

 

The site is now configured so that the bare URL will go to the customer interface. This makes the most sense because typically customers will have less clue about where to go.

The agent interface is where you should log in to with the default root@localhost account.

 

 

 

mod_auth_mellon

mod_auth_mellon is an Apache module. To get this working I recompiled the Debian source packages from the University of Tilburg for Ubuntu 12.04 and made them available in our own APT repository. Ubuntu 14.04 and later have the module available as well.

Code Block
apt-get install libapache2-mod-auth-mellon
a2enmod auth_mellon

Create a directory /etc/apache/mellon, and store the Identity Provider metadata in XML format to a file called idp.xml.

Create the cryptographic material for the mellon SP:

Code Block
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout sp.key -out sp.crt

 

Now add this to the configuration of the vhost (note that this is not the entire config - you should have the HTTPS stuff already configured, probably in /etc/apache2/mods-enabled/ssl.conf).

This is a slightly adapted version of the default config so that OTRS runs from the root and not from a subdirectory:

 

As you can see, the attribute eduPersonPrincipalName is being used as the username. This is the attribute that should always be send by the IdP.

By this time, you should be able to download the Service Provider metadata from https://example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship.

Confluence - part 2

Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.

...

Edit confluence/WEB-INF/classes/seraph-config.xml and change this section in the beginning: 

Code Block
languagehtml/xml
       <init-param>
            <param-name>login.url</param-name>
            <param-value>/login.action?os_destination=${originalurl}</param-value>
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/login.action</param-value>
        </init-param>

To this: 

Code Block
languagehtml/xml
        <init-param>
            <param-name>login.url</param-name>
            <param-value>/mellon/login?ReturnTo=${originalurl}</param-value>
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value>
        </init-param>

You should now be able to use federated logins.

Confluence - mobile theme

The new Confluence feature a dedicated theme for use on mobile devices. This is great, but unfortunately both the login and logout buttons in that theme do not work - they still point to the 'old' static login/logout links.

Login button

I couldn't find any way to do this in Confluence, so I ended up rewriting it in Apache. See the snippet in the Apache config above.

Logout button

Luckily the logout button can be configured in Confluence, but the configuration file is located inside a JAR file (Java ARchive), so it's a little bit of work. For starters, you need the jar command, which is part of openjdk-7-jdk:

 

Code Block
 apt-get --no-install-recommends install openjdk-7-jdk

Then do:

  • mkdir /tmp/jar
  • cd /tmp/jar
  • jar xf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar
Now tmp should contain the contents of the jar. Edit the file xwork.xml and change this part:

 

Code Block
languagehtml/xml
        <action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
            <interceptor-ref name="defaultStack"/>
            <result name="error" type="velocity">/logout.vm</result>
            <result name="success" type="redirect">/login.action?logout=true</result>
        </action>

to this:

...

languagehtml/xml

...

</IfModule>

 

The site is now configured so that the bare URL will go to the customer interface. This makes the most sense because typically customers will have less clue about where to go.

The agent interface is where you should log in to with the default root@localhost account.

Once you're in, you should create a new agent with full permissions, and make sure the username is your eduPersonPrincipalName.

 

mod_auth_mellon

mod_auth_mellon is an Apache module, which is available in Ubuntu 14.04 and later. To get this working with Ubuntu 12.04, I recompiled the Debian source packages from the University of Tilburg and made them available in our own APT repository. Either way, it's easy to install:

Code Block
apt-get install libapache2-mod-auth-mellon
a2enmod auth_mellon

Create a directory /etc/apache/mellon, and store the Identity Provider metadata in XML format to a file called idp.xml.

Create the cryptographic material for mod_auth_mellon:

Code Block
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout sp.key -out sp.crt

 

Now add this to the configuration of the vhost at the mod_auth_mellon placeholder:

 

Code Block
themeMidnight
languageerl
        MellonEnable "info"
        MellonSecureCookie 

...

On
  

...

      MellonSessionDump Off
       

...

 

...

MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml
        # To avoid security holes, first unset any existing header
        RequestHeader unset eduPersonPrincipalName
        # Then conditionally set it
        RequestHeader set eduPersonPrincipalName "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName

 

 

As you can see, the attribute eduPersonPrincipalName is being used as the username. This is the attribute that should always be send by the IdP.

By this time, you should be able to download the Service Provider metadata from https://otrs.example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship.

Once that is done, you should be able to authenticate by going to https://otrs.example.org/mellon.

</action>

 

Now "jar" everything up again and replace the original jar:

Code Block
languagebash
cd /tmp/jar
jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar .

Restart Confluence. You should now also be able to use federated logins on your iPad/etc.

 

jsessionid errors

If unauthenticated users try to access content that is protected, Confluence tries to set jsessionid as part of the URL. This leads to 404 errors like this:

Code Block
NOT FOUND
The requested URL /mellon/login;jsessionid=8A736F43779F96249F6C3DC41067BB98 was not found on this server.

Since the jsessionid part isn't needed, it can be removed uses a rewrite statement (see apache config above).

 

Limit access to the unprotected TCP port

Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"