Alexander Semenenko, 2017-08-01 13:32:07
linux

How to set up 1C OpenID authentication?

We have an Apache 2.4 web server on CentOS 7, running over https. The certificate is self-signed. Two bases are published on it.
I created the certificate like this:

# Generate the key
openssl genrsa -des3 -out ca.key 4096
# Create the CA certificate from that key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate the key
openssl genrsa -out server.key 4096
# Create the request file (csr) from the previous key
openssl req -new -key server.key -config openssl-csr.cnf -reqexts req_ext -out server.csr
# Create the server certificate (sign the .csr with my ca.crt)
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -extfile openssl-csr.cnf -extensions req_ext -in server.csr -out server.crt

The default.vrd file for the provider base:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                base="/openidprov"
                ib="Srvr=srv1c;Ref=OpenIDProv;">
        <standardOdata enable="false"
                        reuseSessions="autouse"
                        sessionMaxAge="20"
                        poolSize="10"
                        poolTimeout="5"/>
	<openid>
		<provider>
			<lifetime>86400</lifetime>
		</provider>
	</openid>
</point>

The default.vrd file for the OpenID client base:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                base="/test-openid-client"
                ib="Srvr=srv1c;Ref=test-openid-client;">
        <standardOdata enable="false"
                        reuseSessions="autouse"
                        sessionMaxAge="20"
                        poolSize="10"
                        poolTimeout="5"/>
        <openid>
                <rely url="https://srv1c-cl-testssl2-web/openidprov/e1cib/oid2op" />
        </openid>
</point>

In the provider base I created users with passwords. (It's an empty new 1C database; I didn't find that any special configuration was needed, but just in case.)
In the client database I created users with the same names. Disabled 1C authentication, enabled OpenID.
When the client base is launched from the thin client, it sends me to the OpenID base. If I enter a wrong password, I get a notification. If I enter the correct password, I get an error: "Error connecting to the OpenID provider https://srv1c-cl-testssl2-web/openidprov/e1cib/oid2op".
In the technological log there is this error: "Error working with the Internet: The remote host did not pass the test."
The 1C server and the web server are Linux (CentOS 7). On the Windows client machines the ca.crt certificate is added to the trusted root certificate store. In the browser both the client base and the provider base open over https without errors.
If you go to https://srv1c-cl-testssl2-web/openidprov/e1cib/oid2op, this file is downloaded:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority='0'>
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://srv1c-cl-testssl2-web/openidprov/e1cib/oid2op</URI>
</Service>
</XRD>
</xrds:XRDS>

Also, if I open the client database in a web browser, it does not redirect me to the provider, unlike the thin client.
I suspect the problem is an incorrectly generated certificate, or incorrect installation of it on the web server (I mean the ca.crt certificate), but the ITS says that 1C looks for client certificates in the certificate store, and there is no single store in CentOS.
By the way, if you open the page https://srv1c-cl-testssl2-web/openidprov/e1cib/oid2op with some console browser from the web server, the same file that is downloaded on desktop machines opens, and it does not complain about the certificate.

2 answers
Alexander Semenenko, 2017-08-02
@semenenko88

I solved the issue by moving to Ubuntu 16.04. The problem is that I can't install ca.crt (the certificate with which the web server certificates are signed) in the CentOS 7 store; 1C can't find it in any way. But on Ubuntu this certificate is installed like this:
sudo install -m 0644 ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo reboot
With this answer and the question, which describes how I set up OpenID for 1C, you can solve the problem.
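An added example covering both the certificate commands in the question and the trust-store step in this answer; it is not code from either poster. It rebuilds the CA and server certificate non-interactively with a subjectAltName, checks chain and SAN the way a TLS client does before trusting the host (the thin client's "remote host did not pass the test" is such a rejection), and shows the CentOS system trust-store path next to the Ubuntu one. The hostname is the question's; the config contents and throwaway certificates are constructed, and whether 1C consults the CentOS store is not something this block settles.

```shell
#!/bin/sh
# Added example (not from the question or answers): throwaway CA + server cert
# built like the question's commands but non-interactively and with a SAN,
# then verified as a TLS client would. Hostname is the question's; certs are test data.
set -eu
WORK=$(mktemp -d)
HOST="srv1c-cl-testssl2-web"
make_certs() {
  # Constructed config: the SAN must match the name clients actually connect to
  cat > "$WORK/openssl-csr.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[req_ext]
subjectAltName = DNS:$HOST
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -config "$WORK/openssl-csr.cnf" \
    -extensions ca_ext -subj "/CN=Test CA" -out "$WORK/ca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$WORK/openssl-csr.cnf" \
    -reqexts req_ext -out "$WORK/server.csr" 2>/dev/null
  # -CAcreateserial lets openssl track serials instead of a fixed -set_serial
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl-csr.cnf" -extensions req_ext \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}
# 0 if cert $2 chains to CA $1 and carries DNS:$3 in its SAN, else 1.
# A client that cannot get "OK" from this check rejects the host.
verify_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q "DNS:$3" || return 1
}
# System-wide trust-store install for the two distros on the page (needs root,
# not run here); the answer above reports 1C still did not find it on CentOS.
install_ca_system_wide() {
  if [ -d /etc/pki/ca-trust/source/anchors ]; then          # CentOS/RHEL
    sudo install -m 0644 "$1" /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust extract
  else                                                        # Debian/Ubuntu
    sudo install -m 0644 "$1" /usr/local/share/ca-certificates/ && sudo update-ca-certificates
  fi
}
```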

Dmitry Aleksandrov, 2017-08-01
@jamakasi666

Do clients trust your self-signed certificate? Are you sure that all clients had the root certificate imported correctly? It won't take off without it.
