[Lilux-help] Workaround for Luxtrust issue on BCEE site

Alain Knaff alain at knaff.lu
Wed Jun 13 21:04:56 CEST 2012


Hi,

For those of you who don't want to wait until BCEE deploys the correct 
LuxTrust jars, here is a workaround.

1. In /etc/hosts, add the following line:

127.0.0.1       bcee.snet.lu

2. If not yet there, install Apache.

3. Create a file with the following contents in 
/etc/apache2/sites-available/bcee :

  <VirtualHost *:443>
        ServerName bcee.snet.lu

        # Certificate presented to the local browser
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

        # Required for ProxyPass to an https:// backend
        SSLProxyEngine on

        # Forward everything to BCEE except the outdated jar
        ProxyPreserveHost on
        ProxyPass /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar !
        ProxyPass / https://195.46.224.5/

        # Send the browser to LuxTrust for the current jar instead
        Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.1.jar
  </VirtualHost>


For 64 bit, the redirect line should be as follows instead:
        Redirect /ssogate/LuxTrust_Gemalto_CryptoTI_Adapter_LIN32_1.4.jar https://managing.luxtrust.lu/applets/public/LuxTrust_Gemalto_CryptoTI_Adapter_LIN64_1.4.1.jar

(note: we're still redirecting LIN32 due to BCEE's other error...)

The SSL certificates in /etc/apache2/ssl/server.crt and server.key 
should exist (but don't need to be correct, just add them as exception 
into Firefox when prompted).

4. Activate the site:

 a2ensite bcee
 service apache2 reload

5. Now, connect to SNET as usual, add the certificate to Apache as 
an exception when prompted, and off you go!

A note of CAUTION: Apache doesn't check whether the certificate for 
195.46.224.5 is authentic, theoretically making your connection to BCEE 
vulnerable to snooping. So don't use this if you don't trust your ISP,
or any other ISP between you and BCEE. It is possible to secure the
connection from your Apache proxy to BCEE using SSLProxyVerify on, but
this is too complex to fit into this short note. In case of interest,
please drop me a mail.

Regards,

Alain
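
The caution above concerns the unverified hop from the local Apache proxy to BCEE. As an added example (not part of the original mail), this Python script checks from the same machine that 195.46.224.5 presents a certificate that chains to a trusted CA and is valid for bcee.snet.lu; the function names and the use of the system CA store are assumptions.

```python
import socket
import ssl

UPSTREAM_IP = "195.46.224.5"    # backend address from the ProxyPass line
UPSTREAM_NAME = "bcee.snet.lu"  # name the certificate must be valid for


def make_context(cafile=None):
    """TLS context that requires a trusted chain and a matching host name."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CAs if cafile is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_upstream(ip=UPSTREAM_IP, name=UPSTREAM_NAME, port=443,
                   cafile=None, timeout=5.0):
    """Connect to `ip` but validate the certificate against `name`.

    /etc/hosts maps the name to 127.0.0.1, so the connection has to be made
    by IP; server_hostname supplies the name for SNI and for the name check.
    Returns (ok, detail).
    """
    ctx = make_context(cafile)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                cert = tls.getpeercert()
                return True, "valid for %s until %s" % (name, cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate or host name mismatch
        return False, "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure, refused connection or timeout
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    ok, detail = check_upstream()
    print(("OK: " if ok else "FAIL: ") + detail)
    raise SystemExit(0 if ok else 1)
```

A passing check only covers the moment it runs; Apache itself still performs no verification on the connections it proxies afterwards.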

