Page 2 of 3
Re: x509 SSO Authentication
Posted: Tuesday 02 February 2016 21:24
by nayr
awesome! thanks for the feedback
looks like I got some more wiking to do
Re: x509 SSO Authentication
Posted: Tuesday 23 February 2016 20:28
by Fred78
Great job!!
Thanks for the Wiki. I easily secured my Domoticz behind nginx, but I'm still waiting to activate x509 authentication.
The configuration parameters aren't in Domoticz's stable release yet and there is no Android application that supports this kind of authentication (I didn't manage to find the Domoticz Lite conf params).
But I still think that this should be the preferred authentication method since we're exposing our homes to the Internet. Strong authentication should be mandatory.
Just one thing: I had to create my server certificate using the https_server template. Otherwise, there are missing extensions and the Chrome browser on my Nexus 5 just didn't want to accept the certificate.
Re: x509 SSO Authentication
Posted: Wednesday 24 February 2016 0:16
by nayr
Thanks for the feedback, I've updated that screenshot in the Wiki (force refresh) so people use the https_server template.
What configuration parameters? There are none. You can enable x509 in the current stable; the only thing that's been added since then is SSO.. all that does is associate certificates with user accounts. Until the next stable (coming soon I believe) you can just disable Domoticz auth and rely on Nginx, unless you really need the user accounts.. then you can still enable the built-in auth and do it after providing a cert, still works just not automatically.
The next stable release will simply detect nginx's x509 token and associate it with any matching users.. all configuration is done in nginx really.
I've been using x509 for a couple of years like this. I decided to add a shared tablet to the house and I wanted to lock it down so it could not access protected switches/configs.. then it just took a few lines of code to get Domoticz to accept an x509 commonName for credentials.
ProTip: Get a battery-backed RTC if you set up x509 on a Pi.. guess what you can't do when the system time is set to zero, well before your cert was issued.. yeah, it just throws errors until you fix the time... your Pi will likely recover before your network and internet after a long power outage.
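As an added illustration of "all configuration is done in nginx" (this is not nayr's wiki config or Domoticz project code): an nginx server block that refuses the TLS handshake to any client without a certificate signed by the private CA, and forwards the verified commonName upstream. The server certificate/key paths, the hostname, the upstream port 8080 and the X-SSL-Client-CN header name are assumptions; /etc/ssl/ca/ca.crt and dhparam.pem are the paths used in this thread.

```nginx
# Added example: client-certificate gate in front of Domoticz (assumed layout, not the wiki's file).
# Extract the commonName from the client DN. The regex copes with both the old
# "/C=..../CN=name" format and the RFC 2253 "CN=name,O=..." format nginx emits since 1.11.6.
map $ssl_client_s_dn $ssl_client_cn {
    default "";
    "~CN=(?<cn>[^,/]+)" $cn;
}

server {
    listen 443 ssl;
    server_name home.example.com;                     # assumed hostname

    ssl_certificate     /etc/ssl/certs/server.crt;    # assumed; issue it from the https_server template
    ssl_certificate_key /etc/ssl/private/server.key;  # assumed
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;   # generated as discussed later in this thread

    # The private CA that signed the client certificates (path as used in this thread).
    # With ssl_verify_client on, a client without a valid cert never gets past the handshake,
    # so nothing of Domoticz is reachable without one.
    ssl_client_certificate /etc/ssl/ca/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Domoticz itself should listen on plain HTTP on localhost only, so the proxy cannot be bypassed.
        proxy_pass http://127.0.0.1:8080;             # assumed Domoticz port
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        # Hand the verified identity upstream; the header name is an assumption.
        proxy_set_header X-SSL-Client-CN $ssl_client_cn;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    }
}
```

Note that the clock issue above also bites here: nginx validates the client certificate's notBefore/notAfter against the system time, so a Pi booting with the clock at zero rejects every client until time is set.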
Re: x509 SSO Authentication
Posted: Wednesday 24 February 2016 11:02
by Fred78
Yeah, I misspoke about the x509 authentication.
I was talking about the SSO parameters in Domoticz (these ones are missing in the stable release).
I did manage to set up x509 authentication through nginx, but I had to go backwards since no Android app supports this authentication method.
Thanks for the battery tip.
I didn't think of that potential issue...
Re: x509 SSO Authentication
Posted: Sunday 28 February 2016 14:58
by BakSeeDaa
nayr wrote: awesome! thanks for the feedback
looks like I got some more wiking to do
Thanks for this @nayr
I'm running Domoticz on a Raspberry Pi 2 model B. I'm a bit confused after reading the wiki:
Prerequisites
Debian derived Linux Server (Debian/Raspbian/Ubuntu/etc)
Running Domoticz installation
Sometimes the domoticz installation is referred to as the "Domoticz Server"
Do I need a separate web server or can I run everything on my single RPi2?
Shall nginx-full always be installed on the machine running Domoticz?
I'll buy an additional web server if advised by You.
Thanks!
Re: x509 SSO Authentication
Posted: Sunday 28 February 2016 21:57
by nayr
Run it on the same Pi, right alongside it.. unless you already have a webserver on the edge of your network you can use, there is no reason not to.
Re: x509 SSO Authentication
Posted: Sunday 28 February 2016 22:15
by BakSeeDaa
nayr wrote: Run it on the same Pi, right alongside it.. unless you already have a webserver on the edge of your network you can use, there is no reason not to.
OK, thanks!
Re: x509 SSO Authentication
Posted: Monday 29 February 2016 9:50
by BakSeeDaa
I followed your excellent wiki. I believe there is no reference to how to create the file /etc/ssl/ca/ca.crt on the server. I figured it out though. Since I'm running my Domoticz on the same machine, I had to disable Domoticz from using port 443.
Re: x509 SSO Authentication
Posted: Tuesday 01 March 2016 12:27
by BakSeeDaa
Things are working quite well here now. I just need to set up a NAT hairpin (NAT inside-to-inside / loopback / reflection).
Anyway, first I made my own certificates using XCA. I spent a day or so first trying to get rid of the pesky warnings on my Android device. Then I decided to try generating certs on CAcert. That worked fine and installed on the Android as expected, but I couldn't generate client certificates to log in to Domoticz with a username and password (e-mail). So I'm back using the XCA certs that are valid for the next 100 years.
EgiGeoZone seems to work fine, I will test it further but it seems to be able to log in using X509 without user intervention. I'd like to thank You very much once again @nayr for your work to document this. Without You I couldn't have done it.

Re: x509 SSO Authentication
Posted: Wednesday 02 March 2016 14:22
by BakSeeDaa
@nayr, now I need to find out a way to access my Domoticz server via API/JSON URLs using Tasker. (Tasker seems to lack support for X.509 authentication). Do You have any ideas how to do that?
Re: x509 SSO Authentication
Posted: Thursday 03 March 2016 6:04
by nayr
Does Tasker have an ssh plugin? Maybe you can ssh with a key and do an HTTP GET to localhost..
Install fail2ban and/or configure ssh to only use keys if you're going to also expose it to the internet.
Re: x509 SSO Authentication
Posted: Friday 04 March 2016 8:43
by BakSeeDaa
Re: x509 SSO Authentication
Posted: Friday 15 April 2016 20:32
by woody4165
Hi all
very nice job for security!
I'm trying to follow the wiki, but I'm stuck at
Code:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
My RPi 3 times out and I never get the dhparam.pem.
As far as I understood, it should take something like more than 12 hours to complete, or am I wrong?
I've tried with 2048 and it takes 5 minutes, but is it secure?
How can I solve it?
Thanks
Re: x509 SSO Authentication
Posted: Friday 15 April 2016 20:40
by nayr
This should help a lot:
apt-get install haveged
Code:
Description-en: Linux entropy source using the HAVEGE algorithm
haveged is a userspace entropy daemon which is not dependent upon the
standard mechanisms for harvesting randomness for the system entropy
pool. This is important in systems with high entropy needs or limited
user interaction (e.g. headless servers).
.
haveged uses HAVEGE (HArdware Volatile Entropy Gathering and Expansion)
to maintain a 1M pool of random bytes used to fill /dev/random
whenever the supply of random bits in dev/random falls below the low
water mark of the device.
Re: x509 SSO Authentication
Posted: Friday 15 April 2016 20:41
by woody4165
I have already installed
With 2048 it takes less than 5 minutes...
Re: x509 SSO Authentication
Posted: Friday 15 April 2016 20:44
by nayr
2048 is secure, I haven't tried on a RPi3, but my CuBox made it within 20mins..
Re: x509 SSO Authentication
Posted: Wednesday 20 April 2016 13:20
by woody4165
I've tried to follow your guide, but I got lost.
My fault, I'm not so techy to understand all the steps.
I followed the guide, easy from a step-by-step point of view, but I don't know how to check if everything on the RPi, server side, has gone well, and most of my doubts are from the client side.
Can you help me understand if on the server side everything is ok?
It seems to me that nginx is ok
Code:
xx@xxxxxx:~$ sudo service nginx status
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: active (running) since Wed 2016-04-20 12:48:09 CEST; 11min ago
Process: xxx ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: xxx ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: xxx (nginx)
CGroup: /system.slice/nginx.service
├─xxx nginx: master process /usr/sbin/nginx -g daemon on; master_p...
├─xxx nginx: worker process
├─xxx nginx: worker process
├─xxx nginx: worker process
└─xxx nginx: worker process
Is there anything else I should check?
First question is whether from now on I have to go through nginx also from my internal network, doing something on the computers and tablet that will always remain at home.
And, the main thing is what I have to do, and how, on the tablet/smartphone/computers I will use externally.
Thanks in advance
PS: at this moment I have activated a VPN within my router, a Fritzbox, so I do not open any port on Domoticz and go through it.
But it's probably more secure this way.
Re: x509 SSO Authentication
Posted: Friday 22 April 2016 19:37
by indy
nayr wrote: 2048 is secure, I haven't tried on a RPi3, but my CuBox made it within 20mins..
I apologize for my post here, but I wanted to try and contact you about your zwave thermostat controlling a swamp cooler and couldn't find any contact info. My email address is my post name with a 747 at the end @gmail.com - would really love to see your circuit, looks like you have done a lot of cool stuff with automation and cameras.
Thanks! Indy
Re: x509 SSO Authentication
Posted: Monday 19 September 2016 7:33
by anasazi
Hi and thanks for a great Wiki guide!
I'm just wondering about a thing in the nginx configuration.
See the attached image, what kind of CA cert are you referring to?
The one I previously created in the guide?
Is it still not possible to use x509 certificate with other iOS apps?
I would like to use the app Locative to send URL request and also use the x509 authentication...
Thanks!
Re: x509 SSO Authentication
Posted: Monday 05 December 2016 8:52
by lightman
When is the app going to support x509?