March 20, 2007
This document lists late-breaking information for RSA Authentication Agent 5.3 for Web for Apache Web Server on Red Hat Linux 4.0. Read this document before installing the software.
This document contains the following sections:
Security Contexts on Apache Web Server
If you use Security Enhanced Linux (SELinux) to protect the Apache Web Server, you must set the security context for all of the Web Agent shared libraries to the same value as that used by other Apache Web Server modules. To do this, use ls -Z to determine the security context, then use chcon to set the security context. For example:
/usr/bin/chcon -u system_u -r object_r -t httpd_modules_t $RSAWebAgentInstallPath/mod_rsawa_apache.so
/usr/bin/chcon -u system_u -r object_r -t httpd_modules_t $RSAWebAgentInstallPath/librsawa_apache.so
/usr/bin/chcon -u system_u -r object_r -t httpd_modules_t $RSAWebAgentInstallPath/Plugins/libaceauth.so
/usr/bin/chcon -u system_u -r object_r -t httpd_modules_t $RSAWebAgentInstallPath/Plugins/libaceauth_pre_fork.mpm.so.org
where RSAWebAgentInstallPath is the location where you installed the Web Agent.
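An added example (not part of the RSA readme or the Web Agent software): a shell check that takes the expected SELinux type from an existing Apache module's ls -Z line and flags Web Agent libraries whose type differs. The listing, the /opt/rsawa install path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types in `ls -Z` output (sample data is constructed).

# Constructed `ls -Z` line for a module that ships with Apache (the reference).
REFERENCE_LINE='-rwxr-xr-x  root root system_u:object_r:httpd_modules_t /usr/lib/httpd/modules/mod_ssl.so'

# Constructed listing; /opt/rsawa is a hypothetical $RSAWebAgentInstallPath.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x  root root system_u:object_r:httpd_modules_t /opt/rsawa/mod_rsawa_apache.so
-rwxr-xr-x  root root system_u:object_r:httpd_modules_t /opt/rsawa/librsawa_apache.so
-rwxr-xr-x  root root system_u:object_r:lib_t /opt/rsawa/Plugins/libaceauth.so
-rwxr-xr-x  root root system_u:object_r:httpd_modules_t /opt/rsawa/Plugins/libaceauth_pre_fork.mpm.so.org
EOF
}

# Print the type (third field) of the first user:role:type[:level] token on a line.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:.*)?$/) {
                split($i, part, ":"); print part[3]; exit
            }
    }'
}

# Read `ls -Z` lines on stdin and report each file whose type is not $1.
# Returns 1 if any file mismatches, 0 otherwise. Assumes paths contain no spaces.
audit_contexts() {
    want=$1
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        got=$(context_type "$line")
        file=${line##* }
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s has type %s, expected %s\n' "$file" "${got:-none}" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Take the expected type from the reference module, then audit the Web Agent files.
expected=$(context_type "$REFERENCE_LINE")
sample_listing | audit_contexts "$expected" || echo "Relabel the files above with chcon."
```

On a real host, pipe the ls -Z output for the files under $RSAWebAgentInstallPath into audit_contexts in place of sample_listing.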
You also need to make sure that the security context allows the Apache Web Server to read and write to the sdconf.rec and sdstatus.12 files. Do this either by changing the location of the sdconf.rec and sdstatus.12 files from the default location, $VAR_ACE, to a location where read/write access is allowed (for example, the log directory), or by changing your policy to allow read/write access to $VAR_ACE.
If you are setting up multi-domain authentication, you must use the same WebID URL across all web servers. When using IIS web servers and Apache web servers, change the WebID URL on the Apache servers to /WebID/IISWebAgentIF.dll. For more information, see the Installation and Configuration Guide.
For security purposes, instruct end users to disable caching in their browsers.
Tracking Number: 16432
Problem: If you log on to a protected web site, then attempt to access a different page of the web site after the initial cookie expires, you must reauthenticate. This happens because the refresh cookie generated by the Web Agent after the initial cookie expires is not detected by the Apache Web Server software.
RSA SecurCare Online: https://knowledge.rsasecurity.com/
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: http://www.rsasecured.com/
© 2007 RSA Security Inc. All rights reserved.
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, see www.rsasecurity.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.