000022555 - Configure an Apache web server to allow mixed use of both RSA ClearTrust and Apache/mod_auth security

Document created by RSA Customer Support Employee on Feb 23, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022555
Applies ToRSA Product Set: RSA Access Manager Agent for Apache
RSA Version/Condition: Apache 2.x
IssueConfigure an Apache web server to allow mixed use of both RSA ClearTrust and Apache/mod_auth security
Apache pass_realms functionality to mix RSA ClearTrust protection with HTTP Basic authentication does not function
Security Realm definitions in .htaccess files are ignored
A user is not challenged to authenticate when accessing pages intended to be protected by Apache's HTTP Basic authentication; a user is challenged to authenticate when accessing pages protected by RSA ClearTrust. When the ClearTrust Agent is uninstalled, the Apache HTTP Basic protected pages function correctly.
Cause.htaccess files are read by Apache at the same time as <Directory> blocks in the httpd.conf main configuration file; they are "merged" together provided AllowOverride is set for the directory in which the .htaccess file is contained. ClearTrust's protection is applied, in ct-httpd.conf, in a Location block which applies to the entire server. Location blocks in Apache are read after Directory blocks and thus take precedence. Because .htaccess is implicitly a Directory block, one can't add a Location block within it since it would be incorrect syntactically (like nesting a Location block within a Directory block).  See "Merging of .htaccess with the main configuration files": http://httpd.apache.org/docs/2.0/howto/htaccess.html#how
ResolutionDefine security realms in ct-httpd.conf, after the initial <Location /> block which defines the default RSA ClearTrust realm. Alternatively, modify the default ClearTrust realm to protect only the URLs you intend to be protected by ClearTrust, rather than the entire server. Finally, the ClearTrust realm definition can be completely removed from the main configuration files (httpd.conf and ct-httpd.conf) and the ClearTrust realm defined in each relevant .htaccess file in directories which you require ClearTrust to protect.
To partially mimic the de-centralized functionality of .htaccess without removing the ClearTrust realm from the main Apache configuration, a series of Include directives at the end of the httpd.conf file will allow multiple Location blocks to be defined in other files, but this will require modification of httpd.conf, which is not required with .htaccess, so this is not an ideal workaround. 
WorkaroundAuthType and AuthName parameters are added to .htaccess to create an Apache HTTP Basic security realm on a page that is not a ClearTrust-defined resource
cleartrust.agent.apache.pass_realms was set to pass anything not in the RSA ClearTrust realm to the HTTP Basic authentication module in Apache (mod_auth), i.e. the parameter is defined as !CT,*
Legacy Article IDa29112