Login Process

Components in the diagram: Browser; Web Server (edh.cern.ch) with the login plugin; Login Web Server (https, aislogin.cern.ch) with its own copy of the Users DB; Users DB.

1.  The browser accesses a protected page on the Web Server (edh.cern.ch).
2a. The plugin redirects the browser to the login page.
2b. The browser follows the redirect to the Login Web Server (https, aislogin.cern.ch), which checks the credentials against its Users DB copy.
3a. The Login Web Server sets the login cookie and redirects back to the protected page.
3b. The browser accesses the protected page again, this time sending the login cookie.
Login application (aislogin.cern.ch)

1. Verify username & password
   • create an MD5 hash and check it against the database
     (MD5 is a fast general-purpose digest, not a password hash; a design done today would use a salted, deliberately slow hash for this step)
   • get other user information (CERNID, PERSONID, IP, ...)

2. Encrypt user information
   The data is packed into a fixed 89-byte record. The slide shows the C declaration without a type name:

     struct {
         UINT4 cksum;
         UINT4 dateOfIssue;
         UINT4 IP;
         UINT4 HRId;
         UINT4 CERNId;
         char username[27];
         char language;
         unsigned char version;
         unsigned char flags[40];
     };   /* 5*4 + 27 + 1 + 1 + 40 = 89 bytes */

   The record is encrypted with the login server's private key (800 bits), producing a 100-byte value, shown on the slide as:

     AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

   Because the private key is used, anyone holding the public key can read the record: this is a signature with message recovery, not a confidentiality mechanism. The cksum, dateOfIssue and IP fields are the redundancy that gives the plugin something to check beyond a successful decryption (which checks the plugin actually performs is not detailed on the slides). An 800-bit RSA modulus is far below the 2048-bit minimum recommended today.

3. Set AI_SESSION cookie (200 hex characters)

     Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch

   No Secure attribute is set, so the cookie is also sent over plain HTTP (login step 5 below shows this).

4. Verify that the browser accepts cookies
Webserver plugin operation

1. Verify and decrypt the AI_SESSION cookie
   The plugin applies the public key to the 200-character cookie value and recovers the same 89-byte record (cksum, dateOfIssue, IP, HRId, CERNId, username[27], language, version, flags[40]) that the login application built.

     AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73   (Public Key)

2. If any errors, redirect to the login page

3. Create server-side cookies
   These are injected into the request as the application sees it; the browser never sent them (compare the Cookie header with the showcookies output in login step 5):

     AI_USER=50070;AI_USERNAME=AWIECEK;AI_HRID=493034;AI_LANG=EN;AI_XRESOLUTION=0;AI_YRESOLUTION=0
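The token construction on the login application slide and the check on the plugin slide, written out as an added example. This is not CERN's AIS code and nothing here is taken from the slides beyond the record layout and the 800-bit key size. Assumptions, because the slides do not state them: big-endian packing of the record, CRC32 as the cksum, textbook RSA with no padding (the 89-byte record is numerically smaller than the 100-byte modulus, so the top 11 bytes of a genuine value are zero), a seeded demo key generated inside the block, an 8-hour lifetime, and a one-character language code returned unchanged (the slide shows AI_LANG=EN but the record only has room for one character). The function names issue_token, check_token and plugin are mine.

```python
import random
import struct
import time
import zlib
from ipaddress import IPv4Address

# 89-byte record from the slides: 5 x UINT4, username[27], language, version, flags[40].
# Big-endian packing is an assumption; the slides do not say how the struct is serialised.
LAYOUT = ">IIIII27scB40s"
BODY_LAYOUT = ">IIII27scB40s"          # everything after the cksum field
MODULUS_BYTES = 100                    # 800-bit key -> 100-byte value -> 200 hex characters
LOGIN_URL = "https://aislogin.cern.ch/login-servlet/Login?REFER="   # from login step 1

class TokenError(Exception):
    """Any failure on the plugin side; the slide says the answer is a redirect to the login page."""

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, enough for a demo key; not a substitute for a real key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if _is_probable_prime(c, rng):
            return c

def make_keypair(bits=800, seed=2000):
    """Deterministic (seeded) textbook-RSA demo key of the slide's 800-bit size.
    Returns ((n, e), (n, d)). 800 bits is far below today's 2048-bit floor; demo only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def issue_token(priv, username, client_ip, hrid, cernid, now=None, language=b"E", version=1, flags=b""):
    """Login application steps 2-3: pack the record, stamp the cksum (assumed CRC32), apply the
    private key, hex-encode to the 200-character AI_SESSION value."""
    body = struct.pack(BODY_LAYOUT, int(now or time.time()), int(IPv4Address(client_ip)),
                       hrid, cernid, username.encode("ascii"), language, version, flags)
    record = struct.pack(">I", zlib.crc32(body)) + body
    n, d = priv
    m = int.from_bytes(record, "big")          # 89 bytes < 100-byte modulus: no padding needed
    return pow(m, d, n).to_bytes(MODULUS_BYTES, "big").hex().upper()

def check_token(pub, cookie, client_ip, now=None, max_age=8 * 3600):
    """Plugin step 1: apply the public key, unpack, check leading zeros, cksum, IP binding and age.
    Returns the values the plugin hands to the application (plugin step 3)."""
    n, e = pub
    if len(cookie) != 2 * MODULUS_BYTES:
        raise TokenError("bad length")
    try:
        c = int(cookie, 16)
    except ValueError:
        raise TokenError("not hex") from None
    if c >= n:
        raise TokenError("value outside the modulus")
    full = pow(c, e, n).to_bytes(MODULUS_BYTES, "big")
    if any(full[: MODULUS_BYTES - 89]):        # a genuine record leaves the top 11 bytes zero
        raise TokenError("bad leading bytes")
    record = full[MODULUS_BYTES - 89:]
    cksum, issued, ip, hrid, cernid, user, lang, _ver, _flags = struct.unpack(LAYOUT, record)
    if cksum != zlib.crc32(record[4:]):
        raise TokenError("checksum mismatch")
    if ip != int(IPv4Address(client_ip)):
        raise TokenError("IP mismatch")
    now = int(now or time.time())
    if not issued <= now <= issued + max_age:  # max_age is an assumption; the slides give no lifetime
        raise TokenError("expired or future-dated")
    return {"AI_USER": str(cernid), "AI_USERNAME": user.rstrip(b"\0").decode("ascii"),
            "AI_HRID": str(hrid), "AI_LANG": lang.decode("ascii")}

def plugin(pub, url, cookies, client_ip, now=None):
    """Plugin steps 1-3 for one request: ('302', Location) on any error, else ('200', AI_* values)."""
    try:
        return "200", check_token(pub, cookies.get("AI_SESSION", ""), client_ip, now)
    except TokenError:
        return "302", LOGIN_URL + url
```

The public-key step recovers the record for anyone, so the scheme's strength rests entirely on the redundancy a forger cannot produce without the private exponent: the zero leading bytes, the checksum, and the IP and date bindings. That is the slides' design reproduced, not a recommendation; a new design would use a standard signature scheme (RSA-PSS or an EdDSA signature over the record) rather than raw RSA with message recovery.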
Login step 1

BROWSER request:
  GET http://aisws7.cern.ch/protected/showcookies
  User-Agent: lwp-request/1.37

WEBSERVER response:
  302 AIS login required
  Connection: close
  Date: Thu, 21 Sep 2000 04:28:43 GMT
  Location: https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
  Server: Netscape-Enterprise/3.6 SP3
  Client-Date: Thu, 21 Sep 2000 04:28:43 GMT
  Client-Peer: 137.138.180.19:80

  <HTML>
  <HEAD><TITLE>An Error Occurred</TITLE></HEAD>
  <BODY>
  <H1>An Error Occurred</h1>
  302 AIS login required
  </BODY>
  </HTML>

The Client-* headers in these traces are added by lwp-request on the client side; they were not sent by the server. The plugin carries the originally requested URL in the REFER parameter so that the login server can send the browser back to it.
Login step 2

BROWSER request:
  GET https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
  User-Agent: lwp-request/1.37

WEBSERVER response:
  200 OK
  Cache-Control: no-cache
  Date: 21 Sep 2000 04:26:12 GMT
  Pragma: No-cache
  Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
  Content-Type: text/html; charset=iso-8859-1
  Expires: Thu, 01 Jan 1970 00:00:00 GMT
  Client-Date: Thu, 21 Sep 2000 04:28:44 GMT
  Client-Peer: 137.138.25.20:443
  Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
  Client-SSL-Cipher: EXP-RC4-MD5
  Client-SSL-Warning: Peer certificate not verified
  MIME-Version: 1.0
  Title: Common Login

  <html><head>
  <title>Common Login</title>
  </head>
  .
  <form name="form1" method="post" action="Login">
  <div align="left">
Login step 3

BROWSER request:
  POST https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
  User-Agent: lwp-request/1.37
  Content-Length: 47
  Content-Type: application/x-www-form-urlencoded

WEBSERVER response:
  302 Moved temporarily
  Date: 21 Sep 2000 04:26:13 GMT
  Location: CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies
  Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
  Content-Type: text/html
  Client-Date: Thu, 21 Sep 2000 04:28:45 GMT
  Client-Peer: 137.138.25.20:443
  Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
  Client-SSL-Cipher: EXP-RC4-MD5
  Client-SSL-Warning: Peer certificate not verified
  MIME-Version: 1.0
  Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch
  Set-Cookie: SECURE_LOGIN=1; expires=Sat, 22-Nov-2003 14:12:52 GMT; path=/; domain=.cern.ch

  <HTML>

Two things in this exchange are worth noting. EXP-RC4-MD5 is a 40-bit export-grade cipher suite, and "Peer certificate not verified" means lwp-request did not validate the server certificate (a client-side setting, not a server fault); both reflect the tooling of 2000 and neither is acceptable now. AI_SESSION is a session cookie (no expires) scoped to all of .cern.ch with no Secure attribute, while SECURE_LOGIN is a persistent marker cookie with a 2003 expiry.
Login step 4

BROWSER request:
  GET https://aislogin.cern.ch/login-servlet/CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies
  User-Agent: lwp-request/1.37
  Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

WEBSERVER response:
  200 OK
  Cache-Control: no-cache
  Date: 21 Sep 2000 04:26:14 GMT
  Pragma: No-cache
  Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
  Content-Type: text/html; charset=iso-8859-1
  Expires: Thu, 01 Jan 1970 00:00:00 GMT
  Client-Date: Thu, 21 Sep 2000 04:28:46 GMT
  Client-Peer: 137.138.25.20:443
  Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
  Client-SSL-Cipher: EXP-RC4-MD5
  Client-SSL-Warning: Peer certificate not verified
  MIME-Version: 1.0
  Title: Login Succeeded

  <html><head><title>Login Succeeded</title></head>
  <td><font face="Arial, Helvetica, sans-serif"><b>You may now proceed to <a href="http://aisws7.cern.ch/protected/showcookies"> http://aisws7.cern.ch/protected/showcookies</a>

The CheckLogin round trip is step 4 of the login application slide: the browser is sent to a second URL and must present the cookie it was just given, which confirms that cookies are enabled before the user is returned to the protected page.
Login step 5

BROWSER request:
  GET http://aisws7.cern.ch/protected/showcookies
  User-Agent: lwp-request/1.37
  Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

WEBSERVER response:
  200 OK
  Connection: close
  Date: Thu, 21 Sep 2000 04:28:47 GMT
  Server: Netscape-Enterprise/3.6 SP3
  Content-Type: text/html
  Client-Date: Thu, 21 Sep 2000 04:28:47 GMT
  Client-Peer: 137.138.180.19:80

  <PRE>
  Cookies: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73; AI_USER=50070; AI_USERNAME=AWIECEK; AI_HRID=493034; AI_LANG=EN; AI_XRESOLUTION=0; AI_YRESOLUTION=0
  </PRE>

The browser sent only AI_SESSION; the AI_USER, AI_USERNAME, AI_HRID and AI_LANG values in the application's output were added by the plugin after it verified the token. Note that this request travels over plain HTTP (port 80), so the session token is exposed to anyone on the network path even though the password itself went over SSL.
Login step 6

BROWSER request:
  GET http://aisws7.cern.ch/not-protected/showcookies
  User-Agent: lwp-request/1.37
  Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

WEBSERVER response:
  200 OK
  Connection: close
  Date: Thu, 21 Sep 2000 04:28:47 GMT
  Server: Netscape-Enterprise/3.6 SP3
  Content-Type: text/html
  Client-Date: Thu, 21 Sep 2000 04:28:47 GMT
  Client-Peer: 137.138.180.19:80

  <PRE>
  Cookies: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73;
  </PRE>

On a path the plugin does not protect, no AI_* values are added, but the browser still sends AI_SESSION: the cookie's scope (domain=.cern.ch, path=/) is decided by the browser, not by the plugin, so every host under cern.ch receives the token whether or not it runs the plugin.
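Where the AI_SESSION value travels is decided by the Set-Cookie attributes from step 3, as an added example (not from the slides): a small RFC 6265 domain, path and Secure matcher run against the URLs from the trace. The Set-Cookie line is copied from step 3 with the value shortened; the extra hosts, the Secure variant and the host-only cookie are constructed inputs to show the general rules, not just the two cases on the page.

```python
from urllib.parse import urlsplit

# Set-Cookie header from login step 3 (value shortened; constructed copy for the example).
STEP3_SET_COOKIE = "AI_SESSION=8E6EF5CA5F5602E2; path=/; domain=.cern.ch"
SET_BY_HOST = "aislogin.cern.ch"          # the host that issued it

def parse_set_cookie(header, set_by_host):
    """Name, value and the scoping attributes of one Set-Cookie header (RFC 6265 subset).
    A cookie without a Domain attribute is host-only: it is returned to set_by_host alone."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"domain": set_by_host.lower(), "host_only": True, "path": "/", "secure": False}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        k, v = k.strip().lower(), v.strip()
        if k == "domain" and v:
            attrs["domain"], attrs["host_only"] = v.lower().lstrip("."), False
        elif k == "path" and v.startswith("/"):
            attrs["path"] = v
        elif k == "secure":
            attrs["secure"] = True
    return name, value, attrs

def domain_matches(host, cookie_domain, host_only):
    """RFC 6265 5.1.3 domain-match; host-only cookies need an exact host."""
    host = host.lower()
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(req_path, cookie_path):
    """RFC 6265 5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def cookie_sent_to(set_cookie_header, set_by_host, url):
    """True if a browser that stored this cookie would attach it to a request for url."""
    _name, _value, a = parse_set_cookie(set_cookie_header, set_by_host)
    u = urlsplit(url)
    if a["secure"] and u.scheme != "https":
        return False
    return (domain_matches(u.hostname or "", a["domain"], a["host_only"])
            and path_matches(u.path or "/", a["path"]))

def reach(set_cookie_header, set_by_host, urls):
    """Map each URL to whether the cookie would accompany a request for it."""
    return {u: cookie_sent_to(set_cookie_header, set_by_host, u) for u in urls}
```

Run against the trace, the step-3 cookie reaches both http://aisws7.cern.ch/protected/showcookies and http://aisws7.cern.ch/not-protected/showcookies, and would equally reach any other cern.ch host over plain HTTP; adding a Secure attribute confines it to https:// requests, and dropping the Domain attribute confines it to aislogin.cern.ch itself.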
The AIS Common Login

Features:
• Any cookie-enabled browser
• Password is requested only once and is sent encrypted (SSL)
• Does not use standard HTTP authentication
• Supports HTTP & HTTPS
• Supports clients inside and outside of CERN
• Does authentication only; authorization is handled by the applications
• Requires a web server plugin