SUNScholar/Secure Internet Connections/S04


Step 4. Configure Tomcat to use the SSL certs
Please note: This procedure differs from the official DSpace documentation.

Convert SSL cert to PKCS12
We convert the signed SSL cert and its private key into a PKCS#12 keystore, which is the format Tomcat will load. See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat

See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file format.

To do this, become the root user and change to the cert folder by typing:

    sudo -i
    cd /etc/ssl/certs

Type the following to create the PKCS12 security cert that is chained with the Symantec/Verisign intermediate CA certs. openssl honours only the last -certfile option it is given, so the two intermediate certs are first joined into one chain file (chain-3G5.pem) and that file is passed once:

    # both intermediates must be in a single file; a second -certfile would replace the first
    cat PCA-3G5.pem ICA-3G5.pem > chain-3G5.pem
    openssl pkcs12 -export -certfile chain-3G5.pem -in %hostname%.crt -inkey %hostname%.key -out %hostname%.pkcs12

 * 1) Replace %hostname% with the hostname of the server.
 * 2) You will be asked for a keystore password.
 * 3) Enter it and keep a careful record of it somewhere.

You can check the details of the PKCS12 cert by typing the following:

    keytool -list -v -storetype pkcs12 -keystore %hostname%.pkcs12

See the example below:

    root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12
    Enter keystore password:

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    Alias name: 2
    Creation date: 09 Oct 2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
    Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
    Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
    Certificate fingerprints:
         MD5:  43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
         SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com
    ,
       accessMethod: 1.3.6.1.5.5.7.48.2
       accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer
      ]
    ]

    #3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

    #4: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
    ]]

    #5: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

    ]]  ]
    ]

    #6: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #7: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

    #8: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: A5 EF 0B 11 CE C0 41 03   A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
    0010: 57 2D 7D 47                                        W-.G
    ]
    ]

    Certificate[2]:
    Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Serial number: 6e4ffab3c5e669c4d167c992abe858c4
    Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
    Certificate fingerprints:
         MD5:  AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
         SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:0
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: A5 EF 0B 11 CE C0 41 03   A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
    0010: 57 2D 7D 47                                        W-.G
    ]
    ]

    #4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com
      ]
    ]

    #5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

    #6: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: http://crl.verisign.com/pca3-g2.crl]
    ]]

    #7: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 63 70 73        risign.com/cps

    ], PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.2
      qualifier: 0000: 30 1E 1A 1C 68 74 74 70   73 3A 2F 2F 77 77 77 2E  0...https://www.
    0010: 76 65 72 69 73 69 67 6E   2E 63 6F 6D 2F 72 70 61  verisign.com/rpa

    ]]  ]
    ]

    #8: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    [OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
    SerialNumber: [    7dd9fe07 cfa81eb7 107967fb a78934c6]
    ]

    #9: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      CN=Class3CA2048-1-52
    ]


Setup Tomcat "server.xml" to use the converted certificate
Now the Tomcat server has to be told where to find this security key file. Edit the /etc/tomcat7/server.xml file:

    nano /etc/tomcat7/server.xml

Find the port 8443 connector section.
 * 1) Remove the comments surrounding the section.
 * 2) Change the listening port to 443.
 * 3) Add the following keystore settings:

    keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
    keystoreType="PKCS12"
    keystorePass="%SecretPassword%" />

 * 1) Replace %SecretPassword% with the password you used when creating the keystore above.
 * 2) Replace %hostname% with the hostname used when creating the keystore above.

Example "server.xml" secure settings
See full example below using a local PKCS12 keystore cert file with password embedded.

    ciphers="<>"

SSL Ciphers Notes:
''This is the heart of the secure link; there is, however, a trade-off. Most users do not upgrade their browsers regularly, so if you implement only a strong modern cipher suite they will not be able to connect.''

 * For more details about which cipher suite to use, check the following:
   * https://wiki.mozilla.org/Security/Server_Side_TLS
   * https://wiki.apache.org/tomcat/HowTo/SSLCiphers
   * https://bettercrypto.org
 * TLSv1.2 is only available when using JDK 7 and higher.
 * For Tomcat7 change "sslProtocols" to "sslEnabledProtocols".
 * To see which ciphers will actually be offered, install sslscan and scan the server with: sslscan --no-failed localhost:443
 * See the links below for more help with Tomcat cipher setup:
   * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
   * https://weakdh.org/sysadmin.html
   * https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat
   * https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
   * http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
   * https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak
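The connector below is an added example (not the page's own server.xml, nor DSpace or Tomcat documentation) that puts together the keystore settings from the server.xml section with the protocol and cipher notes above, so the two can be seen in one place. %hostname% and %SecretPassword% are the page's placeholders; the JSSE cipher names are my own selection and assume JDK 7 or later, and useServerCipherSuitesOrder assumes Tomcat 7.0.61 or later.

```xml
<!-- Added example: Tomcat 7 HTTPS connector using the PKCS12 keystore built above.
     Replace %hostname% and %SecretPassword% exactly as in the steps on this page.
     protocol is pinned to the JSSE (BIO) implementation so that the keystore*
     attributes apply even when the APR native library happens to be installed.
     sslEnabledProtocols is the Tomcat 7 attribute name ("sslProtocols" is the
     older spelling); SSLv3 is deliberately not listed.
     useServerCipherSuitesOrder makes the server's order win; it exists from
     Tomcat 7.0.61 (assumption: that version or later is in use).
     Ciphers: forward-secret ECDHE suites first, then TLS_RSA_WITH_AES_128_CBC_SHA
     as a widely supported non-PFS fallback for the older browsers mentioned in
     the cipher notes. Drop the fallback once those clients no longer matter. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           clientAuth="false"
           keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
           keystoreType="PKCS12"
           keystorePass="%SecretPassword%"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
```

On Debian/Ubuntu the tomcat7 service does not run as root, so binding port 443 needs AUTHBIND=yes in /etc/default/tomcat7 (with an authbind entry for port 443) or a port redirect; after restarting, confirm the negotiated protocols and suites with the sslscan command from the notes above.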