SUNScholar/Secure Internet Connections

For why HTTPS is needed, see: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org

To check if your internet connection is secure, use: https://www.eff.org/https-everywhere

Introduction
This wiki page describes a method of securing communications to a DSpace installation on the internet.

To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system be encrypted using the procedure detailed below.

Requirements

 * Secure connections are not needed when evaluating the software on a test server behind your institution's firewall.
 * It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.

Port 443 Firewall Access
Secure internet connections use the secure port (443), which must be opened on both the campus firewall and the local server firewall. See: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall

SSL Certificate Defaults

 * The default location for certificates is: /etc/ssl/certs.
 * This is where we will put the certificates.
 * Other services should point to this folder for the certificates.

YouTube Video
https://www.youtube.com/watch?v=YtrdxiYUcOQ

Tomcat

 * https://tomcat.apache.org/tomcat-8.0-doc
 * https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support


 * https://tomcat.apache.org/tomcat-7.0-doc
 * https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support


 * https://tomcat.apache.org/tomcat-6.0-doc
 * https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html


 * http://wiki.apache.org/tomcat/FAQ/Security
 * http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
 * http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
 * http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR
 * http://johnjianfang.blogspot.com/2009/06/ssl-configuration-for-tomcat.html
 * http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
 * http://blog.lesc.se/2009/09/how-to-makejava-ssl-trust-certificate.html
 * https://www.owasp.org/index.php/Securing_tomcat
 * https://www.mulesoft.com/tcat/tomcat-security

SSL/TLS

 * http://www.openssl.org
 * http://www.openssl.org/docs/apps/pkcs12.html
 * http://www.madboa.com/geek/openssl/
 * http://news.netcraft.com/ssl-survey
 * http://www.mulesoft.com/tomcat-ssl
 * http://www.sslshopper.com
 * http://www.sslshopper.com/ssl-faq.html
 * http://www.sslshopper.com/article-most-common-openssl-commands.html
 * http://www.clintharris.net/2009/self-signed-certificates
 * https://www.ssllabs.com/projects/best-practices/index.html
 * https://www.feistyduck.com/books/openssl-cookbook/
 * http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
 * https://www.maketecheasier.com/apache-server-ssl-support
 * https://mozilla.github.io/server-side-tls/ssl-config-generator
 * https://istlsfastyet.com

Letsencrypt/Certbot

 * https://letsencrypt.org
 * https://certbot.eff.org/#ubuntuxenial-other
 * https://certbot.eff.org/#ubuntutrusty-other
 * https://hostpresto.com/community/tutorials/how-to-secure-your-apache-using-certbot-ssl
 * https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
 * http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu
 * https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/1
 * https://github.com/StuAtGit/LetsEncrypt
 * https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds
 * https://www.sslforfree.com

Monopoly Notes
Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.
 * http://en.wikipedia.org/wiki/Thawte
 * http://en.wikipedia.org/wiki/Geotrust
 * http://en.wikipedia.org/wiki/Verisign
 * http://en.wikipedia.org/wiki/Symantec

Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.

Update - 2016/09/01. Letsencrypt is now allowing us to protect ourselves from the NSA!

News

 * https://www.youtube.com/watch?v=3G8dPAdmyss
 * http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361-druck.html