SUNScholar/Secure Internet Connections

This wiki page relates to the system build and maintenance of: http://scholar.sun.ac.za

Requirements

The Tomcat server MUST be listening on ports 80 and 443. See link below.

Introduction

This procedure assumes that you have used the three-step process to install an Ubuntu server with the DSpace software.

Monopoly

Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.

SSL Defaults

  • The default location for certificates is: /etc/ssl/certs. This is where we will put the certificates. Other services should point to this folder for the certificates.
  • Secure internet connections are created using the secure port (443) which must be opened on the campus firewall.

Step 1. Create the SSL certificates

Login to the server:

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01

Become root as follows:

sudo -i

Make the scripts folder:

mkdir /root/scripts

Open the script file:

nano /root/scripts/make-new-certs

Then copy and paste the following into the nano editor. Please read the notes appended to this box below carefully.

#! /bin/bash

# Check for SSL binaries (install non-interactively if missing)
test -x /usr/bin/openssl || apt-get install -y openssl

# Setup certificate variables
HOST="bib.sun.ac.za"
EMAIL="wklap@sun.ac.za"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Abort and remove any half-written files if an openssl step fails
cleanup() {
    echo "Certificate creation failed, cleaning up" >&2
    rm -f "$CPATH.rand" "$CPATH.key" "$CPATH.crt" "$CPATH.csr" "$CPATH.pem" "$CPATH.gendh"
    exit 1
}

# Write the config file used to create the certs (a here-document, so no
# "echo -e" and "\n" juggling is needed and $HOST / $EMAIL are expanded as-is)
# Fill in your own values for "ST", "L", "O" and "OU"
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL
[ cert_type ]
nsCertType = server
EOF

# Create a large random seed for the new key
dd if=/dev/urandom of="$CPATH.rand" count=1 2>/dev/null

# Generate the new key and a temporary self-signed certificate (replaced by the
# CA-signed certificate in Step 2); -nodes leaves the key unencrypted so that
# Tomcat can load it without a passphrase
openssl req -new -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key" || cleanup

# Generate Diffie-Hellman parameters (the original wiki script used "openssl gendh",
# which newer OpenSSL releases have dropped in favour of "dhparam")
openssl dhparam -rand "$CPATH.rand" 2048 > "$CPATH.gendh" || cleanup

# Create a new certificate request for the certificate authority to sign
openssl req -new -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr" || cleanup

# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Both files contain the private key: make them readable by root only
chmod 0600 "$CPATH.key" "$CPATH.pem"

# Clean up the random seed
rm -f "$CPATH.rand"

Change the following to suit your organisation:
  • $HOST - This is the registered hostname of the computer for which you are creating the SSL certificate.
  • $EMAIL - This is the system admin email address of the computer.
  • C = This is the country, ZA for South Africa
  • ST = This is the state/province, WP for Western Province
  • L = This is the locality/town/city, Stellenbosch for us
  • O = This is the organisation, Stellenbosch University for us
  • OU = This is the organisational unit, JSG Library for us


NANO Editor Help
  1. Save the file by typing CTL+O and then pressing Enter.
  2. To exit "nano" type CTL+X.


Now we make the script executable as follows:

chmod 0755 /root/scripts/make-new-certs

Then we execute the script as follows:

/root/scripts/make-new-certs

Step 2. Apply for a signed certificate

Application

Send the file %hostname%.csr from the /etc/ssl/certs folder to a recognised certificate authority for signing.

Try to shop around for the best prices. See: http://www.sslshopper.com

Activation

Assuming that the supplied signed certificate is called verisign.cer and is stored in the /root folder, follow the procedure below as the root user to activate the signed certificate.

cd /root
cp verisign.cer /etc/ssl/certs/%hostname%.crt

Replace %hostname% with the hostname of your server.

To extract details of the signed certificate, type the following.

openssl x509 -text -in /etc/ssl/certs/%hostname%.crt

Replace %hostname% with the hostname of your server.

See example extraction below.

root@ar1:/etc/ssl/certs# openssl x509 -text -in /etc/ssl/certs/ar1.sun.ac.za.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:48:0a:37:5a:d7:bc:89:c8:87:61:a3:e3:74:75:c5
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Validity
            Not Before: Oct 23 00:00:00 2012 GMT
            Not After : Oct 24 23:59:59 2013 GMT
        Subject: C=ZA, ST=Western Cape, L=Stellenbosch, O=Universiteit Stellenbosch, OU=JS Gericke Library, CN=ar1.sun.ac.za
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:2a:22:98:c8:62:31:4b:6a:75:fd:7c:db:29:
                    0c:c4:5a:c4:93:bb:34:2a:72:2f:2a:cb:95:e8:60:
                    43:6d:72:f8:0b:e8:12:4c:8c:f3:47:13:69:2e:f8:
                    7b:cc:23:33:4d:06:fb:4d:a4:2f:34:2c:c4:0b:bc:
                    4a:73:bb:a2:ab:a1:88:59:a7:81:b8:85:b4:9b:c0:
                    92:2a:86:03:68:38:30:f7:ef:31:1b:8f:79:a7:12:
                    0d:fc:4a:3a:ab:62:03:07:e5:c0:c9:3a:c4:af:94:
                    6f:dd:87:d5:80:5e:41:b6:92:25:5b:7d:bc:f7:a4:
                    f9:82:ef:36:74:8d:a6:fa:39:7b:aa:23:ea:1d:97:
                    b1:c7:e3:a4:82:3f:19:88:33:56:34:1f:20:02:a0:
                    f7:fd:2e:2a:ec:a9:87:e7:26:1f:93:41:b0:65:f0:
                    1f:da:12:66:96:97:93:5f:42:bf:b6:bc:9b:7c:74:
                    6f:9c:09:6c:51:f6:fb:e2:78:4b:97:96:12:77:d2:
                    4a:ed:75:aa:e3:db:05:e5:8a:e5:3c:ea:a5:dd:34:
                    20:8f:27:e4:30:2e:58:17:30:dd:1c:06:ae:30:de:
                    89:08:7e:a5:a1:48:24:0a:be:5e:4e:fb:9f:1f:dc:
                    52:d0:51:df:99:c4:ab:fb:5c:b0:1d:72:cf:be:26:
                    d6:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ar1.sun.ac.za
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.verisign.com/cps

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

    Signature Algorithm: sha1WithRSAEncryption
         02:14:7a:e5:21:81:4d:e9:6f:3a:45:38:cf:f5:0c:7c:88:0b:
         73:58:aa:d7:f9:c3:9e:32:2a:fa:76:15:a5:1d:15:4e:4c:44:
         11:d5:7c:25:c9:5f:f9:45:f9:a4:11:90:40:42:68:d4:28:7d:
         ed:08:67:6d:6c:3b:6e:d5:e0:cd:28:c7:54:7d:e5:61:cc:9d:
         5e:ab:0b:30:30:37:8e:55:ec:51:e6:f7:ff:d5:b4:fb:05:79:
         6e:46:44:1b:c8:4f:4d:6f:d5:53:d9:42:d7:00:93:38:0b:a0:
         48:99:ef:0c:15:29:16:e3:36:ca:e7:4c:61:72:23:36:69:89:
         cb:34:a0:7e:82:65:6f:35:d8:78:1a:d6:fd:34:60:c6:12:64:
         8d:76:85:a4:c0:88:17:7a:44:6e:95:3d:59:0d:96:1f:90:37:
         cd:02:b7:d2:77:d7:45:a0:57:03:b8:67:24:81:07:3d:f2:7f:
         07:6a:68:71:1f:72:df:77:2e:22:bf:ad:72:e0:bb:0b:4d:0a:
         0c:63:0e:9d:60:85:2f:eb:7a:c7:65:50:bb:59:06:4b:4a:5f:
         1f:2a:e2:75:2c:e9:f9:18:fc:f0:6d:e7:22:38:71:53:ea:f1:
         4b:66:dc:7b:8c:3a:45:b2:a6:e3:4d:2c:be:f9:2c:c2:3a:66:
         30:58:66:5f
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

See example listing below.

root@ir1:/etc/ssl/certs# ls -l scholar.sun.ac.za.*
-rw-r--r-- 1 root root 1864 2010-09-21 13:42 scholar.sun.ac.za.crt
-rw-r--r-- 1 root root  749 2010-09-15 09:31 scholar.sun.ac.za.csr
-rw-r--r-- 1 root root  245 2010-09-15 09:31 scholar.sun.ac.za.gendh
-rw-r--r-- 1 root root  887 2010-09-15 09:31 scholar.sun.ac.za.key
-rw-r--r-- 1 root root 1969 2010-09-15 09:31 scholar.sun.ac.za.pem
-rw-r--r-- 1 root root 3957 2012-10-01 09:35 scholar.sun.ac.za.pkcs12
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
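Once the signed certificate has been copied into place, it is worth confirming that it really was issued for the private key generated in Step 1, that the key is not world-readable (note the 644 mode in the listing above) and that the certificate is not close to expiry. The script below is an added example and is not part of the original wiki page; it follows the page's file layout (/etc/ssl/certs/<hostname>.key, .csr and .crt) and takes the directory as a parameter so that the same checks can be run against scratch files. The make_test_material function only builds constructed throwaway files for trying it out.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: checks to run after the
# CA-signed certificate has been copied over /etc/ssl/certs/<hostname>.crt.
# It confirms that the private key, the CSR and the certificate share one RSA
# modulus (i.e. the CA signed *our* request), that the private key is readable
# by root only, and that the certificate is not about to expire.

# Print the RSA modulus of a key, CSR or certificate; $1 is one of key|csr|crt.
modulus_of() {
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        csr) openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
        crt) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Return 0 when the file $3 of type $1 (csr|crt) was made for private key $2.
matches_key() {
    k=$(modulus_of key "$2") || return 1
    o=$(modulus_of "$1" "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Return 0 when only the owner can read the private key (mode 600 or 400).
key_is_private() {
    perm=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$perm" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Return 0 when the certificate is still valid $2 seconds from now (default 30 days).
cert_not_expiring() {
    openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null 2>&1
}

# Run every check for <dir>/<hostname>.{key,csr,crt}; print one line per check
# and return the number of failed checks (0 means everything is in order).
check_host_certs() {
    dir=$1; host=$2; failures=0
    if matches_key crt "$dir/$host.key" "$dir/$host.crt"; then
        echo "ok:   certificate matches $host.key"
    else
        echo "FAIL: certificate does not belong to $host.key"; failures=$((failures + 1))
    fi
    if matches_key csr "$dir/$host.key" "$dir/$host.csr"; then
        echo "ok:   CSR matches $host.key"
    else
        echo "FAIL: CSR does not belong to $host.key"; failures=$((failures + 1))
    fi
    if key_is_private "$dir/$host.key"; then
        echo "ok:   $host.key is readable by its owner only"
    else
        echo "FAIL: $host.key is readable by other users (chmod 600 it)"; failures=$((failures + 1))
    fi
    if cert_not_expiring "$dir/$host.crt"; then
        echo "ok:   certificate valid for at least 30 more days"
    else
        echo "FAIL: certificate expires within 30 days (or is unreadable)"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed test material: a throwaway key, self-signed certificate and CSR
# for host $2 under directory $1, laid out like the files the page's script makes.
make_test_material() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Usage on the real server (save as e.g. /root/scripts/check-certs):
#   /root/scripts/check-certs scholar.sun.ac.za
if [ "$#" -eq 1 ]; then
    check_host_certs /etc/ssl/certs "$1"
fi
```

A mismatch on the first check is the classic symptom of a CSR generated on one machine and the signed certificate installed on another, or of the make-new-certs script having been re-run (which overwrites the key) between applying for and receiving the certificate.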

Step 3. Intermediate CA certs

If you choose VeriSign/Symantec as your cert provider, then follow this procedure to set up the intermediate CA certs. If not, then consult your cert provider on how to obtain the required intermediate CA certs.

The cert provided by VeriSign/Symantec is signed by "CN=VeriSign Class 3 Secure Server CA - G3", so we need the Class 3 G3 intermediate certs that match our signed cert; see below for setup.

Download the VeriSign public CA Class 3 G3 certs from the following links by typing as follows:

cd /etc/ssl/certs

Get the root/primary CA cert:

wget http://web.lib.sun.ac.za/style/sunscholar/PCA-3G3.pem

Get the intermediate CA cert:

wget http://web.lib.sun.ac.za/style/sunscholar/ICA-3G3.pem

For more intermediate CA cert info see the following links:


Do not continue until you have all the required certs from a trusted authority.

Step 4. Setup Tomcat to use the SSL certs

Convert SSL cert to PKCS12

We convert the signed SSL certificate and its private key into a PKCS#12 keystore, which is the format Tomcat will load.

See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.

To do this as the root user, change to the cert folder as follows:

cd /etc/ssl/certs

Type the following to create the PKCS12 keystore chained with the Symantec/VeriSign intermediate CA certs mentioned above. Note that openssl pkcs12 honours only the last -certfile option on the command line, so the two CA certs are first concatenated into one chain file (chain-3G3.pem is just a working name) and that file is passed once.

cat ICA-3G3.pem PCA-3G3.pem > chain-3G3.pem
openssl pkcs12 -export -certfile chain-3G3.pem -in %hostname%.crt -inkey %hostname%.key -out %hostname%.pkcs12

  1. Replace %hostname% with the hostname of the server.
  2. You will be asked for a keystore password.
  3. Enter it and keep a careful record of it somewhere.

You can check the details of the PKCS12 cert by typing the following:

keytool -list -v -storetype pkcs12 -keystore %hostname%.pkcs12
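The reason Step 3 insists on the intermediate cert, and the reason the keystore must contain the whole chain, can be demonstrated without a real CA. The script below is an added example, not part of the original wiki page or of the DSpace project: it builds a constructed three-level hierarchy (a made-up "Test Root CA", an intermediate, and a server certificate for the invented host.example) in a scratch directory, shows that the server certificate does not verify against the root alone, and then counts what actually lands in a PKCS12 keystore built the right way (one concatenated -certfile) versus the wrong way (two -certfile options). Nothing here touches /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not part of the original wiki page. All names (Test Root CA,
# host.example, chain.pem, ...) are constructed for the demonstration.

# Build root.crt, ica.crt (intermediate) and host.crt/host.key under directory $1.
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
    # Root CA: self-signed and explicitly marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    # Intermediate CA: its CSR is signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$d/ica.key" -out "$d/ica.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/ica.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/ica.crt" 2>/dev/null || return 1
    # Server certificate: our CSR, signed by the intermediate (as a public CA does).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/host.csr" -CA "$d/ica.crt" -CAkey "$d/ica.key" \
        -CAcreateserial -extfile "$d/srv.ext" -out "$d/host.crt" 2>/dev/null
}

# Return 0 when certificate $3 chains up to the trusted root $1. $2 is an
# optional file of untrusted intermediates, i.e. what a browser gets only if
# the server sends them along with its own certificate.
chains_to_root() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# Build the keystore the way Step 4 intends: server key + cert plus the whole
# CA chain. openssl pkcs12 keeps only the LAST -certfile given, so the
# intermediate and root are concatenated into one file first.
build_keystore() {
    d=$1; pass=$2
    cat "$d/ica.crt" "$d/root.crt" > "$d/chain.pem"
    openssl pkcs12 -export -certfile "$d/chain.pem" -in "$d/host.crt" -inkey "$d/host.key" \
        -out "$d/host.pkcs12" -passout "pass:$pass" 2>/dev/null
}

# The mistaken form with two -certfile options: only the second file is bundled.
build_keystore_two_certfiles() {
    d=$1; pass=$2
    openssl pkcs12 -export -certfile "$d/root.crt" -certfile "$d/ica.crt" \
        -in "$d/host.crt" -inkey "$d/host.key" -out "$d/host-short.pkcs12" \
        -passout "pass:$pass" 2>/dev/null
}

# Print how many certificates keystore $1 contains (server cert + chain).
count_keystore_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

On the real server the same count_keystore_certs check against /etc/ssl/certs/%hostname%.pkcs12 should report three certificates (server, ICA-3G3, PCA-3G3); a count of two means the chain file was not built correctly and clients that do not already hold the intermediate will reject the connection.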

Setup Tomcat "server.xml" to use converted cert

Now the Tomcat server has to be told where to find this keystore. Edit the /etc/tomcat6/server.xml file as follows:

nano /etc/tomcat6/server.xml

Find the port 8443 connector section.

  1. Remove the comments surrounding the section.
  2. Change the listening port to 443.
  3. Add the following keystore settings.
               keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />

  1. Replace %SecretPassword% with the password you used when creating the keystore above.
  2. And add the %hostname% used when creating the keystore above.

See full example below using a local PKCS12 keystore cert file with the password embedded.

    <Connector port="443" protocol="HTTP/1.1"
               enableLookups="false"
               maxThreads="150"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />

NANO Editor Help
  1. Save the file by typing CTL+O and then pressing Enter.
  2. To exit "nano" type CTL+X.

Step 5. Enable secure XMLUI logins

Become the dspace user

su dspace

Open the DSpace config file for editing as follows:

nano /home/dspace/dspace-1.8.2-src-release/dspace/config/dspace.cfg

Go to the following section of the DSpace config file:

# Force all authenticated connections to use SSL, only non-authenticated
# connections are allowed over plain http. If set to true, then you need to
# ensure that the 'dspace.hostname' parameter is set to the correctly.
xmlui.force.ssl = true

Enable secure logins by setting "xmlui.force.ssl" to true, as shown above.


NANO Editor Help
  1. Save the file by typing CTL+O and then pressing Enter.
  2. To exit "nano" type CTL+X.

Step 6. Rebuild DSpace

Rebuild the DSpace webapps using the custom rebuild script.

Step 7. Check the secure connection

Below is an example screenshot of testing a secure connection using the sslshopper website SSL checker.

(Screenshot: Sunscholar-ssl.png)

References

Command Line Help

Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.
