SUNScholar/Secure Internet Connections/S04

From Libopedia
Jump to navigation Jump to search
 NEXT
 PREVIOUS

Step 4. Configure Tomcat to use the SSL certs

Please note: This procedure differs from the official DSpace documentation.

When using the Ubuntu 16.04 LTS server change all instances of tomcat to tomcat8.
When using the Ubuntu 14.04 LTS server change all instances of tomcat to tomcat7.
When using the Ubuntu 12.04 LTS server change all instances of tomcat to tomcat6.

Convert SSL cert to PKCS12

We convert the SSL signed certs, to a PKCS#12 compatible cert.

See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.

To do this become the root user and change to the cert folder, by typing as follows:

sudo -i
cd /etc/ssl/certs

Type the following to create the PKCS12 security cert that is chained with the Symantec/Verisign intermediate CA certs.

openssl pkcs12 -export -certfile PCA-3G5.pem -certfile ICA-3G5.pem -in %hostname%.crt -inkey %hostname%.key -out %hostname%.pkcs12

  1. Replace %hostname% with the hostname of the server.
  2. You will be asked for a keystore password.
  3. Enter it and keep a careful record of it somewhere.

You can check the details of the PKCS12 cert by typing the following:

keytool -list -v -storetype pkcs12 -keystore %hostname%.pkcs12

See example below:

root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12 
Enter keystore password:  

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: 09 Oct 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
Certificate fingerprints:
	 MD5:  43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
	 SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]

#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03   A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]

]

Certificate[2]:
Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 6e4ffab3c5e669c4d167c992abe858c4
Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
Certificate fingerprints:
	 MD5:  AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
	 SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03   A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com]
]

#5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3-g2.crl]
]]

#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 63 70 73        risign.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 1E 1A 1C 68 74 74 70   73 3A 2F 2F 77 77 77 2E  0...https://www.
0010: 76 65 72 69 73 69 67 6E   2E 63 6F 6D 2F 72 70 61  verisign.com/rpa

]]  ]
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
SerialNumber: [    7dd9fe07 cfa81eb7 107967fb a78934c6]
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=Class3CA2048-1-52
]



*******************************************
*******************************************

Setup Tomcat "server.xml" to use the converted certificate

Now the Tomcat server has to be told where to find this security key file. Edit the /etc/tomcat7/server.xml file as follows:

nano /etc/tomcat7/server.xml

Find the port 8443 connector section.

  1. Remove the comments surrounding the section.
  2. Change the listening port to 443.
  3. Add the following keystore settings.
	       keystoreFile="/etc/ssl/certs/%hostname%.pkcs12" 
	       keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />

  1. Replace %SecretPassword% with the password you used when creating the keystore above.
  2. And add the %hostname% used when creating the keystore above.

Example "server.xml" secure settings

See full example below using a local PKCS12 keystore cert file with password embedded.

    <Connector port="443" protocol="HTTP/1.1"
	       enableLookups="false"
               maxThreads="150"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
#               ciphers="<<To enable, See SSL Ciphers Note below then remove the # and replace this text with the cipher list you choose>>" 
	       keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12" 
	       keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />

SSL Ciphers Notes:

This is the heart of the secure link, however there is a trade off. Most users do not upgrade browsers regularly therefore if you implement a strong modern cipher suite they will not be able to connect.

References