Latest revision as of 06:32, 22 July 2016
Step 4. Configure Tomcat to use the SSL certs
Please note: This procedure differs from the official DSpace documentation.
When using the Ubuntu 16.04 LTS server, change all instances of tomcat below to tomcat8.
When using the Ubuntu 14.04 LTS server, change all instances of tomcat below to tomcat7.
When using the Ubuntu 12.04 LTS server, change all instances of tomcat below to tomcat6.
Convert SSL cert to PKCS12
We convert the signed SSL certificate, its private key and the CA's intermediate certificates into a single PKCS#12 keystore, which is the format Tomcat's JSSE connector can load directly.
See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.
To do this become the root user and change to the cert folder, by typing as follows:
sudo -i
cd /etc/ssl/certs
Type the following to create the PKCS12 keystore that bundles the server cert, its private key and the Symantec/Verisign intermediate CA certs. Note that openssl pkcs12 accepts -certfile only once (a second -certfile silently replaces the first, so only one CA cert would end up in the keystore), so concatenate the CA certs into one file first; the file name chain-3G5.pem below is just an example:
cat ICA-3G5.pem PCA-3G5.pem > chain-3G5.pem
openssl pkcs12 -export -certfile chain-3G5.pem -in %hostname%.crt -inkey %hostname%.key -out %hostname%.pkcs12
- Replace %hostname% with the hostname of the server.
- You will be asked for a keystore password.
- Enter it and keep a careful record of it somewhere.
- The .pkcs12 file contains the private key, so restrict it to root and the Tomcat service user (tomcat7 on Ubuntu 14.04), for example: chown root:tomcat7 %hostname%.pkcs12 && chmod 640 %hostname%.pkcs12
You can check the details of the PKCS12 keystore by typing the following. The "Certificate chain length" line should equal 1 plus the number of CA certs you bundled; if it is lower, the intermediates were not included and browsers that do not already have them will show a broken chain:
keytool -list -v -storetype pkcs12 -keystore %hostname%.pkcs12
See example below:
root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 2
Creation date: 09 Oct 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
Certificate fingerprints:
MD5: 43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]
#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa
]] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03 A3 4A 65 90 48 B2 1C E0 ......A..Je.H...
0010: 57 2D 7D 47 W-.G
]
]
Certificate[2]:
Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 6e4ffab3c5e669c4d167c992abe858c4
Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
Certificate fingerprints:
MD5: AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03 A3 4A 65 90 48 B2 1C E0 ......A..Je.H...
0010: 57 2D 7D 47 W-.G
]
]
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com]
]
#5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3-g2.crl]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 1E 1A 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 0...https://www.
0010: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 verisign.com/rpa
]] ]
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
SerialNumber: [ 7dd9fe07 cfa81eb7 107967fb a78934c6]
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-52
]
*******************************************
*******************************************
Setup Tomcat "server.xml" to use the converted certificate
Now the Tomcat server has to be told where to find this keystore file. Edit the /etc/tomcat7/server.xml file as follows:
nano /etc/tomcat7/server.xml
Find the port 8443 connector section.
- Remove the comments surrounding the section.
- Change the listening port to 443. The packaged Tomcat runs as an unprivileged user and cannot bind a port below 1024 on its own, so enable authbind in /etc/default/tomcat7 (or redirect port 443 to the connector port) and check that Tomcat is really listening on 443 after the restart.
- Add the following keystore settings.
keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
keystoreType="PKCS12"
keystorePass="%SecretPassword%" />
- Replace %SecretPassword% with the password you used when creating the keystore above.
- Replace %hostname% with the hostname used when creating the keystore above.
- Because the keystore password now sits in server.xml, make sure that file is readable only by root and the Tomcat user.
Example "server.xml" secure settings
See the full example below using a local PKCS12 keystore file with the password embedded. The connector must stay well-formed XML, so the optional ciphers attribute is noted in an XML comment rather than inside the tag; add ciphers="..." to the Connector once you have chosen a list (see the SSL Ciphers Notes below).
<!-- Optional: add ciphers="..." to the Connector below after reading the SSL Ciphers Notes -->
<Connector port="443" protocol="HTTP/1.1"
    enableLookups="false"
    maxThreads="150"
    URIEncoding="UTF-8"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
    keystoreType="PKCS12"
    keystorePass="%SecretPassword%" />
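A runnable version of the two steps above (the PKCS#12 conversion and a pre-check of the server.xml connector settings), added here as an example; it is not code from the SUNScholar page or from DSpace. So that it runs offline, it generates a throwaway root, intermediate and server certificate on the fly: the names PCA-test.pem, ICA-test.pem and ir1.example.invalid, the password changeit and the temporary directory are all constructed, and in production you would substitute the CA-issued %hostname%.crt and %hostname%.key plus the intermediates the CA supplied. It also shows why the two -certfile options in the original command matter: openssl pkcs12 keeps only the last one, so the resulting keystore is one certificate short.

```sh
#!/bin/sh
# Added worked example for Step 4 (not code from the SUNScholar page).
# Builds the chained PKCS#12 keystore and pre-checks the server.xml
# connector settings. The PKI below is throwaway test material
# (root -> intermediate -> server cert) constructed on the fly; in
# production use the CA-issued %hostname%.crt/.key and the CA's intermediates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                                 # constructed; use a real secret

# ---- constructed test PKI ---------------------------------------------------
make_test_pki() {                             # make_test_pki dir
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Test Root CA' \
    -keyout "$d/root.key" -out "$d/PCA-test.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$d/ica.key" -out "$d/ica.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ica.ext"
  openssl x509 -req -in "$d/ica.csr" -CA "$d/PCA-test.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ica.ext" -out "$d/ICA-test.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=ir1.example.invalid' \
    -keyout "$d/ir1.key" -out "$d/ir1.csr" 2>/dev/null
  printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ir1.example.invalid\n' >"$d/leaf.ext"
  openssl x509 -req -in "$d/ir1.csr" -CA "$d/ICA-test.pem" -CAkey "$d/ica.key" -CAcreateserial \
    -days 365 -extfile "$d/leaf.ext" -out "$d/ir1.crt" 2>/dev/null
}

# ---- Step 4 as intended: ALL CA certs in ONE -certfile ----------------------
# openssl pkcs12 takes -certfile once; a second -certfile silently replaces
# the first, so "-certfile PCA.pem -certfile ICA.pem" ships only ICA.pem.
build_keystore() {                            # build_keystore crt key out pass cacert...
  crt=$1; key=$2; out=$3; pw=$4; shift 4
  cat "$@" >"$out.chain"                      # intermediate(s) first, root last
  openssl pkcs12 -export -name tomcat -in "$crt" -inkey "$key" \
    -certfile "$out.chain" -out "$out" -passout "pass:$pw"
  rm -f "$out.chain"
  chmod 640 "$out"                            # the keystore holds the private key
}

# The page's original form, kept only to show what two -certfile options do.
build_keystore_two_certfiles() {              # ... crt key out pass first second
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -certfile "$6" \
    -out "$3" -passout "pass:$4"
}

# Number of certificates Tomcat will actually send; this is the same number
# keytool -list -v prints as "Certificate chain length".
count_certs() {                               # count_certs keystore pass
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Does the server cert chain to the root through the intermediate?
verify_leaf() {                               # verify_leaf dir
  openssl verify -CAfile "$1/PCA-test.pem" -untrusted "$1/ICA-test.pem" "$1/ir1.crt" >/dev/null 2>&1
}

# ---- pre-flight for the server.xml step -------------------------------------
# Pull keystoreFile/keystorePass out of the Connector and prove the password
# opens the keystore BEFORE restarting Tomcat. The sed extraction assumes one
# attribute per line, as in the page's example connector.
check_connector() {                           # check_connector server.xml
  ks=$(sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$1")
  pw=$(sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1")
  [ -n "$ks" ] && [ -n "$pw" ] || { echo "no keystoreFile/keystorePass in $1"; return 1; }
  openssl pkcs12 -in "$ks" -nokeys -passin "pass:$pw" >/dev/null 2>&1 \
    || { echo "keystorePass does not open $ks"; return 1; }
  # server.xml now carries the keystore password: refuse world-readable copies
  [ -z "$(find "$1" -perm -004)" ] || { echo "$1 is world-readable"; return 1; }
}

# ---- demo -------------------------------------------------------------------
make_test_pki "$WORK"
build_keystore "$WORK/ir1.crt" "$WORK/ir1.key" "$WORK/ir1.pkcs12" "$PASS" \
  "$WORK/ICA-test.pem" "$WORK/PCA-test.pem"
build_keystore_two_certfiles "$WORK/ir1.crt" "$WORK/ir1.key" "$WORK/two.pkcs12" "$PASS" \
  "$WORK/PCA-test.pem" "$WORK/ICA-test.pem"
echo "one -certfile with the concatenated chain: $(count_certs "$WORK/ir1.pkcs12" "$PASS") certs"  # 3
echo "two -certfile options (original form):    $(count_certs "$WORK/two.pkcs12" "$PASS") certs"  # 2
cat >"$WORK/server.xml" <<EOF
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1.2"
    keystoreFile="$WORK/ir1.pkcs12"
    keystoreType="PKCS12"
    keystorePass="$PASS" />
EOF
chmod 640 "$WORK/server.xml"
check_connector "$WORK/server.xml" && echo "connector settings open the keystore"
```

Run it with sh; it prints the certificate count for both keystore builds and confirms that the connector's keystoreFile/keystorePass pair actually opens the keystore, which catches a mistyped %SecretPassword% before Tomcat fails to start. keytool -list -v on the resulting file reports the same count as "Certificate chain length". If a Java 7 or 8 keytool reports the password as incorrect for a keystore produced by OpenSSL 3, re-export with the -legacy option that OpenSSL 3 provides for older PKCS#12 consumers.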
SSL Ciphers Notes:
The cipher list is the heart of the secure link, but there is a trade-off: many users do not upgrade their browsers regularly, so a list restricted to strong modern cipher suites will lock some of them out. Decide how much client compatibility you can afford before tightening it.
- For more details about which cipher suites to use, check the following:
  - https://wiki.mozilla.org/Security/Server_Side_TLS
  - https://wiki.apache.org/tomcat/HowTo/SSLCiphers
  - https://bettercrypto.org
- TLSv1.2 is only available when using JDK 7 and higher. Please see: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Java_Version_7
- For Tomcat 7 the attribute that selects the enabled protocol versions is "sslEnabledProtocols"; "sslProtocols" is the older Tomcat 6 name.
- To see which ciphers and protocol versions the server actually offers, install sslscan and scan the live listener after restarting Tomcat using sslscan --no-failed localhost:443. Anything listed that you did not intend to offer should be removed via the ciphers attribute.
- See the links below for more help about Tomcat cipher setup:
  - https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  - https://weakdh.org/sysadmin.html
  - https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat
  - https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
  - http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
  - https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak