Difference between revisions of "SUNScholar/Secure Internet Connections"

From Libopedia
(442 intermediate revisions by the same user not shown)
=Introduction=

Secure internet connections are created using the secure port (443) of the Apache2 web server. Below are instructions for setting up the Apache2 web server for secure internet connections by DEFAULT.

=Defaults=

The default location for certificates is: '''/etc/ssl/certs'''. This is where we will put the certificates. Other services should point to this folder for the certificates.

=Step 1. Create the SSL certificates=

Become root as follows:

 sudo -i

Make the scripts folder:

 mkdir /root/scripts

Open the script file:

 nano /root/scripts/make-new-certs

Then copy and paste the following into the nano editor:

<pre>
#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="bib.sun.ac.za"
EMAIL="wklap@sun.ac.za"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Remove partial output and abort when an openssl step fails
cleanup() {
    echo "Certificate creation failed, removing partial files" >&2
    rm -f "$CPATH.rand" "$CPATH.gendh" "$HOST.cnf"
    exit 1
}

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# NOTE: default_bits = 1024 is the value used on this page; public CAs no
# longer sign keys shorter than 2048 bits, so raise it before applying for
# a signed certificate in Step 3.
CONF="\n
[ req ] \n
default_bits = 1024 \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"

# Quoted so that echo -e keeps the line structure of the config file
echo -e "$CONF" > "$HOST.cnf"
sleep 3

# Create a large random seed for the new key
dd if=/dev/urandom of="$CPATH.rand" count=1 2>/dev/null

# Generate the new key and self-signed certificate, valid for one year
openssl req -new -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key" || cleanup

# The private key must not be readable by other users
chmod 0600 "$CPATH.key"

# Create a large random seed for the signing
# (openssl gendh was removed in OpenSSL 1.1.0; newer releases provide openssl dhparam)
openssl gendh -rand "$CPATH.rand" 1024 > "$CPATH.gendh" || cleanup

# Create a new certificate request
openssl req -new -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr" || cleanup

# Create a "pem" file suitable for Apache2 (contains the private key, so keep it owner-only)
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"
chmod 0600 "$CPATH.pem"

# Clean up (the seed was written to $CPATH.rand, not $HOST.rand)
rm -f "$CPATH.rand"
</pre>

Change the following to suit your organisation:

* $HOST
* $EMAIL
* C=
* ST=
* L=
* O=
* OU=

Save the file and exit.

Now we make the script executable as follows:

 chmod 0755 /root/scripts/make-new-certs

Then we execute the script as follows:

 /root/scripts/make-new-certs

After the script is complete we create the Verisign CA certificate file as follows:

 nano /etc/ssl/certs/verisign-ca.crt

Copy and paste the following into the nano editor:
 
<pre>
-----BEGIN CERTIFICATE-----
(base64-encoded body of the Verisign CA certificate)
-----END CERTIFICATE-----
</pre>
 
Save the file and exit.
 
 
 
=Step 2. Setup Tomcat6 to use the SSL certs=

You must complete step 1 above for this to work.

Change to the cert folder as follows:

 cd /etc/ssl/certs

Type the following to create the Java security cert (a PKCS12 keystore holding the private key and the certificate):

 /usr/bin/openssl pkcs12 -export -out %hostname%.pkcs12 -in %hostname%.crt -inkey %hostname%.key

Replace %hostname% with the hostname of the server. You will be asked for a keystore password. Enter it and keep a careful record of it somewhere.

Now Tomcat6 has to be told where to find this keystore file. Edit the '''/etc/tomcat6/server.xml''' file as follows:

 nano /etc/tomcat6/server.xml

Find the port 443 connector section and add the following keystore settings:

<pre>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />
</pre>

Replace %SecretPassword% with the password you used when creating the keystore above, and %hostname% with the hostname used when creating the keystore above. Because server.xml now holds the keystore password in clear text, make sure the file is readable only by root and the tomcat6 user.
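The following is an added example, not part of this wiki page or of the SUNScholar scripts: it builds the Step 1 files and the Step 2 PKCS12 keystore for one host and then checks that the key, CSR, certificate and keystore really belong together, that the CN equals the hostname, that the certificate is not about to expire and that the private key is not readable by other users. It assumes the openssl command-line tool is installed; the directory, hostname, password and DN values are placeholders.

```shell
#!/bin/bash
# Added example (not the wiki's script): make the Step 1 files and the Step 2
# PKCS12 keystore for one host, then prove they belong together before Tomcat
# is pointed at them. Assumes the openssl CLI; DN values are placeholders.
set -eu

# Key, self-signed cert, CSR and Apache-style pem under $1 for host $2.
# 2048-bit RSA: 1024-bit keys (the wiki's default_bits) are refused by CAs.
make_certs() {
    local dir="$1" host="$2" cnf="$1/$2.cnf"
    printf '%s\n' '[ req ]' 'default_bits = 2048' 'encrypt_key = no' \
        'distinguished_name = req_dn' 'x509_extensions = cert_type' 'prompt = no' \
        '[ req_dn ]' 'C = ZA' 'ST = WP' 'L = Stellenbosch' 'O = Example University' \
        'OU = Library' "CN = $host" \
        '[ cert_type ]' 'nsCertType = server' "subjectAltName = DNS:$host" > "$cnf"
    openssl req -new -x509 -days 365 -nodes -config "$cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$cnf" -out "$dir/$host.csr" 2>/dev/null
    chmod 0600 "$dir/$host.key"                  # private key: owner-only
    cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem"
}

# Same conversion as Step 2, with the keystore password given as $3.
make_keystore() {
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" \
        -out "$1/$2.pkcs12" -passout "pass:$3"
}

# Prints "ok" when key, CSR, cert and keystore all agree, else the first failure.
verify_certs() {
    local dir="$1" host="$2" pass="$3" kmod cn
    kmod=$(openssl rsa -noout -modulus -in "$dir/$host.key" 2>/dev/null)
    [ "$(openssl x509 -noout -modulus -in "$dir/$host.crt")" = "$kmod" ] \
        || { echo "key/cert mismatch"; return 1; }
    [ "$(openssl req -noout -modulus -in "$dir/$host.csr")" = "$kmod" ] \
        || { echo "key/csr mismatch"; return 1; }
    # The cert Tomcat will actually serve is the one inside the PKCS12 file.
    [ "$(openssl pkcs12 -in "$dir/$host.pkcs12" -nokeys -clcerts -passin "pass:$pass" \
          2>/dev/null | openssl x509 -noout -modulus 2>/dev/null)" = "$kmod" ] \
        || { echo "keystore does not hold this key's certificate"; return 1; }
    # CN must equal the name clients connect to, or browsers warn.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/$host.crt" \
          | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "CN is '$cn', expected '$host'"; return 1; }
    # -checkend N fails if the cert expires within N seconds (30 days here).
    openssl x509 -noout -checkend $((30 * 86400)) -in "$dir/$host.crt" >/dev/null \
        || { echo "certificate expires within 30 days"; return 1; }
    [ "$(ls -l "$dir/$host.key" | cut -c5-10)" = "------" ] \
        || { echo "private key is group/world readable"; return 1; }
    echo ok
}
```

Run it against the real /etc/ssl/certs files with the keystore password from server.xml; any output other than "ok" names the first inconsistency to fix before restarting Tomcat.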
 
 
 
=Step 3. Apply for a signed certificate=

Send the file ending with '''.csr''' created above in the '''/etc/ssl/certs''' folder to a recognised certificate authority for signing.

The following can supply signed certificates for an annual fee:

* http://www.thawte.com
* http://www.verisign.com
* http://www.geotrust.com
* http://www.rapidssl.com

Try to shop around for the best prices.

After payment they will send you the signed certificate, which you copy to the '''/etc/ssl/certs''' folder.

=Command Line Help=

'''<font color="red">Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.</font>'''

=References=

* http://www.linode.com/wiki/index.php/Apache2_SSL_in_Ubuntu
* http://linuxgravity.com/configuring-apache-for-ssl
* http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
* http://www.tc.umn.edu/~brams006/selfsign.html

'''[[SUNScholar/IR|Back to IR Help]]'''
 

Latest revision as of 13:18, 27 March 2017

Back to Internet Security

For the need to use https, check: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org

To check if your internet connection is secure, use: https://www.eff.org/https-everywhere

Introduction

This wiki page describes a method of securing communications to a DSpace installation on the internet.

To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.

Requirements

  • Secure connections are not needed if doing an evaluation of the software on a test server behind your institution's firewall.
  • It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.

Port 443 Firewall Access

Secure internet connections are created using the secure port (443), which must be opened on the campus and local server firewall.

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall

SSL Certificate Defaults

  • The default location for certificates is: /etc/ssl/certs.
  • This is where we will put the certificates.
  • Other services should point to this folder for the certificates.

Procedure

Step 1 - Create the SSL certificates

Step 2 - Apply for a signed certificate

Step 3 - Get the intermediate CA certs

Step 4 - Configure Tomcat to use the SSL certs

Step 5 - Enable secure XMLUI logins

Step 6 - Enable HTTPS by default

Step 7 - Rebuild DSpace

Step 8 - Check the secure connection

YouTube Video

https://www.youtube.com/watch?v=YtrdxiYUcOQ

References

Tomcat

  • https://tomcat.apache.org/tomcat-8.0-doc
  • https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support

  • https://tomcat.apache.org/tomcat-7.0-doc
  • https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

  • https://tomcat.apache.org/tomcat-6.0-doc
  • https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

  • http://wiki.apache.org/tomcat/FAQ/Security
  • http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
  • http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
  • http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR
  • http://johnjianfang.blogspot.com/2009/06/ssl-configuration-for-tomcat.html
  • http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
  • http://blog.lesc.se/2009/09/how-to-makejava-ssl-trust-certificate.html
  • https://www.owasp.org/index.php/Securing_tomcat
  • https://www.mulesoft.com/tcat/tomcat-security

SSL/TLS

  • http://www.openssl.org
  • http://www.openssl.org/docs/apps/pkcs12.html
  • http://www.madboa.com/geek/openssl/
  • http://news.netcraft.com/ssl-survey
  • http://www.mulesoft.com/tomcat-ssl
  • http://www.sslshopper.com
  • http://www.sslshopper.com/ssl-faq.html
  • http://www.sslshopper.com/article-most-common-openssl-commands.html
  • http://www.clintharris.net/2009/self-signed-certificates
  • https://www.ssllabs.com/projects/best-practices/index.html
  • https://www.feistyduck.com/books/openssl-cookbook/
  • http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
  • https://www.maketecheasier.com/apache-server-ssl-support
  • https://mozilla.github.io/server-side-tls/ssl-config-generator
  • https://istlsfastyet.com

Letsencrypt/Certbot

  • https://letsencrypt.org
  • https://certbot.eff.org/#ubuntuxenial-other
  • https://certbot.eff.org/#ubuntutrusty-other
  • https://hostpresto.com/community/tutorials/how-to-secure-your-apache-using-certbot-ssl
  • https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
  • http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu
  • https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/1
  • https://github.com/StuAtGit/LetsEncrypt
  • https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds
  • https://www.sslforfree.com

Monopoly Notes

Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.

  • http://en.wikipedia.org/wiki/Thawte
  • http://en.wikipedia.org/wiki/Geotrust
  • http://en.wikipedia.org/wiki/Verisign
  • http://en.wikipedia.org/wiki/Symantec

Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.

Update - 2016/09/01. Letsencrypt is now allowing us to protect ourselves from the NSA!

News

  • https://www.youtube.com/watch?v=3G8dPAdmyss
  • http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361-druck.html

Category: System Administration