Difference between revisions of "SUNScholar/Secure Internet Connections"
Revision as of 12:23, 6 June 2011
Introduction
Secure internet connections are created using the secure port (443) of the Apache2 web server. Below are instructions for setting up the Apache2 web server for secure internet connections by DEFAULT.
Defaults
The default location for certificates is /etc/ssl/certs. This is where we will put the certificates, and other services should point to this folder for them.
Step 1. Create the SSL certificates
Become root as follows:
sudo -i
Make the scripts folder:
mkdir /root/scripts
Open the script file:
nano /root/scripts/make-new-certs
Then copy and paste the following into the nano editor:
#! /bin/bash
# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl
# Setup certificate variables
HOST="bib.sun.ac.za"
EMAIL="wklap@sun.ac.za"
# Set certs path
CERTS="/etc/ssl/certs/"
# Build path for certificate creation
CPATH="$CERTS$HOST"
# Remove partial output and stop if any openssl step fails
cleanup() {
    echo "Certificate creation failed, removing partial files" >&2
    rm -f "$CPATH.rand" "$CPATH.crt" "$CPATH.key" "$CPATH.gendh" "$CPATH.csr" "$HOST.cnf"
    exit 1
}
# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# (encrypt_key is overridden by -nodes below, so the key is written unencrypted;
#  1024-bit keys are below today's accepted minimum, 2048 is the usual choice now)
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL
[ cert_type ]
nsCertType = server
EOF
# Create a large random seed for the new key
dd if=/dev/urandom of="$CPATH.rand" count=1 2>/dev/null
# Generate the new key and self-signed certificate
openssl req -new -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key" || cleanup
# Create Diffie-Hellman parameters seeded from the random file
openssl gendh -rand "$CPATH.rand" 1024 > "$CPATH.gendh" || cleanup
# Create a new certificate request (this .csr file is sent to a CA in Step 5)
openssl req -new -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr" || cleanup
# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"
# The key and pem files hold the unencrypted private key: readable by root only
chmod 0600 "$CPATH.key" "$CPATH.pem"
# Clean up the random seed (it was written to $CPATH.rand, not $HOST.rand)
rm -f "$CPATH.rand"
Change the following to suit your organisation:
- $HOST
- C=
- ST=
- L=
- O=
- OU=
Save the file and exit.
Now we make the script executable as follows:
chmod 0755 /root/scripts/make-new-certs
Then we execute the script as follows:
/root/scripts/make-new-certs
After the script is complete we add the Verisign CA certificate as follows:
nano /etc/ssl/certs/verisign-ca.crt
Copy and paste the following to the nano editor:
-----BEGIN CERTIFICATE-----
MIIGLDCCBZWgAwIBAgIQbk/6s8XmacTRZ8mSq+hYxDANBgkqhkiG9w0BAQUFADCB
wTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYDVQQL
EzNDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
IC0gRzIxOjA4BgNVBAsTMShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1
dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
cmswHhcNMDkwMzI1MDAwMDAwWhcNMTkwMzI0MjM1OTU5WjCBtTELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93
d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xh
c3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDUVo9XOzcopkBj0pXVBXTatRlqltZxVy/iwDSMoJWzjOE3JPMu
7UNFBY6J1/raSrX4Po1Ox/lJUEU3QJ90qqBRVWHxYISJpZ6AjS+wIapFgsTPtBR/
RxUgKIKwaBLArlwH1/ZZzMtiVlxNSf8miKtUUTovStoOmOKJcrn892g8xB85essX
gfMMrQ/cYWIbEAsEHikYcV5iy0PevjG6cQIZTiapUdqMZGkD3pz9ff17Ybz8hHyI
XLTDe+1fK0YS8f0AAZqLW+mjBS6PLlve8xt4+GaRCMBeztWwNsrUqHugffkwer/4
3RlRKyC6/qfPoU6wZ/WAqiuDLtKOVImOHikLAgMBAAGjggKpMIICpTA0BggrBgEF
BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTAS
BgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4RQEHFwMwVjAo
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAqBggrBgEF
BQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzIuY3JsMA4GA1Ud
DwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYw
ITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9n
by52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjApBgNVHREEIjAgpB4wHDEaMBgGA1UE
AxMRQ2xhc3MzQ0EyMDQ4LTEtNTIwHQYDVR0OBBYEFKXvCxHOwEEDo0plkEiyHOBX
LX1HMIHnBgNVHSMEgd8wgdyhgcekgcQwgcExCzAJBgNVBAYTAlVTMRcwFQYDVQQK
Ew5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMgUHJpbWFy
eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5
OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD
VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrghB92f4Hz6getxB5Z/uniTTGMA0G
CSqGSIb3DQEBBQUAA4GBAGN0Lz1Tqi+X7CYRZhr+8d5BJxnSf9jBHPniOFY6H5Cu
OcUgdav4bC1nHynCIdcUiGNLsJsnY5H48KMBJLb7j+M9AgtvVP7UzNvWhb98lR5e
YhHB2QmcQrmy1KotmDojYMyimvFu6M+O0Ro8XhnF15s1sAIjJOUFuNWI4+D6ufRf
-----END CERTIFICATE-----
Save the file and exit.
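Before trusting a CA certificate pasted from a web page it is worth confirming what it actually contains and whether it is still within its validity period. The following Python script is an added example, not part of the original page: using only the standard library, it decodes the PEM block above with a small hand-written DER walker and reports the subject common name, the issuer organisation and the validity window. It assumes the layout RFC 5280 prescribes for tbsCertificate (optional version, serial, signature algorithm, issuer, validity, subject) and that name attributes use a PrintableString or UTF8String, both of which hold for this certificate. Run against the certificate above it reports that the VeriSign Class 3 Secure Server CA - G2 certificate was valid from 25 March 2009 to 24 March 2019, so a server that still chains to it will no longer validate today.

```python
import base64, datetime

# Sample input: the VeriSign intermediate CA certificate as pasted in Step 1 above.
VERISIGN_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIGLDCCBZWgAwIBAgIQbk/6s8XmacTRZ8mSq+hYxDANBgkqhkiG9w0BAQUFADCB
wTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYDVQQL
EzNDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
IC0gRzIxOjA4BgNVBAsTMShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1
dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
cmswHhcNMDkwMzI1MDAwMDAwWhcNMTkwMzI0MjM1OTU5WjCBtTELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93
d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xh
c3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDUVo9XOzcopkBj0pXVBXTatRlqltZxVy/iwDSMoJWzjOE3JPMu
7UNFBY6J1/raSrX4Po1Ox/lJUEU3QJ90qqBRVWHxYISJpZ6AjS+wIapFgsTPtBR/
RxUgKIKwaBLArlwH1/ZZzMtiVlxNSf8miKtUUTovStoOmOKJcrn892g8xB85essX
gfMMrQ/cYWIbEAsEHikYcV5iy0PevjG6cQIZTiapUdqMZGkD3pz9ff17Ybz8hHyI
XLTDe+1fK0YS8f0AAZqLW+mjBS6PLlve8xt4+GaRCMBeztWwNsrUqHugffkwer/4
3RlRKyC6/qfPoU6wZ/WAqiuDLtKOVImOHikLAgMBAAGjggKpMIICpTA0BggrBgEF
BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTAS
BgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4RQEHFwMwVjAo
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAqBggrBgEF
BQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzIuY3JsMA4GA1Ud
DwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYw
ITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9n
by52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjApBgNVHREEIjAgpB4wHDEaMBgGA1UE
AxMRQ2xhc3MzQ0EyMDQ4LTEtNTIwHQYDVR0OBBYEFKXvCxHOwEEDo0plkEiyHOBX
LX1HMIHnBgNVHSMEgd8wgdyhgcekgcQwgcExCzAJBgNVBAYTAlVTMRcwFQYDVQQK
Ew5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMgUHJpbWFy
eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5
OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD
VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrghB92f4Hz6getxB5Z/uniTTGMA0G
CSqGSIb3DQEBBQUAA4GBAGN0Lz1Tqi+X7CYRZhr+8d5BJxnSf9jBHPniOFY6H5Cu
OcUgdav4bC1nHynCIdcUiGNLsJsnY5H48KMBJLb7j+M9AgtvVP7UzNvWhb98lR5e
YhHB2QmcQrmy1KotmDojYMyimvFu6M+O0Ro8XhnF15s1sAIjJOUFuNWI4+D6ufRf
-----END CERTIFICATE-----"""

OID_COMMON_NAME = b"\x55\x04\x03"    # 2.5.4.3  commonName
OID_ORGANIZATION = b"\x55\x04\x0a"   # 2.5.4.10 organizationName

def pem_to_der(pem):
    # Drop the armour lines, join the base64 body and decode it to DER bytes
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(data, pos):
    # One DER tag-length-value at pos -> (tag, value bytes, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length

def children(value):
    # Yield (tag, value) for each element inside a constructed value (SEQUENCE / SET)
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child

def name_attribute(name_der, oid):
    # X.501 Name = SEQUENCE OF SET OF (SEQUENCE { OID, value }); first match or None
    for _, rdn_set in children(name_der):
        for _, atv in children(rdn_set):
            (_, attr_oid), (_, attr_value) = list(children(atv))
            if attr_oid == oid:
                return attr_value.decode("utf-8")   # assumes PrintableString/UTF8String
    return None

def parse_time(tag, value):
    # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime
    text = value.decode("ascii").rstrip("Z")
    if tag == 0x17:                       # RFC 5280: 50-99 means 19xx, 00-49 means 20xx
        year = int(text[:2])
        text = str(year + (1900 if year >= 50 else 2000)) + text[2:]
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=datetime.timezone.utc)

def certificate_summary(pem):
    # Certificate -> tbsCertificate -> [version], serial, sigalg, issuer, validity, subject
    _, certificate, _ = read_tlv(pem_to_der(pem), 0)
    _, tbs, _ = read_tlv(certificate, 0)
    fields = children(tbs)
    if next(fields)[0] == 0xA0:           # optional [0] EXPLICIT version precedes the serial
        next(fields)                      # serialNumber
    next(fields)                          # signature AlgorithmIdentifier
    (_, issuer), (_, validity), (_, subject) = next(fields), next(fields), next(fields)
    not_before, not_after = [parse_time(t, v) for t, v in children(validity)]
    return {"subject_cn": name_attribute(subject, OID_COMMON_NAME),
            "issuer_o": name_attribute(issuer, OID_ORGANIZATION),
            "not_before": not_before, "not_after": not_after}

def is_valid_at(summary, when):
    # True when an aware datetime lies inside the certificate's validity window
    return summary["not_before"] <= when <= summary["not_after"]

def is_valid_now(summary):
    return is_valid_at(summary, datetime.datetime.now(datetime.timezone.utc))
```

Calling `certificate_summary(VERISIGN_CA_PEM)` and then `is_valid_now(...)` on the result gives the check; the same walker works on any DER certificate, so it can be pointed at the self-signed .crt the script in Step 1 produced to confirm the CN matches the host name before it goes into the keystore.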
Step 2. Setup Tomcat6 to use the SSL certs
After creating the certs above, build the PKCS12 keystore that Java (and therefore Tomcat) reads from the key and certificate. The command uses relative file names and server.xml below expects the keystore in /etc/ssl/certs, so run it from that folder:
cd /etc/ssl/certs
/usr/bin/openssl pkcs12 -export -out %hostname%.pkcs12 -in %hostname%.crt -inkey %hostname%.key
You will be asked for an export (keystore) password. Enter it and keep a careful record of it somewhere. It is written into server.xml in clear text in the next step, so make sure the .pkcs12 file and server.xml are readable only by root and the tomcat6 user.
Now Tomcat6 has to be told where to find this keystore file. Edit the /etc/tomcat6/server.xml file as follows:
nano /etc/tomcat6/server.xml
Find the port 443 connector section and add the following keystore settings:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
           keystoreType="PKCS12"
           keystorePass="%SecretPassword%" />
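As an added example (not code from the page or from the Tomcat project), a small Python audit of the connector settings above: it parses server.xml, finds every SSL-enabled Connector and reports the problems a reviewer would look for, namely a keystoreFile that is missing or does not exist, a keystoreType that does not match a .pkcs12 file (Tomcat's default type is JKS, so such a keystore would fail to load), and a keystore or server.xml that is readable by everyone on the host, which matters because keystorePass is stored in clear text. make_demo() writes a constructed server.xml and a dummy keystore into a temporary directory with the usual 0644 permissions so the check runs offline; harden_files() applies the 0640 fix; the host name and password it uses are placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed server.xml mirroring the connector from Step 2. The keystore path and
# type are filled in by make_demo(); the password is a placeholder, not a real one.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="{keystore}"
               keystoreType="{keystore_type}"
               keystorePass="placeholder-not-a-real-password" />
  </Service>
</Server>
"""

def ssl_connectors(server_xml_path):
    # Attribute dicts of every <Connector SSLEnabled="true"> in the file
    root = ET.parse(server_xml_path).getroot()
    return [c.attrib for c in root.iter("Connector")
            if c.attrib.get("SSLEnabled", "").lower() == "true"]

def world_readable(path):
    # True if "other" has read permission on the file
    return bool(os.stat(path).st_mode & 0o004)

def audit_server_xml(server_xml_path):
    # Return a list of findings; an empty list means nothing to fix
    findings = []
    if world_readable(server_xml_path):
        findings.append("server.xml is world-readable but contains keystorePass in clear text")
    for conn in ssl_connectors(server_xml_path):
        port = conn.get("port", "?")
        keystore = conn.get("keystoreFile")
        if not keystore:
            findings.append(f"connector {port}: no keystoreFile set")
            continue
        if not os.path.isfile(keystore):
            findings.append(f"connector {port}: keystore {keystore} does not exist")
            continue
        ks_type = conn.get("keystoreType", "JKS")      # Tomcat's default keystore type
        if keystore.lower().endswith((".pkcs12", ".p12")) and ks_type.upper() != "PKCS12":
            findings.append(f"connector {port}: {keystore} looks like PKCS12 but keystoreType is {ks_type}")
        if world_readable(keystore):
            findings.append(f"connector {port}: keystore {keystore} is world-readable")
    return findings

def harden_files(server_xml_path):
    # The fix: owner read/write, group (the tomcat6 user) read, nothing for others
    keystores = [c["keystoreFile"] for c in ssl_connectors(server_xml_path) if "keystoreFile" in c]
    for path in [server_xml_path] + keystores:
        if os.path.isfile(path):
            os.chmod(path, 0o640)

def make_demo(keystore_type="PKCS12"):
    # Write the sample config and a dummy keystore with 0644 permissions; return the server.xml path
    tmp = tempfile.mkdtemp(prefix="tomcat-ssl-demo-")
    keystore = os.path.join(tmp, "example-host.pkcs12")
    with open(keystore, "wb") as f:
        f.write(b"not a real keystore, demo only")
    os.chmod(keystore, 0o644)
    server_xml = os.path.join(tmp, "server.xml")
    with open(server_xml, "w") as f:
        f.write(SAMPLE_SERVER_XML.format(keystore=keystore, keystore_type=keystore_type))
    os.chmod(server_xml, 0o644)
    return server_xml

if __name__ == "__main__":
    path = make_demo()
    print("before hardening:", *audit_server_xml(path), sep="\n  ")
    harden_files(path)
    print("after hardening:", audit_server_xml(path))
```

On a real host, point audit_server_xml() at /etc/tomcat6/server.xml instead of the demo file; group ownership of the two files should then be the tomcat6 group so that the 0640 mode still lets Tomcat read them.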
Step 3. Setup Apache2 mod_jk to use the SSL certs
Create the config file as follows:
nano /etc/apache2/conf.d/tomcat-ssl.conf
Copy and paste the following to the nano editor:
<IfModule mod_jk.c>
    JkWorkersFile /etc/tomcat5.5/workers.properties
    JkLogFile /var/log/apache2/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkRequestLogFormat "%w %V %T"
    # JkMount directive is: JkMount [URL prefix] [Worker name]
    # send all requests ending in .jsp to ajp13_worker
    JkMount /*.jsp localhost
    # send all requests ending /servlet to ajp13_worker
    JkMount /*/servlet/ localhost
    # OWN ADDITIONS #######################################
    JkExtractSSL On
    JkHTTPSIndicator HTTPS
    JkMount / localhost
    JkMount /* localhost
    JkMount /manager localhost
    JkMount /manager/* localhost
    JkMount /jspui localhost
    JkMount /jspui/* localhost
    JkMount /xmlui localhost
    JkMount /xmlui/* localhost
    JkMount /oai localhost
    JkMount /oai/* localhost
    JkMount /sword localhost
    JkMount /sword/* localhost
</IfModule>
Save the file and exit.
Step 4. Automatically redirect to the secure port
Add the following after the <VirtualHost *:80> line in the /etc/apache2/sites-enabled/000-default file (the rewrite module must be enabled, for example with a2enmod rewrite):
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
Now restart Apache2 as follows:
/etc/init.d/apache2 restart
Please note: the OAI-PMH protocol does not support HTTPS connections, so enabling this redirect means you will lose the ability to have your items listed by OAIster.
Step 5. Setup trusted secure connections
Send the file ending with .csr created above in the /etc/ssl/certs folder to a recognised certificate authority for signing.
The following can supply signed certificates for an annual fee.
Try to shop around for the best prices.
After payment they will send you the signed certificate which you copy to the /etc/ssl/certs folder. See the mod_ssl config section above for the proper file name to use. Then restart your Apache2 web server.
Command Line Help
Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.
References
- http://www.linode.com/wiki/index.php/Apache2_SSL_in_Ubuntu
- http://linuxgravity.com/configuring-apache-for-ssl
- http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
- http://www.tc.umn.edu/~brams006/selfsign.html