SUNScholar/Secure Internet Connections

From Libopedia
Revision as of 10:34, 20 June 2012 by Hgibson (talk | contribs)

This procedure assumes that you have used the three step process to install DSpace.

Introduction

Secure internet connections are created using the secure port (443) of the Apache2 web server. Below are instructions for setting up the Apache2 web server for secure internet connections by DEFAULT.

Defaults

The default location for certificates is /etc/ssl/certs. This is where we will put the certificates, and other services should point to this folder to find them.

Step 1. Create the SSL certificates

Become root as follows:

sudo -i

Make the scripts folder:

mkdir /root/scripts

Open the script file:

nano /root/scripts/make-new-certs

Then copy and paste the following into the nano editor. Please read the notes appended to this box below carefully.

#! /bin/bash

# Abort if any openssl step fails. The original script called "cleanup"
# without defining it, so a failure would have continued silently.
cleanup() {
    echo "Certificate creation failed" >&2
    rm -f "$CPATH.rand"
    exit 1
}

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install -y openssl

# Setup certificate variables
HOST="bib.sun.ac.za"
EMAIL="wklap@sun.ac.za"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation (e.g. /etc/ssl/certs/bib.sun.ac.za.key)
CPATH="$CERTS$HOST"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# (1024-bit keys were common in 2012; public CAs now require at least 2048)
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL
[ cert_type ]
nsCertType = server
EOF

# Create a large random seed for the new key
dd if=/dev/urandom of="$CPATH.rand" count=1 2>/dev/null

# Generate the new key and a self-signed certificate valid for one year
openssl req -new -x509 -days 365 -nodes -config "$HOST.cnf" \
    -out "$CPATH.crt" -keyout "$CPATH.key" || cleanup

# Generate Diffie-Hellman parameters (newer OpenSSL releases use "openssl dhparam")
openssl gendh -rand "$CPATH.rand" 1024 > "$CPATH.gendh" || cleanup

# Create a new certificate request (this is the file sent to the CA in Step 3)
openssl req -new -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr" || cleanup

# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Clean up (the seed was written to $CPATH.rand, not $HOST.rand)
rm -f "$CPATH.rand"

PLEASE NOTE

Change the following to suit your organisation:

  • $HOST - This is the registered hostname of the computer for which you are creating the SSL certificate.
  • $EMAIL - This is the system admin email address of the computer.
  • C= (This is the country, ZA for South Africa)
  • ST= (This is the state/province, WP for Western Province)
  • L= (This is the locality/town/city, Stellenbosch for us)
  • O= (This is the organisation, Stellenbosch University for us)
  • OU= (This is the organisational unit, JSG Library for us)

Save the file and exit

Now we make the script executable as follows:

chmod 0755 /root/scripts/make-new-certs

Then we execute the script as follows:

/root/scripts/make-new-certs

After the script is complete we create the VeriSign CA certificate file as follows:

nano /etc/ssl/certs/verisign-ca.crt

Copy and paste the following to the nano editor:

-----BEGIN CERTIFICATE-----
(certificate body not reproduced in this copy of the page)
-----END CERTIFICATE-----

Save the file and exit.
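Before moving on to Tomcat it is worth checking what Step 1 actually produced. The script writes the private key with root's default umask, so unless the umask is restrictive the .key file in /etc/ssl/certs ends up world-readable, and a typo in $HOST leaves a certificate whose CN does not match the server. The following check script is an added example, not part of the original page or the SUNScholar procedure; it assumes the file layout the script above uses (<host>.key and <host>.crt in /etc/ssl/certs) and the openssl command-line tool.

```shell
#!/bin/bash
# check-certs: sanity-check a key/certificate pair produced by make-new-certs.
# Usage: check_cert_pair <host> [certs-dir]   (certs-dir defaults to /etc/ssl/certs)
# Returns 0 only when every check passes; each failure is reported on stderr.

check_cert_pair() {
    host="$1"
    dir="${2:-/etc/ssl/certs}"
    key="$dir/$host.key"
    crt="$dir/$host.crt"
    status=0

    # 1. Both files must exist.
    for f in "$key" "$crt"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            return 1
        fi
    done

    # 2. The private key must not be readable by group or others.
    #    GNU stat on Linux; the BSD/macOS form is the fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "KEY PERMS: $key is mode $mode, expected 0600" >&2; status=1 ;;
    esac

    # 3. Key and certificate must belong together (identical RSA modulus).
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null || true)
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "MISMATCH: $key does not match $crt" >&2
        status=1
    fi

    # 4. Certificate must remain valid for at least 30 days (2592000 seconds).
    if ! openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null 2>&1; then
        echo "EXPIRING: $crt expires within 30 days" >&2
        status=1
    fi

    # 5. The subject CN must be the hostname the certificate is for.
    #    Older openssl prints "/CN=host", newer prints "CN = host".
    subj=$(openssl x509 -noout -subject -in "$crt" 2>/dev/null || true)
    case "$subj" in
        *"CN=$host"*|*"CN = $host"*) ;;
        *) echo "CN MISMATCH: $crt has subject '$subj'" >&2; status=1 ;;
    esac

    return $status
}

# When run directly with arguments: ./check-certs bib.sun.ac.za
if [ -n "${1:-}" ]; then
    check_cert_pair "$@"
fi
```

Run it as root right after make-new-certs (for example `check_cert_pair bib.sun.ac.za`), and again after copying in the CA-signed certificate in Step 3, since a signed .crt that does not match the key on disk is the most common cause of Apache or Tomcat refusing to start. A failing permissions check is fixed with `chmod 0600 /etc/ssl/certs/<host>.key`; Apache and Tomcat both read the key as root at startup, so nothing else needs access to it.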

Step 2. Setup Tomcat to use the SSL certs

You must complete step 1 above for this to work.

Change to cert folder as follows:

cd /etc/ssl/certs

Type the following to bundle the key and certificate into a PKCS#12 keystore that Java/Tomcat can read.

/usr/bin/openssl pkcs12 -export -out %hostname%.pkcs12 -in %hostname%.crt -inkey %hostname%.key

Replace %hostname% with the hostname of the server. You will be asked for a keystore password. Enter it and keep a careful record of it somewhere.

Now Tomcat6 has to be told where to find this keystore file. Edit the /etc/tomcat6/server.xml file as follows:

nano /etc/tomcat6/server.xml

Find the port 443 connector section and add the following keystore settings:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />

Replace %SecretPassword% with the password you used when creating the keystore above, and replace %hostname% with the hostname used when creating the keystore above.

Step 3. Apply for a signed certificate

Send the file ending with .csr created above in the /etc/ssl/certs folder to a recognised certificate authority for signing.

The following can supply signed certificates for an annual fee.

Try to shop around for the best prices.

After payment they will send you the signed certificate which you copy to the /etc/ssl/certs folder.

Command Line Help

Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.
