Difference between revisions of "SUNScholar/Secure Internet Connections"

From Libopedia

==[[SUNScholar/Secure Internet Connections/S04|Step 4. Setup Tomcat to use the SSL certs]]==
===Convert SSL cert to PKCS12===
 
We convert the signed SSL certificate, together with its private key and the CA chain, into a PKCS#12 keystore that Tomcat can load.
 
See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
 
 
See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.
 
 
To do this as the root user, change to the cert folder as follows:
 
cd /etc/ssl/certs
 
 
Type the following to create the PKCS12 keystore, chained with the Symantec/Verisign intermediate CA certs mentioned above. Note that openssl pkcs12 honours only one -certfile option (when it is given twice, only the last file is used), so first concatenate the intermediate and primary CA certs into a single chain file:

cat ICA-3G5.pem PCA-3G5.pem > chain-3G5.pem

openssl pkcs12 -export -certfile chain-3G5.pem -in '''%hostname%'''.crt -inkey '''%hostname%'''.key -out '''%hostname%'''.pkcs12
 
 
----
 
#Replace '''%hostname%''' with the [[SUNScholar/Install_Ubuntu/S02|hostname of the server]].
#You will be asked for a keystore password.
#Enter it and keep a careful record of it somewhere.
 
----
 
You can check the details of the PKCS12 cert by typing the following:
 
keytool -list -v -storetype pkcs12 -keystore '''%hostname%'''.pkcs12
 
 
See example below:

<pre>
root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12
Enter keystore password: 

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: 09 Oct 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
Certificate fingerprints:
MD5:  43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: 1.3.6.1.5.5.7.48.1
  accessLocation: URIName: http://ocsp.verisign.com,
  accessMethod: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]

#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A  2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63  6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03  A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]

]

Certificate[2]:
Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 6e4ffab3c5e669c4d167c992abe858c4
Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
Certificate fingerprints:
MD5:  AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03  A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: 1.3.6.1.5.5.7.48.1
  accessLocation: URIName: http://ocsp.verisign.com]
]

#5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://crl.verisign.com/pca3-g2.crl]
]]

#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A  2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63  6F 6D 2F 63 70 73        risign.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 1E 1A 1C 68 74 74 70  73 3A 2F 2F 77 77 77 2E  0...https://www.
0010: 76 65 72 69 73 69 67 6E  2E 63 6F 6D 2F 72 70 61  verisign.com/rpa

]]  ]
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
SerialNumber: [    7dd9fe07 cfa81eb7 107967fb a78934c6]
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=Class3CA2048-1-52
]


*******************************************
*******************************************

</pre>
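The conversion and the keytool check above, as an added shell example that is not part of the SUNScholar wiki page: it wraps the openssl pkcs12 export in functions that first concatenate the CA chain (openssl pkcs12 takes a single -certfile), then verify that the resulting keystore holds the whole chain, that the private key belongs to the leaf certificate, and that the leaf chains up to the root. It assumes only the openssl command line tool. Instead of the wiki's interactive password prompt, the export password is read from a file so the script can run unattended; the hostname scholar.example, the password and the whole test PKI built by make_test_pki are constructed for the demo and stand in for the real %hostname%.key/.crt and the ICA/PCA files from the page.

```shell
#!/bin/sh
# Added example (not from the SUNScholar wiki). Needs only the openssl CLI.
# File roles follow the page: HOST.key, HOST.crt, CA chain in PEM, HOST.pkcs12.
set -u

# make_pkcs12 KEY CRT OUT PASSFILE CHAIN...
# Bundles the server key, its certificate and every CA cert listed in CHAIN...
# into OUT. The export password is read from PASSFILE (keep it mode 0600).
# The chain files are concatenated first because openssl pkcs12 honours
# only one -certfile option.
make_pkcs12() {
  mk_key=$1; mk_crt=$2; mk_out=$3; mk_pass=$4; shift 4
  [ $# -gt 0 ] || { echo "make_pkcs12: no CA chain files given" >&2; return 1; }
  for mk_f in "$mk_key" "$mk_crt" "$mk_pass" "$@"; do
    [ -r "$mk_f" ] || { echo "make_pkcs12: cannot read $mk_f" >&2; return 1; }
  done
  mk_chain=$(mktemp) || return 1
  cat "$@" > "$mk_chain"            # intermediate CA(s) first, then primary CA
  mk_rc=0
  openssl pkcs12 -export -in "$mk_crt" -inkey "$mk_key" -certfile "$mk_chain" \
    -passout "file:$mk_pass" -out "$mk_out" 2>/dev/null || mk_rc=$?
  rm -f "$mk_chain"
  [ $mk_rc -eq 0 ] && chmod 600 "$mk_out"   # the keystore contains the private key
  return $mk_rc
}

# pkcs12_cert_count P12 PASSFILE: prints how many certificates the keystore
# holds (leaf plus chain). This should match the chain length keytool -list shows.
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# pkcs12_key_matches_cert P12 PASSFILE: succeeds only if the private key in the
# keystore belongs to the leaf certificate (public keys compared as PEM).
pkcs12_key_matches_cert() {
  km_key=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null \
           | openssl pkey -pubout 2>/dev/null)
  km_crt=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
           | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$km_key" ] && [ "$km_key" = "$km_crt" ]
}

# verify_chain ROOT ICA CRT: the leaf must chain through the intermediate to the
# root, otherwise Tomcat would serve a chain that browsers reject.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_test_pki DIR HOST: constructed root -> intermediate -> server PKI for the
# demo; on a real server you use the CA-issued files from the earlier steps instead.
make_test_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed test root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed test ICA" \
    -keyout "$dir/ica.key" -out "$dir/ica.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/ica.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 2 -extfile "$dir/ca.ext" -out "$dir/ica.pem" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ica.pem" -CAkey "$dir/ica.key" -CAcreateserial \
    -days 2 -extfile "$dir/srv.ext" -out "$dir/$host.crt" >/dev/null 2>&1 || return 1
}

# demo HOST: end-to-end run in a temporary directory, printing each check.
demo() {
  d=$(mktemp -d) || return 1
  h=$1
  make_test_pki "$d" "$h" || return 1
  printf 'constructed-demo-password\n' > "$d/pass"; chmod 600 "$d/pass"
  make_pkcs12 "$d/$h.key" "$d/$h.crt" "$d/$h.pkcs12" "$d/pass" "$d/ica.pem" "$d/root.pem" || return 1
  printf 'certificates in keystore: %s\n' "$(pkcs12_cert_count "$d/$h.pkcs12" "$d/pass")"
  pkcs12_key_matches_cert "$d/$h.pkcs12" "$d/pass" && echo "private key matches the leaf certificate"
  verify_chain "$d/root.pem" "$d/ica.pem" "$d/$h.crt" && echo "leaf chains to the root via the intermediate"
  rm -rf "$d"
}

demo scholar.example
```

On the production server the same functions run as root from /etc/ssl/certs with the real key, certificate and ICA/PCA files; the wiki's keytool -list command can then be used exactly as above to confirm the chain length the keystore reports. openssl pkcs12 -export itself refuses to build a keystore when the -inkey file does not match the certificate, which make_pkcs12 passes through as a non-zero return.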
 
 
===Setup Tomcat "server.xml" to use the converted certificate===
 
Now Tomcat has to be told where to find this keystore. Edit the '''/etc/tomcat6/server.xml''' file as follows:
 
nano /etc/tomcat6/server.xml
 
Find the port 8443 connector section.

#Remove the comments surrounding the section.
#'''Change the listening port to 443.'''
#Add the following keystore settings.

<pre>
      keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
      keystoreType="PKCS12"
      keystorePass="%SecretPassword%" />
</pre>
 
----
 
#Replace '''%SecretPassword%''' with the password you used when creating the keystore above.
#Replace '''%hostname%''' with the hostname used when creating the keystore above.
 
 
{{NANO}}
 
 
====Example "server.xml" secure settings====
 
See the full example below, using a local PKCS12 keystore file with the password embedded. The line beginning with # is only a placeholder for the cipher list: # is not a comment marker in XML, so either remove that line or replace it with a real ciphers attribute (see the SSL Ciphers Note below) before restarting Tomcat, otherwise Tomcat cannot parse the file.

<pre>
    <Connector port="443" protocol="HTTP/1.1"
               enableLookups="false"
               maxThreads="150"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
#              ciphers="<<To enable, See SSL Ciphers Note below then remove the # and replace this text with the cipher list you choose>>"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />
</pre>
 
 
====SSL Ciphers Note:====

*TLSv1.2 is only available when using JDK 7 and higher.
*For Tomcat7 change "sslProtocols" to "sslEnabledProtocols".
*For more detail about what cipher suite to use, check: https://wiki.mozilla.org/Security/Server_Side_TLS and https://bettercrypto.org.
*To see which cipher suites the server actually offers, install <tt>'''sslscan'''</tt> and scan using '''<tt>sslscan --no-failed localhost:443</tt>'''.
*See the links below for help about Tomcat cipher setup:
**https://en.wikipedia.org/wiki/Cipher
**https://en.wikipedia.org/wiki/Cipher_suite
**https://en.wikipedia.org/wiki/Cryptography
**https://en.wikipedia.org/wiki/Public-key_cryptography
**https://en.wikipedia.org/wiki/Transport_Layer_Security
**https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
**https://wiki.apache.org/tomcat/HowTo/SSLCiphers
**https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
**https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat
**https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
**http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
**https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak
 
  
 
==[[SUNScholar/Secure Internet Connections/S05|Step 5. Enable secure XMLUI logins]]==

Revision as of 21:32, 29 December 2014

For the need to use https, check: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org
To check if your internet connection is secure, use: https://www.eff.org/https-everywhere

Introduction

This wiki page describes a method of securing communications to a DSpace installation on the internet.

To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.

It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace

Update - 2014/11/18

A free certificate authority service is launching in 2015 that will greatly simplify the configuration of a secure server. See the link below.

https://letsencrypt.org

Requirements

  • This is not needed if doing an evaluation of the software on a test server behind your institution's firewall.
  • The Tomcat server MUST be listening on port 443. See link below.

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05

SSL Defaults

  • The default location for certificates is: /etc/ssl/certs. This is where we will put the certificates. Other services should point to this folder for the certificates.
  • Secure internet connections are created using the secure port (443) which must be opened on the campus firewall for your particular server by the central IT department.

Step 1. Create the SSL certificates

Step 2. Apply for a signed certificate

Step 3. Intermediate CA certs

Step 4. Setup Tomcat to use the SSL certs

Step 5. Enable secure XMLUI logins

Become the dspace user

su dspace

Open the DSpace config file for editing as follows:

nano /home/dspace/source/dspace/config/dspace.cfg

Go to the following section of the DSpace config file:

# Force all authenticated connections to use SSL, only non-authenticated
# connections are allowed over plain http. If set to true, then you need to
# ensure that the 'dspace.hostname' parameter is set to the correctly.
xmlui.force.ssl = true

Force authenticated connections onto SSL by setting "xmlui.force.ssl" to true, as shown above.


NANO Editor Help
CTL+O = Save the file and then press Enter
CTL+X = Exit "nano"
CTL+K = Delete line
CTL+U = Undelete line
CTL+W = Search for %%string%%
CTL+\ = Search for %%string%% and replace with $$string$$
CTL+C = Show line numbers

More info = http://en.wikipedia.org/wiki/Nano_(text_editor)


Step 6. Enable HTTPS by default

If using the default Mirage theme, you can enable HTTPS by default by modifying the "baseUrl". See link below.

https://github.com/DSpace/DSpace/blob/dspace-4.1/dspace-xmlui/src/main/webapp/themes/Mirage/lib/xsl/core/page-structure.xsl#L671-681

You can also enable HTTPS by modifying the "dspace.baseUrl" in the "build.properties" file. Change http to https. See link below.

https://github.com/DSpace/DSpace/blob/dspace-4.1/build.properties#L30-L31

Step 7. Rebuild DSpace

Rebuild the DSpace webapps using the custom rebuild script.

Step 8. Check the secure connection

References

Tomcat

SSL/TLS

Monopoly Notes

Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.

Update - 2013/10/09. Now we know why there is a monopoly: so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.

News