Difference between revisions of "SUNScholar/Secure Internet Connections"

From Libopedia
(93 intermediate revisions by the same user not shown)
==Introduction==

This wiki page describes a method of securing communications to a DSpace installation on the internet.

''To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.'' Without TLS the e-mail address and password typed into the login form cross the network in clear text, where anyone on the path (the campus LAN, a coffee-shop WiFi, an upstream provider) can read them and reuse them.
 
==Requirements==

<font color="red">
*'''Secure connections are not needed if doing an evaluation of the software on a test server behind your institution's firewall.'''
*'''It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.'''
*'''The Tomcat server MUST be listening on ports 80 and 443. See link below.'''
</font>
 http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S05

===Port 443 Firewall Access===

Secure internet connections are created using the secure port (443) '''which must be opened on the campus and local server firewall'''. On the campus firewall this is normally done for your particular server by the central IT department.

 http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall

===SSL Certificate Defaults===

*The default location for certificates is: '''/etc/ssl/certs'''.
*This is where we will put the certificates.
*Other services should point to this folder for the certificates.
*'''/etc/ssl/certs''' is world readable by design (it holds public certificates). The private key files created below ('''.key''', '''.pem''' and '''.pkcs12''') must therefore be restricted to mode 0600, or 0640 with the group that Tomcat runs as, so that no other local account can read the key.
==Step 1. Create the SSL certificates==
 
Login to the server:
 
  http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01
 
Become root as follows:
 
sudo -i
 
Make the scripts folder:
 
mkdir /root/scripts
 
===New Method - Create DSA with SHA 256 certificate request===

''Caveat: a DSA certificate can only be used with the DSS cipher suites, which current browsers no longer negotiate and which TLS 1.3 has dropped entirely. For a repository that serves the public, use the RSA script further down unless your certificate provider has explicitly told you to submit a DSA request.''

Open the script file:

nano /root/scripts/make-cert-dsa

Then copy and paste the following into the nano editor. ''Please read the config notes below carefully.''
 
<pre>
#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXX"
BITS="2048"
DAYS="365"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = $BITS \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"

# Write the OpenSSL config file into the current directory
echo -e "$CONF" > $HOST.cnf
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Create a new DSA key (the DSA parameters are generated and discarded, only the key is written)
openssl dsaparam -noout -out $CPATH.key -genkey $BITS || exit 1

# Create a new self-signed certificate (used for testing until the CA-signed one arrives)
openssl req -new -sha256 -x509 -days $DAYS -nodes -config $HOST.cnf -key $CPATH.key -out $CPATH.crt || exit 1

# Create a new certificate request to send to the certificate authority
openssl req -new -sha256 -key $CPATH.key -config $HOST.cnf > $CPATH.csr || exit 1

# Create a "pem" file suitable for Apache2
cat $CPATH.key $CPATH.crt > $CPATH.pem

# The key and the pem file contain the private key: nobody but root may read them
chmod 0600 $CPATH.key $CPATH.pem

# Clean up
rm -f $HOST.rand
</pre>
 
 
 
===Old Method - Create simple RSA certificate request===
 
Open the script file:
 
nano /root/scripts/make-cert-rsa
 
Then copy and paste the following into the nano editor. ''Please read the config notes below carefully.''
 
<pre>
#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXXX"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = 2048 \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"

# Write the OpenSSL config file into the current directory
echo -e "$CONF" > $HOST.cnf
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Generate the new RSA key and a self-signed certificate.
# -sha256 is required: certificate authorities no longer sign SHA-1 requests.
openssl req -new -sha256 -x509 -days 365 -nodes -config $HOST.cnf -out $CPATH.crt -keyout $CPATH.key || exit 1

# Create a new certificate request to send to the certificate authority
openssl req -new -sha256 -key $CPATH.key -config $HOST.cnf > $CPATH.csr || exit 1

# Create a "pem" file suitable for Apache2
cat $CPATH.key $CPATH.crt > $CPATH.pem

# The key and the pem file contain the private key: nobody but root may read them
chmod 0600 $CPATH.key $CPATH.pem

# Clean up
rm -f $HOST.rand
</pre>
 
 
 
===NOTES: Change the following to suit your organisation:===

* $HOST - This is the fully qualified hostname of the server for which you are creating the SSL certificate. It must be exactly the name that users type into the browser, otherwise the certificate will not match.
* $EMAIL - This is the system administrator email address.
* C = This is the country, '''ZA''' for South Africa
* ST = This is the state/province, '''WP''' (Western Cape) for us
* L = This is the locality/town/city, '''Stellenbosch''' for us
* O = This is the organisation, '''Universiteit Stellenbosch''' for us
* OU = This is the organisational unit, '''JS Gericke Library''' for us
 
----
 
{{NANO}}
 
===Make the selected script executable===

Now we make the script executable as follows:

chmod 0755 /root/scripts/make-cert-rsa

'''OR'''

chmod 0755 /root/scripts/make-cert-dsa

Then we execute the script as follows:

/root/scripts/make-cert-rsa

'''OR'''

/root/scripts/make-cert-dsa
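The scripts above produce the key, the request and a temporary self-signed certificate but never check that the three actually belong together. The script below is an added example and is not part of the original page or of DSpace: it does the same job with a current OpenSSL (RSA key, SHA-256 request carrying a Subject Alternative Name, key written with mode 0600) and then verifies that key, CSR and certificate share one public key, that the certificate names the host in its SAN, and that the key is not world readable. The host name repo.example.ac.za, the organisation values and the directory are assumptions; substitute your own.

```bash
#!/bin/bash
# Added example (not part of the original page): generate an RSA key and a CSR
# that carries a Subject Alternative Name, then check that key, CSR and
# certificate belong together before anything is sent to a CA or loaded into
# Tomcat. Only "openssl" is required. Host name and paths are assumptions.
set -eu

# Create $dir/$host.key (mode 0600), $dir/$host.csr and a self-signed
# $dir/$host.crt for testing. Browsers match the SAN, not the CN, so the
# request must carry one.
make_csr() {
    local dir="$1" host="$2" cnf="$1/$2.cnf"
    mkdir -p "$dir"
    cat > "$cnf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
C  = ZA
ST = Western Cape
L  = Stellenbosch
O  = Example Library
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
    # -newkey creates the key in the same step; -nodes leaves it unencrypted so
    # Tomcat can start unattended; umask 077 keeps the key file private.
    ( umask 077 && openssl req -new -sha256 -nodes -config "$cnf" \
        -newkey rsa:2048 -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null )
    # Self-signed certificate with the same SAN, used until the CA-signed one arrives.
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -extfile "$cnf" -extensions v3_req -out "$dir/$host.crt" 2>/dev/null
}

# SHA-256 of the public key inside a key, a CSR or a certificate.
# All three must print the same value.
pub_fp() {
    local kind="$1" file="$2"
    case "$kind" in
        key) openssl pkey -in "$file" -pubout ;;
        csr) openssl req  -in "$file" -pubkey -noout ;;
        crt) openssl x509 -in "$file" -pubkey -noout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when key, CSR and certificate share one public key, the certificate
# carries a SAN for the host, and the key file is readable by its owner only.
check_material() {
    local dir="$1" host="$2" k r c mode
    k=$(pub_fp key "$dir/$host.key")
    r=$(pub_fp csr "$dir/$host.csr")
    c=$(pub_fp crt "$dir/$host.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || { echo "public key mismatch between key, CSR and certificate" >&2; return 1; }
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "certificate has no subjectAltName for $host" >&2; return 1; }
    mode=$(stat -c %a "$dir/$host.key" 2>/dev/null || stat -f %Lp "$dir/$host.key")
    case "$mode" in
        600|400) ;;
        *) echo "private key mode $mode is too open, use chmod 0600" >&2; return 1 ;;
    esac
    echo "ok: key, CSR and certificate for $host match and the key is private"
}

# Demonstration run in a temporary directory.
demo_run() {
    local tmp host="repo.example.ac.za" rc=0
    tmp=$(mktemp -d)
    make_csr "$tmp" "$host"
    check_material "$tmp" "$host" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo_run; fi
```

Run it with <tt>--demo</tt> to see the full cycle, or source it and call <tt>make_csr /etc/ssl/certs your.host.name</tt> followed by <tt>check_material</tt>. The same <tt>pub_fp</tt> comparison is the test to run in Step 2 on the certificate that comes back from the CA: if its public key fingerprint differs from the key on disk, the CA signed somebody else's request or the key was regenerated in the meantime.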
  
==Step 2. Apply for a signed certificate==

===Application===

Send the file, '''%hostname%.csr''' in the '''/etc/ssl/certs''' folder to a recognised certificate authority for signing. The request contains only the public key and the subject details; the '''%hostname%.key''' file must never leave the server.

Try to shop around for the best prices. See: http://www.sslshopper.com

===Activation===

Assuming that the supplied signed certificate from your chosen SSL registrar above is called '''verisign.cer''' and is stored in the '''/root''' folder, follow the procedure below as the '''root''' user to activate the signed certificate.

cd /root

cp verisign.cer /etc/ssl/certs/%hostname%.crt

{{HOSTNAME}}

To extract details of the signed certificate, type the following. Check that the '''Subject''' and the '''Subject Alternative Name''' carry your hostname, that the validity dates are what you paid for, and that the '''Issuer''' is an intermediate CA (you will need its certificate in Step 3).

openssl x509 -text -in /etc/ssl/certs/%hostname%.crt

See example extraction below.
 
<pre>
root@ar1:/etc/ssl/certs# openssl x509 -text -in /etc/ssl/certs/ar1.sun.ac.za.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:48:0a:37:5a:d7:bc:89:c8:87:61:a3:e3:74:75:c5
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Validity
            Not Before: Oct 23 00:00:00 2012 GMT
            Not After : Oct 24 23:59:59 2013 GMT
        Subject: C=ZA, ST=Western Cape, L=Stellenbosch, O=Universiteit Stellenbosch, OU=JS Gericke Library, CN=ar1.sun.ac.za
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:2a:22:98:c8:62:31:4b:6a:75:fd:7c:db:29:
                    0c:c4:5a:c4:93:bb:34:2a:72:2f:2a:cb:95:e8:60:
                    43:6d:72:f8:0b:e8:12:4c:8c:f3:47:13:69:2e:f8:
                    7b:cc:23:33:4d:06:fb:4d:a4:2f:34:2c:c4:0b:bc:
                    4a:73:bb:a2:ab:a1:88:59:a7:81:b8:85:b4:9b:c0:
                    92:2a:86:03:68:38:30:f7:ef:31:1b:8f:79:a7:12:
                    0d:fc:4a:3a:ab:62:03:07:e5:c0:c9:3a:c4:af:94:
                    6f:dd:87:d5:80:5e:41:b6:92:25:5b:7d:bc:f7:a4:
                    f9:82:ef:36:74:8d:a6:fa:39:7b:aa:23:ea:1d:97:
                    b1:c7:e3:a4:82:3f:19:88:33:56:34:1f:20:02:a0:
                    f7:fd:2e:2a:ec:a9:87:e7:26:1f:93:41:b0:65:f0:
                    1f:da:12:66:96:97:93:5f:42:bf:b6:bc:9b:7c:74:
                    6f:9c:09:6c:51:f6:fb:e2:78:4b:97:96:12:77:d2:
                    4a:ed:75:aa:e3:db:05:e5:8a:e5:3c:ea:a5:dd:34:
                    20:8f:27:e4:30:2e:58:17:30:dd:1c:06:ae:30:de:
                    89:08:7e:a5:a1:48:24:0a:be:5e:4e:fb:9f:1f:dc:
                    52:d0:51:df:99:c4:ab:fb:5c:b0:1d:72:cf:be:26:
                    d6:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ar1.sun.ac.za
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.verisign.com/cps

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

    Signature Algorithm: sha1WithRSAEncryption
        02:14:7a:e5:21:81:4d:e9:6f:3a:45:38:cf:f5:0c:7c:88:0b:
        73:58:aa:d7:f9:c3:9e:32:2a:fa:76:15:a5:1d:15:4e:4c:44:
        11:d5:7c:25:c9:5f:f9:45:f9:a4:11:90:40:42:68:d4:28:7d:
        ed:08:67:6d:6c:3b:6e:d5:e0:cd:28:c7:54:7d:e5:61:cc:9d:
        5e:ab:0b:30:30:37:8e:55:ec:51:e6:f7:ff:d5:b4:fb:05:79:
        6e:46:44:1b:c8:4f:4d:6f:d5:53:d9:42:d7:00:93:38:0b:a0:
        48:99:ef:0c:15:29:16:e3:36:ca:e7:4c:61:72:23:36:69:89:
        cb:34:a0:7e:82:65:6f:35:d8:78:1a:d6:fd:34:60:c6:12:64:
        8d:76:85:a4:c0:88:17:7a:44:6e:95:3d:59:0d:96:1f:90:37:
        cd:02:b7:d2:77:d7:45:a0:57:03:b8:67:24:81:07:3d:f2:7f:
        07:6a:68:71:1f:72:df:77:2e:22:bf:ad:72:e0:bb:0b:4d:0a:
        0c:63:0e:9d:60:85:2f:eb:7a:c7:65:50:bb:59:06:4b:4a:5f:
        1f:2a:e2:75:2c:e9:f9:18:fc:f0:6d:e7:22:38:71:53:ea:f1:
        4b:66:dc:7b:8c:3a:45:b2:a6:e3:4d:2c:be:f9:2c:c2:3a:66:
        30:58:66:5f
-----BEGIN CERTIFICATE-----
MIIFVDCCBDygAwIBAgIQKUgKN1rXvInIh2Gj43R1xTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTIxMDIz
MDAwMDAwWhcNMTMxMDI0MjM1OTU5WjCBlDELMAkGA1UEBhMCWkExFTATBgNVBAgT
DFdlc3Rlcm4gQ2FwZTEVMBMGA1UEBxQMU3RlbGxlbmJvc2NoMSIwIAYDVQQKFBlV
bml2ZXJzaXRlaXQgU3RlbGxlbmJvc2NoMRswGQYDVQQLFBJKUyBHZXJpY2tlIExp
YnJhcnkxFjAUBgNVBAMUDWFyMS5zdW4uYWMuemEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC6KiKYyGIxS2p1/XzbKQzEWsSTuzQqci8qy5XoYENtcvgL
6BJMjPNHE2ku+HvMIzNNBvtNpC80LMQLvEpzu6KroYhZp4G4hbSbwJIqhgNoODD3
7zEbj3mnEg38SjqrYgMH5cDJOsSvlG/dh9WAXkG2kiVbfbz3pPmC7zZ0jab6OXuq
I+odl7HH46SCPxmIM1Y0HyACoPf9LirsqYfnJh+TQbBl8B/aEmaWl5NfQr+2vJt8
dG+cCWxR9vvieEuXlhJ30krtdarj2wXliuU86qXdNCCPJ+QwLlgXMN0cBq4w3okI
fqWhSCQKvl5O+58f3FLQUd+ZxKv7XLAdcs++JtbxAgMBAAGjggF9MIIBeTAYBgNV
HREEETAPgg1hcjEuc3VuLmFjLnphMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWg
MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlz
aWduLmNvbS9TVlJTZWN1cmVHMy5jcmwwQwYDVR0gBDwwOjA4BgpghkgBhvhFAQc2
MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZTRMGC
fh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
L29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2VjdXJl
LUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2VyMA0GCSqGSIb3DQEB
BQUAA4IBAQACFHrlIYFN6W86RTjP9Qx8iAtzWKrX+cOeMir6dhWlHRVOTEQR1Xwl
yV/5RfmkEZBAQmjUKH3tCGdtbDtu1eDNKMdUfeVhzJ1eqwswMDeOVexR5vf/1bT7
BXluRkQbyE9Nb9VT2ULXAJM4C6BIme8MFSkW4zbK50xhciM2aYnLNKB+gmVvNdh4
Gtb9NGDGEmSNdoWkwIgXekRulT1ZDZYfkDfNArfSd9dFoFcDuGckgQc98n8Hamhx
H3Lfdy4iv61y4LsLTQoMYw6dYIUv63rHZVC7WQZLSl8fKuJ1LOn5GPzwbeciOHFT
6vFLZtx7jDpFsqbjTSy++SzCOmYwWGZf
-----END CERTIFICATE-----
</pre>
 
See example listing below.

<pre>
root@ir1:/etc/ssl/certs# ls -l scholar.sun.ac.za.*
-rw-r--r-- 1 root root 1864 2010-09-21 13:42 scholar.sun.ac.za.crt
-rw-r--r-- 1 root root  749 2010-09-15 09:31 scholar.sun.ac.za.csr
-rw-r--r-- 1 root root  245 2010-09-15 09:31 scholar.sun.ac.za.gendh
-rw-r--r-- 1 root root  887 2010-09-15 09:31 scholar.sun.ac.za.key
-rw-r--r-- 1 root root 1969 2010-09-15 09:31 scholar.sun.ac.za.pem
-rw-r--r-- 1 root root 3957 2012-10-01 09:35 scholar.sun.ac.za.pkcs12
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
</pre>

''Note that in this listing the '''.key''', '''.pem''' and '''.pkcs12''' files are world readable (-rw-r--r--). All three contain the private key, so on your own server restrict them to mode 0600 (or 0640 with the group Tomcat runs as). The '''.crt''' and '''.csr''' files are public and may stay as they are.''
 
 
 
==Step 3. Intermediate CA certs==

If you choose VeriSign/Symantec as your cert provider, then follow this procedure to setup the intermediate CA certs. If not, then consult your cert provider on how to obtain the required intermediate CA certs. Whichever provider you use, take the intermediates from the provider's own site, or from the "CA Issuers" URL printed in the Authority Information Access extension of your signed certificate (see the extraction above), and check that your signed certificate actually verifies against them before continuing: a chain that is missing or wrong produces browser warnings even though the server certificate itself is valid.
 
 
 
Download the certs from the following links by typing as follows:
 
cd /etc/ssl/certs
 
Get the primary intermediate Symantec CA cert:
 
wget http://web.lib.sun.ac.za/style/sunscholar/certs/PCA-3G3.pem
 
;OR
 
wget http://web.lib.sun.ac.za/style/sunscholar/certs/PCA-3G5.pem
 
Get the secondary intermediate Symantec CA cert:
 
wget http://web.lib.sun.ac.za/style/sunscholar/certs/ICA-3G3.pem
 
;OR
 
wget http://web.lib.sun.ac.za/style/sunscholar/certs/ICA-3G5.pem
 
===Intermediate CA certs links===
 
For more intermediate CA cert info see the following links:
 
*https://en.wikipedia.org/wiki/Certificate_authority
 
*https://en.wikipedia.org/wiki/Public_key_certificate
 
*https://en.wikipedia.org/wiki/Web_of_trust
 
*http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
 
;RSA Certs
 
*https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1732
 
*https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR657
 
;Tomcat Help
 
*https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR234
 
;DSA Certs
 
*https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1884
 
*https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1885
 
;Old links
 
*https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
 
*http://www.verisign.com/support/roots.html
 
----
 
'''<font color="red">Do not continue until you have all the required certs from a trusted authority.</font>'''
 
----
 
 
 
==Step 4. Setup Tomcat to use the SSL certs==

===Convert SSL cert to PKCS12===

We convert the signed certificate, its private key and the intermediate CA certs into a single PKCS#12 keystore, which Tomcat can read directly.

See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat

See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.

To do this as the root user, change to the cert folder as follows:

cd /etc/ssl/certs

'''openssl pkcs12''' honours only the last '''-certfile''' option it is given, so first combine the intermediate CA certs from Step 3 into one file (the self-signed root is optional; browsers must already trust it), then create the PKCS12 keystore chained with those intermediates:

cat ICA-3G5.pem PCA-3G5.pem > '''%hostname%'''-chain.pem

openssl pkcs12 -export -certfile '''%hostname%'''-chain.pem -in '''%hostname%'''.crt -inkey '''%hostname%'''.key -out '''%hostname%'''.pkcs12

----

#Replace '''%hostname%''' with the [[SUNScholar/Install_Ubuntu/S02|hostname of the server]].
#You will be asked for a keystore password.
#Enter it and keep a careful record of it somewhere.
#The keystore contains the private key: make sure it is owned by root, readable by the group Tomcat runs as (mode 0640) and by nobody else.

----

You can check the details of the PKCS12 cert by typing the following. The '''Certificate chain length''' must be 2 or more; a length of 1 means the intermediates were not included and browsers will not be able to build the chain.

keytool -list -v -storetype pkcs12 -keystore '''%hostname%'''.pkcs12
 
 
 
See example below:
 
<pre>
root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: 09 Oct 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
Certificate fingerprints:
MD5:  43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: 1.3.6.1.5.5.7.48.1
  accessLocation: URIName: http://ocsp.verisign.com,
  accessMethod: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]

#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A  2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63  6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03  A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]

]

Certificate[2]:
Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 6e4ffab3c5e669c4d167c992abe858c4
Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
Certificate fingerprints:
MD5:  AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03  A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                        W-.G
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: 1.3.6.1.5.5.7.48.1
  accessLocation: URIName: http://ocsp.verisign.com]
]

#5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false

#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://crl.verisign.com/pca3-g2.crl]
]]

#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A  2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63  6F 6D 2F 63 70 73        risign.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 1E 1A 1C 68 74 74 70  73 3A 2F 2F 77 77 77 2E  0...https://www.
0010: 76 65 72 69 73 69 67 6E  2E 63 6F 6D 2F 72 70 61  verisign.com/rpa

]]  ]
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
SerialNumber: [    7dd9fe07 cfa81eb7 107967fb a78934c6]
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=Class3CA2048-1-52
]


*******************************************
*******************************************
</pre>
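Steps 3 and 4 both depend on getting the chain right, and a commercial CA is not available for rehearsal. The script below is an added example, not part of the original page or of DSpace: it creates a throw-away root CA and intermediate CA so the whole chain can be exercised offline, verifies the server certificate against the intermediate the way Step 3 asks you to verify downloaded intermediates, and then performs the Step 4 PKCS#12 export for Tomcat with the intermediates concatenated into one file (because '''openssl pkcs12''' keeps only the last '''-certfile'''). Every name, path, password and the CA itself are constructed for the example.

```bash
#!/bin/bash
# Added example (not part of the original page). Builds a constructed
# root CA -> intermediate CA -> server certificate chain, verifies it, and
# exports the Tomcat PKCS#12 keystore with the intermediate included.
set -eu

# mk_cert DIR NAME CN ISSUER_CRT ISSUER_KEY KIND
#   KIND is root, ica or server and selects the X.509 extensions.
#   ISSUER_CRT/ISSUER_KEY are empty for the self-signed root.
mk_cert() {
    local dir="$1" name="$2" cn="$3" ica="$4" ikey="$5" kind="$6"
    local ext="$dir/$name.ext"
    case "$kind" in
        root)   printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext" ;;
        ica)    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext" ;;
        server) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > "$ext" ;;
    esac
    # umask 077 keeps every private key at mode 0600 from the moment it is written.
    ( umask 077 && openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=$cn" \
          -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null )
    if [ -z "$ica" ]; then
        openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -CA "$ica" -CAkey "$ikey" \
            -CAcreateserial -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
    fi
}

# Step 3 check: does the server cert chain through the intermediate to the root?
# Run this against downloaded intermediates before trusting them.
verify_chain() {   # ROOT_CRT INTERMEDIATE_CRT SERVER_CRT
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Step 4: build DIR/HOST.pkcs12 for Tomcat. All intermediates go into one
# chain file; the self-signed root is left out (browsers must already trust it).
export_pkcs12() {  # DIR HOST INTERMEDIATE_CRT PASSWORD
    local dir="$1" host="$2" chain="$1/$2-chain.pem"
    cat "$3" > "$chain"          # on a real server: cat ICA-3G5.pem > chain.pem
    ( umask 077 && openssl pkcs12 -export -name tomcat -certfile "$chain" \
          -in "$dir/$host.crt" -inkey "$dir/$host.key" \
          -out "$dir/$host.pkcs12" -passout "pass:$4" )
}

# Number of certificates stored in the keystore: leaf + intermediates.
# keytool's "Certificate chain length" reports the same number.
pkcs12_cert_count() {  # FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo_run() {
    local tmp host="repo.example.ac.za" pw="changeme"
    tmp=$(mktemp -d)
    mk_cert "$tmp" root    "Example Root CA"         ""              ""              root
    mk_cert "$tmp" ica     "Example Intermediate CA" "$tmp/root.crt" "$tmp/root.key" ica
    mk_cert "$tmp" "$host" "$host"                   "$tmp/ica.crt"  "$tmp/ica.key"  server
    verify_chain "$tmp/root.crt" "$tmp/ica.crt" "$tmp/$host.crt" \
        || { echo "server certificate does not chain to the root" >&2; rm -rf "$tmp"; return 1; }
    export_pkcs12 "$tmp" "$host" "$tmp/ica.crt" "$pw"
    echo "certificates in $host.pkcs12: $(pkcs12_cert_count "$tmp/$host.pkcs12" "$pw")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_run; fi
```

For the real certificate replace the constructed root and intermediate in <tt>verify_chain</tt> with the files downloaded in Step 3 and the server certificate from Step 2; if <tt>openssl verify</tt> does not print <tt>OK</tt>, the intermediates are the wrong generation (G3 versus G5, for example) and the keystore built from them will fail in browsers. The demonstration keystore reports two certificates; a count of one on your server means the chain file was not picked up.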
 
 
 
===Setup Tomcat "server.xml" to use the converted certificate===

Now the Tomcat server has to be told where to find this keystore file. Edit the '''/etc/tomcat6/server.xml''' file as follows:

nano /etc/tomcat6/server.xml

Find the port 8443 connector section.

#Remove the comments surrounding the section.
#'''Change the listening port to 443.'''
#Add the following keystore settings.

<pre>
      keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
      keystoreType="PKCS12"
      keystorePass="%SecretPassword%" />
</pre>

----

#Replace '''%SecretPassword%''' with the password you used when creating the keystore above.
#And add the '''%hostname%''' used when creating the keystore above.
#The keystore password is now stored in clear text in '''server.xml''', so that file must be readable by root and the Tomcat user only, not by every account on the server.
 
 
 
{{NANO}}
 
 
 
====Example "server.xml" secure settings====

See full example below using a local PKCS12 keystore cert file with password embedded. The protocol list is given with the attribute name documented in the Tomcat 7 and 8 references below, '''sslEnabledProtocols'''; older Tomcat 6 builds used the spelling '''sslProtocols''', so check the config/http.html page for your version. Drop TLSv1 and TLSv1.1 from the list as soon as your user base allows it. A '''ciphers="..."''' attribute restricting the cipher suites belongs on the same connector (see the SSL Ciphers Note below), but XML does not allow a '''#''' comment inside a tag, so leave the attribute out entirely until you have chosen a list.

<pre>
    <Connector port="443" protocol="HTTP/1.1"
               enableLookups="false"
               maxThreads="150"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
               keystoreType="PKCS12"
               keystorePass="%SecretPassword%" />
</pre>
 
 
 
====SSL Ciphers Note:====
 
*For more detail about what cipher suite to use, check: https://wiki.mozilla.org/Security/Server_Side_TLS and https://bettercrypto.org.
 
*To see what ciphers will be used, install <tt>'''sslscan'''</tt> and scan using '''<tt>sslscan --no-failed localhost:443</tt>'''.
 
*See the links below for help about Tomcat cipher setup:
 
**https://en.wikipedia.org/wiki/Cipher
 
**https://en.wikipedia.org/wiki/Cipher_suite
 
**https://en.wikipedia.org/wiki/Cryptography
 
**https://en.wikipedia.org/wiki/Public-key_cryptography
 
**https://en.wikipedia.org/wiki/Transport_Layer_Security
 
**https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 
**https://wiki.apache.org/tomcat/HowTo/SSLCiphers
 
**https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
 
**https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat
 
**https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
 
**http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
 
**https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak
 
 
 
==Step 5. Enable secure XMLUI logins==

Become the dspace user

su dspace

Open the DSpace config file for editing as follows:

nano /home/dspace/<u>[[SUNScholar/Install_DSpace/S03#Step_3.2|source]]</u>/dspace/config/dspace.cfg

Go to the following section of the DSpace config file:

<pre>
# Force all authenticated connections to use SSL, only non-authenticated
# connections are allowed over plain http. If set to true, then you need to
# ensure that the 'dspace.hostname' parameter is set to the correctly.
xmlui.force.ssl = true
</pre>

Set "xmlui.force.ssl" to true. The login form and every authenticated session are then redirected to HTTPS; anonymous browsing may still use plain http until Step 6 makes HTTPS the default. Check that 'dspace.hostname' is exactly the name in your certificate, otherwise the redirect sends users to a name the certificate does not cover and they get a browser warning.
 
 
 
{{NANO}}
 
 
 
==Step 6. Enable HTTPS by default==
 
If using the default Mirage theme, you can enable HTTPS by default by modifying the "baseUrl". See link below.
 
https://github.com/DSpace/DSpace/blob/dspace-4.1/dspace-xmlui/src/main/webapp/themes/Mirage/lib/xsl/core/page-structure.xsl#L671-681
 
You can also enable HTTPS by modifying the "dspace.baseUrl" in the "build.properties" file. Change '''http''' to '''https'''. See link below.
 
https://github.com/DSpace/DSpace/blob/dspace-4.1/build.properties#L30-L31
 
 
 
==Step 7. Rebuild DSpace==
 
{{REBUILD}}
 
 
 
==Step 8. Check the secure connection==
 
*https://www.ssllabs.com/ssltest
 
*https://www.ssllabs.com/ssltest/analyze.html?d=demo.dspace.org
 
*https://www.ssllabs.com/ssltest/analyze.html?d=dspace.mit.edu
 
*http://www.sslshopper.com/ssl-checker.html
 
*http://www.digicert.com/help
 
 
 
Below is an example screenshot of testing a secure connection using the sslshopper website SSL checker.
 
 
 
[[File:Sunscholar-ssl.png|border]]
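The web checkers above need a hostname that is reachable from the internet. As an added example (not part of the original page), the script below runs the same three checks from the command line against any host, including a server that is still behind the campus firewall: it feeds the output of '''openssl s_client''' to a small parser that reports whether the intermediate certificate is actually being served (Step 3 and 4), whether the certificate verifies against the local trust store, and which protocol was negotiated. The transcript used in the self-test is constructed to look like s_client output and contains no real handshake.

```bash
#!/bin/bash
# Added example (not part of the original page): command-line check of an
# HTTPS endpoint after the procedure above. Reads "openssl s_client" output
# and flags an incomplete chain, a failed verification or an old protocol.
set -eu

# Reads an s_client transcript on stdin, prints one line per finding and
# returns non-zero if any check fails.
tls_report() {
    local out rc=0 depth verify proto
    out=$(cat)
    # Every " N s:..." line in the "Certificate chain" block is one certificate the server sent.
    depth=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | tail -1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | tail -1)

    if [ "$depth" -ge 2 ]; then
        echo "chain: $depth certificates served (leaf + intermediate): ok"
    else
        echo "chain: only $depth certificate served; the intermediate CA cert is missing from the keystore"; rc=1
    fi
    case "$verify" in
        0) echo "verify: ok" ;;
        *) echo "verify: failed (code ${verify:-unknown}); check the chain and the local trust store"; rc=1 ;;
    esac
    case "$proto" in
        TLSv1.2|TLSv1.3) echo "protocol: $proto: ok" ;;
        *) echo "protocol: ${proto:-unknown}; SSLv3, TLSv1.0 and TLSv1.1 should be disabled on the connector"; rc=1 ;;
    esac
    return $rc
}

# Connects to HOST:PORT with SNI (like a browser does) and reports on the handshake.
check_tls() {   # HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null | tls_report
}

if [ $# -eq 2 ]; then check_tls "$1" "$2"; fi
```

Usage: <tt>./tlscheck.sh scholar.sun.ac.za 443</tt>. Run it once from inside the campus network and once from outside, since the firewall rules in the Requirements section are the usual reason the two give different answers. A non-zero exit status makes the script usable from a cron job that mails you when the chain breaks after a certificate renewal.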
 
==YouTube Video==

<html5media width="560" height="315">https://www.youtube.com/watch?v=YtrdxiYUcOQ</html5media>
 
==References==

===Tomcat===

*https://tomcat.apache.org/tomcat-8.0-doc
*https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support
----
*https://tomcat.apache.org/tomcat-7.0-doc
*https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
----
*https://tomcat.apache.org/tomcat-6.0-doc
*https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
----
*http://wiki.apache.org/tomcat/FAQ/Security
*http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
*http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
*http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR
*http://johnjianfang.blogspot.com/2009/06/ssl-configuration-for-tomcat.html
*http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
*http://blog.lesc.se/2009/09/how-to-makejava-ssl-trust-certificate.html
*https://www.owasp.org/index.php/Securing_tomcat
*https://www.mulesoft.com/tcat/tomcat-security

===SSL/TLS===

*'''http://www.openssl.org'''
*http://www.openssl.org/docs/apps/pkcs12.html
*http://www.madboa.com/geek/openssl/
*https://www.feistyduck.com/books/openssl-cookbook/
*http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
*https://www.maketecheasier.com/apache-server-ssl-support
*https://mozilla.github.io/server-side-tls/ssl-config-generator
*https://istlsfastyet.com

===Letsencrypt/Certbot===

*'''https://letsencrypt.org'''
*https://certbot.eff.org/#ubuntuxenial-other
*https://certbot.eff.org/#ubuntutrusty-other
*https://hostpresto.com/community/tutorials/how-to-secure-your-apache-using-certbot-ssl
*https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
*http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu
*https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/1
*https://github.com/StuAtGit/LetsEncrypt
*https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds
*https://www.sslforfree.com

===Monopoly Notes===

Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.

''Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.''

''Update - 2016/09/01. Letsencrypt is now allowing us to protect ourselves from the NSA!''

==News==

*https://www.youtube.com/watch?v=3G8dPAdmyss
*http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361-druck.html

[[Category:System Administration]]

Latest revision as of 13:18, 27 March 2017

For the need to use https, check: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org

To check if your internet connection is secure, use: https://www.eff.org/https-everywhere