Difference between revisions of "SUNScholar/Secure Internet Connections"

From Libopedia
Jump to navigation Jump to search
m (Please Note)
m (Port 443 Firewall Access)
 
(44 intermediate revisions by the same user not shown)
Line 12: Line 12:
 
''To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.''
 
''To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.''
  
;Update - 2014/11/18
+
==Requirements==
A ''free certificate authority service'' is launching in 2015 that will greatly simplify the configuration of a secure server. See the link below.
 
'''https://letsencrypt.org'''
 
 
 
==Please Note==
 
 
<font color="red">
 
<font color="red">
 +
*'''Secure connections are not needed if doing an evaluation of the software on a test server behind your institutions firewall.'''
 
*'''It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.'''
 
*'''It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.'''
 
*'''This is not needed if doing an evaluation of the software on a test server behind your institutions firewall.'''
 
 
*'''The Tomcat server MUST be listening on port 443 and your local server firewall must allow access to port 443. See links below.'''
 
 
</font>
 
</font>
#http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections/S04
+
===Port 443 Firewall Access===
#http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall
+
Secure internet connections are created using the secure port (443) '''which must be opened on the campus and local server firewall'''.
 
+
http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall
===SSL Defaults===
 
*The default location for certificates is: '''/etc/ssl/certs'''. This is where we will put the certificates. Other services should point to this folder for the certificates.
 
*Secure internet connections are created using the secure port (443) which must be opened on the campus firewall for your particular server by the central IT department.
 
 
 
==[[SUNScholar/Secure Internet Connections/S01|Step 1. Create the SSL certificates]]==
 
 
 
==[[SUNScholar/Secure Internet Connections/S02|Step 2. Apply for a signed certificate]]==
 
 
 
==[[SUNScholar/Secure Internet Connections/S03|Step 3. Intermediate CA certs]]==
 
 
 
==[[SUNScholar/Secure Internet Connections/S04|Step 4. Setup Tomcat to use the SSL certs]]==
 
 
 
==[[SUNScholar/Secure Internet Connections/S05|Step 5. Enable secure XMLUI logins]]==
 
 
 
==[[SUNScholar/Secure Internet Connections/S06|Step 6. Enable HTTPS by default]]==
 
  
==[[SUNScholar/Secure Internet Connections/S07|Step 7. Rebuild DSpace]]==
+
===SSL Certificate Defaults===
 +
*The default location for certificates is: '''/etc/ssl/certs'''.
 +
*This is where we will put the certificates.
 +
*Other services should point to this folder for the certificates.
  
==[[SUNScholar/Secure Internet Connections/S08|Step 8. Check the secure connection]]==
+
==Procedure==
 +
===[[SUNScholar/Secure Internet Connections/S01|Step 1 - Create the SSL certificates]]===
 +
===[[SUNScholar/Secure Internet Connections/S02|Step 2 - Apply for a signed certificate]]===
 +
===[[SUNScholar/Secure Internet Connections/S03|Step 3 - Get the intermediate CA certs]]===
 +
===[[SUNScholar/Secure Internet Connections/S04|Step 4 - Configure Tomcat to use the SSL certs]]===
 +
===[[SUNScholar/Secure Internet Connections/S05|Step 5 - Enable secure XMLUI logins]]===
 +
===[[SUNScholar/Secure Internet Connections/S06|Step 6 - Enable HTTPS by default]]===
 +
===[[SUNScholar/Secure Internet Connections/S07|Step 7 - Rebuild DSpace]]===
 +
===[[SUNScholar/Secure Internet Connections/S08|Step 8 - Check the secure connection]]===
  
 +
==YouTube Video==
 +
<html5media width="560" height="315">https://www.youtube.com/watch?v=YtrdxiYUcOQ</html5media>
 
==References==
 
==References==
 
===Tomcat===
 
===Tomcat===
 +
*https://tomcat.apache.org/tomcat-8.0-doc
 +
*https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support
 +
----
 
*https://tomcat.apache.org/tomcat-7.0-doc
 
*https://tomcat.apache.org/tomcat-7.0-doc
 
*https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
 
*https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
 +
----
 
*https://tomcat.apache.org/tomcat-6.0-doc
 
*https://tomcat.apache.org/tomcat-6.0-doc
 
*https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
 
*https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
 +
----
 +
*http://wiki.apache.org/tomcat/FAQ/Security
 
*http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
 
*http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
 
*http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
 
*http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
Line 59: Line 56:
 
*http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
 
*http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
 
*http://blog.lesc.se/2009/09/how-to-makejava-ssl-trust-certificate.html
 
*http://blog.lesc.se/2009/09/how-to-makejava-ssl-trust-certificate.html
 +
*https://www.owasp.org/index.php/Securing_tomcat
 +
*https://www.mulesoft.com/tcat/tomcat-security
  
 
===SSL/TLS===
 
===SSL/TLS===
*http://www.openssl.org
+
*'''http://www.openssl.org'''
 
*http://www.openssl.org/docs/apps/pkcs12.html
 
*http://www.openssl.org/docs/apps/pkcs12.html
 
*http://www.madboa.com/geek/openssl/
 
*http://www.madboa.com/geek/openssl/
Line 73: Line 72:
 
*https://www.feistyduck.com/books/openssl-cookbook/
 
*https://www.feistyduck.com/books/openssl-cookbook/
 
*http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
 
*http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
 +
*https://www.maketecheasier.com/apache-server-ssl-support
 +
*https://mozilla.github.io/server-side-tls/ssl-config-generator
 +
*https://istlsfastyet.com
 +
 +
===Letsencrypt/Certbot===
 +
*'''https://letsencrypt.org'''
 +
*https://certbot.eff.org/#ubuntuxenial-other
 +
*https://certbot.eff.org/#ubuntutrusty-other
 +
*https://hostpresto.com/community/tutorials/how-to-secure-your-apache-using-certbot-ssl
 +
*https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
 +
*http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu
 +
*https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/1
 +
*https://github.com/StuAtGit/LetsEncrypt
 +
*https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds
 +
*https://www.sslforfree.com
  
 
===Monopoly Notes===
 
===Monopoly Notes===
Line 82: Line 96:
  
 
''Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.''
 
''Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.''
 +
 +
''Update - 2016/09/01. Letsencrypt is now allowing us to protect ourselves from the NSA!''
  
 
==News==
 
==News==
 +
*https://www.youtube.com/watch?v=3G8dPAdmyss
 
*http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361-druck.html
 
*http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361-druck.html
 +
[[Category:System Administration]]

Latest revision as of 13:18, 27 March 2017

Back to Internet Security
For the need to use https, check: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org
To check if your internet connection is secure, use: https://www.eff.org/https-everywhere

Introduction

This wiki page describes a method of securing communications to a DSpace installation on the internet.

To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.

Requirements

  • Secure connections are not needed if doing an evaluation of the software on a test server behind your institutions firewall.
  • It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace.

Port 443 Firewall Access

Secure internet connections are created using the secure port (443) which must be opened on the campus and local server firewall.

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Firewall

SSL Certificate Defaults

  • The default location for certificates is: /etc/ssl/certs.
  • This is where we will put the certificates.
  • Other services should point to this folder for the certificates.

Procedure

Step 1 - Create the SSL certificates

Step 2 - Apply for a signed certificate

Step 3 - Get the intermediate CA certs

Step 4 - Configure Tomcat to use the SSL certs

Step 5 - Enable secure XMLUI logins

Step 6 - Enable HTTPS by default

Step 7 - Rebuild DSpace

Step 8 - Check the secure connection

YouTube Video

References

Tomcat




SSL/TLS

Letsencrypt/Certbot

Monopoly Notes

Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.

Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.

Update - 2016/09/01. Letsencrypt is now allowing us to protect ourselves from the NSA!

News