SUNScholar/Secure Internet Connections
For the reasons to use HTTPS, see: https://pressfreedomfoundation.org/encryption-works and https://ssd.eff.org
To check if your internet connection is secure, use: https://www.eff.org/https-everywhere
- 1 Introduction
- 2 Requirements
- 3 Step 1. Create the SSL certificates
- 4 Step 2. Apply for a signed certificate
- 5 Step 3. Intermediate CA certs
- 6 Step 4. Setup Tomcat to use the SSL certs
- 7 Step 5. Enable secure XMLUI logins
- 8 Step 6. Enable HTTPS by default
- 9 Step 7. Rebuild DSpace
- 10 Step 8. Check the secure connection
- 11 References
- 12 News
This wiki page describes a method of securing communications to a DSpace installation on the internet.
To protect the user credentials of the members of the research community that your repository will serve, it is highly recommended that all logins to the system are encrypted using the procedure detailed below.
It is assumed that DSpace has been installed according to the suggested guidelines here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/DSpace
- Update - 2014/11/18
A free certificate authority service is launching in 2015 that will greatly simplify the configuration of a secure server. See the link below.
- This is not needed if you are evaluating the software on a test server behind your institution's firewall.
- The Tomcat server MUST be listening on port 443. See link below.
- The default location for certificates is: /etc/ssl/certs. This is where we will put the certificates. Other services should point to this folder for the certificates.
- Secure internet connections are created using the secure port (443) which must be opened on the campus firewall for your particular server by the central IT department.
Become the dspace user
Open the DSpace config file for editing as follows:
Go to the following section of the DSpace config file:
    # Force all authenticated connections to use SSL, only non-authenticated
    # connections are allowed over plain http. If set to true, then you need to
    # ensure that the 'dspace.hostname' parameter is set to the correctly.
    xmlui.force.ssl = true

Enable secure logins by changing "xmlui.force.ssl" to true.
- NANO Editor Help
|CTL+O||= Save the file and then press Enter|
|CTL+X||= Exit "nano"|
|CTL+K||= Delete line|
|CTL+U||= Undelete line|
|CTL+W||= Search for %%string%%|
|CTL+\||= Search for %%string%% and replace with $$string$$|
|CTL+C||= Show line numbers|
More info = http://en.wikipedia.org/wiki/Nano_(text_editor)
If using the default Mirage theme, you can enable HTTPS by default by modifying the "baseUrl". See link below.
You can also enable HTTPS by modifying the "dspace.baseUrl" in the "build.properties" file. Change http to https. See link below.
Rebuild the DSpace webapps using the custom rebuild script.
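Before rebuilding, the settings changed in the steps above can be checked together. The script below is an added example, not part of the original wiki page or of DSpace: it reads the properties text, then reports when "xmlui.force.ssl" is not true, when "dspace.baseUrl" is not an https URL, or when "dspace.hostname" is missing or disagrees with the URL. The sample file contents, the example.org hostname, the assumption that "dspace.hostname" sits in the same files, and the rule that the base URL must not name a port other than 443 are assumptions made for the example.

```python
import sys
from urllib.parse import urlparse

def parse_properties(text):
    """Parse simple Java-style 'key = value' lines (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_https(props):
    """Return (setting, problem) pairs; an empty list means the settings agree."""
    findings = []
    if props.get("xmlui.force.ssl", "").lower() != "true":
        findings.append(("xmlui.force.ssl", "not true: logins may use plain http"))
    url = urlparse(props.get("dspace.baseUrl", ""))
    if url.scheme != "https":
        findings.append(("dspace.baseUrl", "does not start with https://"))
    elif url.port not in (None, 443):        # assumption: Tomcat listens on 443
        findings.append(("dspace.baseUrl", "uses a port other than 443"))
    host = props.get("dspace.hostname", "")
    if not host:
        findings.append(("dspace.hostname", "not set"))
    elif url.hostname and url.hostname != host.lower():
        findings.append(("dspace.hostname", "differs from the host in dspace.baseUrl"))
    return findings

# Constructed sample contents, not taken from a real installation.
SAMPLE_DSPACE_CFG = """\
# Force all authenticated connections to use SSL
xmlui.force.ssl = false
"""
SAMPLE_BUILD_PROPERTIES = """\
dspace.hostname = repository.example.org
dspace.baseUrl = http://repository.example.org
"""

if __name__ == "__main__":
    # Pass the paths of your own config files; with no arguments the samples run.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    merged = {}
    for text in texts or [SAMPLE_DSPACE_CFG, SAMPLE_BUILD_PROPERTIES]:
        merged.update(parse_properties(text))
    for setting, problem in audit_https(merged):
        print(f"{setting}: {problem}")
```

Run with the constructed samples, it reports both "xmlui.force.ssl" and "dspace.baseUrl"; a configuration that follows the steps above produces no output.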
Please note: A quiet monopoly has been created in the SSL cert business. Verisign buys Thawte, Verisign buys Geotrust, Symantec buys Verisign.
Update - 2013/10/09. Now we know why a monopoly, so that the NSA can spy on everyone even with SSL certs. What a joke these certs are.