Configuring Apache 2.x for Certificate Authentication

CHANGES TO /etc/httpd/conf/ssl.conf

Between the <VirtualHost _default_:443> and </VirtualHost> lines that are already in the file:

1) add the line

DocumentRoot "/var/www/html/secure"

2) add the line

SSLCACertificateFile /etc/httpd/conf/ssl.crt/DOEbundle.crt

3) add the line

SSLOptions +FakeBasicAuth

4) add the block

<Directory /var/www/html/secure>
        SSLVerifyClient optional
        SSLVerifyDepth 5
        SSLRequireSSL
        AuthName "Snake Oil Authentication"
        AuthType Basic
        AuthUserFile "/etc/httpd/conf/lsc.passwd"
        require valid-user
</Directory>

GENERATING SERVER CERTIFICATES

The httpd package in FC3 already ships with fake server certificates built in. These certs, however, are issued for localhost.localdomain rather than your fully qualified domain name, and they are self-signed, which is kludgy. If you want a better solution, or if your distribution does not ship fake server certificates, you can generate a certificate as follows.

1) Generate a key (no passphrase):

# openssl genrsa -out server.key 1024

2) Create a certificate signing request:

# openssl req -new -key server.key -out server.csr

Answer the requisite questions. For "CommonName", enter the name by which the secure server will be accessed, e.g. if the server URL is https://my.domain.com then enter "my.domain.com" for "CommonName".

3) Get your certificate signed. See the next section for more details.

4) Move the key and certificate to the correct locations, backing up the ones already there:

# mv /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server.key.bak
# mv server.key /etc/httpd/conf/ssl.key/server.key
# chmod 0600 /etc/httpd/conf/ssl.key/server.key
# mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bak
# mv server.crt /etc/httpd/conf/ssl.crt/server.crt
# chmod 0600 /etc/httpd/conf/ssl.crt/server.crt

CREATING A CERTIFICATE AUTHORITY AND SIGNING CERTS

You have two choices for getting a certificate signed: have it signed by an existing certificate authority (CA) such as the DOE CA, or create your own CA. The former is better; however, you have to exchange information with whoever runs the CA, which means jumping through some hoops (CA dependent) and waiting. Here is how to do the latter.

1) Create a CA key:

# openssl genrsa -des3 -out ca.key 1024

Don't lose your passphrase!

2) Create a self-signed certificate for the CA:

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Answer the requisite questions. You can leave "CommonName" blank or put in your own name (or whatever else you want) this time.

3) To sign server certificates, you need to create a shell script for signing (it is apparently not feasible to do it on the command line). The src distribution for mod_ssl comes with one that I modified slightly so that all the certificates, keys, signing requests and other associated paraphernalia can be kept in one directory (which is assumed to be the directory from which the script is run):

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
    * )     CERT="$CSR.crt" ;;
esac

#   make sure environment exists
#   (issued-cert store, serial counter and index database used by 'openssl ca')
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
#   (everything lives in the current directory; ca.key/ca.crt are the CA created above)
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = .
new_certs_dir           = ./ca.db.certs
database                = ./ca.db.index
serial                  = ./ca.db.serial
RANDFILE                = ./ca.db.rand
certificate             = ./ca.crt
private_key             = ./ca.key
default_days            = 365
default_crl_days        = 30
# md5 is what the mod_ssl script shipped with; sha256 is the safer choice on current OpenSSL
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#   sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ./ca.crt "$CERT"

#   cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#   die gracefully
exit 0

Copy it into a file named sign.sh. Make the file executable:

# chmod u+x sign.sh

4) To sign a server certificate request with it:

# ./sign.sh server.csr

Answer the questions.

Note that your users' browsers will not know about the CA you created, so they will see a warning that the server is untrusted when they connect. There are two solutions to this: have them import your CA certificate into their browsers, or have them check the "accept permanently" flag on the warning dialog.

IMPORT THE DOE CA CERTIFICATE

1) Create a file called /etc/httpd/conf/ssl.crt/DOEbundle.crt. It needs to be filled with the current DOE certificate bundle: the PEM-encoded DOE CA certificates, each between its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, concatenated one after another.

CREATE NEEDED DIRECTORIES

1) Make a home for secure files:

# mkdir /var/www/html/secure

2) Move the files you want protected by passwords and/or certificates into that directory.

CREATE A PASSWORD FILE

1) Create a file called /etc/httpd/conf/lsc.passwd
2) For users with certificates, create an entry of the following form from the subject line of their certificate:

/DC=org/DC=doegrids/OU=People/CN=Warren G Anderson 620767:xxj31ZMTZzkVA

The part following the : is not part of the subject line, and it MUST be xxj31ZMTZzkVA for all certificate entries: it is the crypt(3) hash of the literal string "password", which is the password mod_ssl's FakeBasicAuth supplies on behalf of every certificate-authenticated user.

3) Create a default username and password:

# htpasswd /etc/httpd/conf/lsc.passwd username

where username is replaced by whatever you want the default username to be. Enter a password when asked.

4) Make the passwords (which are already encrypted) readable:

# chmod 0644 /etc/httpd/conf/lsc.passwd

You might also be able to make them 0600 if you change the user/group that the server runs under to root, but I haven't tried it. You can decide which is the greater security risk.
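As an added example (not from the original page), the following Python builds the lsc.passwd entry for a certificate holder from the output of `openssl x509 -noout -subject` (both the old slash-separated format and the comma-separated format printed by OpenSSL 1.1 and later) and lints an existing password file for the two mistakes this setup invites: a certificate entry without the fixed FakeBasicAuth hash, and a plain user whose stored hash is that fixed hash. The sample password file and its non-certificate hashes are constructed for the example.

```python
import re

# mod_ssl's FakeBasicAuth presents the fixed password "password" for every
# certificate-authenticated client; this is its crypt(3) hash, as on the page.
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"

_SUBJECT_PREFIX = re.compile(r"^subject\s*=\s*", re.IGNORECASE)
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z0-9.]+\s*=)")  # commas that start a new RDN

def subject_to_dn(subject_line):
    """Slash-separated DN (mod_ssl's FakeBasicAuth username) from an
    `openssl x509 -noout -subject` line, old or OpenSSL 1.1+ format."""
    s = _SUBJECT_PREFIX.sub("", subject_line.strip())
    if s.startswith("/"):                # old "subject= /DC=org/..." output
        return s
    rdns = []
    for part in _RDN_SPLIT.split(s):     # "DC = org, DC = doegrids, ..."
        attr, _, value = part.partition("=")
        rdns.append("%s=%s" % (attr.strip(), value.strip()))
    return "/" + "/".join(rdns)

def fake_basic_auth_entry(subject_line):
    """The AuthUserFile line for one certificate holder."""
    return subject_to_dn(subject_line) + ":" + FAKE_BASIC_AUTH_HASH

def lint_passwd(text):
    """Report DN entries lacking the fixed hash (mod_ssl can never log them in)
    and plain users carrying it (their password is then the public 'password')."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, pw = line.rpartition(":")
        if not sep:
            problems.append("line %d: no ':' separator" % n)
        elif user.startswith("/") and pw != FAKE_BASIC_AUTH_HASH:
            problems.append("line %d: DN entry must use %s" % (n, FAKE_BASIC_AUTH_HASH))
        elif not user.startswith("/") and pw == FAKE_BASIC_AUTH_HASH:
            problems.append("line %d: plain user %r has the FakeBasicAuth hash" % (n, user))
    return problems

# Constructed sample AuthUserFile; lines 2 and 3 are deliberately wrong.
SAMPLE_PASSWD = """\
/DC=org/DC=doegrids/OU=People/CN=Warren G Anderson 620767:xxj31ZMTZzkVA
/DC=org/DC=doegrids/OU=People/CN=Example User 000000:$apr1$salt$notarealhash
guest:xxj31ZMTZzkVA
ligouser:$apr1$salt$alsonotreal
"""
```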

TO ACCESS FILE /var/www/html/secure/file.html

1) Direct a supported browser (e.g. Firefox) to:

https://my.domain.com/file.html

where "my.domain.com" should be the fully qualified domain name of your host and "file.html" is whatever file you want to access from the secure server.

2) If you have a DOE certificate whose subject is already listed in /etc/httpd/conf/lsc.passwd, you will have transparent access.

3) If not, you can log in with the default username and password created above.
