2010/07/16

Cordys: Configuring Apache and BOP4 for SSL

Introduction

This blog item will show an example how to configure secure SSL with Apache 2.2.x and Cordys BOP4 (CU9) (on Windows).

Creating Test Certificate

First we will create a test certificate with Apache.
  1. Copy the <Apache>/conf/openssl.cnf to a temportary directory (<temp>)
  2. Because the EventService of Cordys uses the IP address as an alternate domain, you have to change the openssl.cnf file in the <temp> directory.
    Add the following line behind [ v3_req ]:
    subjectAltName=DNS: www.example.com,DNS: 192.168.2.103
    (Change localhost and IP address accordingly)
  3. First we will create the RSA Private Key:
    <Apache>/bin/openssl genrsa -des3 -out server.key 1024
  4. Now we must generate a Certificate Signed Request (CSR).
    During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
    <Apache>/bin/openssl req -config <temp>/openssl.cnf -new -key server.key -out server.csr
    Country Name (2 letter code) [GB]:NL
    State or Province Name (full name) [Berkshire]:Holland
    Locality Name (eg, city) [Newbury]:Geldrop
    Organization Name (eg, company) [My Company Ltd]:Roger
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:www.example.com
    Email Address []:rvdkimmenade
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []: An optional company name []:

  5. We have to remove the Passphrase from the key because it is inconvenient to type the passphrase each time Apache is restarted:
    copy server.key server.key.org
    openssl rsa -in server.key.org -out server.key
  6. Normally you would sent the CSR to a Certificate Authority to sign the request, but for this example we will sign it ourself.
    <Apache>/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  7. Now the private key and the certificate need to be copied to Apache:
    copy <apache>\bin/server.crt <apache>\conf\server.crt
    copy <apache>\bin\server.key <apache>\conf\server.key
    Notice that these settings of the public- and private key are in the httpd-ssl.conf file.

Changing Apache settings

Now that the certificate is created we start to change the Apache settings (<Apache</conf/httpd.conf file).
  1. Uncomment or add:
    LoadModule ssl_module modules/mod_ssl.so
  2. Uncomment or add:
    Include conf/extra/httpd-ssl.conf
  3. Comment #listen 80
  4. Comment:
    #<IfModule ssl_module>
    # SSLRandomSeed startup builtin # SSLRandomSeed connect builtin # </IfModule>
  5. The SSL configurations are within the <Apache>/conf/extra/httpd-ssl.conf file and are good already.
  6. In the <Cordys>\components\webgateway\Apache\cordys_apache.conf replace the following line:
    <Directory "<Cordys>/Web">
       AllowOverride All   
       AuthName "Cordys"   

       AuthType Basic   
       #SSPIAuth On   
       #SSPIAuthoritative On   
       Allow from all   
       #Require valid-user   
       Anonymous anonymous
    </Directory>

    with
    <Directory "d:\local\programs\Cordys\defaultInst\Web">
       Anonymous_NoUserID on   
       Anonymous_VerifyEmail off   
       Anonymous_MustGiveEmail off   
       Anonymous_LogEmail off   
       Anonymous anonymous   
       Allow from all
    </Directory>
  7. Restart the Apache server.
  8. (This step can be ommitted be is just present for information) For client authentication (tow-way SSL) add the following line to cordys_apache.conf:
    <Directory  "<Cordys>\Web">
       SSLVerifyClient require   
       SSLVerifyDepth 2   
       SSLRequireSSL   
       SSLCACertificatePath conf/ssl/   
       AllowOverride All   
       Allow from all    
    </Directory>
    Note: The <Apache>/conf/ssl directory has to be present/created


Now you are able to connect through the https protocol.



No comments:

Post a Comment