Introduction
This blog item shows an example of how to configure SSL with Apache 2.2.x and Cordys BOP4 (CU9) on Windows.

Creating Test Certificate
First we will create a test certificate with the OpenSSL binary that ships with Apache.

- Copy <Apache>/conf/openssl.cnf to a temporary directory (<temp>).
- Because the EventService of Cordys uses the IP address as an alternate name, the certificate needs a subjectAltName extension that lists both the host name and the IP address. Edit the openssl.cnf copy in <temp> and add the following line below [ v3_req ]:
subjectAltName=DNS:www.example.com,IP:192.168.2.103
(Change the host name and IP address accordingly. The IP address has to be an IP: entry, not a DNS: entry: clients that verify an IP address match it against the iPAddress entries of the extension only. Also make sure that req_extensions = v3_req in the [ req ] section of the copy is present and not commented out, otherwise the CSR is generated without the extension.)
- First we create the RSA private key. Use at least 2048 bits; 1024-bit RSA is considered too weak today:
<Apache>/bin/openssl genrsa -des3 -out server.key 2048
- Now we must generate a Certificate Signing Request (CSR).
During the generation of the CSR you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts is for "Common Name (e.g., YOUR name)". It is important that this field is filled in with the fully qualified domain name of the server to be protected by SSL, the same name you put in the subjectAltName above.
<Apache>/bin/openssl req -config <temp>/openssl.cnf -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:Holland
Locality Name (eg, city) [Newbury]:Geldrop
Organization Name (eg, company) [My Company Ltd]:Roger
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:rvdkimmenade
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
- We remove the passphrase from the key, because it is inconvenient to type it each time Apache is restarted. From then on the key is protected only by file permissions, so restrict the NTFS permissions on server.key to the account Apache runs under and to administrators:
copy server.key server.key.org
<Apache>/bin/openssl rsa -in server.key.org -out server.key
- Normally you would send the CSR to a Certificate Authority to sign the request, but for this example we sign it ourselves. Note that x509 -req does not copy the extensions of the CSR into the certificate: without -extfile and -extensions the certificate is issued without the subjectAltName, so the edited openssl.cnf is passed again:
<Apache>/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -extfile <temp>/openssl.cnf -extensions v3_req -out server.crt
- Now the private key and the certificate need to be copied to Apache:
copy <Apache>\bin\server.crt <Apache>\conf\server.crt
copy <Apache>\bin\server.key <Apache>\conf\server.key
These are the locations the SSLCertificateFile and SSLCertificateKeyFile directives in conf/extra/httpd-ssl.conf point to by default. Delete server.key.org afterwards; it is the passphrase-protected copy and has no further use.
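To check that the subjectAltName really ends up in the certificate, here is the key / CSR / self-sign sequence above as a POSIX shell script. This is an added example, not code from the original post; it uses the same openssl commands, and the host name, IP address and subject fields are the assumed values from above. It builds the certificate twice, once with the IP address spelled as a DNS: entry and once as an IP: entry, and asks OpenSSL whether each certificate is valid for 192.168.2.103.

```shell
#!/bin/sh
# Added example, not code from the original post: the key / CSR / self-sign
# sequence of the post as a script, run twice so the two SAN spellings can be
# compared. Host name, IP address and subject are assumed values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 1; }

HOST=www.example.com
IP=192.168.2.103
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <san-value> <name>: build <name>.key/.csr/.crt in $WORK.
# A two-line extension file stands in for the edited <temp>/openssl.cnf.
make_cert() {
    san=$1; name=$2
    printf '[ v3_req ]\nsubjectAltName = %s\n' "$san" > "$WORK/$name.ext"
    # 2048-bit key without passphrase (same result as genrsa -des3 followed by
    # the "openssl rsa" strip in the post, without the intermediate file)
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    chmod 600 "$WORK/$name.key"       # an unencrypted key must not be world-readable
    # CSR; -subj answers the interactive prompts
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/C=NL/ST=Holland/L=Geldrop/O=Roger/OU=IT/CN=$HOST"
    # Self-sign. x509 -req does not carry the CSR's extensions into the
    # certificate, so the extension section is named explicitly here.
    openssl x509 -req -days 365 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
        -extfile "$WORK/$name.ext" -extensions v3_req -out "$WORK/$name.crt" 2>/dev/null
}

# cert_san <name>: the SAN line of the certificate, empty if the extension is missing
cert_san() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# ip_matches <name>: "ok" if OpenSSL accepts the certificate for $IP, else "mismatch"
ip_matches() {
    if openssl verify -CAfile "$WORK/$1.crt" -verify_ip "$IP" "$WORK/$1.crt" >/dev/null 2>&1
    then echo ok; else echo mismatch; fi
}

make_cert "DNS:$HOST,DNS:$IP" page    # the spelling used in the post
make_cert "DNS:$HOST,IP:$IP"  fixed   # IP address as an iPAddress entry

echo "page : $(cert_san page) -> $(ip_matches page)"
echo "fixed: $(cert_san fixed) -> $(ip_matches fixed)"
```

The "page" certificate carries the address only as a dNSName, so OpenSSL reports an IP address mismatch for it; the "fixed" certificate is accepted. The same `x509 -text` check is worth running once on the real server.crt before copying it into <Apache>\conf.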
Changing Apache settings
Now that the certificate is created we change the Apache settings in <Apache>/conf/httpd.conf.

- Uncomment or add:
LoadModule ssl_module modules/mod_ssl.so
- Uncomment or add:
Include conf/extra/httpd-ssl.conf
- Comment out:
#Listen 80
(Apache then only listens on port 443, which httpd-ssl.conf opens; keep Listen 80 if plain HTTP must stay reachable.)
- Comment out:
#<IfModule ssl_module>
#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
#</IfModule>
- The SSL settings themselves are in <Apache>/conf/extra/httpd-ssl.conf and need no changes for this example. Be aware that the stock 2.2 file still permits SSLv2/SSLv3 and LOW/EXPORT cipher suites; tighten SSLProtocol and SSLCipherSuite before exposing the server beyond a test environment.
- In <Cordys>\components\webgateway\Apache\cordys_apache.conf replace the following block:
<Directory "<Cordys>/Web">
AllowOverride All
AuthName "Cordys"
AuthType Basic
#SSPIAuth On
#SSPIAuthoritative On
Allow from all
#Require valid-user
Anonymous anonymous
</Directory>
with (d:\local\programs\Cordys\defaultInst\Web is the installation path on this machine; use your own <Cordys>\Web):
<Directory "d:\local\programs\Cordys\defaultInst\Web">
Anonymous_NoUserID on
Anonymous_VerifyEmail off
Anonymous_MustGiveEmail off
Anonymous_LogEmail off
Anonymous anonymous
Allow from all
</Directory>
Neither block enforces Apache-level authentication (Require valid-user is commented out in the original and absent from the replacement), so Apache itself does not authenticate requests to the Web directory.
- Restart the Apache server.
- (This step can be omitted and is only included for information.) For client authentication (two-way SSL) add the following block to cordys_apache.conf:
<Directory "<Cordys>\Web">
SSLVerifyClient require
SSLVerifyDepth 2
SSLRequireSSL
SSLCACertificatePath conf/ssl/
AllowOverride All
Allow from all
</Directory>
Note: The <Apache>/conf/ssl directory (the path is relative to ServerRoot) has to be created. SSLCACertificatePath expects the CA certificates in it as PEM files named after their subject hash (<hash>.0), not under arbitrary file names; a single PEM bundle referenced by SSLCACertificateFile is the simpler alternative. Because SSLVerifyClient is set per directory rather than in the virtual host, mod_ssl renegotiates the connection to request the client certificate for that directory.
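Added example for the client-authentication step (not code from the original post; the CA name, client name and paths are assumptions): a test CA, a client certificate issued by it, and the conf/ssl/ layout that SSLCACertificatePath needs. It shows that a CA certificate merely copied into the directory under its own name is not found by the hashed lookup, while the same file under its subject-hash name is.

```shell
#!/bin/sh
# Added example, not code from the original post: a test CA, a client
# certificate issued by it, and the conf/ssl/ layout that
# SSLCACertificatePath expects. Names and paths are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/conf/ssl"           # stands in for <Apache>/conf/ssl
mkdir -p "$CAPATH"

# 1. Test CA: key and self-signed CA certificate in one step
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=NL/O=Roger/OU=IT/CN=Test CA" 2>/dev/null

# 2. Client key + CSR, then a certificate signed by the test CA.
#    This is the key/certificate pair a client presents to pass SSLVerifyClient require.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/C=NL/O=Roger/OU=IT/CN=rvdkimmenade" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null

# install_ca <ca.crt> <dir>: copy the CA certificate under the hash name that
# mod_ssl (OpenSSL's hashed-directory lookup) searches for, and print that name.
# On the real server run <Apache>/bin/openssl here: the hash differs between
# OpenSSL 0.9.8 and 1.0+, and must match the library mod_ssl is linked with.
install_ca() {
    h=$(openssl x509 -hash -noout -in "$1")
    cp "$1" "$2/$h.0"
    echo "$h.0"
}

# chains_to <cert> <dir>: "ok" if <cert> chains to a CA found in <dir>, else "rejected"
chains_to() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# A plain copy under its own file name is not found by the hashed lookup ...
cp "$WORK/ca.crt" "$CAPATH/ca.crt"
echo "plain copy : $(chains_to "$WORK/client.crt" "$CAPATH")"
# ... the same file under <subject-hash>.0 is.
installed=$(install_ca "$WORK/ca.crt" "$CAPATH")
echo "$installed: $(chains_to "$WORK/client.crt" "$CAPATH")"
```

The verify call mirrors what mod_ssl does when SSLVerifyClient require is hit: it looks up the issuer of the presented client certificate by hash name in SSLCACertificatePath, walking at most SSLVerifyDepth issuers. With several CA certificates whose subject hashes collide, the suffix counts up (.0, .1, ...).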
Now you can connect over https. The browser will warn about the certificate until it (or the CA that signed it) is added to the client's trust store, which is expected for a self-signed test certificate.