
Cordys: Configuring Apache and BOP4 for SSL

Introduction

This blog item shows an example of how to configure SSL with Apache 2.2.x and Cordys BOP4 (CU9) on Windows.

Creating Test Certificate

First we will create a test certificate with Apache.
  1. Copy <Apache>/conf/openssl.cnf to a temporary directory (<temp>).
  2. Because the EventService of Cordys uses the IP address as an alternative name, you have to change the openssl.cnf file in the <temp> directory.
    Add the following line after [ v3_req ]:
    subjectAltName=DNS: www.example.com,DNS: 192.168.2.103
    (Change the host name and IP address accordingly)
  3. First we will create the RSA Private Key:
    <Apache>/bin/openssl genrsa -des3 -out server.key 1024
  4. Now we must generate a Certificate Signing Request (CSR).
    During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field is filled in with the fully qualified domain name of the server to be protected by SSL.
    <Apache>/bin/openssl req -config <temp>/openssl.cnf -new -key server.key -out server.csr
    Country Name (2 letter code) [GB]:NL
    State or Province Name (full name) [Berkshire]:Holland
    Locality Name (eg, city) [Newbury]:Geldrop
    Organization Name (eg, company) [My Company Ltd]:Roger
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:www.example.com
    Email Address []:rvdkimmenade
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  5. We have to remove the passphrase from the key, because it is inconvenient to type the passphrase each time Apache is restarted:
    copy server.key server.key.org
    openssl rsa -in server.key.org -out server.key
  6. Normally you would send the CSR to a Certificate Authority to sign the request, but for this example we will sign it ourselves:
    <Apache>/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  7. Now the private key and the certificate need to be copied to the Apache conf directory:
    copy <Apache>\bin\server.crt <Apache>\conf\server.crt
    copy <Apache>\bin\server.key <Apache>\conf\server.key
    Notice that the locations of the certificate (public key) and the private key are configured in the httpd-ssl.conf file (the SSLCertificateFile and SSLCertificateKeyFile directives).
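As an added example (not code from the original post), the Python helper below automates step 2 and verifies its result: add_subject_alt_name inserts the subjectAltName line directly after [ v3_req ] in a copy of openssl.cnf (OpenSSL's subjectAltName syntax uses IP: for addresses and DNS: for host names, so the helper emits IP: for the address), and cert_covers checks a certificate dict in the form returned by ssl.SSLSocket.getpeercert() for the host-name and IP entries the EventService needs. The openssl.cnf fragment and the peer-certificate dict are constructed samples.

```python
import ipaddress
import re

# Constructed fragment in the style of the openssl.cnf shipped with Apache (sample, not the real file).
SAMPLE_CNF = """[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
"""


def san_entry(name):
    """Format one SAN value: OpenSSL expects IP: for addresses and DNS: for host names."""
    try:
        ipaddress.ip_address(name)
        return "IP:" + name
    except ValueError:
        return "DNS:" + name


def add_subject_alt_name(cnf_text, names):
    """Insert one subjectAltName line right after [ v3_req ], replacing any existing one in that section."""
    new_line = "subjectAltName=" + ",".join(san_entry(n) for n in names)
    out, in_v3_req, header_seen = [], False, False
    for ln in cnf_text.splitlines():
        if re.match(r"^\s*\[\s*v3_req\s*\]", ln):
            in_v3_req = header_seen = True
            out += [ln, new_line]
            continue
        if ln.strip().startswith("["):
            in_v3_req = False          # left the v3_req section
        if in_v3_req and ln.strip().startswith("subjectAltName"):
            continue                   # drop a stale entry so only ours remains
        out.append(ln)
    if not header_seen:                # section missing: append it at the end
        out += ["", "[ v3_req ]", new_line]
    return "\n".join(out) + "\n"


def cert_covers(peercert, host, ip):
    """Check a getpeercert()-style dict: both the host name and the IP must be listed as SANs."""
    sans = peercert.get("subjectAltName", ())
    dns_names = {v.lower() for t, v in sans if t == "DNS"}
    ip_names = {v for t, v in sans if t == "IP Address"}   # label used by Python's ssl module
    return host.lower() in dns_names and ip in ip_names
```

Once Apache serves https, a real dict for cert_covers comes from wrapping a socket with ssl.create_default_context(cafile="server.crt") and calling getpeercert() on it.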

Changing Apache settings

Now that the certificate is created, we start to change the Apache settings (the <Apache>/conf/httpd.conf file).
  1. Uncomment or add:
    LoadModule ssl_module modules/mod_ssl.so
  2. Uncomment or add:
    Include conf/extra/httpd-ssl.conf
  3. Comment out the plain HTTP listener:
    #Listen 80
  4. Comment out:
    #<IfModule ssl_module>
    #  SSLRandomSeed startup builtin
    #  SSLRandomSeed connect builtin
    #</IfModule>
  5. The SSL configurations are within the <Apache>/conf/extra/httpd-ssl.conf file and are good already.
  6. In <Cordys>\components\webgateway\Apache\cordys_apache.conf replace the following lines:
    <Directory "<Cordys>/Web">
       AllowOverride All
       AuthName "Cordys"
       AuthType Basic
       #SSPIAuth On
       #SSPIAuthoritative On
       Allow from all
       #Require valid-user
       Anonymous anonymous
    </Directory>

    with
    <Directory "d:\local\programs\Cordys\defaultInst\Web">
       Anonymous_NoUserID on
       Anonymous_VerifyEmail off
       Anonymous_MustGiveEmail off
       Anonymous_LogEmail off
       Anonymous anonymous
       Allow from all
    </Directory>
  7. Restart the Apache server.
  8. (This step can be omitted; it is only present for information.) For client authentication (two-way SSL) add the following block to cordys_apache.conf:
    <Directory "<Cordys>\Web">
       SSLVerifyClient require
       SSLVerifyDepth 2
       SSLRequireSSL
       SSLCACertificatePath conf/ssl/
       AllowOverride All
       Allow from all
    </Directory>
    Note: the <Apache>/conf/ssl directory has to exist (create it if necessary) and must contain the CA certificates that signed the client certificates.


Now you are able to connect through the https protocol.




 This blog is a review of the book "Data Management at Scale (See also at bol.com ) Data Management is a hot topic nowadays and this book does a fantastic job at adding value to this topic. It is a must read and one of the few technical books I finished reading in a weekend. The book gives a fantastic overview on how to implement a Data Mesh data architecture. The Data Mesh concept is explained by Martin Fowler here . The book is a good mix between conceptual and implementation architecture level. It gives a lot of examples of how this architecture at scale can work, for both small and big companies. It is practical and I used it to implement it at one of my customers. The book describes an architecture in which the focus is on the DIAL (Data- and Integration Access Layer).  On a high level the book covers the following topics: The key principles for data management at scale - Domain-Driven Design  - Domain Data Stores - Meta data management Ready Data Store The concept ...