<para>The objective of this document is to set up an Apache + mySQL + PHP + WebDAV based Web Application Server that uses LDAP for authentication. The document also provides details on encrypting LDAP transactions.</para>
<note><title>Note:</title><para>If you encounter any problems installing Apache or any of the modules please feel free to contact me @ <email>saqib@seagate.com</email></para></note>
<sect2><title>About this document</title>
<para>This document was originally written in 2001. Since then many updates and new additions have been made. Thanks to all the people who submitted updates and corrections.</para>
<para>The XML source of this document is available at <ulink url="http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml">http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml</ulink>.</para>
<para>The latest version of the document is available at <ulink url="http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html">http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html</ulink>.</para>
</sect2>
<sect2><title>Contributions to the document</title>
<para>If you would like to contribute to the HOWTO, you can download the XML source from <ulink url="http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml">http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml</ulink>, and send the updated source to saqib@seagate.com ALONG WITH YOUR NAME IN THE LIST OF AUTHORS AND REVISION HISTORY :). That makes it easier for me to contact the person if there are any updates/corrections. Thanks.
</para>
</sect2>
<sect2><title>What is Apache?</title>
<para>The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX and Windows NT. It provides HTTP services in sync with the current HTTP standards. </para>
<para>The Apache WebServer is available for free download from <ulink url="http://httpd.apache.org/">http://httpd.apache.org/</ulink>.</para>
</sect2>
<sect2><title>What is WebDAV?</title>
<para>WebDAV stands for Web enabled Distributed Authoring and Versioning. It provides a collaborative environment for users to edit/manage files on web servers. Technically, DAV is an extension to the HTTP protocol.</para>
<para>Here is a brief description of the extensions provided by DAV:</para>
<para><emphasis role="bold">Overwrite Protection:</emphasis> Lock and Unlock mechanism to prevent the "lost update problem". The DAV protocol supports both shared and exclusive locks.</para>
<para><emphasis role="bold">Name-space management:</emphasis> Copy, Rename, Move and Deletion of files.</para>
<para><emphasis role="bold">Access Control:</emphasis> Limit access to various resources. Currently DAV assumes access control is already in place, and does not provide a strong authentication mechanism.</para>
<para><emphasis role="bold">Versioning:</emphasis> Revision control for the documents. Versioning is not implemented yet.</para>
</sect2>
<sect2><title>What is PHP?</title>
<para>PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</para>
<para>PHP is available from <ulink url="http://www.php.net">http://www.php.net</ulink></para>
</sect2>
<sect2><title>What is mySQL?</title>
<para>MySQL, the most popular Open Source SQL database, is developed, distributed, and supported by MySQL AB.</para>
<para>The mySQL DB Engine can be downloaded from <ulink url="http://www.mysql.com/">http://www.mysql.com/</ulink></para>
</sect2>
<sect2><title>What do we need?</title>
<para>
The tools needed to achieve this objective are:</para>
<para>You'll have to download and compile several packages. This document will explain the compilation process, but you should be familiar with installing from source code.</para>
<sect2><title>Basics</title>
<para>You will need a machine running Solaris / Linux and the GCC compiler. GNU gzip and GNU tar are also needed.</para>
</sect2>
<sect2><title>Apache 2.0.46</title>
<para>Apache is the HTTP server; it will be used to run the Web Application Server. Please download the Apache 2.0.46 source code from <ulink url="http://www.apache.org/dist/httpd/">http://www.apache.org/dist/httpd/</ulink>.</para>
</sect2>
<sect2><title>OpenSSL</title>
<para>You will need to download OpenSSL from <ulink url="http://www.openssl.org/source/">http://www.openssl.org/source/</ulink>. Please download the latest version. The OpenSSL installation provides the SSL libraries for compiling mod_ssl with Apache, and is used for managing SSL certificates on the WebServer. Please download the gzipped OpenSSL source code file into /tmp/downloads.</para>
</sect2>
<sect2><title>iPlanet LDAP Library</title>
<para>
Download the iPlanet LDAP SDK from <ulink url="http://wwws.sun.com/software/download/products/3ec28dbd.html">http://wwws.sun.com/software/download/products/3ec28dbd.html</ulink>. We will use the iPlanet LDAP SDK, because it includes libraries for ldaps:// (LDAP over SSL).
</para>
</sect2>
<sect2><title>mod_auth_ldap</title>
<para>mod_auth_ldap will be used for compiling LDAP support into Apache. Please download mod_auth_ldap from <ulink url="http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html">http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html</ulink>
</para>
</sect2>
<sect2><title>mySQL DB Engine</title>
<para>Download the appropriate mySQL build for your platform from <ulink url="http://www.mysql.com/downloads/index.html">http://www.mysql.com/downloads/index.html</ulink></para>
</sect2>
<sect2><title>PHP</title>
<para>Download the PHP source code from <ulink url="http://www.php.net/downloads.php">http://www.php.net/downloads.php</ulink></para>
</sect2>
</sect1>
<sect1><title>Installation</title>
<para>First we have to take care of a few pre-requisites, and then we will get into the main installation.</para>
<sect2><title>Pre-requisites</title>
<para>The application server that we plan to install requires the SSL libraries and the LDAP libraries. The SSL engine is also required for managing the SSL certificates for Apache 2.x.</para>
<para>Create the <filename class="directory">/usr/local/iplanet-ldap-sdk.5</filename> directory. Copy the <filename>ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar.gz</filename> from <filename class="directory">/tmp/downloads</filename> to the <filename class="directory">/usr/local/iplanet-ldap-sdk.5</filename> directory.</para>
<para>OpenSSL is an open source implementation of the SSL/TLS protocol. It is required to create and manage SSL certificates on the webserver. The installation is also necessary for the lib files that will be used by the SSL module for Apache.</para>
<para>Upon successful completion of the <command>make install</command> the openssl binaries should reside in <filename class="directory">/usr/local/ssl</filename></para>
<para>The mySQL daemon stores all the information in a directory called the "Data Directory". If you followed the installation instructions above, your Data Directory should be located under <filename class="directory">/usr/local/mysql/data</filename>.</para>
<para>You will also need to get the cert7.db and key3.db from <ulink url="http://www.xml-dev.com/xml/key3.db">http://www.xml-dev.com/xml/key3.db</ulink> and <ulink url="http://www.xml-dev.com/xml/cert7.db">http://www.xml-dev.com/xml/cert7.db</ulink> and place them in the <filename>/usr/local/apache2/sslcert/</filename> directory.</para>
<para>Please download the Litmus source code from <ulink url="http://www.webdav.org/neon/litmus/">http://www.webdav.org/neon/litmus/</ulink> and place it in the /tmp/downloads directory.</para>
<para>Then use gzip and tar to extract the files:</para>
<screen>
<command># cd /tmp/downloads</command>
<command># gzip -d litmus-0.6.x.tar.gz</command>
<command># tar -xvf litmus-0.6.x.tar</command>
<command># cd litmus-0.6.x</command>
</screen>
<para>Compiling and installing Litmus is easy:</para>
<screen>
<command># ./configure</command>
<command># make</command>
<command># make install</command>
</screen>
<para><command>make install</command> will install the Litmus binary files under <filename>/usr/local/bin</filename> and the help files under <filename>/usr/local/man</filename></para>
<para>To test the compliance of the WebDAV server that you just installed, please use the following command</para>
<para>In this section we will discuss the various management tasks - e.g. using LDAP for access control, and working with DAV methods on Apache.</para>
<para>Most of the configuration changes for DAV will have to be done using the <filename>httpd.conf</filename> file. This file is located at <filename>/usr/local/apache/conf/httpd.conf</filename></para>
<para><filename>httpd.conf</filename> is a text based configuration file that Apache uses. It can be edited using any text editor - I prefer using vi. Please make a backup copy of this file before changing it.</para>
<para>After making changes to the <filename>httpd.conf</filename> the Apache server has to be restarted using the <command>/usr/local/apache/bin/apachectl restart</command> command.
However, before restarting you should test the validity of the <filename>httpd.conf</filename> by using the <command>/usr/local/apache/bin/apachectl configtest</command> command.</para>
<sect2><title>Restricting access to DAV shares</title>
<para>In the previous section when we created the DAVtest share, we used LDAP for authentication purposes. However, anyone
who can authenticate using their LDAP userid/passwd will be able to access that folder.</para>
<para>Using the <command>require</command> directive in the httpd.conf file, we can limit access to certain individuals or groups of individuals.</para>
<para>If we look at the DAVtest configuration from the previous section:
<screen>
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
</Limit>
LDAP_Server ldap.server.com
LDAP_Port 389
Base_DN "o=ROOT"
UID_Attr uid
</Directory>
</screen>
We see that <command>require</command> is set to <command>valid-user</command>, which means any valid authenticated user
has access to this folder.
</para>
<sect3><title>Restricting access based on Individual UID(s)</title>
<para>The LDAP UID can be used to restrict access to a DAV folder.</para>
<para>The <command>require valid-user</command> directive can be changed to <command>require user 334455 445566</command></para>
<para>This will restrict access to individuals with UID 334455 and 445566. Anyone else will not be able to access this folder.</para>
</sect3>
<sect3><title>Restricting access based on groups of individuals.</title>
<para><command>require</command> can also be used to restrict access to groups of individuals. This can be either done using LDAP groups or LDAP filters. The filter must be valid LDAP filter syntax.</para>
</sect3>
</sect2>
<sect2><title>Restricting write access to DAV shares</title>
<para>It may be required that editing of the resources on the DAV shares be restricted to a certain individual, while anyone can view the resources. This can easily be done using the <command>&lt;Limit&gt;</command> tags in the httpd.conf file.</para>
<para>Basically we are limiting the PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK and UNLOCK methods to an individual who has the UID of 334455. Everyone else will be able to use the methods GET and PROPFIND on the resources, but not any other method.</para>
There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and <link linkend="digitsign">Digital Signature</link>.
<emphasis role="strong">Public-Private Key Cryptography - Initiating SSL connection: </emphasis> In this algorithm, encryption and decryption are performed using a pair of private and public keys. The web server holds the Private Key, and sends the Public Key to the client in the Certificate.
<para>Then the client checks if the Certificate Authority that signed the certificate is a trusted authority listed in the browser. This explains why we need to get a certificate from a trusted CA.</para>
<para>The client then checks whether the Fully Qualified Domain Name (FQDN) of the web server matches the Common Name (CN) on the certificate.</para>
<note><title>Note:</title><para>Anything encrypted with the Private Key can only be decrypted by using the Public Key. Similarly, anything encrypted using the Public Key can only be decrypted using the Private Key. There is a common misconception that only the Public Key is used for encryption and the Private Key is used for decryption. This is not the case. Either key can be used for encryption/decryption. However, if one key is used for encryption then the other key must be used for decryption. e.g. A message cannot be encrypted and then decrypted using only the Public Key.</para>
<para><emphasis>Using Private Key to encrypt and a Public Key to decrypt ensures the integrity of the sender (owner of the Private Key) to the recipients. Using Public Key to encrypt and a Private Key to decrypt ensures that only the intended recipient (owner of the Private Key) will have access to the data.</emphasis> (i.e. only the person who holds the Private Key will be able to decipher the message).</para></note>
<emphasis role="strong">Symmetric Cryptography - Actual transmission of data</emphasis>: After the SSL connection has been established, Symmetric cryptography is used for encrypting data as it uses fewer CPU cycles. In symmetric cryptography the data can be encrypted and decrypted using the same key. The Key for symmetric cryptography is exchanged during the initiation process, using Public Key Cryptography. </para>
<para><emphasis role="strong">Message Digest</emphasis> The server uses a message digest algorithm such as <link linkend="hmac">HMAC</link>, <link linkend="sha1">SHA-1</link>, <link linkend="md5">MD5</link> to verify the integrity of the transferred data.</para>
<listitem><para>Step1: In this step the Original "Clear Text" message is encrypted using the Sender's Private Key, which results in Cipher Text 1. This ensures the Authenticity of the sender.</para></listitem>
<listitem><para>Step2: In this step the "CipherText 1" is encrypted using Receiver's Public Key resulting in "CipherText 2". This will ensure the Authenticity of the Receiver i.e. only the Receiver can decipher the Message using his Private Key.</para></listitem>
<listitem><para>Step3: Here the SHA1 Message Digest of the "Clear Text" is created.</para></listitem>
<listitem><para>Step4: SHA1 Message Digest is then encrypted using Sender's Private Key resulting in the Digital Signature of the "ClearText". This Digital Signature can be used by the receiver to ensure the Integrity of the message and authenticity of the Sender.</para></listitem>
<listitem><para>Step5: The "Digital Signature" and the "CipherText 2" are then sent to the Receiver.</para></listitem>
<listitem><para>Step1: In this step the "CipherText 2" message is decrypted using the Receiver's Private Key, which results in Cipher Text 1.</para></listitem>
<listitem><para>Step2: In this step the "CipherText 1" is decrypted using Sender's Public Key resulting in "ClearText".</para></listitem>
<listitem><para>Step3: Here the SHA1 Message Digest of the "Clear Text" is created.</para></listitem>
<listitem><para>Step4: The "Digital Signature" is then decrypted using Sender's Public Key, resulting in the "SHA 1 MSG Digest".</para></listitem>
<listitem><para>Step5: The "SHA1 MsgDigest #1" is then compared against "SHA1 MsgDigest #2". If they are equal, the data was not modified during transmission, and the integrity of the Original "Clear Text" has been maintained.</para></listitem>
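<para>The sender and receiver steps above, as an added example that is not part of the original HOWTO: textbook RSA without padding, run with constructed key pairs built from well-known Mersenne primes (trivially factorable, for illustration only). The function names, the 0x01 block marker and the sample message are assumptions of this example; the last line of the demo shows the point from the earlier note that a value encrypted with one key of a pair is not recovered by applying the same key again.</para>

```python
import hashlib

E = 65537  # public exponent used by both constructed key pairs

def make_key(p, q):
    """Return ((e, n), (d, n)): public and private key for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed demo keys from well-known Mersenne primes (trivially factorable).
# The sender modulus is the smaller one, so every CipherText 1 block fits
# into the receiver's RSA operation.
SENDER_PUB, SENDER_PRIV = make_key(2**89 - 1, 2**107 - 1)
RECV_PUB, RECV_PRIV = make_key(2**127 - 1, 2**521 - 1)

def rsa(value, key):
    """Raw RSA: the same modular exponentiation encrypts and decrypts."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value does not fit the modulus")
    return pow(value, exponent, modulus)

def to_blocks(data, modulus):
    """Split bytes into integers below modulus; 0x01 marks each block start."""
    size = (modulus.bit_length() - 1) // 8 - 1
    return [int.from_bytes(b"\x01" + data[i:i + size], "big")
            for i in range(0, len(data), size)]

def from_blocks(blocks):
    """Inverse of to_blocks; rejects a block that lost its 0x01 marker."""
    out = b""
    for block in blocks:
        raw = block.to_bytes((block.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            raise ValueError("malformed block")
        out += raw[1:]
    return out

def sha1_int(data):
    """SHA-1 message digest of data as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def send(clear_text):
    """Sender steps 1-5: return (CipherText 2 blocks, Digital Signature)."""
    blocks = to_blocks(clear_text, SENDER_PRIV[1])
    cipher1 = [rsa(b, SENDER_PRIV) for b in blocks]        # step 1
    cipher2 = [rsa(c, RECV_PUB) for c in cipher1]          # step 2
    signature = rsa(sha1_int(clear_text), SENDER_PRIV)     # steps 3 and 4
    return cipher2, signature                              # step 5

def receive(cipher2, signature):
    """Receiver steps 1-5: (clear text, True) only when both digests match."""
    try:
        cipher1 = [rsa(c, RECV_PRIV) for c in cipher2]     # step 1
        clear_text = from_blocks([rsa(c, SENDER_PUB) for c in cipher1])  # step 2
        digest_1 = sha1_int(clear_text)                    # step 3
        digest_2 = rsa(signature, SENDER_PUB)              # step 4
    except ValueError:
        return b"", False
    return (clear_text, True) if digest_1 == digest_2 else (b"", False)  # step 5

if __name__ == "__main__":
    message = b"PROPFIND /DAVtest/ HTTP/1.1"  # constructed sample message
    c2, sig = send(message)
    print(receive(c2, sig))                        # untouched transfer
    print(receive(c2, sig ^ 1))                    # altered signature
    print(rsa(rsa(42, RECV_PUB), RECV_PUB) == 42)  # same key applied twice
```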
For production use you will need a certificate from a Certificate Authority (hereafter CA). Certificate Authorities are certificate vendors, who are listed as a Trusted CA in the user's browser. As mentioned in the Encryption Algorithms section, if the CA is not listed as a trusted authority, your user will get a warning message when trying to connect to a secure location.
<note><title>"PRNG not seeded"</title><para>If you do not have <filename>/dev/random</filename> on your system you will get a <emphasis>"PRNG not seeded"</emphasis> error message. In that case you can use the following command:</para>
<para>Replace some_file.ext with the name of an existing file on your file system. Any file can be specified. OpenSSL will use that file to generate the seed.</para>
<para>Solaris 9 comes with <filename>/dev/random</filename>. However on Solaris you might have to install the <ulink url="http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438">112438</ulink> patch to get /dev/random.</para>
Note: Your Common Name (CN) is the Fully Qualified Domain Name (FQDN) of your webserver e.g. dav.server.com . If you put in anything else, it will NOT work. Remember the password that you use, for future reference.
<para>Once the process is complete, you will have <filename>private.key</filename> and a <filename>public.csr</filename> . You will need to submit the <filename>public.csr</filename> to the Certification Authority. At this point the public.key is not encrypted. To encrypt:
<para>Once the Certification Authority processes your request, they will send an encoded certificate (Digital Certificate) back to you. The Digital Certificate is in the format defined by X.509 v3. The following shows the structure of a typical X509 v3 Digital Certificate</para>
<listitem><itemizedlist mark='opencircle'><listitem><para>Public Key Algorithm</para></listitem><listitem><para>RSA Public Key</para></listitem></itemizedlist></listitem>
<para>For this example, the Private Key is placed in the <filename class="directory">/usr/local/apache2/conf/ssl.key/</filename> directory, and the Server Certificate is placed in the <filename class="directory">/usr/local/apache2/conf/ssl.crt/</filename> directory.</para>
<para>Copy the file received from the Certification Authority to a file called <filename>server.crt</filename> in the <filename class="directory">/usr/local/apache2/conf/ssl.crt/</filename> directory.</para>
<para>And place the private.key generated in the previous step in the <filename class="directory">/usr/local/apache2/conf/ssl.key/</filename> directory.</para>
<para>Then modify the <filename class="directory">/usr/local/apache2/conf/ssl.conf</filename> file to point to the correct Private Key and Server Certificate files:</para>
<para>Encrypting the RSA Private Key is very important. If a cracker gets hold of your "Unencrypted RSA Private Key" he/she can easily impersonate your webserver. If the Key is encrypted, the cracker cannot do anything without brute forcing the passphrase. Use of a strong (i.e. long) passphrase is encouraged.</para>
<para>However, encrypting the Key can sometimes be a nuisance, since you will be prompted for a passphrase every time you start the web server. This is especially true if you are using rc scripts to start the webserver at boot time: the prompt for a passphrase will stop the boot process, waiting for your input.</para>
<para>Apache uses a multi-process model, in which the requests are NOT all handled by the same process. This causes the SSL Session Information to be lost when a Client makes multiple requests. Multiple SSL handshakes cause a lot of overhead on the webserver and the client. To avoid this, SSL Session Information must be stored in an inter-process Session Cache, allowing all the processes to have access to the handshake information. The SSLSessionCache directive in the <filename>/usr/local/apache2/conf/ssl.conf</filename> file can be used to specify the location of the SSL Session Cache:</para>
<para>Using dbm:logs/ssl_scache creates the Cache as DBM hashfile on the local disk.</para>
<para>Using shmht:logs/ssl_scache(512000) creates the Cache in Shared Memory Segment</para>
<note><title>shmht vs shmcb</title>
<para>shmht: uses a Hash Table to Cache the SSL HandShake Information in the Shared Memory</para>
<para>shmcb: uses a Cyclic Buffer to Cache the SSL HandShake Information in the Shared Memory</para>
</note>
<note><title>Note:</title>
<para>Not all platforms/OS support creation of Hash table in the Shared Memory. So dbm:logs/ssl_scache must be used instead</para>
</note>
</sect3>
<sect3><title>Verifying SSLSession Cache</title>
<para>To verify that the SSLSessionCache is working properly, you can use the <command>openssl</command> utility with the <command>-reconnect</command> option as follows:</para>
<screen>
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
</screen>
<para><command>-reconnect</command> forces the s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts of Reusing the same Session-ID as shown above. </para>
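<para>One way to automate this check, as an added example that is not part of the original HOWTO: the script reads saved <command>s_client</command> output in the line format shown above and counts how many reconnects resumed the session of the preceding handshake. The function names are hypothetical, and the two sample outputs (including their Session-ID values) are constructed for illustration.</para>

```python
import re

HANDSHAKE = re.compile(r"^(New|Reused), ([^,]+), Cipher is (\S+)")
SESSION_ID = re.compile(r"^\s*Session-ID:\s*([0-9A-Fa-f]*)\s*$")


def parse_handshakes(output):
    """Return one record per handshake reported in s_client output."""
    handshakes = []
    for line in output.splitlines():
        match = HANDSHAKE.match(line)
        if match:
            handshakes.append({"kind": match.group(1),
                               "cipher": match.group(3),
                               "session_id": None})
            continue
        match = SESSION_ID.match(line)
        if match and handshakes and handshakes[-1]["session_id"] is None:
            handshakes[-1]["session_id"] = match.group(1).upper()
    return handshakes


def check_session_cache(output, reconnects=5):
    """Report how many reconnects resumed the session of the handshake before."""
    handshakes = parse_handshakes(output)
    later = handshakes[1:]
    reused = sum(1 for prev, cur in zip(handshakes, later)
                 if cur["kind"] == "Reused" and cur["session_id"]
                 and cur["session_id"] == prev["session_id"])
    if len(later) != reconnects:
        reason = "expected %d reconnects, saw %d" % (reconnects, len(later))
    elif reused == reconnects:
        reason = "all reconnects resumed the session"
    elif reused == 0:
        reason = "no session was resumed"
    else:
        reason = "only some reconnects resumed the session"
    return {"ok": len(later) == reconnects == reused,
            "reused": reused, "reason": reason}


def sample_output(handshakes):
    """Build constructed s_client-style output from (kind, session_id) pairs."""
    block = ("{}, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA\n"
             "SSL-Session:\n"
             "    Protocol  : TLSv1\n"
             "    Session-ID: {}\n")
    return "".join(block.format(kind, sid) for kind, sid in handshakes)


# Constructed samples: a working shared cache, and a server without one.
SHARED_CACHE = sample_output([("New", "A1B2")] + [("Reused", "A1B2")] * 5)
NO_CACHE = sample_output([("New", "%04X" % i) for i in range(6)])

if __name__ == "__main__":
    for name, text in (("shared cache", SHARED_CACHE), ("no cache", NO_CACHE)):
        print(name, check_session_cache(text))
```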
<para>A Certificate Signing Request (CSR) is what you send to a Certificate Authority (CA) to get enrolled. A CSR contains the Public Key of the End-Entity that is requesting the Digital Certificate.</para>
</glossdef>
</glossentry>
<glossentry id="cn"><glossterm>Common Name (CN)</glossterm>
<acronym>CN</acronym>
<glossdef>
<para>Common Name is the name of the End-Entity e.g. Saqib Ali. If the End-Entity is a WebServer the CN is the Fully Qualified Domain Name (FQDN) of the WebServer</para>
<para>A certificate that binds a Public Key to a Subject (end-entity). This certificate also contains other identifying information about the subject as defined in the <link linkend="InstallingServerCert">X.509 Format</link>. It is signed by the Issuing CA, using the CA's private key. e.g. of a <link linkend="viewingdigitcertcontent">digital certificate</link></para>
<para>A Digital Signature is created by signing the Message Digest (Message Hash) using the Private Key. It ensures the Identity of the Sender, and the Integrity of the Data.</para>
<para>An entity that participates in the PKI. Usually a Server, Service, Router, or a Person. A CA is not an End-Entity. An RA is an End-Entity to the CA.</para>
<para>Similar to a Message Digest (Hash/Fingerprint), except the Shared Secret Key is used in the process of calculating the Hash. Since a shared secret key is used, an attacker can not change the Message Digest. However the shared secret key has to be first communicated to the participating entities, unlike Digital Signature where Message Digest is signed using the Private Key. HMAC is an example of a Message Authentication Code Algorithm.</para>
<para>Secure Socket Layer (SSL) is a security protocol that provides authentication (Digital Certificate), confidentiality (encryption), and data integrity (Message Digest - MD5, SHA etc).</para>
<para>In this form of cryptography the message is encrypted and decrypted by the same key. (n^2-n)/2 keys are required for n users who want to participate in this system of cryptography.</para>