LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity

updated

This commit is contained in:
gferg 2003-10-17 20:58:48 +00:00
parent 974d1f22c7
commit d6e9d47f57
3 changed files with 169 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

187
LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.xml
View File

@ -23,6 +23,17 @@
<revhistory>
<revision>
<revnumber>v4.1.2</revnumber>
<date>2003-10-17</date>
<authorinitials>sa</authorinitials>
<revremark>
Added the SSL performance tuning section.
</revremark>
</revision>
<revision>
<revnumber>v4.1.1</revnumber>
<date>2003-09-29</date>
@ -79,6 +90,7 @@
</articleinfo>
<sect1 id="intro"><title>Introduction</title>
<para>The Objective of this document in to Setup a Apache + mySQL + PHP + WebDAV based Web Application Server, that uses LDAP for Authentication. The documentation will also provide details on the encrypting LDAP transactions.</para>
<note><title>Note:</title><para>If you encounter any problems installing Apache or any of the modules please feel free to contact me @ <email>saqib@seagate.com</email></para></note>
@ -493,7 +505,7 @@ fully compatible, the client side WebDAV applications will not function properly
<para>To test the complaince we will use a tool called Litmus. Litmus is a WebDAV server protocol compliance test suite,
which aims to test whether a server is compliant with the WebDAV protocol as specified in RFC2518. </para>
<para>Please download the Litmus source code from http://www.webdav.org/neon/litmus/ and place it in the /tmp/downloads directory.</para>
<para>Please download the Litmus source code from <ulink url="http://www.webdav.org/neon/litmus/">http://www.webdav.org/neon/litmus/</ulink> and place it in the /tmp/downloads directory.</para>
<para>Then use gzip and tar to extract the files:</para>
<screen>
@ -644,7 +656,7 @@ The following is a over-simplified structure of the layers involved in SSL.
</para>
<sect3><title>Encryption algorithms used in SSL</title>
<para>
There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and Message Digest.
There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and <link linkend="digitsign">Digital Signature</link>.
</para>
<para>
<emphasis role="strong">Public-Private Key Crytography - Initiating SSL connection: </emphasis> In this algorithm, encryption and decryption is performed using a pair of private and public keys. The Web-server holds the private Key, and sends the Public key to the client in the Certificate.
@ -675,7 +687,7 @@ The following is a over-simplified structure of the layers involved in SSL.
<para>
<emphasis role="strong">Symmetric Cryptography - Actual transmission of data</emphasis>: After the SSL connection has been established, Symmetric cryptography is used for encrypting data as it uses less CPU cycles. In symmetric cryptography the data can be encrypted and decrypted using the same key. The Key for symmetric cryptography is exchanged during the initiation process, using Public Key Cryptography. </para>
<para><emphasis role="strong">Message Digest</emphasis> The server uses message digest algoritm such as HMAC, SHA, MD5 to verify the integrity of the transferred data.</para>
<para><emphasis role="strong">Message Digest</emphasis> The server uses message digest algoritm such as <link linkend="hmac">HMAC</link>, <link linkend="sha1">SHA-1</link>, <link linkend="md5">MD5</link> to verify the integrity of the transferred data.</para>
</sect3>
<sect3><title>Ensuring Authenticity and Integrity</title>
<para>Encryption Process</para>
@ -777,7 +789,8 @@ mod_ssl to create this custom Certificate. We used the command:
<para>
Similarly the test certificates will also cause a warning message to appear on the user's browser.
</para>
</sect2>
<sect2><title>How to generate a CSR</title>
@ -821,6 +834,7 @@ An optional company name []:
<screen><command># /usr/local/ssl/bin/openssl req -rand <filename>some_file.ext</filename> -new -nodes -keyout private.key -out public.csr </command>
</screen>
<para>Replace some_file.ext with the name of a existing file on your file system. Any file can be specified. Openssl will use that file to generate the seed</para>
<para>Solaris 9 comes with <filename>/dev/random</filename>. However on Solaris you might have to install the <ulink url="http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438">112438</ulink> patch to get the /dev/random</para>
</note>
<para>
At this point you will be asked several questions about your server to generate the Certificate Singning Request</para>
@ -839,7 +853,7 @@ Note: Your Common Name (CN) is the Fully Qualified DNS (FQDN) name of your webse
</sect2>
<sect2><title>Installing Server Private Key, and Server Certificate</title>
<sect2 id="InstallingServerCert"><title>Installing Server Private Key, and Server Certificate</title>
<para>Once the Certification Authority processes your request, they will send an encoded certificate (Digital Certificate) back to you. The Digital Certificate is in the format defined by X.509 v3. The following shows the structure of a typical X509 v3 Digital Certificate</para>
<itemizedlist mark='opencircle'>
@ -847,12 +861,12 @@ Note: Your Common Name (CN) is the Fully Qualified DNS (FQDN) name of your webse
<itemizedlist mark='opencircle'><listitem><para>Version</para></listitem><listitem><para>Serial Number</para></listitem><listitem><para>Algorithm ID</para></listitem><listitem><para>Issuer</para></listitem></itemizedlist>
<itemizedlist mark='opencircle'>
<listitem><para>Validity</para></listitem>
<listitem><para><itemizedlist mark='opencircle'><listitem><para>Not Before</para></listitem><listitem><para>Not After</para></listitem></itemizedlist></para></listitem>
<listitem><itemizedlist mark='opencircle'><listitem><para>Not Before</para></listitem><listitem><para>Not After</para></listitem></itemizedlist></listitem>
</itemizedlist>
<itemizedlist mark='opencircle'><listitem><para>Subject</para></listitem></itemizedlist>
<itemizedlist mark='opencircle'>
<listitem><para>Subject Public Key Info</para></listitem>
<listitem><para><itemizedlist mark='opencircle'><listitem><para>Public Key Algorithm</para></listitem><listitem><para>RSA Public Key</para></listitem></itemizedlist></para></listitem>
<listitem><itemizedlist mark='opencircle'><listitem><para>Public Key Algorithm</para></listitem><listitem><para>RSA Public Key</para></listitem></itemizedlist></listitem>
</itemizedlist>
<itemizedlist mark='opencircle'><listitem><para>Extensions</para></listitem></itemizedlist>
</para></listitem>
@ -868,7 +882,7 @@ server.crt: OK </screen>
<para>Where <filename>server.crt</filename> is the name of the file that contains the Digital Certificate</para>
</sect3>
<sect3><title>Viewing the contents of a Digital Certificate</title>
<sect3 id="viewingdigitcertcontent"><title>Viewing the contents of a Digital Certificate</title>
<para>The contents of a Digital Certificate can be viewed by using the <command># openssl x509</command> command as follows:</para>
<screen><command># openssl x509 -text -in <filename>server.crt</filename></command>
Certificate:
@ -893,8 +907,8 @@ Certificate:
............
</screen>
</sect3>
<sect3><title>Modifying the httpd.conf to Install the Certificates</title>
<para> You will need to place this certificate on the server, and tell Apache where to find it.</para>
<para>For this example, the Private Key is placed in the <filename class="directory">/usr/local/apache2/conf/ssl.key/</filename> directory, and the Sever Certificate is placed in the <filename class="directory">/usr/local/apache2/conf/ssl.crt/</filename>.</para>
<para>Copy the file received from the Certification to a file called <filename>server.crt</filename> in the <filename class="directory">/usr/local/apache2/conf/ssl.crt/</filename>.</para>
@ -965,7 +979,88 @@ One way to secure the decrypted Private Key is to make readable only by the root
</para>
</sect2>
<sect2><title>Trusted Certificate Authorities</title>
<sect2><title>SSL Performance Tuning</title>
<sect3><title>Inter Process SSL Session Cache</title>
<para>Apache uses a multi-process model, in which all the request are NOT handled by the same process. This causes the SSL Session Information to be lost when a Client makes multiple requests. Multiple SSL HandShakes causes lot of overhead on the webserver and the client. To avoid this, SSL Session Information must be stored in a inter-process Session Cache, allowing all the processes to have access to to handshake information. SSLSessionCache Directive the in <filename>/usr/local/apache2/conf/ssl.conf</filename> file can be used to specify the location of the SSL Session Cache:</para>
<screen>
SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
</screen>
<para>Using dbm:logs/ssl_scache creates the Cache as DBM hashfile on the local disk.</para>
<para>Using shmht:logs/ssl_scache(512000) creates the Cache in Shared Memory Segment</para>
<note><title>shmht vs shmcb</title>
<para>shmht: uses a Hash Table to Cache the SSL HandShake Information in the Shared Memory</para>
<para>shmht: uses a Cyclic Buffer to Cache the SSL HandShake Informationin the Shared Memory</para>
</note>
<note><title>Note:</title>
<para>Not all platforms/OS support creation of Hash table in the Shared Memory. So dbm:logs/ssl_scache must be used instead</para>
</note>
</sect3>
<sect3><title>Verifying SSLSession Cache</title>
<para>To verify if the SSLSessionCache is working properly, you can use the <command>openssl</command> utility with the <command>-reconnect</command> as follows:</para>
<screen>
<command># openssl s_client -connect your.server.dom:443 -state -reconnect</command>
CONNECTED(00000003)
.......
.......
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
</screen>
<para><command>-reconnect</command> forces the s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts of Reusing the same Session-ID as shown above. </para>
</sect3>
</sect2>
</sect1>
<appendix><title>HTTP/HTTPS Benchmarking tools</title>
<para>The following is a list of some of the OpenSource BenchMarking tools for WebServers</para>
<orderedlist numeration="lowerroman">
<listitem>
<para><ulink url="http://distcache.sourceforge.net/">SSLswamp</ulink> - For stress-testing/benchmarking connction to a SSL enable server</para>
</listitem>
<listitem>
<para><ulink url="http://www.hpl.hp.com/personal/David_Mosberger/httperf.html">HTTPERF</ulink> - A Tool for Measuring Web Server Performance</para>
</listitem>
<listitem>
<para><ulink url="http://httpd.apache.org/docs-2.1/en/programs/ab.html">ab</ulink> - Apache HTTP server benchmarking tool</para>
</listitem>
</orderedlist>
</appendix>
<appendix><title>Hardware based SSL encryption solutions</title>
<para>The following is a Hardware Based SSL encryption solution available:</para>
<orderedlist numeration="lowerroman">
<listitem>
<para><ulink url="http://www.ncipher.com">CHIL (Cryptographic Hardware Interface Library)</ulink> by nCipher</para>
</listitem>
<listitem>
<para><ulink url="http://httpd.apache.org/docs-2.1/en/programs/ab.html">ab</ulink> - Apache HTTP server benchmarking tool</para>
</listitem>
</orderedlist>
</appendix>
<appendix><title>Certificate Authorities</title>
<para>The following is list of Certificate Authorities that are trusted by the various browsers:</para>
<orderedlist numeration="lowerroman">
<listitem>
@ -974,17 +1069,18 @@ One way to secure the decrypted Private Key is to make readable only by the root
<listitem>
<para><ulink url="http://www.entrust.com/">Entrust</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.globalsign.net/">GeoTrust</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.thawte.com">Thawte</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.verisign.com">Verisign</ulink></para>
<para><ulink url="http://www.trustcenter.de/">TrustCenter</ulink></para>
</listitem>
</orderedlist>
</appendix>
</sect2>
</sect1>
<glossary id="glossary"><title>Glossary of PKI Terms</title>
@ -992,7 +1088,7 @@ One way to secure the decrypted Private Key is to make readable only by the root
<glossentry id="asymmetric_crypt"><glossterm>Asymmetric Cryptography</glossterm>
<glossdef>
<para>In this Cryptography a Key Pair - Private and Public Key is used. Private Key is kept secret and the Public Key is Widely distrbuted.</para>
<para>In this Cryptography a Key Pair - Private and Public Key is used. Private Key is kept secret and the Public Key is Widely distributed.</para>
</glossdef>
</glossentry>
</glossdiv>
@ -1000,6 +1096,14 @@ One way to secure the decrypted Private Key is to make readable only by the root
<glossdiv><title>C</title>
<glossentry id="certificate"><glossterm>Certificate</glossterm>
<glossdef>
<para>A Data Record that contains the information as defined in the <link linkend="InstallingServerCert">X.509 Format</link>. </para>
</glossdef>
</glossentry>
<glossentry id="ca"><glossterm>Certificate Authority (CA)</glossterm>
<acronym>CA</acronym>
<glossdef>
@ -1026,16 +1130,16 @@ One way to secure the decrypted Private Key is to make readable only by the root
<glossdiv><title>D</title>
<glossentry id="dig_cert"><glossterm>Digital Certificate</glossterm>
<glossentry id="digitcert"><glossterm>Digital Certificate</glossterm>
<glossdef>
<para>Public Key of the End-Entity + the identifying information of the End-Entity (owner of the Public Key). It certifies the Identity of the owner (End-Entity). It is signed by Issuing CA.</para>
<para>A certificate that binds a Public Key to a Subject (end-entity). This certificate also contains other indentifying information about the subject as defined in the <link linkend="InstallingServerCert">X.509 Format</link>. It is signed by Issuing CA, using CA's pivate key. e.g. of a <link linkend="viewingdigitcertcontent">digital certificate</link></para>
</glossdef>
</glossentry>
<glossentry id="dig_sign"><glossterm>Digital Signature</glossterm>
<glossentry id="digitsign"><glossterm>Digital Signature</glossterm>
<glossdef>
<para>A Digital Signature is created by signing the Message Digest using the Private Key. It ensures the Identity of the Sender, and the Integrity of the Data.</para>
<para>A Digital Signature is created by signing the Message Digest (Message Hash) using the Private Key. It ensures the Identity of the Sender, and the Integrity of the Data.</para>
</glossdef>
</glossentry>
</glossdiv>
@ -1048,6 +1152,41 @@ One way to secure the decrypted Private Key is to make readable only by the root
</glossentry>
</glossdiv>
<glossdiv><title>H</title>
<glossentry id="hash"><glossterm>Hash</glossterm>
<glossdef>
<para>A hash is Hexadecimal number generated from a string of text such that, no two different strings can produce the same hash.</para>
</glossdef>
</glossentry>
<glossentry id="hmac"><glossterm>HMAC: Keyed Hashing for Message Authentication</glossterm>
<acronym>HMAC</acronym>
<glossdef>
<para>HMAC is an implementation of Message Authentication Code Algorithm.</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv><title>M</title>
<glossentry id="mac"><glossterm>Message Authentication Code</glossterm>
<acronym>MAC</acronym>
<glossdef>
<para>Similar to a Message Digest (Hash/Fingerprint), except the Shared Secret Key is used in the process of calculating the Hash. Since a shared secret key is used, an attacker can not change the Message Digest. However the shared secret key has to be first communicated to the participating entities, unlike Digital Signature where Message Digest is signed using the Private Key. HMAC is an example of a Message Authentication Code Algorithm.</para>
</glossdef>
</glossentry>
<glossentry id="md5"><glossterm>Message Digest 5 - MD5</glossterm>
<acronym>MD5</acronym>
<glossdef>
<para>Message Digest 5 (MD5) is a 128-bit one-way hash function</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv><title>P</title>
@ -1072,6 +1211,14 @@ One way to secure the decrypted Private Key is to make readable only by the root
<glossdiv><title>S</title>
<glossentry id="sha1"><glossterm>SHA-1: Secure Hash Algorithm</glossterm>
<acronym>MD5</acronym>
<glossdef>
<para>Secure Hash Algorithm (SHA-1) is a 160-bit one-way hash function. Maximum message is 2^64 bits.</para>
</glossdef>
</glossentry>
<glossentry id="sslayer"><glossterm>Secure Socket Layer (SSL)</glossterm>
<acronym>SSL</acronym>
<glossdef>

2
LDP/howto/docbook/HOWTO-INDEX/appsSect.sgml
View File

@ -910,7 +910,7 @@ M$Frontpage Server Extensions. </Para>
Apache-WebDAV-LDAP-HOWTO</ULink>,
<CiteTitle>Apache based WebDAV Server with LDAP and SSL HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Sep 2003</CiteTitle>.
<CiteTitle>Updated: Oct 2003</CiteTitle>.
A HOWTO on implementing WebDAV services using Apache - with LDAP for
authentication and SSL for ensuring security of the DAV stores. </Para>
</ListItem>

2
LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml
View File

@ -262,7 +262,7 @@ MS Frontpage Server Extensions. </Para>
Apache-WebDAV-LDAP-HOWTO</ULink>,
<CiteTitle>Apache based WebDAV Server with LDAP and SSL HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Sep 2003</CiteTitle>.
<CiteTitle>Updated: Oct 2003</CiteTitle>.
A HOWTO on implementing WebDAV services using Apache - with LDAP for
authentication and SSL for ensuring security of the DAV stores. </Para>
</ListItem>