1357 lines
65 KiB
Plaintext
1357 lines
65 KiB
Plaintext
|
Apache based WebDAV Server with LDAP and SSL
|
|||
|
|
|||
|
Saqib Ali
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><saqib@seagate.com>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
[http://www.xml-dev.com] Offshore XML/XHTML Development
|
|||
|
Revision History
|
|||
|
Revision v4.1.2 2003-10-17 Revised by: sa
|
|||
|
Added the SSL performance tuning section.
|
|||
|
Revision v4.1.1 2003-09-29 Revised by: sa
|
|||
|
Updated the SSL section based on the feedback received from readers.
|
|||
|
Revision v4.1.0 2003-09-02 Revised by: sa
|
|||
|
Updated the SSL section based on the feedback received from readers.
|
|||
|
Revision v4.0.2 2003-08-01 Revised by: sa
|
|||
|
Minor updates to the Apache configure cmd line. /dev/random referenced in the
|
|||
|
SSL section.
|
|||
|
Revision v4.0.1 2003-07-27 Revised by: sa
|
|||
|
Added more information to the SSL section.
|
|||
|
Revision v4.0 2003-06-29 Revised by: sa
|
|||
|
Updated the HOWTO for Apache 2.0. Also the source is in XML
|
|||
|
|
|||
|
|
|||
|
.This document is an HOWTO on installing a Apache based WebDAV server with
|
|||
|
LDAP for authentication and SSL encryption.
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
Table of Contents
|
|||
|
1. Introduction
|
|||
|
1.1. About this document
|
|||
|
1.2. Contributions to the document
|
|||
|
1.3. What is Apache?
|
|||
|
1.4. What is WebDAV?
|
|||
|
1.5. What is PHP?
|
|||
|
1.6. What is mySQL?
|
|||
|
1.7. What do we need?
|
|||
|
1.8. Assumptions
|
|||
|
|
|||
|
|
|||
|
2. Requirements
|
|||
|
2.1. Basics
|
|||
|
2.2. Apache 2.0.46
|
|||
|
2.3. OpenSSL
|
|||
|
2.4. iPlanet LDAP Library
|
|||
|
2.5. mod_auth_ldap
|
|||
|
2.6. mySQL DB Engine
|
|||
|
2.7. PHP
|
|||
|
|
|||
|
|
|||
|
3. Installation
|
|||
|
3.1. Pre-requisites
|
|||
|
3.2. mySQL
|
|||
|
3.3. Apache 2.0
|
|||
|
3.4. mod_auth_ldap
|
|||
|
3.5. CERT DB for LDAPS://
|
|||
|
3.6. PHP
|
|||
|
|
|||
|
|
|||
|
4. Configuring and Setting up the WebDAV services
|
|||
|
4.1. Modifications to the /usr/local/apache/conf/httpd.conf
|
|||
|
4.2. Creating a directory for DAVLockDB
|
|||
|
4.3. Enabling DAV
|
|||
|
4.4. Create a Directory called DAVtest
|
|||
|
4.5. Restart Apache
|
|||
|
4.6. WebDAV server protocol compliance testing
|
|||
|
|
|||
|
|
|||
|
5. WebDAV server management
|
|||
|
5.1. Restricting access to DAV shares
|
|||
|
5.2. Restricting write access to DAV shares
|
|||
|
|
|||
|
|
|||
|
6. Implementing and using SSL to secure HTTP traffic
|
|||
|
6.1. Introduction to SSL
|
|||
|
6.2. Test Certificates
|
|||
|
6.3. Certificates for Production use
|
|||
|
6.4. How to generate a CSR
|
|||
|
6.5. Installing Server Private Key, and Server Certificate
|
|||
|
6.6. Removing passphrase from the RSA Private Key
|
|||
|
6.7. SSL Performance Tuning
|
|||
|
|
|||
|
|
|||
|
A. HTTP/HTTPS Benchmarking tools
|
|||
|
B. Hardware based SSL encryption solutions
|
|||
|
C. Certificate Authorities
|
|||
|
Glossary of PKI Terms
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
The Objective of this document in to Setup a Apache + mySQL + PHP + WebDAV
|
|||
|
based Web Application Server, that uses LDAP for Authentication. The
|
|||
|
documentation will also provide details on the encrypting LDAP transactions.
|
|||
|
|
|||
|
Note Note:
|
|||
|
<EFBFBD> If you encounter any problems installing Apache or any of the modules
|
|||
|
please feel free to contact me @ <saqib@seagate.com>
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.1. About this document
|
|||
|
|
|||
|
This document was originally written in 2001. Since then many updates and new
|
|||
|
additions have been made. Thanks to all the people who submitted updates and
|
|||
|
corrections.
|
|||
|
|
|||
|
The XML source of this document is available at [http://www.xml-dev.com:8080/
|
|||
|
cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml] http://www.xml-dev.com:
|
|||
|
8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml.
|
|||
|
|
|||
|
The latest version of the document is available at [http://www.xml-dev.com:
|
|||
|
8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html] http://
|
|||
|
www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.2. Contributions to the document
|
|||
|
|
|||
|
If you like to contribute to the HOWTO, you can d/l the XML source from
|
|||
|
[http://www.xml-dev.com:8080/cocoon/mount/docbook/
|
|||
|
Apache-WebDAV-LDAP-HOWTO.xml] http://www.xml-dev.com:8080/cocoon/mount/
|
|||
|
docbook/Apache-WebDAV-LDAP-HOWTO.xml , and send in the updated source to
|
|||
|
saqib@seagate.com ALONG WITH YOUR NAME IN THE LIST OF AUTHORS AND REVISION
|
|||
|
HISTORY :). That makes it easier for me contact the person if there are any
|
|||
|
updates/corrections. Thanks.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.3. What is Apache?
|
|||
|
|
|||
|
The Apache HTTP Server is an open-source HTTP server for modern operating
|
|||
|
systems including UNIX and Windows NT. It provides HTTP services in sync with
|
|||
|
the current HTTP standards.
|
|||
|
|
|||
|
Thei Apache WebServer is available for free download from [http://
|
|||
|
httpd.apache.org/] http://httpd.apache.org/
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.4. What is WebDAV?
|
|||
|
|
|||
|
WebDAV stands for Web enabled Distributed Authoring and Versioning. It
|
|||
|
provides a collaborative environment for users to edit/manage files on
|
|||
|
web-servers. Technically DAV is an extension to the http protocol.
|
|||
|
|
|||
|
Here is a brief description of the extensions provided by DAV:
|
|||
|
|
|||
|
Overwrite Protection: Lock and Unlock mechanism to prevent the "lost update
|
|||
|
problem". DAV protocol support both shared and exclusive locks.
|
|||
|
|
|||
|
Properties: Metadata (title, subject, creater, etc)
|
|||
|
|
|||
|
Name-space management: Copy, Rename, Move and Deletion of files
|
|||
|
|
|||
|
Access Control: Limit access to various resources. Currently DAV assumes
|
|||
|
access control is already in place, and does not provide strong
|
|||
|
authentication mechanism.
|
|||
|
|
|||
|
Versioning: Revision control for the documents. Versioning is not implemented
|
|||
|
yet.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.5. What is PHP?
|
|||
|
|
|||
|
PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used
|
|||
|
Open Source general-purpose scripting language that is especially suited for
|
|||
|
Web development and can be embedded into HTML.
|
|||
|
|
|||
|
PHP is available from [http://www.php.net] http://www.php.net
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.6. What is mySQL?
|
|||
|
|
|||
|
MySQL, the most popular Open Source SQL database, is developed, distributed,
|
|||
|
and supported by MySQL AB
|
|||
|
|
|||
|
mySQL DB Engine can be downloaded from [http://www.mysql.com/] http://
|
|||
|
www.mysql.com/
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.7. What do we need?
|
|||
|
|
|||
|
The tools needed to achieve this objective are:
|
|||
|
|
|||
|
i. C Compiler e.g. GCC
|
|||
|
|
|||
|
ii. Apache 2 Web Server
|
|||
|
|
|||
|
iii. LDAP Module for Apache
|
|||
|
|
|||
|
iv. iPlanet LDAP lib files
|
|||
|
|
|||
|
v. SSL engine
|
|||
|
|
|||
|
vi. PHP
|
|||
|
|
|||
|
vii. mySQL DB Engine
|
|||
|
|
|||
|
|
|||
|
Note Note:
|
|||
|
<EFBFBD> All of these packages are free and are available for download on the
|
|||
|
net.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.8. Assumptions
|
|||
|
|
|||
|
This document assumes that you have the following already installed on your
|
|||
|
system.
|
|||
|
|
|||
|
i. gzip or gunzip - available from [http://www.gnu.org] http://www.gnu.org
|
|||
|
|
|||
|
ii. gcc and GNU make - available from [http://www.gnu.org] http://www.gnu.org
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
2. Requirements
|
|||
|
|
|||
|
You'll have to download and compile several packages. This document will
|
|||
|
explain the compilation process, but you should be fimiliar with installing
|
|||
|
from source code.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.1. Basics
|
|||
|
|
|||
|
You will need a machine running Solaris / Linux and GCC Compiler. GNU gnzip
|
|||
|
and GNU tar is also needed.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.2. Apache 2.0.46
|
|||
|
|
|||
|
Apache is the HTTP server, it will be used to run the Web Application Server.
|
|||
|
Please download the Apache 2.0.46 source code from [http://www.apache.org/
|
|||
|
dist/httpd/] http://www.apache.org/dist/httpd/.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.3. OpenSSL
|
|||
|
|
|||
|
You will need to download the OpenSSL from [http://www.openssl.org/source/]
|
|||
|
http://www.openssl.org/source/ . Please download the latest version. OpenSSL
|
|||
|
installation will be used for SSL libraries for compiling mod_ssl with
|
|||
|
Apache, and for managing SSL certificates on the WebServer. Please download
|
|||
|
the OpenSSL source code gzipped file into /tmp/downloads
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.4. iPlanet LDAP Library
|
|||
|
|
|||
|
Download the iPlanet LDAP SDK from [http://wwws.sun.com/software/download/
|
|||
|
products/3ec28dbd.html] http://wwws.sun.com/software/download/products/
|
|||
|
3ec28dbd.html. We will use iPlanet LDAP SDK, because it includes libraries
|
|||
|
for ldaps:// (LDAP over SSL)
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.5. mod_auth_ldap
|
|||
|
|
|||
|
mod_auth_ldap will be used for compiling LDAP support into Apache. Please
|
|||
|
download mod_auth_ldap from [http://www.muquit.com/muquit/software/
|
|||
|
mod_auth_ldap/mod_auth_ldap_apache2.html] http://www.muquit.com/muquit/
|
|||
|
software/mod_auth_ldap/mod_auth_ldap_apache2.html
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.6. mySQL DB Engine
|
|||
|
|
|||
|
Download the appropriate mySQL build for your platform from [http://
|
|||
|
www.mysql.com/downloads/index.html] http://www.mysql.com/downloads/index.html
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.7. PHP
|
|||
|
|
|||
|
Download the PHP source code from [http://www.php.net/downloads.php] http://
|
|||
|
www.php.net/downloads.php
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3. Installation
|
|||
|
|
|||
|
First we hve take care of the few pre-requisites, and then we will get into
|
|||
|
the main installtion.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.1. Pre-requisites
|
|||
|
|
|||
|
The application server as we plan to install, requires the SSL libraries and
|
|||
|
LDAP libraries. SSL engine is also required for managing the SSL certs for
|
|||
|
Apache 2.x
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.1.1. iPlanet LDAP SDK
|
|||
|
|
|||
|
Become root by using the su command:
|
|||
|
$ su -
|
|||
|
|
|||
|
Create the /usr/local/iplanet-ldap-sdk.5 directory. Copy the
|
|||
|
ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar.gz form /tmp/downloads to /
|
|||
|
usr/local/iplanet-ldap-sdk.5 directory.
|
|||
|
# mkdir /usr/local/iplanet-ldap-sdk.5
|
|||
|
# cp /tmp/downloads/ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar /usr/local/iplanet-ldap-sdk.5
|
|||
|
# cd /usr/local/iplanet-ldap-sdk.5
|
|||
|
# tar -xvf ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar
|
|||
|
|
|||
|
Now you should have all the required iPlanet LDAP lib files in the correct
|
|||
|
directory
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.1.2. OpenSSL Engine
|
|||
|
|
|||
|
Next we need to install the OpenSSL Engine
|
|||
|
|
|||
|
OpenSSL is an open source implementation of the SSL/TLS protocol. It is
|
|||
|
required to create and manage SSL certificates on the webserver. The
|
|||
|
installion is also necessary for the lib files that will be used by the SSL
|
|||
|
module for apache.
|
|||
|
|
|||
|
Change to the directory where you placed the OpenSSL source code files
|
|||
|
# cd /tmp/download
|
|||
|
# gzip -d openssl.x.x.tar.gz
|
|||
|
# tar -xvf openssl.x.x.tar
|
|||
|
# cd openssl.x.x
|
|||
|
# make
|
|||
|
# make test
|
|||
|
# make install
|
|||
|
|
|||
|
Upon successful completion of the make install the openssl binaries should
|
|||
|
reside in /usr/local/ssl
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2. mySQL
|
|||
|
|
|||
|
Installaing mySQL is quite simple. The downloaded binaries have to be place
|
|||
|
in appropriate directory.
|
|||
|
|
|||
|
We start creating a user:group for mysql daemon, and copying the files to
|
|||
|
appropriate directories.
|
|||
|
# groupadd mysql
|
|||
|
# useradd -g mysql mysql
|
|||
|
# cd /usr/local
|
|||
|
# gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf -
|
|||
|
# ln -s full-path-to-mysql-VERSION-OS mysql
|
|||
|
|
|||
|
Next run the install_db script, and change permission on the files
|
|||
|
# cd mysql
|
|||
|
# scripts/mysql_install_db
|
|||
|
# chown -R mysql .
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2.1. Starting mySQL
|
|||
|
|
|||
|
Now start the mySQL server to verify the installation
|
|||
|
# bin/mysqld_safe --user=mysql &
|
|||
|
|
|||
|
Verify mySQL daemon is running, by using the ps -ef command. You should see
|
|||
|
the following output:
|
|||
|
# ps -ef | grep mysql
|
|||
|
root 3237 1 0 May29 ? 00:00:00 /bin/sh bin/safe_mysqld
|
|||
|
mysql 3256 3237 0 May29 ? 00:06:58 /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/downloa
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2.2. Stopping mySQL
|
|||
|
|
|||
|
To stop the MySQL server, follow the instructions below
|
|||
|
# cd /usr/local/mysql
|
|||
|
# ./bin/mysqladmin -u root -p shutdown
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2.3. Locating Data Directory
|
|||
|
|
|||
|
mySQL deamon stores all the information in a direcory called "Data
|
|||
|
Directory". If you followed the installation instructions above, your Data
|
|||
|
Directory should be located under /use/local/mysql/data.
|
|||
|
|
|||
|
To locate where your Data Directory is located, use the mysqladmin utility as
|
|||
|
follows:
|
|||
|
# /usr/local/mysql/bin/mysqladmin variables -u root --password={your_password} | grep datadir
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.3. Apache 2.0
|
|||
|
|
|||
|
Start by setting some FLAGS for the compiler
|
|||
|
# export LDFLAGS="-L/usr/local/iplanet-ldap-sdk.5/lib/ -R/usr/local/iplanet-ldap-sdk.5/lib/:/usr/local/lib"
|
|||
|
# export CPPFLAGS="-I/usr/local/iplanet-ldap-sdk.5/include"
|
|||
|
|
|||
|
Next UNTAR the apache 2.0 source files, and execute the configure script.
|
|||
|
# cd /tmp/download
|
|||
|
# gzip -d httpd-2.0.46.tar.gz
|
|||
|
# tar -xvf httpd-2.0.46.tar
|
|||
|
# cd httpd-2.0.46
|
|||
|
#./configure --enable-so --with-ssl --enable-ssl --enable-rewrite --enable-dav
|
|||
|
|
|||
|
Next run the make command
|
|||
|
# make
|
|||
|
# make install
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.3.1. Starting Apache
|
|||
|
|
|||
|
# /usr/local/apache2/bin/apachectl start
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.3.2. Stopping Apache
|
|||
|
|
|||
|
# /usr/local/apache2/bin/apachectl stop
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.4. mod_auth_ldap
|
|||
|
|
|||
|
Untar modauthldap_apache2.tar.gz
|
|||
|
cd /tmp/download
|
|||
|
# gzip -d modauthldap_apache2.tar.gz
|
|||
|
# tar -xvf modauthldap_apache2.tar
|
|||
|
# cd modauthldap_apache2
|
|||
|
|
|||
|
Now configure and install mod_auth_ldap
|
|||
|
# ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local/iplanet-ldap-sdk.5/
|
|||
|
# make
|
|||
|
# make install
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.5. CERT DB for LDAPS://
|
|||
|
|
|||
|
You will also need to get the cert7.db and key7.db from [http://
|
|||
|
www.xml-dev.com/xml/key3.db] http://www.xml-dev.com/xml/key3.db and [http://
|
|||
|
www.xml-dev.com/xml/cert7.db] http://www.xml-dev.com/xml/cert7.db and place
|
|||
|
it in the /usr/local/apache2/sslcert/directory.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.6. PHP
|
|||
|
|
|||
|
Unzip the PHP Source Files
|
|||
|
gzip -d php-xxx.tar.gz
|
|||
|
tar -xvf php-xxx.tar
|
|||
|
|
|||
|
Configure and run the make command
|
|||
|
cd php-xxx
|
|||
|
./configure --with-mysql --with-apxs=/usr/local/apache2/bin/apxs
|
|||
|
|
|||
|
Compile the source code
|
|||
|
# make
|
|||
|
# make install
|
|||
|
|
|||
|
Copy the php.ini file to the appropriate directory
|
|||
|
cp php.ini-dist /usr/local/lib/php.ini
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4. Configuring and Setting up the WebDAV services
|
|||
|
|
|||
|
Now for the easy part. In this section we will WebDAV enable a directory
|
|||
|
under Apache root.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.1. Modifications to the /usr/local/apache/conf/httpd.conf
|
|||
|
|
|||
|
Please verify that the following Apache directive appears in the /usr/local/
|
|||
|
apache/conf/httpd.conf :
|
|||
|
|
|||
|
Addmodule mod_dav.c
|
|||
|
|
|||
|
If it does not please add it. This directive informs Apache about DAV
|
|||
|
capability. The directive must be placed outside any container.
|
|||
|
|
|||
|
Next we must specify where Apache should store the DAVLockDB file. DAVLockDB
|
|||
|
is a lock database for the WebDAV. This directory should be writable by the
|
|||
|
httpd process.
|
|||
|
|
|||
|
I store the DAVLock file under /usr/local/apache/var. I use this directory
|
|||
|
for other purposes as well. Please add the following line to your /usr/local/
|
|||
|
apache/conf/httpd.conf to specify that the DAVLockDB file will be under /usr/
|
|||
|
local/apache/var :
|
|||
|
|
|||
|
DAVLockDB /usr/local/apache/var/DAVLock
|
|||
|
|
|||
|
The directive must be placed outside any container.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.2. Creating a directory for DAVLockDB
|
|||
|
|
|||
|
As mentioned above a directory must be created for DAVLockDB that can be
|
|||
|
written by the web server process. Usually web server process runs under the
|
|||
|
user 'nobody' . Please verify this for your system using the command:
|
|||
|
ps -ef | grep httpd
|
|||
|
Under /usr/local/apache create the directory and set the permissions on it
|
|||
|
using the following commands:
|
|||
|
|
|||
|
# cd /usr/local/apache
|
|||
|
# mkdir var
|
|||
|
# chmod -R 755 var/
|
|||
|
# chown -R nobody var/
|
|||
|
# chgrp -R nobody var/
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.3. Enabling DAV
|
|||
|
|
|||
|
Enabling DAV is a trivial task. To enable DAV for a directory under Apache
|
|||
|
root, just add the following directive in the container for that particular
|
|||
|
directory:
|
|||
|
|
|||
|
DAV On
|
|||
|
|
|||
|
This directive will enable DAV for the directory and its sub-directories.
|
|||
|
|
|||
|
The following is a sample configuration that will enable WebDAV and LDAP
|
|||
|
authentication on /usr/local/apache/htdocs/DAVtest. Place this in the /usr/
|
|||
|
local/apache/conf/httpd.conf file.
|
|||
|
DavLockDB /tmp/DavLock
|
|||
|
<Directory "/usr/local/apache2/htdocs/DAVtest">
|
|||
|
Options Indexes FollowSymLinks
|
|||
|
AllowOverride None
|
|||
|
order allow,deny
|
|||
|
allow from all
|
|||
|
AuthName "SMA Development server"
|
|||
|
AuthType Basic
|
|||
|
LDAP_Debug On
|
|||
|
#LDAP_Protocol_Version 3
|
|||
|
#LDAP_Deref NEVER
|
|||
|
#LDAP_StartTLS On
|
|||
|
LDAP_Server you.ldap.server.com
|
|||
|
#LDAP_Port 389
|
|||
|
# If SSL is on, must specify the LDAP SSL port, usually 636
|
|||
|
LDAP_Port 636
|
|||
|
LDAP_CertDbDir /usr/local/apache2/sslcert
|
|||
|
Base_DN "o=SDS"
|
|||
|
UID_Attr uid
|
|||
|
DAV On
|
|||
|
#require valid-user
|
|||
|
require valid-user
|
|||
|
#require roomnumber "123 Center Building"
|
|||
|
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
|
|||
|
#require group cn=rcs,ou=Groups
|
|||
|
</Directory>
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.4. Create a Directory called DAVtest
|
|||
|
|
|||
|
As mentioned in a earlier section, all DAV directories have to be writable by
|
|||
|
the WebServer process. In this example we assume WebServer is running under
|
|||
|
username 'nobody'. This is usually the case. To check httpd is running under
|
|||
|
what user, please use:
|
|||
|
# ps -ef | grep httpd
|
|||
|
|
|||
|
Create a test directory called 'DAVtest' under /usr/local/apache2/htdocs :
|
|||
|
|
|||
|
# mkdir /usr/local/apache/htdocs/DAVtest
|
|||
|
|
|||
|
Change the permissions on the directory to make it is read-writable by the
|
|||
|
httpd process. Assuming the httpd is running under username 'nobody', use the
|
|||
|
following commands:
|
|||
|
# cd /usr/local/apache/htdocs
|
|||
|
# chmod -R 755 DAVtest/
|
|||
|
# chown -R nobody DAVtest/
|
|||
|
# chgrp -R nobody DAVtest/
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.5. Restart Apache
|
|||
|
|
|||
|
Finally you must run the configuration test routine that comes with Apache to
|
|||
|
verify the syntax in httpd.conf :
|
|||
|
# /usr/local/apache/bin/apachectl configtest
|
|||
|
|
|||
|
If you get error messages please verify that you followed all of the above
|
|||
|
mentioned steps correctly. If you can not figure out the error message feel
|
|||
|
free to email me with the error message ([mailto:saqib@seagate.com]
|
|||
|
saqib@seagate.com).
|
|||
|
|
|||
|
If the configtest is successful start the apache web-server:
|
|||
|
|
|||
|
# /usr/local/apache/bin/apachectl restart
|
|||
|
|
|||
|
Now you have WebDAV enabled Apache Server with LDAP authentication and SSL
|
|||
|
encryption.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4.6. WebDAV server protocol compliance testing
|
|||
|
|
|||
|
It is very important that the WebDAV that we just implemented be fully
|
|||
|
complaint with the WebDAV-2 protocol. If it is not fully compatible, the
|
|||
|
client side WebDAV applications will not function properly.
|
|||
|
|
|||
|
To test the complaince we will use a tool called Litmus. Litmus is a WebDAV
|
|||
|
server protocol compliance test suite, which aims to test whether a server is
|
|||
|
compliant with the WebDAV protocol as specified in RFC2518.
|
|||
|
|
|||
|
Please download the Litmus source code from [http://www.webdav.org/neon/
|
|||
|
litmus/] http://www.webdav.org/neon/litmus/ and place it in the /tmp/
|
|||
|
downloads directory.
|
|||
|
|
|||
|
Then use gzip and tar to extract the files:
|
|||
|
# cd /tmp/downloads
|
|||
|
# gzip -d litmus-0.6.x.tar.gz
|
|||
|
# tar -xvf litmus-0.6.x.tar
|
|||
|
# cd litmus-0.6.x
|
|||
|
|
|||
|
Compiling and installing Litmus is easy:
|
|||
|
# ./configure
|
|||
|
# make
|
|||
|
# make install
|
|||
|
|
|||
|
make install will install the Litmus binary files under /usr/local/bin and
|
|||
|
the help files under /usr/local/man
|
|||
|
|
|||
|
To the test the complaince of the WebDAV server that you just installed,
|
|||
|
please use the following command
|
|||
|
# /usr/local/bin/litmus http://you.dav.server/DAVtest userid passwd
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5. WebDAV server management
|
|||
|
|
|||
|
In this section we will discuss about the various management task - e.g.
|
|||
|
using LDAP for access control, and working with DAV method on Apache
|
|||
|
|
|||
|
Most of the configuration changes for the DAV will have to done using the
|
|||
|
httpd.conf file. This file is located at /usr/local/apache/conf/httpd.conf
|
|||
|
|
|||
|
httpd.conf is a text based configuration file that Apache uses. It can b
|
|||
|
editted using any text editor - I preffer using vi. Please make backup copy
|
|||
|
of this file, before changing it.
|
|||
|
|
|||
|
After making changes to the httpd.conf the Apache server has to be restarted
|
|||
|
using the /usr/local/apache/bin/apachectl restart command. However before
|
|||
|
restarting you test for the validity of the httpd.conf by using the /usr/
|
|||
|
local/apache/bin/apachectl configtest comand.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5.1. Restricting access to DAV shares
|
|||
|
|
|||
|
In the previous section when we created the DAVtest share, we used the LDAP
|
|||
|
for authentication purposes. However anyone who can authenticates using their
|
|||
|
LDAP useri/passwd will be able to access that folder.
|
|||
|
|
|||
|
Using the require directive in the httpd.conf file, we can limit access to
|
|||
|
certain individuals or groups of individuals.
|
|||
|
|
|||
|
If we look at the DAVtest configuration from the previosu section:
|
|||
|
<Directory /usr/local/apache/htdocs/DAVtest>
|
|||
|
Dav On
|
|||
|
#Options Indexes FollowSymLinks
|
|||
|
|
|||
|
AllowOverride None
|
|||
|
order allow,deny
|
|||
|
allow from all
|
|||
|
AuthName "LDAP_userid_password_required"
|
|||
|
AuthType Basic
|
|||
|
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
|
|||
|
Require valid-user
|
|||
|
</Limit>
|
|||
|
LDAP_Server ldap.server.com
|
|||
|
LDAP_Port 389
|
|||
|
Base_DN "o=ROOT"
|
|||
|
|
|||
|
UID_Attr uid
|
|||
|
</Directory>
|
|||
|
We see that the require is set to valid-user. Which means any valid
|
|||
|
authenticated user has access to this folder.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5.1.1. Restricting access based on Individual UID(s)
|
|||
|
|
|||
|
LDAP UID can be used to restrict access to DAV folder.
|
|||
|
|
|||
|
require valid-user directive can be changed to require user 334455 445566
|
|||
|
|
|||
|
This will restrict access to individuals with UID 334455 and 445566. Anyone
|
|||
|
else will not be able to access this folder.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5.1.2. Restricting access based on groups of individuals.
|
|||
|
|
|||
|
require can also be used to restrict access to groups of individuals. This
|
|||
|
can be either done using LDAP groups or LDAP filters. The filter must be
|
|||
|
valid LDAP filter syntax.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5.2. Restricting write access to DAV shares
|
|||
|
|
|||
|
It maybe be required that the editting for the resources on the DAV shares be
|
|||
|
restricted to certain individual, however anyone can view the resources. This
|
|||
|
can be easily done using the <Limit> tags in the httpd.conf file
|
|||
|
|
|||
|
<Directory /usr/local/apache/htdocs/DAVtest>
|
|||
|
Dav On
|
|||
|
#Options Indexes FollowSymLinks
|
|||
|
|
|||
|
AllowOverride None
|
|||
|
order allow,deny
|
|||
|
allow from all
|
|||
|
AuthName "LDAP_userid_password_required"
|
|||
|
AuthType Basic
|
|||
|
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
|
|||
|
Require valid-user
|
|||
|
</Limit>
|
|||
|
LDAP_Server ldap.server.com
|
|||
|
LDAP_Port 389
|
|||
|
Base_DN "o=ROOT"
|
|||
|
|
|||
|
UID_Attr uid
|
|||
|
</Directory>
|
|||
|
|
|||
|
You restrict write access to certain individuals by changing the <limit> to
|
|||
|
<Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
|
|||
|
Require 334455
|
|||
|
</Limit>
|
|||
|
|
|||
|
Basically we are limiting the PUT POST DELETE PROPPATH MKCOL COPY MOVE LOCK
|
|||
|
and UNLOCK to an individual who has the UID of 334455. Everone else will be
|
|||
|
able to use the methods GET and PROPFIND on the resources, but not any other
|
|||
|
method.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6. Implementing and using SSL to secure HTTP traffic
|
|||
|
|
|||
|
Security of the data stored on a file server is very important these days.
|
|||
|
Compromised data can cost thousands of dollars to company. In the last
|
|||
|
section, we compiled LDAP authentication module into the Apache build to
|
|||
|
provide a Authentication mechanism. However HTTP traffic is very insecure,
|
|||
|
and all data is transferred in clear text - meaning, the LDAP authentication
|
|||
|
(userid/passwd) will be transmitted as clear text as well. This creates a
|
|||
|
problem. Anyone can sniff these userid/passwd and gain access to DAV store.
|
|||
|
To prevent this we have to encrypt HTTP traffic, essentially HTTP + SSL or
|
|||
|
HTTPS. Anything transferred over HTTPS is encrypted, so the LDAP userid/
|
|||
|
passwd can not be easily deciphered. HTTPS runs on port 443. The resulting
|
|||
|
build from the last section's compilation process will have Apache to listen
|
|||
|
to both port 80 (normal HTTP) and 443 (HTTPS). If you are just going to use
|
|||
|
this server for DAV, then I will highly suggest that you close port 80. In
|
|||
|
this section of the HOWTO I will provide some information regarding SSL and
|
|||
|
maintaining SSL on a Apache HTTP server.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.1. Introduction to SSL
|
|||
|
|
|||
|
SSL (Secure Socket Layer) is a protocol layer that exists between the
|
|||
|
Network Layer and Application layer. As the name suggest SSL provides a
|
|||
|
mechanism for encrypting all kinds of traffic - LDAP, POP, IMAP and most
|
|||
|
importantly HTTP.
|
|||
|
|
|||
|
The following is a over-simplified structure of the layers involved in SSL.
|
|||
|
+-------------------------------------------+
|
|||
|
| LDAP | HTTP | POP | IMAP |
|
|||
|
+-------------------------------------------+
|
|||
|
| SSL |
|
|||
|
+-------------------------------------------+
|
|||
|
| Network Layer |
|
|||
|
+-------------------------------------------+
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.1.1. Encryption algorithms used in SSL
|
|||
|
|
|||
|
There are three kinds of cryptographic techniques used in SSL:
|
|||
|
Public-Private Key, Symmetric Key, and Digital Signature.
|
|||
|
|
|||
|
Public-Private Key Crytography - Initiating SSL connection: In this
|
|||
|
algorithm, encryption and decryption is performed using a pair of private and
|
|||
|
public keys. The Web-server holds the private Key, and sends the Public key
|
|||
|
to the client in the Certificate.
|
|||
|
|
|||
|
1. The client request content from the Web Server using HTTPS.
|
|||
|
|
|||
|
2. The web server responds with a Digital Certificate which includes the
|
|||
|
server's public key.
|
|||
|
|
|||
|
3. The client checks to see if the certificate has expired.
|
|||
|
|
|||
|
4. Then the client checks if the Certificate Authority that signed the
|
|||
|
certificate, is a trusted authority listed in the browser. This explains
|
|||
|
why we need to get a certificate from a a trusted CA.
|
|||
|
|
|||
|
5. The client then checks to see if the Fully Qualified Domain Name (FQDN)
|
|||
|
of the web server matches the Comman Name (CN) on the certificate?
|
|||
|
|
|||
|
6. If everything is successful the SSL connection is initiated.
|
|||
|
|
|||
|
|
|||
|
Note Note:
|
|||
|
<EFBFBD> Anything encrypted with Private Key can only be decrypted by using the
|
|||
|
Public Key. Similarly anything encrypted using the Public Key can only
|
|||
|
be decrypted using the Private Key. There is a common mis-conception
|
|||
|
that only the Public Key is used for encryption and Private Key is used
|
|||
|
for decryption. This is not case. Any key can be used for encryption/
|
|||
|
decryption. However if one key is used for encryption then the other key
|
|||
|
must be used for decryption. e.g. A message can not encrypted and then
|
|||
|
decrypted using only the Public Key.
|
|||
|
|
|||
|
Using Private Key to encrypt and a Public Key to decrypt ensures the
|
|||
|
integrity of the sender (owner of the Private Key) to the recipients.
|
|||
|
Using Public Key to encrypt and a Private Key to decrypt ensures that
|
|||
|
only the inteded recipient (owner of the Private Key) will have access
|
|||
|
to the data.(i.e. only the person who holds the Private Key will be able
|
|||
|
to decipher the message).
|
|||
|
|
|||
|
Symmetric Cryptography - Actual transmission of data: After the SSL
|
|||
|
connection has been established, Symmetric cryptography is used for
|
|||
|
encrypting data as it uses less CPU cycles. In symmetric cryptography the
|
|||
|
data can be encrypted and decrypted using the same key. The Key for symmetric
|
|||
|
cryptography is exchanged during the initiation process, using Public Key
|
|||
|
Cryptography.
|
|||
|
|
|||
|
Message Digest The server uses message digest algoritm such as HMAC, SHA-1,
|
|||
|
MD5 to verify the integrity of the transferred data.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.1.2. Ensuring Authenticity and Integrity
|
|||
|
|
|||
|
Encryption Process
|
|||
|
Sender's Receiver's
|
|||
|
PrivateKey PublicKey
|
|||
|
,-. ,-.
|
|||
|
( ).......... ( )..........
|
|||
|
`-' ''''|'|'|| `-' ''''''''||
|
|||
|
| | |
|
|||
|
| | |
|
|||
|
.----------. | | .----------. | .----------.
|
|||
|
| | V | | | V | |
|
|||
|
|Clear Text|--------->|CipherText|--------->|CipherText|
|
|||
|
| | Step1 | 1 | Step2 | 2 |\
|
|||
|
`----------' | `----------' `----------' \ __
|
|||
|
| | \ [_'
|
|||
|
| | step5 \ |
|
|||
|
|Step3 | __ --|--
|
|||
|
| | _.--' |
|
|||
|
V | _..-'' / \
|
|||
|
.---------. | .---------. _..-'' Receiver
|
|||
|
| SHA 1 | V | Digital | _..-''
|
|||
|
|MsgDigest|--------->|Signature|' _
|
|||
|
`---------' Step4 `---------' _ (_)
|
|||
|
_____ ____ ____ ____ _ _ ____ _| |_ _ ___ ____
|
|||
|
| ___ | _ \ / ___)/ ___) | | | _ (_ _) |/ _ \| _ \
|
|||
|
| ____| | | ( (___| | | |_| | |_| || |_| | |_| | | | |
|
|||
|
|_____)_| |_|\____)_| \__ | __/ \__)_|\___/|_| |_|
|
|||
|
(____/|_|
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step1: In this step the Original "Clear Text" message is encrypted using
|
|||
|
the Sender's Private Key, which results in Cipher Text 1. This ensures
|
|||
|
the Authenticity of the sender.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step2: In this step the "CipherText 1" is encrypted using Receiver's
|
|||
|
Public Key resulting in "CipherText 2". This will ensure the Authenticity
|
|||
|
of the Receiver i.e. only the Receiver can decipher the Messsage using
|
|||
|
his Private Key.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step3: Here the SHA1 Message Digest of the "Clear Text" is created.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step4: SHA1 Message Digest is then encrypted using Sender's Private Key
|
|||
|
resulting in the Digital Signature of the "ClearText". This Digital
|
|||
|
Signature can be used by the receiver to ensure the Integrity of the
|
|||
|
message and authenticity of the Sender.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step5: The "Digital Signature" and the "CipherText 2" are then send to
|
|||
|
the Receiver.
|
|||
|
|
|||
|
|
|||
|
Decryption Process
|
|||
|
Receiver's Sender's
|
|||
|
PrivateKey PublicKey
|
|||
|
,-. ,-.
|
|||
|
( ).......... ( )..........
|
|||
|
`-' ''''''''|| `-' '''''''|||
|
|||
|
| | |
|
|||
|
| | |
|
|||
|
.----------. | .----------. | | .----------.
|
|||
|
| | V | | V | | | .---#1----.
|
|||
|
|CipherText|--------->|CipherText|--------->|ClearText |------>| SHA 1 |
|
|||
|
| 2 | Step1 | 1 | Step2 | | | Step3 |MsgDigest|
|
|||
|
`----------' `----------' | `----------' `---------'
|
|||
|
| ||
|
|||
|
| ||Step5
|
|||
|
| ||
|
|||
|
| ||
|
|||
|
.---------. | .---------.
|
|||
|
| Digital | V | SHA 1 |
|
|||
|
|Signature|---------------------->|MsgDigest|
|
|||
|
_ `---------' Step4 _ `---#2----'
|
|||
|
| | _ (_)
|
|||
|
__| |_____ ____ ____ _ _ ____ _| |_ _ ___ ____
|
|||
|
/ _ | ___ |/ ___)/ ___) | | | _ (_ _) |/ _ \| _ \
|
|||
|
( (_| | ____( (___| | | |_| | |_| || |_| | |_| | | | |
|
|||
|
\____|_____)\____)_| \__ | __/ \__)_|\___/|_| |_|
|
|||
|
(____/|_|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step1: In this step the "CipherText 2" message is decrypted using the
|
|||
|
Receiver's Private Key, which results in Cipher Text 1.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step2: In this step the "CipherText 1" is decrypted using Sender's Public
|
|||
|
Key resulting in "ClearText".
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step3: Here the SHA1 Message Digest of the "Clear Text" is created.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step4: The "Digital Signature" is then decrypted using Sender's Public
|
|||
|
Key, resulting the "SHA 1 MSG Digest".
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Step5: The "SHA1 MsgDigest #1" is then compared against "SHA1 MsgDigest #
|
|||
|
2". If they are equal, the data was not modified during transmission, and
|
|||
|
the integrity of the Original "Clear Text" has been maintained
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
6.2. Test Certificates
|
|||
|
|
|||
|
While compiling Apache we created a test certificate. We used the makefile
|
|||
|
provided by mod_ssl to create this custom Certificate. We used the command:
|
|||
|
# make certificate TYPE=custom
|
|||
|
|
|||
|
This certificate can be used for testing purposes.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.3. Certificates for Production use
|
|||
|
|
|||
|
For production use you will need a certificate from a Certificate Authority
|
|||
|
(hereafter CA). Certificate Authorities are certificate vendors, who are
|
|||
|
listed as a Trusted CA in the user's browser. As mentioned in the Encryption
|
|||
|
Algorithms section, if the CA is not listed as a trusted authority, your user
|
|||
|
will get a warning message when trying to connect to a secure location.
|
|||
|
|
|||
|
Similarly the test certificates will also cause a warning message to appear
|
|||
|
on the user's browser.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.4. How to generate a CSR
|
|||
|
|
|||
|
CSR or Certificate Signing Request must be sent to the trusted CA for
|
|||
|
signing. This section discusses howto create a CSR, and send it to the CA of
|
|||
|
your choice. # openssl req command can be used to a CSR as follows:
|
|||
|
# cd /usr/local/apache/conf/
|
|||
|
# /usr/local/ssl/bin/openssl req -new -nodes -keyout private.key -out public.csr
|
|||
|
Generating a 1024 bit RSA private key
|
|||
|
............++++++
|
|||
|
....++++++
|
|||
|
writing new private key to 'private.key'
|
|||
|
-----
|
|||
|
You are about to be asked to enter information that will be incorporated
|
|||
|
into your certificate request.
|
|||
|
What you are about to enter is what is called a Distinguished Name or a DN.
|
|||
|
There are quite a few fields but you can leave some blank
|
|||
|
For some fields there will be a default value,
|
|||
|
If you enter '.', the field will be left blank.
|
|||
|
-----
|
|||
|
Country Name (2 letter code) [AU]:US
|
|||
|
State or Province Name (full name) [Some-State]:California
|
|||
|
Locality Name (eg, city) []:San Jose
|
|||
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Seagate
|
|||
|
Organizational Unit Name (eg, section) []:Global Client Server
|
|||
|
Common Name (eg, YOUR name) []:xml.seagate.com
|
|||
|
Email Address []:saqib@seagate.com
|
|||
|
|
|||
|
Please enter the following 'extra' attributes
|
|||
|
to be sent with your certificate request
|
|||
|
A challenge password []:badpassword
|
|||
|
An optional company name []:
|
|||
|
|
|||
|
|
|||
|
Note "PRNG not seeded"
|
|||
|
<EFBFBD> If you do not have /dev/random on your system you will get a "PRNG not seeded" error message. In that
|
|||
|
case you can use the following command:
|
|||
|
# /usr/local/ssl/bin/openssl req -rand some_file.ext -new -nodes -keyout private.key -out public.csr
|
|||
|
|
|||
|
Replace some_file.ext with the name of a existing file on your file system. Any file can be specified.
|
|||
|
Openssl will use that file to generate the seed
|
|||
|
|
|||
|
Solaris 9 comes with /dev/random. However on Solaris you might have to install the [http://
|
|||
|
sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438] 112438 patch to get the /dev/random
|
|||
|
|
|||
|
At this point you will be asked several questions about your server to
|
|||
|
generate the Certificate Singning Request
|
|||
|
|
|||
|
Note: Your Common Name (CN) is the Fully Qualified DNS (FQDN) name of your
|
|||
|
webserver e.g. dav.server.com . If you put in anything else, it will NOT
|
|||
|
work. Remember the password that you use, for future reference.
|
|||
|
|
|||
|
Once the process is complete, you will have private.key and a public.csr .
|
|||
|
You will need to submit the public.csr to the Certification Authority. At
|
|||
|
this pointe the public.key is not encrypted. To encrypt:
|
|||
|
# mv private.key private.key.unecrpyted
|
|||
|
# /usr/local/ssl/bin/openssl rsa -in private.key.unecrpyted -des3 -out private.key
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.5. Installing Server Private Key, and Server Certificate
|
|||
|
|
|||
|
Once the Certification Authority processes your request, they will send an
|
|||
|
encoded certificate (Digital Certificate) back to you. The Digital
|
|||
|
Certificate is in the format defined by X.509 v3. The following shows the
|
|||
|
structure of a typical X509 v3 Digital Certificate
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Certificate
|
|||
|
|
|||
|
<20><>+<2B>Version
|
|||
|
|
|||
|
<20><>+<2B>Serial Number
|
|||
|
|
|||
|
<20><>+<2B>Algorithm ID
|
|||
|
|
|||
|
<20><>+<2B>Issuer
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Validity
|
|||
|
|
|||
|
<20><>+<2B>
|
|||
|
<20><>o<EFBFBD>Not Before
|
|||
|
|
|||
|
<20><>o<EFBFBD>Not After
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Subject
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Subject Public Key Info
|
|||
|
|
|||
|
<20><>+<2B>
|
|||
|
<20><>o<EFBFBD>Public Key Algorithm
|
|||
|
|
|||
|
<20><>o<EFBFBD>RSA Public Key
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Extensions
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Certificate Signature Algorithm
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Certificate Signature
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
6.5.1. Verifying a Digital Certificate
|
|||
|
|
|||
|
To verify a X.509 Certificate use the following command
|
|||
|
# openssl verify server.crt
|
|||
|
server.crt: OK
|
|||
|
|
|||
|
Where server.crt is the name of the file that contains the Digital
|
|||
|
Certificate
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.5.2. Viewing the contents of a Digital Certificate
|
|||
|
|
|||
|
The contents of a Digital Certificate can be viewed by using the # openssl
|
|||
|
x509 command as follows:
|
|||
|
# openssl x509 -text -in server.crt
|
|||
|
Certificate:
|
|||
|
Data:
|
|||
|
Version: 3 (0x2)
|
|||
|
Serial Number: 312312312 (0x0)
|
|||
|
Signature Algorithm: md5WithRSAEncryption
|
|||
|
Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
|
|||
|
Validity
|
|||
|
Not Before: Feb 8 03:25:50 2000 GMT
|
|||
|
Not After : Feb 8 03:25:50 2001 GMT
|
|||
|
Subject: C=US, ST=New York, L=Pelham, O=xml-dev, OU=web, CN=www.xml-dev.com/Email=saqib@xml-dev.com
|
|||
|
Subject Public Key Info:
|
|||
|
Public Key Algorithm: rsaEncryption
|
|||
|
RSA Public Key: (1024 bit)
|
|||
|
Modulus (1024 bit):
|
|||
|
............
|
|||
|
............
|
|||
|
Exponent: 65537 (0x10001)
|
|||
|
Signature Algorithm: md5WithRSAEncryption
|
|||
|
............
|
|||
|
............
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.5.3. Modifying the httpd.conf to Install the Certificates
|
|||
|
|
|||
|
You will need to place this certificate on the server, and tell Apache where
|
|||
|
to find it.
|
|||
|
|
|||
|
For this example, the Private Key is placed in the /usr/local/apache2/conf/
|
|||
|
ssl.key/ directory, and the Sever Certificate is placed in the /usr/local/
|
|||
|
apache2/conf/ssl.crt/.
|
|||
|
|
|||
|
Copy the file received from the Certification to a file called server.crt in
|
|||
|
the /usr/local/apache2/conf/ssl.crt/.
|
|||
|
|
|||
|
And place the private.key generated in the previous step in the /usr/local/
|
|||
|
apache2/conf/ssl.key/
|
|||
|
|
|||
|
Then modify the /usr/local/apache2/conf/ssl.conf to point to the correct
|
|||
|
Private Key and Server Certificate files:
|
|||
|
# Server Certificate:
|
|||
|
# Point SSLCertificateFile at a PEM encoded certificate. If
|
|||
|
# the certificate is encrypted, then you will be prompted for a
|
|||
|
# pass phrase. Note that a kill -HUP will prompt again. Keep
|
|||
|
# in mind that if you have both an RSA and a DSA certificate you
|
|||
|
# can configure both in parallel (to also allow the use of DSA
|
|||
|
# ciphers, etc.)
|
|||
|
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
|
|||
|
#SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt
|
|||
|
|
|||
|
# Server Private Key:
|
|||
|
# If the key is not combined with the certificate, use this
|
|||
|
# directive to point at the key file. Keep in mind that if
|
|||
|
# you've both a RSA and a DSA private key you can configure
|
|||
|
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
|||
|
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/private.key
|
|||
|
#SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.6. Removing passphrase from the RSA Private Key
|
|||
|
|
|||
|
RSA Private Key stored on the webserver is usually encrypted, and you need a
|
|||
|
passphrase to parse the file. That is why you are prompted for a passphrase
|
|||
|
when start Apache with modssl:
|
|||
|
|
|||
|
|
|||
|
# apachectl startssl
|
|||
|
Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)
|
|||
|
Some of your private key files are encrypted for security reasons.
|
|||
|
In order to read them you have to provide us with the pass phrases.
|
|||
|
Server your.server.dom:443 (RSA)
|
|||
|
Enter pass phrase:
|
|||
|
|
|||
|
Encrypting the RSA Private Key is very important. If a cracker gets hold of
|
|||
|
your "Unencrypted RSA Private Key" he/she can easily impersonate your
|
|||
|
webserver. If the Key is encrypted, the cracker can not do anything without
|
|||
|
brute forcing the passphrase. Use of a strong (ie: long) passphrase is
|
|||
|
encouraged.
|
|||
|
|
|||
|
However encrypting the Key can sometimes be nuisance, since you will be
|
|||
|
prompted for a passphrase everytime you start the web-server. Especially if
|
|||
|
you are using rc scripts to start the webserver at boot time. The prompt for
|
|||
|
a passphrase will stop the boot process, waiting for your input.
|
|||
|
|
|||
|
You can get rid of the passphrase prompt easily by decrypting the Key.
|
|||
|
However make sure that no one can hold of this Key. I would recommend
|
|||
|
Hardening and Securing guidelines be followed before decrypting the Key on
|
|||
|
the webserver.
|
|||
|
|
|||
|
To decrypt the Key:
|
|||
|
|
|||
|
First make a copy of the encrypted key
|
|||
|
|
|||
|
# cp server.key server.key.cryp
|
|||
|
|
|||
|
Then re-write the key with encryption. You will be prompted for the original
|
|||
|
encrypted Key passphrase
|
|||
|
|
|||
|
# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key
|
|||
|
read RSA key
|
|||
|
Enter PEM pass phrase:
|
|||
|
writing RSA key
|
|||
|
|
|||
|
One way to secure the decrypted Private Key is to make readable only by the
|
|||
|
root:
|
|||
|
# chmod 400 server.key
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.7. SSL Performance Tuning
|
|||
|
|
|||
|
6.7.1. Inter Process SSL Session Cache
|
|||
|
|
|||
|
Apache uses a multi-process model, in which all the request are NOT handled
|
|||
|
by the same process. This causes the SSL Session Information to be lost when
|
|||
|
a Client makes multiple requests. Multiple SSL HandShakes causes lot of
|
|||
|
overhead on the webserver and the client. To avoid this, SSL Session
|
|||
|
Information must be stored in a inter-process Session Cache, allowing all the
|
|||
|
processes to have access to to handshake information. SSLSessionCache
|
|||
|
Directive the in /usr/local/apache2/conf/ssl.conf file can be used to specify
|
|||
|
the location of the SSL Session Cache:
|
|||
|
SSLSessionCache shmht:logs/ssl_scache(512000)
|
|||
|
#SSLSessionCache shmcb:logs/ssl_scache(512000)
|
|||
|
#SSLSessionCache dbm:logs/ssl_scache
|
|||
|
SSLSessionCacheTimeout 300
|
|||
|
|
|||
|
Using dbm:logs/ssl_scache creates the Cache as DBM hashfile on the local
|
|||
|
disk.
|
|||
|
|
|||
|
Using shmht:logs/ssl_scache(512000) creates the Cache in Shared Memory
|
|||
|
Segment
|
|||
|
|
|||
|
Note shmht vs shmcb
|
|||
|
<EFBFBD> shmht: uses a Hash Table to Cache the SSL HandShake Information in the
|
|||
|
Shared Memory
|
|||
|
|
|||
|
shmht: uses a Cyclic Buffer to Cache the SSL HandShake Informationin the
|
|||
|
Shared Memory
|
|||
|
|
|||
|
Note Note:
|
|||
|
<EFBFBD> Not all platforms/OS support creation of Hash table in the Shared
|
|||
|
Memory. So dbm:logs/ssl_scache must be used instead
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
6.7.2. Verifying SSLSession Cache
|
|||
|
|
|||
|
To verify if the SSLSessionCache is working properly, you can use the openssl
|
|||
|
utility with the -reconnect as follows:
|
|||
|
# openssl s_client -connect your.server.dom:443 -state -reconnect
|
|||
|
|
|||
|
CONNECTED(00000003)
|
|||
|
.......
|
|||
|
.......
|
|||
|
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
|
|||
|
SSL-Session:
|
|||
|
.....
|
|||
|
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
|
|||
|
SSL-Session:
|
|||
|
.....
|
|||
|
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
|
|||
|
SSL-Session:
|
|||
|
.....
|
|||
|
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
|
|||
|
SSL-Session:
|
|||
|
.....
|
|||
|
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
|
|||
|
SSL-Session:
|
|||
|
.....
|
|||
|
|
|||
|
-reconnect forces the s_client to connect to the server 5 times using the
|
|||
|
same SSL session ID. You should see 5 attempts of Reusing the same Session-ID
|
|||
|
as shown above.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
A. HTTP/HTTPS Benchmarking tools
|
|||
|
|
|||
|
The following is a list of some of the OpenSource BenchMarking tools for
|
|||
|
WebServers
|
|||
|
|
|||
|
i. [http://distcache.sourceforge.net/] SSLswamp - For stress-testing/
|
|||
|
benchmarking connction to a SSL enable server
|
|||
|
|
|||
|
ii. [http://www.hpl.hp.com/personal/David_Mosberger/httperf.html] HTTPERF - A
|
|||
|
Tool for Measuring Web Server Performance
|
|||
|
|
|||
|
iii. [http://httpd.apache.org/docs-2.1/en/programs/ab.html] ab - Apache HTTP
|
|||
|
server benchmarking tool
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
B. Hardware based SSL encryption solutions
|
|||
|
|
|||
|
The following is a Hardware Based SSL encryption solution available:
|
|||
|
|
|||
|
i. [http://www.ncipher.com] CHIL (Cryptographic Hardware Interface Library)
|
|||
|
by nCipher
|
|||
|
|
|||
|
ii. [http://httpd.apache.org/docs-2.1/en/programs/ab.html] ab - Apache HTTP
|
|||
|
server benchmarking tool
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
C. Certificate Authorities
|
|||
|
|
|||
|
The following is list of Certificate Authorities that are trusted by the
|
|||
|
various browsers:
|
|||
|
|
|||
|
i. [http://www.baltimore.com/] Baltimore
|
|||
|
|
|||
|
ii. [http://www.entrust.com/] Entrust
|
|||
|
|
|||
|
iii. [http://www.globalsign.net/] GeoTrust
|
|||
|
|
|||
|
iv. [http://www.thawte.com] Thawte
|
|||
|
|
|||
|
v. [http://www.trustcenter.de/] TrustCenter
|
|||
|
|
|||
|
|
|||
|
Glossary of PKI Terms
|
|||
|
|
|||
|
A
|
|||
|
|
|||
|
Asymmetric Cryptography
|
|||
|
In this Cryptography a Key Pair - Private and Public Key is used. Private
|
|||
|
Key is kept secret and the Public Key is Widely distributed.
|
|||
|
|
|||
|
|
|||
|
C
|
|||
|
|
|||
|
Certificate
|
|||
|
A Data Record that contains the information as defined in the X.509
|
|||
|
Format.
|
|||
|
|
|||
|
Certificate Authority (CA) (CA)
|
|||
|
Issuer of the Digital Certificate. Also validates the Identity of the
|
|||
|
End-Entity that posseses the Digital Certificate.
|
|||
|
|
|||
|
Certificate Signing Request (CSR) (CSR)
|
|||
|
Certificate Signing Request (CSR) is what you send to a Certifiate
|
|||
|
Authority (CA) to get enrolled. A CSR contains the Public Key of the
|
|||
|
End-Entity that is a requesting the Digital Certificate.
|
|||
|
|
|||
|
Common Name (CN) (CN)
|
|||
|
Common Name is the name of the End-Entity e.g. Saqib Ali. If the
|
|||
|
End-Entity is a WebServer the CN is the Fully Qualified Domain Name
|
|||
|
(FQDN) of the WebServer
|
|||
|
|
|||
|
|
|||
|
D
|
|||
|
|
|||
|
Digital Certificate
|
|||
|
A certificate that binds a Public Key to a Subject (end-entity). This
|
|||
|
certificate also contains other indentifying information about the
|
|||
|
subject as defined in the X.509 Format. It is signed by Issuing CA, using
|
|||
|
CA's pivate key. e.g. of a digital certificate
|
|||
|
|
|||
|
Digital Signature
|
|||
|
A Digital Signature is created by signing the Message Digest (Message
|
|||
|
Hash) using the Private Key. It ensures the Identity of the Sender, and
|
|||
|
the Integrity of the Data.
|
|||
|
|
|||
|
|
|||
|
E
|
|||
|
|
|||
|
End-Entity
|
|||
|
An entity that participates in the PKI. Usually a Server, Service,
|
|||
|
Router, or a Person. A CA is not a End-Entity. An RA is an End-Entity to
|
|||
|
the CA
|
|||
|
|
|||
|
|
|||
|
H
|
|||
|
|
|||
|
Hash
|
|||
|
A hash is Hexadecimal number generated from a string of text such that,
|
|||
|
no two different strings can produce the same hash.
|
|||
|
|
|||
|
HMAC: Keyed Hashing for Message Authentication (HMAC)
|
|||
|
HMAC is an implementation of Message Authentication Code Algorithm.
|
|||
|
|
|||
|
|
|||
|
M
|
|||
|
|
|||
|
Message Authentication Code (MAC)
|
|||
|
Similar to a Message Digest (Hash/Fingerprint), except the Shared Secret
|
|||
|
Key is used in the process of calculating the Hash. Since a shared secret
|
|||
|
key is used, an attacker can not change the Message Digest. However the
|
|||
|
shared secret key has to be first communicated to the participating
|
|||
|
entities, unlike Digital Signature where Message Digest is signed using
|
|||
|
the Private Key. HMAC is an example of a Message Authentication Code
|
|||
|
Algorithm.
|
|||
|
|
|||
|
Message Digest 5 - MD5 (MD5)
|
|||
|
Message Digest 5 (MD5) is a 128-bit one-way hash function
|
|||
|
|
|||
|
|
|||
|
P
|
|||
|
|
|||
|
Private Key
|
|||
|
Private Key is the Key in Asymmetric Cryptography that is kept secret by
|
|||
|
the owner (End-Entity). Can be used for encryption or decryption
|
|||
|
|
|||
|
Public Key
|
|||
|
Public Key is the Key in Asymmetric Cryptography that is widely
|
|||
|
distributed. Can be used for encryption or decryption
|
|||
|
|
|||
|
Public Key Infrastructure (PKI) (PKI)
|
|||
|
Public Key Infrastructure
|
|||
|
|
|||
|
|
|||
|
S
|
|||
|
|
|||
|
SHA-1: Secure Hash Algorithm (MD5)
|
|||
|
Secure Hash Algorithm (SHA-1) is a 160-bit one-way hash function. Maximum
|
|||
|
message is 2^64 bits.
|
|||
|
|
|||
|
Secure Socket Layer (SSL) (SSL)
|
|||
|
Secure Socket Layer (SSL) is a security protocol that provides
|
|||
|
authentication (Digital Certificate), confidentiality (encryption), and
|
|||
|
data integrity (Message Digest - MD5, SHA etc).
|
|||
|
|
|||
|
Symmetric Cryptography
|
|||
|
In this cryptography the message the encrypted and decrypted by the same
|
|||
|
key. (((n^2-n))/2) keys are required for n users who want to participate
|
|||
|
in this system of cryptography.
|
|||
|
|
|||
|
|