Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

Transcription

1 Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate Brent Wagner, Seeds of Genius October 2007 Edition: 1.0 October 2007

2 All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Seeds of Genius and its licensors, if any

3 Abstract: This paper assumes the following: 1. You have an instance of Sun Java System Web Server The machine has a static IP. 3. You have root access to install and configure the software. 4. All steps are presented in the form of examples with the assumption that you will replace environment specific parameters such as myserver, mydomain.com, password, and any other fields with the appropriate values for your environment. Generate your own Certificate Authority (CA) 1. From Paul Bramscher ( Some steps in this document require privileged access, and you'll want to limit access to the certs to all but the root user. So you should su to root and create a working directory that only root has read/write access to (for example: mkdir certwork, chmod 600 certwork). Go to that directory. In this step you'll take the place of VeriSign, Thawte, etc. You'll first build the CA key, and then build the certificate itself. The Common Name (CN) of the CA and the Server certificates should not match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In Step #2 below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical. CA: Common Name (CN): CA Organization (O): Somesite Organizational Unit (OU): Development Server: Common Name (CN): Organization (O): Somesite Organizational Unit (OU): Development If you don't have a fully qualified domain name, you should use the IP that you'll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA's CN from the Server's CN. 2. # cd /<path to store CA key and certificate> # openssl genrsa -des3 -out ca.key 4096 # openssl req -new -x509 -days 365 -key ca.key -out ca.crt - 3 -

4 Create a Trust Database for your Web Server 1. Login to Web Server console at 2. Click manage for the target instance 3. Click security tab 4. Click create database link 5. Enter a password for the database Create Server Certificate Signing Request (csr) 1. Click on Request a certificate link under security tab within instance administration console for Web Server. 2. Enter a CA address. The server will send your request to this address. 3. Enter the password you used to create the Trust Database in Step II.5 for the Key Pair File Password. 4. Fill in rest of the form with your personal information. 5. For Common name field, enter the host name of the server. 6. For State, make sure spell out the full state name. Do not use abbreviation. 7. The certificate request will be ed to the address entered and a copy will be saved in /tmp as stated in the popup dialog. Locate this file and move it to a safe place while renaming it to server.csr. 8. # mv /tmp/<filename given in Step 7> /<path to certificates directory>/server.csr Sign the Certificate Signing Request (csr) with the self-created Certificate Authority (CA) 1. From Paul Bramscher ( Note that 365 days is used here. After a year you'll need to do this again. Note also that I set the serial number of the signed server certificate to "01". Each time you do this, especially if you do this before a previously-signed certificate expires, you'll need to change the serial key to something else -- otherwise everyone who's visited your site with a cached version of your certificate will get a browser warning message to the effect that your certificate signing authority has screwed up -- they've signed a new key/request, but kept the old serial number. There are a couple ways to rectify that. crl's (certificate revocation list) is one method, but beyond the scope of the document. Another method is for all clients who have stored the CA certificate to go into their settings and delete the old one manually. But for the purposes of this document, we'll just avoid the problem. (If you're a sysadmin of a production system and your server. key is compromised, you'll certainly need to worry.) - 4 -

5 The command below does a number of things. It takes your signing request (csr) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign. We set the serial number to 01, and output the signed key in the file named server.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), you might want to use 02 for the next serial number, and so on. You might create some scheme to make the serial number more "official" in appearance or makeup but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself. 2. # openssl x509 -req -days 365 -in <path to server.csr> -CA <path to ca.crt from Step I.2> -CAkey <path to ca.key from Step I.2> - set_serial 01 -out <path to store newly signed server.crt certificate> 3. To examine the components if you're curious: a. # openssl rsa -noout -text -in server.key b. # openssl req -noout -text -in server.csr c. # openssl rsa -noout -text -in ca.key d. # openssl x509 -noout -text -in ca.crt Install the certificate in Sun Java Web Server 1. Login to Web Server s admin console. 2. Choose to manage the correct instance that the cert was created for and click manage. 3. Click Security tab. 4. Click Install Certificate. 5. Enter password for the cert database for Key Pair File Password field. 6. Choose Message text (with headers). 7. Use cat to read the contents of the signed Server Certificate. 8. # cat server.crt 9. Copy and past the text of the certificate into the text box. Make sure you include the text that says -----BEGIN CERTIFICATE----- and -----END CERTIFICATE Click OK. 11. Click Add Server Certificate button. 12. You will see a pop-up warning window telling you the change will require a sever restart. Click OK. 13. You should see a pop-up success window. Click OK. Enable SSL by Adding a Listening Socket 1. Click Add Listen Socket under Preference tab in instance administration console. 2. Enter 443 for Port field. 3. Change Security field to Enabled. 4. Click OK - 5 -

6 5. You should see a pop-up window telling you to apply changes. 6. Click Apply link on the upper right corner. 7. Click Apply Changes. 8. Type Trust Database password from Step II.5 into Module internal field before clicking the Sever On button. 9. Test the SSL-enabled Web Server by navigating to the page 10.Your browser should ask whether to accept the certificate provided by the server. OPTIONAL STEP: Create Plain-Text Password File to Allow Unattended Restarts 1. Create the file password.conf in the config directory of the web server. For example: /opt/sunwwbsvr/https-secure- WebServer/config/password.conf 2. The syntax of the file is: internal:<password> a. This will let the system start the webserver from the command line without entering in the password. /etc/init.d/webserv01 start (all webservers) or /opt/sunwwbsvr/https-secure-webserver/start (just this one webserver) b. If you try to use the web based interface to start the server you still need to enter in the password. 3. Modify the permissions of the password.conf file so that it is readable only by root a. # chmod 400 password.conf Credits: OpenSSL steps from Paul Bramscher ( Sun Web Server Trust Database steps from Dave ( If you need any help please contact the Seeds of Genius support center at support@seedsofgenius.com