Securing the OpenAdmin Tool for Informix web server with HTTPS

Transcription

1 Securing the OpenAdmin Tool for Informix web server with HTTPS Introduction You can use HTTPS to protect the IBM OpenAdmin Tool (OAT) for Informix web server from eavesdropping, tampering, and message forgery. HTTPS can protect the OAT web server from hackers who are trying to listen in or to interfere with the OAT network. When HTTPS is enabled, messages from OAT clients are encrypted before they are sent to the OAT web server. Encryption prevents hackers from listening over the line and stealing sensitive information. When HTTPS is enabled, OAT clients can also authenticate with the OAT host, so that hackers cannot deceive OAT clients with fake OAT web servers. Note that HTTPS only encrypts communication between the OAT web server and the OAT client. HTTPS does not encrypt communication between the Informix database server and the OAT web server. You can enable HTTPS in OAT by completing the following steps: 1. Replace the OAT Apache web server with a mod_ssl enabled Apache web server. 2. Create an encryption key and a certificate for the new OAT web server so that OAT clients can authenticate to the web server based on the certificate. 3. Configure the Apache configuration file httpd.conf to enable HTTPS. Replace the OAT Apache web server with a mod_ssl enabled Apache Web server To use HTTPS, OAT requires an Apache web server with the Apache mod_ssl module enabled, and PHP with some required extensions. When OAT is installed with the IBM Informix Client Software Development Kit, an Apache web server and PHP with the required extensions are installed. However, the OAT Apache web server does not include the Apache mod_ssl module. Therefore, an Apache web server compiled with the mod_ssl module must be installed to replace the OAT Apache web server. Then the OAT PHP-Apache handler can be dynamically loaded to the new Apache web server. The handler, libphp5.so or php5apache2_2.dll on Windows, is the Apache and PHP glue. On Linux To compile Apache with mod_ssl support, OpenSSL must be installed.

2 If OpenSSL is installed on your Linux distribution already, you only need to determine the installation directory. Note that the OpenSSL binaries must architecturally match the OAT and Apache binaries. For example, if you installed a 32-bit version of OAT, you need the 32-bit OpenSSL binaries. If OpenSSL is not installed already, you can download the latest source code release from Then compile the OpenSSL source code. Note that if you compile 32-bit OpenSSL binaries on a 64-bit operating system, set the CFLAGS environment variable to m32 and use setarch i386./config m32 instead of just./config. Use the following commands to compile OpenSSL: cd /path/to/openssl/source/code./config --prefix=/openssl/installdirectory/ -- openssldir=/openssl/installdirectory/ make make install Stop the OAT Apache web server by running the /oat/installation/directory/stopapache script. Rename the OAT Apache_ directory to Apache_2.2.16_noSSL, to create a backup copy of the Apache binaries. You will use some configuration files from this backup Apache directory in later steps. Next, compile the latest Apache with mod_ssl support. Download the latest Apache source code from For this article, I am using Apache However, it is a best practice to download and use the latest Apache version available and substitute any references to in this article with the version of Apache that you are using. Compile Apache with the following commands. The compilation prefix indicates where Apache will be installed on your system, so for Apache version , I ll be using /oat/installation/directory/apache_2.2.22/. Also note that if you are compiling 32-bit Apache binaries on a 64-bit operating system, first set the CFLAGS environment variable to m32. cd /path/to/apache/source/code./configure --prefix=/oat/installation/directory/apache_2.2.22/ -- enable-so --with-included-apr --enable-ssl --withssl=/openssl/installation/directory/bin/openssl make make install Now Apache should be installed with mod_ssl support. Use the following commands to check whether mod_ssl is enabled in Apache. cd /oat/installation/directory/apache_2.2.22/bin/./httpd M

3 This command shows you a list of Apache modules. Ensure that the SSL module is on the list. The next step is to change the Apache configuration file to load the OAT PHP Apache handler, which is the PHP and Apache glue. Edit the Apache configuration file, /oat/installation/directory/apache_2.2.22/conf/httpd.conf, to add the following lines, or to uncomment the lines if they are commented out. LoadModule php5_module /oat/installation/directory/php_5.3.6/libphp5.so AddType application/x-httpd-php.php PhpIniDir /oat/installation/directory/php_5.3.6/lib Setenv INFORMIXDIR /csdk/installation/directory/ In the httpd.conf file, search for this line: Listen 80. This line indicates the port number for the OAT web server. Use the same port number as the original OAT Apache web server that came with the OAT installation. In the httpd.conf file, search for this line: ServerName This line indicates the name and the port that the server uses to identify itself. Use the same ServerName as the original non-ssl Apache web server that came with the OAT installation. In the httpd.conf file, search for this line: DirectoryIndex index.html. This line sets the files that Apache serves if a directory is requested. Change this line to: DirectoryIndex index.html index.php Copy the file /oat/installation/directory/apache_2.2.16_nossl/bin/envvars to /oat/installation/directory/apache_2.2.22/bin/envvars. Edit the envars file and replace all instances of Apache_ with Apache_ (your new Apache directory name). Apache reads this file to set up the Apache environment variables for OAT to run. Edit the /oat/installation/directory/startapache and /oat/installation/directory/stopapache scripts. Replace all instances of Apache_ with Apache_ (your new Apache directory name). Copy the entire directory /oat/installation/directory/apache_2.2.16_nossl/htdocs/openadmin/ to /oat/installation/directory/apache_2.2.22/htdocs/openadmin/. All the OAT source code is in this directory. Run the following commands to make sure that the PHP Apache handler is properly loaded. cd /oat/installation/directory/apache_2.2.22/bin/./httpd M

4 This command shows you a list of Apache modules. Ensure that the php5 module is on the list. Note: Sometimes running./httpd M returns an error similar to this: Cannot load libphp5.so into server: libssl.so.4: cannot open shared object file: No such file or directory. You can resolve this error by creating symbolic links from the libssl.so and libcrypto.so libraries that are already installed on your system. For example: ln -s /lib/libssl.so.0.9.8e /lib/libssl.so.4 ln -s /lib/libcrypto.so.0.9.8e /lib/libcrypto.so.4 Now your new web server should be properly set up for OAT. You can start your web server by running /oat/installation/directory/startapache and go to OAT by using your web browser. Note that this server has mod_ssl enabled, but HTTPS is not switched on yet. To enable HTTPS, you need to complete a few more steps, which are explained later on in this article. On Windows First, download and install OpenSSL from the following website: The next step is to set up Apache with mod_ssl support. Download the latest Win32 Binary including OpenSSL 0.9.8t (MSI Installer). This package is available at Stop the OAT Apache web server. The Start menu should include an OpenAdmin shortcut. You can stop the OAT Apache web server from there. Make sure that the Apache Monitor is not running on your system tray. Rename the OAT Apache_ directory to Apache_2.2.16_noSSL to create a backup copy of the Apache binaries. You will use some configuration files from this Apache directory in later steps. Run the Apache MSI installer. Do a typical install and set the installation directory to be /oat/installation/directory/apache_ Important note: For Windows, keep the directory name as Apache_2.2.16, even if you are installing a newer version of Apache. Your OAT installation and its services are configured to use the directory name Apache_ They will not work if you use a different directory name for your new Apache installation. Edit the Apache configuration file (/oat/installation/directory/apache_2.2.16/conf/httpd.conf). Add or uncomment the following lines in the httpd.conf file:

5 LoadModule php5_module "c:\oat\installation\dir\php_5.2.4\php5apache2_2.dll" LoadModule ssl_module modules/mod_ssl.so AddType application/x-httpd-php.php PhpIniDir 'c:\oat\installation\dir\php_5.2.4' In the httpd.conf file, search for this line: Listen 80 (or Listen 8080). This line indicates the port number for the OAT web server. Use the same port number as the original OAT Apache web server that came with the OAT installation. In the httpd.conf file, search for this line: ServerName This line indicates the name and the port that the server uses to identify itself. You should use the same ServerName as the original OAT Apache web server that comes with the OAT installer. In the httpd.conf file, search for this line: DirectoryIndex index.html. This line sets the files that Apache serves if a directory is requested. Change this line to: DirectoryIndex index.html index.php In the original OAT Apache configuration file (c:\oat\installation\dir\apache_2.2.16_nossl\conf\httpd.conf), search for this line: setenv INFORMIXDIR. This line sets the INFORMIXDIR variable in the Apache environment for OAT. This variable must be set in your new Apache web server. Copy the line to your new Apache web server s httpd.conf file. You can put the line at the end of the file. Copy the entire directory c:\oat\installation\dir\apache_2.2.16_nossl\htdocs\openadmin\ to c:\oat\installation\dir\apache_2.2.16\htdocs\openadmin\. All the OAT source code is in this directory. Run the following commands in a command prompt to make sure that the PHP Apache handler and the mod_ssl modules are properly loaded. cd c:\oat\installation\dir\apache_2.2.16\bin\ httpd.exe M This command displays a list of Apache modules. Confirm that the php5 module and the ssl module are on the list. Now your new web server should be properly setup for OAT. On the Start menu, click the OpenAdmin Menu and then click Start Apache Service for OpenAdmin. You can access OAT by using your web browser. Note that the web server has mod_ssl enabled, but HTTPS is not switched on yet. To enable HTTPS, you need to complete a few more steps, which are explained in the remainder of this article.

6 Creating an Encryption Key and a Certificate for your OAT Web server Keys are used in encryption and decryption. They usually come in pairs, the public key and private key. Public keys are used to encrypt messages and private keys are used to decrypt messages. The message encrypted by a public key can only be decrypted by its associated private key. An HTTPS-enabled web server has its own pair of public and private keys. The web server makes its public key available to all clients. But only the web server knows its private key. So all the clients are able to encrypt messages, but only the web server can decrypt the message. To send an encrypted message to the web server, the client encrypts the message with the public key provided by the web server and then sends the message. The web server decrypts the client s message by using its secret private key. Hackers who are trying to listen over the network and steal the client s message cannot decrypt the client s message, because they do not have the private key. A certificate is a document that authenticates a web server. An HTTPS-enabled web server has a certificate, signed by a trusted certificate authority, to verify that it is the web server that the clients want to communicate with. Before a client talks to the web server, the client is prompted to view and accept the web server s certificate. The client can make sure that the certificate is signed by a trusted certificate authority before proceeding with the communication. After a web server is HTTPS-enabled, clients can choose whether to establish a normal connection or a secure connection to the web server. To establish a normal connection, the client types server_url in their web browser. To establish a secure connection, the client types server_url. In a secure connection, the web server sends its certificate and its public key to the client. The client is prompted to view and accept the web server s certificate before the web page is loaded, so that the client can be sure that the web server is not a fake web server created by hackers. After the client accepts the certificate, the client s web browser uses the public key that it received from the web server to encrypt communication. Only the web server has the associated private key, so only the web server can decrypt the client s encrypted communication. Hackers cannot secretly listen and decrypt the communication. To generate private/public key pairs and the certificate, you use the openssl executable in the bin directory of your OpenSSL installation. To generate a private key, use the following command: openssl genrsa -des3 -out privkey.pem 2048 The private key is stored in the privkey.pem file. Store this file in a secure location because it contains the web server s secret decryption key. When you generate the

7 certificate, this file is used to generate the associated public key, which is included in the certificate. When you run the command to generate the private key, you are prompted to enter a passphrase to protect your private key. You must re-enter this passphrase every time you run a command that requires the use of the private key, for example when you start your Apache web server or use your private key to generate a certificate. On Linux, for security reasons, it is highly recommended to use a passphrase to protect and encrypt your private key. On Windows, Apache does not support using a private key with a pass phrase. So on Windows, you must run the following command to remove the passphrase. openssl rsa -in privkey.pem -out privkey_nopassphrase.pem This command creates an unencrypted version of the private key in the file privkey_nopassphrase.pem. Store this file in a secure location because it contains your private key in an unencrypted form. After you have a private key, you need to create a certificate to authenticate the identity of the web server. To generate a certificate, create a certificate signing request, and send the certificate signing request to a trusted certificate authority (such as VeriSign). The authority will then issue you a certificate. Use the following command to generate a certificate request. openssl req -new -key privkey.pem -out cert.csr For more information about the process of signing certificate requests, contact your certificate authority. If you don t want to go through a certificate authority and you just want to create a certificate for yourself, you can create a self-signed certificate. Note that this is not the recommended way of creating a certificate. openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 OpenSSL will prompt you to enter your personal information. The certificate is stored in the cacert.pem file. This file is displayed to web clients to verify your identity. It also includes the public key for web clients, so that they can encrypt communication. For more information about encryption keys, refer to the OpenSSL documentation: For more information about certificates, refer to the OpenSSL documentations:

8 Configure the Apache configuration file httpd.conf to enable HTTPS Edit the Apache configuration file: /oat/installation/directory/apache_2.2.22/conf/httpd.conf Search for the following line: #Include conf/extra/httpd-ssl.conf This line is commented out by default. Uncomment it so that httpd.conf includes the Apache SSL configuration file. Then edit the Apache SSL configuration file: /oat/installation/directory/apache_2.22/conf/extra/httpd-ssl.conf HTTPS requires a separate SSL port. By default, the SSL port number is set to be 443. Make sure that this port is available. If you want to change this port, edit the Listen directive and the Virtual Host section of the httpd-ssl.conf file. In the httpd-ssl.conf file, search for the SSLCertificateKeyFile directive and the SSLCertificateFile directive. These two directives indicate the location of your private key file and the certificate file. Make sure that they point to the privkey.pem (or privkey_nopassphrase.pem for Windows) and the cacert.pem that you created in the previous section. Search for the SSLCipherSuite directive. This directive indicates the ciphers for your HTTPS web server. By default the HTTPS web server accepts all encryption ciphers. You can keep the default configuration or if you want to accept only the seven strongest ciphers, edit the directive as follows: SSLProtocol all SSLCipherSuite HIGH:MEDIUM For more information about HTTPS configurations, refer to the following website: Final Testing You must restart the web server for the HTTPS changes to take effect. After restarting, your OAT web server should be secured with HTTPS. Launch OAT with your web browser, but instead of using use You will be prompted to view and accept the OAT web server s certificate before the OAT login page is launched.

9 On Linux, you can restart your web server by running the StopApache script and then the StartApache script in the OAT installation directory. You will be prompted to enter the pass phrase before you can start you web server. On Windows, you can restart your web server with the Apachemonitor.exe or by using the Start menu shortcuts. Appendix This article was tested using the following software versions. However, these instructions should work using any recent version of Apache or OpenSSL. It is a best practice to always download the latest available Apache and OpenSSL release to ensure that you are up-to-date with security fixes. OpenAdmin Tool for Informix version 2.75 IBM Informix Client SDK version 3.70.xC5 Apache HTTP Server version OpenSSL version l This article was tested on the following operating systems. Linux Red Hat Enterprise Linux Server release 5.3, i686 Linux Red Hat Enterprise Linux Server release 5.3, x86_64 Windows 2008, 64-bit