Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007




Edition: 1.0, October 2007

All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Seeds of Genius and its licensors, if any.

Abstract

This paper assumes the following:

1. You have an instance of Sun Java System Web Server 6.1.
2. The machine has a static IP.
3. You have root access to install and configure the software.
4. All steps are presented in the form of examples, with the assumption that you will replace environment-specific parameters such as myserver, mydomain.com, password, and any other fields with the appropriate values for your environment.

I. Generate your own Certificate Authority (CA)

1. From Paul Bramscher (http://www.tc.umn.edu/~brams006/selfsign.html):

   Some steps in this document require privileged access, and you'll want to limit access to the certs to all but the root user. So you should su to root and create a working directory that only root has read/write access to (for example: mkdir certwork, chmod 600 certwork). Go to that directory.

   In this step you'll take the place of VeriSign, Thawte, etc. You'll first build the CA key, and then build the certificate itself. The Common Name (CN) of the CA and the Server certificates should not match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In Step #2 below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.

   CA:
     Common Name (CN):          www.somesite.edu CA
     Organization (O):          Somesite
     Organizational Unit (OU):  Development

   Server:
     Common Name (CN):          www.somesite.edu
     Organization (O):          Somesite
     Organizational Unit (OU):  Development

   If you don't have a fully qualified domain name, you should use the IP that you'll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA's CN from the Server's CN.

2. Generate the CA key and the self-signed CA certificate:

   # cd /<path to store CA key and certificate>
   # openssl genrsa -des3 -out ca.key 4096
   # openssl req -new -x509 -days 365 -key ca.key -out ca.crt

II. Create a Trust Database for your Web Server

1. Log in to the Web Server console at http://myserver.mydomain.com:8888.
2. Click Manage for the target instance.
3. Click the Security tab.
4. Click the Create Database link.
5. Enter a password for the database.

III. Create a Server Certificate Signing Request (CSR)

1. Click the Request a Certificate link under the Security tab within the instance administration console for the Web Server.
2. Enter a CA email address. The server will send your request to this email address.
3. Enter the password you used to create the Trust Database in Step II.5 for the Key Pair File Password.
4. Fill in the rest of the form with your personal information.
5. For the Common Name field, enter the host name of the server.
6. For State, make sure to spell out the full state name. Do not use an abbreviation.
7. The certificate request will be emailed to the address entered and a copy will be saved in /tmp, as stated in the popup dialog. Locate this file and move it to a safe place while renaming it to server.csr.
8. # mv /tmp/<filename given in Step 7> /<path to certificates directory>/server.csr

IV. Sign the Certificate Signing Request (CSR) with the self-created Certificate Authority (CA)

1. From Paul Bramscher (http://www.tc.umn.edu/~brams006/selfsign.html):

   Note that 365 days is used here. After a year you'll need to do this again. Note also that I set the serial number of the signed server certificate to "01". Each time you do this, especially if you do this before a previously-signed certificate expires, you'll need to change the serial key to something else -- otherwise everyone who's visited your site with a cached version of your certificate will get a browser warning message to the effect that your certificate signing authority has screwed up -- they've signed a new key/request, but kept the old serial number. There are a couple of ways to rectify that. CRLs (certificate revocation lists) are one method, but beyond the scope of the document. Another method is for all clients who have stored the CA certificate to go into their settings and delete the old one manually. But for the purposes of this document, we'll just avoid the problem. (If you're a sysadmin of a production system and your server.key is compromised, you'll certainly need to worry.)

   The command below does a number of things. It takes your signing request (CSR) and makes a one-year-valid signed server certificate (CRT) out of it. In doing so, we need to tell it which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign. We set the serial number to 01, and output the signed key in the file named server.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), you might want to use 02 for the next serial number, and so on. You might create some scheme to make the serial number more "official" in appearance or makeup, but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself.

2. # openssl x509 -req -days 365 -in <path to server.csr> -CA <path to ca.crt from Step I.2> -CAkey <path to ca.key from Step I.2> -set_serial 01 -out <path to store newly signed server.crt certificate>

3. To examine the components if you're curious:
   a. # openssl rsa -noout -text -in server.key
   b. # openssl req -noout -text -in server.csr
   c. # openssl rsa -noout -text -in ca.key
   d. # openssl x509 -noout -text -in ca.crt

V. Install the certificate in Sun Java Web Server

1. Log in to the Web Server's admin console.
2. Choose the instance that the cert was created for and click Manage.
3. Click the Security tab.
4. Click Install Certificate.
5. Enter the password for the cert database in the Key Pair File Password field.
6. Choose Message text (with headers).
7. Use cat to read the contents of the signed Server Certificate:
8. # cat server.crt
9. Copy and paste the text of the certificate into the text box. Make sure you include the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
10. Click OK.
11. Click the Add Server Certificate button.
12. You will see a pop-up warning window telling you the change will require a server restart. Click OK.
13. You should see a pop-up success window. Click OK.
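The following script is an added example, not from this paper or from Bramscher's page: it runs Step I.2 and Step IV.2 non-interactively and keeps a serial counter on disk so a re-signed server.crt never repeats a serial number (the browser-warning problem described above), then checks that the result chains to ca.crt. The CSR it signs is an openssl-generated stand-in for the one the Web Server console writes to /tmp; WORKDIR, CA_PASS and the "changeit" default are assumptions.

```shell
#!/bin/sh
# Added example (not the paper's code): CA of Step I.2, signing of Step IV.2
# with a serial counter instead of a hard-coded 01, then chain verification.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"    # assumption: scratch dir; keep it root-only for real use
CA_CN="www.somesite.edu CA"           # CA and server CNs must differ (Step I.1)
SERVER_CN="www.somesite.edu"
CA_PASS="${CA_PASS:-changeit}"        # assumption: ca.key passphrase (the paper's -des3 prompt)

# Step I.2, non-interactive: -subj replaces the prompts, -passout the typed passphrase.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$CA_CN/O=Somesite/OU=Development" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Stand-in for the CSR the Web Server console writes to /tmp (Step III.7);
# the real one is generated from the trust database, not from an openssl key.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
        -subj "/CN=$SERVER_CN/O=Somesite/OU=Development" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Step IV.2 with a persistent counter: each run signs with the next serial.
# Prints the serial actually embedded in server.crt (hex, as browsers show it).
sign_csr() {
    serial_file="$WORKDIR/serial.txt"
    [ -f "$serial_file" ] || echo 0 > "$serial_file"
    next=$(( $(cat "$serial_file") + 1 ))
    echo "$next" > "$serial_file"
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" -set_serial "$next" \
        -out "$WORKDIR/server.crt" 2>/dev/null
    openssl x509 -noout -serial -in "$WORKDIR/server.crt" | sed 's/^serial=//'
}

# The check Step IV.3 stops short of: does server.crt validate against ca.crt?
verify_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null
}

# Usage: sh sign_with_own_ca.sh run
if [ "${1:-}" = "run" ]; then
    make_ca; make_csr
    echo "first serial:  $(sign_csr)"     # 01
    echo "second serial: $(sign_csr)"     # 02, never a repeat of 01
    verify_cert && echo "server.crt verifies against ca.crt in $WORKDIR"
fi
```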
VI. Enable SSL by Adding a Listening Socket

1. Click Add Listen Socket under the Preference tab in the instance administration console.
2. Enter 443 for the Port field.
3. Change the Security field to Enabled.
4. Click OK.
5. You should see a pop-up window telling you to apply changes.
6. Click the Apply link in the upper right corner.
7. Click Apply Changes.
8. Type the Trust Database password from Step II.5 into the Module internal field before clicking the Server On button.
9. Test the SSL-enabled Web Server by navigating to https://myserver.mydomain.com.
10. Your browser should ask whether to accept the certificate provided by the server.

OPTIONAL STEP: Create a Plain-Text Password File to Allow Unattended Restarts

1. Create the file password.conf in the config directory of the web server. For example: /opt/sunwwbsvr/https-secure-WebServer/config/password.conf
2. The syntax of the file is:
   internal:<password>
   a. This will let the system start the web server from the command line without entering the password:
      /etc/init.d/webserv01 start (all web servers)
      or
      /opt/sunwwbsvr/https-secure-webserver/start (just this one web server)
   b. If you try to use the web-based interface to start the server, you still need to enter the password.
3. Modify the permissions of the password.conf file so that it is readable only by root:
   a. # chmod 400 password.conf

Credits:
OpenSSL steps from Paul Bramscher (http://www.tc.umn.edu/~brams006/selfsign.html)
Sun Web Server Trust Database steps from Dave (http://vegdave.wordpress.com/2007/04/12/howto-setup-ssl-on-sun-javasystem-web-server-61-on-soaris/)

If you need any help please contact the Seeds of Genius support center at support@seedsofgenius.com.