HOWTO: Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3
Joshua Penton, Geocent, LLC (joshua.penton@geocent.com)
March 2013

Table of Contents

    Overview
    Prerequisites
        Install OpenSSL
        Install Nginx
        Generate SSL Certificates
    Install DoD Root CA Certificates
        Download Root CA Certificates
        Convert DoD Root CA Certificates
        Install Converted Certificates
    Configure Nginx

Overview

The expansion of web presence within the Department of Defense (DoD) requires more and more systems to provide a web-based interface to system information and resources. While many technologies make up the stack between system resources and the end user, the component that sits at the most exposed end point is the web server. Historically this functionality has been delivered by monolithic applications such as Apache HTTP Server [1] or Microsoft Internet Information Services [2]. As the need shifts towards web servers that are easier to deploy and manage while still providing the necessary performance and configurability, it behooves administrators to look towards emerging solutions.

Nginx [3] has emerged as a high-performance solution that has gained wide adoption in the commercial sector. The open source project provides a web server and a reverse proxy whose design centers on high concurrency and low memory usage, coupled with a scalable module-based architecture. The result is an easily configured, cross-platform web server that can surpass the performance of traditional applications while standardizing and easing configuration.

Within the DoD a common requirement is for applications to challenge incoming requests for Common Access Card (CAC) credentials for user identification and authorization, so any web server that is to operate within the DoD infrastructure must support this. This document provides the steps needed to configure Nginx to authenticate requests with CAC credentials, that is, to require a client certificate during the TLS handshake and to verify that it chains to a DoD root CA. While the target environment is CentOS 6.3, the instructions apply to other platforms as well.

[1] Welcome! - The Apache HTTP Server Project - http://httpd.apache.org/
[2] Home : The Official Microsoft IIS Site - http://www.iis.net/
[3] nginx news - http://nginx.org/

Prerequisites

Install OpenSSL

If OpenSSL [4] is not already installed on the target system, use yum [5] to install the necessary packages. The commands in this document modify system files and must be run as root (or through sudo):

    $ yum install openssl

Install Nginx

If Nginx is not already installed on the system, use yum to install the necessary packages. First add the Nginx yum repository by creating a file named /etc/yum.repos.d/nginx.repo with the following contents:

    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck=0
    enabled=1

Note that gpgcheck=0 disables signature verification of packages from this repository, so the integrity of the download rests entirely on an unauthenticated HTTP transfer. For anything beyond a test system, import the repository's signing key (published by the project at http://nginx.org/keys/nginx_signing.key), set gpgcheck=1 and add a gpgkey= entry pointing at the key.

Save the file and then install the Nginx packages:

    $ yum install nginx

Generate SSL Certificates

If the target system does not already have the required SSL certificates generated and installed, they can be generated at this time. First create the directory that will hold the server key and certificate and restrict its permissions:

    $ mkdir /etc/nginx/ssl
    $ chmod 700 /etc/nginx/ssl

Next generate the private key for the server. Use at least 2048 bits; 1024-bit RSA keys are no longer acceptable for TLS. The first command writes a passphrase-protected key and the second strips the passphrase so that Nginx can start unattended, which means the resulting server.key is protected only by file permissions:

    $ cd /etc/nginx/ssl
    $ openssl genrsa -des3 -out server.key.org 2048
    $ openssl rsa -in server.key.org -out server.key

Next create a Certificate Signing Request (CSR). When prompted, enter the fully qualified host name that users will connect to as the Common Name; browsers reject a server certificate whose name does not match the URL:

    $ openssl req -new -key server.key -out server.csr

If the server's certificate must be signed by a central signing authority, submit the server.csr file to the proper administrators and copy the returned certificate to /etc/nginx/ssl/server.crt. Otherwise, for development purposes only, a self-signed certificate can be generated and installed:

    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Finally ensure all of the installed files have proper permissions set:

    $ chmod 600 /etc/nginx/ssl/*

Install DoD Root CA Certificates

The DoD currently hosts both its CA and ECA (External Certification Authority) certificates at http://dodpki.c3pki.chamb.disa.mil/rootca.html. They will need to be installed into the OpenSSL certificate store.

Download Root CA Certificates

The most recent certificates may be downloaded to the target server using wget:

    $ wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
    $ wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
    $ wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b

These files are what the server will trust for every client authentication decision, and the download is plain HTTP with no integrity protection. Before installing them, compare the certificate fingerprints against the values published by the DoD PKE office, obtained through a channel other than this download.

Convert DoD Root CA Certificates

The certificates downloaded from the DISA website are in PKCS#7 format but need to be in a format recognizable by Nginx. OpenSSL can convert them to the Privacy Enhanced Mail (PEM) format used by a wide variety of software, including Nginx:

    $ openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b -out rel3_dodroot_2048.pem -print_certs
    $ openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs
    $ openssl pkcs7 -inform DER -outform PEM -in dodeca2.p7b -out dodeca2.pem -print_certs

The -print_certs option writes each certificate preceded by a human-readable subject and issuer line; OpenSSL and Nginx skip that text when reading the file. Nginx takes its list of trusted client CAs from a single file, so concatenate the converted files with cat. The file name must match the one referenced later by ssl_client_certificate:

    $ cat rel3_dodroot_2048.pem dodeca.pem dodeca2.pem > dod-root-certs.pem

Every CA in this file becomes an acceptable issuer of client certificates. The ECA roots belong to the External Certification Authority program that issues certificates to DoD business partners, not to CAC holders; if only CAC holders should be able to connect, leave dodeca.pem and dodeca2.pem out of the concatenated bundle.

Install Converted Certificates

Copy the converted certificates into the system certificate directory (on CentOS, /etc/ssl/certs is a symbolic link to /etc/pki/tls/certs):

    $ cp rel3_dodroot_2048.pem /etc/ssl/certs
    $ cp dodeca.pem /etc/ssl/certs
    $ cp dodeca2.pem /etc/ssl/certs
    $ cp dod-root-certs.pem /etc/ssl/certs

[4] OpenSSL: The Open Source toolkit for SSL/TLS - http://www.openssl.org/
[5] Yum Package Manager - Trac - http://yum.baseurl.org/
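The conversion and trust steps above can be rehearsed offline before the real DoD bundle goes into production. The script below is an added example written for this page, not part of the original document: it builds a constructed throwaway PKI (test root -> test intermediate -> user certificate, mirroring DoD Root CA -> DOD CA -> CAC), packages the CA certificates as DER PKCS#7 the way DISA publishes them, runs the same openssl pkcs7 conversion, and then performs the check Nginx will perform at the handshake with ssl_verify_client on and ssl_verify_depth 2. The names, subjects and file names are all assumptions; only the openssl command line is required.

```shell
#!/bin/sh
# Added example (not from the original document). Dry run of the PKCS#7 ->
# PEM conversion and of the client-certificate chain check, using a
# CONSTRUCTED throwaway PKI in place of the DoD roots and a real CAC.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Explicit extensions so the result does not depend on the OpenSSL default
# config: CA:TRUE for the CAs, CA:FALSE plus clientAuth for the user cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

# newkey_csr NAME SUBJECT: fresh 2048-bit key and CSR without a passphrase.
newkey_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Build the throwaway PKI (assumed names): root, intermediate signed by the
# root, user certificate signed by the intermediate, and an unrelated
# self-signed certificate that must be rejected.
build_test_pki() {
    newkey_csr root '/C=US/O=Test/CN=Test Root CA'
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1
    newkey_csr int '/C=US/O=Test/CN=Test Intermediate CA'
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
    newkey_csr user '/C=US/O=Test/OU=CONTRACTOR/CN=DOE.JOHN.1234567890'
    openssl x509 -req -in user.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -extfile user.ext -out user.pem >/dev/null 2>&1
    newkey_csr rogue '/C=US/O=Rogue/CN=ROGUE.USER.0000000000'
    openssl x509 -req -in rogue.csr -signkey rogue.key -days 1 \
        -extfile user.ext -out rogue.pem >/dev/null 2>&1
    # Package the CA certificates as DER PKCS#7, the form DISA publishes.
    openssl crl2pkcs7 -nocrl -certfile root.pem -certfile int.pem \
        -outform DER -out test-roots.p7b
}

# The conversion step from the document applied to the constructed bundle.
# Prints how many certificates came out (expected: 2, root and intermediate).
convert_bundle() {
    openssl pkcs7 -inform DER -outform PEM -in test-roots.p7b \
        -print_certs -out test-roots.pem
    grep -c 'BEGIN CERTIFICATE' test-roots.pem
}

# What nginx does on the handshake: build a chain from the presented
# certificate to a CA in the bundle, at most two CAs deep, for the TLS client
# purpose. Returns 0 only when openssl reports "<file>: OK".
verify_client_cert() {
    out=$(openssl verify -purpose sslclient -verify_depth 2 \
              -CAfile test-roots.pem "$1" 2>&1) || return 1
    case "$out" in *": OK"*) return 0 ;; esac
    return 1
}

# The identity string the application will receive from nginx as
# $ssl_client_s_dn (format differs between OpenSSL versions).
client_dn() {
    openssl x509 -in "$1" -noout -subject
}

build_test_pki
echo "certificates in converted bundle: $(convert_bundle)"
verify_client_cert user.pem  && echo "user.pem: accepted (chains to test root)"
verify_client_cert rogue.pem || echo "rogue.pem: rejected (no trusted issuer)"
client_dn user.pem
```

The same verify command, pointed at the real dod-root-certs.pem and at a certificate exported from a CAC, tells you before any Nginx change whether the bundle holds everything needed to build the chain; a failure mentioning "unable to get local issuer certificate" means the intermediate DoD CA is neither in the bundle nor supplied by the client.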

Configure Nginx

Within the /etc/nginx/conf.d directory either create a new configuration file or modify a relevant file that is currently in use. The directives below belong inside a server block. Relative paths such as ssl/server.crt are resolved against the Nginx prefix directory (/etc/nginx for the packaged build); the absolute paths used here are equivalent and less ambiguous:

    server {
        listen 443;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_client_certificate /etc/ssl/certs/dod-root-certs.pem;
    }

What these directives do:

ssl_verify_client on requires every client to present a certificate during the TLS handshake and rejects the connection if that certificate does not chain to one of the CAs in ssl_client_certificate; the browser then sees an Nginx "400 Bad Request" page stating that no required SSL certificate was sent, never the application. With optional instead of on the handshake succeeds either way and the application must check $ssl_client_verify itself.

ssl_verify_depth 2 allows two CAs between the user certificate and a trusted root, which is what a CAC needs: DoD Root CA -> DOD CA (intermediate) -> user certificate. If the bundle built in the previous section holds only root certificates, the intermediate must come from somewhere: either the client presents it during the handshake, or the current DoD intermediate CA certificates are appended to dod-root-certs.pem. Handshakes that fail with "unable to get local issuer certificate" in /var/log/nginx/error.log indicate a missing intermediate.

Nothing in this configuration checks revocation, so a CAC that has been reported lost or revoked is accepted until its certificate expires; the ssl_crl directive points Nginx at a PEM file of CRLs for that purpose. Verifying the chain also establishes only who the user is, not what they may do: authorization remains the application's job, typically based on the subject DN that Nginx exposes as $ssl_client_s_dn.

Check the configuration, then restart the Nginx process and access your site:

    $ nginx -t
    $ service nginx restart

Upon connection the browser prompts the user to select a certificate from their CAC; Nginx verifies the chosen certificate against the DoD root bundle and only then serves the request.
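For a deployment rather than a first test, the fragment above needs revocation checking and a way to hand the verified identity to the application behind Nginx. The following server block is an added example written for this page, not configuration from the original document; the host name, the upstream address 127.0.0.1:8080 and the CRL file path are assumptions.

```nginx
# Added example: CAC authentication in front of a proxied application.
# Host name, upstream address and CRL path are assumptions.
server {
    listen 443 ssl;                  # "listen ... ssl" supersedes "ssl on;"
    server_name www.example.mil;     # assumption

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_cache   shared:SSL:10m;

    # Client authentication: the presented certificate must chain to a CA in
    # this bundle through at most two CAs (DoD Root CA -> DOD CA -> user).
    ssl_client_certificate /etc/ssl/certs/dod-root-certs.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Revocation. Without this a CAC reported lost or revoked is still
    # accepted. Nginx checks every certificate in the chain, so this PEM file
    # must contain a current CRL for each CA in the chain (root and
    # intermediate); a missing CRL makes every handshake fail with
    # "unable to get certificate CRL". Refresh the file on a schedule and
    # reload nginx afterwards. Path is an assumption.
    ssl_crl /etc/nginx/ssl/dod-crls.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumption: the application

        # Hand the verified identity to the application. proxy_set_header
        # replaces any same-named header the client sent, so the application
        # may trust these values as long as it is reachable only through
        # this nginx instance. With ssl_verify_client on, requests that get
        # this far always carry SUCCESS; the value matters with "optional".
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
    }
}

# Plain HTTP: never serve the application here, just redirect to HTTPS.
server {
    listen 80;
    server_name www.example.mil;     # assumption
    return 301 https://$host$request_uri;
}
```

The application should key its authorization decisions on X-SSL-Client-DN (the CAC identity certificate carries the user's name and EDIPI in the Common Name), and must not accept those headers from any source other than this Nginx instance, for example by binding the application to 127.0.0.1 as assumed above.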