Apache HTTP Server Integration Guide


Document Information

Document Part Number: 007-011228-001 (Rev E)
Release Date: November 2014

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

Limitations

This document does not include the steps to set up the third-party software. The steps given in this document must be modified accordingly. Refer to Luna SA documentation for general Luna setup procedures.

Disclaimer

The foregoing integration was performed and tested only with the specific versions of equipment and software and only in the configuration indicated. If your setup matches exactly, you should expect no trouble, and Customer Support can assist with any missteps. If your setup differs, then the foregoing is merely a template and you will need to adjust the instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee success in setups that we have not tested.

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

Contact Method    Contact Information
Mail              SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Email             TechPubs@safenet-inc.com

Support Contacts

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact Method    Contact Information
Address           SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Phone             United States: 1-800-545-6608; International: 1-410-931-7520
Email             support@safenet-inc.com

Contents

CHAPTER 1  Introduction ........ 5
    Scope ........ 5
    Prerequisites ........ 6
CHAPTER 2  Configuring Apache Toolkit for v2.2.x (An Example) ........ 8
CHAPTER 3  Integration of Apache Server with Luna ........ 9

CHAPTER 1: Introduction

This document covers the necessary information to install, configure and integrate Apache HTTP Server with SafeNet Luna SA Hardware Security Modules (HSM). The Luna HSMs integrate with the Apache HTTP Server to provide significant performance improvements by off-loading cryptographic operations from the Apache HTTP Server to the Luna HSMs. In addition, the Luna HSMs provide extra security by protecting and managing the server's high-value SSL private key within a FIPS 140-2 certified hardware security module.

Scope

3rd Party Application Details

    Apache HTTP Server v2.2.x for Unix
    Apache HTTP Server v2.4.x for Unix

Supported Platforms

    Operating System                        Luna Version        Apache Version
    RHEL 5.8 (64 bit) / RHEL 5 (32/64 bit)  SA 4.4              Apache v2.0.59
                                            Luna Client 5.2.1   Apache v2.2.14
                                            SA 5.0              Apache v2.2.14
                                            PCI 5.0             Apache v2.2.14
    RHEL 6 (64 bit)                         Luna Client 5.2.1   Apache v2.2.14
    Solaris 10 Sparc                        SA 5.0              Apache v2.2.21
    RHEL 6.5 (64 bit)                       Luna Client 5.4.1   Apache v2.4.4

HSMs and Firmware Version

    K5 HSM f/w 4.8.1 (Luna SA v4.4.3)
    K6 HSM f/w 6.0.8 (Luna SA v5.0)
    K6 HSM f/w 6.1.3 (Luna PCI v5.0)
    K6 HSM f/w 6.10.1 (Luna SA 5.2.1)
    K6 HSM f/w 6.21.0 (Luna SA 5.4.1)

Library and Driver Support

    PKCS#11 v2.01 dynamic library
    PKCS#11 v2.20 dynamic library

Distributions

    Luna SA Client s/w v4.4.1
    Luna SA Client s/w v5.0
    Luna PCI Client s/w v5.0
    Luna Client s/w v5.2.1
    Luna Client s/w v5.4.1
    Apache Toolkit

Prerequisites

Luna SA Setup

Please refer to the Luna SA documentation for installation steps and details regarding configuring and setting up the box on UNIX systems. Before you get started, ensure the following:

    Luna SA appliance and a secure admin password
    Luna SA, and a hostname, suitable for your network
    Luna SA network parameters are set to work with your network
    Initialize the HSM on the Luna SA appliance
    Create a partition on the HSM and remember the partition password; it will be used later for the Apache HTTP Server.
    Create and exchange certificates between the Luna SA and your "Client" system (register the Client with the Partition).
    Run the command vtl verify to display a partition from the Luna SA. The general form of the command is:

        /usr/lunasa/bin/vtl verify

    NOTE: For Solaris 10 SPARC, you need to export LD_LIBRARY_PATH:

        export LD_LIBRARY_PATH=/opt/lunasa/lib:$LD_LIBRARY_PATH

    NOTE: For the Solaris 10 SPARC platform in Luna SA v5.0, the general form of the command is:

        /opt/lunasa/bin/vtl verify

    For Luna Client v5.2.1 onwards, the general form of the command is:

        /usr/safenet/lunaclient/bin/vtl verify

    Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies to Luna SA with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Luna PCI Setup

Please refer to the Luna PCI documentation for installation steps and details regarding configuring and setting up the box on RHEL and Solaris SPARC systems. Before you get started, ensure the following:

    Initialize the HSM on the Luna PCI appliance
    Create a partition on the HSM that will be used later by the Apache HTTP Server.
    Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies to Luna PCI with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Apache Toolkit

The Apache toolkit is provided to make the installation quick and easy. The installation CD can be obtained from the SafeNet Customer Connection Center. By default, the Apache toolkit installs the Apache version that was built with the toolkit. However, you can use any version of Apache with the toolkit, as described in Chapter 2. You can skip Chapter 2 if you intend to install Apache 2.2.14 anyway.

NOTE: If you already have Apache installed, uninstall it before proceeding with the installation.

CHAPTER 2: Configuring Apache Toolkit for v2.2.x (An Example)

This is an example of how to use a version of Apache Server that is not built into the Apache Toolkit by default. To configure Apache HTTP Server 2.2.x to recognize the Luna SA / Luna PCI cryptographic device:

1. Download the desired version from the following site: http://archive.apache.org/dist/httpd/

   NOTE: We have downloaded Apache v2.2.21, but you can download any v2.2.x available.

2. Traverse to the toolkit, e.g. /root/_cdrom_apache.

3. Copy the httpd-2.2.x.tar.gz downloaded from the above site into the toolkit directory.

4. Extract luna-samples-0.9.8 from luna-samples-0.9.8.tar.gz by using the following commands:

       gunzip luna-samples-0.9.8.tar.gz
       tar -xvf luna-samples-0.9.8.tar

5. Now execute the following commands (the sample configuration files for 2.2.14 are copied under the new version name, then the samples directory is re-archived from its parent directory so the archive keeps the luna-samples-0.9.8/ prefix):

       cd luna-samples-0.9.8
       cp httpd-luna-2.2.14.conf httpd-luna-2.2.x.conf
       cp mpm-luna-2.2.14.conf mpm-luna-2.2.x.conf
       cp ssl-luna-2.2.14.conf ssl-luna-2.2.x.conf
       cd ..
       tar -cvf luna-samples-0.9.8.tar luna-samples-0.9.8/*
       gzip luna-samples-0.9.8.tar

6. Traverse to the toolkit, e.g. /root/_cdrom_apache.

7. Edit the abuild-2.x script for the Apache version: change APACHEVER="2.2.14" to APACHEVER="2.2.x".

8. Save the script after changing the version.

Now you have completed all the changes required to integrate Apache v2.2.x with Luna SA. Follow the steps mentioned in the next chapter.

CHAPTER 3: Integration of Apache Server with Luna

To configure Apache HTTP Server to recognize the Luna SA / Luna PCI cryptographic device:

1. Traverse to the toolkit, e.g. /root/_cdrom_apache.

2. Run OptimizeApache.sh to configure the Luna SA configuration file (/etc/chrystoki.conf) for Apache:

       ./OptimizeApache.sh fork

   For further information, refer to the README-OPTIMIZE under the Apache toolkit.

3. The Luna SA / Luna PCI configuration file (/etc/chrystoki.conf) is now configured for Apache HTTP Server.

   Luna SA:

       Misc = {
          PE1746Enabled = 0;
          Apache = 0;
       }
       EngineLunaCA3 = {
          LibPath = /usr/safenet/lunaclient/lib/libcryptoki2.so;
          LibPath64 = /usr/safenet/lunaclient/lib/libcryptoki2_64.so;
          EngineInit = 1:10:11;
          DisableRand = 1;
          DisableDsa = 1;
          DisableEcdsa = 1;
          DisableCheckFinalize = 0;
          EnableRsaGenKeyPair = 0;
          EnableDsaGenKeyPair = 0;
       }

   NOTE: After running the OptimizeApache.sh script, make sure that the values of LibPath and LibPath64 in /etc/chrystoki.conf are the paths of libcryptoki2.so and libcryptoki2_64.so respectively. The path of the Cryptoki library has changed in Luna 5.2.1 onwards.

   Luna PCI:

       Misc = {
          Apache = 1;
          PE1746Enabled = 1;
       }
       EngineLunaCA3 = {
          DisableCheckFinalize = 0;
          DisableEcdsa = 1;
          DisableDsa = 1;
          DisableRand = 1;
          EngineInit = 1:10:11;
          LibPath64 = /usr/lunapci/lib/libcryptoki2_64.so;
          LibPath = /usr/lunapci/lib/libcryptoki2.so;
       }

4. Traverse to the toolkit (/root/_cdrom_apache) and run the configuration script (abuild-2.x) to install Apache HTTP Server and OpenSSL for Luna SA, with LUNA_CONFIG_BITS set for your platform.

   For 32-bit (LUNA_CONFIG_BITS=32):

       LUNA_CONFIG_BITS=32 ./abuild-2.x --build

   For 64-bit (LUNA_CONFIG_BITS=64):

       LUNA_CONFIG_BITS=64 ./abuild-2.x --build

   For further information, refer to the README-ABUILD under the Apache toolkit.

5. Open a session to the Luna SA using the sautil utility provided under /usr/local/sautil/bin:

       sautil -v -s 1 -i 10:11 -o -q

   For further information, refer to the README-RSA under the Apache toolkit.

6. Enter the partition password of the HSM in which you have registered the Apache server as a client.

7. Traverse to the toolkit (/root/_cdrom_apache) and run the abuild-2.x script to generate keys on the Luna SA / Luna PCI.

   For 32-bit:

       LUNA_CONFIG_BITS=32 ./abuild-2.x --genrsa

   For 64-bit:

       LUNA_CONFIG_BITS=64 ./abuild-2.x --genrsa

   Enter the relevant information as prompted for the keys to be generated.

8. Traverse to the Apache installation directory: /usr/local/apache2/conf

9. Open the Apache configuration file (httpd.conf) and edit the ServerName field with the hostname or IP address of the server.

10. Traverse to the directory: /usr/local/apache2/conf/extra

11. Open the SSL configuration file (httpd-ssl.conf) and edit the VirtualHost section as below:

        <VirtualHost <hostname or IP address>:443>

12. Traverse to the directory: /usr/local/apache2/bin

13. Start the Apache HTTP Server with the SSL option:

        ./apachectl -DSSL

    or

        ./apachectl -k (stop/start/restart)

    Make sure you have disabled iptables or allowed HTTP/HTTPS traffic through iptables.

14. Open any browser (IE/Firefox) and access the HTTP Server:

        https://<hostname or IP address>:443

15. Accept the certificate.
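The NOTE in step 3 asks you to confirm, after OptimizeApache.sh has run, that LibPath and LibPath64 in /etc/chrystoki.conf point at the Cryptoki libraries that actually exist on the client, since the library location moved in Luna Client 5.2.1. A stale path is silent until the engine fails to load at httpd start, so it is worth checking before steps 4 and 13. The script below is an added example written for this guide; it is not part of the SafeNet Apache toolkit. It parses the "Section = { Key = value; }" layout shown above, verifies both library paths, and demonstrates the sed rewrite one would apply to the live file. All file paths in it are constructed under a scratch directory (no real appliance or /etc/chrystoki.conf is touched); the stale /usr/lunasa path is the pre-5.2.1 location named in Chapter 1.

```shell
#!/bin/sh
# Added example for this guide (not SafeNet toolkit code): validate the
# EngineLunaCA3 library paths in a chrystoki.conf before starting httpd.

# conf_get <file> <section> <key>: print the value of "key = value;" inside
# "section = { ... }", or nothing if absent. Accepts "Key=value;" without spaces.
conf_get() {
    awk -v sect="$2" -v key="$3" '
        index($0, "{") {                                  # "Section = {" opens a section
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            insect = (name == sect); next
        }
        index($0, "}") { insect = 0; next }               # "}" closes it
        insect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;[ \t]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_engine_libs <file>: return 0 only when both LibPath and LibPath64 in
# EngineLunaCA3 are set and name existing files; report each one.
check_engine_libs() {
    rc=0
    for key in LibPath LibPath64; do
        lib=$(conf_get "$1" EngineLunaCA3 "$key")
        if [ -z "$lib" ]; then
            echo "MISSING: $key is not set in EngineLunaCA3" >&2; rc=1
        elif [ ! -f "$lib" ]; then
            echo "BAD: $key = $lib (file not found; stale pre-5.2.1 path?)" >&2; rc=1
        else
            echo "OK:  $key = $lib"
        fi
    done
    return $rc
}

# Constructed sample data (no real appliance): a scratch tree holding the
# 5.2.1-style library location, removed again when the script exits.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
libdir="$demo/usr/safenet/lunaclient/lib"
mkdir -p "$libdir"
: > "$libdir/libcryptoki2.so"
: > "$libdir/libcryptoki2_64.so"

# Stale config: LibPath still names the old /usr/lunasa location.
stale_conf="$demo/chrystoki-stale.conf"
cat > "$stale_conf" <<EOF
Misc = {
   PE1746Enabled = 0;
   Apache = 0;
}
EngineLunaCA3 = {
   LibPath = $demo/usr/lunasa/lib/libcryptoki2.so;
   LibPath64 = $libdir/libcryptoki2_64.so;
   EngineInit = 1:10:11;
   DisableRand = 1;
}
EOF

# Corrected config: the same file with the LibPath line rewritten to the
# 5.2.1 path, using the sed one would run against /etc/chrystoki.conf.
fixed_conf="$demo/chrystoki-fixed.conf"
sed "s#^\([[:space:]]*LibPath[[:space:]]*=[[:space:]]*\).*#\1$libdir/libcryptoki2.so;#" \
    "$stale_conf" > "$fixed_conf"

if check_engine_libs "$stale_conf"; then
    echo "stale config: unexpectedly passed"
else
    echo "stale config: rejected, fix LibPath before running abuild-2.x"
fi
if check_engine_libs "$fixed_conf"; then
    echo "fixed config: accepted"
fi
```

On a real client, run conf_get and check_engine_libs against /etc/chrystoki.conf instead of the constructed files; the sed pattern matches only the LibPath line (LibPath64 is left alone because "64" follows the key name), so adapt it separately for the 64-bit entry if that one is stale too.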