SecuritySpy Setting Up SecuritySpy Over SSL



Similar documents
ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

Enterprise SSL Support

esync - Receiving data over HTTPS

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

To enable https for appliance

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Apache, SSL and Digital Signatures Using FreeBSD

Apache Security with SSL Using Ubuntu

Creating Certificate Authorities and self-signed SSL certificates

Securing the OpenAdmin Tool for Informix web server with HTTPS

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

How to setup HTTP & HTTPS Load balancer for Mediator

Setting Up CAS with Ofbiz 5

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

How to: Install an SSL certificate

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Configuring MassTransit for the Web Using Apache on Mac OS 10.2 and 10.3

Application Note AN1502

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Securing Your Apache Web Server With a Thawte Digital Certificate

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Best Practices in Hardening Apache Services under Linux

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

GlobalSign Solutions

Red Hat Linux Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Apache Security with SSL Using Linux

10gAS SSL / Certificate Based Authentication Configuration

APACHE HTTP SERVER 2.2.8

Installing Dspace 1.8 on Ubuntu 12.04

e-cert (Server) User Guide For Apache Web Server

Scenarios for Setting Up SSL Certificates for View

Creating X.509 Certificates With OpenSSL

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

A STEP- BY-STEP GUIDE

Configuration Manual English version

Linux Deployment Guide. How to deploy Network Shutdown Module for Linux

Sentral servers provide a wide range of services to school networks.

EventTracker Windows syslog User Guide

Installation Guide for Pulse on Windows Server 2012

Encrypted Connections

Integrating Apache Web Server with Tomcat Application Server

Understanding SSL/TLS

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Craig Carpenter MCT. MCSE, MCSA

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

Example Apache Server Installation for Centricity Electronic Medical Record browser & mobile access

Low cost secure VPN MikroTik SSTP over OpenIXP (Indonesian Internet) ASTA INFORMATICS Faisal Reza

Oracle Mobile Security Suite Workshop. Installation

Clearswift Information Governance

Implementing Secure Sockets Layer on iseries

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Enterprise Apple Xserve Wiki and Blog using Active Directory. Table Of Contents. Prerequisites 1. Introduction 1

Installation Guide for Pulse on Windows Server 2008R2

Administering mod_jk. To Enable mod_jk

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0

LoadMaster SSL Certificate Quickstart Guide

Other documents in this series are available at: servernotes.wazmac.com

How-to-Guide: Apache as Reverse Proxy for Fiori Applications

owncloud 8 and DigitalOcean Matthew Davidson Bluegrass Linux User Group 03/09/2015

COMP 3704 Computer Security

Configuring Ubuntu Server as a Firewall and Reverse Proxy for OWA 2007 Configuration Guide

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Host your websites. The process to host a single website is different from having multiple sites.

Ciphermail for BlackBerry Quick Start Guide

AN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY

Exchange 2013 mailbox setup guide

Yealink Technical White Paper. Contents. About VPN Types of VPN Access VPN Technology... 3 Example Use of a VPN Tunnel...

HP ALM. Software Version: External Authentication Configuration Guide

Apache 2 mod_ssl by example

RemotelyAnywhere. Security Considerations

SSL Enablement of the DB2 Web Query for System i Server

Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy

Use Enterprise SSO as the Credential Server for Protected Sites

Building a Secure RedHat Apache Server HOWTO

FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer

RED HAT SECURE WEB SERVER 3.0 DEVELOPER EDITION FOR COBALT NETWORKS SERVERS

PassBy[ME] - Bugzilla integration on

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

Server Certificate: Apache + mod_ssl + OpenSSL

Apple Mac VPN Service Setting up Remote Desktop

FortiClient SSL VPN Client User s Guide

HP Cloud Service Automation Deployment Architectures

SSL Interception on Proxy SG

Important information for all POP users

SSL Installing your new Certificate

ShadowControl ShadowStream

CHAPTER 7 SSL CONFIGURATION AND TESTING

Managing Software and Configurations

A guide to https and Secure Sockets Layer in SharePoint Release 1.0

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Setting Up SSL on IIS6 for MEGA Advisor

orrelog Apache TLS / Crypto Enhanced Encryption Software

Mac OS VPN Set Up Guide

Obtaining SSL Certificates for VMware Horizon View Servers

User's Guide. Product Version: Publication Date: 7/25/2011

Transcription:

SecuritySpy Setting Up SecuritySpy Over SSL Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and a private key. URLs that require an SSL connection start with https:// insead of http:// and operate on port 443 by default. SSL increases security as it makes it impossible for someone intercepting the stream of data to decode any information from it. SecuritySpy does not have built- in support for SSL, however Mac OS X comes with Apache, a fully- featured and powerful web server, that can be used to set up the secure communication between the internet and SecuritySpy. In this way, Apache will be acting as a secure "reverse proxy" web server for SecuritySpy. This document describes how to set this up. These instructions describe how to set up SSL using "self- signed" certificates. This allows you to get everything up and running, however for a proper installation you should ideally obtain a certificate from a Certificate Authority (such as Verisign or Thawte). A Certificate Authority is a trusted entity that confirms to whomever is connecting to your web server that you are who you say you are. This is only really applicable for web servers available to the general public, so a self- signed certificate is appropriate for when the server will be accessed by you or your employees or agents, as in this case there is no doubt about the server's authenticity. Although we have made every effort to make this guide easy to follow, this is a complex setup that requires use of the Terminal and editing of Apache configuration files, so is not for the novice user. This guide assumes that you have already set up the web server feature of SecuritySpy and are familiar with concepts such as dynamic DNS, port forwarding, and IP addressing on local networks. Step 1: Create a Certificate Authority (CA) certificate Open Terminal (from your Applications folder). Type the following commands, shown in red: mkdir ~/Documents/myssl This creates a myssl folder where you will be creating the required key and certificate files. cd ~/Documents/myssl This sets the myssl folder as the current working directory openssl genrsa - des3 - out ca.key 1024 This creates a triple- DES encrypted 1024- bit RSA key file called ca.key. You will be asked for a passphrase for the key - make a note of it. openssl req - new - x509 - days 3650 - key ca.key - out ca.crt This creates a Certificate Authority certificate. You will be asked for the passphrase for the key you just created, as well as some information about yourself (i.e. you as the Certificate Authority). Remember that this is for the certificate that will, for the moment at least, be a substitue for a proper one obtained from real Certificate Authority. The Terminal output for this step should look something like this: Step 2: Generate a private key for the web server

In Terminal, type: openssl genrsa - des3 - out server.key 1024 This creates a triple- DES encrypted 1024- bit RSA key file called "server.key". You will be asked for a passphrase for the key - make a note of it. openssl req - new - key server.key - out server.csr You will be asked for the passphrase for the key you just created, as well as some information about yourself (i.e. you as the web server administrator). The vital thing here is, when it askes you to enter the Common Name, you must enter the host name (or IP address) of your server as a client would connect to it over the internet. For example, if you have a dynamic DNS name set up for accessing you server over the internet called myserver.dyndns.org, this is what you enter here. It may also ask you for a challenge password and optional company name - just leave these blank. The Terminal output for this step should look something like this: Step 3: Sign the server key with your CA certificate You need to download the latest mod_ssl, find the sign.sh file from the pkg.contrib folder, and place it in your ~/Documents/myssl folder. Back in the Terminal, type: chmod +x sign.sh./sign.sh server.csr You will be asked for the passphrase for the ca.key file that you created above. For the questions Sign the certificate? and commit?, type y and enter. This creates the server certificate server.crt file. Here is the Terminal output for this step:

Step 4: Remove the passphrase requirement from server.key This step is required so that Apache can read the private key without you having to manually start Apache from the command line with the passphrase every time you need to enable the web server. In Terminal, type: cp server.key server.key.original openssl rsa - in server.key.original - out server.key You will be asked for the passphrase that you initially specified for the server.key file. Step 5: Configure the Apache web server for SSL in Mac OS X 10.4 "Tiger" (see next step for alternative Mac OS X 10.5 / 10.6 instructions) Now we have all the files needed to enable SSL in Apache. In the Finder, choose Go to folder from the Go menu and type /etc: Within this folder, find the httpd folder - this is where the configuration files from the web server are stored. Click on the httpd folder and Get Info (from the File menu or Command- I on the keyboard). You need to temporarily change the permmissions of this folder so that you can make changes - click the padlock to unlock it (if it's not already open), and change the owner to the admin account of the computer (in the below example the admin account is called Server): Open the httpd folder, locate the users folder, and also set the permissions for the users folder as above. It is a good idea to reset these permissions back to their previous values (owned by the system) when you have finished configuring the web server. Within the httpd folder, create a new folder called myssl, and copy the server.crt and server.key files from ~/Documents/myssl into this folder. Open the httpd.con file in TextEdit. This is the main configuration file for Apache. Make a backup of this file before making any changes (call it httpd.conf.backup for example). These are the changes you need to make to this file: Uncomment (remove the # from the front of) the line LoadModule ssl_module Uncomment the line AddModule mod_ssl.c Uncomment the line LoadModule proxy_module

Uncomment the line LoadModule proxy_module Uncomment the line AddModule mod_proxy.c Locate the file Server.conf in the users folder. Duplicate this file and rename the duplicate myssl.conf. Open myssl.conf in TextEdit and follow these steps: Delete all existing text in this file. Copy and paste the following text into the file: <IfModule mod_ssl.c> Listen 443 SSLRandomSeed startup builtin SSLRandomSeed connect builtin < VirtualHost _default_:443> SSLEngine on ServerName SERVERNAME ServerAdmin ADMINEMAIL ErrorLog /var/log/httpd/error_log SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile "/private/etc/httpd/myssl/server.crt" SSLCertificateKeyFile "/private/etc/httpd/myssl/server.key" < /VirtualHost> </IfModule> Instead of SERVERNAME and ADMINEMAIL, enter the correct server external host name (or IP address) and email address of the server administrator. Step 5: Configure the Apache web server for SSL in Mac OS X 10.5 "Leopard" or Mac OS X 10.6 "Snow Leopard" (see previous step for alternative Mac OS X 10.4 instructions) Now we have all the files needed to enable SSL in Apache. In the Finder, choose Go to folder from the Go menu and type /etc: Within this folder, find the apache2 folder - this is where the configuration files from the web server are stored. Click on the apache2 folder and Get Info (from the File menu or Command- I on the keyboard). You need to temporarily change the permmissions of this folder so that you can make changes - click the padlock at the bottom of the Info window to unlock it, enter the computer's admin password, and change the permission for everyone to Read & Write: Open the apache2 folder, locate the extra folder, and also set the permissions for the extra folder as above. It is a good idea to reset these permissions back to Read only when have finished editing the configuration files. Within the apache2 folder, create a new folder called myssl, and copy the server.crt and server.key files from ~/Documents/myssl/ into this folder. Open the httpd.con file in TextEdit. This is the main configuration file for Apache. Make a backup of this file before making any changes (call it httpd.conf.backup for example). These are the changes you need to make to this file: Locate the ServerName parameter and set it to the external host name (or IP address) of your server. Remove any # character from the start of the line. Locate the line Include /private/etc/apache2/extra/httpd- ssl.conf and remove any # character at the start of this line. Open the httpd- ssl.con file within the extra folder. Make a backup of this file before making any changes (call it httpd- ssl.conf.backup for example). Make the following changes: Locate the ServerName parameter and set it to the external host name (or IP address) of your server. Remove any # character from the start of the line. Locate the SSLCertificateFile parameter and set it to "/private/etc/apache2/myssl/server.crt" (with quotes). Remove any # character from the start of this line. Locate the SSLCertificateKeyFile parameter and set it to "/private/etc/apache2/myssl/server.key" (with quotes). Remove any # character from the start of this line.

Step 6: Test Apache over SSL Now you are ready to test the Apache web server over SSL. Go to System Preferences, click on Sharing, and enable Web Sharing ("Personal Web Sharing" on Mac OS X 10.4). This starts the Apache web server. If web sharing was already enabled, you need to disable it and then enable it again to restart the web server. Open Safari and enter: https://127.0.0.1/ Note that this is https and not http. The IP address 127.0.0.1 is what is called the "loopback" address that refers to "this computer". You should get a warning about the certificate being invalid because of a host name mismatch. This is because the address that you are using to access the server (127.0.0.1) is different from the address that you specified in the server certificate. This error will not occur when accessing the web server from the internet using the proper host name (although the client will get a warning that the certificate was signed by an unknown authority). Simply click the Continue button to ignore the warning and enter the secure site. You should see the default Apache web page with a padlock in the top right of the Safari window, indicating a secure connection. Step 7: Configure the Apache web server as a reverse proxy for SecuritySpy Follow these steps: Open the myssl.con file (Mac OS X 10.4) or httpd- ssl.con file (Mac OS X 10.5 / 10.6) in TextEdit Scroll to the bottom of the file, and just above the "</VirtualHost>" tag, add these two lines: RewriteEngine On RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [P] SecuritySpy uses port 8000 by default, but if you are using a different port you can enter it insead of 8000 in the above line. This line tells Apache to act as a reverse proxy server for SecuritySpy for all incoming SSL connections. Stop and then start the web server from the Sharing System Preference. Open SecuritySpy. Now back in Safari, go to https://127.0.0.1/ again (you might have to click the reload button because Safari may have cached the previous Apache page). You should now see the SecuritySpy web server over a secure connection. Note that Apache is still also running on port 80 (the default port for HTTP). If you want to disable this, locate the line Listen 80 in the httpd.con file and comment it out by adding a # character at the beginning of the line. Alternatively, if you want to also use Apache as a reverse proxy server for normal HTTP connections on port 80, you can add the above two Rewrite lines to the bottom of the httpd.con file. Mac OS X 10.4 only: to enable listening on port 80, add a Listen 80 line below the Listen 443 line in the myssl.con file. Step 8: Set up port forwarding The final step is to set up port forwarding in your router to the server computer on port 443 - this is the port used by HTTPS. Introduction Overview Download Purchase Contact Help

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information