Implementing HTTPS in CONTENTdm 6 September 5, 2012



Similar documents
This section describes how to use SSL Certificates with SOA Gateway running on Linux.

To enable https for appliance

Installing an SSL certificate on the InfoVaultz Cloud Appliance

The course will be run on a Linux platform, but it is suitable for all UNIX based deployments.

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

GlobalSign Enterprise Solutions Google Apps Authentication User Guide

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

How to: Install an SSL certificate

Securing the OpenAdmin Tool for Informix web server with HTTPS

Securing Web Access with a Private Certificate Authority

HP ALM. Software Version: External Authentication Configuration Guide

Real Vision Software, Inc.

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Apache2 Configuration under Debian GNU/Linux. Apache2 Configuration under Debian GNU/Linux

Drupal CMS for marketing sites

Enterprise SSL Support

esync - Receiving data over HTTPS

GlobalSign Solutions

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

SecuritySpy Setting Up SecuritySpy Over SSL

Install Apache on windows 8 Create your own server

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

Configuring MassTransit for the Web Using Apache on Mac OS 10.2 and 10.3

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Web Server: Principles and Configuration Web Programming 8) Web Server

Enterprise Knowledge Platform

Setting up an Apache Web Server for Greenstone 2 Walkthrough

10gAS SSL / Certificate Based Authentication Configuration

Acronis Backup Cloud APS 2.0 Deployment Guide

Parallels Panel. Administrator's Guide to Configuring Apache on Servers Running Parallels Plesk Panel 10. Revision 1.0

What will be supplied with chemoventory package?

APACHE HTTP SERVER 2.2.8

orrelog Apache TLS / Crypto Enhanced Encryption Software

Howto: Create a virtual platform Shibboleth

A STEP- BY-STEP GUIDE

Installing Apache Software

PassBy[ME] - Bugzilla integration on

Table of Contents GEEK GUIDE APACHE WEB SERVERS AND SSL AUTHENTICATION

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

How to setup HTTP & HTTPS Load balancer for Mediator

Creating X.509 Certificates With OpenSSL

Apache & Virtual Hosts & mod_rewrite

APACHE WEB SERVER. Andri Mirzal, PhD N

Administering mod_jk. To Enable mod_jk

Apache 2 mod_ssl by example

Getting the software The Apache webserver can be downloaded free from the Apache website :

Building a Secure RedHat Apache Server HOWTO

Created by : Ashish Shah, J.M. PATEL COLLEGE UNIT-5 CHAP-1 CONFIGURING WEB SERVER

Apache Usage. Apache is used to serve static and dynamic content

Name-based SSL virtual hosts: how to tackle the problem

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

EQUELLA. Clustering Configuration Guide. Version 6.2

Apache Web Server Complete Guide Dedoimedo

Graphviz Website Installation, Administration and Maintenance

Setting Up One Search

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

How To Install Amyshelf On Windows 2000 Or Later

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

WEB2CS INSTALLATION GUIDE

Greenstone Documentation

How-to-Guide: Apache as Reverse Proxy for Fiori Applications

How to configure HTTPS proxying in Zorp 5

Presented by Mark Bixby Solution Symposium 2002

Content Management System

OpenPro ERP Software Installation Guide Talbert Ave Suite 200 Fountain Valley, CA USA Phone Fax

Host your websites. The process to host a single website is different from having multiple sites.

C:\www\apache2214\conf\httpd.conf Freitag, 16. Dezember :50

MapGuide Open Source. Installing and Configuring on Windows

Apache HTTP Server. Implementation Guide. (Version 5.7) Copyright 2013 Deepnet Security Limited

Installing Dspace 1.8 on Ubuntu 12.04

Certificate technology on Pulse Secure Access

Technical specification

CentraSite SSO with Trusted Reverse Proxy

Certificate technology on Junos Pulse Secure Access

Bitrix Site Manager 9.x. Installation Guide

Setting Up CAS with Ofbiz 5

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Setup a Virtual Host/Website

Best Practices in Hardening Apache Services under Linux

Connection Broker Managing User Connections to Workstations and Blades, OpenStack Clouds, VDI, and more. Security Review

Avatier Identity Management Suite

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

CA Workload Automation DE

How To Configure Apa Web Server For High Performance

SSL Installing your new Certificate

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Step-by-Step guide to setup an IBM WebSphere Portal and IBM Web Content Manager V8.5 Cluster From Zero to Hero (Part 2.)

Kollaborate Server Installation Guide!! 1. Kollaborate Server! Installation Guide!

unigui Developer's Manual 2014 FMSoft Co. Ltd.

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

9.92 Using HTTPS for building secure web applications v 1.0

Apache SSL Certificate Deployment Guide

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

How to configure HTTPS proxying in Zorp 6

UNICORE GATEWAY. UNICORE Team. Document Version: Component Version: Date: 19 Apr 2011

Setting Up SSL on IIS6 for MEGA Advisor

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

Federated Access to an HTTP Web Service Using Apache (WSTIERIA Project Technical Note 1)

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

Transcription:

Implementing HTTPS in CONTENTdm 6 This is an overview for CONTENTdm server administrators who want to configure their CONTENTdm Server and Website to make use of HTTPS. While the CONTENTdm Server has supported HTTPS since version 4.x, you will need to upgrade to CONTENTdm 6.1.4 or later to use HTTPS with the CONTENTdm Website. This information is for system administrators running CONTENTdm locally. It does not apply to users subscribed to CONTENTdm Hosting Services. Learn about: Section I Section II Section III Section IV Appendix Section I Before You Begin Overview Configuring CONTENTdm to Use HTTPS Testing the Setup Example HTTPS Apache Configuration Before You Begin This document assumes experience with configuring and setting up secure web servers using HTTPS and with installing and configuring a CONTENTdm Server & Website. You must install CONTENTdm 6.1.4 or later before you can make use of HTTPS with the CONTENTdm Website. Section II Overview CONTENTdm 6 requires two distinct web site instances, the Server and the Website. Both can be configured to use HTTPS in addition to HTTP. The CONTENTdm Server is the Administration module for the CONTENTdm collection administrators, the repository for Project Client uploads, and the database & API server for the CONTENTdm Website. It is helpful to keep in mind the role the Server and Website play when configuring HTTPS: CONTENTdm Server: The Server is configured to run only over HTTP by default. Since the Server is used by CONTENTdm Administrators to manage the collection data and by Project Client users to upload new records, it handles user authentication. To secure the Server logins and to support HTTPS in the CONTENTdm Website, you can add HTTPS to the bindings in IIS or add a virtual host in Apache. This HTTPS binding/virtual host is in addition to the HTTP one that is already configured. Since the Website and Server are typically installed to the same machine, the data calls the Website makes back to the Server can make use of the HTTP protocol. CONTENTdm Website: The Website is the public-facing site, but also hosts the Website Configuration Tool and can be logged into directly for users to access restricted collections or items. To use HTTPS with CONTENTdm, both the Server and the Website will be configured to run over HTTP and HTTPS. The Website will use HTTP for all anonymous traffic and will make calls back to the Server over HTTP as well. When a user logs into the Website (whether to the public-facing Login box or to the Website Configuration Tool) the site will redirect to HTTPS and all calls back to the Server at that point will be over HTTPS. The Website makes a few curl calls to itself but the majority of its traffic is back to the Server. For this to be handled in a secure way, the Website code needs to know the location of the Server s SSL certificate and be able to read it. This is straightforward when Server and 2012 OCLC Page 1 of 7

Website are installed to the same machine. If Server and Website have been separated, it will be necessary to export the Server s certificate and copy it to a location the Website can access. The details of implementing HTTPS will not be described here. There are many ways to set up HTTPS and certificate creation and management will be particular to your environment. See the appendix at the end of this document for an example Apache configuration using HTTPS with the CONTENTdm Website. Section III Configuring CONTENTdm to Use HTTPS Once you have set up your web server (IIS or Apache) to use the HTTPS protocol, it is necessary to configure CONTENTdm. CONTENTdm Server: Configuring HTTPS for the CONTENTdm Server is straightforward and can be handled exclusively through IIS on Windows or Apache on Linux. For IIS you can add HTTPS to the bindings for the site instance and in Apache you can add an additional Virtual Host configuration to the CONTENTdm Server s cdm.conf file. The cdm.conf file should contain VirtualHost directives for HTTP and HTTPS instances. CONTENTdm Website: Once you have configured IIS or Apache to use HTTPS for your CONTENTdm Website, the next step is to create the configurations pointing to your site instance s SSL certificate files. Due to the use of curl the Website code needs to be able to locate the certificates. Configuring the Website is handled by a command line PHP script, managehttps.php, located in the Website installation s admin directory: <CdmWebsite-dir>/admin/manageHttps.php -h=on or off -u=the Secure Server URL -s=the Server SSL Certificate path -w=the Website SSL Certificate path To see help information about managehttps.php, run the following from the <CdmWebsitedir>/admin directory:./managehttps.php -o The following series of commands could be used to enable HTTPS in a CONTENTdm Website that is installed to the same Linux machine as the CONTENTdm Server:./manageHttps.php h=on The h=on switch turns on HTTPS in the CONTENTdm code../managehttps.php u=your.servercertificatedomain.edu:443 The u switch specifies the URL of your HTTPS CONTENTdm Server. It is not necessary to include https:// in the URL. Be sure that the domain specified matches what was used to generate the SSL certificate. The port should always be specified, even if it is the default 443../manageHttps.php s="/usr/local/ssl/crt/global.crt"./managehttps.php w="/usr/local/ssl/crt/global.crt" The s and w switches specified the path to the Server s and Website s SSL certificates, respectively. For an installation where Server and Website use the same domain and are distinguished only by port, the certificate can be shared. If the Server is on a different machine from the Website, the Server s certificate must be exported and made available to the Website code. In that case, the paths specified in s and w may not match. 2012 OCLC Page 2 of 7

If you are running your Website on non-standard ports (ports other than 80 for HTTP and 443 for HTTPS) you will need to add provide some additional configurations using managehttps.php: managehttps.php i=http Website port managehttps.php p=https Website port Windows servers: The above examples apply to Apache on Linux. A similar set of commands would be used to configure HTTPS in IIS on Windows: managehttps.php h=on managehttps.php u=your.servercertificatedomain.edu:port managehttps.php s="c:\ssl\certs\thawteprimaryrootca.crt" managehttps.php w="c:\ssl\certs\thawteprimaryrootca.crt" All file paths should be enclosed in quotes to account for spaces in directories or file names. To be able to use SSL with CONTENTdm on Windows, the PHP installation needs the openssl module to be enabled. CONTENTdm installations prior to 6.1.4 did not enable this module by default. To enable openssl, complete the following steps: 1. Locate the php.ini file used by CONTENTdm. By default this would be located at C:\OCLC\CONTENTdm\Content6\common\php533\php.ini 2. Open the file in a text editor. Find the following line and remove the semicolon to uncomment the setting: extension=php_openssl.dll 3. Restart IIS (either manually in the IIS Manager or at the command line using iisreset). Section IV Testing the Setup Once you have completed the above, verify the configuration by doing the following from a browser running on a workstation machine (not the server where CONTENTdm is installed): 1. View the Server s CONTENTdm Administration module over HTTPS: https://your.servercertificatedomain.edu:port/cgi-bin/admin/start.exe Log in and verify you see that Start page. 2. View the Website over HTTP: http://your.website.edu:port If logins are enabled, log into the Website. You should be redirected to an HTTPS login page and redirected back to an HTTPS Website if authentication is successful. 3. Log into the Website Configuration Tool: https://your.website.edu/config/ If you try to force access to the Website Configuration Tool over HTTP, you should be redirected to the HTTPS Website instead. 2012 OCLC Page 3 of 7

Appendix Example HTTPS Apache Configuration Below is an example Apache conf file configured for HTTPS with the CONTENTdm Website. This is an internal use example where the certificate has been prepared for a fixed IP rather than a qualified domain. +------------------------------------------+ /usr/local/content6/website/website.conf +------------------------------------------+ # CONTENTdm Website apache configuration file # Called from the end of httpd.conf ############################## # The following directives are needed outside the virtual host directive # These may be set already in http.conf so these setting may override # the settings there. # VIRHOST: # Add a Listen port if you want to listen to addtional # ports besides the one already defined in httpd.conf. # Useful if you want virhosts on unique ports # THIS MUST NOT BE SET IN VIRTUAL HOST SECTION #Listen 80 # use apache to tell php to use this ini file dir # THIS MUST NOT BE SET IN VIRTUAL HOST SECTION #PHPIniDir /php # the user and group of the web server process # this MUST MATCH with those used in scripts/scripts.conf # THIS MUST NOT BE SET IN VIRTUAL HOST SECTION User web #Group content # this feature is not supported in the automated CDM installer ############### #VIRHOST: use as virtual host for all host names, on port80 <VirtualHost *:80> #VIRHOST: uncomment and edit this to use as virtual host # ServerName yourserver.yourdomain.org # configuration for a CONTENTdm instance # # replace "/usr/local/content6/website/" with the full path to your installation # CONTENTdm needs to use these libraries # SetEnv LD_LIBRARY_PATH /usr/local/content6/website/lib:/usr/lib:/usr/local/lib DocumentRoot "/usr/local/content6/website/public_html" <Directory "/usr/local/content6/website/public_html"> Options FollowSymLinks AllowOverride All Order allow,deny Allow from all SetEnv APPLICATION_ENV development RewriteEngine On #RewriteBase / #RewriteRule!\.(js ico gif jpg png css)$ index.php RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d # do no rewrite to anything in the oai dir #RewriteRule ^oai$ oai [NC,L] 2012 OCLC Page 4 of 7

RewriteRule ^.*$ - [NC,L] RewriteRule ^.*$ index.php [NC,L] </Directory> DirectoryIndex index.php index.html AddType application/x-httpd-php.php <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" CustomLog /usr/local/content6/website/../server/logs/weblogs/website_access.log </IfModule> #VIRHOST uncomment this to use as virtual host </VirtualHost> <IfModule mod_ssl.c> <VirtualHost *:443> ServerName 132.174.11.4:443 DocumentRoot "/usr/local/content6/website/public_html" <Directory "/usr/local/content6/website/public_html"> Options FollowSymLinks AllowOverride All Order allow,deny Allow from all SetEnv APPLICATION_ENV development RewriteEngine On #RewriteBase / #RewriteRule!\.(js ico gif jpg png css)$ index.php RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d # do no rewrite to anything in the oai dir #RewriteRule ^oai$ oai [NC,L] RewriteRule ^.*$ - [NC,L] RewriteRule ^.*$ index.php [NC,L] </Directory> DirectoryIndex index.php index.html AddType application/x-httpd-php.php <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" CustomLog /usr/local/content6/website/../server/logs/weblogs/website_access.log </IfModule> # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/readme.debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/132.174.11.4-web.crt SSLCertificateKeyFile /etc/ssl/private/132.174.11.4-web.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile 2012 OCLC Page 5 of 7

# when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl/ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER}!~ m/^(exp NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31zmtzzkva'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. 2012 OCLC Page 6 of 7

</VirtualHost> </IfModule> # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi shtml phtml php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown 2012 OCLC Page 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information