Annotation of loncom/html/adm/help/tex/Domain_Configuration_SSL.tex, revision 1.5
\label{Domain_Configuration_SSL}
There are two different contexts in which a LON-CAPA server may communicate
via SSL (Secure Sockets Layer, today implemented as TLS):

\begin{itemize}
\item Encrypted web pages served by Apache via port 443.
In this case, client requests will be for URLs beginning https://.
\item Encrypted internal communication between LON-CAPA servers via port 5663.
\end{itemize}

\textbf{Apache SSL}


In the case of Apache, the steps required depend on the Linux distro.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
\emph{yum install mod\_ssl}
\end{quote}
\item SuSE/SLES:
\begin{quote}
Check that ssl is included in the list of modules in the \emph{APACHE\_MODULES} string
in \emph{/etc/sysconfig/apache2}.
\end{quote}
\item Debian/Ubuntu LTS:
\begin{quote}
\emph{a2enmod ssl}
\end{quote}
\end{itemize}


For all distros you will need to generate a private key, generate a certificate signing
request (CSR) with that key, and have a certificate authority sign it. You will also want to
disable the passphrase prompt on web server restart by removing the passphrase from
the copy of the key you use with Apache, e.g.,
\begin{quote}
\emph{openssl rsa -in server.key -out server.key.nopass}
\end{quote}
Anyone who can read the passphrase-free copy can impersonate your server, so keep it
owned by root with mode 0600 (Apache opens the key at startup, while it is still
running as root) and keep the original, passphrase-protected key somewhere else.
You will then put the (nopass) key and certificate files in locations
accessible to Apache, and include information about the locations of those files
in a config file containing the following lines:
\begin{quote}
SSLCertificateFile $<$path to signed certificate$>$
\end{quote}
\begin{quote}
SSLCertificateKeyFile $<$path to key$>$
\end{quote}
replacing $<$path to ...$>$ with the path to the location of the particular file.


Which Apache config file contains these entries depends on the distro:

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
/etc/httpd/conf.d/ssl.conf
\end{quote}
\item SuSE/SLES
\begin{quote}
/etc/apache2/vhosts.d/vhost-ssl.conf
\end{quote}
\begin{quote}
(created by copying vhost-ssl.template from the same directory, with
the entry for DocumentRoot changed to ``/home/httpd/html'').
\end{quote}
\item Debian/Ubuntu LTS
\begin{quote}
/etc/apache2/sites-available/000-default-ssl
\end{quote}
\end{itemize}

If you want to use rewrite rules to ensure that all external web requests are
served using SSL, you should verify that mod\_rewrite is enabled:

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
Verify that the following entry in /etc/httpd/conf/httpd.conf is not commented out:
\emph{LoadModule rewrite\_module modules/mod\_rewrite.so}
\end{quote}
\item SuSE/SLES
\begin{quote}
Check that \emph{rewrite} is included in the list of modules in the
\emph{APACHE\_MODULES} string in /etc/sysconfig/apache2.
\end{quote}
\item Debian/Ubuntu LTS
\begin{quote}
\emph{a2enmod rewrite}
\end{quote}
\end{itemize}

You will also need to copy the rewrites/loncapa\_rewrite\_on.conf file to
loncapa\_rewrite.conf with the following commands:
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
\emph{cp /etc/httpd/conf/rewrites/loncapa\_rewrite\_on.conf /etc/httpd/conf/loncapa\_rewrite.conf}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS
\begin{quote}
\emph{cp /etc/apache2/rewrites/loncapa\_rewrite\_on.conf /etc/apache2/loncapa\_rewrite.conf}
\end{quote}
\end{itemize}

and then reload the web server:
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
\emph{/etc/init.d/httpd reload}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS
\begin{quote}
\emph{/etc/init.d/apache2 reload}
\end{quote}
\end{itemize}
(On releases that use systemd the equivalent is \emph{systemctl reload httpd}
or \emph{systemctl reload apache2}.)
You can confirm that the rewrite is active by requesting a page over plain HTTP,
e.g. \emph{curl -sI http://yourserver/} (with your server's hostname in place of
yourserver), which should now return a 3xx status with a Location: header
beginning https://.

To disable rewriting of external web requests to https://, copy
rewrites/loncapa\_rewrite\_off.conf to loncapa\_rewrite.conf and reload the web
server.

You will need to open the server's Firewall to allow inbound traffic on port 443.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux
\begin{quote}
\emph{/usr/bin/system-config-securitylevel-tui}
\end{quote}
\item Fedora
\begin{quote}
\emph{/usr/bin/system-config-firewall-tui}
\end{quote}
\item SuSE/SLES
\begin{quote}
yast -$>$ Security and Users -$>$ Firewall
\end{quote}
\item Debian 6/Ubuntu LTS
\begin{quote}
\emph{ufw allow 443/tcp}
\end{quote}
\end{itemize}

Note: changing firewall settings will cause iptables to reload, which means the
rules to allow connections from other LON-CAPA servers via port 5663 will need to
be re-established (if the LON-CAPA daemons were already running) by running \emph{/etc/init.d/loncontrol restart} as root.

\textbf{Internal LON-CAPA SSL}


In the case of encrypted internal communication between LON-CAPA servers,
you will need command line access as either root or www, and you will enter the
following commands:

\begin{quote}
\emph{cd /home/httpd/lonCerts}
\end{quote}
\begin{quote}
\emph{sh request\_ssl\_key.sh}
\end{quote}

\textbf{Important}: for the Common Name you should enter the lonHostID.
This is displayed on the log-in page (Server: ) and is also an entry in the
loncapa.conf file in /etc/httpd/conf (CentOS, RedHat, Scientific Linux, Fedora)
or /etc/apache2 (SuSE, SLES, Debian, Ubuntu LTS). An example would be msul1.

By running \emph{request\_ssl\_key.sh} you will:
\begin{itemize}
\item Generate a private/public key pair.
\begin{quote}
The private key will be stored in /home/httpd/lonCerts/lonKey.pem.
It will be set so that only www can read this file. (You will want to
make sure this file stays secret; it never needs to leave the server.)
\end{quote}
\item Automatically send an e-mail to the LON-CAPA certificate authority
containing your public key, so that LON-CAPA can sign it.
\end{itemize}

Your certificate will be signed by the certificate authority and an e-mail
will be sent to the e-mail address you gave when prompted for one
when you ran request\_ssl\_key.sh.

Save the e-mail you receive to a file, remove the mail headers from it,
and run it (as the \emph{www} user). Since this is a script that arrived by
e-mail and will be executed on your server, read through it before running it
and confirm that it came from the LON-CAPA certificate authority.

If it successfully completes you will have:

\begin{itemize}
\item /home/httpd/lonCerts/lonhostcert.pem
\begin{quote}
(your signed certificate)
\end{quote}
\item /home/httpd/lonCerts/loncapaCA.pem
\begin{quote}
(the certificate of the LON-CAPA certificate authority)
\end{quote}
\end{itemize}
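A script that checks the three properties the steps above establish in
/home/httpd/lonCerts: the Common Name in lonhostcert.pem equals the lonHostID in
loncapa.conf, lonhostcert.pem verifies against loncapaCA.pem, and lonKey.pem is
readable by its owner only. This is an added example, not part of LON-CAPA. It
assumes the OpenSSL command-line tool is installed and that loncapa.conf records
the host ID on a line of the form \emph{PerlSetVar lonHostID msul1}; the
throw-away CA, the host ID msul1 and the files built by demo\_setup are
constructed here to stand in for the real LON-CAPA CA and the e-mailed certificate,
so that the checks can be exercised without a real installation.

```shell
#!/bin/sh
# Added example; not part of LON-CAPA. Checks the files left in
# /home/httpd/lonCerts after the signed certificate has been installed.
# Assumptions: OpenSSL command-line tool present; loncapa.conf records the
# host ID as "PerlSetVar lonHostID <id>"; the CA, host ID msul1 and files
# produced by demo_setup are constructed for this example only.
set -eu

# Common Name of the certificate subject, e.g. msul1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# lonHostID as recorded in loncapa.conf (assumed "PerlSetVar lonHostID <id>").
lonhostid_from_conf() {
    sed -n 's/^[[:space:]]*PerlSetVar[[:space:]][[:space:]]*lonHostID[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Succeeds only if the host certificate verifies against the CA certificate.
# Usage: cert_signed_by <ca.pem> <cert.pem>
cert_signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds only if the key carries no group or other permission bits
# (ls columns 5-10 are the group and other rwx fields).
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# All three checks; fails on the first one that does not hold.
# Usage: check_loncerts <lonCerts dir> <loncapa.conf>
check_loncerts() {
    [ "$(cert_cn "$1/lonhostcert.pem")" = "$(lonhostid_from_conf "$2")" ] \
        && cert_signed_by "$1/loncapaCA.pem" "$1/lonhostcert.pem" \
        && key_is_private "$1/lonKey.pem"
}

# Constructed fixture (not real LON-CAPA data): a throw-away CA, a host key,
# a certificate for CN=msul1 signed by that CA, and a one-line loncapa.conf.
demo_setup() {
    ( umask 077; openssl genrsa -out "$1/lonKey.pem" 2048 2>/dev/null )
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -days 1 \
        -subj "/CN=LON-CAPA demo CA" -out "$1/loncapaCA.pem" 2>/dev/null
    openssl req -new -key "$1/lonKey.pem" -subj "/CN=msul1" -out "$1/host.csr" 2>/dev/null
    openssl x509 -req -in "$1/host.csr" -CA "$1/loncapaCA.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/lonhostcert.pem" 2>/dev/null
    printf 'PerlSetVar lonHostID msul1\n' > "$1/loncapa.conf"
}

WORK=$(mktemp -d)
demo_setup "$WORK"
if check_loncerts "$WORK" "$WORK/loncapa.conf"; then
    echo "lonCerts consistent: CN $(cert_cn "$WORK/lonhostcert.pem") matches lonHostID"
else
    echo "lonCerts check failed" >&2
fi
```

On a real server you would skip demo\_setup and call
\emph{check\_loncerts /home/httpd/lonCerts /etc/httpd/conf/loncapa.conf}
(or the /etc/apache2 path) as www. A Common Name that does not match the
lonHostID is the mistake the Important note above warns about, and it is
caught by the first check before lonc ever tries to use the certificate.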

Now when your machine connects to another server in the LON-CAPA
network it will try to do so over an SSL connection.
You can verify this by doing:
\begin{quote}

\emph{ps auxwww | grep lonc}

\end{quote}

You should see something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)
\end{quote}
where before you saw something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)
\end{quote}