File:  [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_SSL.tex
Revision 1.6
Fri Apr 25 16:02:41 2014 UTC by bisitz
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, version_2_11_1, version_2_11_0_RC3, version_2_11_0, HEAD
Consistent wording "e-mail"

\label{Domain_Configuration_SSL}
There are two different contexts in which a LON-CAPA server may communicate
via SSL (Secure Sockets Layer; what is actually negotiated today is its
successor TLS, but the Apache directives keep the SSL name):

\begin{itemize}
\item Encrypted web pages served by Apache via port 443.
In this case, client requests will be for URLs beginning https://.
\item Encrypted internal communication between LON-CAPA servers via port 5663.
\end{itemize}

\textbf{Apache SSL}


In the case of Apache, the steps required depend on the Linux distro.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
\emph{yum install mod\_ssl}
\end{quote}
\item SuSE/SLES:
\begin{quote}
Check that ssl is included in the list of modules in the \emph{APACHE\_MODULES} string 
in \emph{/etc/sysconfig/apache2}.
\end{quote}
\item Debian/Ubuntu LTS:
\begin{quote}
\emph{a2enmod ssl}
\end{quote}
\end{itemize}


For all distros you will need to generate a private key, create a certificate signing
request (CSR) with that key, and have the CSR signed by a certificate authority. You will also want to 
disable the passphrase prompt on web server restart by removing the passphrase from
the copy of the key you use with Apache, e.g., 
\begin{quote}
\emph{openssl rsa -in server.key -out server.key.nopass}
\end{quote}
The passphrase-free copy is as sensitive as the passphrase itself: keep it owned by
root with mode 0600 (Apache reads it during startup, while it is still running as
root), and do not leave it in a world-readable directory or in unprotected backups.
You will then put the (nopass) key and certificate files in locations 
accessible to Apache, and include information about the locations of those files 
in a config file containing the following lines: 
\begin{quote}
  SSLCertificateFile $<$path to signed certificate$>$
\end{quote}
\begin{quote}
  SSLCertificateKeyFile $<$path to key$>$
\end{quote}
replacing $<$path to ...$>$ with the path to the location of the particular file.
If the certificate authority also supplied intermediate certificates, point
\emph{SSLCertificateChainFile} at them as well; otherwise browsers that do not
already hold the intermediate will reject the certificate as untrusted.


Which Apache config file contains these entries depends on the distro: 

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora:
\begin{quote}
/etc/httpd/conf.d/ssl.conf
\end{quote}
\item SuSE/SLES
\begin{quote}
/etc/apache2/vhosts.d/vhost-ssl.conf 
\end{quote}
\begin{quote}
(copied from the vhost-ssl.template file in the same directory, with
the entry for DocumentRoot changed to ``/home/httpd/html'').
\end{quote}
\item Debian/Ubuntu LTS
\begin{quote}
/etc/apache2/sites-available/000-default-ssl
\end{quote}
\end{itemize}
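The key and certificate handling described above, worked through end to end as an added shell example (an editor's illustration for this page, not a script shipped with LON-CAPA). It generates the passphrase-protected key and the CSR, produces the passphrase-free copy for Apache under a restrictive umask, and then runs the checks worth doing before editing \emph{SSLCertificateFile} and \emph{SSLCertificateKeyFile}: that the stripped copy really carries no passphrase, that only its owner can read it, and that key and certificate belong together. Because it has to run without a certificate authority, it self-signs the CSR as a stand-in for the certificate your CA returns; the working directory, the hostname \emph{lon.example.edu}, the script name and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not part of LON-CAPA): generate an Apache key and CSR, make the
# passphrase-free copy that the page's "openssl rsa -in server.key -out server.key.nopass"
# step produces, lock it down, and verify key and certificate before Apache loads them.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir standing in for the Apache key/cert location
CN="${CN:-lon.example.edu}"          # assumption: the hostname clients will type after https://

# 1. Passphrase-protected key (the copy you keep) and the CSR you send to the CA.
gen_key_and_csr() {
    openssl genrsa -aes256 -passout pass:"$1" -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -passin pass:"$1" \
        -subj "/CN=$CN" -out "$WORKDIR/server.csr" 2>/dev/null
}

# 2. Passphrase-free copy for Apache. umask 077 means the file is never readable
#    by others, not even in the window between creation and the chmod.
strip_passphrase() {
    ( umask 077
      openssl rsa -in "$WORKDIR/server.key" -passin pass:"$1" \
          -out "$WORKDIR/server.key.nopass" 2>/dev/null )
    chmod 600 "$WORKDIR/server.key.nopass"
}

# 3. Stand-in for the CA so the example runs offline: self-sign the CSR.
#    In a real deployment this file is the certificate your CA sends back.
sign_csr_locally() {
    openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
        -passin pass:"$1" -days 30 -out "$WORKDIR/server.crt" 2>/dev/null
}

# 4. Pre-flight checks before editing SSLCertificateFile / SSLCertificateKeyFile:
#    (a) the copy Apache will load really has no passphrase (no prompt on restart),
#    (b) only the owner can read it,
#    (c) certificate and key belong together (a mismatch makes Apache refuse to start).
key_is_unencrypted() { ! grep -q ENCRYPTED "$WORKDIR/server.key.nopass"; }
key_is_owner_only()  { [ "$(ls -l "$WORKDIR/server.key.nopass" | cut -c1-10)" = "-rw-------" ]; }
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$WORKDIR/server.key.nopass" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt"        | openssl sha256)
    [ "$k" = "$c" ]
}

# Usage: sh apache_ssl_key.sh <passphrase>   (runs the whole sequence, reports the directory)
if [ $# -ge 1 ]; then
    gen_key_and_csr "$1"; strip_passphrase "$1"; sign_csr_locally "$1"
    key_is_unencrypted && key_is_owner_only && key_matches_cert \
        && echo "key and certificate OK in $WORKDIR"
fi
```

Against a real server, drop the self-signing step, save the CA-signed certificate as server.crt and run the three checks again before reloading Apache; comparing the key and certificate moduli is the quickest way to catch a certificate that was issued for a different key, which otherwise only shows up as a failed restart.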

If you want to use rewrite rules to ensure that all external web requests are 
served using SSL, you should verify that mod\_rewrite is enabled:

\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
Verify that the following entry in /etc/httpd/conf/httpd.conf is not commented out:
\emph{LoadModule rewrite\_module modules/mod\_rewrite.so}
\end{quote}
\item SuSE/SLES
\begin{quote}
Check that \emph{rewrite} is included in the list of modules in the 
\emph{APACHE\_MODULES} string in /etc/sysconfig/apache2.
\end{quote}
\item Debian/Ubuntu LTS
\begin{quote}
\emph{a2enmod rewrite}
\end{quote}
\end{itemize}

You will also need to copy the rewrites/loncapa\_rewrite\_on.conf file to
loncapa\_rewrite.conf with the command for your distro: 
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
\emph{cp /etc/httpd/conf/rewrites/loncapa\_rewrite\_on.conf /etc/httpd/conf/loncapa\_rewrite.conf}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS
\begin{quote}
\emph{cp /etc/apache2/rewrites/loncapa\_rewrite\_on.conf /etc/apache2/loncapa\_rewrite.conf}
\end{quote}
\end{itemize}

and then reload the web server:
\begin{itemize}
\item CentOS/RedHat/Scientific Linux/Fedora
\begin{quote}
\emph{/etc/init.d/httpd reload}
\end{quote}
\item SuSE/SLES/Debian/Ubuntu LTS
\begin{quote}
\emph{/etc/init.d/apache2 reload}
\end{quote}
\end{itemize}

To disable rewriting of external web requests to https://, copy 
rewrites/loncapa\_rewrite\_off.conf to loncapa\_rewrite.conf and reload the web 
server.

You will need to open the server's firewall to allow inbound traffic on port 443.
\begin{itemize}
\item CentOS/RedHat/Scientific Linux
\begin{quote}
\emph{/usr/bin/system-config-securitylevel-tui}
\end{quote}
\item Fedora
\begin{quote}
\emph{/usr/bin/system-config-firewall-tui}
\end{quote}
\item SuSE/SLES
\begin{quote}
yast -$>$ Security and Users -$>$ Firewall 
\end{quote}
\item Debian 6/Ubuntu LTS
\begin{quote}
\emph{ufw allow 443/tcp}
\end{quote}
\end{itemize}

Note: changing firewall settings causes iptables to reload, which drops the rules
that allow connections from other LON-CAPA servers via port 5663. If the LON-CAPA
daemons were already running, re-establish those rules by running
\emph{/etc/init.d/loncontrol restart} as root.

\textbf{Internal LON-CAPA SSL} 


In the case of encrypted internal communication between LON-CAPA servers, 
you will need command line access as either root or www; enter the following
commands:

\begin{quote}
\emph{cd /home/httpd/lonCerts}
\end{quote}
\begin{quote}
\emph{sh request\_ssl\_key.sh}
\end{quote}

\textbf{Important}: for the Common Name you should enter the lonHostID.
This is displayed on the log-in page (Server: ) and is also an entry in the 
loncapa.conf file in /etc/httpd/conf (CentOS/RedHat/Scientific Linux/Fedora)
or /etc/apache2 (SuSE/SLES/Debian/Ubuntu LTS).  An example would be msul1.

By running \emph{request\_ssl\_key.sh} you will:
\begin{itemize}
\item Generate a private/public key pair. 
\begin{quote}
The private key will be stored in /home/httpd/lonCerts/lonKey.pem.
It will be set so that only www can read this file. (You will want to
make sure this file stays secret: anyone holding it can impersonate your
server to the rest of the LON-CAPA network.)
\end{quote}
\item Automatically send an e-mail to the LON-CAPA certificate authority
containing a certificate signing request (which carries your public key) so
LON-CAPA can sign it.
\end{itemize}

Your certificate will be signed by the certificate authority and an e-mail
will be sent to the e-mail address you gave when prompted for one 
when you ran request\_ssl\_key.sh.

Save the e-mail you receive to a file, remove the headers from it, 
and run it (as the \emph{www} user). Because this executes a script that
arrived by e-mail, read it before running it and confirm that it does nothing
beyond writing the two files listed below into /home/httpd/lonCerts.

If it successfully completes you will have:

\begin{itemize} 
\item /home/httpd/lonCerts/lonhostcert.pem
\begin{quote}
(your signed certificate, i.e. your public key signed by the LON-CAPA CA)
\end{quote}
\item /home/httpd/lonCerts/loncapaCA.pem  
\begin{quote}
(the certificate of the LON-CAPA certificate authority, against which the
certificates of other servers are verified)
\end{quote}
\end{itemize}
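Checks on the files that the procedure above leaves in /home/httpd/lonCerts, as an added shell example (written for this page, not part of LON-CAPA). It verifies that lonhostcert.pem really chains to loncapaCA.pem, that its Common Name is exactly the lonHostID the page tells you to enter, and that lonKey.pem is readable by its owner only. Since the real LON-CAPA certificate authority is not available offline, the example first builds a constructed fixture with a throwaway CA; the file names and the lonHostID \emph{msul1} come from this page, while the directory, the CA key file name \emph{ca.key}, the script name and the fixture itself are assumptions.

```shell
#!/bin/sh
# Added example (not LON-CAPA's own code): checks to run on the files that
# request_ssl_key.sh and the e-mailed signing script leave in /home/httpd/lonCerts.
# A throwaway CA stands in for the LON-CAPA certificate authority so this runs offline.
set -eu

CERTDIR="${CERTDIR:-$(mktemp -d)}"   # assumption: stands in for /home/httpd/lonCerts
LONHOSTID="${LONHOSTID:-msul1}"      # the lonHostID shown on the log-in page (Server: )

# Constructed fixture: what a completed run would leave behind. lonKey.pem is created
# under umask 077 (the page says only www may read it) and lonhostcert.pem gets
# CN = lonHostID, which the page marks as Important.
make_fixture() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Stand-in LON-CAPA CA" \
          -keyout "$CERTDIR/ca.key" -out "$CERTDIR/loncapaCA.pem" 2>/dev/null
      openssl genrsa -out "$CERTDIR/lonKey.pem" 2048 2>/dev/null
      openssl req -new -key "$CERTDIR/lonKey.pem" -subj "/CN=$1" \
          -out "$CERTDIR/lonhost.csr" 2>/dev/null
      openssl x509 -req -in "$CERTDIR/lonhost.csr" -CA "$CERTDIR/loncapaCA.pem" \
          -CAkey "$CERTDIR/ca.key" -CAcreateserial -days 30 \
          -out "$CERTDIR/lonhostcert.pem" 2>/dev/null )
    chmod 644 "$CERTDIR/loncapaCA.pem" "$CERTDIR/lonhostcert.pem"   # certificates are public
}

# 1. lonhostcert.pem was really issued by the CA whose certificate is in loncapaCA.pem.
#    The e-mail came from outside; this is the check that it carried what it claims.
cert_chains_to_ca() {
    openssl verify -CAfile "$CERTDIR/loncapaCA.pem" "$CERTDIR/lonhostcert.pem" >/dev/null 2>&1
}

# 2. The Common Name is exactly the lonHostID (optional argument overrides $LONHOSTID).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$CERTDIR/lonhostcert.pem" \
        | sed -n 's/.*CN=[ ]*\([^,]*\).*/\1/p'
}
cert_cn_is_lonhostid() { [ "$(cert_cn)" = "${1:-$LONHOSTID}" ]; }

# 3. lonKey.pem is readable by its owner only (www in a real install).
lonkey_is_owner_only() { [ "$(ls -l "$CERTDIR/lonKey.pem" | cut -c1-10)" = "-rw-------" ]; }

# Run all three and say which one failed; returns non-zero if any did.
run_checks() {
    ok=0
    cert_chains_to_ca     || { echo "FAIL: lonhostcert.pem does not chain to loncapaCA.pem"; ok=1; }
    cert_cn_is_lonhostid  || { echo "FAIL: CN is '$(cert_cn)', expected lonHostID '$LONHOSTID'"; ok=1; }
    lonkey_is_owner_only  || { echo "FAIL: lonKey.pem is readable by users other than its owner"; ok=1; }
    return $ok
}

# Usage: sh check_loncerts.sh demo                                   (build fixture, then check)
#        CERTDIR=/home/httpd/lonCerts LONHOSTID=<id> sh check_loncerts.sh check
if [ "${1:-}" = "demo" ]; then make_fixture "$LONHOSTID"; fi
if [ -n "${1:-}" ]; then run_checks && echo "lonCerts OK (CN=$(cert_cn))"; fi
```

The CN comparison is exact on purpose: the page requires the lonHostID itself, not the machine's DNS name, so a certificate requested with the wrong Common Name passes the chain check but fails here, which is where you want to find out rather than from peers that keep connecting insecurely.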

Now when your machine connects to another server in the LON-CAPA 
network it will try to do so over an SSL connection. 
You can verify this by doing:
\begin{quote}

\emph{ps auxwww | grep lonc}

\end{quote}

You should see something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl) 
\end{quote}
where before you saw something like:
\begin{quote}
lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)
\end{quote}
