SAP BusinessObjects Landscape for Apache Webserver SSL Setup for BOE
Apache Webserver SSL Setup for BOE
For the entire landscape, I have used three separate machines running Windows 2008 SP2 64-bit Edition with a hardware size of 16 GB RAM and quad-core processors.
Machine | Machine Name | Purpose
Machine 1 | V01717 | CA Certificate Authority issuing machine
Machine 2 | V01513 | Apache as a Web server Installation
Machine 3 | V08000 | Client machine where certificate needs to be Imported
How it Works:
We first get the https network working by enabling https on the Apache web server. A Certificate Authority machine generates the different certificates required for client/server authentication. Clients import the client certificate into their machine or browser, and the server-side certificate is configured in the Apache web server.
The client and server certificates share a common certificate from the CA machine, which we call the signing certificate. This needs to be configured in the Apache web server. When the certificate is generated for the client, the details of the signing certificate are used.
Machine 1 : V01717 – (Certificate Authority Machine)
1. Download openssl.zip from http://gnuwin32.sourceforge.net/packages/openssl.htm and extract openssl.exe
Configuring OpenSSL
Go to the system environment variables and set the path as given in the screenshot below:
2. Double-click openssl.exe. This should open a command prompt with the openssl program running. Enter the commands below to generate the various keys and certificates required.
Signing Certificate Generation:
genrsa -out v01513_ca.key 1024
req -new -key v01513_ca.key -out v01513_ca.csr
x509 -req -days 365 -in v01513_ca.csr -signkey v01513_ca.key -out v01513_ca.crt
The commands above generate three files, namely v01513_ca.key, v01513_ca.csr and v01513_ca.crt. Of these, the .crt file is the certificate file which needs to be imported to the Apache server machine.
Generate Certificate Files for Apache Server
genrsa -out v01513_server.key 1024
req -new -key v01513_server.key -out v01513_server.csr
x509 -req -days 365 -in v01513_server.csr -signkey v01513_server.key -out v01513_server.crt
Generate Certificate Files for Client
genrsa -out v01513_client.key 1024
req -new -key v01513_client.key -out v01513_client.csr -config openssl.cnf
x509 -req -days 365 -CA v01513_ca.crt -CAkey v01513_ca.key -CAcreateserial -in v01513_client.csr -out v01513_client.crt
pkcs12 -export -clcerts -in v01513_client.crt -inkey v01513_client.key -out v01513_client.p12
This generates the client certificates. The final command generates a .p12 file which needs to be distributed to the client to be imported.
Importing the certificate is quite simple: double-click the v01513_client.p12 file and finish importing the certificate.
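A check that can be run on the files produced above, as an added example that is not part of the original post: it rebuilds the three certificates non-interactively in a temporary directory, then tests which of them chain to the signing certificate and whether each key matches its certificate. The subject names, the 2048-bit key size and the ca.ext extension file are assumptions of this sketch; the file names follow the page.

```shell
#!/usr/bin/env bash
# Added example: rebuild the page's CA, server and client files in a temp dir
# and check them against the CA that Apache loads via SSLCACertificateFile.
# Constructed for this sketch: subject names, 2048-bit keys, the ca.ext file.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_and_csr NAME CN: private key plus certificate request, non-interactive.
key_and_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

build_pki() {
    # Signing certificate: self-signed and marked as a CA for strict verifiers.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    key_and_csr v01513_ca "Example Signing CA" &&
    openssl x509 -req -days 365 -in "$WORK/v01513_ca.csr" -extfile "$WORK/ca.ext" \
        -signkey "$WORK/v01513_ca.key" -out "$WORK/v01513_ca.crt" &&
    # Server certificate: signed with its own key, as in the page's command.
    key_and_csr v01513_server "V01513" &&
    openssl x509 -req -days 365 -in "$WORK/v01513_server.csr" \
        -signkey "$WORK/v01513_server.key" -out "$WORK/v01513_server.crt" &&
    # Client certificate: signed by the CA key.
    key_and_csr v01513_client "example.user" &&
    openssl x509 -req -days 365 -CA "$WORK/v01513_ca.crt" \
        -CAkey "$WORK/v01513_ca.key" -CAcreateserial \
        -in "$WORK/v01513_client.csr" -out "$WORK/v01513_client.crt"
}

# chains_to_ca NAME: true when NAME.crt verifies against v01513_ca.crt.
chains_to_ca() {
    openssl verify -CAfile "$WORK/v01513_ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# key_matches_cert NAME: true when NAME.key is the private key of NAME.crt.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

build_pki >/dev/null 2>&1 || { echo "openssl failed" >&2; exit 1; }
for name in v01513_client v01513_server; do
    if chains_to_ca "$name"; then echo "$name: chains to CA"
    else echo "$name: does NOT chain to CA"; fi
    key_matches_cert "$name" && echo "$name: key matches certificate"
done
```

Because the server command signs v01513_server.crt with its own key, only the client certificate chains to v01513_ca.crt; importing the signing certificate alone does not make a browser trust the server certificate.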
Configure the Apache Web server (V01513):
1. Create a folder named certificates in the Apache web server home folder. For us, it is c:\Apache24
2. Copy the following files generated by the CA machine into this folder:
· v01513_ca.crt
· v01513_server.key
· v01513_server.crt
3. Include the httpd-ssl.conf file in httpd.conf:
Include conf/extra/httpd-ssl.conf
4. Go to httpd-ssl.conf and edit the following lines:
5. Uncomment the line #Listen 80 and add the following, specifying 9080 as the port number from which https can be accessed:
Listen 9080
6. Uncomment the line #SSLRequireSSL so that it reads:
SSLRequireSSL
SSLVerifyClient require
7. Add a port where https would be accessible
<VirtualHost _default_:9080>
<Location /BOE>
8. Ensure the following line is commented and has the appropriate htdocs folder location:
DocumentRoot "c:/Apache24/htdocs"
9. Just before the end of this file, before the </VirtualHost> tag, add the following lines:
JkMount /examples tomcatlb
JkMount /examples/* tomcatlb
JkMount /docs/* tomcatlb
JkMount / balancer
JkMount /status stat
Include conf/bobj.BOE.conf
Include conf/bobj.AdminTools.conf
Include conf/bobj.BOE.conf
Include conf/bobj.BusinessProcessBI.conf
Include conf/bobj.clientapi.conf
Include conf/bobj.dswsbobje.conf
10. Specify the appropriate certificate files which we created above:
SSLCertificateFile "c:/Apache24/certificates/v01513_server.crt"
SSLCertificateKeyFile "c:/Apache24/certificates/v01513_server.key"
SSLCACertificateFile "C:/Apache24/certificates/v01513_ca.crt"
11. Once the above settings are all configured, restart Apache from the command line:
httpd.exe -k start -DSSL
Configure the Client machine (V08000):
1. Transfer the v01513_client.p12 to the Client machines and double click the file.
2. This should import the file with the required steps.
3. Access the URL over https, including the port number.
The final modified file would look like this:
httpd-ssl.conf
Listen 9080
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:c:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:9080>
    DocumentRoot "c:/Apache24/htdocs"
    #ServerName www.example.com:9080
    #ServerAdmin admin@example.com
    ErrorLog "c:/Apache24/logs/error.log"
    TransferLog "c:/Apache24/logs/access.log"
    SSLEngine on
    SSLCertificateFile "c:/Apache24/certificates/v01513_server.crt"
    SSLCertificateKeyFile "c:/Apache24/certificates/v01513_server.key"
    SSLCACertificateFile "C:/Apache24/certificates/v01513_ca.crt"
    <Location /BOE>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Location>
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "c:/Apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "c:/Apache24/logs/ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    JkMount /examples tomcatlb
    JkMount /examples/* tomcatlb
    JkMount /docs/* tomcatlb
    JkMount / balancer
    JkMount /status stat
    Include conf/bobj.BOE.conf
    Include conf/bobj.AdminTools.conf
    Include conf/bobj.BOE.conf
    Include conf/bobj.BusinessProcessBI.conf
    Include conf/bobj.clientapi.conf
    Include conf/bobj.dswsbobje.conf
</VirtualHost>
What you did here is set up 2-way SSL, which will affect BOE greatly in a bad way; see KBA 2175987 - Two Way SSL certificate support for BI Platform server and client products.