Apache Webserver SSL Setup for BOE
For the purpose of the entire Landscape, I have consumed three separate machines running the OS Windows 2008 SP2 64 Bit Edition with a hardware size of 16G Ram Quad core processors.
Machine | Machine Name | Purpose |
Machine 1 | V01717 | CA Certificate Authority issuing machine |
Machine 2 | V01513 | Apache as a Web server Installation |
Machine 3 | V08000 | Client machine where certificate needs to be Imported |
How it Works:
We first set the https network working by configuring the Apache Webserver https enabled. We have a Certificate Authority machine which generates the different certificates required for the Client Server Authentication. Client Certificates are imported by the client in their machine or Browser and the Server side certificate is configured in the Apache Web server.
Client and Server certificates share a common certificate from a CA machine which we signing certificate. This needs to be configured in the Apache Web server , When the certificate is generated for the Client, this details of the signing certificate is used .
Machine 1 : V01717 - (Certificate Authority Machine)
1.
Download openssl.zip from http://gnuwin32.sourceforge.net/packages/openssl.htm and extract openssl.exe
Configuring the openSSL
Go to the system environment variable and set the path as given in the screenshot below::
2. Double Click openssl.exe . This should open up in the command prompt with openssl program running. Follow below to enter the required commands for the generation of various keys and certificates required.
Signing Certificate Generation:
genrsa -out v01513_ca.key 1024
req -new -key v01513_ca.key -out v01513_ca.csr
x509 -req -days 365 -in v01513_ca.csr -signkey v01513_ca.key -out v01513_ca.crt
These commands above would generate three files namely v01513_ca.key , v01513_ca.csr and v01513_ca.crt out of which the .crt file is the certificate file which needs to be imported to the server apache machine
Generate Certificate Files for Apache Server
genrsa -out v01513_server.key 1024
req -new -key v01513_server.key -out v01513_server.csr
x509 -req -days 365 -in v01513_server.csr -signkey v01513_server.key -out v01513_server.crt
Generate Certificate Files for Client
genrsa -out v01513_client.key 1024
req -new -key v01513_client.key -out v01513_client.csr -config openssl.cnf
x509 -req -days 365 -CA v01513_ca.crt -CAkey v01513_ca.key -CAcreateserial -in v01513_client.csr -out v01513_client.crt
openssl pkcs12 -export -clcerts -in v01513_client.crt -inkey v01513_client.key -out v01513_client.p12This would generate a Client certificates , The final command would generate a .p12 file which needs to be distributed to the client to be imported.
Importing of the cerficates is quite simple and double click the v01513_client.p12 file and finish importing the certificate.
Configure the Apache Web server (V01513):
1. Create a folder certificates in Apache Webserver home folder, For us , it is c:\Apache24
2. Copy the following certificates generated by the CA Machine inside this folder.
· v01513_ca.crt
· v01513_server.key
· v01513_server.crt
3. Include httpd-ssl.conf file in the httpd.conf
Include conf/extra/httpd-ssl.conf
4. Go to the httpd-ssl.conf and edit the following lines:
5. Uncomment the following line #Listen 80 and add the following specifying 9080 as the port number from where https can be accessed
Listen 9080
6. Uncomment the line #SSLRequireSSL to
SSLRequireSSL
SSLVerifyClient require
7. Add a port where https would be accessible
<VirtualHost _default_:9080>
<Location /BOE>
8. Ensure the line is commented and has the htdocs folder location appropriate
DocumentRoot "c:/Apache24/htdocs"
9. Just before this file is end, before the tag </VirtualHost> , add the following lines of code:
JkMount /examples tomcatlb
JkMount /examples/* tomcatlb
JkMount /docs/* tomcatlb
JkMount / balancer
JkMount /status stat
Include conf/bobj.BOE.conf
Include conf/bobj.AdminTools.conf
Include conf/bobj.BOE.conf
Include conf/bobj.BusinessProcessBI.conf
Include conf/bobj.clientapi.conf
Include conf/bobj.dswsbobje.conf
10.
By giving the appropriate certificate files which we had created above
SSLCertificateFile "c:/Apache24/certificates/v01513_server.crt"
SSLCertificateKeyFile "c:/Apache24/certificates/v01513_server.key"
SSLCACertificateFile "C:/Apache24/certificates/v01513_ca.crt"
11. Once the above settings is all configured, Restart Apache in the command line :
Httpd.exe –k start –DSSL
Configure the Client machine (V08000😞
1. Transfer the v01513_client.p12 to the Client machines and double click the file.
2. This should import the file with the required steps.
3. Access the URL with https with url and port number
Final Modified file would look like this :
httpd-ssl.conf
Listen 9080
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:c:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:9080>
DocumentRoot "c:/Apache24/htdocs"
#ServerName www.example.com:9080
#ServerAdmin admin@example.com
ErrorLog "c:/Apache24/logs/error.log"
TransferLog "c:/Apache24/logs/access.log"
SSLEngine on
SSLCertificateFile "c:/Apache24/certificates/v01513_server.crt"
SSLCertificateKeyFile "c:/Apache24/certificates/v01513_server.key"
SSLCACertificateFile "C:/Apache24/certificates/v01513_ca.crt"
<Location /BOE>
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/Apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
JkMount /examples tomcatlb
JkMount /examples/* tomcatlb
JkMount /docs/* tomcatlb
JkMount / balancer
JkMount /status stat
Include conf/bobj.BOE.conf
Include conf/bobj.AdminTools.conf
Include conf/bobj.BOE.conf
Include conf/bobj.BusinessProcessBI.conf
Include conf/bobj.clientapi.conf
Include conf/bobj.dswsbobje.conf
</VirtualHost>
- SAP Managed Tags:
1 Comment
