5.6. Configuring your Server for Secure Connections

With the advent of commerce over the Internet, it became necessary to create a protocol by which data could be sent securely between Web servers and browsers. This protocol is HTTPS, the secure version of HTTP. HTTPS encrypts the data to be sent using an agreed encryption protocol, most commonly Secure Sockets Layer (SSL), then sends the encrypted data to its destination, where it's decrypted and processed.

Apache can provide secure Web services over HTTPS using OpenSSL (through the mod_ssl module). Before we set this up, though, it's important to understand the process involved in serving secure requests from our server.

5.6.1. A Brief Introduction to Public Key Cryptography

Two elements are required to encrypt the connection between server and browser: keys and certificates. These will allow the server to provide the browser with evidence of its identity, and establish a connection that utilizes public key cryptography.

The keys serve to encrypt the connection. There are two fundamental types of encryption: public key encryption and symmetric key encryption, also known as private key encryption. In the latter, both the server and the browser possess the same encryption key, which is needed both to encrypt and to decrypt data. While very secure, the need to distribute that key to every client makes symmetric key cryptography nearly impossible to use for public servers: how can you ensure that no one stole the key while it was in transit? Symmetric key encryption is much more common in intranet environments or for internal server usage.

With public key encryption, two keys exist: the public key and the private key. As their names imply, the private key is stored securely on the server, while the public key is made available for public access. Through a complex mathematical process, data that's encrypted with the public key can only be decrypted with the private key, and vice versa.

However, cryptography isn't the only element that's necessary to create a secure, trustworthy connection. A client needs assurance that the machine is really the one it claims to be. This can be accomplished by acquiring a public key certificate from a well-known and trusted certificate authority (CA). When requesting a certificate from a CA, you'll need to send proof of your or your company's identity, as well as payment for the service, in most cases. The CA will return a public key certificate for use on your secure server.

It's also possible to create your own public key certificates using OpenSSL, but such certificates are only appropriate for development and testing purposes: browsers will usually complain when confronted with a certificate issued by a CA that they don't consider "trusted," showing an error similar to that depicted in Figure 5-14. In this chapter, we'll be creating our own certificates using the genkey tool, which acts as a wrapper for OpenSSL.

Figure 5-14. The Website Certified by an Unknown Authority dialog.


5.6.2. Installing OpenSSL and genkey

In the Package Management tool, click on the Details button of the Web Server package group, and ensure that mod_ssl and crypto-utils are checked. Click the Close button, then click Update in the main window to install any packages you lack.

5.6.3. Creating your own Private and Public Key Pair

With everything installed, we're now ready to create our private and public keys. To run the genkey tool, open a terminal window and run genkey servername as root.

[kermit@swinetrek ~]$ su
Password:
[root@swinetrek kermit]# genkey www.mycompany.com

Figure 5-15. genkey's first screen.


genkey's interface is similar to the text-mode installation we saw in Chapter 1. Move between options by pressing the Tab key, and select options by pressing Space.

genkey's first screen, shown in Figure 5-15, tells us that it will write the private key to /etc/pki/tls/private/servername.key and the public key certificate to /etc/pki/tls/certs/servername.cert. It's important to make a note of these filenames, as we'll need to know them when we configure Apache. When you're ready to proceed, select Next.

Figure 5-16. Selecting a key size in genkey.


The next screen, shown in Figure 5-16, lets you select the size of your key. The larger the key, the more difficult your encryption is to crack, but few browsers support keys that are larger than 1024 bits. Select 1024 bits, then select Next.

Figure 5-17. genkey collecting random data.


genkey will now generate your keys. After spending some time generating random bits itself, genkey will ask you to type at your keyboard in order to collect some further random data, as shown in Figure 5-17. As you type, the progress meter will slowly tick over until it reaches 100%.

Next, you'll be asked if you want to send a certificate signing request (CSR) to a CA. We don't, so answer No to this question. If you did want to send a CSR, you'd answer Yes, then select the CA you'd be sending the request to (one of Equifax, Thawte, VeriSign, or Other).

Figure 5-18. Entering the details for your certificate.


The next step is to enter the details of your certificate, as illustrated in Figure 5-18. The form is pre-populated with dummy details; overwrite them with information that's appropriate to your server.

Figure 5-19. Choosing whether or not to encrypt the private key.


Next, you're asked if you want to encrypt the private key you've created. If a malicious party were to gain access to your private key and it was not encrypted, they would be able to decrypt the communication between the browser and the Web server. If you're running a secure site and trying to build a trustworthy reputation, this has obvious disastrous consequences. Encrypting the key ensures that, even if the malicious party compromises your system and gains access to the key, he or she cannot use it to decrypt communications without the key's passphrase. However, if you encrypt your private key, you'll need to enter the key's passphrase whenever Apache is restarted; therefore, Apache cannot start automatically after the server is rebooted. You need to decide which is more important for your server: security or ease of management.

In almost any case in which HTTPS is required, server security should be paramount, so we'll encrypt our private key. Hit Space so that an asterisk appears next to Encrypt the private key, then select Next.

Figure 5-20. Entering the private key's passphrase.


On the next screen, enter the private key's passphrase twice, then select Next to complete the key generation process.

Select Next and the process is complete! You're dumped rather unceremoniously at the command prompt. If you had generated a CSR, from this point you'd need to follow the CA's instructions as to how to obtain your certificate. If you've generated a self-signed certificate, as we have here, you're ready to configure Apache to use it.


Note: If you've configured Apache to use an encrypted private key, you'll need to stop Apache's daemon from starting when the system is rebooted. If you don't stop it, you'll find that your system won't start properly at all! Open the Service Configuration tool (Desktop > System Settings > Server Settings > Services), select Edit Runlevel > Runlevel All from the menu, locate httpd in the list and make sure that none of its checkboxes are checked. Be sure to click Save if you make any changes.

5.6.4. Configuring Apache

All we need to do now is to configure Apache to use these certificates instead of the dummy certificates that are included with Fedora Core. Make a backup of /etc/httpd/conf.d/ssl.conf, open the original file in a text editor, and locate the lines shown below.

/etc/httpd/conf.d/ssl.conf (excerpt)

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   passphrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Here, SSLCertificateFile is the name of the public key certificate file, and SSLCertificateKeyFile is the name of the private key. Edit the file so that these lines refer to the files created by genkey.

/etc/httpd/conf.d/ssl.conf (excerpt)

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   passphrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/www.mycompany.com.cert

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/www.mycompany.com.key

Save your changes and restart Apache using the apachectl command.

[root@swinetrek kermit]# /usr/sbin/apachectl restart
httpd not running, trying to start
Apache/2.0.54 mod_ssl/2.0.54 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the passphrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[root@swinetrek kermit]#

Note: When you use an encrypted private key, you must start Apache with apachectl so that you can enter the private key's passphrase. You'll receive an error message if you try to start Apache with something other than apachectl.
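A pre-restart check for the ssl.conf edit above, as an added example that is not from the book: it reads the two directives, confirms both files exist and hold the right kind of PEM block, that the private key is readable by its owner only, and reports whether the key is passphrase-protected, which is what decides whether apachectl will prompt. The sample config and placeholder PEM files built by make_sample_conf are constructed for demonstration and contain no real key material.

```shell
# Print the value of the first uncommented occurrence of directive $2 in file $1.
ssl_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 and print a status line if the config is usable, else 1 with a reason.
check_ssl_conf() {
    conf=$1
    cert=$(ssl_directive "$conf" SSLCertificateFile)
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    [ -n "$cert" ] && [ -n "$key" ] || { echo "missing directive in $conf"; return 1; }
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key"; return 1; }
    # A swapped pair (cert path in the key directive or vice versa) is a common slip.
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "not a certificate: $cert"; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "not a private key: $key"; return 1; }
    # The key must be owner-readable only (600 or 400); GNU and BSD stat differ.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
        ?00) ;;
        *) echo "private key $key has mode $mode, expected 600 or 400"; return 1 ;;
    esac
    if grep -q ENCRYPTED "$key"; then
        echo "ok: key is encrypted; apachectl will prompt for the passphrase"
    else
        echo "ok: key is unencrypted; Apache can start at boot, so guard the file"
    fi
}

# Build a constructed ssl.conf plus placeholder PEM files (no real key
# material) under directory $1, in the chapter's layout, for trying the check.
make_sample_conf() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' \
        > "$dir/certs/www.mycompany.com.cert"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n' \
        > "$dir/private/www.mycompany.com.key"
    chmod 600 "$dir/private/www.mycompany.com.key"
    {
        echo '#   Server Certificate:'
        echo "SSLCertificateFile $dir/certs/www.mycompany.com.cert"
        echo '#   Server Private Key:'
        echo "SSLCertificateKeyFile $dir/private/www.mycompany.com.key"
    } > "$dir/ssl.conf"
    echo "$dir/ssl.conf"
}
```

Point check_ssl_conf at the real /etc/httpd/conf.d/ssl.conf once you have edited it; make_sample_conf exists only to exercise the check on throwaway files.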

Now, your Apache server is ready to serve documents over HTTPS. To test this, attempt to load your server's default page in Firefox with HTTPS by entering https://localhost/ into the browser. If you've installed a self-signed certificate, you'll receive at least one warning that the certificate may be from an untrusted source. Click Examine Certificate… to see the details of the certificate; you should see many of the details you entered while generating the certificate.

Run Your Own Web Server Using Linux & Apache
ISBN: 0975240226
Year: 2006