Security 24/7

Archive for the ‘Certificate Authority’ Category

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

1. Login to the server using Root account.
2. Change permissions on the keys folder:
   chmod 640 /usr/local/resin/keys
3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csrNote: The command above should be written as one line.
5. Send the file /tmp/resin.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/resin/keys/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
10. Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section bellow from:
    <!-- SSL port configuration: -->
<http address="*" port="8443">
<jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
To:
    <http address="Server_DNS_Name" port="443">
<openssl>
<certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
<certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
<certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
<password>my-password</password>
</openssl>
</http>
Note: Replace “my-password” with the password for the “server.key” file.
11. Restart the Resin services:
    /etc/init.d/resin restart
12. Backup the file
    /usr/local/resin/keys/server.key

Print PDF

This step-by-step guide explains how to install and configure public key infrastructure, based on:

• Windows 2008 R2 Server core – offline Root CA
• Windows 2008 R2 domain controller
• Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
4. Accept the license agreement -> click Next.
5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the command prompt window, run the command bellow:
   sconfig.cmd
10. Press “2″ to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
12. From the command prompt window, run the command bellow:
    sconfig.cmd
13. Press “5″ to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
14. Press “6″ to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
15. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
16. From the command prompt window, run the command bellow:
    sconfig.cmd
17. In-case you need to use RDP to access and manage the server, press “7″ to enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or “2″ according to your client settings -> Press OK.
18. Press “8″ to configure “Network settings” -> select the network adapter by its Index number -> press “1″ to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2″ to configure the DNS servers -> click OK -> press “4″ to return to the main menu.
19. Press “9″ to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
20. Press “11″ to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

1. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
2. Install Certificate services:
   start /w ocsetup.exe CertificateServices /norestart /quiet
3. To check that the installation completed, run the command:
   oclist find /i "CertificateServices"
4. Download the file “setupca.vbs” from:
   http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
   To:
   C:\Windows\system32
5. Run the command bellow to configure the Root CA:
   Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
6. In-order to verify that the installation completed successfully, open using Notepad, the file “_SetupCA.log” located in the current running directory, and make sure the last line is:
   Install complete! Passed
7. Run the command bellow to enable remote management of the Root CA:
   netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
8. Run the command bellow to stop the CertSvc service:
   Net stop CertSvc
9. Run the command bellow to change new certificate validity period time:
   reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /fNote: The command above should be written in one line.
10. Run the command bellow to start the CertSvc service:
    Net start CertSvc

Enterprise Subordinate CA – OS installation phase
Pre-requirements:

• Active Directory (Forest functional level – Windows 2008 R2)
• Add “A” record for the Root CA to the Active Directory DNS.

1. Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
4. Accept the license agreement -> click Next.
5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the “Initial Configuration Tasks” window, configure the following settings:
   • Set time zone
   • Configure networking – specify static IP address, netmask, gateway, DNS
   • Provide computer name and domain – add the server to the domain
   • Enable Remote Desktop
10. In-order to be able to remotely manage the Root CA, run the command bellow:
    cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:

• DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.

1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
2. Start -> Administrative Tools -> Server Manager.
3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
   • Web Server
   • Common HTTP Features
   • Static Content
   • Default Document
   • Directory Browsing
   • HTTP Errors
   • HTTP Redirection
   • Application Development
   • .NET Extensibility
   • ASP
   • ISAPI Extensions
   • Health and Diagnostics
   • HTTP Logging
   • Logging Tools
   • Tracing
   • Request Monitor
   • Security
   • Windows Authentication
   • Client Certificate Mapping Authentication
   • IIS Client Certificate Mapping Authentication
   • Request Filtering
   • Performance
   • Static Content Compression
   • Management Tools
   • IIS Management Console
   • IIS Management Scripts and Tools
   • IIS 6 Management Compatibility
   • IIS 6 Metabase Compatibility
4. Click Next -> click Install -> click Close.
5. From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
   • Certification Authority
   • Certification Authority Web Enrollment
   • Certificate Enrollment Policy Web Service
7. Click Next.
8. Configure the following settings:
   • Specify Setup Type: Enterprise
   • CA Type: Subordinate CA
   • Private Key: Create a new private key
   • Cryptography:
     Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
     Key length: 2048
     Hash algorithm SHA256
   • CA Name:
     Common name: specify here the subordinate server NetBIOS name
     Distinguished name suffix: leave the default domain settings
   • Certificate Request: Save a certificate to file and manually send it later
   • Certificate Database: leave the default settings
   • Authentication Type: Windows Integrated Authentication
   • Server Authentication Certificate: Choose and assign a certificate for SSL later
9. Click Next twice -> click Install -> click Close.
10. Close the Server Manager.
11. Start -> Administrative Tools -> Certification Authority
12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
13. Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Uncheck “Publish Delta CRLs to this location”.
    • Mark the line begins with “LDAP”, and click remove.
    • Mark the line begins with “HTTP”, and click remove.
    • Mark the line begins with “file”, and click remove.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line begins with “HTTP”, and make sure the only option checked is: “Include in CDP extension of issued certificates”.
    • Click on the line begins with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”
14. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line begins with “LDAP”, and click remove.
    • Mark the line begins with “HTTP”, and click remove.
    • Mark the line begins with “file”, and click remove.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
15. Click OK and allow the CA server to restart its services.
16. From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
17. Right click on the CA name -> All tasks -> Stop service
18. Right click on the CA name -> All tasks -> Start service
19. Run the commands bellow from command line, to configure the Offline Root CA to publish in the active-directory:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"Note: Replace “DC=mycompany,DC=com” according to your domain name.
20. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
21. Close the “Certification Authority” snap-in and logoff the subordinate CA server.
22. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
23. Copy the file bellow from the Offline Root CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
24. Start -> Administrative Tools -> Group Policy Management.
25. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
26. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
27. Logoff the domain controller.
28. Return to the subordinate enterprise CA server.
29. Start -> Administrative Tools -> Certification Authority.
30. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
31. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
32. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
33. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name – <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
34. Run the command bellow from command line to avoid offline CRL errors:
    Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
35. From the left pane, right click on “Certificate Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
36. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
37. Right click on the subordinate CA server name -> All Tasks -> Start Service.
38. Right click on the subordinate CA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Mark the line begins with “HTTP” -> click Remove -> click Yes.
    • Mark the line begins with “file” -> click Remove -> click Yes.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
    • Click on the line begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP”.
39. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line begins with “HTTP” -> click Remove -> click Yes.
    • Mark the line begins with “file” -> click Remove -> click Yes.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crt

    Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt

    • Click on the line begins with “HTTP”, and make sure the following option is checked: “Include in the AIA”.
40. Click OK and allow the CA server to restart its services.
41. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
42. Close the “Certification Authority” snap-in
43. Copy the files bellow from the Root CA to the subordinate CA (same location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
44. Logoff the subordinate CA server.
45. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
46. Copy the file bellow from the subordinate CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt – copy the newest file
47. Start -> Administrative Tools -> Group Policy Management.
48. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
49. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
50. Logoff the domain controller.

Print PDF

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl

3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
5. Send the file /tmp/nginx.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
11. Remove the original server.crt and ca-bundle.crt files:
    rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt

12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443;
    # server_name localhost;

    # ssl on;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_timeout 5m;

    # ssl_protocols SSLv2 SSLv3 TLSv1;
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # ssl_prefer_server_ciphers on;

    # location / {
# root html;
# index index.html index.htm;
# }
#}
To:
    server {
listen 443;
server_name Server_FQDN;
ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /www;
index index.html index.htm;
}
}


13. Restart the Nginx service:
    /etc/init.d/nginx restart

Print PDF

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl

3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
   cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pemNote: The command above should be written as one line.
9. Remove the original server.crt file:
   rm -f /etc/lighttpd/ssl/server.crt

10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
    $SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
}
13. Restart the Lighttpd service.

Print PDF

Pre-installation notes
The guide bellow is based on the previous guide

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl
3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
5. Send the file /tmp/apache.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
    Listen Server_FQDN:443
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
11. Restart the Apache services:
    /usr/local/apache2/bin/apachectl restart
12. Backup the file /usr/local/apache2/ssl/server.key

Print PDF

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Mount Solaris 10 DVD, and move to the packages folder:
   cd /cdrom/sol_10_1008_x86/Solaris_10/Product
3. Run the command bellow to install OpenSSL packages:
   pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
4. Create folder for the SSL certificate files:
   mkdir -p /etc/apache2/ssl.crt
5. Create folder for the SSL private key:
   mkdir -p /etc/apache2/ssl.key
6. Run the command bellow to generate a key pair:
   /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
   Specify a complex pass phrase for the private key (and document it)
7. Change the permissions on the private key file:
   chmod 600 /etc/apache2/ssl.key/server.key
8. Run the command bellow to generate the CSR:
   /usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
9. Send the file /tmp/apache.csr to a Certificate Authority server.
10. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
11. Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
12. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
13. Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
14. Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
    From:
    SSLSessionCache dbm:/var/run/apache2/ssl_scacheTo:
    SSLSessionCache dbm:/var/ apache2/ssl_scache

    From:
    SSLMutex file:/var/run/apache2/ssl_mutexTo:
    SSLMutex file:/var/apache2/ssl_mutex

    From:
    ServerName 127.0.0.1:443To:
    ServerName Server_FQDN:443

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crtTo:
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    From:
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLTo:
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

15. Remove the section bellow:
    <Directory "/var/apache2/cgi-bin">
16. Stopping Apache from command line:
    /usr/apache2/bin/apachectl stop
17. Starting Apache from command line:
    /usr/apache2/bin/apachectl startssl

Print PDF

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /var/apache/tomcat55/conf/ssl.crt
3. Create folder for the SSL private key:
   mkdir -p /var/apache/tomcat55/conf/ssl.key
4. Change ownership of all server files to the tomcat user:
   chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
5. Run the command bellow to generate a key store:
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
6. Run the command bellow to generate a CSR (certificate request):
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
12. Run the command bellow to import the trusted root CA public certificate:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

13. Run the command bellow to import the signed public key into the key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
15. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
    <Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" />
16. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
    <user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

17. Start the Tomcat service:
    /etc/init.d/tomcat start -security

Print PDF