Archive for the ‘Resin’ Category

Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL ships by default on most Unix platforms as an RPM or package (RedHat, Solaris, etc.).
The guide below explains how to generate a key store for digital certificates, generate a private key and a self-signed SSL certificate for web servers, and export/convert the key store to a PFX file (for importing into Windows).
The guide below was tested on common Linux web servers (Apache, Lighttpd, Nginx, Resin); the same syntax should also work on Windows.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for the Linux source files:
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command below to generate a new key store called “server.key”:
    openssl genrsa -des3 -out /tmp/server.key 1024
  3. Run the commands below to request a new SSL certificate:
    openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command below to back up the key store file that has a password:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command below to generate a new key store without a password:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command below only if you need to generate a PEM file that contains both the key store and the public key in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command below only if you need to export a key store (without a password) to a PFX file (for importing into Windows):
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx
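The same self-signed procedure as a script, added here as an example and not part of the original post: it uses a 2048-bit key, SHA-256 and a subjectAltName instead of the 1024-bit/SHA-1 settings above (modern clients ignore the CN), and adds the checks worth running before the PFX leaves the box. Assumed: OpenSSL 1.1.1 or newer on PATH; the hostname www.example.com and the password "changeit" are constructed values, and files go to $WORK (a temp directory by default).

```shell
# Added example (not from the original post). Assumes OpenSSL 1.1.1+ for -addext.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Steps 2, 3 and 5 in one command: private key (no passphrase) plus certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/no.pwd.server.key" -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/no.pwd.server.key"   # an unencrypted key must be owner-only
}

# The certificate must have been built from this key: both carry the same modulus.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Succeeds only if the certificate is still valid $2 days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Step 7: PKCS#12 bundle for Windows/IIS. Give it an export password; an empty
# one is rejected by several Windows importers.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/no.pwd.server.key" -in "$WORK/server.crt" \
        -passout "pass:$1" -out "$WORK/server.pfx"
}

# Read the bundle back with the same password to prove it is importable.
pfx_readable() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$1" -noout 2>/dev/null
}

main() {
    make_self_signed www.example.com            # constructed hostname
    key_matches_cert "$WORK/no.pwd.server.key" "$WORK/server.crt"
    cert_valid_for_days "$WORK/server.crt" 30
    export_pfx changeit                         # constructed export password
    pfx_readable changeit
}
```

Append `main` to the script (or source it and call `main`) to generate and check the files in one go.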

Appendix:

  • server.key – Key store file
  • server.crt – Server SSL public key file
  • no.pwd.server.key – Key store file (without a password)
  • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
  • server.pfx – Private key + public key, exportable for Windows (i.e. IIS server)

How to implement SSL on Resin 4.0.8

Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Resin Professional 4.0.8 on RHEL 5.4.

  1. Log in to the server using the root account.
  2. Change permissions on the keys folder:
    chmod 640 /usr/local/resin/keys
  3. Run the command below to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024
    Specify a complex pass phrase for the private key (and document it).
  4. Run the command below to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/resin.csr to a Certificate Authority.
  6. As soon as you receive the signed certificate from the CA by email, copy all lines from the one starting with “Begin” to the one ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /usr/local/resin/keys/.
  8. Follow the link in the email from the CA to create the Root CA chain, and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/.
  10. Edit the file /usr/local/resin/conf/resin.xml using VI, and change the section below from:
    <!-- SSL port configuration: -->
    <http address="*" port="8443">
    <jsse-ssl self-signed-certificate-name="[email protected]"/>
    </http>
    To:
    <http address="Server_DNS_Name" port="443">
    <openssl>
    <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
    <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
    <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
    <password>my-password</password>
    </openssl>
    </http>
    Note: Replace “my-password” with the password for the “server.key” file.
  11. Restart the Resin services:
    /etc/init.d/resin restart
  12. Back up the file:
    /usr/local/resin/keys/server.key
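The CSR flow of steps 3 to 4 as a script, added here as an example and not part of the original guide: a throw-away local CA stands in for the commercial CA of step 5, and three checks follow that catch the usual reasons Resin fails to come up on 443 after this change. The CSR is derived from the existing encrypted key with -key, so the passphrase from step 3 remains the one resin.xml needs; the guide's "-newkey ... -nodes" form would overwrite server.key with a fresh unencrypted key. Assumed: OpenSSL 1.1.1 or newer; resin.example.com and "my-password" are constructed values, and $KEYS defaults to a temp directory rather than /usr/local/resin/keys.

```shell
# Added example (not from the original guide). Assumes OpenSSL 1.1.1+.
set -eu
KEYS="${KEYS:-$(mktemp -d)}"
PASS="my-password"        # constructed; the value that goes into <password> in resin.xml

# Step 3 (2048-bit, AES-256 instead of DES3): the passphrase encrypts server.key.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEYS/server.key" 2048 2>/dev/null
    chmod 600 "$KEYS/server.key"
}

# Step 4 built from the existing key (-key) so the step 3 passphrase stays valid.
make_csr() {
    openssl req -new -key "$KEYS/server.key" -passin "pass:$PASS" \
        -subj "/CN=$1" -out "$KEYS/resin.csr"
}

# Steps 5-8 locally: a one-off CA signs the CSR; its certificate is the ca-bundle.
sign_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Local Test CA" \
        -keyout "$KEYS/ca.key" -out "$KEYS/ca-bundle.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$KEYS/san.ext"
    openssl x509 -req -in "$KEYS/resin.csr" -CA "$KEYS/ca-bundle.crt" -CAkey "$KEYS/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$KEYS/san.ext" -out "$KEYS/server.crt" 2>/dev/null
}

# Check 1: the passphrase that will be written to resin.xml actually opens the key.
passphrase_opens_key() {
    openssl rsa -in "$KEYS/server.key" -passin "pass:$1" -noout 2>/dev/null
}

# Check 2: server.crt validates against ca-bundle.crt, the chain Resin will present.
chain_verifies() {
    openssl verify -CAfile "$KEYS/ca-bundle.crt" "$KEYS/server.crt" >/dev/null 2>&1
}

# Check 3: the CA issued the certificate for the key we hold (public keys identical).
cert_uses_key() {
    a=$(openssl x509 -in "$KEYS/server.crt" -noout -pubkey)
    b=$(openssl rsa -in "$KEYS/server.key" -passin "pass:$PASS" -pubout 2>/dev/null)
    [ "$a" = "$b" ]
}
```

Run make_encrypted_key, make_csr and sign_with_local_ca in that order, then the three checks; with a real CA, replace sign_with_local_ca by steps 5 to 9 and run only the checks.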

Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

Pre-requirements:

  • JDK 1.6 source file
  • Resin Professional 4.0.8 source file

Installation phase

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd resin
    useradd -g resin -d /home/resin -s /bin/bash resin
  3. Create a folder for the web content:
    mkdir -p /www
  4. Update ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  5. Copy the JDK 1.6 installer into /tmp.
  6. Make the JDK 1.6 installer executable:
    chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
  7. Run the command below to install JDK 1.6:
    /tmp/jdk-6u20-linux-i586-rpm.bin
  8. Remove the JDK 1.6 source files:
    rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
    rm -f /usr/java/jdk1.6.0_20/src.zip
    rm -rf /usr/java/jdk1.6.0_20/demo
    rm -rf /usr/java/jdk1.6.0_20/sample
    rm -rf /opt/sun/javadb/demo
    rm -rf /opt/sun/javadb/docs
  9. Before compiling Resin, install the following RPMs from the RHEL DVD:
    rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-42.i386.rpm
    rpm -ivh glibc-devel-2.5-42.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-46.el5.i386.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
  10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp.
  11. Move to /tmp:
    cd /tmp
  12. Extract the resin-pro-4.0.8.tar.gz file:
    tar -zxvf resin-pro-4.0.8.tar.gz
  13. Move to the Resin 4.0.8 source folder:
    cd /tmp/resin-pro-4.0.8
  14. Run the commands below to compile the Resin 4.0.8 environment:
    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
    Note: The command above should be written as one line.

    make
    make install

  15. Edit the file /usr/local/resin/conf/resin.xml using VI, and change the strings below:
    From:
    <resin:if test="${resin.userName == 'root'}">
    To:
    <resin:if test="${resin.userName == 'resin'}">

    From:
    <user-name>www-data</user-name>
    To:
    <user-name>resin</user-name>

    From:
    <group-name>www-data</group-name>
    To:
    <group-name>resin</group-name>

    From:
    <server id="" address="127.0.0.1" port="6800">
    To:
    <server id="" address="Server_DNS_Name" port="6800">

    From:
    <http address="*" port="8080"/>
    To:
    <http address="Server_DNS_Name" port="8080"/>

    From:
    <dependency-check-interval>2s</dependency-check-interval>
    To:
    <dependency-check-interval>600s</dependency-check-interval>

    From:
    <host id="" root-directory=".">
    To:
    <host id="Server_DNS_Name" root-directory="/www">

    From:
    <root-directory>.</root-directory>
    To:
    <root-directory>/www</root-directory>

    From:
    <resin:set var="resin_admin_external" value="false"/>
    To:
    <resin:set var="resin_admin_external" value="true"/>

  16. Change the ownership on the folder below:
    chown resin:root -R /www/*
  17. Manually start the Resin service:
    /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
  18. Manually stop the Resin service:
    /usr/local/resin/bin/resin.sh stop
  19. Copy the Resin license file into:
    /usr/local/resin/licenses
  20. Change the ownership and permissions on the folders below:
    chmod 664 -R /www/watchdog-data/
    chmod 777 /www/watchdog-data/default/
    chown resin:root -R /www/watchdog-data/*
  21. Remove the Resin 4.0.8 source folder:
    rm -rf /tmp/resin-pro-4.0.8
  22. Remove default documents:
    rm -rf /www/doc/resin-doc
  23. To start the Resin service at server start-up, run the commands below:
    chkconfig --add resin
    chkconfig resin on
    /etc/init.d/resin start
  24. From a client machine, open a web browser and log in at the address:
    http://Server_DNS_Name:8080/resin-admin/
  25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin”.
  26. Rename the generated admin-users.xml file:
    mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
  27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.
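A file-level audit of the items the hardening steps change, added here as an example and not part of the original guide, so the outcome of steps 15, 20, 22 and 25 to 26 can be re-checked later or on a cloned server. Note that step 20 deliberately leaves /www/watchdog-data/default/ world-writable; the audit reports every such entry under the content root so the exposure is at least visible. Assumed: $1 is the Resin home (/usr/local/resin in the guide) and $2 the content root (/www); findings go to stderr and the count to stdout.

```shell
# Added example (not from the original guide). Assumes GNU or BSD find.
set -eu

finding() { echo "FINDING: $1" >&2; }

# Usage: audit_resin <resin-home> <content-root>; prints the number of findings.
audit_resin() {
    home="$1"; www="$2"; n=0
    conf="$home/conf/resin.xml"
    [ -f "$conf" ] || { finding "resin.xml not found at $conf"; echo 1; return; }

    # Step 15: not www-data, not started as root, not bound to every interface.
    grep -Eq '<(user-name|group-name)>www-data<' "$conf" \
        && { finding "resin.xml still runs as www-data"; n=$((n+1)); }
    grep -q "resin.userName == 'root'" "$conf" \
        && { finding "resin.xml still expects to start as root"; n=$((n+1)); }
    grep -Eq 'address="\*"' "$conf" \
        && { finding "resin.xml still binds to all interfaces"; n=$((n+1)); }

    # Step 22: bundled documentation must be gone from the served tree.
    [ -e "$www/doc/resin-doc" ] \
        && { finding "resin-doc still deployed"; n=$((n+1)); }

    # Steps 25-26: the admin credential file must exist and not be world-readable.
    users="$home/conf/admin-users.xml"
    if [ ! -f "$users" ]; then
        finding "admin-users.xml missing (admin console not configured)"; n=$((n+1))
    elif [ -n "$(find "$users" -perm -o=r)" ]; then
        finding "admin-users.xml is world-readable"; n=$((n+1))
    fi

    # Step 20 leaves watchdog-data/default at 777; anything world-writable under
    # the content root lets any local user plant content Resin will serve.
    find "$www" -perm -o=w 2>/dev/null | sed 's/^/FINDING: world-writable: /' >&2
    n=$((n + $(find "$www" -perm -o=w 2>/dev/null | wc -l)))

    echo "$n"
}
```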