Archive for the ‘Solaris’ Category

Generating self-signed SSL certificate using OpenSSL

OpenSSL lets you generate keys, create certificate requests, sign, inspect, export and convert digital certificates.
OpenSSL ships with most Unix platforms as a native package (an RPM on Red Hat, a SUNW package on Solaris, and so on).
The guide below explains how to generate an RSA private key, issue a self-signed SSL certificate for a web server from that key, and export/convert the key and certificate to a PFX (PKCS#12) file for import on the Windows platform.
The guide below was tested on common Linux web servers (Apache, Lighttpd, Nginx, Resin); the same commands should work unchanged with the Windows build of OpenSSL.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for the source tarball (Linux and other Unix platforms):
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command below to generate a new, passphrase-protected RSA private key called "server.key". Use 2048 bits: the 1024-bit keys this guide originally used are no longer considered safe and are refused by current browsers.
    openssl genrsa -des3 -out /tmp/server.key 2048
  3. Run the commands below to generate a self-signed certificate from that key (valid for three years) and to dump its fingerprint and decoded contents for the record. Sign with -sha256 rather than -sha1; SHA-1 certificate signatures are rejected by current browsers.
    openssl req -new -x509 -sha256 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command below to back up the passphrase-protected key:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command below to write a copy of the private key without a passphrase (a web server needs this to start unattended). The unencrypted key is the most sensitive file produced here: keep it readable by root only (chmod 600) and never copy it off the server.
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command below only if your web server expects a single PEM file holding both the private key and the certificate:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command below only if you need to export the key (without a passphrase) and the certificate to a PFX (PKCS#12) file for import on the Windows platform. The -certfile option is only for adding intermediate CA certificates to the bundle, so it is omitted: a self-signed certificate has no chain.
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -out /tmp/server.pfx

Appendix:

  • server.key – RSA private key (passphrase-protected)
  • server.crt – Self-signed server certificate (carries the public key)
  • no.pwd.server.key – RSA private key without a passphrase
  • no.pwd.server.pem – Private key + server certificate in one PEM file (without a passphrase)
  • server.pfx – Private key + certificate in PKCS#12 form, importable on the Windows platform (e.g. IIS)
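The seven steps above as one script, an added example that is not part of the original guide: it produces the same set of files under a directory of your choice, but with current defaults (2048-bit RSA, SHA-256, a subjectAltName so browsers accept the certificate), and then verifies that the private key and the certificate belong together before you install them. The function names, the KEY_PASS / PFX_PASS environment variables and the "changeit" fallback passphrase are this example's own assumptions, not part of the guide.

```shell
#!/bin/sh
# gen_selfsigned OUTDIR FQDN -> writes server.key, no.pwd.server.key, server.crt,
# server.info, no.pwd.server.pem and server.pfx into OUTDIR; returns 0 only if the
# generated key and certificate match. Passphrases come from KEY_PASS and PFX_PASS
# (assumed names for this example); "changeit" is just the fallback for a scratch run.
gen_selfsigned() {
  out=$1
  fqdn=$2
  kp=${KEY_PASS:-changeit}
  pp=${PFX_PASS:-changeit}
  umask 077                          # every file below is created mode 600
  mkdir -p "$out"
  # Step 2: passphrase-protected private key (AES-256 instead of the old -des3)
  openssl genrsa -aes256 -passout "pass:$kp" -out "$out/server.key" 2048 2>/dev/null
  # Step 5: passphrase-free copy so the web server can start unattended
  openssl rsa -in "$out/server.key" -passin "pass:$kp" -out "$out/no.pwd.server.key" 2>/dev/null
  # Step 3: self-signed certificate, 3 years, SHA-256, CN and SAN filled in non-interactively
  openssl req -new -x509 -sha256 -days 1095 -key "$out/no.pwd.server.key" \
      -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" -out "$out/server.crt"
  # Step 3 (second command): fingerprint and decoded contents for the record
  openssl x509 -noout -fingerprint -sha256 -text -in "$out/server.crt" > "$out/server.info"
  # Steps 6 and 7: combined PEM, and the PKCS#12 (PFX) bundle for Windows.
  # -certfile is not needed: a self-signed certificate has no intermediate chain.
  cat "$out/no.pwd.server.key" "$out/server.crt" > "$out/no.pwd.server.pem"
  openssl pkcs12 -export -in "$out/server.crt" -inkey "$out/no.pwd.server.key" \
      -passout "pass:$pp" -out "$out/server.pfx"
  key_matches_cert "$out/no.pwd.server.key" "$out/server.crt"
}

# key_matches_cert KEY CERT -> 0 if the RSA modulus in both files is identical.
# This is the check to run before installing any key/certificate pair on a server:
# a mismatched pair makes the server fail the TLS handshake for every client.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT FQDN -> 0 if the certificate carries a DNS SAN for FQDN
# (browsers ignore the CN and require the SAN).
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Usage: KEY_PASS=... PFX_PASS=... sh selfsigned.sh /etc/ssl/private www.example.test
if [ "$#" -eq 2 ]; then
  gen_selfsigned "$1" "$2" && echo "key/certificate pair written to $1 and verified"
fi
```

The script keeps the passphrase-protected key as the master copy and writes the passphrase-free key beside it with mode 600; copy only the .pfx to Windows hosts, and protect it with a real PFX_PASS since it contains the private key.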

IPv6 – Problem and some solutions

The Internet is about to face one of the most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. Slow adoption of the new system intended to vastly increase the available pool complicates matters further.
Currently the Internet uses IPv4 (Internet Protocol version 4), whose addresses are 32-bit numbers; that gives about 4 billion addresses, and about 94 percent of them have already been allocated. The new system, IPv6, uses 128-bit addresses, so the number of available addresses skyrockets.
It is time to start migrating from IPv4 to IPv6.

Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Hardening guide for Apache 2.0 on Solaris 10 platform

  1. Log in to the server as root.
  2. Create a dedicated service account for Apache (no home directory, no login shell, password locked):

    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
    passwd apache
    passwd -l apache
  3. Mount the Solaris 10 DVD and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  4. Run the command below to install the Apache 2 packages:
    pkgadd -d . SUNWapch2r SUNWapch2u
  5. Remove the default content (sample pages, CGI scripts and icons):
    rm -r /var/apache2/htdocs/
    rm -r /var/apache2/cgi-bin/
    rm -r /var/apache2/icons/
  6. Update ownership and permissions on the Apache 2 folders. Only root needs the binaries, configuration and logs: the parent httpd starts as root and reads them, and the worker processes that run as "apache" never do:
    chown -R root:root /usr/apache2
    chmod -R 770 /usr/apache2/bin
    chown -R root:root /etc/apache2
    chmod -R 770 /etc/apache2
    chown -R root:root /var/apache2/logs
    chmod -R 700 /var/apache2/logs
  7. Create a folder for the web content:
    mkdir -p /www
  8. Update ownership and permissions on the web content folder. The content stays owned by root and world-readable; the "apache" account must never be able to write under /www, otherwise a compromised worker could alter the site:
    chown -R root /www
    chmod -R 775 /www
  9. Copy the example configuration file in order to edit it:
    cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
  10. Edit the file /etc/apache2/httpd.conf using vi and change the following strings:
    From:
    # LockFile /var/apache2/logs/accept.lock
    To:
    LockFile /var/apache2/logs/accept.lock

    From:
    User webservd
    To:
    User apache

    From:
    Group webservd
    To:
    Group apache

    From:
    PidFile /var/run/apache2/httpd.pid
    To:
    PidFile /var/apache2/logs/httpd.pid

    From:
    DocumentRoot "/var/apache2/htdocs"
    To:
    DocumentRoot "/www"

    From:
    ServerSignature On
    To:
    ServerSignature Off
    HostnameLookups Off

    From:
    # ServerTokens
    To:
    ServerTokens Prod

    From:
    ServerAdmin you@your.address
    To:
    ServerAdmin webmaster@yourcompany.com
    (use a real mailbox at your company; this address is shown to clients on server-generated error pages)

    From:
    ServerName 127.0.0.1
    To:
    ServerName Server_FQDN

    From:
    Timeout 300
    To:
    Timeout 60

    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    IndexOptions FancyIndexing VersionSort
    To:
    # IndexOptions FancyIndexing VersionSort

    From:
    ReadmeName README.html
    To:
    # ReadmeName README.html

    From:
    HeaderName HEADER.html
    To:
    # HeaderName HEADER.html

    From:
    AddIcon (every line starting with AddIcon)
    To:
    # AddIcon

    From:
    DefaultIcon /icons/unknown.gif
    To:
    # DefaultIcon /icons/unknown.gif

    From:
    Alias /icons/ "/var/apache2/icons/"
    To:
    # Alias /icons/ "/var/apache2/icons/"

    From:
    AliasMatch (every such line)
    To:
    # AliasMatch

    From:
    ScriptAlias (every such line)
    To:
    # ScriptAlias

    From:
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
    To:
    # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

    From:
    LoadModule imap_module libexec/mod_imap.so
    To:
    # LoadModule imap_module libexec/mod_imap.so

    From:
    LoadModule cgi_module libexec/mod_cgi.so
    To:
    # LoadModule cgi_module libexec/mod_cgi.so

    From:
    LoadModule suexec_module libexec/mod_suexec.so
    To:
    # LoadModule suexec_module libexec/mod_suexec.so

    From:
    LoadModule autoindex_module libexec/mod_autoindex.so
    To:
    # LoadModule autoindex_module libexec/mod_autoindex.so

    From:
    LoadModule info_module libexec/mod_info.so
    To:
    # LoadModule info_module libexec/mod_info.so

    From:
    LoadModule status_module libexec/mod_status.so
    To:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule userdir_module libexec/mod_userdir.so
    To:
    # LoadModule userdir_module libexec/mod_userdir.so

    From:
    LoadModule cern_meta_module modules/mod_cern_meta.so
    To:
    # LoadModule cern_meta_module modules/mod_cern_meta.so

    From:
    LoadModule dav_module modules/mod_dav.so
    To:
    # LoadModule dav_module modules/mod_dav.so

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/var/apache2/htdocs">
    To:
    <Directory "/www">
    <LimitExcept GET POST>
    deny from all
    </LimitExcept>
    (keep the Order allow,deny / Allow from all lines that already follow in this block; they are what re-opens /www after the deny from all on / above)

    Inside that same <Directory "/www"> block, from:
    Options Indexes FollowSymLinks
    To:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  11. Add the following sections to the end of the httpd.conf file. These values are deliberately tight and will break real traffic if left as-is: LimitRequestFieldSize 100 rejects any single request header longer than 100 bytes (a normal browser User-Agent or cookie is longer), and LimitRequestBody 10000 caps uploads and form posts at 10 KB. Start from these, test, then raise each limit to the smallest value your application actually needs:
    LimitRequestBody 10000
    LimitRequestFields 40
    LimitRequestFieldSize 100
    LimitRequestLine 500
  12. Remove the sections below from the file httpd.conf (both Directory blocks, up to and including their closing </Directory> tags):
    <Directory "/usr/apache2/manual">
    <Directory "/var/apache2/cgi-bin">
  13. Edit the file /usr/apache2/include/ap_release.h using vi and change the following strings. Note that this header is only read when Apache is compiled; editing it on a system running the SUNWapch2u binary package changes nothing until httpd is rebuilt from source against it. ServerTokens Prod (step 10) is what actually hides the version in the running server:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"
    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
  14. Check the configuration (apachectl configtest), then start Apache from the command line:
    /usr/apache2/bin/apachectl start
  15. Run the command below to start the Apache service at server start-up (this enables the SMF service svc:/network/http:apache2, which manages the daemon from then on):
    svcadm enable apache2
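To apply the one-line substitutions from step 10 non-interactively and, more usefully, to check afterwards that none of them was missed, here is an added shell example that is not part of the original guide. It works on a constructed excerpt in the shape of httpd.conf-example rather than the real Solaris file; the function names apply_hardening and audit_hardening and the excerpt are this example's own. The <Directory> block edits from step 10 and the limits from step 11 still need editing by hand; the audit only covers the single-line directives.

```shell
#!/bin/sh
# apply_hardening CONF: rewrite the single-line directives from step 10 in place
# (user/group, ServerSignature, ServerTokens, Timeout, the Options line, and the
# LoadModule lines to comment out). The first run keeps the original as CONF.orig;
# running it again changes nothing, so it is safe to re-run after package updates.
apply_hardening() {
  conf=$1
  script=$(mktemp)
  [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
  cat > "$script" <<'EOF'
s|^[[:space:]]*User webservd|User apache|
s|^[[:space:]]*Group webservd|Group apache|
s|^[[:space:]]*ServerSignature On|ServerSignature Off|
s|^#*[[:space:]]*ServerTokens.*|ServerTokens Prod|
s|^[[:space:]]*Timeout 300|Timeout 60|
s|^\([[:space:]]*\)Options Indexes FollowSymLinks|\1Options -FollowSymLinks -Includes -Indexes -MultiViews|
EOF
  for m in proxy_ftp imap cgi suexec autoindex info status userdir cern_meta dav; do
    printf 's|^LoadModule %s_module|# LoadModule %s_module|\n' "$m" "$m" >> "$script"
  done
  sed -f "$script" "$conf" > "$script.out"
  cat "$script.out" > "$conf"        # write through the existing inode: owner and mode are kept
  rm -f "$script" "$script.out"
}

# audit_hardening CONF: print every step-10 setting that is still in its insecure
# state; returns 1 if anything was printed, 0 if the file passes.
audit_hardening() {
  conf=$1
  rc=0
  grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" || { echo "FAIL: ServerTokens is not Prod"; rc=1; }
  grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf" || { echo "FAIL: ServerSignature is not Off"; rc=1; }
  grep -Eq '^[[:space:]]*User[[:space:]]+root' "$conf" && { echo "FAIL: workers would run as root"; rc=1; }
  # an Options line that still enables Indexes or Includes (a leading '-' disables them)
  if grep -E '^[[:space:]]*Options[[:space:]]' "$conf" | grep -Eq '(^|[[:space:]])[+]?(Indexes|Includes)([[:space:]]|$)'; then
    echo "FAIL: directory listings or server-side includes still enabled"; rc=1
  fi
  for m in proxy_ftp imap cgi suexec autoindex info status userdir cern_meta dav; do
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+${m}_module" "$conf" && { echo "FAIL: mod_$m still loaded"; rc=1; }
  done
  return $rc
}

# write_sample_conf FILE: a constructed excerpt in the shape of httpd.conf-example
# (not the real Solaris file) for trying the two functions offline.
write_sample_conf() {
  cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
User webservd
Group webservd
Timeout 300
LoadModule cgi_module libexec/mod_cgi.so
LoadModule status_module libexec/mod_status.so
LoadModule rewrite_module libexec/mod_rewrite.so
<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Usage: sh harden_check.sh /etc/apache2/httpd.conf   (then run apachectl configtest)
if [ "$#" -eq 1 ]; then
  apply_hardening "$1"
  audit_hardening "$1" && echo "PASS: $1"
fi
```

Run the audit alone (call audit_hardening from a shell that has sourced the file) as a periodic check: a package update that drops a fresh httpd.conf in place will show up as a list of FAIL lines.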

Hardening guide for Tomcat 5.5 on Solaris 10 platform

Pre-installation notes
This guide explains how to install Sun JDK 6 Update 15 (the jdk-6u15 installers) and Tomcat 5.5 on Sun Solaris 10.

Installation phase

  1. Log in to the server as root.
  2. Make sure the folder /usr/jdk exists:
    ls -ld /usr/jdk
  3. If the folder /usr/jdk doesn't exist, create it manually:
    mkdir /usr/jdk
  4. Copy the JDK 1.6 installer scripts (32-bit and x64) into /usr/jdk.
  5. Move to the /usr/jdk folder:
    cd /usr/jdk
  6. Change the permissions on the JDK 1.6 (32-bit) script:
    chmod +x jdk-6u15-solaris-i586.sh
  7. Run the command below to install JDK 1.6 (32-bit):
    ./jdk-6u15-solaris-i586.sh
  8. Change the permissions on the JDK 1.6 (x64) script:
    chmod +x jdk-6u15-solaris-x64.sh
  9. Run the command below to install JDK 1.6 (x64):
    ./jdk-6u15-solaris-x64.sh
  10. Delete the installer scripts, the source archive and the samples (none of them is needed on a server):
    rm /usr/jdk/jdk-6u15-solaris-i586.sh
    rm /usr/jdk/jdk-6u15-solaris-x64.sh
    rm /usr/jdk/jdk1.6.0_15/src.zip
    rm -r /usr/jdk/jdk1.6.0_15/demo
    rm -r /usr/jdk/jdk1.6.0_15/sample
  11. Remove the existing link for Java:
    rm /usr/bin/java
  12. Create a new link for Java (for x64 servers):
    ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
  13. Reload the shell's command cache (csh/tcsh only; sh and ksh look the new link up without it):
    rehash
  14. Mount the Solaris 10 DVD and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  15. Run the command below to install the Tomcat packages:
    pkgadd -d . SUNWtcatr SUNWtcatu
  16. Remove the default content (documentation, release notes, the example applications and the WebDAV and balancer sample contexts):
    rm -r /usr/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
    rm -r /var/apache/tomcat55/webapps/jsp-examples
    rm -r /var/apache/tomcat55/webapps/servlets-examples
    rm -r /var/apache/tomcat55/webapps/webdav
    rm -r /var/apache/tomcat55/webapps/balancer
  17. Copy the server.xml configuration file (one command, on one line):
    cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
  18. Edit the file /var/apache/tomcat55/conf/server.xml using vi.
    Uncomment the access log valve section:
    org.apache.catalina.valves.AccessLogValve
    Replace the non-SSL HTTP/1.1 Connector. Attribute names are case-sensitive (maxThreads, not maxthreads); Tomcat 5.5 no longer supports a debug attribute on its components, so none is added:
    From:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
    To:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
  19. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section before the closing "web-app" tag. conf/web.xml is the default deployment descriptor inherited by every web application, so this constraint blocks these manager-style paths in all contexts unless the caller authenticates with the "manager" role. Tag names are case-sensitive XML: a mismatched closing tag such as </ROLE-NAME> stops Tomcat from parsing the file and no application deploys.
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManager and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines (the role and user elements are empty elements and must be self-closing):
    <role rolename="admin"/>
    <role rolename="manager"/>
    <user username="admin" password="adminpass" roles="admin,manager"/>
    Note: "adminpass" is a placeholder. Specify a complex password for the admin account (and document it). The password is stored in clear text, so keep the file readable only by the tomcat service account.
  21. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi.
    Uncomment the remote address valve section:
    org.apache.catalina.valves.RemoteAddrValve
    Replace the value below:
    From:
    allow="127.0.0.1"
    To:
    allow="172.16.*.*"
    Note: Replace "172.16.*.*" with your internal management network segment. In Tomcat 5.5 the allow attribute is a comma-separated list of regular expressions, each matched against the whole client address, so the dots and stars in "172.16.*.*" are regex metacharacters and it also admits addresses such as 172.160.1.1. Use the anchored form allow="172\.16\.\d+\.\d+" where the filter must be exact, and remember the valve sees the address of the connecting host: behind a reverse proxy that is the proxy, not the end user.
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  22. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi.
    Inside the "Context" section, add the following line:
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
    Note: As above, replace "172.16.*.*" with your internal network segment (anchored form: "172\.16\.\d+\.\d+").
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  23. Move to the folder /usr/apache/tomcat55/server/lib:
    cd /usr/apache/tomcat55/server/lib
  24. Extract the version properties file from catalina.jar:
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  25. Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi and replace the strings below. This is the banner Tomcat prints on its own error pages and in the manager and status pages; the HTTP Server header (Apache-Coyote/1.1 by default) is set by the connector and is not affected, and fingerprinting tools can still recognise Tomcat from its behaviour:
    From:
    server.info=Apache Tomcat/5.5.26
    To:
    server.info=Secure Web server
    From:
    server.number=5.5.26.0
    To:
    server.number=1.0.0.0
  26. Move to the folder /usr/apache/tomcat55/server/lib:
    cd /usr/apache/tomcat55/server/lib
  27. Repackage the edited properties file into catalina.jar:
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  28. Remove the extracted folder:
    rm -r /usr/apache/tomcat55/server/lib/org
  29. Create a user account for the Tomcat service:
    mkdir /home/tomcat
    groupadd tomcat
    useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
    chown tomcat:tomcat /home/tomcat/
    passwd tomcat
    passwd -l tomcat
    Note: On Solaris 10, /home is normally managed by the automounter and mkdir /home/tomcat fails; in that case use /export/home/tomcat as the home directory in the commands above.
  30. Create the file /etc/init.d/tomcat using vi, with the following content. The environment has to be passed inside the command string: "su -" starts a fresh login shell for the tomcat user and discards the caller's exports, so a JAVA_HOME exported by root never reaches startup.sh. The -security option belongs to startup.sh and must be inside the quotes, otherwise su treats it as its own argument. It starts the JVM with the Java SecurityManager and the policy in conf/catalina.policy:
    #!/bin/sh
    #
    # Startup script for Tomcat
    #
    # JAVA_HOME: the JDK installed above. CATALINA_BASE: the tree under /var that
    # holds conf/, logs/, webapps/, work/ and temp/ in the Solaris packaging.
    TOMCAT_ENV="JAVA_HOME=/usr/jdk/jdk1.6.0_15 CATALINA_BASE=/var/apache/tomcat55; export JAVA_HOME CATALINA_BASE"
    case "$1" in
    start)
    echo "Starting Tomcat"
    su - tomcat -c "$TOMCAT_ENV; /usr/apache/tomcat55/bin/startup.sh -security"
    ;;
    stop)
    echo "Stopping Tomcat"
    su - tomcat -c "$TOMCAT_ENV; /usr/apache/tomcat55/bin/shutdown.sh"
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    esac
  31. Change the permissions on the file /etc/init.d/tomcat:
    chmod u+x /etc/init.d/tomcat
  32. Create symbolic links for system-level startup and shutdown:
    ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
    ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
  33. Reload the shell's command cache (csh/tcsh only):
    rehash
  34. Give the tomcat user ownership of the runtime tree under /var only. The service must be able to write logs/, work/ and temp/, but it must not own its own binaries and libraries under /usr/apache/tomcat55: a compromised web application running as tomcat could then replace them. The package installs that tree owned by root and world-readable, which is all Tomcat needs, so leave it as it is:
    chown -R tomcat:tomcat /var/apache/tomcat55/*
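Two checks for the settings made in steps 20 to 22, as an added shell example that is not part of the original guide. request_filter reproduces the Tomcat 5.5 RemoteAddrValve decision (deny patterns first, then allow patterns, each matched against the whole client address, and a valve with neither list rejecting everything), using grep -Ex in place of java.util.regex; that substitution is exact for the dotted-IP patterns shown here and is this example's assumption. It demonstrates why the guide's allow="172.16.*.*" also admits 172.160.9.9 while the anchored form does not. weak_tomcat_users flags entries in tomcat-users.xml that hold the admin or manager role and still carry an empty or well-known default password. The function names, the constructed sample tomcat-users.xml and the list of default passwords are this example's own.

```shell
#!/bin/sh
# request_filter DENY_LIST ALLOW_LIST ADDR -> 0 if the request passes, 1 if rejected.
# Mirrors the Tomcat 5.5 RemoteAddrValve (RequestFilterValve): deny patterns are
# tried first, then allow patterns, each against the whole client address.
# Assumption of this example: grep -Ex (POSIX ERE, whole line) stands in for
# java.util.regex Matcher.matches(); the two agree for the dotted-IP patterns used here.
request_filter() {
  denies=$1
  allows=$2
  addr=$3
  for p in $(printf '%s' "$denies" | tr ',' ' '); do
    printf '%s\n' "$addr" | grep -Eqx -e "$p" && return 1
  done
  for p in $(printf '%s' "$allows" | tr ',' ' '); do
    printf '%s\n' "$addr" | grep -Eqx -e "$p" && return 0
  done
  # an allow list was given and nothing matched: reject
  [ -n "$allows" ] && return 1
  # deny-only configuration with no hit: pass. Neither list set: Tomcat rejects
  # everything, so a valve left without allow/deny locks the context out entirely.
  [ -n "$denies" ] && return 0
  return 1
}

# weak_tomcat_users FILE -> prints every <user> holding the admin or manager role
# whose password is empty or one of the well-known defaults; returns 1 if any found.
weak_tomcat_users() {
  rc=0
  tmp=$(mktemp)
  grep '<user ' "$1" > "$tmp" || true
  while read -r line; do
    user=$(printf '%s' "$line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
    pass=$(printf '%s' "$line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
    roles=$(printf '%s' "$line" | sed -n 's/.*roles="\([^"]*\)".*/\1/p' | tr -d ' ')
    case ",$roles," in
      *,admin,*|*,manager,*) ;;
      *) continue ;;           # unprivileged accounts are not the concern here
    esac
    case "$pass" in
      ''|tomcat|adminpass|admin|password|s3cret)
        echo "WEAK: user \"$user\" (roles $roles) has password \"$pass\""
        rc=1 ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# write_sample_users FILE -> a constructed tomcat-users.xml for trying the check offline
write_sample_users() {
  cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="viewer"/>
  <user username="admin" password="adminpass" roles="admin,manager"/>
  <user username="ops" password="tomcat" roles="manager"/>
  <user username="deploy" password="Xk9#vL2$qP7!wR4" roles="manager"/>
  <user username="guest" password="" roles="viewer"/>
</tomcat-users>
EOF
}

# Usage: sh tomcat_checks.sh ALLOW_PATTERN CLIENT_ADDR [tomcat-users.xml]
if [ "$#" -ge 2 ]; then
  if request_filter "" "$1" "$2"; then echo "ALLOW $2"; else echo "REJECT $2"; fi
  if [ "$#" -ge 3 ]; then weak_tomcat_users "$3"; fi
fi
```

Try `sh tomcat_checks.sh '172.16.*.*' 172.160.9.9` and then the same with `'172\.16\.[0-9]+\.[0-9]+'` to see the difference the anchoring makes; the bracketed form is valid for both grep and Java, so it can be pasted into the valve unchanged.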