Archive for the ‘Solaris’ Category
Generating self-signed SSL certificate using OpenSSL
OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL ships by default on most Unix platforms as an RPM or native package (Red Hat, Solaris, etc.).
The guide below explains how to generate a private key, generate a self-signed SSL certificate for a web server from it, and export/convert the key and certificate to a PFX (PKCS#12) file for import on the Windows platform.
The guide below was tested on common Linux web servers (Apache, Lighttpd, Nginx, Resin); the same syntax should work on the Windows platform.
Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for the source tarball (build it yourself, or use your distribution's package instead):
http://www.openssl.org/source/
- Install OpenSSL.
- Run the command below to generate a new passphrase-protected private key called “server.key”. 1024-bit RSA keys are no longer considered safe, so 2048 bits is used here, and -des3 is replaced by -aes256 for encrypting the key:
openssl genrsa -aes256 -out /tmp/server.key 2048
- Run the commands below to create a self-signed certificate from that key (valid for three years, signed with SHA-256; SHA-1 signatures are rejected by current browsers) and to dump its details and fingerprint:
openssl req -new -x509 -sha256 -days 1095 -key /tmp/server.key -out /tmp/server.crt
openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info
- Run the command below to back up the passphrase-protected key:
cp /tmp/server.key /tmp/server.key.bak
- Run the command below to write a copy of the private key without a passphrase (a web server that starts unattended needs this; keep the file owned by root with mode 600, because anyone who can read it owns the server's identity):
openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
- Run the command below only if you need a single PEM file that contains both the private key and the certificate:
cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
- Run the command below only if you need to export the private key and certificate to a PFX (PKCS#12) file for import on the Windows platform. It prompts for an export password that protects the file. A self-signed certificate has no chain, so -certfile is only needed when intermediate CA certificates must be included:
openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -out /tmp/server.pfx
Appendix:
- server.key – passphrase-protected private key
- server.crt – self-signed server certificate (public key)
- no.pwd.server.key – private key without a passphrase
- no.pwd.server.pem – private key + server certificate in one file (without a passphrase)
- server.pfx – private key + certificate in PKCS#12 format, importable on the Windows platform (e.g. IIS)
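The whole workflow above as an added example, not code from the original post: a POSIX shell script that generates the key and self-signed certificate, strips the passphrase, exports the PFX, and then runs the checks a practitioner wants before deploying (signature algorithm, key size, subjectAltName, key/certificate match, self-verification, and that the PFX opens). It assumes OpenSSL 1.1.1 or later on PATH; the hostname www.example.com, both passphrases and the temporary working directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the same steps as the guide
# (private key -> self-signed cert -> passphrase-less key -> PFX) with parameters
# that are acceptable today, plus the checks to run before deploying.
# Assumptions: OpenSSL 1.1.1+ on PATH; hostname, passphrases and WORKDIR are
# placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"        # assumed server FQDN
KEYPASS="${KEYPASS:-change-me-key}"    # placeholder passphrase for server.key
PFXPASS="${PFXPASS:-change-me-pfx}"    # placeholder export password for server.pfx
export KEYPASS PFXPASS                 # env: keeps secrets out of the process list

# 1. Private key: 2048-bit RSA, AES-256 encrypted (1024-bit and -des3 are obsolete)
gen_key() {
    openssl genrsa -aes256 -passout env:KEYPASS -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# 2. Self-signed certificate: SHA-256 signature, 3 years, with a subjectAltName
#    (modern clients match the SAN, not the CN)
gen_cert() {
    openssl req -new -x509 -sha256 -days 1095 \
        -key "$WORKDIR/server.key" -passin env:KEYPASS \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -out "$WORKDIR/server.crt"
}

# 3. Copy of the key without a passphrase for daemons that start unattended;
#    root-owned, mode 600.
strip_passphrase() {
    openssl rsa -in "$WORKDIR/server.key" -passin env:KEYPASS \
        -out "$WORKDIR/no.pwd.server.key" 2>/dev/null
    chmod 600 "$WORKDIR/no.pwd.server.key"
}

# 4. PKCS#12 bundle for Windows/IIS. A self-signed cert has no chain, so no
#    -certfile; add one only when intermediate CA certificates exist.
export_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/server.crt" -inkey "$WORKDIR/no.pwd.server.key" \
        -name "$HOST" -passout env:PFXPASS -out "$WORKDIR/server.pfx"
    chmod 600 "$WORKDIR/server.pfx"
}

# --- checks -----------------------------------------------------------------

# Signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Public key size in bits
cert_key_bits() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# DNS entries of the subjectAltName, e.g. DNS:www.example.com
cert_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -ext subjectAltName |
        grep -o 'DNS:[^,[:space:]]*'
}

# The private key must belong to the certificate: compare public-key digests
key_matches_cert() {
    a=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$WORKDIR/no.pwd.server.key" -pubout -outform DER |
        openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# A self-signed certificate must validate with itself as the trust anchor
cert_verifies() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# The PFX must open with its password and carry the expected subject
pfx_subject() {
    openssl pkcs12 -in "$WORKDIR/server.pfx" -passin env:PFXPASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject
}

run_all() {
    gen_key; gen_cert; strip_passphrase; export_pfx
    openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha256 -subject -dates
}

if command -v openssl >/dev/null 2>&1; then run_all; fi
```

Run it as-is to produce the files under a temporary directory, or set WORKDIR, HOST, KEYPASS and PFXPASS in the environment. The passphrases are passed with env: rather than pass: so they do not appear in ps output; a file: source is the other safe option.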
IPv6 – Problem and some solutions
The Internet is about to face one of the most serious issues in its history: experts have warned that it is running out of addresses and may exhaust them by 2011. Slow adoption of the new system intended to vastly increase the available pool further complicates matters.
Currently the Internet uses IPv4 (Internet Protocol version 4), whose 32-bit addresses give about 4 billion addresses; about 94 percent of them have already been allocated. The replacement, IPv6, uses 128-bit addresses, so the number of available addresses skyrockets.
It is time to start migrating from IPv4 to IPv6.
Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984
http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year
I have searched the web and found articles about support for and configuration of IPv6 on popular operating systems and applications:
Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx
Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm
How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true
Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx
Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx
DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx
Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx
IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx
Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/
IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html
Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems
Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view
Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541
Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html
Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html
Apache Talking IPv6
http://www.linuxjournal.com/article/5451
How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm
Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/
IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058
IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html
Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm
EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm
Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf
Hardening guide for Apache 2.0 on Solaris 10 platform
- Log in to the server using the root account.
- Create a dedicated, non-login account for the Apache worker processes (the password is set and then locked):
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
- Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command below to install the Apache 2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
- Remove the default content (sample pages, CGI scripts and icons):
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
- Update ownership and permissions on the Apache 2 folders (the parent httpd runs as root and reads the configuration; the workers run as apache and need no access to it):
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
- Create a folder for the web content:
mkdir -p /www
- Update ownership and permissions on the web content folder (root owns it; the apache user only needs read access, so content cannot be modified through the web server):
chown -R root /www
chmod -R 775 /www
- Copy the configuration file in order to edit it:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
- Edit the file /etc/apache2/httpd.conf using vi and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock
From:
User webservd
To:
User apache
From:
Group webservd
To:
Group apache
From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off
From:
# ServerTokens
To:
ServerTokens Prod
From:
ServerAdmin [email protected]
To:
ServerAdmin webmaster@yourcompany.com
From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN
From:
Timeout 300
To:
Timeout 60
From:
LogLevel warn
To:
LogLevel notice
From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort
From:
ReadmeName README.html
To:
# ReadmeName README.html
From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html
From:
AddIcon
To:
# AddIcon
From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif
From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"
From:
AliasMatch
To:
# AliasMatch
From:
ScriptAlias
To:
# ScriptAlias
From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
From:
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so
From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so
From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so
From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so
From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so
From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so
From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so
From:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
Deny from all
</LimitExcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following directives to the end of the httpd.conf file. These limits are aggressive (Apache's defaults are LimitRequestFields 100, LimitRequestFieldSize 8190 and LimitRequestLine 8190, with no limit on the body): a 100-byte field size rejects requests carrying a long User-Agent or cookie header, and a 10000-byte body limit blocks any upload, so tune them to what the application actually needs:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
- Remove the sections below from the file httpd.conf:
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin">
- Edit the file /usr/apache2/include/ap_release.h using vi and change the following strings. Note: this header is only read when httpd is compiled, so editing it on the packaged binary changes nothing; the change takes effect only if you rebuild Apache from source. With ServerTokens Prod the Server header is already reduced to “Apache”.
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Start Apache from the command line for a first test:
/usr/apache2/bin/apachectl start
- Run the command below to have SMF start the Apache service at boot (stop the instance started by apachectl first, so the two do not compete for the port):
svcadm enable apache2
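The httpd.conf changes above as an added example, not code from the original guide: a POSIX shell script that applies the same directive changes with awk instead of hand-editing, keeps the original for diffing, and then verifies the result with explicit checks. The sample configuration it writes is constructed for the demo and only contains the defaults the guide changes; on a real server point CONF at /etc/apache2/httpd.conf (after copying it from httpd.conf-example) and set SERVER_FQDN. The request limits it appends are the guide's values, with the Apache defaults noted beside them.

```shell
#!/bin/sh
# Added example, not code from the original guide: apply the httpd.conf edits
# above with awk instead of by hand, then verify the result. The sample
# configuration below is constructed for the demo; on a real server point CONF
# at /etc/apache2/httpd.conf (after copying it from httpd.conf-example).
set -eu

CONF="${CONF:-$(mktemp)}"
SERVER_FQDN="${SERVER_FQDN:-www.example.com}"   # assumed server name

# Constructed excerpt with the defaults the guide changes
write_sample_conf() {
    cat > "$CONF" <<'EOF'
ServerTokens Full
ServerSignature On
User webservd
Group webservd
ServerName 127.0.0.1
Timeout 300
LoadModule cgi_module libexec/mod_cgi.so
LoadModule status_module libexec/mod_status.so
LoadModule info_module libexec/mod_info.so
LoadModule userdir_module libexec/mod_userdir.so
LoadModule autoindex_module libexec/mod_autoindex.so
LoadModule dav_module modules/mod_dav.so
DocumentRoot "/var/apache2/htdocs"
<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Rewrite the directives; the original is kept as $CONF.bak for diffing/rollback
harden() {
    cp "$CONF" "$CONF.bak"
    awk -v fqdn="$SERVER_FQDN" '
    BEGIN { n = split("cgi suexec imap proxy_ftp autoindex info status userdir cern_meta dav", m, " ")
            for (i = 1; i <= n; i++) off["LoadModule " m[i] "_module"] = 1 }
    $1 == "LoadModule" { key = $1 " " $2; if (key in off) { print "# " $0; next } }
    $1 == "User"  && $2 == "webservd" { print "User apache";  next }
    $1 == "Group" && $2 == "webservd" { print "Group apache"; next }
    $1 == "ServerName"      { print "ServerName " fqdn; next }
    $1 == "Timeout"         { print "Timeout 60"; next }
    $1 == "ServerSignature" { print "ServerSignature Off"; next }
    $1 == "ServerTokens" || $0 ~ /^# *ServerTokens/ { print "ServerTokens Prod"; next }
    $1 == "DocumentRoot"    { print "DocumentRoot \"/www\""; next }
    $0 ~ /^<Directory "\/var\/apache2\/htdocs">/ {
        print "<Directory \"/www\">"
        print "    Options -FollowSymLinks -Includes -Indexes -MultiViews"
        print "    AllowOverride None"
        print "    <LimitExcept GET POST>"
        print "        Deny from all"
        print "    </LimitExcept>"
        indoc = 1; next
    }
    indoc && ($1 == "Options" || $1 == "AllowOverride") { next }   # replaced above
    indoc && $0 ~ /^<\/Directory>/ { indoc = 0 }
    { print }
    END {
        print ""
        print "# Request limits: tune to the application. Apache defaults are"
        print "# LimitRequestFields 100, LimitRequestFieldSize 8190, LimitRequestLine 8190."
        print "LimitRequestBody 10000"
        print "LimitRequestFields 40"
        print "LimitRequestFieldSize 100"
        print "LimitRequestLine 500"
    }' "$CONF.bak" > "$CONF"
}

# Each check names what is wrong; verify returns non-zero if any check fails
must_have() { grep -q -- "$1" "$CONF" || { echo "FAIL: missing $1"; return 1; }; }
must_lack() { if grep -q -- "$1" "$CONF"; then echo "FAIL: found $1"; return 1; fi; }

verify() {
    rc=0
    must_have '^ServerTokens Prod'          || rc=1
    must_have '^ServerSignature Off'        || rc=1
    must_have '^User apache'                || rc=1
    must_have '^Group apache'               || rc=1
    must_have '^DocumentRoot "/www"'        || rc=1
    must_have '<LimitExcept GET POST>'      || rc=1
    must_have '^LimitRequestBody'           || rc=1
    must_lack '^LoadModule cgi_module'      || rc=1
    must_lack '^LoadModule status_module'   || rc=1
    must_lack '^LoadModule dav_module'      || rc=1
    must_lack 'Options.* Indexes'           || rc=1   # "-Indexes" has no space before it
    must_lack '^<Directory "/var/apache2'   || rc=1
    return $rc
}

# Number of modules still loaded after hardening
active_modules() { grep -c '^LoadModule' "$CONF" || true; }

write_sample_conf
harden
verify
echo "modules still loaded: $(active_modules)"
diff "$CONF.bak" "$CONF" || true   # show exactly what changed
```

The verify step is the part worth keeping around: run it again after every package update, since a new httpd.conf-example is a common way for a removed module or directive to come back.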
Hardening guide for Tomcat 5.5 on Solaris 10 platform
Pre-installation notes
This guide explains how to install Sun JDK 1.6 update 15 and Tomcat 5.5 on Sun Solaris 10.
Installation phase
- Login to the server using Root account.
- Make sure the folder /usr/jdk exists:
ls -ad /usr/jdk
- If the folder /usr/jdk doesn't exist, create it manually:
mkdir /usr/jdk
- Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
- Move to /usr/jdk folder
cd /usr/jdk
- Change the permissions on the JDK 1.6 (32bit) script:
chmod +x jdk-6u15-solaris-i586.sh
- Run the command bellow to install JDK 1.6 (32bit):
./jdk-6u15-solaris-i586.sh
- Change the permissions on the JDK 1.6 (x64) script:
chmod +x jdk-6u15-solaris-x64.sh
- Run the command bellow to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
- Delete the installer scripts, the bundled sources and the samples:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
- Remove the link for the Java
rm /usr/bin/java
- Create new link for the Java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
- Reload the links into memory (rehash is a csh/tcsh built-in; it is not needed when root's shell is sh):
rehash
- Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command below to install the Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
- Remove the following default folders:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
- Copy the server.xml configuration file (the command below is one line):
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
- Edit the file /var/apache/tomcat55/conf/server.xml using vi.
Uncomment the Valve element with className="org.apache.catalina.valves.AccessLogValve" so that every request is logged.
Replace the non-SSL HTTP/1.1 Connector. Note that server.xml is case-sensitive: the element is Connector and the attribute names are camel-cased (maxThreads, enableLookups, ...); lower-cased names are not recognised.
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
To:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
- Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section before the closing “web-app” tag. Because conf/web.xml is inherited by every web application, the constraint applies to these paths in all of them:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManager and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
- Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines:
<role rolename="admin"/>
<role rolename="manager"/>
<user username="admin" password="adminpass" roles="admin,manager"/>
Note: Replace “adminpass” with a complex password for the admin account (and document it securely). The file holds the password in clear text, so keep it readable by the tomcat user only.
- Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi.
Uncomment the Valve element with className="org.apache.catalina.valves.RemoteAddrValve".
Replace the value of the allow attribute:
From:
allow="127.0.0.1"
To:
allow="172\.16\.[0-9]+\.[0-9]+"
Note: allow and deny take a comma-separated list of regular expressions, each of which must match the whole client address. Escape the dots and anchor each octet: the loose pattern “172.16.*.*” also matches addresses such as 172.160.1.1. Replace the pattern with your internal network segment.
Example: allow="128\.117\.140\.62,128\.117\.140\.63,128\.117\.140\.99"
- Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi.
Inside the “Context” element, add the following line (the element is Valve and the attribute is className; the same casing rules as in server.xml apply):
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172\.16\.[0-9]+\.[0-9]+"/>
Note: As above, replace the pattern with your internal network segment.
Example: allow="128\.117\.140\.62,128\.117\.140\.63,128\.117\.140\.99"
- Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi and replace the strings below.
From:
server.info=Apache Tomcat/5.5.26
To:
server.info=Secure Web server
From:
server.number=5.5.26.0
To:
server.number=1.0.0.0
- Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the folder bellow:
rm -r /usr/apache/tomcat55/server/lib/org
- Create a group and a user account for the Tomcat service (the password is set and then locked, so the account cannot log in interactively but can still be used with su):
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/
passwd tomcat
passwd -l tomcat
- Create the file /etc/init.d/tomcat using vi with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
JAVA_HOME="/usr/jdk/jdk1.6.0_15"
export JAVA_HOME
CATALINA_HOME="/usr/apache/tomcat55"

case "$1" in
start)
        echo "Starting Tomcat"
        # su - starts a login shell for tomcat, so JAVA_HOME is set again inside -c
        su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $CATALINA_HOME/bin/startup.sh -security"
        ;;
stop)
        echo "Stopping Tomcat"
        su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $CATALINA_HOME/bin/shutdown.sh"
        ;;
restart)
        $0 stop
        $0 start
        ;;
*)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
- Change the permissions on the file /etc/init.d/tomcat
chmod u+x /etc/init.d/tomcat
- Create symbolic links for system-level startup and shutdown. On Solaris the /etc/rcN.d/K* scripts run when the system enters run level N, so a kill link placed in rc3.d would never run at shutdown; it belongs in /etc/rc0.d (on Solaris 10 an SMF manifest is the preferred alternative to rc links):
ln -s /etc/init.d/tomcat /etc/rc0.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
- Reload the links into memory (csh/tcsh only; not needed for sh):
rehash
- Change ownership of the server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*
Note: Tomcat only needs read access to its binaries, libraries and configuration. Owning /usr/apache/tomcat55 lets a compromised web application replace Tomcat's own jars, so prefer leaving that tree owned by root and giving the tomcat user write access only to logs, work, temp and webapps under /var/apache/tomcat55.
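Two checks for the Tomcat settings above, as an added example that is not code from the original guide. The first emulates how RemoteAddrValve evaluates its allow list (comma-separated regular expressions, each trimmed and required to match the whole client address) so an allow pattern can be tested before it is deployed; it shows that the loose pattern 172.16.*.* also admits 172.160.1.1 while the anchored pattern does not. The second scans a tomcat-users.xml for empty, placeholder or short passwords. The tomcat-users.xml it writes is constructed for the demo, and the list of placeholder passwords and the 12-character threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original guide. (1) RemoteAddrValve's
# allow/deny values are comma-separated regular expressions that must match the
# entire client address; addr_allowed emulates that with grep -E so an allow
# list can be tested before going live. (2) weak_tomcat_users flags placeholder
# passwords in tomcat-users.xml. The users file below is constructed for the demo.
set -eu

# Emulate Tomcat 5.5 RemoteAddrValve: split PATTERNS on commas, trim each
# pattern, and require a full-string match (java.util.regex Matcher.matches()).
# Returns 0 when ADDR is allowed. Java's \d is written [0-9] because grep -E is
# POSIX ERE.
addr_allowed() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r p; do
        p=$(printf '%s' "$p" | sed 's/^ *//; s/ *$//')
        [ -n "$p" ] || continue
        printf '%s\n' "$2" | grep -Eq "^($p)\$" && echo match
    done | grep -q match
}

USERS="${USERS:-$(mktemp)}"
# Constructed tomcat-users.xml: one placeholder password, one empty, one strong
cat > "$USERS" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user roles="admin,manager" password="adminpass" username="admin"/>
  <user username="ops" password="" roles="manager"/>
  <user username="deploy" password="Xk9#qLm2vP7!rT4w" roles="manager"/>
</tomcat-users>
EOF

# Report accounts whose password is empty, a well-known placeholder (assumed
# list), or shorter than 12 characters (assumed threshold). Attribute order
# inside <user> does not matter.
weak_tomcat_users() {
    grep '<user ' "$1" | while read -r line; do
        user=$(printf '%s' "$line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        pass=$(printf '%s' "$line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        case "$pass" in
            ""|adminpass|admin|tomcat|password|s3cret) echo "$user: empty or placeholder password" ;;
            *) [ ${#pass} -ge 12 ] || echo "$user: password shorter than 12 characters" ;;
        esac
    done
}

# Demo: the guide's loose pattern versus an anchored one
for a in 172.16.5.5 172.160.1.1 10.0.0.1; do
    loose=$(addr_allowed '172.16.*.*' "$a" && echo allow || echo deny)
    strict=$(addr_allowed '172\.16\.[0-9]+\.[0-9]+' "$a" && echo allow || echo deny)
    printf '%-12s 172.16.*.* -> %-5s  anchored -> %s\n' "$a" "$loose" "$strict"
done
weak_tomcat_users "$USERS"
```

Point USERS at the real /var/apache/tomcat55/conf/tomcat-users.xml to run the second check on a server; the first check only needs the pattern string you intend to put in the allow attribute.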