
Overview

It is possible to encrypt all communications between Infinit.e and its clients using SSLv3 (TLSv1).

It is not currently possible to encrypt some operations (e.g. authentication) and leave others (e.g. document access) in cleartext for speed: either everything or nothing is encrypted.

The following steps are necessary:

  • Create a certificate
  • Get the certificate signed by a Trusted 3rd Party (in theory this is optional, though most browser/Java-based clients will refuse to connect to a server presenting a self-signed certificate)
  • Configure the tomcat server (via the "infinite.configuration.properties" file) to support SSL
  • Drop the required certificate into the tomcat home directory ("/usr/tomcat6/share")
  • For EC2 installs using a load-balancer, upload the certificate to EC2.

Creating a certificate

There is nothing Infinit.e-specific about certificate creation. The systems administrator should consult other help sources for certificate creation.

The official tomcat6 documentation is here.

This web page provides a good overview of certificate creation in practice (and also discusses getting it signed by a 3rd party; see the next section).

Getting a certificate signed

Again, there is nothing Infinit.e-specific about SSL certificates. Once the certificate has been generated, a systems administrator will have to choose a Trusted Authority in order to get it signed.

The chosen Trusted Authority will likely have instructions on their website; as an example, here is GoDaddy's (which we successfully followed for *.ikanow.com).

Integration with Infinit.e Enterprise

The first thing the systems administrator will need to do is copy their certificate, private key, and certificate authority certificate into a location that is not served by apache (i.e. outside the web document root). On Red Hat and CentOS this location is /etc/pki/tls/*. In the example below, ca.crt is the certificate, ca.key is the private key, and ca_bundle.crt is the certificate authority certificate.

Copy Certificates
# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs/ca.crt
cp ca_bundle.crt /etc/pki/tls/certs/ca_bundle.crt
cp ca.key /etc/pki/tls/private/ca.key

After the certificates and private key are copied to the correct location, the next step will be to edit apache's SSL configuration file (ssl.conf).

Edit ssl.conf
vi /etc/httpd/conf.d/ssl.conf

There are three directives that need to be changed in this file: SSLCertificateFile, SSLCertificateKeyFile, and SSLCACertificateFile. The system administrator should change these directives to point to the certificate file (ca.crt), the private key (ca.key), and the certificate authority certificate (ca_bundle.crt) respectively.

Edit ssl.conf
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
SSLCACertificateFile /etc/pki/tls/certs/ca_bundle.crt

After these changes apache will need to be restarted.

Restart apache
/etc/init.d/httpd restart
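The three steps above (copy the files, point ssl.conf at them, restart httpd) as one script. This is an added example, not part of the Infinit.e documentation or product; it assumes the paths named on this page (/etc/pki/tls/certs, /etc/pki/tls/private, /etc/httpd/conf.d/ssl.conf) and an RSA key, and adds the checks a sysadmin usually wants at this point: the private key ends up readable by root only, the directive edits are idempotent (a commented-out default line is replaced rather than duplicated), the certificate is checked against the key, and the configuration is syntax-tested before the service is restarted. Every function takes its paths as arguments so it can be dry-run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the Infinit.e documentation). Default paths are the
# ones on the page and are assumptions about your install.

# install_tls_files SRC_DIR TLS_BASE
# Copies ca.crt, ca_bundle.crt and ca.key from SRC_DIR into TLS_BASE/certs and
# TLS_BASE/private; the private key is made readable by root only.
install_tls_files() {
    src="$1"; base="$2"
    mkdir -p "$base/certs" "$base/private"
    cp "$src/ca.crt" "$base/certs/ca.crt"
    cp "$src/ca_bundle.crt" "$base/certs/ca_bundle.crt"
    cp "$src/ca.key" "$base/private/ca.key"
    chmod 644 "$base/certs/ca.crt" "$base/certs/ca_bundle.crt"
    chmod 600 "$base/private/ca.key"
}

# set_ssl_directive CONF NAME VALUE
# Rewrites the first active or commented-out NAME line in CONF to "NAME VALUE",
# drops any later duplicates, and appends the directive if it was absent.
set_ssl_directive() {
    conf="$1"; name="$2"; value="$3"
    awk -v n="$name" -v v="$value" '
        $1 == n || $1 == ("#" n) || ($1 == "#" && $2 == n) {
            if (!done) { print n " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print n " " v }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ssl_directive_value NAME CONF: prints the value of the active NAME directive.
ssl_directive_value() {
    awk -v n="$1" '$1 == n { print $2; exit }' "$2"
}

# configure_ssl_conf CONF TLS_BASE: points the three directives at the installed files.
configure_ssl_conf() {
    conf="$1"; base="$2"
    set_ssl_directive "$conf" SSLCertificateFile    "$base/certs/ca.crt"
    set_ssl_directive "$conf" SSLCertificateKeyFile "$base/private/ca.key"
    set_ssl_directive "$conf" SSLCACertificateFile  "$base/certs/ca_bundle.crt"
}

# cert_matches_key CERT KEY: returns 0 when the certificate's RSA modulus equals
# the private key's, i.e. the two files belong together. Catches a stale or
# mismatched file before httpd refuses to start. Requires openssl.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# restart_httpd: syntax-check the configuration first so a typo in ssl.conf does
# not take the service down, then restart with the page's init script.
restart_httpd() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest || return 1
    fi
    /etc/init.d/httpd restart
}

main() {
    src="${1:-.}"; base="${2:-/etc/pki/tls}"; conf="${3:-/etc/httpd/conf.d/ssl.conf}"
    cert_matches_key "$src/ca.crt" "$src/ca.key" || {
        echo "ca.crt does not match ca.key; aborting" >&2; return 1; }
    install_tls_files "$src" "$base"
    configure_ssl_conf "$conf" "$base"
    restart_httpd
}

# Usage (as root): sh install_infinite_tls.sh --apply [SRC_DIR] [TLS_BASE] [SSL_CONF]
if [ "${1:-}" = "--apply" ]; then shift; main "$@"; fi
```

The directive rewrite uses awk rather than `sed -i` so it behaves the same on GNU and BSD userlands, and it matches both `#SSLCertificateFile` and `# SSLCertificateFile` because stock ssl.conf files ship with the directives commented out in either form; appending a second active copy would leave httpd using whichever comes last.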