Chapter 5 Enabling the Secure Socket Layer Protocol

  Table of Contents

  Glossary

  Index

To enhance the security of communications between your Web browser and administrative instances of the Secure Web Server, the Secure Web Servers have built-in support for the Secure Socket Layer (SSL) protocol. This chapter describes how SSL provides secure Internet connections and how to use Internet Express to enable SSL on your server.

SSL Concepts

The SSL protocol is a widely used method for performing secure transactions on the Web. This protocol is supported by most Web servers and clients including Netscape Navigator and Microsoft Internet Explorer.

SSL provides privacy, guaranteed through encryption. Although information can be intercepted by a third party, the perpetrator cannot read the information without the private encryption key (session key). If the information is received and will not decrypt properly, the recipient can determine that the information has been tampered with during transmission. Authentication is provided through digital certificates generated for SSL, though the source of digital certificates might not always be credible for online payment transactions.

SSL encryption uses a secret key nested within public key encryption, authenticated through certificates. Secret key encryption provides faster access than public-key encryption alone. Initially, the client and server exchange public keys, and then the client generates a session key for a specific transaction. The client encrypts the session key with the server's public key and sends the information to the server. Then, and for the remainder of the transaction, the client and the server use the session key for private key encryption.

Completing a transaction with an SSL-enabled server follows this general procedure:

  1. A client sends a request for a document to be transmitted using the https: protocol by prefixing the URL with https://.

  2. The server sends the client its certificate.

  3. The client verifies that the certificate was issued by a trusted Certificate Authority (CA). If the client does not verify the CA, it gives the user the option to continue or to terminate the transaction.

  4. The client compares information in the certificate with information received concerning the site; specifically, the domain name and the public key. If the information matches, the client accepts the site as authentic.

  5. The client tells the server what ciphers (encryption algorithms) it uses to communicate.

  6. The client generates a session key using the agreed-upon cipher.

  7. The client encrypts the session key with the server's public key and sends the information to the server.

  8. The server receives the encrypted session key and decrypts the information with the session key.

  9. The client and the server then use the session key for the remainder of the transaction.

For additional information about SSL, see the mod-ssl Web site:

http://www.modssl.org/docs

Enabling SSL Support from the Web Server Administration Utility

Using the Web Server Administration utility, you can manage support for SSL connections. Follow these steps:

  1. On the Secure Web Server Administration menu, select the Web server for which you want to enable (or disable) SSL support, for example, the public Web server. The Manage the Public Web Server menu is displayed (see Figure 2-11).

  2. Choose Manage SSL for the Public Web Server. The SSL menu options are displayed (Figure 5-1: Manage SSL for the Public Web Server Menu), initially showing the following options:

  3. Proceed to generate a private key (Section : Generating a Private Key) and request a digital certificate (Section : Generating a Certificate Request).

    Note:

    The steps for managing SSL that are described in this chapter use public Web server examples. Steps for managing SSL for the Administration Web Server are identical.

Figure 5-1 Manage SSL for the Public Web Server Menu

Manage SSL for the Public Web Server Menu

When you enable SSL for the first time, you must generate a private key and then generate a certificate request. A Certificate Authority (CA), such as VeriSign (http://www.verisign.com), processes the request and provides you with an official digital certificate. While waiting for your official digital certificate, you can generate and install a test certificate. These steps are described in “Generating a Private Key” through Section : Generating and Installing a Test Certificate.

For information on setting up an Apache Web server with SSL without using the Secure Web Server Administration utility, visit the Apache Web site at the following URL:

http://www.apache.org/

Generating a Private Key

SSL uses on asymmetric key encryption to encode and decode data that is transmitted to and from the Web server. SSL key encryption requires two keys: a private key and a public key. The private key resides on the Web server system and must be kept secure. Before you can perform other steps to set up an SSL connection, you must generate a private key.

To generate a private key, perform these steps:

  1. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  2. Choose Generate a Private Key. The Generate a Private Key menu is displayed, informing you whether a private key already exists.

  3. Click Submit to generate a private key. When you generate a private key, the key is saved to following file for each server:

    /usr/internet/httpd/server/conf/ssl.key/server.key

    Where server is the name of the server you are modifying for SSL, as follows:

    • Public Web servers:

      /usr/internet/httpd/conf/ssl.key/server.key

    • Administration Web Server:

      /usr/internet/httpd/admin/conf/ssl.key/server.key

    If a private key already exists, the existing key is saved in a separate server.n.key file where n is an integer incrementing from 1.

Figure 5-2 shows that a private key has been generated for the public Web server and the location of the server.key file. Note that you can generate a certificate request directly from this page, from which you can display the Generate a Certificate Request form. See Section  for complete steps for generating a certificate request.

Figure 5-2 Generate a Private Key — Results

Generate a Private Key

Generating a Certificate Request

After you have generated a private key (Section ), you can generate a certificate request that provides information about your company and private key to a Certificate Authority (CA). From this request, an X.509 certificate signing request (CSR) is created.

To generate a certificate request, perform these steps:

  1. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  2. Choose Generate a Certificate Request. The Generate a Certificate Request form is displayed (Figure 5-3).

    Figure 5-3 Generate a Certificate Request Form

    Generate a Certificate Request Form
  3. Enter your company data in the text fields.

    A two-character country code is required by your CA. For the country code, enter an official ISO standard two-character country code as defined in ISO Standard 3166-1:

    http://www.iso.org/iso/en/ISOOnline.frontpage

    For the Common Name field, use the fully qualified domain name of your server (for example, www.server.wyxcorp.com).

  4. Click on Submit. From the information you provided, an X.509 certificate signing request (CSR) is created. The certificate request displays in your browser window and is saved in the /usr/internet/httpd/server/conf/ssl.csr/server.csr file, where server is the name of the server you are modifying. For the Web Server Public Instance, the certificate request file is saved in /usr/internet/httpd/conf/ssl.csr/server.csr.

  5. To complete the certificate request process, copy information from the browser window or copy the contents from the CSR file and send the information (along with required paperwork and payment) to a Certificate Authority (CA) such as VeriSign (http://www.versign.com). The highlighted text in Figure 5-4 shows the information that you send to your CA.

    Note that you can generate a test certificate directly from this page. See Section  for complete steps for generating a test certificate.

    Figure 5-4 Certificate Request Success Notice

    Certificate Request Success Notice

Generating and Installing a Test Certificate

Before you receive your official certificate, you can generate a self-signed certificate and test establishing secure connections from your server.

To generate and install a test certificate, perform these steps:

  1. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  2. Choose Generate and Install a Test Certificate. The Generate and Install a Test Certificate form is displayed.

  3. Click on Submit. The test certificate is saved in the /usr/internet/httpd/server/conf/ssl.crt/server.crt file, where server is the name of the server you are modifying. When you generate and install an official certificate, it is saved in the same file.

    For example, for the public Web server, the test certificate or official certificate is stored in /usr/internet/httpd/conf/ssl.crt/server.crt. If you had a previous certificate, the new certificate overwrites the server.crt file. However, existing certificates are saved under a new name. Figure 5-5 shows the message displayed when successfully installing the test certificate.

    Figure 5-5 Test Certificate Installation Success Notice

    Test Certificate Installation Success Notice

    With a test certificate in place, you can now try enabling SSL on the server.

  4. On the Generate and Install Test Certificate form (Figure 5-5), click on the Manage SSL button to enable SSL using the installed test certificate. The Manage SSL for the Public Web Server form will be displayed as shown in Figure 5-9. See Section  for instructions on enabling and disabling SSL for a Web server using this form.

When you generate a test certificate, it is automatically installed. The Manage SSL main menu changes to show two additional options, as shown in Figure 5-6.

Figure 5-6 Manage SSL Main Menu with Additional Options

Manage SSL Main Menu with Additional Options

With a test certificate in place, you can now try connecting to the SSL-enabled system. Note that when you make an SSL connection to a server using a self-signed test certificate, you are warned that the certificate is signed by an untrusted source. The system gives you the option to accept the certificate and connect to the Web server.

To view the contents of the certificate, see Section : Viewing Certificate Details.

Installing a Digital Certificate

When you receive a digital certificate from your Certificate Authority, you must then install it to the proper location.

To install a certificate, perform these steps:

  1. Determine that the certificate you received is compatible with the private key you created in Section : Generating a Private Key. The key and certificate must be compatible for the certificate to install properly.

  2. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  3. Choose Install a Certificate. The Install a Certificate form is displayed.

  4. Cut and paste the contents from the official certificate into the Install a Certificate text field, shown in Figure 5-7.

    Figure 5-7 Install a Certificate Text Field

    Install a Certificate Text Field
  5. Click on Submit. The certificate file is copied to the /usr/internet/httpd/server/conf/ssl.crt/server.crt file, where server is the name of the system you are modifying.

    If you generated and installed a test certificate (Section : Generating and Installing a Test Certificate), the test certificate file (server.crt) is overwritten with the official certificate file and is saved under a new name (for example, server.2.crt).

After successfully installing the certificate, the Manage SSL main menu provides two additional options that let you:

These options also appear on the Manage SSL main menu when you generate and install a test certificate (Figure 5-6).

Viewing Certificate Details

The View Certificate Details option enables you to display certificate information in a readable format. This certificate file includes information you provided when you requested the certificate (Section : Generating a Certificate Request), information from the CA, and information about your public key.

  1. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  2. Choose View Certificate Details. The certificate stored in /usr/internet/httpd/server/conf/ssl.crt/server.crt is displayed in readable format. Figure 5-8 shows the information in an example certificate.

    Figure 5-8 Certificate File in Readable Format

    Certificate File in Readable Format

Enabling and Disabling SSL for a Web Server

After obtaining a private key and an official certificate, you can enable (or disable) SSL capabilities for your Web server. When you enable SSL, the Web server's runtime configuration file (/usr/internet/httpd/server/conf/.httpdrc) is revised to instruct the Web server to use SSL when it restarts. Enabling SSL affects the public and administration servers as follows:

  • For the public Web server instance, you can connect to the secure Port 443 using the https: prefix. Note that you also can continue connecting to Port 80 using a non-secure connection using the http: prefix.

  • For the Administration Web Server instance, the port defined for each server is changed. You can only connect as a secure port using the https: prefix and the same port number. Once you connect to one of the administration servers, the Administration utility manages the connection to the other servers, using the proper type of connection.

To enable (or disable) SSL capabilities for a Web server:

  1. From the server administration menu, choose Manage SSL for the desired server. For example, from the Manage the Public Web Server menu, choose Manage SSL for the Public Web Server. The Manage SSL for the Public Web Server menu is displayed.

  2. Choose the Enable button or the Disable button at the bottom of the form to enable or disable SSL for the server, respectively.

    Figure 5-9 shows the confirmation page after SSL has been enabled on the server.

    Figure 5-9 Enable SSL Confirmation Page

    Enable SSL Confirmation Page

Testing Your SSL Connection

Test your secure connection after enabling SSL for public and administration servers, as follows:

  • For a public Web server, the standard https: port is 443. When you specify a URL as https://www.xxx.com/, for example, it automatically uses Port 443. Also test access to the nonsecure public server Port 80 by using httpd: after enabling SSL. (See Section  for additional considerations when enabling SSL for public Web servers.)

  • For an administration server, the same port is used for all connections, regardless of whether SSL is enabled. With SSL enabled, you can only access this server using https://www.xxx.com:8081/. Using http: will produce an error message asking you to specify https: (Figure 5-10). The administration server menus determine which protocol to use, http: or https:, and will advise you when you first connect.

Figure 5-10 SSL Connections Error Message

SSL Connections Error Message

Note:

After enabling SSL and changing a connection from nonsecure to secure, you might not be able to use the Back button of your browser to navigate to pages viewed prior to enabling SSL. Similarly, disabling SSL and changing a connection from secure to nonsecure might affect use of the Back button. This happens because the saved prefix might no longer be valid.

Specifying Public Web Server Access to HTTP and HTTPS Connections

After enabling SSL for the Web Server Public Instance, the data hierarchy you created (by default, /usr/internet/httpd/htdocs) will be accessible either using the standard http: protocol or the SSL-enabled https: protocol.

To limit access just to https: connections, perform these steps:

  1. From the Secure Web Server Administration menu, choose Manage the Public Web Server.

  2. Choose Change Configuration Parameters.

  3. Choose Change Listening Ports and Addresses and remove Port 80 from the list of active ports and make Port 443 the primary port.

  4. Click Submit to update the configuration file and restart the public Web server.

If you want the public Web server to respond to both http: requests on Port 80 and https: requests on Port 443 while maintaining separate data hierarchies, you must manually change the public Web server configuration file /usr/internet/httpd/conf/httpd.conf. Any https: directories must be defined within the SSL VirtualHost directive. (In the configuration file, search for the line <VirtualHost _default_:443>.)

Directory, Location, or File directives placed within the SSL VirtualHost directive, as well as Alias and ScriptAlias directives placed within the SSL VirtualHost directive, can only be accessed when SSL is enabled and when https: connections are used. By changing the value of the DocumentRoot directive within the SSL VirtualHost directive, you can specify a default location specific to https: connections.

Migrating Your Netscape Digital Certificate to the Secure Web Server

This section describes how to migrate a Netscape Web Server digital certificate to the Secure Web Server, which will then allow you to migrate Netscape (iPlanet) Web Server SSL users to an SSL-enabled Secure Web Server.

Prerequisites for Migration

Before you can migrate your Netscape digital certificate to the Secure Web Server, you must first access the Netscape Web Server's private key. You use this key as the Secure Web Server's private key when installing the digital certificate. You must also save a copy of the Netscape Web Server's digital certificate in order to install it in the Secure Web Server.

The Secure Web Server must have the same Common Name and IP address as the Netscape Web Server. This data was used when creating the Certificate Signing Request that you sent to your Certificate Authority when requesting the digital certificate. The Common Name is usually the same as the fully qualified host name of the server.

Migrating the Netscape Digital Certificate

Follow these steps to migrate your Netscape Web Server private key and digital certificate to the Secure Web Server:

  1. Login as root on the system where you installed both Web servers and start the Netscape Communicator 4.X Web browser:

    # su root
    # /usr/bin/X11/netscape &
  2. Create a backup copy of the Web browser certificate file and the private key database file in the root user's $HOME/.netscape directory:

    # cp -pf  /.netscape/key3.db /.netscape/key3.db.orig
    # cp -pf  /.netscape/cert7.db /.netscape/cert7.db.orig
  3. Copy the Netscape Web Server digital certificate file and private key database file from the Web server root to the /.netscape directory, overwriting the Web browser certificate file and key database file:

    # cp -pf Netscape server root/alias/server key database name-key3.db/\
    .netscape/key3.db
    # cp -pf Netscape server root/alias/server certificate database name-cert7.db /\
      .netscape/cert7.db
  4. Export the Web Server private key database to a PKCS#12 (PFX) format certificate file using Netscape Communicator, as follows:

    1. Under the Communicator pull down menu, select the Security Info option in the Tools menu. (Alternately, click on the padlock icon in the bottom left hand corner of the Web browser.) The Security Info dialog box is displayed.

    2. Select the Yours option under Certificates in the Security Info dialog box. The Server-Cert certificate appears in the displayed list.

    3. Select the Server-Cert certificate and click on the Export button.

      Note:

      You must use the same password you used for the Netscape Web Server key database when prompted to enter the passwords for accessing and exporting the certificate.

    4. Export the certificate to the PKCS#12 format certificate file by entering the name of the file (for example, cert.p12) in the Save As pop-up menu, then click on OK.

  5. Extract the private key from the PKCS#12 format certificate file (cert.p12) using the OpenSSL pkcs12 command. Save the private key to a PEM-format private key file, using the same password you entered for the import password and PEM pass phase:

    # /usr/internet/httpd/bin/openssl pkcs12 -nocerts -in/\
    .netscape/cert.p12 -out /.netscape/key.pem
    Enter Import Password: password
        MAC verified OK 
        Enter PEM pass phrase: 
        Verifying password - Enter PEM pass phrase: password
  6. Remove the PEM pass phase from the private key file using the OpenSSL rsa command:

    # /usr/internet/httpd/bin/openssl rsa -in /.netscape/\
    key.pem -out /.netscape/keyout.pem 
        read RSA key
    Enter PEM pass phrase: password
    writing RSA key
  7. Create the Secure Web Server Private Key directory and copy the private key file to the server.key file into the directory:

    # mkdir -p /usr/internet/httpd/server name/conf/ssl.key
    # chown root:system /usr/internet/httpd/server name/conf/ssl.key
    # chmod 640 /.netscape/keyout.pem
    #chown root:nobody /.netscape/keyout.pem
    #cp -pf /.netscape/keyout.pem /usr/internet/httpd/\
    server name/conf/ssl.key/server.key
    Note:

    The server name directory should be omitted when creating the private key file for the Public Web Server instance.

  8. Copy back the original Web browser certificate file and key database file overwriting the Web Server certificate file and key database file, then remove the files you created:

    # cp -pf  /.netscape/key3.db.orig /.netscape/key3.db
    # cp -pf  /.netscape/cert7.db.orig /.netscape/cert7.db
    # rm -f /.netscape/cert.p12 /.netscape/key.pem /.netscape/keyout.pem
  9. Using the copy of the Netscape Web Server certificate you recieved back from your Certificate Authority, install the digital certificate into the Secure Web Server using the Install a Certificate form provided in the Secure Web Server Administration server (see Section ).