| 1 | == Linking to files on a https server == |
| 2 | |
| 3 | On this page I will try to write about setting up an environment with files on an external web server that uses https and requires client authentication to access the files. It is a long procedure and there are probably multiple ways to do it and multiple ways to screw up if you are not careful. The first step is setting up an Apache HTTP server and configure it to use https and only accept clients that are authenticated with a trusted certificate. |
| 4 | |
| 5 | === Setting up a secure Apache server === |
| 6 | |
| 7 | I more or less followed the instruction in [http://www.vanemery.com/Linux/Apache/apache-SSL.html Van's Apache SSL/TLS mini-HOWTO]. The key idea is that you first setup your own Certification Authority. This makes it easier to setup a trusted chain of certificates since you will only need to import the CA-certificate to also trust all other certificates signed by it. |
| 8 | |
| 9 | Create a CA-certificate as described in step 1. |
| 10 | |
| 11 | Create a certificate for the web server and sign it with the CA-certificate as described in step 2. |
| 12 | |
| 13 | Steps 3-4 are about configuring the Apache server to use the generated certificates. Use the suggested configuration as a starting point. After this step the web server can run as a https server but it will allow any client to connect. |
| 14 | |
| 15 | To allow only clients with a trusted certificate to connect add this to the configuration file: |
| 16 | |
| 17 | {{{ |
| 18 | SSLVerifyClient require |
| 19 | SSLVerifyDepth 1 |
| 20 | }}} |
| 21 | |
| 22 | Due to recently discovered security issues with SSL the above should be applied to the entire server. The guide suggests that you can add this to a sub-directory but it may not work until all clients have fixed their implementation. For example, Java 1.6.0_20 (which is the newest Java version when I write this) has disabled re-negotiation (See [http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html] for detailed background information) |
| 23 | |
| 24 | This should complete the server-side setup. |
| 25 | |
| 26 | === Creating a signed certificate for the BASE server === |
| 27 | |
| 28 | We need to create a client certificate for the BASE server that the Apache server can trust. The section ''Creating Client Certificates for Authentication'' in the mini-guide is useful only for certificates that should be used in Firefox or Internet explorer. I could not get certificates that was generated by that recipe to work with the BASE server. Instead we need to use the '''keytool''' program that is shipped with Java. Most of the information that we need can be found in the [http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html Keytool documentation]. Be aware that some of the examples override default settings and some doesn't. You'll need to be more consistent, particularly with 'alias' and 'keystore' parameters. |
| 29 | |
| 30 | The first step is to create a key for the BASE server. Follow the instructions in the ''Generating Your Key Pair'' section in the examples chapter. |
| 31 | |
| 32 | The second step is to create a Certificate Signing Request. Follow the instruction in the ''Requesting a Signed Certificate from a Certification Authority'' in the examples chapter. |
| 33 | |
| 34 | The file that is generated needs to be signed by the CA-certificate that we created in the first step when setting up the Apache server. For this we can once again follow the mini-guide. It is the third '''openssl''' command in the ''Creating Client Certificates for Authentication'' section: |
| 35 | |
| 36 | {{{ |
| 37 | openssl x509 -req -in van-c.csr -out van-c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650 |
| 38 | }}} |
| 39 | |
| 40 | Now, we need to use the keytool again to import the signed certificate, but before we can do this we need to trust the CA-certificate that we used for signing. Import the CA-certificate into the 'cacerts' file (found in <java-home>/jre/lib/security/cacerts). Follow the descriptions in the ''Importing a Certificate for the CA'' section in the examples chapter. Make sure that you import to the 'cacerts' file and not to the keystore as in the example. |
| 41 | |
| 42 | The final step is to import the signed certificate to the keystore. This is easy and is described in the ''Importing the Certificate Reply from the CA'' section. |
| 43 | |
| 44 | |
| 45 | === Configuring the BASE server === |
| 46 | |
| 47 | You'll need to instruct BASE to load the keystore and truststore files. This is described in the [http://base.thep.lu.se/chrome/site/latest/html/appendix/appendix.base.config.html base.config documentation]. |
| 48 | |
| 49 | Test everything by adding a file item in BASE that points to a URL on the Apache server. |
| 50 | |