Go to the mod_ssl directory and follow the excellent instructions in
the INSTALL file. Here are the gotchas I found:
1) Do NOT do the usual things (configure, make, make install). They
have to be done following the mod_ssl procedure instead.
2) In installing OpenSSL, follow the EU instructions and don't get
rsaref.
3) After OpenSSL is installed, and before configuring mod-ssl, you
need to create a certificate request using openssl.
-> Put a randomizing seed file into .rnd (used to seed OpenSSL's PRNG):
cp /var/adm/wtmpx .rnd
-> openssl req -new
When it asks you for certificate information, the State is "Server"
(without the ""), and give the location as your "city, ST" (again without the "").
-> Put the key privkey.pem in the /usr/local/ssl/private directory
-> Cut and paste the certificate request into my CA server Web page:
https://mmc.epm.ornl.gov (select manual server enrollment).
-> Retrieve the certificate and put it into /usr/local/ssl/certs with
a .crt extension.
4) To configure mod-ssl, I used:
# ./configure \
> --with-apache=../apache_1.3.12 \
> --with-ssl=../openssl-0.9.5a \
> --with-mm=../mm-1.1.2 \
> --with-crt=/usr/local/ssl/certs/hopi.crt \
> --with-key=/usr/local/ssl/private/privkey.pem \
> --prefix=/usr/local/apache \
> --enable-shared=ssl \
> --disable-rule=SSL_COMPAT \
> --enable-rule=SHARED_CORE \
> --enable-module=so
5) The mod-ssl configure utility tells you how to make and install Apache.
6) The SSL-enabled Apache worked for me the very first time on my Solaris 2.6 machine!
2) Configure /usr/local/apache/conf/httpd.conf.
Uncomment and modify the two lines
SSLVerifyClient require
SSLVerifyDepth 1
and uncomment and modify the line
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt
so the server can find your CA certificate.
3) Stop and restart the SSL server.
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl
Your site will now use SSL, require user certificates, and be only accessible
to people with MMC certificates.
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="MMC CA"
SSL_CLIENT_I_DN_L="Oak Ridge, TN"
SSL_CLIENT_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_I_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_I_DN_ST="Administrator"
SSL_CLIENT_M_SERIAL="05"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/ST=Administrator/L=Oak Ridge, TN/0.9.2342.19200300.100.1.1=jar/CN=James A. Rome/Email=jar@y12.doe.gov"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="James A. Rome"
SSL_CLIENT_S_DN_Email="jar@y12.doe.gov"
SSL_CLIENT_S_DN_L="Oak Ridge, TN"
SSL_CLIENT_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_S_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_S_DN_ST="Administrator"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Jan 16 14:30:35 2005 GMT"
SSL_CLIENT_V_START="Jan 18 14:30:35 2000 GMT"
In particular, note that the SSL_CLIENT_I_DN_ST variable is used for
role-based access control.
The following "roles" have been defined by me:
Role          | Who holds it                        |
Administrator | Jim Rome only                       |
Server        | All MMC secure Server Certificates  |
Guest         | Lurkers                             |
Student       | Limited control                     |
Researcher    | Full control                        |
Operator      | Facility operators                  |
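As an added example (not code from the original page), here is a small CGI script that turns the certificate fields mod_ssl exports, shown in the printenv output on this page, into a role decision. It assumes the role is carried in the ST field of the client certificate's subject DN (the field step 3 sets to "Server" for server certificates), and the resource-to-role policy it encodes is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Maps the mod_ssl environment
# variables of a client-certificate request to an allow/deny decision.
# Assumption: the role is the ST field of the client's subject DN; the
# resource-to-role policy below is constructed for this example.

# role_allowed ROLE RESOURCE: succeeds when ROLE may reach RESOURCE.
role_allowed() {
    case "$2" in
        control) case "$1" in Administrator|Researcher) return 0 ;; esac ;;
        status)  case "$1" in Administrator|Researcher|Operator|Student) return 0 ;; esac ;;
        index)   case "$1" in Administrator|Researcher|Operator|Student|Guest|Server) return 0 ;; esac ;;
    esac
    return 1
}

# client_role: prints the role, or fails unless the request arrived over SSL
# with a client certificate Apache verified (SSLVerifyClient require) and that
# certificate was issued by the MMC CA. The issuer check keeps the decision
# tied to our CA rather than to any certificate Apache happens to trust.
client_role() {
    [ "${HTTPS-}" = "on" ] || return 1
    [ "${SSL_CLIENT_VERIFY-}" = "SUCCESS" ] || return 1
    [ "${SSL_CLIENT_I_DN_CN-}" = "MMC CA" ] || return 1
    case "${SSL_CLIENT_S_DN_ST-}" in
        Administrator|Server|Guest|Student|Researcher|Operator)
            printf '%s\n' "$SSL_CLIENT_S_DN_ST" ;;
        *) return 1 ;;
    esac
}

# decide RESOURCE: prints "ALLOW <role>" and succeeds, or prints "DENY" and fails.
decide() {
    _role=$(client_role) || { echo DENY; return 1; }
    if role_allowed "$_role" "$1"; then echo "ALLOW $_role"; return 0; fi
    echo DENY
    return 1
}

# CGI entry point: the resource name comes from QUERY_STRING (default index).
if [ "${GATEWAY_INTERFACE-}" = "CGI/1.1" ]; then
    if _verdict=$(decide "${QUERY_STRING:-index}"); then
        printf 'Content-Type: text/plain\r\n\r\n%s for %s\r\n' "$_verdict" "${SSL_CLIENT_S_DN_CN-}"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nDENY\r\n'
    fi
fi
```

Drop it into the Apache cgi-bin directory next to printenv and call it as /cgi-bin/<name>?control, ?status or ?index to see the verdict for the presented certificate.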
The Mod-SSL manual Chapter 5 gives complete instructions on how to do things like:
In general, follow the user guide in the tomcat_ug.html file included
with the distribution. However, we encountered the following problems in
our build on Sun OS 2.6 with the Sun C++ compiler:
Apache/Tomcat also puts the certificate data into environment variables, similar to IIS5. You can see these variables by making the printenv program in the Apache cgi-bin directory executable.
On my machine, https://hopi.ciit.y12.doe.gov/cgi-bin/printenv yielded the following:
DOCUMENT_ROOT="/usr/local/apache/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*"
HTTP_ACCEPT_CHARSET="iso-8859-1,*,utf-8"
HTTP_ACCEPT_ENCODING="gzip"
HTTP_ACCEPT_LANGUAGE="en"
HTTP_CONNECTION="Keep-Alive"
HTTP_HOST="hopi.ciit.y12.doe.gov"
HTTP_USER_AGENT="Mozilla/4.73 [en] (WinNT; U)"
PATH="/usr/dt/bin:/usr/openwin/bin:/bin:/usr/bin:/usr/ucb:/usr/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ccs/bin:/opt/NSCPcom:/data/j2sdk1.3/bin:/export/home/SoftWindows/bin:/export/home/Workshop/SUNWspro/bin:/export/home/java/Java-WorkShop2.0/JWS/sparc-S2/bin"
QUERY_STRING=""
REMOTE_ADDR="134.167.144.30"
REMOTE_PORT="1828"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/usr/local/apache/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="134.167.144.31"
SERVER_ADMIN="root@hopi.CIIT.ORNL.GOV"
SERVER_NAME="hopi.CIIT.ORNL.GOV"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.0"
SERVER_SIGNATURE="<ADDRESS>Apache/1.3.12 Server at hopi.CIIT.ORNL.GOV Port 443</ADDRESS>\n"
SERVER_SOFTWARE="Apache/1.3.12 (Unix) tomcat/1.0 mod_ssl/2.6.4 OpenSSL/0.9.5a"
SSL_CIPHER="RC4-MD5"
SSL_CIPHER_ALGKEYSIZE="128"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="128"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="MMC CA"
SSL_CLIENT_I_DN_L="Oak Ridge, TN"
SSL_CLIENT_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_I_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_I_DN_ST="Administrator"
SSL_CLIENT_M_SERIAL="05"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/ST=Administrator/L=Oak Ridge, TN/0.9.2342.19200300.100.1.1=jar/CN=James A. Rome/Email=jar@y12.doe.gov"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="James A. Rome"
SSL_CLIENT_S_DN_Email="jar@y12.doe.gov"
SSL_CLIENT_S_DN_L="Oak Ridge, TN"
SSL_CLIENT_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_S_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_S_DN_ST="Administrator"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Jan 16 14:30:35 2005 GMT"
SSL_CLIENT_V_START="Jan 18 14:30:35 2000 GMT"
SSL_PROTOCOL="SSLv3"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="md5WithRSAEncryption"
SSL_SERVER_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_SERVER_I_DN_C="US"
SSL_SERVER_I_DN_CN="MMC CA"
SSL_SERVER_I_DN_L="Oak Ridge, TN"
SSL_SERVER_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_SERVER_I_DN_OU="Center for Information Infrastructure Technology"
SSL_SERVER_I_DN_ST="Administrator"
SSL_SERVER_M_SERIAL="11"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_S_DN="/C=US/ST=Server/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=Hopi/Email=jar@y12.doe.gov"
SSL_SERVER_S_DN_C="US"
SSL_SERVER_S_DN_CN="Hopi"
SSL_SERVER_S_DN_Email="jar@y12.doe.gov"
SSL_SERVER_S_DN_L="Oak Ridge, TN"
SSL_SERVER_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_SERVER_S_DN_OU="Center for Information Infrastructure Technology"
SSL_SERVER_S_DN_ST="Server"
SSL_SERVER_V_END="Jun 11 18:06:16 2005 GMT"
SSL_SERVER_V_START="Jun 12 18:06:16 2000 GMT"
SSL_SESSION_ID="5EB2C099F84C102B07DF7B21181A0AD99DCC41B77AF6B72793AB0ABD9C4E85F1"
SSL_VERSION_INTERFACE="mod_ssl/2.6.4"
SSL_VERSION_LIBRARY="OpenSSL/0.9.5a"
TZ="US/Eastern"