Apache SSL Installation

My log of installation on Solaris 2.6

First, acquire the four source modules:
OpenSSL (http://www.openssl.org)
Apache (http://www.apache.org)
ModSSL (http://www.modssl.org)
MM shared memory module (http://www.engelschall.com/sw/mm/)
Unzip/untar all the modules in the same installation working directory,
so that a subdirectory for each module's source tree is created alongside
the others (the mod_ssl configure step refers to them by relative path).

Go to the mod_ssl directory and follow the excellent instructions in
the INSTALL file. Here are the gotchas I found:

1) Do NOT do the usual things (configure, make, make install) in each
module's directory. They have to be done following the procedure for mod-ssl.

2) In installing OpenSSL, follow the EU instructions and don't get
rsaref.

3) After OpenSSL is installed, and before configuring mod-ssl, you
need to create a certificate request using openssl.

-> Put a randomizing seed file into .rnd:
   cp /var/adm/wtmpx .rnd
-> Run openssl req -new
   When it asks you for certificate information, enter Server (without
   quotes) as the State, and your city and state, e.g. Oak Ridge, TN, as
   the Locality.
-> Put the key privkey.pem in the /usr/local/ssl/private directory.
-> Cut and paste the certificate request into my CA server Web page:
   https://mmc.epm.ornl.gov (select manual server enrollment).
-> Retrieve the certificate and put it into /usr/local/ssl/certs with
   a .crt extension.

4) To configure mod-ssl, I used:
# ./configure \
> --with-apache=../apache_1.3.12 \
> --with-ssl=../openssl-0.9.5a \
> --with-mm=../mm-1.1.2 \
> --with-crt=/usr/local/ssl/certs/hopi.crt \
> --with-key=/usr/local/ssl/private/privkey.pem \
> --prefix=/usr/local/apache \
> --enable-shared=ssl \
> --disable-rule=SSL_COMPAT \
> --enable-rule=SHARED_CORE \
> --enable-module=so

5) The mod-ssl configure utility tells you how to make and install Apache.

6) The SSL-enabled Apache worked for me the very first time on my Solaris
2.6 machine!

Configure Apache to require User certificates (and to accept only the MMC Certificate)

1) Install the MMC CA certificate. Visit https://bant.ms.ornl.gov, select the Retrieval tab and, on the left, select Import CA Certificate Chain. While you are here, click Import the CA certificate chain into your browser (to be sure it is there). Then select the Display the CA certificate chain in PKCS#7 for importing into a server radio button, click Submit, and copy the text, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into the file /usr/local/apache/conf/ssl.crt/ca.crt (or wherever you have placed your Apache).

2) Configure /usr/local/apache/conf/httpd.conf.

Uncomment and modify the two lines
SSLVerifyClient require
SSLVerifyDepth  1

and uncomment and modify the line
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt

so that the server can find your CA certificate. SSLVerifyClient require
rejects any connection that does not present a client certificate, and
SSLVerifyDepth 1 accepts only certificates issued directly by a CA listed in
SSLCACertificateFile, which is what limits access to MMC certificates.

3) Stop and restart the SSL server.
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl

Your site will now use SSL, require user certificates, and be accessible only to people with MMC certificates.

User certificate information

If you go to the Apache cgi-bin directory, make printenv executable, and
open https://localhost/cgi-bin/printenv, you will see that you now have lots
of information about the user accessing your Web page:

SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="MMC CA"
SSL_CLIENT_I_DN_L="Oak Ridge, TN"
SSL_CLIENT_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_I_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_I_DN_ST="Administrator"
SSL_CLIENT_M_SERIAL="05"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/ST=Administrator/L=Oak Ridge, TN/0.9.2342.19200300.100.1.1=jar/CN=James A. Rome/Email=jar@y12.doe.gov"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="James A. Rome"
SSL_CLIENT_S_DN_Email="jar@y12.doe.gov"
SSL_CLIENT_S_DN_L="Oak Ridge, TN"
SSL_CLIENT_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_S_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_S_DN_ST="Administrator"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Jan 16 14:30:35 2005 GMT"
SSL_CLIENT_V_START="Jan 18 14:30:35 2000 GMT"

In particular, note that the SSL_CLIENT_I_DN_ST variable is used for
role-based access control: the role is carried in the ST field of the
issuer DN (SSL_CLIENT_I_DN). The following "roles" have been defined by me:

Administrator   Jim Rome only
Server          All MMC secure Server Certificates
Guest           Lurkers
Student         Limited control
Researcher      Full control
Operator        Facility operators
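As an added example (not part of this log), here is a CGI-side access check in Python that applies these roles: it trusts the SSL_CLIENT_* fields only when mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS, confirms the issuer is the MMC CA by its fixed DN fields, and reads the role from the issuer's ST field as described above. The permission set for each role is my assumed reading of the one-line role descriptions.

```python
# CGI-side role check driven by the SSL_CLIENT_* variables mod_ssl exports.
import os

# Fixed fields of the MMC CA issuer DN (from the printenv output above); ST is
# left out because this page uses the issuer's ST field as the user's role.
MMC_CA_FIELDS = {"C": "US", "CN": "MMC CA",
                 "O": "Materials Microcharacterization Collaboratory",
                 "OU": "Center for Information Infrastructure Technology"}

# Roles from this page; the permission sets are an assumed reading of the
# one-line role descriptions ("Limited control", "Full control", ...).
ROLE_ACCESS = {"Administrator": {"read", "control", "admin"},
               "Researcher": {"read", "control"}, "Operator": {"read", "control"},
               "Student": {"read", "limited-control"}, "Guest": {"read"},
               "Server": set()}  # server certificates are not user identities

def parse_dn(dn):
    """Split a mod_ssl DN ('/C=US/ST=.../CN=...') into (attr, value) pairs."""
    # Values on this page contain no '/', so splitting on it is sufficient.
    return [tuple(p.split("=", 1)) for p in dn.split("/") if "=" in p]

def client_role(env):
    """Role carried by the verified client certificate, or None."""
    # Trust the certificate fields only if mod_ssl verified the chain
    # (SSLVerifyClient require + SSLVerifyDepth 1 in httpd.conf).
    if env.get("HTTPS") != "on" or env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = dict(parse_dn(env.get("SSL_CLIENT_I_DN", "")))
    if any(issuer.get(k) != v for k, v in MMC_CA_FIELDS.items()):
        return None  # not issued by the MMC CA
    role = issuer.get("ST")
    return role if role in ROLE_ACCESS else None

def authorize(env, needed):
    """True if the client's role grants every permission in `needed`."""
    role = client_role(env)
    return role is not None and set(needed) <= ROLE_ACCESS[role]

# Constructed sample environment using the values from this page's printenv.
SAMPLE_ENV = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_I_DN": "/C=US/ST=Administrator/L=Oak Ridge, TN"
              "/O=Materials Microcharacterization Collaboratory"
              "/OU=Center for Information Infrastructure Technology/CN=MMC CA"}

if __name__ == "__main__":
    # Under Apache the real variables come from os.environ; otherwise use the sample.
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_ENV
    print("Content-type: text/plain\n")
    print("role:", client_role(env), "control:", authorize(env, {"control"}))
```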


Apply Apache Certificate Boolean access controls

The default SSL home page gives access to the Mod-SSL and Apache manuals. Since the page is useful but should not usually be accessible to the public, I suggest moving and renaming it.

The Mod-SSL manual Chapter 5 gives complete instructions on how to do things like:

Installing Tomcat

You will need to build the mod_jserv connector on Unix platforms. Get the correct source code tree:
http://jakarta.apache.org/builds/tomcat/release/v3.1/src/

In general, follow the user guide in the tomcat_ug.html file included with the distribution. However,
we encountered the following problems in our build on Sun OS 2.6 with the Sun C++ compiler:

  1. We had to add '-Wc,-xCC' to the apxs command line using the Sun Workshop C compiler to allow the C++-style comments throughout the source code.

  2. Header files seemed to have carriage returns (^M), which caused many warnings from the Workshop C compiler.

  3. The apxs command generated a ld command with two -o options, '-o autochange.so' at the beginning and '-o mod_jserv.so' at the end. The link editor took the first one. We had to enter the command manually without the '-o autochange.so'.

You can test your installation using the URL https://yourhost/examples/servlet/SnoopServlet.

Apache/Tomcat also puts the certificate data into environment variables, similar to IIS5. You can see these variables by making the printenv program in the Apache cgi-bin directory executable.

On my machine, https://hopi.ciit.y12.doe.gov/cgi-bin/printenv yielded the following:

DOCUMENT_ROOT="/usr/local/apache/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*"
HTTP_ACCEPT_CHARSET="iso-8859-1,*,utf-8"
HTTP_ACCEPT_ENCODING="gzip"
HTTP_ACCEPT_LANGUAGE="en"
HTTP_CONNECTION="Keep-Alive"
HTTP_HOST="hopi.ciit.y12.doe.gov"
HTTP_USER_AGENT="Mozilla/4.73 [en] (WinNT; U)"
PATH="/usr/dt/bin:/usr/openwin/bin:/bin:/usr/bin:/usr/ucb:/usr/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ccs/bin:/opt/NSCPcom:/data/j2sdk1.3/bin:/export/home/SoftWindows/bin:/export/home/Workshop/SUNWspro/bin:/export/home/java/Java-WorkShop2.0/JWS/sparc-S2/bin"
QUERY_STRING=""
REMOTE_ADDR="134.167.144.30"
REMOTE_PORT="1828"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/usr/local/apache/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="134.167.144.31"
SERVER_ADMIN="root@hopi.CIIT.ORNL.GOV"
SERVER_NAME="hopi.CIIT.ORNL.GOV"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.0"
SERVER_SIGNATURE="<ADDRESS>Apache/1.3.12 Server at hopi.CIIT.ORNL.GOV Port 443</ADDRESS>\n"
SERVER_SOFTWARE="Apache/1.3.12 (Unix) tomcat/1.0 mod_ssl/2.6.4 OpenSSL/0.9.5a"
SSL_CIPHER="RC4-MD5"
SSL_CIPHER_ALGKEYSIZE="128"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="128"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="MMC CA"
SSL_CLIENT_I_DN_L="Oak Ridge, TN"
SSL_CLIENT_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_I_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_I_DN_ST="Administrator"
SSL_CLIENT_M_SERIAL="05"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/ST=Administrator/L=Oak Ridge, TN/0.9.2342.19200300.100.1.1=jar/CN=James A. Rome/Email=jar@y12.doe.gov"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="James A. Rome"
SSL_CLIENT_S_DN_Email="jar@y12.doe.gov"
SSL_CLIENT_S_DN_L="Oak Ridge, TN"
SSL_CLIENT_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_CLIENT_S_DN_OU="Center for Information Infrastructure Technology"
SSL_CLIENT_S_DN_ST="Administrator"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Jan 16 14:30:35 2005 GMT"
SSL_CLIENT_V_START="Jan 18 14:30:35 2000 GMT"
SSL_PROTOCOL="SSLv3"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="md5WithRSAEncryption"
SSL_SERVER_I_DN="/C=US/ST=Administrator/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=MMC CA"
SSL_SERVER_I_DN_C="US"
SSL_SERVER_I_DN_CN="MMC CA"
SSL_SERVER_I_DN_L="Oak Ridge, TN"
SSL_SERVER_I_DN_O="Materials Microcharacterization Collaboratory"
SSL_SERVER_I_DN_OU="Center for Information Infrastructure Technology"
SSL_SERVER_I_DN_ST="Administrator"
SSL_SERVER_M_SERIAL="11"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_S_DN="/C=US/ST=Server/L=Oak Ridge, TN/O=Materials Microcharacterization Collaboratory/OU=Center for Information Infrastructure Technology/CN=Hopi/Email=jar@y12.doe.gov"
SSL_SERVER_S_DN_C="US"
SSL_SERVER_S_DN_CN="Hopi"
SSL_SERVER_S_DN_Email="jar@y12.doe.gov"
SSL_SERVER_S_DN_L="Oak Ridge, TN"
SSL_SERVER_S_DN_O="Materials Microcharacterization Collaboratory"
SSL_SERVER_S_DN_OU="Center for Information Infrastructure Technology"
SSL_SERVER_S_DN_ST="Server"
SSL_SERVER_V_END="Jun 11 18:06:16 2005 GMT"
SSL_SERVER_V_START="Jun 12 18:06:16 2000 GMT"
SSL_SESSION_ID="5EB2C099F84C102B07DF7B21181A0AD99DCC41B77AF6B72793AB0ABD9C4E85F1"
SSL_VERSION_INTERFACE="mod_ssl/2.6.4"
SSL_VERSION_LIBRARY="OpenSSL/0.9.5a"
TZ="US/Eastern"