Implementation
While this document provides some high-level implementation recommendations,
specific instructions are given for Fedora Core 4 as the base for the Apache
Web Server. We hope to add more information as we test additional platforms
and software versions.
Server Setup
Here we give instructions for building the server and configuring the
software. Since we will be using the
Apache Web Server, instructions are
provided for a Linux server, specifically
Fedora Core 4. As the Apache Web
Server is available for (i.e. compiles on) various operating systems and
architectures, it is assumed that this process can be applied to other
systems. However, this assumption has not yet been tested.
In each step below, a general instruction is given first, followed by the
specific instructions for the platform we tested (Fedora Core 4) or for the
certificate source in question.
- Install the operating system for your server.
Instructions For Fedora Core 4...
Download and install Fedora Core 4. You can install as few or as many packages
as you want; a server should carry only what it needs, so prefer a small
package set even though the "workstation" installation profile is a convenient
starting point. After you have a working installation, update your software to
the latest versions using "yum update".
- Install/update Apache Web Server and OpenSSL.
At the minimum, you need to be using OpenSSL 0.9.7g, since that is the first
version with proxy certificate support. However, it is advised that you use
OpenSSL 0.9.8a, since that has many fixes and is what was used for testing.
(These were the current releases when this was written; on a newer system use
a supported OpenSSL release and re-check how it enables proxy certificates,
since that mechanism changed in later releases.) Once you have an appropriate
version of OpenSSL installed, you can build and install the Apache Web Server.
At the minimum, you need to use httpd 2.0.x and make sure that mod_ssl is
built against the appropriate version of OpenSSL. Ideally, you should install
httpd 2.2.x since it contains numerous bug fixes and speed enhancements.
Instructions For Fedora Core 4...
A basic installation of Fedora Core 4 with all updates applied gives you
httpd 2.0.54 and OpenSSL 0.9.7f. These are not sufficient for our
purposes. In order to get the latest versions, you need to do the
following.
- Edit /etc/yum.repos.d/fedora-devel.repo and set
"enabled=1".
- If you have not yet installed the web server or OpenSSL, then
execute:
yum install httpd mod_ssl openssl
Otherwise update your current installation with:
yum update httpd mod_ssl openssl
You should now have httpd and mod_ssl versions 2.2.0 and openssl version
0.9.8a.
- Configure OpenSSL to allow proxy certificates.
OpenSSL rejects proxy certificates by default. In the 0.9.7g, 0.9.8 and 1.0.x
releases this can be overridden for any application by setting the
environment variable OPENSSL_ALLOW_PROXY_CERTS to 1 in the environment the
application starts from. Later releases dropped this hack; proxy certificates
then have to be enabled by the verifying application itself through the
X509_V_FLAG_ALLOW_PROXY_CERTS verify flag (the -allow_proxy_certs option of
the openssl command line), so check which OpenSSL your httpd is linked against.
Instructions For Fedora Core 4...
Edit /etc/init.d/httpd and insert the line
export OPENSSL_ALLOW_PROXY_CERTS=1
just before the line
HTTPD_LANG=${HTTPD_LANG-"C"}
- Obtain a certificate to secure your web server.
There are several ways to obtain the host certificate. You can buy an SSL
certificate from one of the many commercial certificate providers, for example
VeriSign; browsers already trust these providers' root CAs, so users connect
over https:// without any warnings. You can obtain a free SSL certificate from
CAcert.org, but its root is not shipped in the common browser trust stores, so
users will see the same warning as for a self-signed certificate unless they
have installed the CAcert root themselves. You can create a self-signed
certificate, which generates a warning for users but otherwise provides an
encrypted https connection. Finally, if you are at an organization which can
act as a Certificate Authority (CA), such as NCSA, you can obtain a host
certificate issued by that organization.
Instructions For NCSA-Signed Certificate...
Log onto tungsten.ncsa.uiuc.edu or public-linux.ncsa.uiuc.edu and run
"/usr/local/NCSA-CA/bin/ncsa-cert-request -host HOSTNAME"
where HOSTNAME is the FQDN (fully-qualified domain name) of your Apache Web
Server. Follow the directions, filling in the appropriate information. The
host certificate and key will be stored in ~/.globus/hostcert.pem and
~/.globus/hostkey.pem respectively. For more information on NCSA certificates
and policies regarding their issuance, see
http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/.
Instructions For CAcert.org...
Instructions For Commercial SSL Certificate Provider...
You need to generate a Certificate Signing Request (CSR) for your commercial
SSL certificate provider. Typically, you can find instructions for this
procedure on the commercial provider's web site. If not, you can generate a
CSR with OpenSSL.
Instructions For Self-Signed Certificate...
A self-signed certificate encrypts the connection but gives clients no
third-party assurance of your server's identity: nothing distinguishes it from
a self-signed certificate presented by an impostor, so it is NOT recommended
for a public service. It will still provide an https connection to your web
site. The biggest difference clients will see is a warning message stating
that your site's identity cannot be verified and thus is not a "trusted site";
clients then have the option of accepting the certificate for the session.
OpenSSL has facilities for generating a self-signed certificate.
- Install your host certificate and private key for the Apache Web Server.
Instructions For Fedora Core 4...
Strictly speaking, you can install your host certificate and key anywhere you
like on your server as long as the apache web server has read access to that
location. The instructions here assume that you have obtained an NCSA-signed
certificate and thus use a configuration typical for a globus installation.
This configuration will work equally well with a self-signed or
commercially-signed certificate.
Install hostcert.pem and hostkey.pem in /etc/grid-security
Set permissions appropriately for these directories and files. Both files
should be owned by root, and the private key must be readable by root only:
httpd reads it at startup while still running as root, before it drops to the
apache user, so mode 600 costs nothing and keeps every other local account
away from it:
chmod 755 /etc/grid-security
chmod 644 /etc/grid-security/hostcert.pem
chmod 600 /etc/grid-security/hostkey.pem
- If necessary, install Certificate Authority files.
The CA files under /etc/grid-security/certificates serve two purposes: they
complete the chain for your own host certificate, and, because the Apache
configuration below points SSLCACertificatePath at that directory, they are
the trust anchors against which client certificates are verified. So install
here every CA that issues the client certificates you intend to accept,
whatever the origin of your host certificate. For the host certificate
itself: if it came from a commercial provider, clients already trust that
provider's root CA and no CA file is needed for it; if it is self-signed,
there is no CA file to install, since no Certificate Authority signed it.
For Other Certificate Authorities...
You will need to download and install the CA files for the CA that issued
your host certificate (and for the CAs whose client certificates you accept).
CAcert.org has its own set of root certificates that you can use. OpenSSL
looks files up in a certificate directory by the hash of the CA's subject
name, so each file must be named <hash>.0, where the hash is what
"openssl x509 -noout -hash -in <cafile>" prints; rename the downloaded files
accordingly. (OpenSSL 1.0.0 changed that hash algorithm; the older value is
available as "-subject_hash_old", and a directory that must serve both old
and new OpenSSL releases needs the file under both names.)
For NCSA-issued certificates, download the following two certificate
authority files by right-clicking on them and selecting "Save As...":
http://ca.ncsa.uiuc.edu/4a6cd8b1.0
http://ca.ncsa.uiuc.edu/4a6cd8b1.signing_policy
Move the files you downloaded to
/etc/grid-security/certificates/
and set appropriate permissions:
chmod 755 /etc/grid-security/certificates
chmod 644 /etc/grid-security/certificates/*
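The certificate-handling steps above (enabling proxy certificates, installing CA files under their hash names, and installing a host certificate with its matching key) can be checked end to end with a throwaway PKI before you touch a live server. The script below is an added example, not part of the NCSA page or of any Globus tool: the subjects, file names and work directory are made up, it needs only the openssl command line (1.1.1 or later for the options used), and it mints an RFC 3820 proxy with OpenSSL's own proxyCertInfo config syntax. It shows what the OPENSSL_ALLOW_PROXY_CERTS setting of step 3 actually changes: the same chain is rejected without proxy support and accepted with it.

```shell
#!/bin/sh
# Added example, not from the NCSA page: a throwaway PKI exercising the
# certificate-handling steps. Subjects, file names and the work directory
# are made up; only the openssl command line (1.1.1+) is required.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed CA and a user (end-entity) certificate it issues.
#    Extensions come from explicit -extfile fragments, not the local
#    openssl.cnf, so the result does not depend on distribution defaults.
#    The user certificate carries digitalSignature: RFC 3820 requires it of
#    a certificate that will issue proxies.
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example Grid/CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/user.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example Grid/CN=Alice" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$d/user.csr" -extfile "$d/user.ext" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -out "$d/user.pem" 2>/dev/null
}

# 2. An RFC 3820 proxy certificate: signed with the *user's* key, subject =
#    the user's subject plus one extra CN, and a critical proxyCertInfo
#    extension (OpenSSL's config syntax for it, from its proxy HOWTO).
make_proxy() {
    d=$1
    printf 'basicConstraints=CA:FALSE\nproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB\n' > "$d/proxy.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example Grid/CN=Alice/CN=proxy" \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$d/proxy.csr" -extfile "$d/proxy.ext" \
        -CA "$d/user.pem" -CAkey "$d/user.key" -CAcreateserial -out "$d/proxy.pem" 2>/dev/null
}

# 3. Install a CA file under its subject-hash name, the layout that
#    SSLCACertificatePath (and /etc/grid-security/certificates) expects.
#    OpenSSL 1.0.0 changed the hash algorithm (4a6cd8b1-style names are the
#    old one), so install both names; permissions are the ones the page sets.
install_ca() {
    ca=$1 capath=$2
    mkdir -p "$capath"
    for h in $(openssl x509 -noout -subject_hash -in "$ca") \
             $(openssl x509 -noout -subject_hash_old -in "$ca"); do
        cp "$ca" "$capath/$h.0"
        chmod 644 "$capath/$h.0"
    done
    chmod 755 "$capath"
}

# 4. Before pointing SSLCertificateFile/SSLCertificateKeyFile at a pair, confirm
#    the key belongs to the certificate: both must yield the same public key.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# 5. Validate a chain against the hashed directory; prints accepted/rejected.
#    verify_chain CAPATH ISSUER_CERT LEAF_CERT [extra openssl verify options]
#    Without -allow_proxy_certs OpenSSL rejects any chain containing a proxy
#    (X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED); that flag is the switch the
#    OPENSSL_ALLOW_PROXY_CERTS variable flipped globally in 0.9.7g-1.0.x.
verify_chain() {
    if openssl verify ${4:-} -CApath "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

PKI=$WORK/pki; CAPATH=$WORK/certificates
mkdir -p "$PKI"
make_pki "$PKI"
make_proxy "$PKI"
install_ca "$PKI/ca.pem" "$CAPATH"
ls "$CAPATH"                                   # two <hash>.0 copies of the CA
if cert_matches_key "$PKI/user.pem" "$PKI/user.key"; then echo "user key matches its cert"; fi
echo "user cert alone:                   $(verify_chain "$CAPATH" "$PKI/user.pem" "$PKI/user.pem")"
echo "proxy chain, proxies disallowed:   $(verify_chain "$CAPATH" "$PKI/user.pem" "$PKI/proxy.pem")"
echo "proxy chain, -allow_proxy_certs:   $(verify_chain "$CAPATH" "$PKI/user.pem" "$PKI/proxy.pem" -allow_proxy_certs)"
```

Run it as an ordinary user; it writes only under a temporary directory. The -subject_hash_old name is the one matching the 4a6cd8b1-style file names above, while the -subject_hash name is what OpenSSL 1.0.0 and later look up in SSLCACertificatePath; installing both keeps one directory usable from either side.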
- Configure the Apache Web Server for https (SSL) access.
Instructions For Fedora Core 4...
By default, Apache is not set up to handle https connections. You need to
modify the configuration files to do so. Additionally, we want to enforce
client verification to ensure that all clients connecting to the secure web
server have a (possibly proxy) client certificate. Edit
/etc/httpd/conf.d/ssl.conf and change/add the following entries:

  Action      Directive               Value
  Modify      SSLCertificateFile      /etc/grid-security/hostcert.pem
  Modify      SSLCertificateKeyFile   /etc/grid-security/hostkey.pem
  Uncomment   SSLCACertificateFile    /etc/pki/tls/certs/ca-bundle.crt
  Uncomment   SSLVerifyClient         require
  Uncomment   SSLVerifyDepth          10
  Add         SSLCACertificatePath    /etc/grid-security/certificates/

Note that "SSLVerifyClient require" only checks that the client presents a
certificate chaining to some CA found in SSLCACertificateFile or
SSLCACertificatePath. With the system ca-bundle.crt included, a certificate
from any public CA in that bundle passes this check, so the verification step
is authentication only: which certificate subjects (DNs) are actually allowed
in must still be decided by your application or by an Apache access-control
rule. If you only want the grid CAs accepted, leave SSLCACertificateFile
commented out and rely on SSLCACertificatePath alone.
- If you are running a firewall, allow access for http/https.
Instructions For Fedora Core 4...
For the firewall provided with Fedora, run
"system-config-securitylevel". Select the "Customize" button.
Then open the ports for http (80) and https (443) by checking the
appropriate checkboxes.
- Restart the Apache web server.
Instructions For Fedora Core 4...
Run "service httpd restart" or "/etc/init.d/httpd restart".
Verify that "Starting httpd:" returns "[ OK ]".
Once you have your server configured and running, you can
test your server with Internet Explorer.