Setting up SSL for Scrutinizer
By Ben Pottle

1. Install OpenSSL from http://www.openssl.org/related/binaries.html. Reboot afterwards (even if the installer does not prompt you to do so!).

Setting Up SSL Key/Certificate
We'll generate three files and end up using two of them. Make sure the OpenSSL binaries are in PATH; the OpenSSL commands can then be run from any directory, including SCRUTINIZER\apache2\conf.

2. Generate the RSA keypair (client.key). It is stored in Base64 PEM format, which is why such files often carry a .pem filename extension.

You can give openssl several filespecs delimited by colons (via -rand) to give it enough entropy to work with. We're omitting the "-des3" switch, which would store the private key in symmetrically-encrypted form to protect it against being stolen by shell users; the downside is that Client would have to supply the 3DES passphrase to read the private key every time Apache restarts. That is a _big_ downside, and is why almost nobody ever does it. Example: "openssl genrsa -rand file1:file2[...] -out client.key 1024".

openssl genrsa -rand c:\ -out client.key 1024

3. Next, generate a CSR (Certificate Signing Request) file, client.csr, which associates the key with the organisation's identity (specified as an X.509 subject name, similar to LDAP/X.500 naming) and could theoretically be shipped off to Verisign or another Certificate Authority (CA) to be digitally signed.

You'll be prompted for several strings that build an X.500-style Distinguished Name (two-letter country code, state, city, organization, Apache hostname/Common Name, administrative e-mail address). It's important that the hostname/Common Name match the ServerName specified in httpd.conf, or users will get a warning about the mismatch. Example: www.webnm.com.

openssl req -new -key client.key -out client.csr

4. Last, we have Client self-sign the CSR file (in lieu of a CA), resulting in client.crt, the certificate file; at this point client.csr can be discarded.

openssl x509 -req -days 730 -in client.csr -signkey client.key -out client.crt

Make sure "client.crt" and "client.key" are in the SCRUTINIZER\apache2\conf directory.
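The three openssl steps above, run non-interactively and followed by the two checks worth making before restarting Apache: that client.crt and client.key belong together, and that the certificate's Common Name equals the ServerName host in httpd.conf. This is an added example, not part of the Plixer document; it assumes a POSIX shell with openssl in PATH, and the hostname, key size, Distinguished Name fields and script name are constructed samples.

```sh
#!/bin/sh
# Added example, not from the Plixer page: steps 2-4 above run non-interactively,
# plus two checks worth making before restarting Apache. The hostname, key size
# and Distinguished Name fields are constructed sample values; openssl must be in PATH.

# Produce client.key, client.csr and client.crt in directory $1 for host $2.
# $3 is the key size; it defaults to 2048 here (the page uses 1024).
make_self_signed() {
  dir=$1; host=$2; bits=${3:-2048}
  mkdir -p "$dir"
  # Step 2: unencrypted RSA private key (no -des3, as on the page). Modern
  # openssl seeds itself, so the -rand file list is not needed.
  openssl genrsa -out "$dir/client.key" "$bits" 2>/dev/null || return 1
  # Step 3: CSR. -subj supplies the Distinguished Name instead of the prompts.
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
    -subj "/C=US/ST=Maine/L=Sanford/O=Example Org/CN=$host" || return 1
  # Step 4: self-sign for 730 days; client.csr can be discarded afterwards.
  openssl x509 -req -days 730 -in "$dir/client.csr" -signkey "$dir/client.key" \
    -out "$dir/client.crt" 2>/dev/null || return 1
}

# Succeeds only if client.crt carries the public key that belongs to client.key;
# mod_ssl refuses to start when the pair does not match.
cert_matches_key() {
  dir=$1
  k=$(openssl rsa -in "$dir/client.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$dir/client.crt" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the Common Name of client.crt, which browsers compare to the URL host.
cert_cn() {
  openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the CN equals the host part of an httpd.conf "ServerName host:port"
# line; a mismatch is what produces the browser warning mentioned in step 3.
cn_matches_servername() {
  host=$(printf '%s\n' "$2" | awk '{print $2}' | cut -d: -f1)
  [ "$(cert_cn "$1")" = "$host" ]
}

# Usage: sh gen_ssl.sh <output-dir> <hostname>   (gen_ssl.sh is an assumed name)
if [ $# -ge 2 ]; then
  make_self_signed "$1" "$2" && cert_matches_key "$1" &&
    cn_matches_servername "$1" "ServerName $2:443" && echo "client.crt and client.key ready"
fi
```

Copy the resulting client.crt and client.key into SCRUTINIZER\apache2\conf only after both checks pass.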

5. Download the files via FTP:
FTP: downloads.somix.com
User: public
Pass: public

Get (in BINARY mode) "mod_ssl.pdb" and "mod_ssl.so", placing them in the SCRUTINIZER\apache2\modules directory. Get (in ASCII mode) "ssl.conf", placing it in the SCRUTINIZER\apache2\conf directory.

6. Config File Changes
Make sure the line "LoadModule ssl_module modules/mod_ssl.so" is uncommented in the SCRUTINIZER\apache2\conf\httpd.conf file.

Make sure the following is in the httpd.conf file:

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>

Modify the following in SCRUTINIZER\apache2\conf\httpd.conf for the virtual host:

DocumentRoot "c:/SCRUTINIZER/html"
ServerName jamaica:443
ServerAdmin you@example.com
ErrorLog logs/error_log
TransferLog logs/access_log

Most notably, "ServerName" and "ServerAdmin" may need to be modified. Also, if "DocumentRoot" needs to be changed, it must be done here.

7. Modify the apache service to run in SSL mode:
From the SCRUTINIZER\apache2\bin folder, run:

apache -n APACHE_SERVICE_NAME_HERE -k config -D SSL

8. All done.
Restart Apache and log on to the server over HTTPS.

plixer International - Setting Standards in NetFlow & sFlow Analysis
©2006-2008 Plixer International, Inc.