
DoD Public Key Enablement (PKE) Quick Reference Guide Securing Apache HTTP with mod_ssl for Linux

Contact: [email protected] URL: https://www.us.army.mil/suite/page/474113

QRG – Securing Apache HTTP with mod_ssl for Linux Page 1 of 15 4/10/2009

This guide provides instructions for configuring Apache HTTP Server using mod_ssl. This configuration guide assumes the Apache HTTP server, mod_ssl, wget, and openssl are installed. It is highly recommended that Apache HTTP server be set to FIPS Mode. FIPS Mode requires Apache, openssl, and mod_ssl to be built from source. Instructions for building Apache, openssl, and mod_ssl in FIPS mode can be found at http://www.openssl.org/docs/fips/. The steps of this configuration guide should be completed by an administrator account. The following steps are designed for Red Hat Enterprise Linux 5.2 and would have to be tailored for other Linux distributions.

1. Verify HTTP, mod_ssl, wget, and openssl are installed.

Note: If any component is not installed, install the component before continuing. Each of the following commands is shown below. Desired output should be similar to “httpd-2.2.3-11.el5_1.3,” “mod_ssl-2.2.3-11.el5_1.3,” “wget-1.10.2-7.el5,” and “openssl-0.9.8b-10.el5.” There may be a slight variation in version numbers.

rpm -qa | grep httpd
httpd-2.2.3-11.el5_1.3

rpm -qa | grep mod_ssl
mod_ssl-2.2.3-11.el5_1.3

rpm -qa | grep wget
wget-1.10.2-7.el5

rpm -qa | grep openssl
openssl-0.9.8b-10.el5

2. Create the folder /etc/pki/tls/private/.

mkdir -p /etc/pki/tls/private/

3. Create a 1024-bit RSA private key for the Apache server (it will be Triple-DES encrypted and PEM formatted). An example of a certificate signing request can be found on page 2 of this document.

openssl genrsa -des3 -out /etc/pki/tls/private/dodserverkey.key 1024

4. Back up this server.key file and the pass-phrase entered in a secure location. The details of this RSA private key can be viewed by using the following command:

openssl rsa -noout -text -in /etc/pki/tls/private/dodserverkey.key

5. Create a Certificate Signing Request (CSR) with the server RSA private key (the output will be PEM formatted).

NOTE: An openssl.cnf file must be specified if it is not in the current path.

openssl req -new -key /etc/pki/tls/private/dodserverkey.key -out /etc/pki/tls/private/dodserver-pkcs10.csr -config /etc/pki/tls/openssl.cnf

6. Enter the Fully Qualified Domain Name of the server when OpenSSL prompts for the "CommonName", i.e. when a CSR is generated for a website which will later be accessed via https://www.foo.mil/, enter "www.foo.mil" here.

The details of this CSR can be viewed by using the following command:

openssl req -noout -text -in /etc/pki/tls/private/dodserver-pkcs10.csr

Example 1: Certificate Signing Request (CSR) Example.

7. Open your web browser and enter the appropriate URL below:

https://ca-17.c3pki.chamb.disa.mil/
or https://ca-18.c3pki.den.disa.mil/

(Check with your LRA or RA if you do not know your organization’s primary site.)

Select Request a Server Certificate.

Select Regular SSL Server Enrollment from the Certificate Profile Name list, as shown.

8. A) Select PKCS#10 for the Certificate Request Type.
B) Copy the Certificate Request into the text box.
C) Insert your contact information in the Requestor Name, Requestor Email Address, and Requestor Phone Number text boxes.
D) Click Submit.

9. The Certificate Profile window is displayed with your request ID. Provide your RA/LRA with this request ID and any additional forms required by your organization’s policy.

Note: The RA needs this information to complete the process.

10. Once your certificate has been signed (approved by your Registration Authority), go to the CA and download the signed server certificate. Save the resulting certificate in Base64 (PEM) format at /etc/pki/tls/certs/dodservercert.cer.

11. Create the folder /etc/pki/tls/certs/ca_certs/.

mkdir -p /etc/pki/tls/certs/ca_certs/

12. Navigate to the folder /etc/pki/tls/certs/ca_certs/.

cd /etc/pki/tls/certs/ca_certs/

13. Download the DoD Certificates from http://dodpki.c3pki.chamb.disa.mil or http://dodpki.c3pki.den.disa.mil using wget.

Note: There are two files that need to be downloaded: rel3_dodroot_1024.p7b and rel3_dodroot_2048.p7b. To configure your system to use ECA Certificates see Appendix: ECA Certificates.

wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.p7b
wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
wget http://dodpki.c3pki.den.disa.mil/rel3_dodroot_1024.p7b
wget http://dodpki.c3pki.den.disa.mil/rel3_dodroot_2048.p7b

14. Convert rel3_dodroot_1024.p7b and rel3_dodroot_2048.p7b to PEM file format.

openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_1024.p7b -out rel3_dodroot_1024.pem -print_certs
openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b -out rel3_dodroot_2048.pem -print_certs

15. Concatenate rel3_dodroot_1024.p7b and rel3_dodroot_2048.p7b to a single PEM file.

cat *.pem > alldodcerts.pem

Note: It is extremely important to verify the authenticity of the Certificate Authority certificates prior to installation, to prevent installing undesired certificates. Use the script genSHA1fingerprints.sh from Appendix: genSHA1fingerprints.sh to complete the verification process.

16. Run genSHA1fingerprints.sh to generate the SHA1 fingerprints.

bash /etc/pki/tls/certs/ca_certs/genSHA1fingerprints.sh alldodcerts.pem

17. Compare the SHA1 fingerprint of each CA with the SHA1 fingerprint on https://crl.disa.mil/. Go to Appendix: Comparing SHA1 Fingerprints for an example.

18. Create the folder /etc/pki/tls/crls/.

mkdir -p /etc/pki/tls/crls/

19. Create getCRL.sh in /etc/pki/tls/crls/.

Note: getCRL.sh is an automated CRL download script that can be found in the Appendices section of this document under Appendix: getCRL.sh.

20. Run getCRL.sh by using the following command.

bash /etc/pki/tls/crls/getCRL.sh

Note: It is extremely important to verify the CRLs are up to date, because if the CRLs are expired mod_ssl will deny all clients with certificates from the CA with the expired CRL.

21. Schedule getCRL.sh to run nightly by using the following command.

crontab -e

22. Add the following line to crontab to automatically run the getCRL script every day at 3AM. In the editor press “i” to start inserting text.

00 3 * * * /etc/pki/tls/crls/getCRL.sh >> /var/log/getCRL.log

Note: getCRL.sh needs to run every night to pull the latest CRLs.

23. Save and exit crontab by pressing the ESC button and then typing “:wq”.
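The comparison in step 17 can be scripted instead of read by eye. The following is an added example, not part of this guide and not part of genSHA1fingerprints.sh: it takes the text genSHA1fingerprints.sh prints and a small list of fingerprints the operator has transcribed from https://crl.disa.mil, normalises both forms (the web page shows colon-separated upper-case hex, sha1sum prints bare lower-case hex) and reports per CA whether the bundle matches. The DoD CLASS 3 Root CA value is the one shown in the Comparing SHA1 Fingerprints appendix; "EXAMPLE CA-99" and its fingerprint are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the DoD PKE guide): scripted check of
# genSHA1fingerprints.sh output against published CA fingerprints.

# Normalise a fingerprint for comparison: drop colons and spaces, lower-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Constructed sample of what genSHA1fingerprints.sh prints: a subject line,
# then " SHA1:<hash> <file>". The DoD CLASS 3 Root CA entry is the guide's own
# example; "EXAMPLE CA-99" and its hash are made up for this demonstration.
SCRIPT_OUTPUT='subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
 SHA1:10f193f340ac91d6de5f1edc006247c4f25d9671 /tmp/tmpcert1.tmp.der
subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=EXAMPLE CA-99
 SHA1:0123456789abcdef0123456789abcdef01234567 /tmp/tmpcert2.tmp.der'

# Constructed "published" list as an operator would transcribe it from
# https://crl.disa.mil: "<CN>|<fingerprint>", colon-separated upper-case hex.
PUBLISHED_GOOD='DoD CLASS 3 Root CA|10:F1:93:F3:40:AC:91:D6:DE:5F:1E:DC:00:62:47:C4:F2:5D:96:71
EXAMPLE CA-99|01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

# Same list with the last digit of the second entry changed: what a bundle
# containing an unexpected certificate looks like to this check.
PUBLISHED_BAD='DoD CLASS 3 Root CA|10:F1:93:F3:40:AC:91:D6:DE:5F:1E:DC:00:62:47:C4:F2:5D:96:71
EXAMPLE CA-99|01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:68'

# verify_fingerprints <script-output> <published-list>
# Prints "OK", "MISMATCH" or "UNPUBLISHED" per CA in the bundle and returns 0
# only when every CA matched a published fingerprint.
verify_fingerprints() {
    output="$1"; published="$2"; rc=0; cn=""
    while IFS= read -r line; do
        case "$line" in
            subject=*)
                cn="${line##*/CN=}" ;;
            *SHA1:*)
                fp="${line#*SHA1:}"; fp="${fp%% *}"
                fp=$(normalize_fp "$fp")
                expected=$(printf '%s\n' "$published" | awk -F'|' -v cn="$cn" '$1 == cn { print $2 }')
                if [ -z "$expected" ]; then
                    echo "UNPUBLISHED $cn"; rc=1
                elif [ "$(normalize_fp "$expected")" = "$fp" ]; then
                    echo "OK $cn"
                else
                    echo "MISMATCH $cn (bundle $fp, published $(normalize_fp "$expected"))"; rc=1
                fi ;;
        esac
    done <<EOF
$output
EOF
    return $rc
}

# A non-zero exit means the bundle must not be installed as alldodcerts.pem.
verify_fingerprints "$SCRIPT_OUTPUT" "$PUBLISHED_GOOD" || echo "do not install this bundle"
```

In real use, replace SCRIPT_OUTPUT with the actual output of step 16 (for example by redirecting it to a file and reading that) and keep the transcribed published list under change control, so that a bundle downloaded from a mirror is never trusted on the strength of its own contents.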

24. Navigate to the httpd conf directory.

cd /etc/httpd/conf/

25. Open httpd.conf with a text editor.

vi httpd.conf

26. Verify Include conf.d/*.conf is not commented out or missing. If Include conf.d/*.conf is not present, add it in the “Load config files from the config directory” section shown here.

# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

27. Save changes (if made) and exit httpd.conf.

28. Navigate to the conf.d directory.

cd /etc/httpd/conf.d/

29. Open ssl.conf with a text editor.

vi ssl.conf

Note: There are several lines within this file that need to be edited.

30. Remove or comment out the default SSLRandomSeed and add the SSLRandomSeed value for the startup file and connect file.

#SSLRandomSeed startup file:/dev/urandom 256
#SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

31. Verify SSLEngine is set to on. If SSLEngine is set to off, then remove or comment out SSLEngine off and add SSLEngine on.

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
#SSLEngine off
SSLEngine on

32. Remove or comment out the default SSLProtocol and add the SSLProtocol value.

#   SSL Protocol support:
#   List the enable protocol levels with which clients will be able to
#   connect.  Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
SSLProtocol +SSLv3 +TLSv1

33. Remove or comment out the default SSLCipherSuite and add the SSLCipherSuite value: -ALL:3DES:+SHA1:+SHA:+SSLv3:+TLSv1:!MD5:!DH:!MEDIUM:!LOW:!SSLv2:!NULL

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite 3DES:AES:SHA1:SHA:SSLv3:TLSv1:!DES:!MD5:!DH:!MEDIUM:!LOW:!SSLv2:!NULL

34. Remove or comment out the default Server Certificate and add the DoD Issued Server Certificate by location.

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/dodservercert.cer

35. Remove or comment out the default Server Certificate Private Key and add the DoD Issued Server Certificate Private Key by location.

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/dodserverkey.key

36. Remove or comment out the default Server Certificate Chain.

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

37. Remove or comment out the default Certificate Authority File and add the Certificate Authority File created in Step 3 by location.

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/alldodcerts.pem

38. Under the Certificate Authority section, add the Revocation Path /etc/pki/tls/crls/.

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/alldodcerts.pem
SSLCARevocationPath /etc/pki/tls/crls/

39. Change SSLVerifyClient to require and verify SSLVerifyDepth is 3 or higher.

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 10
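Steps 30 through 40 are all hand edits to ssl.conf, and a directive left at its stock value (or an uncommented SSLOptions inside a <Files> block overriding the one set in step 40) is easy to miss before the restart in step 42. The following is an added example, not part of this guide: a small audit script that reads an ssl.conf the way Apache does (comments ignored, last active occurrence of a directive wins, directives inside <Files>, <Directory> and <Location> sections treated separately) and reports which of the values this guide specifies are missing or wrong. The two ssl.conf fragments it runs against are constructed here: one edited as the guide describes, one still at the Red Hat defaults.

```shell
#!/bin/sh
# Added example (not from the DoD PKE guide): audit an ssl.conf against the
# directive values steps 30-40 of the guide require.

# directive_value <file> <directive>: the active value of a server-level
# directive. Comments are skipped, directives inside <Files>/<Directory>/
# <Location> sections are ignored, and the last occurrence wins as in Apache.
directive_value() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<\/(Files|Directory|Location)/ { inside = 0; next }
        /^[[:space:]]*<(Files|Directory|Location)/   { inside = 1; next }
        inside { next }
        $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); v = $0 }
        END { print v }' "$1"
}

# check <directive> <expected-regex> <message>: one line of audit output,
# sets rc=1 on failure. CONF and rc are set by audit_ssl_conf.
check() {
    v=$(directive_value "$CONF" "$1")
    if printf '%s\n' "$v" | grep -Eq "$2"; then
        echo "ok   $1 = ${v:-<unset>}"
    else
        echo "FAIL $1: $3 (found: ${v:-<unset>})"
        rc=1
    fi
}

# audit_ssl_conf <file>: returns 0 only when every guide value is present.
audit_ssl_conf() {
    CONF="$1"; rc=0
    check SSLEngine               '^on$'                      'must be on (step 31)'
    check SSLProtocol             '^\+SSLv3 \+TLSv1$'         'guide value is +SSLv3 +TLSv1 (step 32)'
    check SSLCipherSuite          '!LOW.*!NULL|!NULL.*!LOW'   'must exclude LOW and NULL ciphers (step 33)'
    check SSLCertificateFile      'dodservercert\.cer$'       'must point at the DoD-issued certificate (step 34)'
    check SSLCertificateKeyFile   'dodserverkey\.key$'        'must point at the server private key (step 35)'
    check SSLCertificateChainFile '^$'                        'default chain file must be removed (step 36)'
    check SSLCACertificateFile    'alldodcerts\.pem$'         'must point at the DoD CA bundle (step 37)'
    check SSLCARevocationPath     '^/etc/pki/tls/crls/?$'     'must be the CRL directory (step 38)'
    check SSLVerifyClient         '^require$'                 'client certificates must be required (step 39)'
    check SSLVerifyDepth          '^([3-9]|[1-9][0-9]+)$'     'must be 3 or higher (step 39)'
    check SSLOptions              '(^| )\+StrictRequire( |$)' 'must include +StrictRequire (step 40)'
    return $rc
}

# Constructed ssl.conf fragments for the demonstration (not real files).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
<VirtualHost _default_:443>
#SSLEngine off
SSLEngine on
#SSLProtocol all -SSLv2
SSLProtocol +SSLv3 +TLSv1
SSLCipherSuite 3DES:AES:SHA1:SHA:SSLv3:TLSv1:!DES:!MD5:!DH:!MEDIUM:!LOW:!SSLv2:!NULL
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/dodservercert.cer
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/dodserverkey.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/alldodcerts.pem
SSLCARevocationPath /etc/pki/tls/crls/
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
</VirtualHost>
EOF

WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
</VirtualHost>
EOF
trap 'rm -f "$GOOD_CONF" "$WEAK_CONF"' EXIT

echo "--- edited ssl.conf ---";  audit_ssl_conf "$GOOD_CONF" || echo "edited file still has problems"
echo "--- stock ssl.conf ---";   audit_ssl_conf "$WEAK_CONF" || echo "stock file is not ready for production"
```

Run it against the real file with audit_ssl_conf /etc/httpd/conf.d/ssl.conf before step 41; a non-zero exit means at least one of the guide's settings is not in effect. The expected values are the ones this guide specifies, so the regexes are the place to change when the organisation's required protocol or cipher list changes.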

40. Verify SSLOptions is set to +StrictRequire. If SSLOptions is not set to +StrictRequire, then remove or comment out the SSLOptions and add SSLOptions +StrictRequire.

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>
SSLOptions +StrictRequire

41. Save changes and exit ssl.conf.

42. The httpd service needs to be restarted before changes from httpd.conf and ssl.conf can take effect.

service httpd restart

The Apache Web Server should now be configured for SSL using mod_ssl.

Appendices

Appendix: New DoD CA Certificates

The DoD PKI will occasionally add new CAs to issue certificates. When new CAs go online, the new CA certificates need to be added to the server so users with certificates from the new CAs are able to authenticate to the web servers. Remove alldodcerts.pem that was created in Step 15. Then repeat Steps 12-15 to add the CAs to the server.

Appendix: ECA Certificates

The ECA program was created for subscribers that need to conduct business with the U.S. Government. If this webserver needs to provide access to users who have ECA certificates, follow the steps within this Appendix.

NOTE: Unless there is a need to provide access to ECA users, it is not recommended that the steps outlined in this appendix be performed.

1. Download the ECA Certificates from http://dodpki.c3pki.chamb.disa.mil or http://dodpki.c3pki.den.disa.mil using wget.

wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
wget http://dodpki.c3pki.den.disa.mil/dodeca.p7b

2. Convert dodeca.p7b to PEM file format.

openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs

3. Concatenate dodeca.p7b, rel3_dodroot_1024.p7b, and rel3_dodroot_2048.p7b to a single PEM file.

cat *.pem > alldodcerts.pem

Note: After completing this Appendix return to Step 17 and complete the rest of this guide.

Appendix: genSHA1fingerprints.sh

1. Create the script genSHA1fingerprints.sh in /etc/pki/tls/certs/ca_certs/

vi genSHA1fingerprints.sh

2. Add the following text to genSHA1fingerprints.sh

#!/bin/bash
# DISA PKE Engineering Support [email protected]
# Author: Brannon Biehl
# Date: October 2008
#
# Contributors:
#   Jeff Hensley, DoD PKE Engineering
#
# This script generates the SHA1 fingerprints for pem formatted pkcs11 files.
# This script is designed to be used with https://crl.disa.mil to compare
# the fingerprints of the CA Certificates.

if [[ -z "$1" ]]; then
    echo Please specify a .pem file as a command line argument.
    echo Usage: $0 [pem file]
    exit 1
fi

pkcs7file=$1

if [[ -n `grep "subject=" $1` ]]; then
    rm -f /tmp/tmpcert*.tmp
    # Split the bundle at each "subject=" line into one temporary file per certificate
    # (the redirection target is parenthesised so every awk parses the concatenation).
    awk '/subject=/{n++}{print > ("/tmp/tmpcert" n ".tmp")}' $pkcs7file
    cd /tmp
    for a in `ls /tmp/tmpcert*.tmp`; do
        caSubject=`cat $a | grep "subject="`
        # Fingerprint is the SHA1 of the DER encoding of each certificate
        openssl x509 -inform PEM -outform DER -in $a -out "$a.der"
        echo -e "$caSubject \n SHA1:`sha1sum $a.der`"
    done
    rm -f /tmp/tmpcert*.tmp
    rm -f /tmp/tmpcert*.tmp.der
else
    echo ERROR: Invalid file. Please read the documentation on how to create an
    echo input file for $0 from a PKCS#7 file.
fi

:wq

3. Save genSHA1fingerprints.sh by pressing Esc, typing :wq and then pressing Enter.

Appendix: Comparing SHA1 Fingerprints

genSHA1fingerprints.sh output for the DoD CLASS 3 Root CA’s fingerprint:

subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
 SHA1:10f193f340ac91d6de5f1edc006247c4f25d9671 /tmp/tmpcert1.tmp.der

Compare it with the DoD CLASS 3 Root CA’s fingerprint shown on https://crl.disa.mil.

Appendix: getCRL.sh

1. Create the script getCRL.sh in /etc/pki/tls/crls/

vi getCRL.sh

2. Add the following text to getCRL.sh

#!/bin/bash
#
# CRL retrieval script for Apache HTTP Server with mod_ssl
# DISA PKE Engineering <dod_support at disa.mil>
# Date: April 9, 2009
# Version: 1.11
# Website: https://www.us.army.mil/suite/page/474113
#
#
# Installation: Make sure you dos2unix this script before running it
# Execution: Execute by running "bash getCRLs.sh"
# Usage: No arguments are required
# Result: Current DOD CRLs
#
#
# NOTE: This script copies CRLs to a default destination specified by SSLCARevocationPath.
#       This location will be different depending on which version of linux and/or apache
#       you are running. Use the mod_ssl directive "SSLCARevocationPath" to specify this
#       location.
#       For more information see: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC15
# NOTICE: This script should NOT be run more frequently than every 24 hours
#         due to bandwidth constraints and the DODs CRL update frequency.
#
# RECOMMENDATION: Schedule this script to run nightly from 2AM to 5AM.
# Add the following cron entry with "crontab -e" (remove the # comment character)
#0 3 * * * /path/to/apache-CRL/script/getCRLs.sh > /var/log/httpd/getcrls.log 2>&1
#
# If you are seeing ERRORs that wget or openssl don't exist on the system when
# running these scripts as a cronjob - wget or openssl are probably installed in a
# non-default path and you will need to include a path declaration in the front of
# your cron declarations. By default the cron path is /usr/bin:/bin

# The folder specified in the Apache SSLCARevocationPath Directive for CRLs.
# This can typically be found in the /etc/httpd/conf.d/ssl.conf file.
# Do not place a trailing / after the path.
# This must match the SSLCARevocationPath set in Step 38 (/etc/pki/tls/crls); the
# value /etc/pki/crls printed in the original would leave the CRLs where mod_ssl never looks.
SSLCARevocationPath=/etc/pki/tls/crls

#### begin CRLdistributionPoints block ####
# Include all CRL Distribution Points here. HTTP and HTTPS only. Every URL will be
# downloaded. Beware of multiple queries for the same CRL unless absolutely necessary.
#
# mod_ssl will not check a CRL if the CRL doesn't exist. Be very careful of this!
# it is RECOMMENDED that allcrls.zip is downloaded for DoD CRLs because it will
# include all future CA CRLs.
#
# NOTE: a trailing " \" is required after each entry that appears on a new line
CRLdistributionPoints="\
http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP \
"
##########################
# Add additional CRLdistributionPoints if necessary
#https://local.crlcaching.server/getcrlzip?ALL+CRL+ZIP \
#
#### end CRLdistributionPoints block ####

# $0 is the script name; the original printed $1, which is always empty here.
echo "### Running $0 at `date` ###"

# Check if binaries exist. This is important when running as cron
check4binaries () {
    if ! command -v $1>/dev/null 2>&1; then
        echo ERROR: $1 is not installed or is not in the path.
        exit 1
    fi
} # check4binaries

check4binaries openssl
check4binaries gunzip
check4binaries unzip
check4binaries wget

# Create SSLCARevocationPath if it doesn't exist
if ! [[ -d $SSLCARevocationPath ]]; then
    mkdir -p $SSLCARevocationPath
fi

cd $SSLCARevocationPath

for request in $CRLdistributionPoints;
do
    tmpURL=${request##*/}
    # Build a file name from the last URL component by deleting the characters of
    # "getcrlzip", ",", "+" and "?" (a sed character class), e.g. "getcrlzip?ALL+CRL+ZIP" -> "ALLCRLZIP"
    crlFilename="`echo -n $tmpURL | sed 's/[getcrlzip,getcrl,+?]//g'`"
    echo Pulling $request CRL: Saving as $crlFilename

    # Keep the previous copy so a failed download does not leave us with no CRL at all
    if [[ -f "$crlFilename" ]]; then
        mv -f $crlFilename $crlFilename.prev > /dev/null 2>&1
    fi

    # Pull CRL
    wget -nv --output-document=$crlFilename --tries=5 --no-check-certificate "$request"

    # If new CRL was not found then put the old one back in place
    if [[ ! -f "$crlFilename" ]]; then
        mv -f $crlFilename.prev $crlFilename > /dev/null 2>&1
    fi

    # Check if in gzip format
    if gunzip -t $crlFilename>/dev/null 2>&1; then
        echo $crlFilename is a valid gzip archive
        # gunzip CRL after download
        mv $crlFilename $crlFilename.crl.gz> /dev/null 2>&1
        gunzip -d -f $crlFilename.crl.gz
    else
        mv $crlFilename $crlFilename.crl> /dev/null 2>&1
    fi

    # Check if resulting file is in zip format
    if unzip -tq $crlFilename.crl>/dev/null 2>&1; then
        echo $crlFilename is a valid zip archive
        # unzip after download
        mv $crlFilename.crl $crlFilename.zip> /dev/null 2>&1
        unzip -joq $crlFilename.zip
    fi
done

# Convert all CRLs to PEM format
for a in $( ls *.crl ); do openssl crl -in $a -inform DER -outform PEM -out $a; done

# Create allcrls.pem if using the mod_ssl SSLCARevocationFile directive.
# NOTE: You can comment this line out if using the SSLCARevocationPath directive.
mv -f allcrls.pem allcrls.pem.bak 2> /dev/null
cat *.crl > allcrls.pem

# Create hashes for the SSLCARevocationPath directive
# (mod_ssl looks up a CRL by the issuer-name hash of its directory entry, <hash>.r0)
for tCRL in *.crl
do
    crlHash=`openssl crl -in $tCRL -inform PEM -hash -noout`.r0
    crlNextUpdate=`openssl crl -in $tCRL -inform PEM -nextupdate -noout`
    echo -e "hash=$crlHash $crlNextUpdate $tCRL"
    if [ ! -L $crlHash ]; then
        ln -s $tCRL $crlHash
    fi
done

:wq

3. Save getCRL.sh by pressing Esc, typing :wq and then pressing Enter.

Additional Resources: DoD PKE site on DKO at https://www.us.army.mil/suite/page/474113

For questions or comments regarding Public Key Enablement (PKE), please submit information to: [email protected]
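getCRL.sh prints the nextUpdate of every CRL it installs, and the note under step 20 explains why that date matters: once a CRL is past its nextUpdate, mod_ssl rejects every client certificate issued by that CA, which looks like a sudden outage for all users of that CA. The following is an added example, not part of this guide and not part of getCRL.sh: a check that parses the same "openssl crl -nextupdate -noout" line getCRL.sh logs, classifies each CRL as CURRENT, EXPIRING or EXPIRED, and scans the SSLCARevocationPath directory of step 38 so it can be run from cron after getCRL.sh or from a monitoring agent. It assumes GNU date (for -d) and, for the directory scan only, the openssl command line tool; the dates and epoch used below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the DoD PKE guide): detect CRLs in SSLCARevocationPath
# that have expired or are about to, before mod_ssl starts rejecting clients.
# Assumes GNU date -d; check_crl_dir additionally needs the openssl CLI.

# crl_seconds_left <nextupdate-line> <now-epoch>
# The line is what "openssl crl -nextupdate -noout" prints, e.g.
# "nextUpdate=Apr 17 03:00:00 2009 GMT". Prints seconds until expiry
# (negative once expired); returns 2 if the date cannot be parsed.
crl_seconds_left() {
    when="${1#nextUpdate=}"
    next=$(date -u -d "$when" +%s 2>/dev/null) || return 2
    echo $(( next - $2 ))
}

# crl_status <nextupdate-line> <now-epoch> <warn-seconds>
# Prints EXPIRED, EXPIRING (within warn-seconds) or CURRENT. Returns 1 for
# EXPIRED or unparseable input so callers can alert on it.
crl_status() {
    left=$(crl_seconds_left "$1" "$2") || { echo UNPARSEABLE; return 1; }
    if [ "$left" -le 0 ]; then
        echo EXPIRED; return 1
    elif [ "$left" -le "$3" ]; then
        echo EXPIRING
    else
        echo CURRENT
    fi
}

# check_crl_dir <dir> <now-epoch> <warn-seconds>
# One status line per PEM CRL (the format getCRL.sh leaves behind);
# returns 1 if any CRL is expired or unreadable.
check_crl_dir() {
    dir="$1"; now="$2"; warn="$3"; bad=0
    for crl in "$dir"/*.crl; do
        [ -f "$crl" ] || continue
        line=$(openssl crl -in "$crl" -inform PEM -nextupdate -noout 2>/dev/null) \
            || { echo "UNREADABLE $crl"; bad=1; continue; }
        status=$(crl_status "$line" "$now" "$warn") || bad=1
        echo "$status $crl ($line)"
    done
    return $bad
}

# Scan the directory from step 38 with a 24-hour warning window. A non-zero
# exit is what the cron job or monitoring check should alert on; EXPIRING
# lines mean getCRL.sh has not delivered a fresh CRL recently.
check_crl_dir "${1:-/etc/pki/tls/crls}" "$(date -u +%s)" 86400 \
    || echo "one or more CRLs need attention"
```

Because getCRL.sh keeps the previous CRL when a download fails, a stale file can sit in place for days without any error in getCRL.log; scheduling this check an hour after the 3AM job in step 22 turns that silent condition into an explicit alert while the old CRL is still valid.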