Kohei Nozaki's blog 

Entries tagged [ssl]

Enabling SSL for Apache/WildFly


Posted on Monday Feb 09, 2015 at 05:56PM in Technology


Environment

  • WildFly 8.2.0.Final

  • httpd-2.2.15-39.el6.centos.x86_64

  • CentOS 6.5

  • public.crt: begins with BEGIN CERTIFICATE

  • intermediate.crt: begins with BEGIN CERTIFICATE

  • private.key: begins with BEGIN RSA PRIVATE KEY

Edit /etc/httpd/conf.d/ssl.conf

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /usr/local/ssl/public.crt
SSLCertificateKeyFile /usr/local/ssl/private.key
SSLCertificateChainFile /usr/local/ssl/intermediate.crt
SSLPassPhraseDialog exec:/usr/local/ssl/passphrase.sh

Put passphrase.sh

#!/bin/sh
echo "put the passphrase here"

Define an ajp-listener

Execute the following commands with jboss-cli:

/socket-binding-group=standard-sockets/socket-binding=https-external:add(port=443)
/subsystem=undertow/server=default-server/ajp-listener=myListener:add(socket-binding=ajp, redirect-socket="https-external", enabled=true)

Put /etc/httpd/conf.d/jk.conf

<VirtualHost *:80>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / http://www.example.org/
</VirtualHost>

Put the following inside the VirtualHost element of /etc/httpd/conf.d/ssl.conf:

ProxyPass / ajp://localhost:8009/
ProxyPassReverse / https://www.example.org/


Configuring WildFly as a standalone HTTP/HTTPS server


Posted on Sunday Feb 08, 2015 at 12:23PM in Technology


Environment

  • WildFly 8.2.0.Final

Requirement

  • WildFly runs as a process owned by a regular (non-root) user

  • WildFly listens on ports 8080 and 8443

  • iptables forwards ports 80 and 443 to the ports WildFly is listening on

  • Record the equivalent of Apache's combined access_log on the HTTP/HTTPS listeners

  • Gzip compression enabled

Defining SSL listener

  1. Set the HTTPS port to 8443

    /socket-binding-group=standard-sockets/socket-binding=https:write-attribute(name=port, value="${jboss.https.port:8443}")
  2. Put your Java KeyStore in $WILDFLY_HOME/standalone/configuration/mykeystore.jks

  3. Create a security realm named CertificateRealm

    /core-service=management/security-realm=CertificateRealm:add
    /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add( \
    	keystore-path="mykeystore.jks", \
    	keystore-relative-to="jboss.server.config.dir", \
    	keystore-password="PASSPHRASE")
  4. Create an HTTPS listener:

    /subsystem=undertow/server=default-server/https-listener=myHttpsListener:add( \
    	socket-binding="https", \
    	security-realm="CertificateRealm")

Defining a socket binding for HTTP ⇒ HTTPS redirection

By default, WildFly redirects to port 8443 when a client attempts to enter a confidential area, because that is the port WildFly itself listens on. In my case the client needs to be redirected to port 443 instead of 8443 (iptables forwards 443 to 8443), so I need to tell WildFly to send redirects to 443, not 8443.

/socket-binding-group=standard-sockets/socket-binding=https-external:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value="https-external")

Configuring WildFly to listen on 0.0.0.0

/system-property=jboss.bind.address:add(value=0.0.0.0)

Defining combined access_log equivalent

/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
/subsystem=undertow/server=default-server/host=default-host/setting=access-log:write-attribute(name=pattern, value="%h %l %u [%t] \"%r\" %s %b \"%{i,Referer}\" \"%{i,User-Agent}\"")

Enabling gzip compression

/subsystem=undertow/configuration=filter/gzip=gzipFilter/:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=gzipFilter:add(\
 predicate="exists['%{o,Content-Type}'] and regex[pattern='(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?', value=%{o,Content-Type}, full-match=true]")

Also, sending Vary: Accept-Encoding is better for caching proxies. Conditional insertion (only on responses that were actually compressed) would be best, but an issue has been reported about it at the time of writing, so I will go with unconditional insertion this time.

/subsystem=undertow/configuration=filter/response-header=vary-header:add(header-name="Vary", header-value="Accept-Encoding")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=vary-header:add

Configuring iptables redirection

An example of /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080 -m comment --comment "HTTP"
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination :8443 -m comment --comment "HTTPS"
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025 -m comment --comment "SMTP"
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465 -m comment --comment "SMTPS"
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993 -m comment --comment "IMAPS"
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT -m comment --comment "SMTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT -m comment --comment "SMTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT -m comment --comment "IMAPS"
COMMIT


Configuring James to use SSL


Posted on Saturday Feb 07, 2015 at 12:07AM in Technology


Environment

  • Apache James 3.0.0beta5-SNAPSHOT

  • Oracle JDK8u31

  • CentOS 6.5

Requirement

  • Listen for IMAPS on port 993

  • Listen for SMTPS on port 465 (for mail clients)

  • Listen for SMTP on port 25 (to accept connections from other SMTP servers; STARTTLS enabled)

  • Expose these ports by forwarding them with iptables

Put Java KeyStore

I put it at $JAMES_HOME/conf/mykeystore.jks. Check this posting for how to create the Java KeyStore.

Configuring IMAPS

  1. Change the port number in the bind element as follows:

    <bind>0.0.0.0:10993</bind>
  2. Edit the tls element as follows:

    <tls socketTLS="true" startTLS="false">
     <keystore>file://conf/mykeystore.jks</keystore>
     <secret>PASSPHRASE</secret>
     <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
    </tls>

    I guess I don’t have the BouncyCastleProvider class in my classpath, but it works.

Configuring SMTPS

  1. Make a complete copy of the smtpserver element in smtpserver.xml.

  2. Change the jmxName element of the second smtpserver element:

    <jmxName>smtpsserver</jmxName>
  3. Change the port number in the bind element as well:

    <bind>0.0.0.0:10465</bind>
  4. Edit the tls element too:

    <tls socketTLS="true" startTLS="false">
     <keystore>file://conf/mykeystore.jks</keystore>
     <secret>PASSPHRASE</secret>
     <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
     <algorithm>SunX509</algorithm>
    </tls>
  5. Enabling the following configuration is also required for some mail clients, such as Apple Mail:

    <authRequired>announce</authRequired>

Configuring SMTP

Edit the tls element inside the first smtpserver element, setting startTLS to true:

<tls socketTLS="false" startTLS="true">
 <keystore>file://conf/mykeystore.jks</keystore>
 <secret>PASSPHRASE</secret>
 <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
 <algorithm>SunX509</algorithm>
</tls>

Delete a Mailet from mailetcontainer.xml

There is a Mailet that needs to be removed when you use SMTP AUTH. This solves the problem of submitted mail being stored in file://var/mail/relay-denied/ (logged as "Storing mail … in file://var/mail/relay-denied/"). So delete the following fragment from $JAMES_HOME/conf/mailetcontainer.xml:

<mailet match="RemoteAddrNotInNetwork=127.0.0.1" class="ToProcessor">
  <processor>relay-denied</processor>
  <notice>550 - Requested action not taken: relaying denied</notice>
</mailet>

In my case, a class named AuthRequiredToRelayRcptHook prevents open relay without that Mailet.

Configuring iptables

An example follows. Write it to /etc/sysconfig/iptables and issue sudo service iptables restart.

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT
COMMIT
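The rulesets in this post and in the WildFly post above share one trap: DNAT rewrites the destination port in PREROUTING, so with an INPUT policy of DROP the filter table must ACCEPT the internal port (10993, 8443 and so on), not the public one, and a forgotten ACCEPT silently blackholes the forwarded service. The script below is an added example, not from the original posts, that checks an iptables-save style file for exactly that. It assumes the file uses the "-A PREROUTING ... -j DNAT --to-destination :PORT" and "-A INPUT ... --dport PORT -j ACCEPT" form seen above; the demo ruleset it can write is a cut-down copy of the WildFly one, constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original posts): cross-check DNAT targets
# against INPUT ACCEPT rules in an iptables-save style ruleset.

# For every "-j DNAT --to-destination [addr]:PORT" line, report whether some
# "-A INPUT ... --dport PORT ... -j ACCEPT" line exists. Returns 1 if any is missing.
check_dnat_accepts() {
    rc=0
    dnat_ports=$(grep -- '-j DNAT' "$1" | sed -n 's/.*--to-destination [^ ]*:\([0-9][0-9]*\).*/\1/p')
    accepted=$(grep -- '-A INPUT ' "$1" | grep -- '-j ACCEPT' | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p')
    for p in $dnat_ports; do
        if echo "$accepted" | grep -qx "$p"; then
            echo "OK       DNAT to :$p is accepted by INPUT"
        else
            echo "MISSING  DNAT to :$p has no INPUT ACCEPT rule (INPUT policy is DROP)"
            rc=1
        fi
    done
    return $rc
}

# Write a demo ruleset to $1; $2 is "good" or "broken" (the broken one forgets
# the ACCEPT for the IMAPS backend port). Constructed from the WildFly ruleset above.
write_demo_ruleset() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080 -m comment --comment "HTTP"
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination :8443 -m comment --comment "HTTPS"
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993 -m comment --comment "IMAPS"
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT -m comment --comment "HTTPS"
EOF
    if [ "$2" = good ]; then
        echo '-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT -m comment --comment "IMAPS"' >> "$1"
    fi
    echo COMMIT >> "$1"
}

# Stand-alone usage: sh check_dnat_accepts.sh /etc/sysconfig/iptables
if [ $# -eq 1 ]; then
    check_dnat_accepts "$1"
fi
```

Run it against the saved ruleset before "service iptables restart"; a MISSING line means the public port will be DNATed to a backend port that INPUT then drops.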

Open relay check of the SMTP server

Just in case, check it with a testing site such as http://www.aupads.org/test-relay.html


Creating Java KeyStore from X.509 certificate


Posted on Friday Feb 06, 2015 at 10:00PM in Technology


Environment

  • Oracle JDK 8u20

  • OpenSSL 0.9.8zc 15 Oct 2014

  • A certificate bought from RapidSSL

Files

  • key.pem: Private key (created with the openssl command as described in the previous posting)

  • certificate.txt: The certificate sent by the seller via email

  • intermediate_ca.txt: The intermediate CA certificate sent by the seller via email

Create CAFile

curl -O https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
cat intermediate_ca.txt ca-bundle.crt > allcacerts.crt

Create PKCS12 key store

openssl pkcs12 -export -chain -CAfile allcacerts.crt -in certificate.txt -inkey key.pem -out mykeystore.pkcs12 -name java

Create Java KeyStore

keytool -importkeystore -srckeystore mykeystore.pkcs12 -srcstoretype pkcs12 -srcalias java -destkeystore mykeystore.jks -deststoretype jks -destalias mykey

Show list of entries in key store

keytool -v -list -storetype jks -keystore mykeystore.jks

Now mykeystore.jks is usable by applications built on Java.
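Before pointing mod_ssl at public.crt, private.key and intermediate.crt (first post above), or running openssl pkcs12 -export -chain here, it is worth confirming that the key really belongs to the certificate and that the certificate chains to a trusted root through the intermediate: a mismatch shows up as an httpd start failure or as an "unable to get local issuer certificate" error from pkcs12. The script below is an added example, not code from the original posts. It assumes openssl is on PATH, that the key is RSA, and that a passphrase-protected key's passphrase is in the KEY_PASS environment variable; make_demo_pki builds a throwaway root/intermediate/leaf hierarchy (constructed, not a real certificate) so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not part of the original posts): sanity-check certificate,
# private key and CA chain before deploying them to httpd or packing them
# into a PKCS12/JKS keystore.

# SHA-256 of the public key carried in an X.509 certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from an RSA private key; must equal the above.
# KEY_PASS supplies the passphrase for an encrypted key (ignored for a plain one).
key_pubkey_fp() {
    openssl rsa -in "$1" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Verify leaf $1 using untrusted intermediate(s) $2 and trusted roots $3.
# Old openssl builds exit 0 even on failure, so look for the ": OK" verdict instead.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run both checks, print a verdict per check, return 1 if anything is wrong.
check_ssl_files() {
    leaf=$1; key=$2; inter=$3; roots=$4; rc=0
    if [ "$(cert_pubkey_fp "$leaf")" = "$(key_pubkey_fp "$key")" ]; then
        echo "OK   $key matches $leaf"
    else
        echo "FAIL $key does not belong to $leaf"; rc=1
    fi
    if chain_verifies "$leaf" "$inter" "$roots"; then
        echo "OK   $leaf chains to a root in $roots via $inter"
    else
        echo "FAIL $leaf does not chain to $roots via $inter (wrong or missing intermediate?)"; rc=1
    fi
    return $rc
}

# Throwaway root -> intermediate -> leaf hierarchy in directory $1 (constructed
# for this example). The minimal config keeps openssl req from prompting.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/req.cnf" -extensions v3_ca -out "$d/intermediate.crt" -days 2 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/private.key" -out "$d/leaf.csr" -subj "/CN=www.example.org" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -out "$d/public.crt" -days 2 2>/dev/null
    openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null   # unrelated key, for the mismatch case
}

# Stand-alone usage: sh check_ssl_files.sh public.crt private.key intermediate.crt ca-bundle.crt
if [ $# -eq 4 ]; then
    check_ssl_files "$1" "$2" "$3" "$4"
fi
```

For the PKCS12 case pass allcacerts.crt as both the intermediate and the root argument, since that file already concatenates the two; for the httpd case use intermediate.crt and the ca-bundle.crt downloaded above.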


Obtaining an SSL certificate


Posted on Friday Feb 06, 2015 at 06:43PM in Technology


SSL certificates are cheap these days; there are even free ones available. You can obtain a personal one for around $10 per year.

What you need

  • Payment method (PayPal account, credit card, etc.; the usable methods vary depending on the seller)

  • An administrative mail address in the domain the certificate will be issued for (e.g. postmaster@example.org)

The common procedure is as follows:

Create a random seed

openssl md5 /var/log/*.log* > rand.dat

Create a private key

openssl genrsa -rand rand.dat -des3 2048 > key.pem

Create CSR from private key

openssl req -new -key key.pem -out csr.pem

I entered the following:

Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:www.nailedtothex.org
Email Address []:postmaster@MYDOMAIN.example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the CSR to the certificate authority (SSL certificate seller)

The seller will send you the certificate. Now you need to install the certificate on your servers (HTTP, SMTP, IMAP, etc.).
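The interactive openssl req session above works, but for servers you will renew regularly it is handier to script it and to check the CSR before sending it. Below is an added example, not from the original post, that generates the key and CSR non-interactively and verifies the result. It assumes openssl is on PATH and takes the key passphrase from the KEY_PASS environment variable (a constructed convention for this example). It omits the -rand step because OpenSSL seeds itself from the operating system's random source, encrypts the key with AES-256 instead of DES3, and leaves the organization fields unset, matching the "." answers in the session above.

```shell
#!/bin/sh
# Added example (not part of the original post): scripted key + CSR creation
# with the checks worth doing before the CSR goes to the seller.

# Generate an AES-256 encrypted 2048-bit RSA key and a CSR in directory $1
# for FQDN $2 with contact e-mail $3. Only C, CN and emailAddress are set.
make_key_and_csr() {
    d=$1; fqdn=$2; email=$3
    : "${KEY_PASS:?set KEY_PASS to the passphrase for the private key}"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"   # minimal config: no prompts
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$d/key.pem" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/key.pem" -passin "pass:$KEY_PASS" \
        -subj "/C=JP/CN=$fqdn/emailAddress=$email" -out "$d/csr.pem" 2>/dev/null
}

# The CSR's self-signature must verify: proves it was made with the key you hold.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Extract the Common Name so you can confirm it is exactly the host name to be certified.
# Handles both "CN = host" (OpenSSL 1.1+) and "/CN=host" (older) subject output.
csr_common_name() {
    openssl req -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The key file must be passphrase-protected, otherwise SSLPassPhraseDialog is pointless.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Stand-alone usage: KEY_PASS=... sh make_csr.sh ./out www.example.org postmaster@example.org
if [ $# -eq 3 ]; then
    make_key_and_csr "$1" "$2" "$3"
    csr_signature_ok "$1/csr.pem" && key_is_encrypted "$1/key.pem" \
        && echo "CSR for CN=$(csr_common_name "$1/csr.pem") ready to send: $1/csr.pem"
fi
```

The challenge password and optional company name are simply not included, which is what leaving those prompts empty achieves in the interactive run.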