-
Notifications
You must be signed in to change notification settings - Fork 35
/
Copy pathSecurity.txt
132 lines (106 loc) · 6.13 KB
/
Security.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
Sigma can be configured for HTTPS. Only attempt this if you have good system
administration skills or are willing to invest a few days of work. There are a
lot of moving parts that all have to work together. This is only one way to
accomplish this, it's only known to work on Linux and I'm not able to advise on
different approaches. You need sudo access to the server you're installing on.
All the commands below are done on the same server where you have installed
Sigma.
This procedure uses LetsEncrypt's free command line tool on Linux. I based my approach on
https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416
1. Install LetsEncrypt's CertBot command line tool that lets you generate a free
certificate. Since this whole process is complicated, many companies charge a
lot for a certificate. But this one is free thanks to the Linux Foundation and
the non-profit Internet Security Research Group (ISRG).
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
1a. Note that in step 6 below you'll set up your Tomcat to accept a particular key, as the value of
keystorePass in your $TOMCAT_HOME/conf/server.xml file
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="myplaintext"
clientAuth="false" sslProtocol="TLS"/>
2. Use the java keytool command to create a keystore. You have to use your domain name
in place of your first and last name. Note also that when asked to create a password
for the keystore this has to be given in plain text to your tomcat configuration file,
so make this a unique password. That seems odd to me, so there must be a better way.
The password for the tomcat key must the same as the keystore.
~$ sudo keytool -genkey -alias tomcat -keyalg RSA -keystore ~/.keystore -keysize 2048
What is your first and last name?
[Unknown]: www.foo.org
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: My Open Source Non-Profit
What is the name of your City or Locality?
[Unknown]: Anytown
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=www.foo.org, OU=Unknown, O=My Open Source Non-Profit, L=Anytown, ST=CA, C=US correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
3. Use the CertBot to create a Certificate Signing Request (CSR) which LetsEncrypt will sign.
This process verifies that you own the server you claim to own. The csr will be called
request.csr
~$ sudo keytool -certreq -alias tomcat -file request.csr -keystore ~/.keystore
4. Use CertBot and request.csr to create the certificate. There are several methods
allowed but since my server is Ubuntu and the Apache webserver is already installed and
running, I chose the method of having the CertBot write a file to my web root. You'll
see your Linux account id instead of "theuser" in the commands below and you'll need
to replace www.foo.org with your domain name. Note that you must be on the same machine
as the domain you enter for this to work, since the command will be writing the
change file to your web root and then accessing the file through your web server on that
domain.
-------------------------------------------------------------------------------
~$ sudo certbot certonly --csr request.csr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Performing the following challenges:
http-01 challenge for www.foo.org
Select the webroot for www.foo.org:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for www.foo.org: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /home/theuser/0000_cert.pem
Cert chain written to <fdopen>
Cert chain written to <fdopen>
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/home/theuser/0001_chain.pem
Your cert will expire on 2018-01-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
-------------------------------------------------------------------------------
5. Import the new certificate (named in the response from certobt above
into the keystore
sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore ~/.keystore
6. Modify your Tomcat configuration file. There should be an element like the one
below that is commented out and can be replaced with this one. Note that the password
is one you used in step 2 above and it appears in clear text.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" KeystoreFile="~/.keystore"
KeystorePass="Password_you_have_set_at_key_creation" />
7. Restart tomcat and make sure you get a response from https://localhost:8443
8. Modify your Sigma config.xml file to set use of HTTPS and port 8443
<preference name="https" value="true" />
<preference name="port" value="8443" />
9. Restart tomcat and it should all work.