Secure the Web Server Stack

This section covers web server security.

Data Transportation—Secure Sockets Layer (SSL) is a widely used technology to protect data transfer. This section describes SSL enablement methods for both the Apache Web server and the Tomcat Application server.

Application Authentication—The Apache Web server provides a built-in authorization module to enable access protection. Alternatively, Symas CDS provides a directory service solution based on OpenLDAP, Berkeley DB, Cyrus SASL, and OpenSSL for more fine-grained authentication purposes. CDS is an integrated authentication and authorization-based security mechanism for enterprise applications managed and deployed in the Apache httpd and Tomcat Web servers. The directory server can store credential information and application privileges for the users who are granted or forbidden access to specific resources. In addition to controlling access based on user identities, OpenLDAP can control access based on other attributes such as network address, transport, encryption strength, dynamic relationships, and so on (for example, sets). Some applications, or specific web pages within applications, hosted in the Apache Web server or Tomcat must be accessible only to authenticated users. Symas CDS provides this authentication mechanism by storing user credentials in the directory server.

Enabling HTTPS Support in the Apache HTTP Server

The mod_ssl module provides an SSL implementation that allows web applications running within the Apache Web server to communicate securely with their respective clients. Communication can still occur over standard HTTP.

To enable HTTP over SSL (HTTPS), perform the following steps:

1. Run the shell script /usr/bin/gensslcert to create dummy SSL keys for mod_ssl.

This tool copies the /etc/apache2/ssl.crt/ca.crt file to /srv/www/htdocs/CA.crt and creates the following key files:

/etc/apache2/ssl.crt/ca.crt

/etc/apache2/ssl.key/server.key

/etc/apache2/ssl.crt/server.crt

/etc/apache2/ssl.csr/server.csr

2. Edit the /etc/sysconfig/apache2 file by adding ssl to the APACHE_MODULES definition and SSL to the APACHE_SERVER_FLAGS definition.

After completing the edits, the lines should look like the following:

APACHE_MODULES="... ssl ..."
APACHE_SERVER_FLAGS="SSL"

3. Create an SSL virtual host configuration file by copying the template file to perform the test:

# cp /etc/apache2/vhosts.d/vhost-ssl.template \
     /etc/apache2/vhosts.d/vhost-ssl.conf

4. Restart Apache by entering the following:

# /etc/init.d/apache2 restart
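
A post-setup check for the four steps above, as an added example that is not part of the original guide: it confirms that the files from step 1 and the copied virtual host file exist, that ssl and SSL appear as whole tokens in /etc/sysconfig/apache2, and that server.key carries no group or other permission bits. The function names, the optional ROOT argument, the permission check, and the sample tree are assumptions of this example.

```shell
# Added example: confirm that steps 1-4 took effect. The optional ROOT argument
# is an assumption of this example; it points the check at a staged copy.

# sysconfig_has VAR WORD FILE: true if WORD is a whole token in the last
# uncommented VAR="..." assignment in FILE (a substring does not count).
sysconfig_has() {
    sc_val=$(sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$3" 2>/dev/null | tail -n 1)
    case " $sc_val " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# check_ssl_setup [ROOT]: print one line per problem, return 0 only if none.
check_ssl_setup() {
    root=${1:-}; rc=0
    conf=$root/etc/sysconfig/apache2
    key=$root/etc/apache2/ssl.key/server.key
    for f in "$root/etc/apache2/ssl.crt/ca.crt" "$key" \
             "$root/etc/apache2/ssl.crt/server.crt" \
             "$root/etc/apache2/ssl.csr/server.csr" \
             "$root/etc/apache2/vhosts.d/vhost-ssl.conf"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    sysconfig_has APACHE_MODULES ssl "$conf" ||
        { echo "ssl is not in APACHE_MODULES ($conf)"; rc=1; }
    sysconfig_has APACHE_SERVER_FLAGS SSL "$conf" ||
        { echo "SSL is not in APACHE_SERVER_FLAGS ($conf)"; rc=1; }
    # The private key should carry no group or other permission bits.
    if [ -f "$key" ] && [ "$(ls -ln "$key" | cut -c5-10)" != "------" ]; then
        echo "group/other permissions set on $key"; rc=1
    fi
    return "$rc"
}

# Constructed sample tree (empty files, not real keys) so the check runs without /etc.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/sysconfig" "$t/etc/apache2/ssl.crt" "$t/etc/apache2/ssl.key" \
             "$t/etc/apache2/ssl.csr" "$t/etc/apache2/vhosts.d"
    printf '%s\n' 'APACHE_MODULES="alias dir ssl"' 'APACHE_SERVER_FLAGS="SSL"' \
        > "$t/etc/sysconfig/apache2"
    for f in ssl.crt/ca.crt ssl.crt/server.crt ssl.csr/server.csr \
             ssl.key/server.key vhosts.d/vhost-ssl.conf; do
        : > "$t/etc/apache2/$f"
    done
    chmod 600 "$t/etc/apache2/ssl.key/server.key"
    echo "$t"
}

tree=$(make_sample_tree) && check_ssl_setup "$tree" && echo "sample tree: OK"
rm -rf "$tree"
```

To check the live system, call check_ssl_setup with no argument as root, since the key directory may not be readable by other users.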
