7.4 Enabling HTTPS on Appliance Prior to 7.3 Version

To enable HTTPS on a Service Desk Appliance prior to version 7.3, use the openssl command to generate a key pair, as described in the following steps. SSH into the appliance and log in as root.

  1. Copy all the certificates and keys into a single directory.

    srm-tst-nsd-130:~ # mkdir /root/CA
    srm-tst-nsd-130:~ # chmod 770 /root/CA/
    srm-tst-nsd-130:~ # cd /root/CA/

  2. Create a private key and then generate a certificate request

    srm-tst-nsd-130:~/CA # openssl genrsa -des3 -out nsd-ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    ....................+++
    ...................................................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for nsd-ca.key:
    Verifying - Enter pass phrase for nsd-ca.key:
    srm-tst-nsd-130:~/CA #

  3. Generate a self-signed root certificate from the generated private key

    srm-tst-nsd-130:~/CA # openssl req -new -x509 -days 3650 -key nsd-ca.key -out nsd-ca.crt
    Specify pass phrase for nsd-ca.key:
    Specify information that will be incorporated into your certificate request. Information includes Distinguished Name or a DN and a few mandatory fields.
    For a few fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pvt Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:

  4. Creation of key and certificate for the web server:

    srm-tst-nsd-130:~/CA # openssl genrsa -des3 -out nsd-server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .............++++++
    .............................................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for nsd-server.key:
    Verifying - Enter pass phrase for nsd-server.key:

  5. Create the certificate signing request for the web server:

    srm-tst-nsd-130:~/CA # openssl req -new -key nsd-server.key -out nsd-server.csr
    Specify pass phrase for nsd-server.key:
    Specify information that will be incorporated into your certificate request. Information includes Distinguished Name or a DN and a few mandatory fields.
    For a few fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:
    Specify additional attributes to be sent with your certificate request.
    A change password []:
    An optional company name []:

  6. Use the CA to sign the web server's certificate request:

    srm-tst-nsd-130:~/CA # openssl x509 -req -in nsd-server.csr -out nsd-server.crt -sha1 -CA nsd-ca.crt -CAkey nsd-ca.key -CAcreateserial -days 3650
    Signature ok
    subject=/C=US/ST=Utah/L=provo/O=novell/OU=epm/CN=srm-tst-nsd-130.epm.blr.novell.com/emailAddress=ybellur@novell.com
    Getting CA Private Key
    Specify pass phrase for nsd-ca.key:
    srm-tst-nsd-130:~/CA #

  7. Remove the pass phrase from the key; otherwise you must enter the pass phrase every time Apache is started, and Apache gives you only a few seconds to enter it before terminating.

    srm-tst-nsd-130:~/CA # openssl rsa -in nsd-server.key -out nsd-server-npp.key
    Specify pass phrase for nsd-server.key:
    writing RSA key
    srm-tst-nsd-130:~/CA #
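Step 4 generates a 1024-bit server key and step 6 signs with `-sha1`; both are deprecated for certificates, so it is worth checking what a certificate actually carries before installing it. The function below is an added example, not part of the original procedure: it reads the text dump of a certificate on stdin and flags a short RSA key or an MD5/SHA-1 signature. The function names, the sample text and the 2048-bit threshold are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original procedure.
# Reads `openssl x509 -noout -text` output on stdin, prints one finding per
# line, and returns 1 if the key size or signature hash is flagged.
MIN_RSA_BITS=2048   # assumption: smallest RSA modulus this check accepts

audit_cert_text() {
    awk -v min="$MIN_RSA_BITS" '
        # The signature algorithm is printed twice; report the first only.
        /Signature Algorithm:/ && !seen_sig {
            seen_sig = 1
            if (tolower($NF) ~ /md5|sha1/) { print "WEAK signature hash: " $NF; bad = 1 }
            else print "ok signature hash: " $NF
        }
        /Public Key Algorithm:/ { pk = $NF }
        # Matches "Public-Key: (1024 bit)" and the older "RSA Public Key: (1024 bit)".
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            if (pk ~ /rsa/ && bits + 0 < min) { print "WEAK RSA key: " bits " bits"; bad = 1 }
            else print "ok key: " pk " " bits " bits"
        }
        END {
            if (!seen_sig) { print "no certificate text on stdin"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the fields such a dump would show for a certificate
# made with the parameters in steps 4 and 6 (1024-bit key, -sha1).
sample_cert_text() {
    cat <<'EOF'
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
```

On the appliance, pipe the real certificate through it: `openssl x509 -in nsd-server.crt -noout -text | audit_cert_text`.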

Configuring Apache for SSL Connection

  1. Move the new keys generated to the proper directories in the apache folder /etc/apache2.

    srm-tst-nsd-130:~/CA # cp nsd-server.crt /etc/apache2/ssl.crt/nsd-ssl.crt
    srm-tst-nsd-130:~/CA # cp nsd-server-npp.key /etc/apache2/ssl.key/nsd-ssl.key
    srm-tst-nsd-130:~/CA # cp nsd-ca.crt /etc/apache2/ssl.crt/nsd-ca.crt

  2. Launch the text editor to create a virtual host configuration file or you can use the SSH file transfer to edit the file and copy the edited file back to the same location.

    srm-tst-nsd-130:~/CA # cd /etc/apache2/vhosts.d/
    srm-tst-nsd-130:/etc/apache2/vhosts.d # vi nsd-ssl-vhost.conf

  3. Paste the following into the file

    <IfDefine SSL>
    <IfDefine !NOSSL>
    <VirtualHost *:443>
    #Setup SSL for this virtual host
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/nsd-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLProtocol all -SSLv2 -SSLv3
    #Fix for IE browsers when using SSL with Apache
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    #Custom log file
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    #Apache sends incoming request to Tomcat
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13
    # do not lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>
    <Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
    Order allow,deny
    Allow from all
    </FilesMatch>
    </VirtualHost>
    </IfDefine>
    </IfDefine>

  4. Save the file by pressing ESC and then typing :wq

  5. The Apache web server requires a startup flag to enable SSL. The flag is set in the Apache configuration file located in /etc/sysconfig.

    srm-tst-nsd-130:/ # vi /etc/sysconfig/apache2

  6. Scroll down the file to find the following line:

    APACHE_SERVER_FLAGS=""

  7. Change the APACHE_SERVER_FLAGS="" to APACHE_SERVER_FLAGS="SSL"

  8. Save the file by pressing ESC and then typing :wq

  9. Restart the apache server:

    rcapache2 restart

  10. Launch your browser and go to the Service Desk Appliance.
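The cipher string in the vhost file from step 3 names `LOW`, `SSLv2`, `EXP` and `eNULL` with a `+` prefix. In OpenSSL cipher-list syntax `+` only moves matching ciphers to the end of the list, while `!` is what removes a class permanently. The script below is an added example, not part of the original procedure, that lints the `SSLCipherSuite` and `SSLProtocol` lines of a vhost file; the function names and the list of classes treated as weak are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original procedure.
# Lints the SSLCipherSuite and SSLProtocol lines of an Apache vhost file
# (file argument or stdin). Prints findings and returns 1 if there are any.
# Assumption: the list of classes treated as weak is this example's choice.
WEAK_CLASSES='LOW|EXP|EXPORT|EXPORT40|EXPORT56|eNULL|NULL|aNULL|ADH|SSLv2|RC4|DES|MD5'

audit_vhost() {
    awk -v weak="^($WEAK_CLASSES)\$" '
        $1 == "SSLCipherSuite" {
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t ~ /^[!-]/) continue        # "!X" and "-X" remove ciphers
                sub(/^[+]/, "", t)               # "+X" only reorders the list
                m = split(t, part, "[+]")        # "RC4+RSA" is RC4 AND RSA
                for (j = 1; j <= m; j++)
                    if (part[j] ~ weak) {
                        print "SSLCipherSuite: " tok[i] " names " part[j] " without !"
                        bad = 1
                    }
            }
        }
        $1 == "SSLProtocol" {
            has_all = 0; args = " "
            for (i = 2; i <= NF; i++) {
                if ($i == "all" || $i == "+all") has_all = 1
                args = args $i " "
            }
            miss = ""
            if (has_all && !index(args, " -TLSv1 "))   miss = miss " TLSv1"
            if (has_all && !index(args, " -TLSv1.1 ")) miss = miss " TLSv1.1"
            if (miss != "") { print "SSLProtocol: all does not exclude" miss; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Sample input: the TLS directives from the vhost file in step 3.
sample_vhost() {
    cat <<'EOF'
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2 -SSLv3
EOF
}
```

Run it as `audit_vhost /etc/apache2/vhosts.d/nsd-ssl-vhost.conf` before `rcapache2 restart`; a file that produces no findings returns 0.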