Compare versions

Comment: rm links to old TCS supplier

...

Equipped with the CSR you can now request a TLS certificate from your CA, e.g. via the ACOnet TCS supplier. Once the certificate has been issued, copy it to the IDP server as webserver.crt.
You'll also need to copy any intermediate Certificate Authority (CA) certificates to the IDP server.

Info

In case of ACOnet TCS with Sectigo as the supplier and an RSA OV certificate, the only intermediate CA certificate you'll need is the one with the subject "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4". With HARICA as the supplier (the chain shown at the end of this page) you need both "GEANT TLS RSA 1" and "HARICA TLS RSA Root CA 2021", since the latter is itself issued by the HARICA root. Whichever intermediates apply to your certificate are referred to as MATCHING-INTERMEDIATE-CA-CERTS.crt below; if there is more than one, concatenate them (PEM) into that single file.

Convert the TLS/SSL keypair into PKCS12

Copy the private key, new TLS certificate and any intermediate CA certificates into a PKCS#12 keystore file:

No format
openssl pkcs12 -export -in webserver.crt -inkey webserver.key -certfile MATCHING-INTERMEDIATE-CA-CERTS.crt -name webserver -out webserver.p12

When asked to "Enter pass phrase for webserver.key" provide the passphrase generated earlier.
Provide it again when asked to "Enter Export Password", and once more when asked to "Verifying - Enter Export Password".

Move the newly created keystore to its final location (we're choosing Tomcat's config directory) and set strict file system permissions on it:

No format
[[ -f /etc/tomcat10/webserver.p12 ]] && cp -a /etc/tomcat10/webserver.p12 /etc/tomcat10/webserver.p12.`date -u +%Y%m%d`
mv webserver.p12 /etc/tomcat10/
chown root:tomcat /etc/tomcat10/webserver.p12
chmod 640 /etc/tomcat10/webserver.p12
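The three steps above (key, intermediate(s), PKCS#12 export, deployment) have a classic failure mode: a key that does not belong to the certificate, or the wrong intermediate in -certfile, yields a keystore that Tomcat loads without complaint but that clients reject. The following script is an added example, not part of this page or of the Shibboleth/Tomcat documentation. build_keystore, keystore_cert_count and make_demo_pki are hypothetical helpers: build_keystore refuses to write webserver.p12 unless the key matches the certificate and the intermediates verifiably link it to the root, and it reads the export password from a file instead of the three prompts; make_demo_pki generates a constructed root/intermediate/leaf chain so everything runs offline. File names otherwise follow the page; the openssl command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the ACOnet page or the Shibboleth/Tomcat docs: only build
# webserver.p12 after proving that key, certificate and intermediate(s) belong together.
# build_keystore/keystore_cert_count/make_demo_pki are hypothetical helpers; the demo
# PKI is constructed sample input. Requires the openssl command line tool.
set -eu

# build_keystore LEAF.crt LEAF.key INTERMEDIATES.crt ROOT.crt OUT.p12 PASSFILE
#   ROOT.crt is used as trust anchor for the verification only and is deliberately
#   NOT put into the keystore (the server must not send the root).
#   PASSFILE holds the export password on its first line (openssl "file:" syntax).
build_keystore() {
  leaf=$1; key=$2; chain=$3; root=$4; out=$5; passfile=$6

  # 1. The private key must match the public key inside the certificate.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "build_keystore: $key does not belong to $leaf" >&2
    return 1
  fi

  # 2. The supplied intermediates must really link the leaf to the trust anchor;
  #    a wrong or missing intermediate is the usual cause of a "broken chain".
  if ! openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
    echo "build_keystore: $chain does not connect $leaf to $root" >&2
    return 1
  fi

  # 3. Export without interactive prompts. Add -passin file:KEYPASS when
  #    webserver.key is passphrase-protected as on the page; the demo key is not.
  openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
    -name webserver -passout "file:$passfile" -out "$out"
}

# keystore_cert_count OUT.p12 PASSFILE -> number of certificates in the keystore
#   (expected: leaf plus every intermediate, so 2 for a single-intermediate chain).
keystore_cert_count() {
  n=$(openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
  echo "$n"
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf chain (2-day validity,
#   unencrypted keys) so the checks above can be exercised offline. Not a real CA.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:idp.example.org\n' > "$dir/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=idp.example.org' \
    -keyout "$dir/webserver.key" -out "$dir/webserver.csr" 2>/dev/null
  openssl x509 -req -in "$dir/webserver.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/webserver.crt" 2>/dev/null
  printf 'demo-export-password\n' > "$dir/p12.pass"
}

# Usage: a good keystore, then a mismatching key that must be refused before writing.
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  build_keystore "$d/webserver.crt" "$d/webserver.key" "$d/int.crt" "$d/root.crt" \
    "$d/webserver.p12" "$d/p12.pass"
  echo "certificates in keystore: $(keystore_cert_count "$d/webserver.p12" "$d/p12.pass")"
  if build_keystore "$d/webserver.crt" "$d/int.key" "$d/int.crt" "$d/root.crt" \
       "$d/bad.p12" "$d/p12.pass" 2>/dev/null; then
    echo "BUG: mismatching key was accepted"
  fi
  rm -rf "$d"
}
demo
```

On the real host, call build_keystore with webserver.crt, webserver.key, MATCHING-INTERMEDIATE-CA-CERTS.crt and the root certificate from /etc/ssl/certs/ as the trust anchor, then continue with the mv/chown/chmod steps above. If Tomcat later rejects the keystore with a password or integrity error, look at the encryption the export used (openssl pkcs12 -info -in webserver.p12) and compare it with what the installed JRE supports before suspecting the password.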

Configure Tomcat Connector

Remove or comment out all other Connectors in /etc/tomcat10/server.xml, then add the two Connectors as per below, replacing the value of certificateKeystorePassword with the password generated earlier:

Note

If you still need to support clients that can only speak TLS 1.0 or TLS 1.1 you will have to amend the protocols attribute of the SSLHostConfig element below!


Code block (html/xml)
<!-- Localhost-only connector for IDP command line tools -->
<Connector address="127.0.0.1" port="80" />

<!-- https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html -->
<!-- https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support -->
<Connector
  port="443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150"
  maxPostSize="100000"
  SSLEnabled="true"
  scheme="https"
  secure="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig
      protocols="TLSv1.2,TLSv1.3"
      ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305">
    <Certificate type="RSA"
      certificateKeystoreType="PKCS12"
      certificateKeystoreFile="/etc/tomcat10/webserver.p12"
      certificateKeystorePassword="see sections above" />
    </SSLHostConfig>
</Connector>

...

No format
openssl s_client -CApath /etc/ssl/certs/ -connect webserver-fqdn:443 2>&1 </dev/null | grep -E '^Certificate chain|^ +[0-9]+ s:|^ +i:'

and verify that it looks something like the "Certificate chain" presented below. The Subject of cert 0 will obviously differ, and depending on your choice of CA or certificate product the CA or certificate chain may also be different. A correct chain (and therefore PKCS#12 keystore) for TLS usage should contain all the certificates up to but excluding the root CA certificate. I.e., in the example below the certificate with CN = Hellenic Academic and Research Institutions RootCA 2015 is not included in the chain sent from the server (but must be known by the web browser).

No format
Certificate chain
 0 s:C = AT, ST = Wien, O = Universit\C3\A4t Wien, CN = idp.aco.net
   i:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
 1 s:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
   i:C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
 2 s:C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
   i:C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015

In case of errors check the output of "journalctl -u tomcat10 -ef".
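Eyeballing the s_client output works, but the two conditions that matter (every issuer is the next certificate's subject, and the last certificate sent is not the self-signed root) are easy to check mechanically. The script below is an added example, not part of this page: chain_sanity is a hypothetical helper that reads the "Certificate chain" block, and good_chain/bad_chain are constructed samples, the first being the chain shown above and the second the same chain with the root wrongly appended.

```shell
#!/bin/sh
# Added example, not from the ACOnet page: check the "Certificate chain" block that
# openssl s_client prints. chain_sanity is a hypothetical helper; good_chain/bad_chain
# are constructed samples (the first is the chain shown on this page).
set -eu

# chain_sanity [FILE]  (reads stdin when FILE is omitted)
#   Verifies that every issuer equals the next certificate's subject, that the last
#   certificate sent is NOT self-signed (the root must stay out of the keystore) and
#   that the server sends more than just the end-entity certificate.
chain_sanity() {
  awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    /^ *i:/        { sub(/^ *i:/, "");        iss[n]  = $0; n++ }
    END {
      if (n == 0) { print "no certificate chain found in input"; exit 1 }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k+1]) {
          print "broken chain: issuer of cert " k " is not the subject of cert " (k+1)
          exit 1
        }
      if (subj[n-1] == iss[n-1]) {
        print "root CA certificate is sent by the server (cert " (n-1) " is self-signed); remove it from the keystore"
        exit 1
      }
      if (n == 1) {
        print "only the end-entity certificate is sent; unless your CA signs directly with its root, the intermediate(s) are missing"
        exit 1
      }
      print "OK: " n " certificate(s) sent, chain ends at an intermediate"
    }' "${1:--}"
}

# Constructed sample 1: the chain from this page (root "RootCA 2015" correctly absent).
good_chain() {
cat <<'EOF'
Certificate chain
 0 s:C = AT, ST = Wien, O = Universit\C3\A4t Wien, CN = idp.aco.net
   i:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
 1 s:C = GR, O = Hellenic Academic and Research Institutions CA, CN = GEANT TLS RSA 1
   i:C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
 2 s:C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
   i:C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
---
EOF
}

# Constructed sample 2: the same chain with the self-signed root wrongly appended,
# which is what you get when the root ends up in the -certfile of the PKCS#12 export.
bad_chain() {
  good_chain | sed '$d'
cat <<'EOF'
 3 s:C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
   i:C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
---
EOF
}

# Usage with live output from the real server:
#   openssl s_client -CApath /etc/ssl/certs/ -connect webserver-fqdn:443 </dev/null 2>/dev/null | chain_sanity
good_chain | chain_sanity
bad_chain | chain_sanity || true
```

The check deliberately treats a lone end-entity certificate as a failure: a CA that signs leaf certificates directly with its root is rare today, and a missing intermediate is by far the more common explanation.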

...