SSL (Secure Sockets Layer) is a protocol that allows you to manage the security of your web server. ListManager supports SSL2, SSL3 and TLS 1.
In order to use SSL with the Lyris ListManager Webserver, it is necessary to generate a private key file and go through the process of acquiring a certificate file, as well as enabling SSL in the tclhttpd.rc file. The example we provide here for generating the SSL files uses OpenSSL (http://www.openssl.org), but a similar process can be done with tools from RSA (http://www.rsa.com). You will need to have OpenSSL installed and have an openssl (or openssl.exe) binary to follow this example.
We include (in the 'tclweb/bin/certs/' directory) the openssl program so that you do not need to obtain it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for Linux), or obtained from Cygwin (http://www.cygwin.com).
SSL is a feature of ListManager Pro and Enterprise, and is unavailable for standard ListManager. Contact your account representative at sales@lyris.com if you'd like to upgrade to ListManager Pro or Enterprise.
Please note: These examples are for illustrative purposes only. If you need extra assistance please contact sales@lyris.com to learn about our professional services.
SSL Installation Information:
1. Open a command prompt, and then change the directory to ...tclweb/bin/certs/.
2. Generate a CSR file (Certificate Request) and the private key file.
NOTE: This should all be on the same line:
openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf
You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.
3. You will have generated two files: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world.
4. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.
The certificate request should look something like
-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda
More letters and numbers....
-----END CERTIFICATE REQUEST-----
5. Submit your CSR to a certificate authority to receive an SSL certificate.
6. The file you receive back from the certificate authority should be copied into a file called server.pem. In order to do this, create a file called server.pem and copy the contents of your certificate into the file server.pem.
7. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb\bin\certs directory.
8. Restart the webserver. You should see output like this (if started from the command line).
ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
1. Generate a CSR file (Certificate Request) and the private key file:
openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf
You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.
2. You will have generated two files: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world. To set the file permissions appropriately, run:
chmod 600 skey.pem
3. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.
The certificate request should look something like
-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda
More letters and numbers....
-----END CERTIFICATE REQUEST-----
4. Submit the CSR file you created to a Certifying Authority (CA), for example Verisign.
5. The file you receive back from the certificate authority should be copied into a file called server.pem. In order to do this, create a file called server.pem and copy the contents of your certificate into the file server.pem.
6. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb/bin/certs directory.
7. Turn on the SSL option for the ListManager webserver. Open tclweb/bin/tclhttpd.rc in the ListManager directory with a plain text editor (such as emacs or vim) and edit the following lines to read as follows:
Config USE_TLS1 1
Config USE_SSL2 0
Config USE_SSL3 0
Note: By default this option is off (0).
Important: USE_SSL2 and USE_SSL3 should be set to 0 as these protocols are no longer secure.
8. Restart the webserver. You should see output like this (if started from the command line).
ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
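A pre-restart check for the files this procedure produces, added here as an example and not part of the Lyris documentation or product: it confirms that skey.pem grants nothing to group or other, that server.pem carries the same public key as skey.pem, and that tclhttpd.rc has the three protocol switches set as in step 7. The function names and the preflight wrapper are assumptions; openssl, awk and ls must be on the PATH.

```shell
#!/bin/sh
# Added example (not Lyris code). File names come from the steps above;
# the function names and the preflight wrapper are assumptions of this sketch.

# True when server.pem and skey.pem carry the same public key.
cert_matches_key() {                       # cert_matches_key server.pem skey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the key file grants nothing to group or other (the chmod 600 result).
key_is_private() {                         # key_is_private skey.pem
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Prints every protocol switch in tclhttpd.rc that differs from
# USE_TLS1 1 / USE_SSL2 0 / USE_SSL3 0; prints nothing when all three match.
rc_protocol_problems() {                   # rc_protocol_problems tclhttpd.rc
    awk '
        $1 == "Config" && $2 ~ /^USE_(TLS1|SSL2|SSL3)$/ { seen[$2] = $3 }
        END {
            want["USE_TLS1"] = "1"; want["USE_SSL2"] = "0"; want["USE_SSL3"] = "0"
            for (k in want) {
                if (!(k in seen)) print k " is not set"
                else if (seen[k] "" != want[k]) print k " is " seen[k] ", expected " want[k]
            }
        }' "$1" | sort
}

# Runs all three checks; returns non-zero if any of them fails.
preflight() {                              # preflight CERTS_DIR TCLHTTPD_RC
    status=0
    key_is_private "$1/skey.pem" || { echo "skey.pem: group/other have access"; status=1; }
    cert_matches_key "$1/server.pem" "$1/skey.pem" ||
        { echo "server.pem does not match skey.pem"; status=1; }
    problems=$(rc_protocol_problems "$2")
    [ -z "$problems" ] || { echo "$problems"; status=1; }
    return "$status"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it as `sh preflight.sh tclweb/bin/certs tclweb/bin/tclhttpd.rc` (the script name is a placeholder) before restarting the webserver.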
Installing an Intermediate Root Certificate
When using an intermediate root certificate, you may get an error indicating that the certificate is not yet valid, or has expired, when it clearly is in the correct date range. Here is how you solve that problem with Verisign:
1. Cd to tclweb/bin (underneath the directory where you installed ListManager)
2. Make a backup copy of the file tclhttpd.rc.
3. Open tclhttpd.rc with a plain text editor.
4. Replace
Config SSL_CAFILE " "
with
Config SSL_CAFILE [file join [Config SSL_CADIR] intermediate.crt]
5. Save tclhttpd.rc.
6. Get your intermediate certificate from your certificate authority and create a file called intermediate.crt.
7. Open the intermediate.crt and copy the contents of your intermediate certificate into the intermediate.crt file.
8. Copy the intermediate.crt file to the ListManager tclweb/bin/certs directory.
9. Restart the ListManager tclhttpd web server.
Note: ListManager 9.x uses OpenSSL 0.9.7. This version may give false positives under certain circumstances.
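To tell a real date problem apart from a chain problem when that error appears, the following added example (not Lyris code) checks that tclhttpd.rc references intermediate.crt, that neither certificate has expired, and that intermediate.crt is the issuer named in server.pem. The function names are assumptions, and the issuer check compares names only, not the signature.

```shell
#!/bin/sh
# Added example (not Lyris code). File names come from the steps above;
# the function names are assumptions of this sketch.

# True when tclhttpd.rc points SSL_CAFILE at intermediate.crt (step 4).
cafile_configured() {                 # cafile_configured tclhttpd.rc
    grep -Eq '^[[:space:]]*Config[[:space:]]+SSL_CAFILE[[:space:]].*intermediate\.crt' "$1"
}

# True when the issuer name in the server certificate equals the subject name
# of the intermediate. This compares names only, not the signature.
issued_by() {                         # issued_by server.pem intermediate.crt
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    ca_subject=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ]
}

# Prints one verdict: "unreadable: FILE", "expired: FILE", "wrong-issuer" or "ok".
diagnose_chain() {                    # diagnose_chain server.pem intermediate.crt
    for f in "$1" "$2"; do
        openssl x509 -in "$f" -noout >/dev/null 2>&1 ||
            { echo "unreadable: $f"; return 1; }
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "expired: $f"; return 1; }
    done
    issued_by "$1" "$2" || { echo "wrong-issuer"; return 1; }
    echo "ok"
}

# Prints both validity windows next to the server clock, for the
# "not yet valid" case that -checkend does not cover.
show_validity() {                     # show_validity server.pem intermediate.crt
    for f in "$1" "$2"; do
        echo "$f"; openssl x509 -in "$f" -noout -subject -dates
    done
    echo "server clock (UTC): $(date -u)"
}

# Arguments: path to server.pem, path to intermediate.crt, path to tclhttpd.rc
if [ "$#" -eq 3 ]; then
    cafile_configured "$3" || echo "SSL_CAFILE does not reference intermediate.crt"
    diagnose_chain "$1" "$2"
    show_validity "$1" "$2"
fi
```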