Adding SSL to the ListManager Web Server

 

SSL (Secure Sockets Layer) is a protocol that encrypts and authenticates the connection between a web browser and your web server, so that logins and administration pages are not sent in the clear. ListManager supports SSL 2.1.

 

In order to use SSL with the Lyris ListManager Webserver, you must generate a private key file, obtain a certificate file from a certificate authority, and enable SSL in the tclhttpd.rc file. The example we provide here for generating the SSL files uses OpenSSL (http://www.openssl.org), but a similar process can be done with tools from RSA (http://www.rsa.com). You will need to have OpenSSL installed and have an openssl (or openssl.exe) binary to follow this example.

 

We include (in the 'tclweb/bin/certs/' directory) the openssl program so that you do not need to obtain it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for Linux), downloaded for Solaris from Sunfreeware (http://www.sunfreeware.com) or obtained from Cygwin (http://www.cygwin.com).

 

SSL is a feature of ListManager Pro and Enterprise, and is unavailable for standard ListManager. Contact your account representative at sales@lyris.com if you'd like to upgrade to ListManager Pro or Enterprise.

 

For additional information about installing SSL with Solaris, see Installing SSL on Solaris, below.

 

Adding SSL for Linux and Solaris

 

1. Generate a CSR file (Certificate Request) and the private key file:

 

openssl req -new -nodes -keyout skey.pem -out public.csr

 

You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

 

2. You will have generated two files: the certificate request (public.csr), which carries your public key, and the private key (skey.pem). The private key must be kept secret: anyone who obtains it can impersonate your server. To make it readable only by its owner, run:

 

chmod 600 skey.pem

 

3. Submit the CSR file you created to a Certificate Authority (CA) such as Verisign.

 

The certificate request should look something like this:

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

 

To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you will also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.

 

4. Fill out the technical contact information and submit. You will receive your certificate via email.

 

5. Install the certificate in the ListManager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied into a file called server.pem.

 

6. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb/bin/certs directory.

 

7. Turn on the SSL option for the ListManager webserver. Open tclweb/bin/tclhttpd.rc in the ListManager directory with a plain text editor (such as emacs or vim) and edit the following line so that it reads:

 

Config USE_TLS1 1

 

By default this option is off (0).

 

8. Restart the webserver. If it is started from the command line, you should see output like this:

 

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443

 

 

Adding SSL for Windows

 

1. Generate a CSR file (Certificate Request) and the private key file:

 

openssl req -new -nodes -keyout skey.pem -out public.csr -config .\openssl.conf

 

You will be prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you don't have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

 

2. You will have generated two files: the certificate request (public.csr), which carries your public key, and the private key (skey.pem). The private key must be kept secret: anyone who obtains it can impersonate your server, so make sure no other account on the machine can read it.

 

3. Submit the CSR file you created to a Certificate Authority (CA) such as Verisign.

 

The certificate request should look something like this:

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

 

To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you will also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.

 

4. Fill out the technical contact information and submit. You will receive your certificate via email.

 

5. Install the certificate in the ListManager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied into a file called server.pem.

 

6. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb\bin\certs directory.

 

7. Turn on the SSL option for the ListManager webserver. Open tclweb\bin\tclhttpd.rc in the ListManager directory with a plain text editor (such as Notepad or Wordpad) and edit the following line so that it reads:

 

Config USE_TLS1 1

 

By default this option is off (0).

 

8. Restart the webserver. If it is started from the command line, you should see output like this:

 

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
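A pre-flight check for the file layout that the Linux and Windows steps above produce, written here as an added example and not part of ListManager: it confirms that server.pem holds a signed certificate rather than the certificate request, that skey.pem is a private key readable only by its owner (this check is skipped on Windows), and that tclhttpd.rc contains the line "Config USE_TLS1 1". The directory and file names are the ones used in the steps; the sample install tree it builds is constructed with placeholder PEM bodies and is not usable by a real server.

```python
import os, re, stat, tempfile

# Hypothetical pre-flight check (not ListManager code) for tclweb/bin/certs and tclhttpd.rc.
TLS_LINE = re.compile(r"^\s*Config\s+USE_TLS1\s+(\d+)\s*$", re.M)

def read(path):
    """Contents of a text file, or "" if it does not exist."""
    return open(path).read() if os.path.isfile(path) else ""

def pem_labels(path):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE REQUEST']."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", read(path))

def check_ssl_setup(lm_dir):
    """Return a list of problems found (an empty list means the setup looks right)."""
    problems = []
    bin_dir = os.path.join(lm_dir, "tclweb", "bin")
    cert, key = (os.path.join(bin_dir, "certs", n) for n in ("server.pem", "skey.pem"))
    if "CERTIFICATE" not in pem_labels(cert):
        # Common slip: copying the CSR, not the signed certificate, into server.pem.
        problems.append("server.pem holds %s, not a CERTIFICATE" % pem_labels(cert))
    if not any("PRIVATE KEY" in l for l in pem_labels(key)):
        problems.append("skey.pem is missing or holds no private key")
    elif os.name == "posix" and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append("skey.pem is group/world readable; run chmod 600 skey.pem")
    m = TLS_LINE.search(read(os.path.join(bin_dir, "tclhttpd.rc")))
    if m is None or m.group(1) != "1":
        problems.append("tclhttpd.rc does not contain 'Config USE_TLS1 1'")
    return problems

def make_example(lm_dir, good):
    """Write a constructed, non-functional install tree (placeholder PEM bodies)."""
    certs = os.path.join(lm_dir, "tclweb", "bin", "certs")
    os.makedirs(certs)
    pem = "-----BEGIN %s-----\nAAAA(constructed)\n-----END %s-----\n"
    label = "CERTIFICATE" if good else "CERTIFICATE REQUEST"  # flawed tree: CSR copied
    with open(os.path.join(certs, "server.pem"), "w") as f:
        f.write(pem % (label, label))
    with open(os.path.join(certs, "skey.pem"), "w") as f:
        f.write(pem % ("RSA PRIVATE KEY", "RSA PRIVATE KEY"))
    os.chmod(os.path.join(certs, "skey.pem"), 0o600 if good else 0o644)
    with open(os.path.join(lm_dir, "tclweb", "bin", "tclhttpd.rc"), "w") as f:
        f.write("Config USE_TLS1 %d\n" % (1 if good else 0))

def demo():
    # Run the check on one correct and one flawed constructed tree.
    good, bad = tempfile.mkdtemp(), tempfile.mkdtemp()
    make_example(good, True)
    make_example(bad, False)
    return check_ssl_setup(good), check_ssl_setup(bad)
```

Point check_ssl_setup at your real ListManager directory to run it against an actual install.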

 

 

Installing SSL on Solaris

 

SSL requires a source of unpredictable data to work correctly. Many systems use the /dev/random and /dev/urandom devices for this purpose, and will not function correctly without them. If your system is missing these devices, you may see one of these error messages from your SSL software when generating a certificate request file:

 

     "unable to write 'random state'"

     "PRNG not seeded"

 

If you see one of those error messages on Solaris 8, a patch from Sun should fix the problem. Have your system administrator download and install patch number 112438. Note that installing this patch WILL REQUIRE A REBOOT. The following instructions describe the process for installing this patch:

 

1. Read the Documentation for Solaris Patch 112438

 

Use your web browser to read Sun's description for this patch. The web page address is:

 

http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fpatches%2F112438

 

Pay particular attention to any notes or warnings in that document that are relevant to your system.

 

2. Download Solaris Patch 112438

 

Click one of the links labeled "Download Patch" on that web page. Save the file in a directory of your choice on the computer to be patched, taking care not to overwrite any existing files. (The official file name at the time of this writing is "112438-01.zip", but nearly any file name will work as long as you remember it.)

 

3. Unzip the Patch Files

 

Use unzip to extract the contents of the file you downloaded. Assuming you saved it as "112438-01.zip" in the "/tmp" directory, running these commands in a terminal window should work:

 

     cd /tmp
     unzip 112438-01.zip

 

You will create a new directory (called "112438-01" or something similar) full of patch-related files.

 

4. Become Root

 

If you are not already logged in as the "root" user, you can become root with this command:

 

     su

 

5. Install the Patch

 

Use patchadd to install the patch. Assuming that you chose the example file and directory names used earlier, this command should work:

 

     patchadd /tmp/112438-01

 

Look out for any error messages.

 

6. Reboot the System

 

Use your usual method of rebooting the system. This command should work, allowing five minutes warning time for any logged in users:

 

     shutdown -g 300 -i 6 "Installing a system patch."

 

Once the system has rebooted, try generating a certificate request file. The error messages quoted earlier should not reappear.

 
