Adding SSL to the ListManager Web Server

 

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the traffic between a browser and your web server and let the browser verify that it is talking to your server and not an impostor. ListManager supports SSL 3 and TLS 1.

 

In order to use SSL with the Lyris ListManager web server, you need to generate a private key file, obtain a certificate for that key from a certificate authority, and enable SSL in the tclhttpd.rc file. The example we provide here for generating the SSL files uses OpenSSL (http://www.openssl.org), but a similar process can be done with tools from RSA (http://www.rsa.com). You will need to have OpenSSL installed and have an openssl (or openssl.exe) binary to follow this example.

 

We include (in the 'tclweb/bin/certs/' directory) the openssl program so that you do not need to obtain it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for Linux), downloaded for Solaris from Sunfreeware (http://www.sunfreeware.com) or obtained from Cygwin (http://www.cygwin.com).

 

SSL is a feature of ListManager Pro and Enterprise, and is unavailable for standard ListManager. Contact your account representative at sales@lyris.com if you'd like to upgrade to ListManager Pro or Enterprise.

 

Please note: These examples are for illustrative purposes only. If you need extra assistance please contact sales@lyris.com to learn about our professional services.

 

SSL Installation Information: 

Adding SSL for Windows

Adding SSL for Linux and Solaris

Installing SSL on Solaris

Installing an Intermediate Root Certificate

 

Adding SSL for Windows

1. Open a command prompt, and then change the directory to ...tclweb/bin/certs/.

 

2. Generate a CSR file (Certificate Signing Request) and the private key file

     NOTE This should all be on the same line:



openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf



You will be prompted for information about your organization: country, state, locality, organization name and, most importantly, the Common Name, which must be exactly the host name users will type into their browsers. The -nodes option writes the private key without a passphrase so that the web server can start unattended; if you are asked for "A challenge password", that is an optional attribute of the request, not a key passphrase, and may be left blank. If you wish, you can edit the configuration file passed with -config (openssl.conf here) to provide default information for your organization, so you don't have to type it each time you create a certificate request. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

 

3. You will have generated two files: the certificate request (public.csr), which contains your public key and organization details and is what you send to the CA, and the private key (skey.pem). The private key is the secret: keep it readable only by the account that runs the ListManager web server, and never send it to the CA or by email. The request itself contains nothing secret.

 

4. Submit the CSR file you created to a Certificate Authority (CA) such as Verisign.

 

The certificate request should look something like

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

 

To test SSL before buying a certificate, you can request a temporary (15 day) trial certificate from Verisign by looking for the free SSL Trial ID offer. Because the trial certificate is signed by Verisign's test CA rather than a production root, browsers will not trust it until you install the "Test CA Root" certificate into the trusted root store of each browser you plan to test with.

 

5. Fill out the technical contact information and submit. You will receive your certificate via email.

 

6. Install the certificate in the ListManager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied, exactly as received and including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file called server.pem.

 

7. Copy the server.pem and skey.pem (from step 2 above) to the ListManager tclweb\bin\certs directory.

 

8. Turn on the SSL option for the ListManager webserver. Open tclweb\bin\tclhttpd.rc in the ListManager directory with a plain text editor (such as Notepad or WordPad) and edit the following lines to be as follows:



Config USE_TLS1 1
Config USE_SSL2 1
Config USE_SSL3 1



By default these options are off (0). USE_TLS1 is the one you need: SSL 2 (USE_SSL2) is prohibited by RFC 6176 and SSL 3 (USE_SSL3) is deprecated by RFC 7568, and current browsers refuse both, so leave those two at 0 unless a client you must support cannot speak TLS 1.

 

9. Optionally restrict the SSL ciphers the server will offer by filling in the Config SSL_CIPHERS setting, which is shipped empty:



Config SSL_CIPHERS { }



NOTE OpenSSL provides the SSL support for TclHttpd. The value inside the braces is handed to OpenSSL unchanged, so it takes a cipher string of the same form expected by OpenSSL's "ciphers" command, and you can preview exactly which ciphers a string selects with:



openssl ciphers [-v] [-V] [-ssl2] [-ssl3] [-tls1] [cipherlist]



Note that multiple ciphers (or cipher aliases) are listed with ":" (colon) between each name, for example:



Config SSL_CIPHERS {ALL:eNULL}

Config SSL_CIPHERS {3DES:+RSA}



These two strings only illustrate the syntax. Do not deploy ALL:eNULL: the eNULL alias adds the "null" ciphers, which authenticate the connection but do not encrypt it. You can learn more about cipher strings in the OpenSSL ciphers(1) manual page at http://www.openssl.org.

 

10. Restart the webserver. You should see output like this (if started from the command line).

 

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
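The following added example, which is not part of ListManager or of this page, does steps 8 and 9 (and step 7 of the Linux and Solaris procedure) with a script instead of by hand: it takes a tclhttpd.rc containing the settings exactly as shown above, turns USE_SSL2 and USE_SSL3 off, keeps USE_TLS1 on, replaces the ALL:eNULL cipher string, and asks openssl ciphers what a string really selects, so the cipher list is checked before the server ever loads it. It is POSIX shell, so on Windows run it from Cygwin (one of the OpenSSL sources this page lists). The sample rc contents, the STRONG_CIPHERS string and the function names are this example's own choices; it assumes an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example; not part of ListManager or TclHttpd. Assumes an `openssl` on
# PATH and a tclhttpd.rc made of "Config NAME VALUE" lines as the page shows.
set -eu

# The settings as the page shows them: every protocol on, and the ALL:eNULL
# syntax example used as a real cipher list. Constructed sample, not a real file.
WEAK_RC='Config USE_TLS1 1
Config USE_SSL2 1
Config USE_SSL3 1
Config SSL_CIPHERS {ALL:eNULL}'

# Strong suites only: no anonymous (aNULL) or unencrypted (eNULL) ones, and
# none built on MD5, RC4 or 3DES. Every alias here exists back to OpenSSL 0.9.7.
STRONG_CIPHERS='HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES'

rc_get() {
    # $1 = rc file, $2 = option name. Prints the value of the last matching line.
    sed -n "s/^Config[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | tail -n 1
}

rc_set() {
    # $1 = rc file, $2 = option name, $3 = value. Rewrites the existing line or
    # appends one. Edits through a temp file, which is POSIX sed (no GNU -i).
    f=$1; name=$2; value=$3
    if grep -q "^Config[[:space:]][[:space:]]*$name[[:space:]]" "$f"; then
        sed "s|^Config[[:space:]][[:space:]]*$name[[:space:]].*|Config $name $value|" "$f" > "$f.tmp"
    else
        { cat "$f"; printf 'Config %s %s\n' "$name" "$value"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

harden_rc() {
    # Keep a backup first (the page's intermediate-certificate steps advise the
    # same), then turn off SSL 2 and SSL 3, keep TLS 1, and set a real cipher list.
    [ -f "$1.bak" ] || cp "$1" "$1.bak"
    rc_set "$1" USE_SSL2 0
    rc_set "$1" USE_SSL3 0
    rc_set "$1" USE_TLS1 1
    rc_set "$1" SSL_CIPHERS "{$STRONG_CIPHERS}"
}

cipher_list_expands() {
    # OpenSSL is the authority on what a cipher string means, so ask it. A
    # string that matches nothing exits non-zero ("Error in cipher list").
    openssl ciphers "$1" >/dev/null 2>&1
}

weak_ciphers_in() {
    # Print each suite in the expansion that offers no encryption (NULL), no
    # authentication (ADH/AECDH), or a broken primitive (EXP, RC4, MD5, DES).
    # Empty output means the list is clean. The || true keeps set -e quiet
    # when grep finds nothing.
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' \
        | grep -E 'NULL|^ADH|^AECDH|EXP|RC4|MD5|DES' || true
}
```

Run harden_rc on a copy of tclhttpd.rc first and diff it against the original; after restarting the web server, confirm with openssl s_client -connect yourhost:443 that the handshake succeeds and that the negotiated suite is one from your list.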

 

Adding SSL for Linux and Solaris

1. Generate a CSR file (Certificate Signing Request) and the private key file:



openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf



You will be prompted for information about your organization: country, state, locality, organization name and, most importantly, the Common Name, which must be exactly the host name users will type into their browsers. The -nodes option writes the private key without a passphrase so that the web server can start unattended; if you are asked for "A challenge password", that is an optional attribute of the request, not a key passphrase, and may be left blank. If you wish, you can edit the configuration file passed with -config (openssl.conf here) to provide default information for your organization, so you don't have to type it each time you create a certificate request. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

 

2. You will have generated two files: the certificate request (public.csr), which contains your public key and organization details and is what you send to the CA, and the private key (skey.pem). The private key is the secret: it should be owned by the account that runs the ListManager web server and readable by nobody else, and it must never be sent to the CA or by email. To set the file permissions appropriately, run:

 

chmod 600 skey.pem

 

3. Submit the CSR file you created to a Certificate Authority (CA) such as Verisign.

 

The certificate request should look something like

-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

More letters and numbers....

-----END CERTIFICATE REQUEST-----

 

To test SSL before buying a certificate, you can request a temporary (15 day) trial certificate from Verisign by looking for the free SSL Trial ID offer. Because the trial certificate is signed by Verisign's test CA rather than a production root, browsers will not trust it until you install the "Test CA Root" certificate into the trusted root store of each browser you plan to test with.

 

4. Fill out the technical contact information and submit. You will receive your certificate via email.

 

5. Install the certificate in the ListManager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied, exactly as received and including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file called server.pem.

 

6. Copy the server.pem and skey.pem (from step 1 above) to the ListManager tclweb/bin/certs directory.

 

7. Turn on the SSL option for the ListManager webserver. Open tclweb/bin/tclhttpd.rc in the ListManager directory with a plain text editor (such as emacs or vim) and edit the following lines to be as follows:



Config USE_TLS1 1
Config USE_SSL2 1
Config USE_SSL3 1



By default these options are off (0). USE_TLS1 is the one you need: SSL 2 (USE_SSL2) is prohibited by RFC 6176 and SSL 3 (USE_SSL3) is deprecated by RFC 7568, and current browsers refuse both, so leave those two at 0 unless a client you must support cannot speak TLS 1.

 

8. Restart the webserver. You should see output like this (if started from the command line).

 

ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
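As an added example (not from this page or from Lyris), here are steps 1 through 6 of both the Windows and the Linux/Solaris procedure scripted together with the checks worth running before the files go into tclweb/bin/certs: the request is generated without prompts via -subj, the key is never world-readable for even a moment, the request's self-signature and Common Name are checked, and the certificate is checked against the key and against its validity period. Because no CA is reachable offline, the script signs the request with its own key as a stand-in for the server.pem a CA returns; that part is for testing only and browsers will warn about it. File names follow the page; the organization details, the host names and the minimal openssl.conf the script writes (rather than the one shipped in tclweb/bin/certs) are the example's own, and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not part of ListManager. Assumes an `openssl` binary on PATH.
# File names follow the page: skey.pem (private key), public.csr (request),
# server.pem (certificate). The openssl.conf written here is a minimal stand-in.
set -eu

make_key_and_csr() {
    # $1 = directory for the files, $2 = host name for the Common Name.
    # -nodes writes the key unencrypted so tclhttpd can start unattended, so
    # the umask 077 subshell makes sure the key file is never world-readable.
    dir=$1; host=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$dir/openssl.conf"
    (umask 077 && openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/skey.pem" -out "$dir/public.csr" \
        -subj "/C=US/O=Example Lists Inc/CN=$host" \
        -config "$dir/openssl.conf" >/dev/null 2>&1)
    chmod 600 "$dir/skey.pem"
    # The CSR carries a self-signature made with the new key; -verify checks it,
    # which catches a truncated or hand-edited file before it reaches the CA.
    openssl req -in "$dir/public.csr" -noout -verify >/dev/null 2>&1
}

csr_common_name() {
    # Print "CN=<host>" from the request, whichever OpenSSL subject format
    # ("/C=US/..." on old releases, "C = US, ..." on new ones) is in use.
    openssl req -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= */CN=/'
}

key_is_private() {
    # "Protected from the outside world": owner read/write only. ls output is
    # portable where stat's option letters are not.
    case $(ls -l "$1") in -rw-------*) return 0 ;; *) return 1 ;; esac
}

self_signed_stand_in() {
    # TEST ONLY: sign the request with our own key, valid 15 days like the
    # trial certificate the page mentions. In production server.pem is the
    # file the CA returns, and this step is skipped.
    openssl x509 -req -in "$1/public.csr" -signkey "$1/skey.pem" -days 15 \
        -out "$1/server.pem" >/dev/null 2>&1
}

key_matches_cert() {
    # $1 = private key, $2 = certificate. server.pem must hold the public half
    # of skey.pem; the RSA modulus is unique per key pair and this comparison
    # works on every OpenSSL release, 0.9.7 included.
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_currently_valid() {
    # Exit 0 while now is inside the certificate's notBefore/notAfter window.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
```

Once the CA's server.pem is in place, run key_matches_cert and cert_currently_valid on the real files before restarting tclhttpd: a key/certificate mismatch otherwise only shows up when the server starts or when the first client connects.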
 

 

Installing SSL on Solaris

Generating a private key (and every SSL connection after that) requires a source of unpredictable data. Many systems use the /dev/random and /dev/urandom devices for this purpose, and will not function correctly without them. If your system is missing these devices, you may see one of these error messages from your SSL software when generating a certificate request file:

 

     "unable to write 'random state'"

     "PRNG not seeded"

 

If you see one of those error messages on Solaris 8, a patch from Sun should fix the problem. Have your system administrator download and install patch number 112438. Note that installing this patch WILL REQUIRE A REBOOT. The following instructions describe the process for installing this patch:

 

1. Read the Documentation for Solaris Patch 112438

 

Use your web browser to read Sun's description for this patch. The web page address is:

 

http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fpatches%2F112438

 

Pay particular attention to any notes or warnings in that document that are relevant to your system.

 

2. Download Solaris Patch 112438

 

Click one of the links labeled "Download Patch" on that web page. Save the file in a directory of your choice on the computer to be patched, taking care not to overwrite any existing files. (The official file name at the time of this writing is "112438-01.zip", but nearly any file name will work as long as you remember it.)

 

3. Unzip the Patch Files

 

Use unzip to extract the contents of the file you downloaded. Assuming you saved it as "112438-01.zip" in the "/tmp" directory, running these commands in a terminal window should work:

 

     cd /tmp
     unzip 112438-01.zip

 

You will create a new directory (called "112438-01" or something similar) full of patch-related files.

 

4. Become Root

 

If you are not already logged in as the "root" user, you can become root with this command:

 

     su

 

5. Install the Patch

 

Use patchadd to install the patch. Assuming that you chose the example file and directory names used earlier, this command should work:

 

     patchadd /tmp/112438-01

 

Look out for any error messages.

 

6. Reboot the System

 

Use your usual method of rebooting the system. This command should work, allowing five minutes warning time for any logged in users:

 

     shutdown -g 300 -i 6 "Installing a system patch."

 

Once the system has rebooted, try generating a certificate request file. The error messages quoted earlier should not reappear.
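As an added check that is not part of the page, this POSIX shell snippet tests the two conditions the section describes: that the random devices exist and really are devices, and that OpenSSL can draw random bytes from them. Run it before the patch to confirm the diagnosis and again after the reboot. It assumes openssl on the PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ListManager. Pre-flight check for the PRNG
# problem described in the Solaris section. Assumes `openssl` on PATH.
set -eu

random_devices_present() {
    # Both devices must exist and be character devices; a regular file named
    # /dev/random (left behind by a bad restore, say) would fail this test.
    [ -c /dev/random ] && [ -c /dev/urandom ]
}

openssl_prng_works() {
    # Ask OpenSSL for 32 random bytes (64 hex digits). The "PRNG not seeded"
    # failure from the page shows up here as a non-zero exit and empty output.
    out=$(openssl rand -hex 32 2>/dev/null) || return 1
    [ "${#out}" -eq 64 ]
}

prng_ready() {
    # Combined check to run before step 1 of the certificate procedure and
    # again after the patch and reboot.
    random_devices_present && openssl_prng_works
}
```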

 

Installing an Intermediate Root Certificate

When your certificate was issued by an intermediate CA (Verisign, for example, issues from one), a browser needs that intermediate certificate as well as your own to build the chain up to a root it trusts. If the server does not send it, you may get an error indicating that the certificate is not yet valid, or has expired, when it clearly is in the correct date range. Here is how you solve that problem with Verisign:

 

1.   Cd to tclweb/bin (underneath the directory where you installed ListManager)

2.   Make a backup copy of the file tclhttpd.rc.

3.   Open tclhttpd.rc with a plain text editor.

4.   Replace
 

Config SSL_CAFILE       ""

 

with

 

Config SSL_CAFILE       [file join [Config SSL_CADIR] intermediate.crt]

 

5.   Save tclhttpd.rc.

6.   In the "certs" directory (underneath "bin"), create a file "intermediate.crt" and add this to it (including the CERTIFICATE header and footer lines). It was obtained from https://www.verisign.com/support/site/caReplacement.html. Note that this particular certificate's validity period ends on 24 October 2011 (the notAfter date encoded in it), so for a current installation paste in the intermediate certificate your CA supplies with your server certificate instead:

-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
-----END CERTIFICATE-----

7. Restart the ListManager tclhttpd web server.
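The following added example (not from this page, Lyris or VeriSign) shows why the intermediate matters and which checks to run on your real files. Because it has to run offline it first builds a throw-away chain (a made-up root CA, an intermediate signed by it, and a server certificate signed by the intermediate; names such as "Test Root CA" are invented for the test); it then verifies the server certificate with and without the intermediate, and confirms that the intermediate really is the issuer of the server certificate. Against a real installation, run chain_links and verifies_with_intermediate on your own server.pem and intermediate.crt, with your CA's root certificate as the trusted file. It assumes openssl on the PATH; the extension config it writes and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ListManager or VeriSign. Builds a test chain so
# the checks can run offline; the CA names are made up. Assumes `openssl` on PATH.
set -eu

write_ext_config() {
    # Minimal OpenSSL config with extension sections for CA and server certs.
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

build_test_chain() {
    # $1 = work directory. Produces root.crt, intermediate.crt and server.pem
    # (signed by the intermediate), mirroring what a CA like VeriSign issues.
    d=$1; mkdir -p "$d"; write_ext_config "$d/ext.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Test Root CA" -days 30 -config "$d/ext.cnf" -extensions ca_ext >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" -out "$d/intermediate.csr" \
        -subj "/CN=Test Intermediate CA" -config "$d/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/intermediate.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/skey.pem" -out "$d/public.csr" \
        -subj "/CN=lists.example.com" -config "$d/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$d/public.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -days 30 -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/server.pem" >/dev/null 2>&1
}

chain_links() {
    # $1 = server certificate, $2 = intermediate. The server's Issuer must equal
    # the intermediate's Subject exactly; otherwise you downloaded the wrong
    # intermediate and no SSL_CAFILE setting will help.
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    s=$(openssl x509 -in "$2" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    [ -n "$i" ] && [ "$i" = "$s" ]
}

verifies_with_intermediate() {
    # $1 = trusted root, $2 = intermediate, $3 = server certificate. This is the
    # path a browser can build once the server sends the intermediate too.
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

verifies_without_intermediate() {
    # Same check with the intermediate withheld: the path cannot be built and
    # verification fails, which is the situation the page's error describes.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

If chain_links fails on your real files, the intermediate you downloaded is not the one that signed your certificate; obtain the one whose Subject matches your certificate's Issuer field rather than adjusting SSL_CAFILE.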

 

Note: ListManager 9.x uses OpenSSL 0.9.7. This version may give false positives under certain circumstances.
