Table of Contents
SSL Certificates
NetYCE can be setup to use SSL certificates when accessed using the browser (https). When https is enabled, the SSL protocol will also be used for the back-end communication between browser and the NetYCE API's and to access the REST API's (XCHapi and TMFapi).
Where the http protocol uses port 80, https will switch to port 443 forwarding any port 80 request to port 443.
The back-end API port will use port 8080 for http and https. Although the 8080 port number can be changed, the 8080 port will only serve http or https depending on SSL the configuration.
This http/https behaviour of port 8080 will soon be modified to support port 8080 for http and port 8443 for https.
The common procedure to install SSL certificates requires to first create a Certificate Signing Request (CSR) file which is then submitted to be signed by the Certificate Authority (CA). The resulting certificate (CRT) is installed on the server at the appropriate location. Once installed, the NetYCE configuration must then be updated to include the certificate and modify the used protocols.
To support this procedure, NetYCE includes cli tools to create the CSR and update the SSL configuration.
Create CSR
The mk_ssl_cert.pl
tool is used to create the CSR in a few steps. First the SSL configuration needs to be defined, then the host KEY and CSR files can be generated. A third step allows for the creation of a PEM file that some signing procedures require.
The KEY file represents the PRIVATE KEY of the host. It is used for the SSL encryption and must be unique for the server. Normally the KEY file is generated once and should never be deleted or shared insecurely. The KEY file is also used to generate the CSR on which the CRT will be based. Losing or re-generating the KEY file of a server will render the CRT useless.
The /opt/yce/system/mk_ssl_cert.pl
tool will prompt the user with a menu. Select option 1) to create or review the certificate configuration values.
$ mk_ssl_cert.pl ----------------------------------------------------- Actions: 1) generate CONF file (certificate settings) 2) generate CSR file (certificate signing request) 3) extend CSR into PEM and INFO files 4) generate CRT file (self-signed certificate) 5) extend CRT into PEM and INFO files q) quit Select action: [1]
The user is them prompted by some mandatory values. Most organizations will use some guidelines as to accepted values for these values. The responses will be stored in a ssl configuration file which will be used as defaults for later sessions: /opt/yce/etc/ssl_cert.conf
A sample session:
Select action: [1] Please enter appropriate values for the certificate. (blank values will be ignored) C - Country Name (2 letter code) [NL] ST - State or Province Name [Weesp] Hoord-Holland emailAddress - Email address [[email protected]] OU - Organizational Unit (eg section) [development] CN - Common Name (fqdn) [genesis.netyce.org] O - Organization Name [NetYCE] L - Locality Name (eg city) [Weesp] -> created CONF file: /opt/yce/etc/ssl_cert.conf -----------------------------------------------------
To create the CSR, select option 2). If a KEY file for the server name was found (in the directory /opt/yce/etc) a warning issued not to overwrite it.
Select action: [1] 2 Creating CSR -> have KEY file: /opt/yce/etc/genesis.netyce.org.key WARNING: a KEY file already exists - overwriting will obsolete existing certificates! Use existing KEY file? [Y]
If no KEY was found it will be created.
Use existing KEY file? [Y] y /usr/bin/openssl req -out /opt/yce/etc/genesis.netyce.org.csr -key /opt/yce/etc/genesis.netyce.org.key -new -config /opt/yce/etc/ssl_cert.conf Set permissions chmod 400 /opt/yce/etc/genesis.netyce.org.key /opt/yce/etc/genesis.netyce.org.csr Below is the Certificate Signing Request (CSR) to submit to the Certificate Authority (CA): Make sure the '-----BEGIN/END CERTIFICATE REQUEST-----' lines are included. It can also be copied from '/opt/yce/etc/genesis.netyce.org.csr'. -----BEGIN CERTIFICATE REQUEST----- MIIDdDCCAlwCAQAwgZUxCzAJBgNVBAYTAk5MMSAwHgYDVQQDDBdkZXZlbDdhLmxl ZnQubmV0eWNlLm9yZzEOMAwGA1UEBwwFV2Vlc3AxDzANBgNVBAoMBk5ldFlDRTEU ...... TX8swZ8/LkM6fbVeYOA6BMpIGT2RawRaoHjHydIc4vFLZx3W64ObmYA22RVRcwUm FaAYE3znKD4qW+d76RikvjbKElNnZ+Mc1+yv5HVwUEH1lRIN2QV5h7FuM4FIJWh+ pr7D8JMviQvHOgcZOIRtunlLBzUIIlFA -----END CERTIFICATE REQUEST----- -> used KEY file: /opt/yce/etc/genesis.netyce.org.key -> created CSR file: /opt/yce/etc/genesis.netyce.org.csr -----------------------------------------------------
Because signing by the CA requires the CSR and de KEY this is often combined in a PEM file. This file can be created using option 3).
Select action: [3] 3 Creating PEM Generating PEM from CSR /usr/bin/openssl req -in /opt/yce/etc/genesis.netyce.org.csr -noout -text > /opt/yce/etc/genesis.netyce.org.info cat /opt/yce/etc/genesis.netyce.org.csr /opt/yce/etc/genesis.netyce.org.key > /opt/yce/etc/genesis.netyce.org.pem Set permissions chmod 400 /opt/yce/etc/genesis.netyce.org.info /opt/yce/etc/genesis.netyce.org.pem -> created INF file: /opt/yce/etc/genesis.netyce.org.info -> created PEM file: /opt/yce/etc/genesis.netyce.org.pem -----------------------------------------------------
Copy the content of the KEY, PEM and CSR files and submit as appropriate them for signing by the CA.
ssl_cert.conf
The generated CSR will include the now often required Subject Alternative Name (SAN) attributes. The /opt/yce/etc/ssl_cert.conf
reflects this:
$ cat ssl_cert.conf [req] default_bits = 2048 distinguished_name = req_dn prompt = no req_extensions = req_ext [req_dn] C = NL CN = genesis.netyce.org L = Weesp O = NetYCE OU = development ST = Weesp emailAddress = [email protected] [req_ext] basicConstraints = CA:FALSE extendedKeyUsage = serverAuth, clientAuth keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = genesis.netyce.org
It can be modified to include additional names/domains and ip-addresses like the example below:
[alt_names] DNS.1 = genesis.netyce.org DNS.2 = netyce.org IP.1 = 172.17.0.24 IP.2 = 2003::24
Install CRT
Assuming the signed certificate was returned in CRT format (using .crt
or .cer
extensions), the file must be installed in the correct directory using the correct file names and activated.
If a PFX format was returned, see below for the extraction.
NetYCE expects the two SSL files in the directory /opt/yce/etc
. They should be named after the full qualified name of the server using the extensions .key
and .crt
respectively.
As these files are highly private limited file permissions must be enforced.
cd /opt/yce/etc sudo chown yce.nms genesis.netyce.org.key sudo chown yce.nms genesis.netyce.org.crt chmod 0400 genesis.netyce.org.key chmod 0400 genesis.netyce.org.crt
PFX file extraction
Some signing authorities do not return a CRT (or CER) file but a PFX file. In that case the CRT file must be extracted from the FPX file.
openssl pkcs12 -in genesis.netyce.org.pfx -clcerts -nokeys -out genesis.netyce.org.crt
The PFX file can also provide KEY file. But if this is the same that was used to create the CSR there is no need. If that was not the case (like a CRT for an entire domain), the KEY must be extracted in two steps and requires a decryption and encryption passphrase.
The CRT and KEY files obtained this way can be installed as described above
-- extract the key in encrypted form. -- It first prompts for the decryption passphrase, -- then twice for a new encryption passphrase openssl pkcs12 -in netyce.org.pfx -nocerts -out netyce.org.encrypted.key -- now extract the unencrypted KEY file -- it will prompt for the new passphrase openssl rsa -in netyce.org.encrypted.key -out genesis.netyce.org.key
Activating SSL certificate
The SSL certificate will be used by the web service (apache) and the back-end service (mojo). The NetYCE setup tool yce_setup.pl
will be used to configure these services to enable SSL.
If the certificate only replaces an existing SSL CRT, the NetYCE application only needs to be restarted to have it activated. The yce_setup step can then be skipped.
To configure the local NetYCE server for SSL, start yce_setup.pl
and continue to the “Yce server roles” section. Select the local server and answer each prompt. Answer 'yes' to the enable SSL prompt. Choose the SSL-hardening setting as per preference.
YCE servers currently in setup: 1) genesis.netyce.org (*) | IPv4-address | IPv6-address | 172.17.0.24 | 3001::24 local server is marked with (*) Select the server-number to Edit/Remove, or 'A' to add, 'C' to continue: [C] YCE server roles: 1) genesis.netyce.org (*) | Front-end | SSL | URL | Backend | yes | http | name | 8080 | Database | Db-id | yes | 1 local server is marked with (*) Select the server-number to change, 'C' to continue: [1] 'genesis' is (also) a Front-end server? [yes] 'genesis' is DNS resolvable (y/n)? [yes] 'genesis' uses SSL (y/n)? [no] ? The use of SSL or 'secure-socket-layer' is highly recommended for production systems. It requires the generation and signing of a server-certificate by the CA (certificate- authority) of your company. More information on the generation of a SSL certificate on NetYCE servers is located at: 'https://wiki.netyce.com/doku.php/maintenance:general:tools:mk_ssl_cert.pl' 'genesis' uses SSL (y/n)? [no] y 'genesis' uses SSL-hardening (y/n)? [no] ? SSL can be setup to accept older (weaker) levels of TLS (transport-layer-security) as well as the newer (hardened) level of TLS1.2. When selecting 'SLL-hardening' the http server will only accept connections supporting TLS1.2 and reject older levels. 'genesis' uses SSL-hardening (y/n)? [no] y 'genesis' portnumber of backend server? [8080] 'genesis' is (also) a Database server? [yes] 'genesis' uses database-id value (1/2)? [1]
Service restart
use the commands go restart httpd -f
and go restart mojo -f
to restart these services. The -f
option is used to force the restart instead of the standard hot-deploy.
$ go restart httpd -f -- restarting Daemon 'httpd' httpd: 1022 11920 11923 11924 11925 stop: /usr/bin/sudo /usr/bin/systemctl stop httpd.service wait stop 'httpd': start: /usr/bin/sudo /usr/bin/systemctl start httpd.service wait start 'httpd': 12272 12273 12274 12275 12276 done $ go restart mojo -f -- restarting Daemon 'mojo' mojo: 11990 12058 12059 12060 12061 12062 12063 stop: /opt/yce/system/init/yce_mojo stop wait stop 'mojo': start: /opt/yce/system/init/yce_mojo start wait start 'mojo': 12161 12162 12163 12164 12165 12166 12167 done