7015079: Using the Novell Service Desk appliance with SSL

Step 1: NSD 6.5 Appliance



If you are using the Novell Service Desk 6.5 Appliance, the Apache configuration has to be changed before proceeding. If you have a later version of the Novell Service Desk Appliance, skip this section and proceed directly to Step 2.

ssh into the appliance and log in as root.

[root]# cd /etc/apache2/conf.d

[root]# mv nsd.conf nsd-conf.old

Launch a text editor to create a new configuration file.

[root]# vi nsd.conf

Enter the following into this file

<IfModule mod_jk.c>
    JkWorkersFile "/usr/share/tomcat6/conf/worker.properties"
    JkLogFile     "/var/log/apache2/mod_jk.log"
    JkShmFile     "/var/log/apache2/jk-runtime-status"
    # debug is useful while setting up; drop to info or error afterwards
    JkLogLevel    debug
</IfModule>

Save the file by pressing ESC and then typing :wq

Now create a new virtual host for Novell Service Desk.

[root]# cd /etc/apache2/vhosts.d

[root]# vi nsd-vhost.conf

Enter the following into this file

# Novell Service Desk virtualhost apache2 configuration file
#
# Version 1.1 by Jon Giffard
#
<VirtualHost *:80>
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error

    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        #RewriteLog /var/log/apache2/rewrite.log
        #RewriteLogLevel 2
        # everything else is handled by our application
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>

    # FollowSymLinks only; adding Indexes here would enable directory listings
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <FilesMatch "\.(?i:gif|jpe?g|png|js)$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>

Save the file by pressing ESC and then typing :wq

Restart Apache so that it picks up the configuration changes.

[root]# rcapache2 restart

If all is OK, Novell Service Desk will be available over http and we can start the SSL configuration process.

Step 2: Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server you need a private key and a certificate for the server. For intranet or special-purpose uses like this you can be your own CA.

Here we make a private CA key and a self-signed CA X.509 certificate, in a directory created for the certs and keys. During creation of the certificate you will be asked a series of questions (shown below in the example). Take some time to consider how you will respond, as changing these later is awkward. You will also be asked for a pass phrase that protects the CA key. Make sure that you remember it. The CA key is the root of trust for every certificate you sign with it: keep it readable by root only, and back it up offline, because anyone who obtains it can issue certificates that your browsers will accept once they trust nsd-ca.crt.

ssh into the appliance and log in as root.

[root]# mkdir /root/CA

[root]# chmod 0700 /root/CA

[root]# cd /root/CA

[root]# openssl genrsa -des3 -out nsd-ca.key 2048

Generating RSA private key, 2048 bit long modulus
.........+++
..+++
e is 65537 (0x10001)
Enter pass phrase for nsd-ca.key:
Verifying - Enter pass phrase for nsd-ca.key:

[root]# openssl req -new -x509 -sha256 -days 3650 -key nsd-ca.key -out nsd-ca.crt

Enter pass phrase for nsd-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

You will probably also want to back up the CA cert and key and lock the copies away somewhere safe. View the newly created certificate with:

[root]# openssl x509 -in nsd-ca.crt -text -noout

Step 3: Make a key and a certificate for the webserver:

Now we make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we create a key and a certificate signing request (CSR), then sign the request with the CA key we made in Step 2 (you can make keys and certificates for multiple web servers this way). Use a 2048-bit key: the old advice that web server keys had to be 512 or 1024 bits is obsolete, 1024-bit RSA has been deprecated as too weak since 2013, and 2048 bits is the accepted minimum today. A pass phrase will be required.

[root]# openssl genrsa -des3 -out nsd-server.key 2048

Generating RSA private key, 2048 bit long modulus
...............................................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for nsd-server.key:
Verifying - Enter pass phrase for nsd-server.key:

IMPORTANT: when asked for Common Name (eg, YOUR name) []: in the step below, enter the fully qualified domain name (FQDN) of the Novell Service Desk appliance, exactly as users will type it into their browsers. Do not enter anything for the challenge password. Be aware that current browsers match the hostname against the certificate's subjectAltName extension rather than the Common Name, so a certificate that carries the FQDN only in its CN will still draw a hostname mismatch warning in them; the request below does not add that extension, so it has to be supplied when the request is signed (openssl x509 accepts it through -extfile, from a file containing a subjectAltName=DNS:<fqdn> line).

[root]# openssl req -new -key nsd-server.key -out nsd-server.csr

Enter pass phrase for nsd-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now use the CA we created in Step 2 to sign the request. Sign with SHA-256; SHA-1 certificate signatures have been deprecated by browsers since 2017.

[root]# openssl x509 -req -in nsd-server.csr -out nsd-server.crt -sha256 -CA nsd-ca.crt -CAkey nsd-ca.key -CAcreateserial -days 3650

Take the pass phrase off the key, or you will have to type it every time Apache starts, and Apache only waits a few seconds before giving up. The resulting key is unencrypted, so it must stay readable by root only.

[root]# openssl rsa -in nsd-server.key -out nsd-server-npp.key

Enter pass phrase for nsd-server.key:
writing RSA key
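The whole of Steps 2 and 3 as one script, as an added example that is not part of the original TID or of Novell's appliance: it drives openssl non-interactively (-subj and -passout in place of the prompts shown above), uses 2048-bit keys and SHA-256 throughout, gives the CA certificate explicit CA extensions, puts the appliance FQDN into a subjectAltName extension as current browsers require, strips the pass phrase from the server key exactly as above, and then verifies the chain, the SAN and the key/certificate match before anything is copied under /etc/apache2. The FQDN nsd.example.com, the working directory (a mktemp directory by default rather than /root/CA) and the demo pass phrases are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the original TID): Steps 2 and 3 run
# non-interactively, with the hostname in subjectAltName, 2048-bit RSA
# keys and SHA-256 signatures, plus a verification pass. NSD_FQDN,
# WORKDIR and the pass phrases below are assumptions for the demo.
set -eu

NSD_FQDN="${NSD_FQDN:-nsd.example.com}"
CA_PASS="${CA_PASS:-demo-ca-pass-phrase}"        # demo value only
SRV_PASS="${SRV_PASS:-demo-server-pass-phrase}"  # demo value only

# make_ca DIR: pass-phrase-protected CA key and a self-signed CA cert
# with an explicit CA:TRUE basicConstraints, so chain validation does
# not depend on whatever openssl.cnf happens to be installed.
make_ca() {
    dir="$1"
    ( umask 077
      openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/nsd-ca.key" 2048 2>/dev/null
      openssl req -new -key "$dir/nsd-ca.key" -passin "pass:$CA_PASS" \
          -subj "/C=AU/O=Example Org/OU=NSD Private CA/CN=NSD Private CA" \
          -out "$dir/nsd-ca.csr"
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
          > "$dir/ca-ext.cnf"
      openssl x509 -req -sha256 -days 3650 -in "$dir/nsd-ca.csr" \
          -signkey "$dir/nsd-ca.key" -passin "pass:$CA_PASS" \
          -extfile "$dir/ca-ext.cnf" -out "$dir/nsd-ca.crt" 2>/dev/null )
}

# make_server_cert DIR FQDN: server key, CSR, CA-signed certificate with
# the FQDN as a SAN, and a pass-phrase-free key copy for Apache (0600).
make_server_cert() {
    dir="$1"; fqdn="$2"
    ( umask 077
      openssl genrsa -des3 -passout "pass:$SRV_PASS" -out "$dir/nsd-server.key" 2048 2>/dev/null
      openssl req -new -key "$dir/nsd-server.key" -passin "pass:$SRV_PASS" \
          -subj "/C=AU/O=Example Org/CN=$fqdn" -out "$dir/nsd-server.csr"
      # browsers match the hostname against SAN entries, not the CN
      printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
          "$fqdn" > "$dir/server-ext.cnf"
      openssl x509 -req -sha256 -days 3650 -in "$dir/nsd-server.csr" \
          -CA "$dir/nsd-ca.crt" -CAkey "$dir/nsd-ca.key" -passin "pass:$CA_PASS" \
          -CAcreateserial -extfile "$dir/server-ext.cnf" -out "$dir/nsd-server.crt" 2>/dev/null
      # the TID's "take out the pass phrase" step; keep the result root-only
      openssl rsa -in "$dir/nsd-server.key" -passin "pass:$SRV_PASS" \
          -out "$dir/nsd-server-npp.key" 2>/dev/null
      chmod 0600 "$dir/nsd-server-npp.key" )
}

# verify_chain DIR FQDN: 0 only if the server cert chains to the CA,
# names FQDN in subjectAltName, and matches the pass-phrase-free key.
verify_chain() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/nsd-ca.crt" "$dir/nsd-server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/nsd-server.crt" -noout -text | grep -Eq "DNS:$fqdn(,|$)" || return 1
    [ "$(openssl x509 -in "$dir/nsd-server.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/nsd-server-npp.key" -noout -modulus 2>/dev/null)" ]
}

WORKDIR="${WORKDIR:-$(mktemp -d)}"
make_ca "$WORKDIR"
make_server_cert "$WORKDIR" "$NSD_FQDN"
verify_chain "$WORKDIR" "$NSD_FQDN" && echo "verified: $WORKDIR/nsd-server.crt for $NSD_FQDN"
```

Run it as root on the appliance with NSD_FQDN set to the real hostname and WORKDIR=/root/CA, then copy nsd-ca.crt, nsd-server.crt and nsd-server-npp.key into /etc/apache2 as in Step 4. The verification step is the part worth keeping even if you prefer the interactive commands above: a certificate that passes openssl verify against nsd-ca.crt, lists the FQDN as a SAN and shares its modulus with the key in /etc/apache2/ssl.key is one Apache will load and browsers that trust the CA will accept without a warning.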

Step 4: Configure Apache for SSL connection

Move the new key and certificates into the proper directories in the /etc/apache2 hierarchy. The unencrypted key must be readable by root only (mode 0600); the certificates can be world-readable.

[root]# cp nsd-server.crt /etc/apache2/ssl.crt/nsd-ssl.crt

[root]# cp nsd-server-npp.key /etc/apache2/ssl.key/nsd-ssl.key

[root]# cp nsd-ca.crt /etc/apache2/ssl.crt/nsd-ca.crt

Launch your text editor to create a virtual host configuration file.

[root]# cd /etc/apache2/vhosts.d

[root]# vi nsd-ssl-vhost.conf

Paste the following into the file:

<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
    # Setup SSL for this virtual host
    SSLEngine on

    # Protocols and ciphers. The stock Apache cipher string
    # ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # enables SSLv2, export-grade and LOW ciphers and eNULL (no encryption
    # at all); do not use it.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4

    SSLCertificateFile      /etc/apache2/ssl.crt/nsd-ssl.crt
    SSLCertificateKeyFile   /etc/apache2/ssl.key/nsd-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLCACertificateFile    /etc/apache2/ssl.crt/nsd-ca.crt

    # Fix for IE browsers when using SSL with Apache
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # Custom logfile
    CustomLog /var/log/apache2/ssl_request_log ssl_combined

    # Apache sends incoming requests to Tomcat
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error

    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>

    # FollowSymLinks only; adding Indexes here would enable directory listings
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <FilesMatch "\.(?i:gif|jpe?g|png|js)$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>
</IfDefine>
</IfDefine>

Save the file by pressing ESC and then typing :wq

Apache needs a start-up flag to enable SSL. It is set in the Apache sysconfig file at /etc/sysconfig/apache2.

[root]# vi /etc/sysconfig/apache2

Scroll down this file until you find the line:

APACHE_SERVER_FLAGS=""

Change this to:

APACHE_SERVER_FLAGS="SSL"

Save the file by pressing ESC and then typing :wq

Now restart Apache so that it picks up the configuration changes and makes the new secure connection for Novell Service Desk available.

[root]# rcapache2 restart

Test that Apache is listening on the https port:

[root]# netstat -tna | grep 443

tcp        0      0 :::443                  :::*                    LISTEN

Point your browser at the Novell Service Desk appliance over https. Because the certificate was issued by our own CA, the browser will report an untrusted connection. It is fine to proceed past that warning for this test, and you should then see the Novell Service Desk login page. For day-to-day use, import nsd-ca.crt into the browser or operating-system trust store of the client machines rather than teaching users to click through certificate warnings: once the CA is trusted the warning disappears, and any warning that does appear then means something.

Step 5: Redirect http to https

Relying on people to type https into their browsers when they want a secure connection to Novell Service Desk is something we want to avoid: people forget, or simply don't bother, which negates the work done so far to secure communications. Apache can redirect people from http to https automatically whenever they connect to Novell Service Desk with their browser.

Back up the current configuration file in case you want to revert.

[root]# cd /etc/apache2/vhosts.d

[root]# mv nsd-vhost.conf nsd-vhost_conf.old

Launch a text editor to create a new virtual host configuration file.

[root]# vi nsd-vhost.conf

Paste the following into the file:

# Novell Service Desk virtualhost apache2 configuration file
#
# Redirects http to https
#
<VirtualHost *:80>
    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts. Note that with UseCanonicalName Off
    # the %{SERVER_NAME} used below comes from the client's Host header;
    # set ServerName and UseCanonicalName On to pin the redirect to the
    # appliance's own name instead.
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 1
        # everything else is handled by our application, over https.
        # R=301 makes the redirect permanent so browsers remember it.
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    </IfModule>

    # FollowSymLinks only; adding Indexes here would enable directory listings
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <FilesMatch "\.(?i:gif|jpe?g|png|js)$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>

Save the file by pressing ESC and then typing :wq

Restart Apache so that it picks up the configuration change.

[root]# rcapache2 restart

Launch your browser and enter http://<NSD Appliance IP> and you will be redirected to a secure connection automatically. Note that if you browse by IP address rather than by FQDN, the redirect goes to https://<IP> and the certificate (issued for the FQDN) will not match, so the browser will warn; use the FQDN.
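A small configuration audit for the two vhost files written in Steps 4 and 5, as an added example that is not part of the original TID or of Novell's appliance. It checks that the SSL vhost's cipher string enables no NULL, anonymous, export, LOW or RC4 suites and that SSLProtocol excludes SSLv2 and SSLv3, and that the port-80 vhost no longer mounts the application itself (a JkMount there, as in the Step 1 vhost, leaves Novell Service Desk reachable in clear) and redirects with a permanent 301. The four vhost fragments are constructed inline so the script runs offline: the weak cipher string is Apache's old default as used in many mod_ssl templates, the fixed one is the replacement used in Step 4; the file names under /etc/apache2/vhosts.d in the usage note are the TID's.

```shell
#!/bin/sh
# Added example (not from the original TID): audit the Step 4 SSL vhost
# and the Step 5 redirect vhost for the weaknesses discussed above.
# The sample vhost fragments written below are constructed for the demo.
set -eu

# directive FILE NAME: print the value of the first NAME directive in FILE
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# audit_ssl_vhost FILE: exit 0 only if the cipher string enables no
# NULL/anonymous/export/LOW/RC4/MD5 suites and SSLProtocol drops SSLv2/v3.
audit_ssl_vhost() {
    f="$1"; rc=0
    suite=$(directive "$f" SSLCipherSuite)
    [ -n "$suite" ] || { echo "$f: no SSLCipherSuite directive"; return 1; }
    old_ifs="$IFS"; IFS=:
    for elem in $suite; do
        case "$elem" in
            !*) ;;   # explicitly excluded element: fine
            *eNULL*|*aNULL*|*ADH*|*EXP*|*LOW*|*RC4*|*SSLv2*|*MD5*)
                echo "$f: cipher string enables weak element '$elem'"; rc=1 ;;
        esac
    done
    IFS="$old_ifs"
    proto=$(directive "$f" SSLProtocol)
    case "$proto" in
        *-SSLv2*-SSLv3*|*-SSLv3*-SSLv2*|TLSv1*) ;;
        *) echo "$f: SSLProtocol does not exclude SSLv2 and SSLv3 ('$proto')"; rc=1 ;;
    esac
    return $rc
}

# audit_redirect_vhost FILE: exit 0 only if the port-80 vhost no longer
# mounts the application and redirects to https with a permanent 301.
audit_redirect_vhost() {
    f="$1"; rc=0
    if grep -Eq '^[[:space:]]*JkMount' "$f"; then
        echo "$f: JkMount present; application still served over http"; rc=1
    fi
    rule=$(grep -E '^[[:space:]]*RewriteRule[[:space:]].*https://' "$f" | head -n 1 || true)
    case "$rule" in
        "")        echo "$f: no RewriteRule to https://"; rc=1 ;;
        *R=301*)   ;;
        *)         echo "$f: redirect is temporary; use [R=301,L]"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample vhosts (not the appliance's files).
TMPD=$(mktemp -d)
cat > "$TMPD/ssl-weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
</VirtualHost>
EOF
cat > "$TMPD/ssl-fixed.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
</VirtualHost>
EOF
cat > "$TMPD/http-old.conf" <<'EOF'
<VirtualHost *:80>
    JkMount /LiveTime/* ajp13
    RewriteEngine On
    RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
</VirtualHost>
EOF
cat > "$TMPD/http-new.conf" <<'EOF'
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF

for f in ssl-weak ssl-fixed; do
    if audit_ssl_vhost "$TMPD/$f.conf"; then echo "$f.conf: OK"; fi
done
for f in http-old http-new; do
    if audit_redirect_vhost "$TMPD/$f.conf"; then echo "$f.conf: OK"; fi
done
```

On the appliance, run audit_ssl_vhost against /etc/apache2/vhosts.d/nsd-ssl-vhost.conf and audit_redirect_vhost against /etc/apache2/vhosts.d/nsd-vhost.conf. Once Apache has been restarted, confirm the live behaviour too: openssl s_client -connect <fqdn>:443 -servername <fqdn> -CAfile /etc/apache2/ssl.crt/nsd-ca.crt should end with "Verify return code: 0 (ok)" and report a TLS protocol rather than SSLv2 or SSLv3, and curl -sI http://<fqdn>/ should return a 301 whose Location header starts with https://<fqdn>/.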
