Posts Tagged ‘certificate’

Update on DOORS Web Access, server.xml and Tomcat…

It appears I was incorrect! When you modify your server.xml file, you may or may not need to add SSLEnabled=”true” to your SSL connector piece. And neither of the Tomcat servers I’ve seen modified to support SSL ever required keyAlias=”server” for what it’s worth.

 

Again, this is in reference to an earlier post on converting a PFX file to a JKS file for Tomcat.

DoDI 8520.2 and ECA Certificates

It looks like this has been out for some time but this is the first time I’ve encountered a server configured for it. Essentially, the network engineers removed all of the trusted CAs from the “Trusted Root Certification Authorities” tab except for ones they needed and DoDI 8520.2 ECA vendors. Why was this a problem you ask? Well, the developer who was administrating the server needed to connect to our webserver from the remote server in the datacenter to retrieve files to update the server. Our SSL certificate was from a non ECA vendor hence the company certificate wasn’t trusted. Clearly this isn’t just for client side certs (or at least that’s how the datacenter folks interpreted it!)

Couple of useful links:
http://www.identrust.com/certificates/eca/

http://iase.disa.mil/pki/eca/

Converting a PFX file to a Java Keystore & using it w/ Tomcat

So a couple of months ago I had to stand up a DOORS Web Access server for work. It was pretty straight forward except for the creation of a certificate in your Java Keystore and then using it inside of your Tomcat server’s server.xml file.

  To create the Java Keystore file you’ll first need to have downloaded Jetty which will do the command-line magic for you. I downloaded it from the codehaus.org website but you can find it by doing a Google for Jetty keytool. Once downloaded ensure your Java environment is setup correctly by issuing via command-line java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import . It should return back w/ usage information letting you know your Java environment is setup for command-line Java execution. Next, put your PFX file in the same directory where you are via command-line and then issue java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import <mycert>.pfx <myjavakeystorefile>.jks. You’ll be prompted for the password that allows you to use the PFX file, then you’ll be asked for a password for your JKS file. Once it’s done, you’ll have your Java Keystore and password.

Now, you need to open up your server.xml file and find the SSL part which needs to be modified to point to your Java Keystore file. When I found my server.xml file the https port was changed to 8443 which from what I hear is pretty common. I simply changed mine back to 443 so I wouldn’t have to do any firewall redirection. Now, I simply had to add SSLEnabled="true" keyAlias="server" keystoreFile="C:\path\to\keystore\file\mykeystorefile.jks" keypass="supersecretpasswordwhichI'mnotstupidenoughtoblogabout" . Once I had those attributes correctly set I simply stopped and restarted the Tomcat server.

All credit really goes to DigiCert & Entrust :)

Jetty tool kit explained:
http://www.entrust.net/knowledge-base/technote.cfm?tn=7925

Tomcat SSL certificate installation:
http://www.digicert.com/ssl-certificate-installation-tomcat.htm

Jetty’s website:
http://docs.codehaus.org/display/JETTY/Jetty+Wiki

vsftpd, FTPES & CentOS 5.5 part 2

 

This is the second part of my FTPES, vsftpd & CentOS article. In the first part I walked you thru how I built a certificate, sent the CSR off to my CA and finally, modified the vsftpd.conf file. In this part I’ll show you how to test the service via command-line so you can actually see the certificate and how to punch a hole thru your FW because the data part of your FTP session is now encrypted.

First, let’s talk about verifying the configuration. One of the obvious things you can do is open up a command prompt session and attempt to log into your ftp server. Once connected, does it accept an anonymous connection? Was that what you wanted? Also, was the plain jane ftp command allowing you to log in or did you get a 331 error, “Non-anonymous sessions must use encryption.” If you’ve configured it correctly it shouldn’t allow you to login at all. So how do you test it using encryption? By using openssl w/ s_client of course! Use…

openssl s_client -starttls ftp -connect yourserver.example.com:21

This will allow you to not only log into your server using encryption via command-line but also verify that you’ve got the proper certificate & certificate chain installed. I personally tried connecting w/ out the starttls option but wasn’t successful (instead I get a “SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol” error message. I beleive this is because I’m using vsftpd in explicit mode not impicit mode.) The openssl s_client command can also be used for a number of other encrypted services for debugging certificates which is extremely helpful!

So you’ve verified that FTPES does work on the local LAN but doesn’t seem to work thru your FW. This is where passive ftp comes into play because your FTP traffic is now encrypted and your FW can’t do an inspection to determine which port is going to be used next and open it up for you ahead of time. Most FWs come with some sort of FTP inspect feature but we just killed it because that data is totally encrypted now and it’s unable to sniff the FTP traffic and sense which port needs to be opened. You won’t have to turn on passive FTP because it’s on by default with vsftpd. You should specify the port range and I also turned on pasv_address too:

pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=yourserverhere.example.com
pasv_min_port=63000
pasv_max_port=65535

Once done, this will force your vsftpd server to use a port range of 63000 to 65535 for data connections. Alot of the commands I used above can be found w/in the man page for vsftpd.conf (along with their default values!)

Now you just need to open up that same range on your FW device (NOTE: Each FW is going to be different!) On my Cisco Adaptive Security appliance (ASA) I’m defining an object-group first for the port range like such:

object-group service ftp_passive tcp
  description ftp passive range
  port-object range 63000 65535

Then I use that port range in my outside ACL for inbound traffic like such:

access-list outside_access_in extended permit tcp any host YOUR_PUBLIC_IP object-group ftp_passive
.
.
.

Just be sure to use your public IP address for ‘YOUR_PUBLIC_IP’ in the above ACE. Now when it comes to ACL rules there’s tons of different ways to allow traffic so I won’t go into much more detail here other than how I punched a hole thru my FW to allow the encrypted vsftpd data channel traffic through.

That’s about it folks. Remember, if you’re having problems with your configuration, break it down into simple pieces and troubleshoot it that way versus trying to eat the entire problem at once!

-Q

Oh, almost forgot. Here’s a couple links that might be helpful!

http://en.wikipedia.org/wiki/Ftp
http://en.wikipedia.org/wiki/FTPES
http://it.toolbox.com/blogs/unix-sysadmin/troubleshooting-ssltls-mail-services-29266
http://www.wowtutorial.org/tutorial/26.html
http://vsftpd.beasts.org/
http://www.openssl.org/docs/apps/s_client.html
http://blogs.iis.net/robert_mcmurray/archive/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps.aspx

Export/Import SSL Certificate from one Windows Server to another

 

At home I typically use Linux whenever possible and feel pretty familiar working with Openssl when it comes to generating different certificates, making a certificate signing request (CSR) and what the different files mean. But when it comes to Windows boxes, I’ve generally used the certificate wizard like everyone else. Today I had an issue with moving a wildcard certificate from one windows box to another because you can’t just look in the file system to find the private key for the public key your certificate authority (CA) just finished issuing to you from the CSR you built previously.

Essentially, you’ve got to use the Windows mmc console, add the certificate Snap-in and export the certificate’s private key & public key to the new server via a PFX file which is password protected. Once you’ve moved it. You can simply select the new certificate at the Bindings option or use the certificate wizard to bring it in. I won’t go into lots of details but will show you the link I found here: http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html

Adding multiple SSL sites to IIS 6.0

 

So, for some time now I’ve worked w/ HTTPS and SSL and have had no real issues. Today however, I finally got a chance to put multiple SSL sites on one IIS 6.0 server which wasn’t very intuitive. HTTPS is funny in that the host header data that a web server needs to have access to is encrypted and can’t be used until it’s decrypted. Course for it to decrypt the packet, it must know which certificate to use and very quickly we’ve got a circular issue. Long story short, web servers CAN host multiple SSL websites so long as the sites are variations of  <something>.example.com and you use an apporpriate wild card certificate that will cover all the different sites on your HTTPS web server (such as an SSL certificate issued to *.example.com to cover all of the variations of <something>.example.com.) Ya, I know, confusing.

So while I was applying my craft to a Windows Server 2003 R2 box running IIS 6.0 I quickly encountered an error when I tried to put another website on port 443. Error was, “Cannot register the URL prefix https://*:443/ for site ‘<your site identifier here>’. The necessary network binding may already be in use. The site has been deactivated.” I believe it was event ID 1007 in the event viewer system logs. God I love logs :)

Quick search on Google reveals you’ve got to go command-line for this one by executing cscript.exe like so:

cd C:\Inetpub\AdminScripts
cscript.exe adsutil.vbs set /w3svc/Identifier/SecureBindings ":443:host header"

.
.
.
.

You can find your site identifier inside of IIS for the site you’re trying to attach on port 443 and just use your site’s FQDN for the host header field.

See this link for a more thorough walk thru:

http://www.digicert.com/ssl-support/configure-iis-host-headers.htm

Return top