Versions Compared

Version Old Version 1 New Version Current
Changes made by

Nick Day (Unlicensed)

Keith Sinclair

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There are 11 servers in use at Hearst, no one wants to put the passwords in all the time, so we use SSO, and SSL makes it more secure (apparently).

Table of Contents

Configuring SSO for opCharts and opOthers

Currently SSO with NMIS and other application does not interoperate.  for opCharts this is done in opCommon.nmis, the second . is required.

Code Block
'auth_sso_domain' => '.companynet.org'

Setting up Apache Web Server

Enterprises will typically require that all access is over SSL and that SSO features are supported.  This requires Apache to be configured to support this.

Using VHosts to Ensure the FQDN is used

...

(for SSO)

For HTTPS and for SSO to work right, all access needs to use the FQDN of the server.  So we get Apache to handle that.

Each Server has a vhosts.conf added with the below code.  The first VirtualHost is the default and catches any access to the server using any URL and redirects it to the second VirtualHost which is for the FQDN host

 

...

. Note the line "RewriteRule" which is the one redirecting.


Code Block
languagebash
titleVHosts Config
#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
<VirtualHost *:80>
    ServerAdmin opmantek@hearstopmantek@example.com
    DocumentRoot "/var/www/html"
    ServerName het001stropk002 servername002
    ServerAlias servername002.example.org
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !=localhost
    RewriteCond %{HTTP_HOST} !=127.0.0.1
    RewriteCond %{REMOTE_ADDR} !=127.0.0.1
    RewriteCond %{REMOTE_ADDR} !=::1
    RewriteRule (.*) httphttps://het001stropk002servername002.companynetexample.org$1
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin opmantek@hearst.com
    DocumentRoot "/var/www/html"
    ServerName het001stropk002.companynet.org
</VirtualHost>

Creating CSR (Certificate Signing Request)

You must create a CSR for each server, these are used to create the final SSL Cert

The details used for Hearst were:

Country: US
State/Province: New York
Locality: New York
Organisation: The Hearst Corporation
Common Name (CN): FQDN of the server, e.g.  het001wesopk001.companynet.org

To generate the CSR's easily, the following SHELL script generate-csr.sh was created:

 

Code Block
#!/bin/sh
if [ "$1" == "" ]
then
        echo Please define HOSTNAME AND DOMAINNAME
    echo eg. $0 het001stropk001 companynet.org
        exit
else
        SERVER=$1
        DOMAIN=$2
fi
echo Working on $SERVER $DOMAIN
openssl req -nodes -newkey rsa:2048 -keyout $SERVER.key -out $SERVER.csr -subj "/C=US/ST=New York/L=New Tork/O=The Hearst Corporation/OU=Hearst Enterprise Technologies/CN=$SERVER.$DOMAIN"

View the CSR

To view a CSR, run this:

Code Block
openssl req -text -in het001sclopk001.csr

Converting a CER into a CRT

If the certificates come from a Microsoft system, they will likely have the extension "CER", these will be in the format DER/Binary, and they need to be converted to Standard PEM for Apache.

This web page helped with that. https://www.sslshopper.com/ssl-converter.html

View the CRT

To view a CSR, run this:

Code Block
openssl x509 -text -in het001sclopk001.cer

You can check the contents and make sure the names match up if required.

Installing the Certificate

TBD

...


Using VHosts to Ensure redirection from HTTP to HTTPS and the correct FQDN - (HTTPS plus SSO)
To ensure ALL users are forced to use HTTPS one redirects the connections from HTTP to HTTPS.  For HTTPS or more specifically the SSL certificate to work correctly you also need guarantee users are accessing via the FQDN which matches the DN string (server name) in the SSL certificate.