Tuesday, February 19, 2008

Linux How-to: MySQL / PHP / Apache / SSL

Install the following applications:

1. MySQL

2. PHP

3. httpd (Apache)

4. OpenSSL

To check whether a package is installed => rpm -qa | grep "package name"

To install a package => yum install "package name"

Mysql Settings:

Start mysql service:

# service mysqld start

Set the MySQL root password with mysqladmin (the last argument is the password itself):

# mysqladmin -u root password password

Log in to MySQL as root:

# mysql -u root -p

Enter Password: password

Create database:

> create database databasename;

Grant the root user all privileges on the database (from any host; the password must be quoted):

> grant all privileges on databasename.* to root@'%' identified by 'password';

Add other users:

> grant all privileges on databasename.* to user@'%' identified by 'J0shu@';

Apache settings:

Add line to httpd.conf:

AddType application/x-httpd-php .php

Install the following packages:

  • mod_ssl
  • openssl
  • openssl-devel

Enable SSL on Apache:

Edit or create an OpenSSL template:

Look inside the directory /usr/share/ssl/ for a file named openssl.cnf and open it in your favorite editor. You will need to look for and change the following values in the file:

countryName_default: put the name of your country

stateOrProvinceName_default: put the name of your state or province

localityName_default: put the name of your locality (usually the city)

organizationName_default: put the default organization name

organizationalUnitName_default: put your organization unit (OU) name

You don't strictly need to do the above step, but it is very useful later on, when you are generating your certificates, because the defaults you set up here are offered at every prompt.

Create a new CA certificate:

There is a supplied CA script inside the directory /usr/share/ssl/misc/ that you can use to generate your certificate. To begin generating your certificate, simply execute the following commands:

[root@localhost root]# cd /usr/share/ssl/misc
[root@localhost misc]# ./CA -newca

Press ENTER to create the new certificate and you will be prompted to key in a passphrase. You will need this passphrase later, so remember what you keyed in here. Then you will be prompted for the particulars of your organization, etc. If you edited the openssl.cnf file properly in the previous step, you should be able to just hit ENTER for all the options except your server host name. A sample session is shown below. In this session, I am generating a CA certificate for my local Fedora Core 1 workstation:

[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Cymulacrum, Pte Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: localhost.localdomain
Email Address []: someone@somedomain.com
 

Create a Certificate Signing Request (CSR):

To create a CSR, we will use the same CA script, but with a different switch.

[root@localhost misc]# ./CA -newreq
Generating a 1024 bit RSA private key
...++++++
................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Cymulacrum, Pte Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: localhost.localdomain
Email Address []: someone@somedomain.com

You can see how useful creating or editing the template file is: if you had not set the defaults, you would have to key in the same information all over again.

You will be prompted for extra attributes, a challenge password and an optional company name. If you don't need any of this, you can safely ignore these messages and just hit ENTER.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

Note the last line, which states that your CSR has been created, and is called newreq.pem in the current directory.

Sign the CSR:

If you have gotten this far without any errors, you can now sign the CSR. To do that, we will use the CA script again, but, again, with a different switch.

[root@localhost misc]# ./CA -sign

You will be prompted for your passphrase, and then information about your certificate will spew out on the screen. You should see something like what is shown below. I have omitted some information that comes up after the particulars of your organization.

Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  7 06:15:19 2004 GMT
            Not After : Feb  6 06:15:19 2005 GMT
        Subject:
            countryName               = SG
            stateOrProvinceName       = Singapore
            localityName              = Singapore
            organizationName          = Somewhere, Pte Ltd
            commonName                = localhost.localdomain
            emailAddress              = someone@somewhere.com

You will then be asked to sign the certificate and commit the changes.

Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y

Information about your signed certificate will then be dumped to screen. Note the validity dates of the certificate.

At the end of the information dump, you will be told that the certificate filename is newcert.pem, and can be found in the current directory.

-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Store certificates in a directory:

Finally, we will create a directory and copy the newly created certificates to the new directory.

[root@localhost var]# mkdir myCA
[root@localhost var]# cd myCA
[root@localhost myCA]# cp /usr/share/ssl/misc/demoCA/cacert.pem .
[root@localhost myCA]# cp /usr/share/ssl/misc/newcert.pem ./servercert.pem
[root@localhost myCA]# cp /usr/share/ssl/misc/newreq.pem ./serverkey.pem
[root@localhost myCA]# ls
cacert.pem  servercert.pem  serverkey.pem
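The CA -> CSR -> signed server certificate sequence above, as an added example that is not part of the original post: it runs the same steps non-interactively with openssl (so a script can reproduce what ./CA -newca, -newreq and -sign prompt you for) and then verifies the result the way a broken SSL vhost would be diagnosed. The subject fields and the working directory passed as $1 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: scripted equivalent of
# ./CA -newca / -newreq / -sign, followed by verification of the output.
set -e

# Build a CA, a server key + CSR, and a CA-signed server certificate in $1.
make_demo_pki() {
    work="$1"
    mkdir -p "$work"
    # CA key and self-signed CA certificate (the post's demoCA/cacert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=SG/ST=Singapore/L=Singapore/O=Example Org/CN=Example Root CA" \
        -keyout "$work/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
    # Server key and CSR (the post's newreq.pem, here split into two files).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=SG/ST=Singapore/L=Singapore/O=Example Org/CN=localhost.localdomain" \
        -keyout "$work/serverkey.pem" -out "$work/server.csr" 2>/dev/null
    # Sign the CSR with the CA key (what ./CA -sign does) to get servercert.pem.
    openssl x509 -req -sha256 -days 365 -in "$work/server.csr" \
        -CA "$work/cacert.pem" -CAkey "$work/cakey.pem" -CAcreateserial \
        -out "$work/servercert.pem" 2>/dev/null
}

# Returns 0 only if servercert.pem chains to cacert.pem, carries the expected
# host name in its CN, and belongs to the private key that will become
# server.key. Any one of these failing gives a non-working SSL vhost.
verify_server_cert() {
    work="$1"; expected_cn="$2"
    openssl verify -CAfile "$work/cacert.pem" "$work/servercert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$work/servercert.pem" -noout -subject \
        | grep -q "CN *= *$expected_cn" || return 1
    # The public key derived from the private key must equal the one in the cert.
    key_pub=$(openssl rsa -in "$work/serverkey.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$work/servercert.pem" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```

Run make_demo_pki on a scratch directory and then verify_server_cert with the host name you put in the CSR; a mismatched CN or a cert signed by a different CA makes the check return non-zero.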

We will now need to copy the certificate and key to a directory where Apache can access them. For simplicity, we will overwrite the default certificate and key that come with the mod_ssl RPM package.

[root@localhost myCA]# cd /var/myCA
[root@localhost myCA]# cp servercert.pem /etc/httpd/conf/ssl.crt/server.crt 
cp: overwrite `/etc/httpd/conf/ssl.crt/server.crt'? y
[root@localhost myCA]# cp serverkey.pem /etc/httpd/conf/ssl.key/server.key
cp: overwrite `/etc/httpd/conf/ssl.key/server.key'? y

Edit ssl.conf (optional):

Now, we enable SSL operations for Apache. Open ssl.conf for editing and uncomment and edit the following directives:

· DocumentRoot

· ServerName

· ServerAdmin

You may want to change DocumentRoot to point to another directory, such as /var/www/ssl, and place your SSL files inside there instead.

To test your SSL configuration, create a simple HTML file, name it index.html and place it inside the DocumentRoot directory defined above.

Test SSL:

Finally, we are ready to test our new SSL-enabled Apache web server. Start Apache. You will be asked to key in your passphrase. Enter your passphrase and observe that Apache 2 starts up. Open a browser and try to go to the URL https://localhost or http://localhost:443. If you have already created an index.html inside your DocumentRoot for your SSL configuration, you should see that page open up, but not before you get a certificate warning in your browser. If you see the certificate warning, it means that you have successfully set up Apache for SSL operations. Congratulations!

Disabling the passphrase on startup (Optional):

Sometimes, the passphrase prompt can be inconvenient, especially when you want Apache to start up automatically on boot, without user intervention. We can disable the passphrase prompt by simply decrypting the server key. To do this, we begin by making a copy of the server key file, then run the following command to decrypt it:

# cd /etc/httpd/conf/ssl.key
# cp server.key server.bak
# openssl rsa -in server.bak -out server.key
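Once server.key has been decrypted this way it sits on disk without passphrase protection, so file permissions are all that still guard it. The following added example (not part of the original post) checks a PEM key file for exactly that: whether it is still encrypted, and if not, whether its mode keeps it readable by the owner only. make_samples writes two constructed, non-functional PEM files under the directory given as $1 so the check can be exercised without real keys.

```shell
#!/bin/sh
# Added example, not from the original post. Classify a PEM private key as
# "encrypted", "cleartext-locked" (mode 0600/0400) or "cleartext-exposed".
set -e

key_status() {
    f="$1"
    # Traditional PEM keys written with a passphrase carry a Proc-Type ENCRYPTED
    # header; PKCS#8 encrypted keys use a distinct BEGIN block instead.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo encrypted
        return 0
    fi
    # GNU stat first, BSD stat as fallback; both print the octal mode bits.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) echo cleartext-locked ;;   # readable by the owner only
        *)       echo cleartext-exposed ;;  # group- or world-readable cleartext key
    esac
}

# Write constructed stand-ins for server.bak (still encrypted) and server.key
# (decrypted, deliberately left world-readable) under $1. Not real keys.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.bak"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    chmod 644 "$dir/server.bak" "$dir/server.key"
}
```

Running key_status on the real /etc/httpd/conf/ssl.key/server.key after the decryption step should report cleartext-locked; anything else means the key needs a chmod 600 before Apache is left running unattended.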
