Apache SSL
In the case of Apache, the steps required depend on the Linux distro.
yum install mod_ssl
Check that ssl is included in the list of modules in the APACHE_MODULES string in /etc/sysconfig/apache2.
a2enmod ssl
For all distros you will need to install a key, generate a certificate signing request with that key, and have the certificate signed. You will also want to disable the passphrase prompt on web server restart by removing the password from the copy of the key you use with Apache, e.g.,
openssl rsa -in server.key -out server.key.nopassYou will then put the the (nopass) key and certificate files in locations accessible to Apache, and include information about the locations of those files in a config file containing the following lines:
SSLCertificateFile < path to signed certificate >
SSLCertificateKeyFile < path to key >replacing < path to ... > with the path to the location of the particular file.
Which Apache config file contains these entries depends on the distro:
/etc/httpd/conf.d/ssl.conf
/etc/apache2/vhosts.d/vhost-ssl.conf
(copied from vhost-ssl.conf with the entry for DocumentRoot changed to "/home/httpd/html").
/etc/apache2/sites-available/000-default-ssl
If you want to use rewrite rules to ensure that all external web requests are served using SSL, you should verify that mod_rewrite is enabled:
Verify that the following entry in /etc/httpd/conf/httpd.conf is not commented out: LoadModule rewrite_module modules/mod_rewrite.so
Check that rewrite is included in the list of modules in the APACHE_MODULES string in /etc/sysconfig/apache2.
a2enmod rewrite
You will also need to copy the rewrites/loncapa_rewrite_on.conf file to loncapa_rewrite.conf with the following commands:
cp /etc/httpd/conf/rewrites/loncapa_rewrite_on.conf /etc/httpd/conf/loncapa_rewrite.conf
cp /etc/apache2/rewrites/loncapa_rewrite_on.conf /etc/apache2/loncapa_rewrite.conf
and then reload the web server:
/etc/init.d/httpd reload
/etc/init.d/apache2 reload
To disable rewriting of external web requests to https://, copy rewrites/loncapa_rewrite_off.conf to loncapa_rewrite.conf and reload the web server.
You will need to open the server's Firewall to allow inbound traffic on port 443.
/usr/bin/system-config-securitylevel-tui
/usr/bin/system-config-firewall-tui
yast - > Security and Users - > Firewall
ufw allow 443/tcp
Note: changing firewall settings will cause iptables to reload, which means the rules to allow connections from other LON-CAPA servers via port 5663 will need to be re-established (if the LON-CAPA daemons were already running) by doing: /etc/init.d/loncontrol restart as root.
Internal LON-CAPA SSL
In the case of encrypted internal communication between LON-CAPA servers, you will need command line access as either root or www and enter the following commands:
cd /home/httpd/lonCerts
sh request_ssl_key.sh
Important: for the Common Name you should enter the lonHostID. This is displayed on the log-in page (Server: ) and is also an entry in the loncapa.conf file in /etc/httpd/conf (CentOS RedHat Scientific Linux Fedora) or /etc/apache2 (SuSE SLES Debian Ubuntu LTS). An example would be msul1.
By running request_ssl_key.sh you will:
The private key will be stored in /home/httpd/lonCerts/lonKey.pem It will be set so that only www can read this file. (You will want to make sure this file stays secret).
Your certificate will be signed by the certificate authority and an e-mail will be sent to the e-mail address you gave when prompted for one when you ran request_ssl_key.sh.
Save the e-mail you receive to a file, remove the headers from it, and run it (as the www user).
If it successfully completes you will have:
(your signed public key)
(the public key of the Lon-CAPA certificate authority)
Now when you machine connects to another server in the LON-CAPA network it will try to do so over an SSL connection. You can verify this by doing:
You should see something like:ps auxwww | grep lonc
lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)where before you saw something like:
lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)