PalGov © 2011
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 4
LAB
About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-
2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax:+972 2 2982935 [email protected]
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means, without prior written permission from the project, who have the full
copyrights on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-commercially,
as long as they credit you and license their new creations under the identical terms.
Tutorial 5:
Information Security
Session 4: Certificates and HTTPS Lab
Session 4 Outline:
• Apache with Basic authentication.
• OpenSSL certificates and certificate authority
• Apache and HTTPS
Tutorial 5:
Session 6: HTTPS LAB
This session will contribute to the following ILOs:
• C: Professional and Practical Skills:
• c1: Deploy and configure a secure system to protect their computing resources.
• c2: Configure an end-to-end secure and available system using Apache.
• c3: Configure integrity and confidentiality services using integrity and confidentiality algorithms and protocols.
• c4: Configure user authentication and authorization services using LDAP and SSL certificates.
• D: General and Transferable Skills:
• d1: Communication and team work.
• d2: Systems configurations.
• d3: Analysis and identification skills.
Apache Web Server
• In this lab we explain how to configure a secure Apache web server.
• To set up a web site we need a web server, a
domain name, and an IP address.
• We will use Ubuntu 11.10 in setting up Apache web
server.
Installing Apache
• The desktop version of Ubuntu does not install the Apache web server by default. Therefore, the first step is to install Apache.
• To install Apache from the command line, start a terminal window (Ctrl-Alt-T) and run the following command at the prompt:
    sudo apt-get install apache2
• Once the installation is complete, the next step is to verify that the web server is up and running.
• To do this, open the web browser and enter 127.0.0.1 in the address bar. The browser should load a page that reads "It works!".
Configuring Apache
• The next step in setting up your web server is to configure it for a domain name. Edit /etc/hosts and add the domain name:
    127.0.1.1 example.com
• To configure the web server, open a terminal window and change directory to /etc/apache2/sites-available. Edit the default file as follows (the closing </VirtualHost> tag is required for Apache to accept the file):
    <VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName example.com

        DocumentRoot /var/www/example.com
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/example.com>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
Configuring Apache
• Next, create the /var/www/example.com directory and place an index.html file in it. For example:
    <html>
      <head><title>Sample Web Page</title></head>
      <body>
        Welcome to my website.
      </body>
    </html>
• The last step is to restart the Apache web server:
    sudo /etc/init.d/apache2 restart
• If the web server sits on a network protected by a firewall, you need to configure the firewall to forward port 80 to the web server system. The mechanism for doing this differs between firewalls and devices.
Configuring HTTPS
• In order for the Apache web server to provide HTTPS, a certificate and a key file are also needed. The default HTTPS configuration file uses an auto-generated certificate and key. These are suitable for testing but should be replaced by a certificate specific to the site or server.
• To generate a key, change directory to /etc/ssl/private and run the following command from a terminal window (it will ask for a passphrase that protects the key with DES3):
    openssl genrsa -des3 -out server.key 2048
• A key without a passphrase is often used with the Apache web server so that the service can start without manual intervention. To remove the passphrase from the private key (the command prompts for the passphrase once and overwrites server.key with the unencrypted key, so it must stay readable only by root):
    openssl rsa -in server.key -out server.key
• Next, create the Certificate Signing Request (CSR):
    openssl req -new -key server.key -out server.csr
Configuring HTTPS
• Once you enter all the required information, the CSR file is created. You can now submit this CSR file to a Certification Authority (CA) to issue the certificate. Alternatively, you can create your own self-signed certificate.
• To create a self-signed certificate valid for 365 days, and then restrict the key and certificate files to the owner, run the following commands:
    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
    chmod 400 server.*
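The key, CSR and self-signed certificate steps above, run non-interactively and followed by the checks a practitioner wants before pointing Apache at the files. This is an added example, not the lab's own script; it assumes openssl is installed, and the output directory, the organisation name in the subject and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the PalGov lab): run the lab's key, CSR and
# self-signed certificate steps non-interactively, then verify the result
# before pointing Apache at it. Assumes openssl is installed; the output
# directory, organisation name and helper names are this example's own.
set -eu

make_server_cert() {
    dir="${1:-./ssl-lab}"        # use /etc/ssl/private as root for the lab layout
    cn="${2:-example.com}"       # must equal the ServerName of the HTTPS vhost
    days="${3:-365}"
    mkdir -p "$dir" && chmod 700 "$dir"
    rm -f "$dir"/server.*        # earlier runs left these read-only (chmod 400)
    # The lab creates a DES3-protected key and then strips the passphrase so
    # Apache can start unattended; generating it unencrypted gives the same key file.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj answers the questions that "openssl req -new" would ask interactively.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=PS/O=PalGov Lab/CN=$cn"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir"/server.*    # private key must not be world-readable
}

# Succeeds only if the certificate's public key belongs to server.key; a
# mismatch makes Apache refuse to start once SSLEngine is on.
cert_matches_key() {
    dir="${1:-./ssl-lab}"
    c=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$dir/server.key" | openssl md5)
    [ "$c" = "$k" ]
}

# Prints the certificate CN so it can be compared with ServerName.
cert_cn() {
    openssl x509 -noout -subject -in "${1:-./ssl-lab}/server.crt" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds if the certificate stays valid for at least N more days (default 30).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" \
        -in "${1:-./ssl-lab}/server.crt" >/dev/null
}
```

Running `make_server_cert /etc/ssl/private example.com` as root reproduces the file layout the next slides reference; `cert_valid_for_days` is the same check to schedule before the 365 days run out.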
Configuring HTTPS
• To configure Apache for HTTPS, edit the default-ssl configuration file in /etc/apache2/sites-available as follows (SSLEngine on, which the Ubuntu default-ssl file already contains, is what actually turns TLS on for the virtual host, and the closing </VirtualHost> tag is required):
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName example.com

        DocumentRoot /var/www/example.com
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/example.com>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/private/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
    </VirtualHost>
Configuring HTTPS
• To enable the ssl module and the default-ssl site in the Apache configuration:
    sudo a2enmod ssl
    sudo a2ensite default-ssl
• With Apache now configured for HTTPS, restart the service to apply the new settings:
    sudo /etc/init.d/apache2 restart
HTTP Basic Authentication
• HTTP Basic authentication restricts access to a web site by looking up users in a plain-text password file. The browser sends the username and password base64-encoded, not encrypted, so a directory protected this way should be served over the HTTPS virtual host configured above.
• To create a password file for protecting the directory /var/www/example.com/secret (the -c flag creates the file, so use it only the first time):
    htpasswd -c /var/www/passwords admin
• Next, we need to configure Apache to request a password and tell the server which users are allowed access.
• To configure Apache, edit the default configuration file in /etc/apache2/sites-available as follows:
    <Directory /var/www/example.com/secret>
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /var/www/passwords
        Require valid-user
    </Directory>
HTTP Basic Authentication
• To add a user to your already existing password file:
    htpasswd /var/www/passwords admin2
• The last step is to check access to the directory by opening the web browser and entering http://127.0.0.1/secret in the address bar. The browser should ask for a username and password before loading the page.
Summary
• In this session we discussed the following:
• Apache with Basic authentication.
• SSL practical (Basic authentication over SSL, HTTPS)
• OpenSSL certificates and certificate authority
Thanks
Eng. Ghannam Aljabary