Tuesday, October 12, 2010

MASSL Between WebSEAL And Apache On Windows

Every now and again I get faced with Windows infrastructure. As I've previously stated on this blog, I'm not "religious" about my Operating Systems but Windows does present one or two slightly different challenges and SSL enabling Apache (though very easy) does have a gotcha!

Here's how to generate the certificates necessary to create a Mutually Authenticated SSL junction between a WebSEAL and an Apache instance on Windows.

Let's assume that Apache (v2.2) has been installed at c:\Apache2.2 and that OpenSSL (v1.0.0a) has been installed at c:\openssl-win32 using the Win32 binary installer.

Setting Up The Environment
The environment setup for OpenSSL requires some directories to be created:

cd c:\openssl-win32\bin
mkdir TAM
mkdir TAM\keys
mkdir TAM\requests
mkdir TAM\certificates
mkdir TAM\newcerts
> TAM\index.txt
echo "01" > TAM\serial

The openssl.cfg file should be updated so that the "dir" directive within the CA_default stanza reads:

dir = ./TAM 

Within the req_distinguished_name stanza, add the following:

stateOrProvinceName_default = xx

xx can be set to anything you want, but it is important that a stateOrProvinceName is provided during certificate generation.

Creating a Certificate Authority
openssl genrsa -out TAM\cacert.key 1024
openssl req -new -key TAM\cacert.key -out TAM\cacert.csr
openssl x509 -req -days 365 -in TAM\cacert.csr -out TAM\cacert.crt -signkey TAM\cacert.key
openssl x509 -in TAM\cacert.crt -text

That was painless, wasn't it? We now have a certificate authority which can be used for the signing of other certificates. Our next step is to create certificates for the Apache and WebSEAL instances. Note, we have no need for Apache or WebSEAL to generate the certificate requests, we can do that with OpenSSL:

Create Apache Certificate
This is a four step process which involves the generation of a key, a request, a certificate and a conversion of the key to unencrypted format because Apache on Windows "hissy-fits" when attempting to use an encrypted key.

openssl genrsa -des3 -out TAM\keys\apache.key 1024
openssl req -new -key TAM\keys\apache.key -out TAM\requests\apache.csr
openssl ca -days 365 -in TAM\requests\apache.csr -cert TAM\cacert.crt -keyfile TAM\cacert.key -out TAM\certificates\apache.crt -config openssl.cfg
openssl rsa -in TAM\keys\apache.key -out TAM\keys\apache_unenc.key

We can now move these certificates to the correct location:

mkdir c:\Apache2.2\certs
copy TAM\cacert.crt c:\Apache2.2\certs\cacert.pem
copy TAM\certificates\apache.crt c:\Apache2.2\certs\apache.crt
copy TAM\keys\apache_unenc.key c:\Apache2.2\certs\apache.key

Configuring Apache
The c:\Apache2.2\conf\httpd.conf file should have the handful of references to SSL uncommented:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

The c:\Apache2.2\conf\extras\httpd-ssl.conf should be updated as such:
  • Update SSLCertificateFile to point at c:\Apache2.2\certs\apache.crt
  • Update SSLCertificateKeyFile to point at c:\Apache2.2\certs\apache.keyUpdate
  • SSLCACertificateFile to point at c:\Apache2.2\certs\cacert.pem
Apache can now be restarted.

Create WebSEAL Certificate
The generation of the key, request and certificate for WebSEAL is also a four step process though the final step isn't the conversion of the key to unencrypted format but rather the generation of a #PKCS12 format certificate:

openssl genrsa -des3 -out TAM\keys\webseald.key 1024
openssl req -new -key TAM\keys\webseald.key -out TAM\requests\webseald.csr
openssl ca -days 365 -in TAM\requests\webseald.csr -cert TAM\cacert.crt -keyfile TAM\cacert.key -out TAM\certificates\webseald.crt -config openssl.cfg
openssl pkcs12 -export -clcerts -in TAM\certificates\webseald.crt -inkey TAM\keys\webseald.key -out TAM\certificates\webseald.p12

Importing the webseald.p12 file into the pdsrv.kdb keystore can be tricky unless your Java Policy Files allow the level of encryption that will have been applied to the p12. So, update the Java Policy Files on the WebSEAL by visiting https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk. Download the Policy Files for Java 1.4.2 or above and copy the two policy files to {java_home}/jre/lib/security

The #PKCS12 file can now be imported with the following commands:

java -cp {gsk7_location}/classes/gsk7cls.jar;{gsk7_location}/classes/cfwk.zip com.ibm.gsk.ikeyman.ikeycmd -cert -add -file cacert.pem -format ascii -db pdsrv.kdb -pw pdsrv -type cms -label TAMCA -trust enable

java -cp {gsk7_location}/classes/gsk7cls.jar;{gsk7_location}/classes/cfwk.zip com.ibm.gsk.ikeyman.ikeycmd -cert -import -file webseald.p12 -type pkcs12 -target pdsrv.kdb -target_pw pdsrv -target_type cms -pw {p12 password}

You should now determine the label that has been assigned to the certificate:

java -cp {gsk7_location}/classes/gsk7cls.jar;{gsk7_location}/classess/cfwk.zip com.ibm.gsk.ikeyman.ikeycmd -cert -list -db pdsrv.kdb -pw pdsrv -type cms

The label will look like something like this: "2cn=webseald, o=x,st=x,c=x, etc"

Create a WebSEAL Junction
The WebSEAL junction can now be created with the -K option (plus the above label) which should result in a "Created junction" message with no other warnings.

Notes & Observations
The certificates used to created a MASSL connection between WebSEAL and Apache won't ever be seen by any client - remember, WebSEAL acts as the client to the Apache server. As such, there is no strong need for these certificates to be generated by the likes of a Verisign. There is no need for these certificates to make any reference to the actual host names at all - the names Apache and WebSEAL seem like good names to me for the Common Name of the certificate. In reality, using the above method for generating the certificates is as good than any other (if not better as it has been tried and tested).


Ajay said...
This comment has been removed by the author.
Ajay said...

The above article was very helpful. I followed it and was able to create "MASSL between WebSEAL and Apache on Linux".