Secure Sockets Layer in Orka platform - grnet/e-science GitHub Wiki

## SSL setup and configuration in Personal Orka Server

SSL (Secure Sockets Layer) configuration of the personal Orka server is done during the server's initialization.

First, the nginx configuration template file, which is modified to handle HTTPS requests, is copied to the nginx configuration directory:

```yaml
- name: Copy nginx.conf file
  tags: postimage
  template: src=nginx.j2 dest=./conf owner=orka_admin

- name: Rename nginx.j2 template to nginx.conf
  tags: postimage
  command: mv nginx.j2 nginx.conf chdir=./conf
```

Then, Ansible creates the self-signed SSL certificate with the following tasks:

```yaml
  - name: Create directory ssl in /etc/nginx
    sudo: yes
    file: path=/etc/nginx/ssl state=directory
    tags: postimage

  - name: Create the SSL certificate
    sudo: yes
    command: openssl req -x509 -nodes -days {{certificate_key_lifetime}} -newkey rsa:{{key_rsa}} -sha256 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN={{ ansible_ssh_host }}"
    tags: postimage
```

The default values of the certificate variables (`certificate_key_lifetime` and `key_rsa`) are in the webserver group variables file. After nginx is restarted, it serves HTTPS.

An Orka user who opens the web graphical user interface in a browser for the first time after creating and starting the personal Orka server will see a "Your connection is not secure" warning, because the certificate is self-signed, and should add an exception for the SSL certificate.

## Configure the Orka command line interface for secure communication with Personal Orka Server

For communication between the Orka CLI and the personal Orka server, a `verify_ssl` property is added to the `[orka]` section of `.kamakirc`. Sample `.kamakirc` file:

```ini
[global]
default_cloud = ~okeanos

[cloud "~okeanos"]
url = https://accounts.okeanos.grnet.gr/identity/v2.0
token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[orka]
base_url = https://xx.xxx.xxx.xx
verify_ssl = false
#verify_ssl = <path/to/valid/crt/file>
```

If the property is set to `no` or `false`, or is not set at all, the `verify` keyword argument of the Python `requests` library is set to `False`. This means the server's SSL certificate is not checked, so Orka CLI communication is not secured.

If instead `verify_ssl` is set to the path of the SSL certificate file in the local filesystem, that certificate is used to verify Orka CLI requests. A user should download the certificate file (`/etc/nginx/ssl/nginx.crt`) from the personal Orka server and put its local path in the `.kamakirc` file.
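As an added example (not code from the Orka project or the kamaki library), the following Python mirrors the rule just described: the `verify_ssl` value of the `[orka]` section is mapped to what the `verify` argument of `requests` receives, and a certificate path is checked to exist and be PEM before it is trusted. The function names and the PEM check are this example's own.

```python
import configparser
import os
import tempfile
import warnings

# The sample .kamakirc from the page; token and address are the page's placeholders.
SAMPLE_KAMAKIRC = """\
[global]
default_cloud = ~okeanos

[cloud "~okeanos"]
url = https://accounts.okeanos.grnet.gr/identity/v2.0
token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[orka]
base_url = https://xx.xxx.xxx.xx
verify_ssl = false
#verify_ssl = <path/to/valid/crt/file>
"""

# Values the page treats as "do not verify": no, false, or the property missing.
INSECURE_VALUES = {"", "no", "false"}


def resolve_verify_ssl(kamakirc_text):
    """Return the value for requests' `verify=`: False, or a PEM certificate path."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(kamakirc_text)
    value = cfg.get("orka", "verify_ssl", fallback="").strip()
    if value.lower() in INSECURE_VALUES:
        # TLS still encrypts, but any certificate is accepted, so an
        # interposed server would not be detected.
        warnings.warn("verify_ssl is off: the server certificate is not checked")
        return False
    # A path was given: it must exist and look like the PEM nginx.crt
    # downloaded from /etc/nginx/ssl/ on the personal Orka server.
    if not os.path.isfile(value):
        raise FileNotFoundError(f"verify_ssl points to a missing file: {value}")
    with open(value, "rb") as fh:
        if b"-----BEGIN CERTIFICATE-----" not in fh.read():
            raise ValueError(f"{value} is not a PEM certificate")
    return value


def resolve_with_cert_file(pem_text):
    """Write a constructed certificate file, point verify_ssl at it and resolve."""
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as fh:
        fh.write(pem_text)
    text = f"[orka]\nbase_url = https://xx.xxx.xxx.xx\nverify_ssl = {fh.name}\n"
    return resolve_verify_ssl(text), fh.name
```

The resolved value is what would be passed as `requests.get(url, verify=...)`; with the page's sample file it is `False`.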

## Configure VRE images to support SSL

#### Mediawiki/Drupal

For Drupal, the existing container must be deleted and a new one created with ports 80 and 443 bound:

```bash
docker rm --force drupal
docker run -d --name drupal --link db:mysql -p 80:80 -p 443:443 samos123/drupal
```

Common steps for Drupal/Mediawiki:

```bash
docker exec -ti <container_name> bash
mkdir -p /etc/apache2/ssl
mkdir -p /etc/apache2/logs
cd /etc/apache2/logs
touch access.log error.log
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN=localhost"
cd /etc/apache2/mods-available
cp ssl.conf ssl.load socache_shmcb.load ../mods-enabled/
cd ../sites-available/
cp 000-default.conf default-ssl.conf ../sites-enabled/
cd ../sites-enabled/
```

Open 000-default.conf and add/edit:

```apache
ErrorLog /etc/apache2/logs/error.log
CustomLog /etc/apache2/logs/access.log combined

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
```

Open default-ssl.conf and add/edit:

```apache
ErrorLog /etc/apache2/logs/error.log
CustomLog /etc/apache2/logs/access.log combined

SSLCertificateFile    /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
```

Close the file, exit and restart the container:

```bash
exit
docker restart <container_name>
```

#### DSpace

The existing container must be deleted and a new one created with ports 8080 and 443 bound (host port 443 maps to the container's 8443):

```bash
docker rm -f dspace
docker run -d -p 8080:8080 -p 443:8443 --name dspace quantumobject/docker-dspace
```

Create the admin user for the DSpace application (the prompts and the bracketed defaults are shown as they appear):

```text
docker exec -it dspace create-admin
permanently delete everything? [yes]
creating an initial administrator account
e-mail address: [[email protected]]
first name: [John]
last name: [Doe]
password: [changeme]
```

Then open a shell in the container:

```bash
docker exec -it dspace bash
```

Create the self-signed keystore:

```bash
/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -genkey \
    -alias tomcat \
    -keyalg RSA \
    -keysize 1024 \
    -keystore /var/lib/tomcat8/conf/keystore \
    -storepass e-science \
    -validity 365 \
    -dname 'CN=localhost, OU= , O= , L=Athens, S=Athens, C=GR'
```

Open /usr/share/tomcat8/bin/catalina.sh and add/edit:

```bash
# insert this at the beginning, after the comments,
# to reduce the time tomcat needs to load
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC"
```

Open /var/lib/tomcat8/conf/server.xml and edit to enable SSL:

```xml
<Connector port="8443"
    SSLEnabled="true"
    URIEncoding="UTF-8"
    maxThreads="150" minSpareThreads="25"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https" secure="true" sslProtocol="TLS"
    keystoreFile="/var/lib/tomcat8/conf/keystore" keystorePass="e-science"
    clientAuth="false" />
```

Set the owner and permissions of the keystore file:

```bash
chown root:tomcat8 /var/lib/tomcat8/conf/keystore
chmod 664 /var/lib/tomcat8/conf/keystore
```

Create the Catalina temp directory:

```bash
mkdir /var/lib/tomcat8/temp
chown tomcat8:tomcat8 /var/lib/tomcat8/temp
```

Restart tomcat:

```bash
sv restart tomcat8
```

##### Enable HTTP to HTTPS redirection for DSpace (optional)

```bash
docker exec -it dspace bash
```

Open /var/lib/tomcat8/conf/server.xml and edit:

```xml
<Connector port="8080"
  enableLookups="false"
  redirectPort="443" />
```

Open /var/lib/tomcat8/conf/web.xml and edit:

```xml
<!-- add these at the end, right before </web-app> -->
<security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Restart tomcat:

```bash
sv restart tomcat8
```

#### Redmine

The existing container must be deleted and a new one created with ports 80 and 443 bound:

```bash
docker rm --force <id>
docker run --name=redmine_redmine_1 -d --link=redmine_postgresql_1:postgresql -p 80:80 -p 443:443 --env='REDMINE_PORT=443' --volume=/srv/docker/redmine/redmine:/home/redmine/data sameersbn/redmine:3.0.4
```

Connect to the newly created container:

```bash
docker exec -ti redmine_redmine_1 bash
cd /etc/nginx/
apt-get update
apt-get install nano
export TERM=xterm
```

Copy the `redmine` site file to `redmine.conf`:

```bash
cd sites-enabled/
cp redmine redmine.conf
```

Edit `redmine.conf` so that the server blocks look as follows (the `.......` lines stand for the rest of the existing configuration, which stays unchanged):

```nginx
server {
    listen 0.0.0.0:80;
    listen [::]:80;
    rewrite ^ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
.......
    .......
    gzip off;   # find and comment out
```

Edit `/etc/nginx/nginx.conf`:

- find the `gzip` directive and replace it with `gzip off;`
- find the line `include /etc/nginx/sites-enabled/*;` and replace it with `include /etc/nginx/sites-enabled/redmine.conf;`

Make directory ssl in /etc/nginx/ and create the SSL certificate and key with openssl:

```bash
cd /etc/nginx/
mkdir ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GR/ST=Athens/L=Athens/O= /OU= /CN=localhost"
```

Exit and restart container:

```bash
exit
docker restart redmine_redmine_1
```