SSL certificates - nsc-norway/system GitHub Wiki
This procedure sets up an SSL proxy at port 443, so the LIMS servers can be accessed via a normal https:// URL. That is, we don't need ports like :8080. We get valid SSL certificates from UiO, so there is never a warning message when loading the web interface. There will still be a warning when loading the operations interface.
First, generate a key pair and get a certificate for it. Follow the instructions in:
- http://www.uio.no/tjenester/it/sikkerhet/ssl/kokebok.html
- http://www.uio.no/tjenester/it/sikkerhet/sertifikater/bestilling.html
Make sure that the private key (.key) is not readable by others. Ideally, run the openssl commands in a directory which is only accessible to your user.
Copy the .key into `/etc/pki/tls/private`. It should only be readable by root. (It actually doesn't matter where it's saved. Many sources also put it under `/etc/httpd`, but as of now, we have standardised on `/etc/pki`.)
```
[paalmbj@cees-lims ~]$ ls -l /etc/pki/tls/private/
total 4
-rw-------. 1 root root 1704 Feb 9 15:22 cees-lims.sequencing.uio.no.key
```
As described in the UiO document, back up the private key, but encrypt it before it goes off the system. Use a really strong password, as it has to protect against an offline attack. Currently, encrypted backups are stored on Marius's computer.
After you get the .crt files from USIT, place them in `/etc/pki/tls/certs`. This includes the signed host certificate and the CA chain. Rename these to `uio-chain.crt` and `<hostname>.crt` (not required, but good to have a less specific name when renewing certs).
Then set up an SSL proxy. This is described on the Genologics support page, but there are some differences.
First make the changes to the file `/opt/gls/clarity/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml_sslsocket`.
Then install the `mod_ssl` yum package, as this is not installed by default. Use the Genologics `clarity.conf` file for apache, but fix this first: before `# Redirect to https` there should be a closing tag, `</VirtualHost>`. Here is an example:
```apache
# Configuration for Clarity LIMS with Apache Proxy and SSL
<VirtualHost cees-lims.sequencing.uio.no:443>
    ServerName cees-lims.sequencing.uio.no
    SSLEngine on
    # Needed because the backend (jboss on 8443) is itself https
    SSLProxyEngine on
    # Host certificate, private key and CA chain as saved under /etc/pki/tls
    SSLCertificateFile /etc/pki/tls/certs/cees-lims.sequencing.uio.no.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cees-lims.sequencing.uio.no.key
    SSLCertificateChainFile /etc/pki/tls/certs/uio-chain.crt
    ProxyPass /clarity https://cees-lims.sequencing.uio.no:8443/clarity
    ProxyPassReverse /clarity https://cees-lims.sequencing.uio.no:8443/clarity
    ProxyPass /glsstatic https://cees-lims.sequencing.uio.no:8443/glsstatic
    ProxyPassReverse /glsstatic https://cees-lims.sequencing.uio.no:8443/glsstatic
    ProxyPass /GLS https://cees-lims.sequencing.uio.no:8443/GLS
    ProxyPassReverse /GLS https://cees-lims.sequencing.uio.no:8443/GLS
    ProxyPass /lablink https://cees-lims.sequencing.uio.no:8443/lablink
    ProxyPassReverse /lablink https://cees-lims.sequencing.uio.no:8443/lablink
    ProxyPass /api https://cees-lims.sequencing.uio.no:8443/api
    ProxyPassReverse /api https://cees-lims.sequencing.uio.no:8443/api
    Redirect / https://cees-lims.sequencing.uio.no/clarity/
</VirtualHost>
# Redirect to https
<VirtualHost cees-lims.sequencing.uio.no:80>
    Redirect / https://cees-lims.sequencing.uio.no/clarity/
</VirtualHost>
```
As stated in the Genologics document, place the config file in `/etc/httpd/conf.d`.
Set the paths to the certificates and the hostname correctly in the file. The paths to the private key and server certificate are where the .key and host .crt files were saved above. The `SSLCertificateFile` and the `SSLCertificateChainFile` are the files that were returned in the email from USIT/UNINETT.
Configure apache to use these certs by saving this config as `/etc/httpd/conf.d/clarity.conf`.
The files that were moved into the `/etc/pki/tls` dir will have the wrong SELinux labels. Use this command to correct it:
```
sudo restorecon -R /etc/pki/tls/
```
Now restart apache and jboss and confirm that the page loads using https:// .
```
sudo /etc/init.d/httpd restart
sudo /etc/init.d/jboss restart
```
Make sure apache is set to start on reboot: `sudo chkconfig httpd on`.
It's also possible to set a cert for the actual jboss service at port 8443, not just the proxy at 443 (https://genologics.zendesk.com/entries/69422336-Creating-a-Java-Keystore-SSL-Certificate-for-Clarity-LIMS). I never even tried this because:
- Using the java `keytool` is hard and error-prone
- The cert would probably not be valid for port 8443 anyway -- in my experience it's only valid for 443 (or any single port).
You will probably get an email from UiO reminding you to renew. Then follow the procedure in the email. This should give you at least a new .crt, maybe a new .key. Place these on the servers, in the locations given above:
- .crt files go in `/etc/pki/tls/certs`
- .key file goes in `/etc/pki/tls/private` (if generating a new key, it will already be on the server, and should never leave it in un-encrypted form).

Replace the old .crt and maybe .key files with the new ones (give them exactly the same name):
- Server certificate: `certs/<hostname>.crt`
- Certificate chain: `certs/uio-chain.crt`
- Key: `private/<hostname>.key`
Then run `sudo restorecon -R /etc/pki/tls` to set the right SELinux contexts. Then restart `httpd` and `jboss` and confirm that it works.
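The checks below cover what "confirm that it works" means for the files themselves, both after the first install and after every renewal: the private key is readable by root only (as in the `ls -l` listing above), the host .crt was actually issued for the .key next to it, the .crt verifies against `uio-chain.crt`, and the expiry is not within the next 30 days. This is an added example and not a script from the nsc-norway/system wiki; the directory layout and file names are the ones used on this page, while the function names and the 30-day warning threshold are our own choices.

```shell
#!/bin/sh
# Added example, not part of the nsc-norway/system wiki: post-install and
# post-renewal checks for the key, certificate and chain files. Directory
# layout and file names follow the wiki page; function names are ours.

CERT_DIR=/etc/pki/tls/certs
KEY_DIR=/etc/pki/tls/private

# Octal permission bits of a file (GNU stat, with BSD stat as a fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a file (GNU stat, with BSD stat as a fallback).
file_owner_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# The private key must be readable by its owner only (mode 0600 or 0400).
# An optional second argument also checks the owner uid (0 = root on the LIMS hosts).
check_key_perms() {
  key=$1; want_uid=${2:-}
  [ -f "$key" ] || return 1
  case "$(file_mode "$key")" in
    600|400) ;;
    *) return 1 ;;
  esac
  if [ -n "$want_uid" ]; then
    [ "$(file_owner_uid "$key")" = "$want_uid" ] || return 1
  fi
  return 0
}

# The certificate must have been issued for this key: compare the public key
# embedded in the certificate with the one derived from the private key.
# Unlike comparing RSA moduli, this also works for EC keys.
cert_matches_key() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The host certificate must chain up to the CA bundle delivered with it.
chain_verifies() {
  chain=$1; cert=$2
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Succeeds if the certificate is still valid $2 days from now (default 30),
# so a cron job can warn before the renewal reminder from UiO arrives.
cert_valid_for_days() {
  cert=$1; days=${2:-30}
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Compare the certificate actually served on the proxy port with the file on
# disk: catches a forgotten restart or a vhost still pointing at the old file.
# Needs network access to the host, so it is not part of the offline checks.
served_cert_matches_file() {
  host=$1; cert=$2; port=${3:-443}
  live_fp=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  file_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ -n "$live_fp" ] && [ "$live_fp" = "$file_fp" ]
}

# Run the offline checks for one host name; prints each failure and returns
# non-zero if any check failed.
check_host_material() {
  host=$1
  cert=$CERT_DIR/$host.crt
  key=$KEY_DIR/$host.key
  chain=$CERT_DIR/uio-chain.crt
  status=0
  check_key_perms "$key" 0         || { echo "FAIL: $key must be mode 0600 and owned by root"; status=1; }
  cert_matches_key "$cert" "$key"  || { echo "FAIL: $cert was not issued for $key"; status=1; }
  chain_verifies "$chain" "$cert"  || { echo "FAIL: $cert does not verify against $chain"; status=1; }
  cert_valid_for_days "$cert" 30   || { echo "WARN: $cert expires within 30 days, start renewal"; status=1; }
  return "$status"
}

# Usage: sudo sh check_tls_material.sh cees-lims.sequencing.uio.no
if [ $# -gt 0 ]; then
  check_host_material "$1"
fi
```

Run it as root (the key is mode 0600, so nobody else can read it) after `restorecon` and before restarting httpd; a failing `cert_matches_key` at this point is far cheaper than an Apache that refuses to start. After the restart, `served_cert_matches_file cees-lims.sequencing.uio.no /etc/pki/tls/certs/cees-lims.sequencing.uio.no.crt` confirms that the proxy on 443 is presenting the new certificate and not a cached old one.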
(On the closed network, renewal is handled automatically by the certmonger daemon)