This is a bit long and is the last post in the Apache series. In it we will see how to secure a website with Active Directory integration for user logins and a self-signed certificate to encrypt the login details and the subsequent session.

To accomplish this we divide the work into sub-tasks.

Tasks :

Subtask1 : Creation of a sub-domain on the DNS server, the website directory on our Apache server and an index.html file.

Subtask2 : Creating the SSL certificate.

Subtask3 : Creating an AD account on the AD server which will act as the service account Apache binds with to look up and authenticate the users logging in to our portal.

Subtask4 : Configuring AD authentication and SSL on our Apache server.

Subtask1 :
Step1 : Check whether the Apache package is installed. If it is not, install it together with openssl.

#rpm -qa | grep httpd
#yum install httpd
#yum install openssl

Step2 : Create a DNS CNAME record for this virtual host, adssl.linuxnix.com, pointing to our server name server.linuxnix.com.

Step3 : Create a home directory for our virtual host and an index.html file (the same directory is used as DocumentRoot in the virtual host later).

#mkdir -p /websites/adssl

#vi /websites/adssl/index.html

Write something in this file, then save and exit.

Subtask2 :

Step4 : Create a self-signed SSL certificate for our site.

What is a self-signed certificate?
Ans : A self-signed certificate is generated locally on the server where the SSL-enabled web site is to run, when the site or server owner either does not plan to have the certificate signed by a CA, or the certificate is only for testing a new SSL setup.

This certificate will make the client browser warn that the signing certificate authority is unknown and not trusted, because it is not signed by any CA the browser already trusts.
To generate a self-signed certificate we have to generate two things.

1. A private key, which stays on the server.
2. A CSR (Certificate Signing Request), which is what gets signed (here with our own key) to produce the self-signed certificate.

Step4(a) : Generate a private key. Keep this key in /etc/httpd/conf/sslcrt
#mkdir /etc/httpd/conf/sslcrt
#cd /etc/httpd/conf/sslcrt

Note : The key can be created in any location, but /etc/httpd/conf/sslcrt is easy to remember.

#openssl genrsa -des3 -out server.key 1024

Once we execute the above command it will prompt for a new pass-phrase as shown below

Generating RSA private key, 1024 bit long modulus

………………………………..++++++

…………….++++++

e is 65537 (0x10001)

Enter pass phrase for server.key :

Verifying - Enter pass phrase for server.key :

Enter a pass-phrase for the key (it is just a password) and remember it; it will be asked for again in the next steps.

Let me explain the command

openssl is the command-line tool for generating keys and certificates.
genrsa tells it to generate an RSA private key and write it to server.key, encrypted with Triple DES (-des3), with a key length of 1024 bits (1024-bit RSA is considered too weak for new certificates today; 2048 bits or more is the usual choice).

To see the files created, just run ls.

#ls -lrt

Step4(b) : Now generate a CSR (Certificate Signing Request)

#openssl req -new -key server.key -out server.csr

When you execute this command you will be prompted for a number of inputs as shown below.

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:IN

State or Province Name (full name) [Berkshire]:Andhra Pradesh

Locality Name (eg, city) [Newbury]:Hyderabad

Organization Name (eg, company) [My Company Ltd]:The Linux juggernaut Ltd.

Organizational Unit Name (eg, section) []:IT Support Group

Common Name (eg, your name or your server's hostname) []:Surendra kumar Anne

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

These are self-learning entries, so you can give your own details. Just press Enter at "A challenge password" and "An optional company name"; leave these two blank. One caveat: browsers check the Common Name against the hostname they connected to, so for a real site enter adssl.linuxnix.com as the Common Name rather than a person's name; otherwise the browser reports a hostname mismatch on top of the untrusted-issuer warning.

To see the files you have created, run ls.

#ls -lrt

Step4(c) : Remove the pass-phrase from the key. It is not needed here, and whenever the Apache service is restarted the system would ask for it. So that nobody has to sit in front of the system and type the pass-phrase after a reboot, a service restart or a crash, we remove it as shown below. Once the key is unencrypted, make sure it stays readable by root only.

#cp server.key server.key.org
#openssl rsa -in server.key.org -out server.key

This will ask for the pass-phrase one last time. Enter the pass-phrase you gave earlier.

Step4(d) : Now it is time to generate the self-signed certificate, valid for 365 days.

#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Once you execute the above command you will get output as shown below

Signature ok

subject=/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=The Linux juggernaut Ltd./OU=IT Support Group/CN=Surendra kumar Anne/emailAddress=[email protected]

Getting Private key
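The whole of Subtask2 as an added, non-interactive script (not from the original post): it generates key, CSR and certificate with the Common Name set to the site hostname, then runs the checks an admin wants before pointing Apache at the files. It assumes openssl(1) is on PATH; directory, hostname and lifetime are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: the Subtask2 commands run
# non-interactively, with the Common Name set to the site hostname, followed
# by the checks worth running before pointing Apache at the files.
# Assumes openssl(1) on PATH; directory, hostname and lifetime are parameters.
set -eu

# make_selfsigned DIR HOSTNAME DAYS : writes DIR/server.key, server.csr, server.crt
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # No -des3: the key is written without a pass-phrase (the post removes it
    # again in Step4(c)), so it must never be readable by anyone but root.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # -subj replaces the interactive DN prompts; CN is what browsers match
    # against the hostname in the URL, so it must be the site name, not a person.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=Example Org/CN=$host"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn CERT : print the Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# key_matches_cert KEY CERT : succeeds only if CERT carries KEY's public half
# (compared as hashes of the DER-encoded public key)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_is_valid_now CERT : succeeds if the certificate is inside its validity period
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage: sh mkcert.sh /etc/httpd/conf/sslcrt adssl.linuxnix.com 365
if [ $# -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3"
    echo "CN: $(cert_cn "$1/server.crt")"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key matches certificate"
fi
```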

Subtask3 :

Step5 : Create a normal AD account on your domain controller and assign it a complex password. This is the account Apache binds with; it needs no rights beyond reading the directory.

Subtask4 :
Step6 : Now configure the virtual host in the httpd.conf file, which is located in /etc/httpd/conf/

Step6(a) : Specify NameVirtualHost (the name must resolve to the address used in the <VirtualHost> line added below)
NameVirtualHost server.linuxnix.com

Step6(b) : Specify ServerName as server.linuxnix.com in httpd.conf
ServerName server.linuxnix.com

Step6(c) : Now go to the last line of httpd.conf and add the entries below.

<VirtualHost 192.168.0.1:443>
    DocumentRoot /websites/adssl
    ServerName adssl.linuxnix.com
    DirectoryIndex index.html

    ServerSignature On
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/httpd/conf/sslcrt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/sslcrt/server.key
    <Directory /websites/adssl>
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
    </Directory>
    <Location "/">
        AuthType Basic
        AuthName "Please enter your AD credentials to access this portal"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN "cn=test_apache,cn=Users,dc=linuxnix,dc=com"
        AuthLDAPBindPassword UV4Ziu6v
        AuthLDAPURL "ldap://dc.linuxnix.com:3268/dc=linuxnix,dc=com?sAMAccountName?sub?(objectClass=*)"
        Require valid-user
    </Location>
</VirtualHost>

Let me explain the entries in this virtual host that are new.

AuthBasicProvider ldap
We are telling Apache that Basic authentication is provided by LDAP, i.e. the AD server (mod_authnz_ldap).

AuthzLDAPAuthoritative off
Controls whether this module has the last word when a user cannot be authorized via LDAP. With on, a failed LDAP check is final; with off, as here, Apache passes the decision on to any other authorization modules that are configured.

AuthLDAPBindDN "cn=test_apache,cn=Users,dc=linuxnix,dc=com"

This is an important line. AuthLDAPBindDN names the account Apache binds to the directory with (here the test_apache AD account), the container it lives in (cn=Users) and the domain it belongs to (linuxnix.com, i.e. dc=linuxnix,dc=com).

Note : If your domain ends with .co.in, the domain part becomes dc=linuxnix,dc=co,dc=in

AuthLDAPBindPassword UV4Ziu6v

This line provides the AD password (here UV4Ziu6v) for the user test_apache. It is stored in clear text, so httpd.conf must not be readable by ordinary users, and the account itself should have no rights beyond reading the directory.

So why do we require this user name and password?
Ans : Because AD does not answer searches from anonymous clients, Apache binds as this account to look up the user who is logging in, and then checks the password the user typed by binding again as that user.

AuthLDAPURL "ldap://dc.linuxnix.com:3268/dc=linuxnix,dc=com?sAMAccountName?sub?(objectClass=*)"

This line tells Apache where test_apache should connect to look up users: the domain controller dc.linuxnix.com on port 3268 (the Global Catalog port), searching from the base dc=linuxnix,dc=com. The remaining parts say which attribute the login name is matched against (sAMAccountName, the Windows logon name), how deep to search (sub, the whole subtree) and an extra filter ((objectClass=*), i.e. no restriction).

Require valid-user

This line indicates that any successfully authenticated user is allowed to access this portal.

Note : Sometimes we need to give access only to particular users; then specify ldap-user as shown below.

Require ldap-user surendra_anne surya_t meghana_bm

When Apache sees the above line it allows only surendra_anne, surya_t and meghana_bm to access this portal; all other AD users are denied.

Now save and exit the file
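To make the AuthLDAPURL explanation concrete, here is an added helper script (not from the original post) that splits the URL from the virtual host into the fields Apache uses and builds the search filter it sends to the domain controller for a given login name: the URL filter AND-ed with attribute=login, with the login escaped as RFC 4515 requires. It is pure string handling and assumes the full base?attr?scope?filter form of the URL.

```shell
#!/bin/sh
# Added example, not from the original post: take the AuthLDAPURL from the
# virtual host apart into the fields mod_authnz_ldap uses, and build the
# search filter Apache sends to the domain controller for a login name
# (the URL filter AND-ed with attribute=login, login escaped per RFC 4515).
# Pure string handling; nothing here talks to AD.
set -eu

# The URL from the post; the functions assume the full base?attr?scope?filter form.
AUTH_LDAP_URL='ldap://dc.linuxnix.com:3268/dc=linuxnix,dc=com?sAMAccountName?sub?(objectClass=*)'

# ldap_url_field URL FIELD : print one of scheme host port base attr scope filter
ldap_url_field() {
    url=$1
    scheme=${url%%://*}                # ldap or ldaps
    rest=${url#*://}
    hostport=${rest%%/*}               # dc.linuxnix.com:3268
    path=${rest#*/}                    # base?attr?scope?filter
    host=${hostport%%:*}
    if [ "$hostport" = "$host" ]; then # no explicit port: use the scheme default
        if [ "$scheme" = ldaps ]; then port=636; else port=389; fi
    else
        port=${hostport#*:}
    fi
    base=${path%%\?*};    rem=${path#*\?}
    attr=${rem%%\?*};     rem=${rem#*\?}
    scope=${rem%%\?*};    filter=${rem#*\?}
    case $2 in
        scheme) printf '%s\n' "$scheme" ;;  host)  printf '%s\n' "$host" ;;
        port)   printf '%s\n' "$port" ;;    base)  printf '%s\n' "$base" ;;
        attr)   printf '%s\n' "$attr" ;;    scope) printf '%s\n' "$scope" ;;
        filter) printf '%s\n' "$filter" ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# ldap_escape VALUE : escape the filter metacharacters \ * ( ) as RFC 4515
# requires, so a typed login name can never change the structure of the filter.
# (NUL is the fifth one but cannot occur in a shell string.)
ldap_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# ldap_search_filter URL LOGIN : the combined filter, e.g. for the post's URL
# and surendra_anne: (&(objectClass=*)(sAMAccountName=surendra_anne))
ldap_search_filter() {
    printf '(&%s(%s=%s))\n' "$(ldap_url_field "$1" filter)" \
        "$(ldap_url_field "$1" attr)" "$(ldap_escape "$2")"
}

# Usage: sh ldapurl.sh surendra_anne
if [ $# -eq 1 ]; then ldap_search_filter "$AUTH_LDAP_URL" "$1"; fi
```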

Step7 : Check httpd.conf for syntax errors before restarting the Apache service.
#httpd -t
httpd -k graceful runs the same syntax check first and, only if it passes, restarts the running server gracefully:
#httpd -k graceful

Step8 : Now restart the service and enable it in the boot scripts so that it starts automatically at every boot of the system

#service httpd restart
#chkconfig httpd on

Step9 : Now try to access https://adssl.linuxnix.com. The browser first warns that the certificate is self-signed (untrusted issuer); after you accept it you will be prompted for an AD user-name and password.