e gov security_tut_session_4_lab

Post on 08-May-2015


PalGov © 2011

The Palestinian eGovernment Academy
www.egovacademy.ps

Security Tutorial
Session 4
LAB

About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.

Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA)

This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.

Tutorial 5: Information Security
Session 4: Certificates and HTTPS Lab

Session 4 Outline:
• Apache with Basic authentication.
• OpenSSL certificate and certificate authority
• Apache and HTTPS

Tutorial 5:
Session 6: HTTPS LAB

This session will contribute to the following ILOs:

• C: Professional and Practical Skills:
  • c1: Deploy and configure a secure system to protect their computing resources.
  • c2: Configure an end-to-end secure and available system using Apache.
  • c3: Configure integrity and confidentiality services using integrity and confidentiality algorithms and protocols.
  • c4: Configure user authentication and authorization services using LDAP and SSL certificates.
• D: General and Transferable Skills:
  • d1: Communication and team work.
  • d2: Systems configurations.
  • d3: Analysis and identification skills.

Apache Web Server

• In this lab we will explain how to configure a secure Apache web server.
• To set up a web site we need a web server, a domain name, and an IP address.
• We will use Ubuntu 11.10 in setting up the Apache web server.

Installing Apache

• The desktop version of Ubuntu does not install the Apache web server by default. Therefore, the first step is to install Apache.
• To install Apache from the command line, start a terminal window (Ctrl-Alt-T) and run the following command at the command prompt:

    sudo apt-get install apache2

• Once the installation is complete, the next step is to verify that the web server is up and running.
• To do this, run the web browser and enter 127.0.0.1 in the address bar. The browser should load a page that reads "It works!".

Configuring Apache

• The next step in setting up your web server is to configure it for a domain name. Edit /etc/hosts and add the domain name:

    127.0.1.1 example.com

• To configure the web server, open a terminal window and change directory to /etc/apache2/sites-available. Edit the default file as follows:

    <VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName example.com
        DocumentRoot /var/www/example.com
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/example.com>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        # the remaining directives of the default file are left unchanged
    </VirtualHost>

Configuring Apache

• Next, create the /var/www/example.com directory and place an index.html file in it. For example:

    <html>
      <head>
        <title>Sample Web Page</title>
      </head>
      <body>
        Welcome to my website.
      </body>
    </html>

• The last step is to restart the Apache web server:

    sudo /etc/init.d/apache2 restart

• If the web server sits on a network protected by a firewall, you need to configure the firewall to forward port 80 to the web server system. The mechanism for performing this differs between firewalls and devices.

Configuring HTTPS

• In order for the Apache web server to provide HTTPS, a certificate and a key file are also needed. The default HTTPS configuration file uses an auto-generated certificate and key. The auto-generated certificate and key are used for testing, but should be replaced by a certificate specific to the site or server.
• To generate a key, change directory to /etc/ssl/private and run the following command from a terminal window:

    openssl genrsa -des3 -out server.key 2048

• A key without a passphrase is often used with the Apache web server to allow the Apache service to start without manual intervention. To remove the passphrase from the private key:

    openssl rsa -in server.key -out server.key

• Next, create the Certificate Signing Request (CSR):

    openssl req -new -key server.key -out server.csr

Configuring HTTPS

• Once you enter all required information, the CSR file will be created. You can now submit this CSR file to a Certification Authority (CA) to issue the certificate. Alternatively, you can create your own self-signed certificate.
• To create a self-signed certificate, run the following commands:

    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
    chmod 400 server.*
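The key, CSR and self-signed certificate steps above as an added example that is not part of the lab's own material: a POSIX shell script runs them non-interactively into a scratch directory, then performs the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at the files (certificate matches the key, names the intended host, key locked to mode 400). The subject fields, the directory argument and GNU stat (Linux) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the PalGov lab: the key -> CSR -> self-signed
# certificate steps run non-interactively, plus the checks a practitioner
# does before handing the files to Apache. The subject fields (C, O) and
# the directory argument are assumptions; stat -c assumes GNU coreutils.
set -eu

# Create server.key, server.csr and a 365-day self-signed server.crt in $1
# for host name $2, then lock the files down as the lab does (chmod 400).
make_selfsigned() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Unencrypted key, i.e. the state after 'openssl rsa -in server.key -out server.key'.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj supplies the answers that 'openssl req -new' would otherwise prompt for.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=PS/O=Example Org/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days 365 2>/dev/null
    chmod 400 "$dir"/server.*
}

# Return 0 only if the certificate's public key belongs to the private key;
# a mismatch between SSLCertificateFile and SSLCertificateKeyFile is a common
# reason for the HTTPS virtual host refusing to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null | openssl md5)
    [ "$k" = "$c" ]
}

# Print the Common Name from the certificate subject, so the caller can
# confirm it matches the ServerName of the virtual host.
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *//'
}

# Return 0 if the private key is readable by its owner only (mode 400).
key_is_private() {
    [ "$(stat -c '%a' "$1/server.key")" = "400" ]
}
```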

Configuring HTTPS

• To configure Apache for HTTPS, edit the default SSL configuration file in /etc/apache2/sites-available as follows:

    <VirtualHost *:443>
        ServerAdmin webmaster@example.com
        ServerName example.com
        DocumentRoot /var/www/example.com
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/example.com>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        # SSLEngine on and the other directives of the default-ssl file are left unchanged
        SSLCertificateFile /etc/ssl/private/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
    </VirtualHost>

Configuring HTTPS

• To enable the ssl module and the default-ssl site within the Apache configuration:

    sudo a2enmod ssl
    sudo a2ensite default-ssl

• With Apache now configured for HTTPS, restart the service to enable the new settings:

    sudo /etc/init.d/apache2 restart

HTTP Basic Authentication

• HTTP basic authentication is used to restrict access to a web site by looking up users in a plain-text password file (created by htpasswd, which stores each password as a hash rather than in clear).
• To create a password file for protecting the directory /var/www/example.com/secret:

    htpasswd -c /var/www/passwords admin

• Next, we need to configure Apache to request a password and tell the server which users are allowed access.
• To configure Apache, edit the default configuration file in /etc/apache2/sites-available as follows:

    <Directory /var/www/example.com/secret>
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /var/www/passwords
        Require valid-user
    </Directory>

HTTP Basic Authentication

• To add a user to your already existing password file:

    htpasswd /var/www/passwords admin2

• The last step is to check access to the directory by running the web browser and entering http://127.0.0.1/secret in the address bar. The browser should ask for a username and password to load the page.
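As an added example that is not from the lab itself, the script below builds an htpasswd-compatible file with 'openssl passwd' and checks a login against it the way Apache does, by re-hashing the supplied password with the stored salt, which also shows that the file holds salted hashes rather than passwords. It assumes the $apr1$ scheme (the htpasswd default on Apache 2.2), a writable file path and constructed user names; since Basic authentication only base64-encodes the credentials on the wire, the protected directory belongs in the HTTPS virtual host configured earlier.

```shell
#!/bin/sh
# Added example, not part of the PalGov lab: htpasswd-style entries made with
# 'openssl passwd -apr1' and a login check that mirrors what Apache does with
# AuthUserFile. File name and user names are assumptions of the example.
set -eu

# Append "user:$apr1$<salt>$<digest>" to the password file $1.
# Reading the password from stdin keeps it out of the process argument list.
add_user() {
    file="$1"; user="$2"; password="$3"
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$file"
}

# Return 0 if $2/$3 is a valid user/password pair in $1, 1 otherwise.
check_login() {
    file="$1"; user="$2"; password="$3"
    # Exact match on the user-name field; take the first entry if duplicated.
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    # The salt is the third '$'-separated field of the stored hash.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}
```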

Summary

• In this session we discussed the following:
  • Apache with Basic authentication.
  • SSL practical (basic authentication over SSL, HTTPS)
  • OpenSSL certificate and certificate authority

Thanks

Eng. Ghannam Aljabary
