Archive for July, 2007

Unable to start debugging on the web server - Chapter 6 . Securing Linux 227 # cd

Tuesday, July 31st, 2007

Chapter 6: Securing Linux (page 227)

    # cd /etc/httpd/conf/ssl.key
    # /usr/bin/openssl rsa -in server.key -out server.key

Troubleshooting Your Certificates

If you are having problems with your SSL certificate, here are some troubleshooting tips:

- Only one SSL certificate per IP address is allowed. If you want to add more than one SSL-enabled Web site to your server, you must bind another IP address to the network interface.
- Make sure the permission mask on the /etc/httpd/conf/ssl.* directories and their contents is 700 (rwx------).
- Make sure you aren't blocking port 443 on your Web server. All https requests come in on port 443. If you are blocking it, you will not be able to get secure pages.
- The certificate only lasts for one year, and then you must renew it with your certificate authority. Each CA has a different renewal procedure, so check your CA's Web site for details.
- Make sure you have the mod_ssl package installed. You will not be able to serve any SSL-enabled traffic without it.

Using the Secure Shell Package

The Secure Shell package (SSH) provides shell services similar to the rsh, rcp, and rlogin commands, but encrypts the network traffic. It uses private-key cryptography, so it is ideal for use with Internet-connected computers.

Starting the SSH Service

If you have installed the openssh-server software package, the SSH server is automatically configured to start. The SSH daemon is started from the /etc/init.d/sshd startup script. To make sure the service is set up to start automatically, type the following (as root user) on a Fedora Core system:

    # chkconfig --list sshd
    sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

This result shows that the sshd service is set to run in system states 2, 3, 4, and 5, which means that whenever the system is up and connected to the network, the sshd service is running. If the service is off, you can turn it on so it comes up when you boot Linux by typing the following as root user:

    # chkconfig sshd on
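A check for the two key-handling points in the certificate material above, the restrictive permission masks on the ssl.* directories and key files and the passphrase that the openssl rsa command at the top of this post strips from server.key. This is an added example, not from the book; the function names and the sample key files are constructed for illustration, and the script reads PEM headers only, so it needs no openssl binary.

```shell
#!/bin/sh
# Added example (not from the book): audit private-key files for loose
# permissions and for a missing passphrase. Function names are illustrative.

# audit_key FILE: print one finding per line; return 1 if anything was found.
audit_key() {
    f=$1
    findings=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 2; }

    # Columns 5-10 of the ls mode string are the group and other bits;
    # for a private key they must all be "-" (mode 600 or 400).
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) echo "$f: mode $mode lets group/other reach the key"; findings=1 ;;
    esac

    # Passphrase-protected keys carry "Proc-Type: 4,ENCRYPTED" (traditional
    # PEM) or a "BEGIN ENCRYPTED PRIVATE KEY" header (PKCS#8).
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' \
               -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        :
    elif grep -q 'PRIVATE KEY-----' "$f"; then
        echo "$f: private key is stored without a passphrase"
        findings=1
    fi
    return "$findings"
}

# audit_key_dir DIR: check the directory mode (700 expected) and every file.
audit_key_dir() {
    d=$1
    status=0
    dmode=$(ls -ld "$d" | cut -c1-10)
    case $dmode in
        d???------) ;;
        *) echo "$d: mode $dmode, expected drwx------"; status=1 ;;
    esac
    for k in "$d"/*; do
        [ -f "$k" ] || continue
        audit_key "$k" || status=1
    done
    return "$status"
}

# Constructed sample: one protected key, one with the passphrase removed.
make_sample_dir() {
    s=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' '(constructed body)' \
        '-----END RSA PRIVATE KEY-----' > "$s/protected.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed body)' \
        '-----END RSA PRIVATE KEY-----' > "$s/stripped.key"
    chmod 700 "$s"; chmod 600 "$s/protected.key"; chmod 644 "$s/stripped.key"
    echo "$s"
}

sample=$(make_sample_dir) && { audit_key_dir "$sample" || true; rm -rf "$sample"; }
```

On a real server the directory argument would be /etc/httpd/conf/ssl.key, run as root.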

Web design seattle - 226 Part II . Running the Show 3.

Tuesday, July 31st, 2007

Part II: Running the Show (page 226)

3. Make the server.key file readable and writable only by root:

    # chmod 600 ssl.key/server.key

4. Create the self-signed certificate by typing the following:

    # make testcert
    umask 77 ; /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.key/server.crt
    …

At this point, it is time to start adding some identifying information to the certificate that the third-party source will later validate. Before you can do this, you must unlock the private key you just created. Do so by typing the password you typed earlier. Then follow this sample procedure:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]: Ohio
    Locality Name (e.g., city) [Newbury]: Cincinnati
    Organization Name (e.g., company) [My Company Ltd]:Industrial Press, Inc.
    Organizational Unit Name (e.g., section) []:IT
    Common Name (e.g., your name or your server's hostname) []:www.industrialpressinc.com
    Email Address []: webmaster@industrialpressinc.com

This generation process places all files in the proper place. All you need to do is restart your Web server and add https instead of http in front of your URL. (The https protocol is used when you want transmissions to be encrypted.) Remember, you'll get a certificate validation message from your Web browser, which you can safely ignore.

Restarting Your Web Server

Your Web server requires you to enter your certificate password every time it is started. This is to prevent someone from breaking into your server, stealing your private key, and masquerading as you. Should someone manage to break in and take your key, you are safe in the knowledge that the private key is a jumbled mess. If you just cannot stand having to enter a password every time your Web server starts and are willing to accept the increased risk, you can remove the password encryption on your private key. Simply do the following:

Chapter 6 . Securing Linux 225 Within 48 (Christian web host)

Monday, July 30th, 2007

Chapter 6: Securing Linux (page 225)

Within 48 to 72 hours after you complete the validation and have paid for the signing, you should receive an e-mail with your shiny new SSL certificate in it. The certificate will look similar to the following:

    -----BEGIN CERTIFICATE-----
    [base64-encoded certificate body]
    -----END CERTIFICATE-----

Copy and paste this certificate into an empty file called server.crt, which must reside in the /etc/httpd/conf/ssl.crt directory, and restart your Web server. In Fedora Core, you restart your Web server by typing:

    # service httpd restart

Assuming your Web site was previously working fine, you can now view it in a secure fashion by placing an s after the http in the Web address. So if you previously viewed your Web site at http://acmemarina.com, you can now view it in a secure fashion by going to https://acmemarina.com.

Creating Self-Signed Certificates

Generating and running a self-signed SSL certificate is much easier than having a signed certificate. To generate a self-signed SSL certificate, do the following:

1. Remove the key and certificate that currently exist:

    # cd /etc/httpd/conf
    # rm ssl.key/server.key ssl.crt/server.crt

2. Create your own server key:

    # /usr/bin/openssl genrsa 1024 > ssl.key/server.key
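Before restarting the Web server with a certificate pasted into server.crt as described in this post, two checks catch the usual installation mistakes: the certificate belongs to a different private key, or it is close to the end of its one-year lifetime. This is an added example, not from the book; the function names, the www.example.test subject and the 30-day threshold are assumptions, and the sample key and certificate are generated on the spot rather than taken from a real site.

```shell
#!/bin/sh
# Added example (not from the book): pre-restart checks for server.crt.
# Needs the openssl command. A passphrase-protected key makes openssl
# prompt for the passphrase when its modulus is read.

# cert_matches_key CERT KEY: succeed only if both carry the same RSA modulus,
# i.e. the certificate was issued for this private key.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_for CERT DAYS: succeed if CERT will still be valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_install CERT KEY: print OK, MISMATCH or EXPIRING; non-zero on a problem.
check_install() {
    if ! cert_matches_key "$1" "$2"; then echo "MISMATCH"; return 1; fi
    if ! cert_valid_for "$1" 30; then echo "EXPIRING"; return 1; fi
    echo "OK"
}

# Constructed sample: a key, a 365-day self-signed certificate made from it
# (same openssl req options as the Makefile's testcert target, plus -subj to
# skip the prompts), and an unrelated second key.
make_sample() {
    w=$(mktemp -d) || return 1
    openssl genrsa -out "$w/server.key" 2048 2>/dev/null &&
    openssl genrsa -out "$w/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$w/server.key" -days 365 \
        -subj "/CN=www.example.test" -out "$w/server.crt" 2>/dev/null &&
    echo "$w"
}

w=$(make_sample) && { check_install "$w/server.crt" "$w/server.key"; rm -rf "$w"; }
```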

224 Part II . Running the Show There (My space web page)

Monday, July 30th, 2007

Part II: Running the Show (page 224)

    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]: Connecticut
    Locality Name (eg, city) [Newbury]: Mystic
    Organization Name (eg, company) [My Company Ltd]:Acme Marina, Inc.
    Organizational Unit Name (eg, section) []:InfoTech
    Common Name (eg, your name or your server's hostname) []:www.acmemarina.com
    Email Address []: webmaster@acmemarina.com

To complete the process, you are asked if you want to add any extra attributes to your certificate. Unless you have a reason to provide more information, simply press Enter at each of the prompts to leave them blank:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Getting the CSR Signed

After your CSR is created, select a certificate authority (from the list in the "Using Third-Party Certificate Signers" section earlier in this chapter). Then send your CSR to the CA for validation. Instructions at each CA's Web site describe where to send your CSR for validation. You will have to go through some validation steps. Each signer has a different method of validating identity and certificate information. Some require that you fax articles of incorporation, while others require that a company officer be made available to talk to a validation operator. At some point in the process you are asked to copy and paste the contents of the CSR you created into the signer's Web form.

    # cd /etc/httpd/conf/ssl.csr
    # cat server.csr
    -----BEGIN CERTIFICATE REQUEST-----
    [base64-encoded certificate request body]
    -----END CERTIFICATE REQUEST-----

You can use your mouse to copy and paste the CSR into the signer's Web form.

Ftp web hosting - Chapter 6 . Securing Linux 223 Each signing

Sunday, July 29th, 2007

Chapter 6: Securing Linux (page 223)

Each signing authority has different deals, prices, and products. Check out each of the signing authorities listed in the "Using Third-Party Certificate Signers" section earlier in this chapter to determine which works best for you. The following are areas where signing authorities differ:

- Credibility and stability
- Pricing
- Browser recognition
- Warranties
- Support
- Certificate strength

For good comparisons, studies, and inside information to make the job of finding an SSL signer easier, go to www.whichssl.org.

Creating a Certificate Service Request

To create a third-party validated SSL certificate, you start with a Certificate Service Request (CSR). To create a CSR, do the following on your Web server:

    # cd /etc/httpd/conf
    # make certreq
    umask 77 ; /usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
    …

You are asked to enter a password to secure your private key. This password should be at least eight characters long, and should not be a dictionary word or contain numbers or punctuation. The characters you type do not appear on the screen to prevent someone from shoulder surfing your password. Enter the password once again to verify.

The certificate generation process now begins. At this point, it is time to start adding some identifying information to the certificate that the third-party source will later validate. Before you can do this, you must unlock the private key you just created. Do so by typing the password you just created. Then enter information as you are prompted. Here's an example of a session for adding information for a certificate:

    Enter pass phrase for /etc/httpd/conf/ssl.key/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.

Mac os x web server - 222 Part II . Running the Show Each

Saturday, July 28th, 2007

Part II: Running the Show (page 222)

Each of these certificate authorities has a chunk of cryptographic code embedded into nearly every Web browser in the world. This chunk of cryptographic code allows a Web browser to determine whether an SSL certificate is authentic. Without this validation, it would be trivial for crackers to generate their own certificates and dupe people into thinking they are giving sensitive information to a reputable source.

Each certificate authority has different deals, prices, and products. Check out each of the CAs in the preceding list to determine which works best for you.

Certificates that are not validated are called self-signed certificates. If you come across a site that has not had its identity authenticated by a trusted third party, your Web browser will display a message similar to the one shown in Figure 6-2.

Figure 6-2: A pop-up window alerts you when a site is not authenticated.

This does not necessarily mean that you are encountering anything illegal, immoral, or fattening. Many sites opt to go with self-signed certificates, not because they are trying to pull a fast one on you, but because there may not be any reason to validate the true owner of the certificate and they do not want to pay the cost of getting a certificate validated. Some reasons for using a self-signed certificate include:

- The Web site accepts no input. In this case, you as the end user have nothing to worry about; no one is trying to steal your information because you aren't giving out any information. The certificate simply secures the Web transmission from the server to you. The data in and of itself may not be sensitive, but, being a good netizen ("net citizen"), the site has enabled you to secure the transmission to keep third parties from sniffing the traffic.
- The Web site caters to a small clientele. If you run a Web site that has a very limited set of customers, such as an Application Service Provider (ASP), you can simply inform your users that you have no certificate signer and that they can browse the certificate information and validate it with you over the phone or in person.
- Testing. It makes no sense to pay for an SSL certificate if you are only testing a new Web site or Web-based application. Use a self-signed certificate until you are ready to go live.

Chapter 6 . Securing Linux 221 The make (Free web hosting music)

Saturday, July 28th, 2007

Chapter 6: Securing Linux (page 221)

The make command utilizes the Makefile to create SSL certificates. Without any arguments the make command simply prints the information as just shown. The following are the arguments you can give to make:

    Argument            Description
    make server.key     Creates generic public/private key pairs.
    make server.csr     Generates a generic SSL certificate service request.
    make server.crt     Generates a generic SSL test certificate.
    make stunnel.pem    Generates a generic SSL test certificate, but puts the private key in the same file as the SSL test certificate.
    make genkey         Same as make server.key except it places the key in the ssl.key directory.
    make certreq        Same as make server.csr except it places the certificate service request in the ssl.csr directory.
    make testcert       Same as make server.crt except it places the test certificate in the ssl.crt directory.

Using Third-Party Certificate Signers

In the real world, I know who you are because I recognize your face, your voice, and your mannerisms. On the Internet, I cannot see these things and must rely on a trusted third party to vouch for your identity. To ensure that a certificate is immutable, it has to be signed by a trusted third party (certificate authority) when the certificate is issued and validated every time an end user taking advantage of your secure site loads it. The following are trusted third-party certificate signers:

- GlobalSign (www.globalsign.net)
- Baltimore (www.baltimore.com)
- GeoTrust (www.geotrust.com)
- VeriSign (www.verisign.com)
- FreeSSL (www.freessl.com)
- Thawte (www.thawte.com)
- EnTrust (www.entrust.com)
- ipsCA (www.ipsca.com)
- COMODO Group (www.comodogroup.com)

220 Part II . Running the (Web site templates) Show The

Friday, July 27th, 2007

Part II: Running the Show (page 220)

The /etc/httpd/conf and /etc/httpd/conf.d directories contain all of the components necessary to create your SSL certificate. Here are descriptions of the components:

    Component     Description
    httpd.conf    Web server configuration file
    Makefile      Certificate building script
    ssl.crl       Certificate revocation list directory
    ssl.crt       SSL certificate directory
    ssl.csr       Certificate service request directory
    ssl.key       SSL certificate private key directory
    ssl.prm       SSL certificate parameters
    ssl.conf      Primary Web server SSL configuration file

Now take a look at the tools used to create SSL certificates:

    # cd /etc/httpd/conf
    # make
    This makefile allows you to create:
      o public/private key pairs
      o SSL certificate signing requests (CSRs)
      o self-signed SSL test certificates

    To create a key pair, run "make SOMETHING.key".
    To create a CSR, run "make SOMETHING.csr".
    To create a test certificate, run "make SOMETHING.crt".
    To create a key and a test certificate in one file, run "make SOMETHING.pem".

    To create a key for use with Apache, run "make genkey".
    To create a CSR for use with Apache, run "make certreq".
    To create a test certificate for use with Apache, run "make testcert".

    Examples:
      make server.key
      make server.csr
      make server.crt
      make stunnel.pem
      make genkey
      make certreq
      make testcert

Chapter 6 . Securing Linux 219 . SSL-enabled (Web hosting bandwidth)

Friday, July 27th, 2007

Chapter 6: Securing Linux (page 219)

- SSL-enabled Web browser (Mozilla, Internet Explorer, Opera, Konqueror, etc.)
- SSL-enabled Web server (Apache)
- SSL certificate

To initiate an SSL session, a Web browser first makes contact with a Web server on port 443, also known as the HTTPS (Hypertext Transport Protocol Secure) port. After a socket connection has been established between the two machines, the following occurs:

1. Server sends SSL certificate to browser.
2. Browser verifies identity of server through SSL certificate.
3. Browser generates symmetric encryption key.
4. Browser uses SSL certificate to encrypt symmetric encryption key.
5. Browser sends encrypted key to the server.
6. Server decrypts the symmetric key with its private key counterpart of the public SSL certificate.
7. Browser and server can now encrypt and decrypt traffic based on a common knowledge of the symmetric key.

Secure data interchange can now occur.

Creating SSL Certificates

To create your own SSL certificate for secure HTTP data interchange, you must first have an SSL-capable Web server such as the Apache Web server (httpd package), which comes with virtually every Linux distribution. Once you have a server ready to go, familiarize yourself with the important server-side components of an SSL certificate:

Note: The following example is from a Fedora Core system. A similar procedure for using SSL certificates with an Apache server on a Debian system is contained in Chapter 23.

    # ls -l /etc/httpd/conf
    -rw-r--r-- 1 root root 36010 Jul 14 15:45 httpd.conf
    lrwxrwxrwx 1 root root    37 Aug 12 23:45 Makefile -> ../../../usr/share/ssl/certs/Makefile
    drwx------ 2 root root  4096 Aug 12 23:45 ssl.crl
    drwx------ 2 root root  4096 Aug 12 23:45 ssl.crt
    drwx------ 2 root root  4096 Jul 14 15:45 ssl.csr
    drwx------ 2 root root  4096 Aug 12 23:45 ssl.key
    drwx------ 2 root root  4096 Jul 14 15:45 ssl.prm
    # ls -l /etc/httpd/conf.d/ssl.conf
    -rw-r--r-- 1 root root 11140 Jul 14 15:45 ssl.conf

Web hosting unlimited bandwidth - 218 Part II . Running the Show Until

Thursday, July 26th, 2007

Part II: Running the Show (page 218)

Until recently, the United States government was standardized on a symmetric encryption algorithm called DES (Data Encryption Standard) to secure important information. There's no direct way to crack DES-encrypted data, so to decrypt the data without a password requires an unimaginable amount of computing power to try to guess the password (the brute force method of decryption). As personal computing power has increased nearly exponentially, the DES algorithm has had to be retired. In its place, after a very long and interesting search, the U.S. government has accepted the Rijndael algorithm as what it calls the AES (Advanced Encryption Standard). Although the AES algorithm is also subject to brute-force attacks, it requires significantly more computing power to crack than the DES algorithm does.

Go to http://aescrypt.sourceforge.net/ for more information on AES, including a command line implementation of the algorithm.

Public-Key Cryptography

Public-key cryptography does not suffer from key distribution problems, and that is why it is the preferred encryption method for secure Internet communication. This method uses multiple keys (usually two), one to encrypt the message and another to decrypt the message. The key used to encrypt the message is called the public key because it is made available for all to see. The key used to decrypt the message is the private key and is kept hidden.

Say, for example, that you want to send me a secure message using public-key encryption. Here's how the process works:

1. I must have a public and private key pair. Depending on the circumstances, I may generate the keys myself (using special software) or obtain the keys from a key authority.
2. You want to send me a message, so you first look up my public key (or more accurately, the software you are using looks it up).
3. You encrypt the message with the public key. At this point, the message can only be decrypted with the private key (the public key cannot be used to decrypt the message).
4. I receive the message and use my private key to decrypt it.

Secure Socket Layer

A classic implementation of public-key cryptography is with SSL (secure socket layer) communication. This is the technology that enables you to securely submit your credit card information to an online merchant. The elements of an SSL encrypted session are:
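The public-key steps in this post and steps 3 to 7 of the SSL session setup in the page-219 post describe the same exchange: a symmetric key is encrypted with the server's public key, recovered with the private key, and then used by both sides. The script below walks through it with the openssl command as an added example, not from the book; the file names, function names and the choice of AES-256-CBC are assumptions, and a bare public key file stands in for the certificate.

```shell
#!/bin/sh
# Added example (not from the book): handshake steps 3-7 with the openssl CLI.
# File and function names are constructed for this demo.

# Server key pair. server.pub stands in for the public key the browser
# would read out of the SSL certificate (steps 1-2).
new_server_keys() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/server.key" -pubout -out "$1/server.pub" 2>/dev/null
}

# Steps 3-5: the browser generates a random 256-bit symmetric key, encrypts
# it with the server's public key and "sends" wrapped.key. Prints the key (hex).
browser_wrap_key() {
    k=$(openssl rand -hex 32) || return 1
    printf '%s' "$k" > "$1/browser.symkey"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -in "$1/browser.symkey" -out "$1/wrapped.key" || return 1
    echo "$k"
}

# Step 6: the server recovers the symmetric key with its private key.
server_unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$1/server.key" -in "$1/wrapped.key"
}

# The public key alone cannot undo the encryption: this succeeds when openssl
# refuses to decrypt wrapped.key with server.pub.
public_key_cannot_unwrap() {
    ! openssl pkeyutl -decrypt -pubin -inkey "$1/server.pub" \
        -in "$1/wrapped.key" >/dev/null 2>&1
}

# Step 7: one side encrypts with its copy of the key, the other decrypts
# with the copy it recovered. Prints the decrypted message.
handshake_roundtrip() {
    d=$(mktemp -d) || return 1
    new_server_keys "$d" || return 1
    browser_key=$(browser_wrap_key "$d") || return 1
    server_key=$(server_unwrap_key "$d") || return 1
    iv=$(openssl rand -hex 16)
    printf '%s' "$1" |
        openssl enc -aes-256-cbc -K "$browser_key" -iv "$iv" -out "$d/msg.enc"
    openssl enc -d -aes-256-cbc -K "$server_key" -iv "$iv" -in "$d/msg.enc"
    rm -rf "$d"
}

handshake_roundtrip "constructed test message"; echo
```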