Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4

From Resin 4.0 Wiki

Revision as of 00:00, 17 January 2013 by Rick (Talk | contribs)

For this exercise, I am using Amazon EC2 to start up a clean Ubuntu 12.0.4 instance.

I started up a 64-bit large instance.

I am following the instructions here for setup:

$ sudo add-apt-repository http://caucho.com/download/debian


Then update the repo cache:

$ sudo apt-get update


This is currently broken on Ubuntu 12.0.4; we will get it working again. Instead, download the package directly:

$ wget http://www.caucho.com/download/debian/dists/unstable/multiverse/binary-amd64/resin-pro_4.0.32-amd64.deb

Install the Java 7 JDK (or Java 6 JDK) and the OpenSSL development library as follows:

$ sudo apt-get -f install
$ sudo apt-get install openjdk-7-jdk
$ sudo apt-get install libssl-dev


Enable the relevant settings in resin.properties:

# resin.properties - configuration variable values
# 
# See resin.xml, cluster-default.xml, and health.xml for full configuration.
# Any variable defined by ${...} can be set as a property in this file.
# 
# Individual server overrides can be specified by prepending the server.id.
# For example, increasing the log level for an individual server:
#
log_level : finest
# app-0.log_level : finest
#
# Like Resin XML configuration, modification of this file will trigger
# a restart.
#

# General log level (modify resin.xml for more granular log level adjustments)
# log_level     : finer

# Enable verbose browser error reporting
dev_mode      : true

# How often Resin should check for updated files.
# dependency_check_interval : 5m

# Enable /resin-doc Resin documentation
resin_doc     : true

# List Triad server ip-addresses:hmux-port for each tier, space separated
# App tier Triad servers must be listed to enable web-tier to 
# app-tier load-balancing

# web-tier Triad servers: web-0 web-1 web-2
# web_servers      : 127.0.0.1:6810

# app-tier Triad servers: app-0 app-1 app-2
app_servers      : 127.0.0.1:6800

# Configures Resin for a memcached server tier
# memcached-tier Triad servers: memcached-0 memcached-1 memcached-2
# memcached_servers    : 127.0.0.1:6820
# memcached_port : 11211

# Allow elastic nodes to join the cluster (enable for cloud mode)
# elastic_cloud_enable : true

# The cluster that elastic nodes should join - each will contact a Triad server
# Use a separate resin.properties file for each cluster
home_cluster : app

# Used for an elastic server to join the cluster in home_cluster
# elastic_server : true

# Create a distinct webapps/ directory for each server, for vertical scaling
# elastic_webapp : true

# Used for cloud servers with dynamic IP addresses where the DNS name for the
# server is assigned after the server starts. Resin will retry the start.
# elastic_dns : true

# specifies the --server in the config file
# home_server : app-0

# Set HTTP and HTTPS bind address
# http_address  : *

# Set HTTP and HTTPS ports.
# Use overrides for individual server control, for example: app-0.http : 8081
app.http          : 8080
app.https         : 8443

web.http          : 8080
web.https         : 8443

# memcached.http      : 8080
# memcached.https     : 8443

# For security, Resin can switch to a non-root user after binding to port 80
setuid_user : resin
setuid_group : resin

# Arg passed directly to the JVM
# jvm_args  : -Xmx2048m -XX:MaxPermSize=256m

# Local URLs for the watchdog to check to ensure the server is up,
# space separated
# http_ping_urls : http://127.0.0.1/test.jsp

# Throttle the number of active threads for a port
port_thread_max   : 256
accept_thread_max : 32
accept_thread_min : 4

# Enable JNI TCP speed optimizations
tcp_cork : true
sendfile : true

# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
# openssl_file : keys/test.crt
# openssl_key : keys/test.key
# openssl_password : changeme

# JSSE certificate configuration
# Keys are typically stored in the resin configuration directory.
# jsse_keystore_type : jks
# jsse_keystore_file : /etc/resin/keys/server.keystore
# jsse_keystore_password : changeme

# In absence of a signed certificate, Resin will fallback to using a 
# self-signed development certificate if HTTPS is enabled

# Enable the proxy-cache - for caching static content in memory
proxy_cache_enable : true

# Sets the proxy cache memory size
proxy_cache_size : 256m

# Enable clustered persistent sessions (for failover)
session_store : true

# Web-apps named with numeric suffixes, e.g. foo-10.0.war and can be browsed
# as /foo. When a new version of the web-app is deployed, Resin continues
# to route active session requests to the previous web-app version while
# new sessions go to the new version, so users will not be aware of the
# application upgrade.
# webapp_multiversion_routing : true

# Set the email address to receive weekly and restart PDF reports
# email : admin@example.com

# Set a global password to prevent foreign Resin instances from connecting.
# Must be identical between web, app, and cache clusters.
cluster_system_key : changeme

# Enable remote admin (for remote CLI and for EC2 ext: triad discovery)
remote_admin_enable : true

# Enable /resin-admin web administration console
web_admin_enable : true

# Permit access to /resin-admin from non-local network ip-addresses
web_admin_external : true

# Require HTTPS to access /resin-admin
web_admin_ssl : true

# Enable Resin REST Admin
rest_admin_enable : true

# Require SSL for REST Admin
rest_admin_ssl : true

# Access to /resin-admin and remote CLI is password restricted.
# Use "resinctl generate-password" and copy/paste here to set the admin
# admin_user : admin
# admin_password : {SSHA}xxxxxxxx
admin_user : admin
admin_password : {SSHA}ypqpON4IGSWY6XZ6NtU9uadsfasdfasdfasdfasdf

# Enable reading EC2 user data as resin properties
# properties_import_url : http://169.254.169.254/latest/user-data


Resin will create a self-signed certificate, so go ahead and load the admin console. Note that OpenSSL support requires a Resin license.

You should be able to load the admin console over SSL.
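The resin.properties file above leaves several placeholders in place (cluster_system_key still "changeme", an admin_password that may be unset, /resin-admin reachable from other hosts). The following script is an added example, not part of the Resin wiki page or of the Resin distribution: it parses a resin.properties file in the "key : value" layout shown above and reports the settings whose own comments mark them as security sensitive. The file names, the lint rules and the sample contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Resin wiki page or the Resin distribution.
# Lints a resin.properties file ("key : value" layout, '#' comments) for the
# placeholders the file's comments call out. Sample contents are constructed.

# Print "key=value" for every active property; the first ':' separates key
# from value so values such as 127.0.0.1:6800 survive intact.
resin_props() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
  awk '{
    i = index($0, ":"); if (i == 0) next
    k = substr($0, 1, i - 1); v = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
    print k "=" v
  }'
}

# Value of one property, or the empty string when it is not set.
resin_prop() {
  resin_props "$1" | awk -v k="$2" '
    index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# One line per weak setting; returns non-zero when anything was found.
resin_lint() {
  f=$1; n=0
  key=$(resin_prop "$f" cluster_system_key)
  if [ -z "$key" ] || [ "$key" = "changeme" ]; then
    echo "cluster_system_key unset or 'changeme': foreign Resin instances that know the default can connect"
    n=$((n + 1))
  fi
  case "$(resin_prop "$f" admin_password)" in
    ""|"{SSHA}xxxxxxxx")
      echo "admin_password not set: generate one with 'resinctl generate-password'"
      n=$((n + 1)) ;;
  esac
  if [ "$(resin_prop "$f" web_admin_external)" = "true" ] &&
     [ "$(resin_prop "$f" web_admin_ssl)" != "true" ]; then
    echo "web_admin_external without web_admin_ssl: /resin-admin reachable from other hosts over plain HTTP"
    n=$((n + 1))
  fi
  if [ "$(resin_prop "$f" rest_admin_enable)" = "true" ] &&
     [ "$(resin_prop "$f" rest_admin_ssl)" != "true" ]; then
    echo "rest_admin_enable without rest_admin_ssl: REST admin served over plain HTTP"
    n=$((n + 1))
  fi
  if [ "$(resin_prop "$f" openssl_password)" = "changeme" ]; then
    echo "openssl_password still 'changeme'"
    n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample: the placeholders from the file above left in place.
write_weak_sample() {
  cat > "$1" <<'EOF'
# resin.properties - constructed sample
app.http          : 8080
app_servers       : 127.0.0.1:6800
cluster_system_key : changeme
web_admin_enable : true
web_admin_external : true
# web_admin_ssl : true
rest_admin_enable : true
rest_admin_ssl : true
admin_user : admin
admin_password : {SSHA}xxxxxxxx
EOF
}
```

Source the file and run `resin_lint /etc/resin/resin.properties`; the exit status is non-zero whenever a finding is printed, so it can sit in a deployment check.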


Next, create an openssl.cnf file at /etc/resin/keys/openssl.cnf:

[ req ]
 default_bits            = 1024
 distinguished_name      = Caucho

[ Caucho ]
 C                      = US
 C_default              = US
 ST                     = CA
 ST_default             = CA
 L                      = San Francisco
 L_default              = San Francisco
 O                      = Caucho Tech
 O_default              = Caucho Tech
 OU                     = QA Documentation
 OU_default             = QA Documentation
 CN                     = www.caucho.com
 CN_default             = www.caucho.com
 emailAddress           = info@caucho.com
 emailAddress_default   = info@caucho.com

The above file is not needed per se, but it will save you a lot of typing later on.

Next, create your private key file:

$ cd /etc/resin/keys
$ pwd
/etc/resin/keys
$ sudo openssl genrsa -des3 -out myprivate.key 1024

The above generates an RSA key, which can be used both for encryption and for signing.

You will be prompted for a protecting pass phrase.

(Note that 2048 bits or more is recommended for RSA keys; shorter keys are considered less secure.)


RSA is a public-key cryptography algorithm whose security rests on the difficulty of factoring large integers. The acronym stands for the surnames of its three creators. An RSA key pair is built from two large prime numbers; their product, together with another value (the public exponent), is published as the public key.


Output:

Generating RSA private key, 1024 bit long modulus
...++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/resin/myprivate.key:
Verifying - Enter pass phrase for /etc/resin/myprivate.key:

Enter the pass phrase twice. Remember it; you will need it later.

At this stage, just create a self-signed certificate to check that OpenSSL is installed and working correctly:

$ sudo openssl req -config openssl.cnf -new -key myprivate.key -x509 -out my-self-signed-certificate.crt

Certificates are used in public-key cryptography and carry the public key. A public key is easily derived from its private key, which is why we created the private key first. The certificate file bundles the organization's information with the public key, signed here by that same key (hence "self-signed").
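The key and certificate steps above, scripted non-interactively, as an added example that is not part of the Resin wiki page. It differs from the commands above in using 2048 bits and AES-256 rather than 1024 bits and -des3, it adds a subjectAltName (modern clients match the hostname against the SAN rather than the CN), and it then checks that the certificate's public key really was derived from the private key, which is the relationship the paragraph above describes. The directory, hostname and passphrase are supplied by the caller, and the openssl.cnf text is constructed here; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Resin wiki page. Scripts the key and
# certificate steps above with 2048-bit RSA, AES-256 key encryption and a
# subjectAltName, then checks that certificate and key belong together.
# Directory, hostname and passphrase come from the caller; the config text
# written below is constructed for this example.

# Write a prompt-free openssl.cnf and produce myprivate.key plus
# my-self-signed-certificate.crt in $1 for host $2 with passphrase $3.
make_selfsigned() {
  dir=$1; host=$2; pass=$3
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_self

[ dn ]
C            = US
ST           = CA
L            = San Francisco
O            = Caucho Tech
OU           = QA Documentation
CN           = $host
emailAddress = info@caucho.com

[ v3_self ]
# modern clients match the hostname against the SAN, not the CN
subjectAltName = DNS:$host
EOF
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/myprivate.key" 2048 2>/dev/null &&
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 365 \
    -key "$dir/myprivate.key" -passin "pass:$pass" \
    -out "$dir/my-self-signed-certificate.crt" 2>/dev/null
}

# True when the certificate's public key was derived from this private key
# (same RSA modulus), i.e. the pair handed to Resin actually matches.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1/myprivate.key" -passin "pass:$2" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$1/my-self-signed-certificate.crt" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Without a trust anchor a self-signed certificate fails verification (the
# "num=18" seen in s_client); passing the file itself as -CAfile is how a
# client pins it, and that must succeed.
verify_unpinned_fails() {
  ! openssl verify "$1/my-self-signed-certificate.crt" >/dev/null 2>&1
}
verify_pinned() {
  openssl verify -CAfile "$1/my-self-signed-certificate.crt" \
    "$1/my-self-signed-certificate.crt" >/dev/null 2>&1
}

# Size of the public key in the certificate, and presence of the SAN entry.
cert_key_bits() {
  openssl x509 -noout -text -in "$1/my-self-signed-certificate.crt" |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
cert_has_san() {
  openssl x509 -noout -text -in "$1/my-self-signed-certificate.crt" | grep -q "DNS:$2"
}
```

Source the file and run `make_selfsigned /etc/resin/keys www.example.com 'your passphrase'`, then point openssl_file, openssl_key and openssl_password in resin.properties at the results; `key_matches_cert` is the check to run whenever a certificate is replaced, since a mismatched pair is the usual cause of an https listener that fails to start.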

To check that SSL is working, see whether you can load /resin-admin over HTTPS.

Then look in the Resin log (/var/log/resin/jvm*.log) for the following:

Resin Professional 4.0.32 (built Mon, 01 Oct 2012 02:34:38 PDT)
Copyright(c) 1998-2012 Caucho Technology.  All rights reserved.

[13-01-17 21:35:23.624] {main}   1013792.license -- 1 Resin server Caucho
                       
  1013792.license -- 1 Resin server Caucho

Starting Resin Professional on Thu, 17 Jan 2013 21:35:21 +0000 (UTC)

...
...
[13-01-17 21:35:27.616] {main} http listening to *:8080
OpenSSL support compiled for OpenSSL 0.9.8o 01 Jun 2010
[13-01-17 21:35:27.710] {main} https listening to *:8443

If you see the "OpenSSL support compiled" line and the https listener, all should be well.

Testing your setup if something goes wrong

If for some reason OpenSSL is not working, then you can use the tools that ship with OpenSSL to verify your setup. Open up two terminals.


$ cd /etc/resin/keys
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert my-self-signed-certificate.crt

The above starts a TLS test server on port 9999 using the key and certificate you just generated.

See http://www.openssl.org/docs/apps/s_server.html for more details.

Now, in a separate terminal window, connect to this test server:

$ openssl s_client -connect localhost:9999
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
   i:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsTCCAhoCCQCbeymZWYc9lzANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC
VVABCDEFGNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYDVQQK
EwtDYXVjaG8gVGVjaDEZMBcGA1UECxMQUUEgRG9jdW1lbnRhdGlvbjEXMBUGA1UE
AxMOd3d3LmNhdWNoby5jb20xHjAcBgkqhkiG9w0BCQEWD2luZm9AY2F1Y2hvLmNv
bTAeFw0xMzAxMTcyMDU2MjhaFw0xMzAyMTYyMDU2MjhaMIGcMQswCQYDVQQGEwJV
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
issuer=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
No client certificate CA names sent
---
SSL handshake has read 1246 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 07C6B7627821D29E814F069D2C7Casdfasdfasdfasdfasdfasdfasdfasdf
    Session-ID-ctx: 
    Master-Key: C38B943A0E5570A2662695ABCDEFlkjalkj;lkjl;kjasdlfkjasdlkfjasl;kdfjalksdjf
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 24 62 44 f1 c0 bc 95-8f e7 04 FF 73 c1 5c de   q$bD...00...s.\.
    0010 - 13 54 e8 f3 20 1d 2b 82-e8 83 05 62 4d 46 f9 3c   .T.. .+....bMF.<
    0020 - d5 27 e5 7a c6 6b 11 6b-81 95 3b 81 1e 8a f2 8c   .'.z.k.k..;.....
    0030 - e6 14 e6 6d 0c 9d e8 fc-e6 90 b1 f7 79 5d 60 32   ...m........y]`2
    0040 - db 2b 3f d3 fa 7d b9 04-9f 65 95 d8 bb 10 d3 ca   .+?..}...e......
    0050 - 47 79 cf 0c 65 67 e5 5f-90 4e a5 43 c7 b0 31 bb   Gy..eg._.N.C..1.
    0060 - f3 9b a4 c4 72 9c 24 18-5b 7a 90 63 4f 25 35 2c   ....r.$.[z.cO%5,
   ...
    Compression: 1 (zlib compression)
    Start Time: 1358459991
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

See http://www.openssl.org/docs/apps/s_client.html for more details.
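The s_client transcript above contains a handful of lines worth reading: the verify return code (18 means the certificate is self-signed, which is expected here but not in production), the key size, the negotiated protocol and whether TLS compression was enabled. The following checker is an added example, not part of the Resin wiki page or of OpenSSL: it reduces s_client output to those fields and prints a finding for each one that needs attention. The sample transcript embedded in it is constructed from the output shown above, and `probe` is the wrapper for checking a live listener such as the Resin https port.

```shell
#!/bin/sh
# Added example, not from the Resin wiki page. Summarises s_client output
# into the fields worth reading and flags the ones that need attention.
# SAMPLE_SCLIENT is constructed from the transcript shown on the page.

# Reduce s_client output on stdin to key=value lines.
tls_summary() {
  awk '
    /^ *Protocol *:/          { proto  = $3 }
    /^ *Cipher *:/            { cipher = $3 }
    /^Server public key is/   { bits   = $5 }
    /^Compression:/           { comp   = $2 }
    /^ *Verify return code:/  { code   = $4 }
    END {
      printf "protocol=%s\ncipher=%s\nkey_bits=%s\ncompression=%s\nverify_code=%s\n",
             proto, cipher, bits, comp, code
    }'
}

# Turn the summary into findings, one per line; silent when nothing is wrong.
tls_findings() {
  tls_summary | while IFS='=' read -r k v; do
    case "$k=$v" in
      verify_code=0)  ;;
      verify_code=)   echo "no verify result in output: the handshake probably failed" ;;
      verify_code=18) echo "self-signed certificate (verify code 18): fine for development, pin it with -CAfile or install a CA-signed certificate" ;;
      verify_code=*)  echo "certificate verification failed (code $v)" ;;
      key_bits=*)     if [ -n "$v" ] && [ "$v" -lt 2048 ]; then echo "RSA key is only $v bits; use 2048 or more"; fi ;;
      compression=zlib) echo "TLS compression negotiated; disable it on the server" ;;
      protocol=SSLv3|protocol=TLSv1|protocol=TLSv1.1) echo "negotiated $v; prefer TLSv1.2 or later" ;;
    esac
  done
}

# Live check of host:port, optionally pinning a certificate file as -CAfile
# (with the pin in place a self-signed server should report verify code 0).
probe() {
  if [ -n "$2" ]; then
    openssl s_client -connect "$1" -CAfile "$2" </dev/null 2>/dev/null | tls_findings
  else
    openssl s_client -connect "$1" </dev/null 2>/dev/null | tls_findings
  fi
}

# Constructed sample: the relevant lines of the transcript above.
SAMPLE_SCLIENT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Compression: 1 (zlib compression)
    Verify return code: 18 (self signed certificate)'

# Number of findings for the sample: self-signed, 1024-bit key, zlib, TLSv1.1.
sample_finding_count() {
  printf '%s\n' "$SAMPLE_SCLIENT" | tls_findings | grep -c .
}
```

Run `probe localhost:8443 /etc/resin/keys/my-self-signed-certificate.crt` against the Resin listener from the log above; with the certificate pinned, the only findings left on the setup described on this page would be the 1024-bit key and zlib compression.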
