Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4

From Resin 4.0 Wiki

Revision as of 00:00, 17 January 2013 by Rick (Talk | contribs)
Jump to: navigation, search

For this exercise, I am using Amazon EC2 to startup a clean Ubuntu 12.0.4 instance.

I started up a 64 bit large instance.

I am following the instructions here for setup:

 $ sudo add-apt-repository http://caucho.com/download/debian


Then update the repo cache

$ sudo apt-get update


This is now broken with Ubuntu 12.0.4. We will get it working again.

instead do this

$ wget http://www.caucho.com/download/debian/dists/unstable/multiverse/binary-amd64/resin-pro_4.0.32-amd64.deb

Install Java 7 SDK (or Java 6 SDK) and OpenSSL as follows:

$ sudo apt-get -f install
$ sudo apt-get install openjdk-7-jdk
$ sudo apt-get install libssl-dev


Turn stuff on.

# resin.properties - configuration variable values
# 
# See resin.xml, cluster-default.xml, and health.xml for full configuration.
# Any variable defined by ${...} can be set as a property in this file.
# 
# Individual server overrides can be specified by prepending the server.id.
# For example, increasing the log level for an individual server:
#
log_level : finest
# app-0.log_level : finest
#
# Like Resin XML configuration, modification of this file will trigger
# a restart.
#

# General log level (modify resin.xml for more granular log level adjustments)
# log_level     : finer

# Enable verbose browser error reporting
dev_mode      : true

# How often Resin should check for updated files.
# dependency_check_interval : 5m

# Enable /resin-doc Resin documentation
resin_doc     : true

# List Triad server ip-addresses:hmux-port for each tier, space separated
# App tier Triad servers must be listed to enable web-tier to 
# app-tier load-balancing

# web-tier Triad servers: web-0 web-1 web-2
# web_servers      : 127.0.0.1:6810

# app-tier Triad servers: app-0 app-1 app-2
app_servers      : 127.0.0.1:6800

# Configures Resin for a memcached server tier
# memcached-tier Triad servers: memcached-0 memcached-1 memcached-2
# memcached_servers    : 127.0.0.1:6820
# memcached_port : 11211

# Allow elastic nodes to join the cluster (enable for cloud mode)
# elastic_cloud_enable : true

# The cluster that elastic nodes should join - each will contact a Triad server
# Use a separate resin.properties file for each cluster
home_cluster : app

# Used for an elastic server to join the cluster in home_cluster
# elastic_server : true

# Create a distinct webapps/ directory for each server, for vertical scaling
# elastic_webapp : true

# Used for cloud servers with dynamic IP addresses where the DNS name for the
# server is assigned after the server starts. Resin will retry the start.
# elastic_dns : true

# specifies the --server in the config file
# home_server : app-0

# Set HTTP and HTTPS bind address
# http_address  : *

# Set HTTP and HTTPS ports.
# Use overrides for individual server control, for example: app-0.http : 8081
app.http          : 8080
app.https         : 8443

web.http          : 8080
web.https         : 8443

# memcached.http      : 8080
# memcached.https     : 8443

# For security, Resin can switch to a non-root user after binding to port 80
setuid_user : resin
setuid_group : resin

# Arg passed directly to the JVM
# jvm_args  : -Xmx2048m -XX:MaxPermSize=256m

# Local URLs for the watchdog to check to ensure the server is up,
# space separated
# http_ping_urls : http://127.0.0.1/test.jsp

# Throttle the number of active threads for a port
port_thread_max   : 256
accept_thread_max : 32
accept_thread_min : 4

# Enable JNI TCP speed optimizations
tcp_cork : true
sendfile : true

# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
# openssl_file : keys/test.crt
# openssl_key : keys/test.key
# openssl_password : changeme

# JSSE certificate configuration
# Keys are typically stored in the resin configuration directory.
# jsse_keystore_type : jks
# jsse_keystore_file : /etc/resin/keys/server.keystore
# jsse_keystore_password : changeme

# In absence of a signed certificate, Resin will fallback to using a 
# self-signed development certificate if HTTPS is enabled

# Enable the proxy-cache - for caching static content in memory
proxy_cache_enable : true

# Sets the proxy cache memory size
proxy_cache_size : 256m

# Enable clustered persistent sessions (for failover)
session_store : true

# Web-apps named with numeric suffixes, e.g. foo-10.0.war and can be browsed
# as /foo. When a new version of the web-app is deployed, Resin continues
# to route active session requests to the previous web-app version while
# new sessions go to the new version, so users will not be aware of the
# application upgrade.
# webapp_multiversion_routing : true

# Set the email address to receive weekly and restart PDF reports
# email : admin@example.com

# Set a global password to prevent foreign Resin instances from connecting.
# Must be identical between web, app, and cache clusters.
cluster_system_key : changeme

# Enable remote admin (for remote CLI and for EC2 ext: triad discovery)
remote_admin_enable : true

# Enable /resin-admin web administration console
web_admin_enable : true

# Permit access to /resin-admin from non-local network ip-addresses
web_admin_external : true

# Require HTTPS to access /resin-admin
web_admin_ssl : true

# Enable Resin REST Admin
rest_admin_enable : true

# Require SSL for REST Admin
rest_admin_ssl : true

# Access to /resin-admin and remote CLI is password restricted.
# Use "resinctl generate-password" and copy/paste here to set the admin
# admin_user : admin
# admin_password : {SSHA}xxxxxxxx
admin_user : admin
admin_password : {SSHA}ypqpON4IGSWY6XZ6NtU9uadsfasdfasdfasdfasdf

# Enable reading EC2 user data as resin properties
# properties_import_url : http://169.254.169.254/latest/user-data


Resin will create a self signed certificate so go ahead and load the admin. In order to get OpenSSL to work you need a Resin license.

You should be able to load the admin and such using SSL.


Next let's create a openssl.cnf file in /etc/resin/keys/openssl.cnf

/etc/resin/keys/openssl.cnf

[ req ]
 default_bits            = 1024
 distinguished_name      = Caucho

[ Caucho ]
 C                      = US
 C_default              = US
 ST                     = CA
 ST_default             = CA
 L                      = San Francisco
 L_default              = San Francisco
 O                      = Caucho Tech
 O_default              = Caucho Tech
 OU                     = QA Documentation
 OU_default             = QA Documentation
 CN                     = www.caucho.com
 CN_default             = www.caucho.com
 emailAddress           = info@caucho.com
 emailAddress_default   = info@caucho.com

The above file is not needed per se, but it will save you a lot of typing later on.

Next create your private key file.

$ cd /etc/resin/keys
$ pwd
/etc/resin/keys
$ sudo openssl genrsa -des3 -out myprivate.key 1024

The above generates an RSA key which can be used both for encryption and for signing.

You will be prompted for a protecting pass phrase.

(Note that 2048 or higher is recommended for RSA keys, as fewer amount of bits is consider less secure.)


RSA is an algorithm for public-key cryptography that is based on the difficulty of factoring large integers. RSA acronym is for the names of the three creators. RSA creates and then publishes the product of two large prime numbers, along with an another value, as the public key.


Output

Generating RSA private key, 1024 bit long modulus
...++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/resin/myprivate.key:
Verifying - Enter pass phrase for /etc/resin/myprivate.key:

Enter in a password twice. Remember this password, you will need it later.

At this stage, just create a self-signed certificate to see if openssl is working and installed correctly.

$ sudo openssl req -config openssl.cnf -new -key myprivate.key -x509 -out my-self-signed-certificate.crt

Certificates are for public key cryptography and contain the public key. Public keys are easily derived from private keys, and this is why we created the private key first. The certificate is a file that has the organizations information and the public key.

To know if SSL is working, you want to check to see if you can load resin-admin.

Then look in the resin log (/var/log/resin/jvm*.log), and look for the following:

Resin Professional 4.0.32 (built Mon, 01 Oct 2012 02:34:38 PDT)
Copyright(c) 1998-2012 Caucho Technology.  All rights reserved.

[13-01-17 21:35:23.624] {main}   1013792.license -- 1 Resin server Caucho
                       
  1013792.license -- 1 Resin server Caucho

Starting Resin Professional on Thu, 17 Jan 2013 21:35:21 +0000 (UTC)

...
...
[13-01-17 21:35:27.616] {main} http listening to *:8080
OpenSSL support compiled for OpenSSL 0.9.8o 01 Jun 2010
[13-01-17 21:35:27.710] {main} https listening to *:8443

If you see those two things then all should be well.

Personal tools
TOOLBOX
LANGUAGES