Monday, April 29, 2013

Have you ever tried installing Apache 2.4.4 in Linux?

Hello Guys,

I was away from blogging for some time, but recently I had to revisit the pages on self-signed certs in WebLogic Server at a friend's request, and I am hoping to get the blogging back on track from now.

Today I tried to install Apache Web Server in a Linux environment. It may sound like a silly thing, but there are a few things you need to know as you get ready to work on Apache Web Server administration.

I found that you may face a few difficulties while installing Apache Web Server in a Linux environment. The common ones are: the steps to install, the supporting libraries, and any utilities required for the install to succeed.

Well.. Steps.!!

Step 1. Download the Apache WebServer

Click the link here or visit the site http://httpd.apache.org/ to download the binaries for different operating systems.

Step 2. Save it in a safe location and Unzip and Untar it.

Move it to your required location, then unzip and untar it, since you have a tar.gz file.

#mv httpd-2.4.4.tar.gz /labs 
#cd /labs
#gunzip httpd-2.4.4.tar.gz
#tar -xvf httpd-2.4.4.tar

You will see a huge number of lines listing the extracted files in the directory called httpd-2.4.4; with this you have extracted the tar'ed files into the httpd-2.4.4 directory.
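Because the archive is unpacked and built as root, it is worth checking it against the checksum published with the release and confirming that every member stays under httpd-2.4.4/ before running tar. The following is an added example, not part of the original post; the function names are hypothetical, the expected digest is whatever the download site publishes, and the archive here is a constructed stand-in.

```python
import hashlib
import io
import tarfile

def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

def audit_tarball(data, expected_sha256, top_dir):
    """Return a list of problems; an empty list means the archive may be unpacked."""
    if sha256_of(data) != expected_sha256.strip().lower():
        return ["sha256 mismatch"]  # do not parse an archive that fails the digest
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                problems.append("escapes target directory: " + member.name)
            elif parts[0] != top_dir:
                problems.append("outside " + top_dir + "/: " + member.name)
            # Conservative: any link that is absolute or climbs with ".." is flagged.
            if member.issym() or member.islnk():
                link = member.linkname
                if link.startswith("/") or ".." in link.split("/"):
                    problems.append("link points outside: " + member.name)
            if member.mode & 0o6000:
                problems.append("setuid/setgid bit set: " + member.name)
    return problems

def build_sample(names):
    """Constructed stand-in for httpd-2.4.4.tar.gz so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample(["httpd-2.4.4/configure", "httpd-2.4.4/README"])
    print(audit_tarball(good, sha256_of(good), "httpd-2.4.4"))
    bad = build_sample(["httpd-2.4.4/configure", "../outside.txt"])
    print(audit_tarball(bad, sha256_of(bad), "httpd-2.4.4"))
```

For a real download, pass the bytes read from httpd-2.4.4.tar.gz and the published digest string.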

Step 3. Install it

#cd httpd-2.4.4
#./configure --prefix=/labs/apache2.4.4
#make
#make install

Well, this looks simple but is not..!!

The steps for installing are very simple: you just need to follow the 3 commands above and you are done. However, you might need the APR, APR-UTIL and PCRE libraries to be installed before Apache Web Server; failing which you will see the error messages below.

While running the first command above (./configure), you will see one of the error messages below for each of these 3 modules.

I am setting the prefix to the install path for the Apache web server.

If you do not have APR (Apache Portable Runtime) installed prior to Apache Install, you will see : 

checking for APR … no 
configure error APR not found. please read the documentation 

This can be fixed by installing APR: go to http://apr.apache.org/, download the latest tar file, gunzip and untar it, and then install it as below.

NOTE : APR is installed the same way as the HTTPD Server (Apache Web Server).

# cd apr-1.4.6
# ./configure  (you can add --prefix to supply the install path; it will install in /usr/local/ if not specified)
#make
#make install

Now try running the Apache configure again and see the difference; this time you need to pass one more argument to the ./configure command, as below.

./configure --prefix=/usr/local/apache2 --with-apr=/usr/local/apr

This doesn't show the error which occurred before, but it turns into a new error as below.

checking for apr-util … no 
configure error apr-util not found. please read the documentation

For this you need to follow the same steps you used for APR: visit the same site and download the apr-util file.

This time, while installing apr-util, you need to run the commands below after extracting the file.

#cd apr-util-1.5.2
#./configure --prefix=/usr/local/apr-util/  --with-apr=/usr/local/apr/
#make
#make install

This will create one more directory under /usr/local, called apr-util.

Now try to run the Apache install, but with a brand new command.

#./configure --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util

This command will bypass both of the above errors, but we are not done yet..!! You will see the error below while trying to execute the above command.

configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/

We need one more library called PCRE (Perl Compatible Regular Expressions), which is used by our httpd server. Download it from http://pcre.org/, move it to your Linux/Unix filesystem, and gunzip and untar it.

You can go ahead and install this library without any dependency on APR or apr-util, using the commands below.

#./configure --prefix=/usr/local/pcre
#make
#make install

Once you are done, it is finally the turn of Apache Server, with the commands below.

#cd httpd-2.4.4
#./configure --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre
#make
#make install
:
 /usr/local/apr/build-1/libtool --silent --mode=install install mod_env.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_expires.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_headers.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_unique_id.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_setenvif.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_version.la /usr/local/apache2/modules/
/usr/local/apr/build-1/libtool --silent --mode=install install mod_remoteip.la /usr/local/apache2/modules/


:
 

Installing configuration files
mkdir /usr/local/apache2/conf
mkdir /usr/local/apache2/conf/extra
mkdir /usr/local/apache2/conf/original
mkdir /usr/local/apache2/conf/original/extra
Installing HTML documents
mkdir /usr/local/apache2/htdocs
Installing error documents
mkdir /usr/local/apache2/error
Installing icons
mkdir /usr/local/apache2/icons
mkdir /usr/local/apache2/logs
Installing CGIs
mkdir /usr/local/apache2/cgi-bin
Installing header files
mkdir /usr/local/apache2/include
Installing build system files
mkdir /usr/local/apache2/build
Installing man pages and online manual
mkdir /usr/local/apache2/man
mkdir /usr/local/apache2/man/man1
mkdir /usr/local/apache2/man/man8
mkdir /usr/local/apache2/manual
make[1]: Leaving directory `/labs/httpd-2.4.4'


Done with the installation. Now you can verify whether your httpd server is working fine or not.

#cd /usr/local/apache2/bin
#./apachectl status
#./apachectl start

You can verify the running httpd processes by using ps -ef | grep httpd; you will see around 3-4 processes in the console.

Access the URL http://localhost/ and you will see the text "It works!" in the browser.

Well, I hope this post helps you a bit in getting on track with the Apache Web Server install on the Linux operating system.

Thank you..

Regards
Shailesh Dyade.

Wednesday, April 17, 2013

Setting Up Two Way SSL for WebLogic Server - Self Signed Certificates

Hello There, 

In this blog post we will see step-by-step instructions to set up 2-Way SSL in WebLogic. We have already seen the 1-Way SSL setup here. By the way, what are One Way SSL and Two Way SSL?

One Way SSL
-----------------

Here the server needs to present its certificate to the client. Certificates from clients are not verified as part of the authentication process, but the client needs to know whether it has reached the valid server, which it does by verifying the server's certificate.

Example : A simple bank's web site. Whenever we hit a netbanking site, it presents its certificate to the browser to trust.



Two Way SSL
------------------
Here the client needs to authenticate to server resources by providing its certificate; how strictly the client's certificate is verified depends on the server's requirements. The client verifies the server's certificate and the server verifies the client's certificate.

Example : A web server connecting to WebLogic Server, with both exchanging certificates to establish their communication.

The following figure shows how the client and server go through the initial communication when they are set up for 2 Way SSL.


As the above picture is self-explanatory, I do not see space to explain the whole process, so we will proceed to the practicals directly.

Step 1. Create the Identity and Trust Key Store for the WebLogic Server.

The Identity Keystore is required to define the identity of the WebLogic Server, so that clients can use it to trust the server.

The Trust Keystore is required to store the root certificates of the clients, so that the server can trust or identify the incoming requests from the clients.

Create A Server Identity Keystore with your Public Key and Private Key

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -keystore server_identity.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ShaileshDyade
What is the name of your organizational unit?
  [Unknown]:  Personal
What is the name of your organization?
  [Unknown]:  Technology
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  yes

Enter key password for <server_cert>
        (RETURN if same as keystore password):
Re-enter new password:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>


Note : Here I have used different passwords for the keystore and the key.

I am done with creating the server identity keystore file (the .JKS extension stands for Java Key Store). Multiple keystore formats are available for use with WebLogic Server.

Generate Certificate Signing Request

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -certreq -v -alias server_cert -file csr_for_mysite.csr -keystore server_identity.jks
Enter keystore password:
Enter key password for <server_cert>
Certification request stored in file <csr_for_mysite.pem>
Submit this to your CA


Open your CSR file and go to this link to get it signed by an authorized CA (Certificate Authority).



Here I am using GeoTrust as my CA for Signing my Certificate Request

Go to the link and provide the necessary details.

  1. Click on Order Now for the Free Rapid SSL Certificates
  2. Provide the necessary details on the next page; for server type select WebLogic - All Versions
  3. On the next page, provide your contact information in case you would like GeoTrust to contact you for any further business, but remember to fill in the mandatory fields, without which it will not understand you.
  4. On the next page, select I Already have my own CSR
  5. Paste the contents of your CSR file into the text box shown on that page (DO NOT COPY AND PASTE ABOVE CERT REQUEST)  - CONTINUE...
  6. On the next page you will be able to see the summary of your certificate - just verify it
  7. Common Name: www.shaileshdyade.com
    Organization : Technology
    Organizational Unit : Personal
    Locality : Bangalore
    State : Karnataka
    Country : IN

  8.  Continue.
  9.  Well, this is embarrassing: it went on to check my domain and wants to get the approval of my site's administrator - admin@shaileshdyade.com
  10.  Well, you need to click a couple of Continues, then you will arrive at the Complete Order Summary
  11. At the end you will get a message like :

    Your Free Trial SSL Certificate Has Been Processed

Once you approve it, you will get a mail at the email id you specified during the certificate request; then you can follow the process of installing the certificate given in this link.

But we are here to explain the process of installing a certificate and setting up Two Way SSL with self-signed certificates.

Note : Here I have used a slightly modified keystore, in which the Common Name is ShaileshDyade, whereas in the old file it was www.shaileshdyade.com; please notice this in the commands below.

Create Self Signed Certificate

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -export -alias server_cert -file MyRoot.cer -keystore server_identity.jks -storepass keystorepass
Certificate stored in file <MyRoot.cer>


Create Trust Store for Trusting Incoming Connections

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -import -alias server_cert -trustcacerts -file MyRoot.cer -keystore server_trust.jks
Enter keystore password:
Re-enter new password:
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain> 


The files we have right now are : server_identity.jks, server_trust.jks and MyRoot.cer.

You can list their contents by using the following commands :

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -list -v -keystore server_identity.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Apr 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************



D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -list -v -keystore server_trust.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Apr 17, 2013
Entry type: trustedCertEntry

Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************
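The two listings above can be checked mechanically for the properties that matter before the keystores go into WebLogic: who issued the certificate, which signature algorithm it uses, how long it is valid, and whether the trust store only holds the server's own identity certificate. This is an added example, not part of the original post; the function names are hypothetical and the input is an excerpt of the keytool output shown above.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
DATE = re.compile(r"\w{3} (\w{3}) +(\d+) (\d+):(\d+):(\d+) \w+ (\d{4})")

# Excerpt of the `keytool -list -v` output in the post (same certificate in both stores).
CERT = """\
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
"""
IDENTITY = "Alias name: server_cert\nEntry type: PrivateKeyEntry\n" + CERT
TRUST = "Alias name: server_cert\nEntry type: trustedCertEntry\n" + CERT

def parse_date(text):
    # The zone name is dropped: both ends of the window are printed in the same zone.
    mon, day, hh, mm, ss, year = DATE.search(text).groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def parse_entries(listing):
    """Split `keytool -list -v` output into one dict of fields per alias."""
    entries = []
    for line in listing.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Alias name":
            entries.append({})
        if entries:
            entries[-1][key] = value.strip()
    return entries

def audit(entry):
    findings = []
    if entry["Owner"] == entry["Issuer"]:
        findings.append("self-signed")
    algorithm = entry["Signature algorithm name"]
    if algorithm.upper().startswith(("SHA1", "MD5")):
        findings.append("weak signature: " + algorithm)
    start, end = (parse_date(p) for p in entry["Valid from"].split(" until: "))
    findings.append("valid for %d days" % (end - start).days)
    return findings

def shared_fingerprints(identity, trust):
    """SHA1 fingerprints that appear in both the identity and the trust store."""
    return ({e["SHA1"] for e in parse_entries(identity)}
            & {e["SHA1"] for e in parse_entries(trust)})

if __name__ == "__main__":
    for e in parse_entries(IDENTITY):
        print(e["Alias name"], audit(e))
    print("also in trust store:", shared_fingerprints(IDENTITY, TRUST))
```

A fingerprint shared by both stores means the server trusts only its own certificate, so a client certificate is accepted only after its issuer is imported into server_trust.jks as well.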

 


70% of the job is done with this...

Now next step is to configure the files in WebLogic Server..

Login to WebLogic Server console.

Navigate to  Home >Summary of Servers >AdminServer>Keystores

 
In Keystores, click Change and select Custom Identity and Custom Trust, as we have both identity and trust files.

Then fill in the required values in the fields as below.




Custom Identity Keystore: D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain\server_identity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: keystorepass
Confirm Custom Identity Keystore Passphrase: keystorepass

Custom Trust Keystore: D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain\server_trust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: keystorepass (Note: I have given same password while creating both of the jks files)
Confirm Custom Trust Keystore Passphrase: keystorepass

Navigate to  Home >Summary of Servers >AdminServer>SSL


Here you need to provide the details to open and access the private key information of the server.

Private Key Alias : server_cert

Private Key Passphrase: keypass
Confirm Private Key Passphrase : keypass




On this page Click on Advanced Options.


If you would like to authenticate the client on the basis of its hostname, you can write your own verifier or use the default BEA Hostname Verifier in the Hostname Verification field. I will change it to None, as I do not have a valid hostname, for lab purposes.

In Two Way Client Cert Behavior we need to select the behavior of the Two Way SSL. Select Client Cert Requested But Not Enforced; this is for negotiation with the client. If you select the other one, Client Cert Requested and Enforced, it will not allow connections from the client if the client does not present its certificate.

And the third one, "Client Certs Not Requested", is as good as One Way SSL.

Save the changes and navigate to Home >Summary of Servers >AdminServer>General

Enable the SSL Listen Port, save it and restart the server, then access the console over the SSL port (7002 in my example).


You should be able to see a lock icon before the address in the address bar; if you click on it and then on More Information, you will be able to see the information below.


As you navigate, you will see the complete certificate information here: Issued To, validity, fingerprints, etc.

If you do not specify any time period during the certificate creation, this certificate will be valid for 30 Days.




Work on the WebLogic Server side is almost done, but this post is still not done. I need to show how 2 Way SSL works when there is a web server involved; I will configure Apache Web Server, configure a certificate on the Apache side, and show you how 2 Way works.

Thanks
Shailesh Dyade