Index: openacs-4/packages/acs-core-docs/www/install-ssl.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-ssl.html,v diff -u -r1.6 -r1.7 --- openacs-4/packages/acs-core-docs/www/install-ssl.html 22 Jun 2004 12:53:54 -0000 1.6 +++ openacs-4/packages/acs-core-docs/www/install-ssl.html 16 Feb 2005 00:21:03 -0000 1.7 @@ -1,9 +1,11 @@ -Installing SSL Support for an OpenACS service

Installing SSL Support for an OpenACS service

Debian Users: apt-get install openssl before proceeding.

  1. Make sure nsopenssl.so is installed for AOLserver.

  2. Uncomment this line from config.tcl.

    #ns_param   nsopenssl       ${bindir}/nsopenssl.so
    +Installing SSL Support for an OpenACS service

    Installing SSL Support for an OpenACS service

    Debian Users: apt-get install openssl before proceeding.

    1. Make sure nsopenssl.so is installed for AOLserver.

    2. Uncomment this line from config.tcl.

      #ns_param   nsopenssl       ${bindir}/nsopenssl.so
       
    3. Prepare a certificate directory for the service.

      [$OPENACS_SERVICE_NAME etc]$ mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
       [$OPENACS_SERVICE_NAME etc]$ chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
       [$OPENACS_SERVICE_NAME etc]$ 
       mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
      -chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
    4. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

      Use an OpenSSL perl script to generate a certificate and key.

      [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
      +chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
    5. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

      Use an OpenSSL perl script to generate a certificate and key.

      + Debian users: use /usr/lib/ssl/misc/CA.pl instead of /usr/share/ssl/CA +

      [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
       [$OPENACS_SERVICE_NAME certs]$ perl /usr/share/ssl/misc/CA -newcert
       Using configuration from /usr/share/ssl/openssl.cnf
       Generating a 1024 bit RSA private key
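Review bot: the added Debian note (`+ Debian users: use /usr/lib/ssl/misc/CA.pl instead of /usr/share/ssl/CA +`) names a path, /usr/share/ssl/CA, that does not match the command the same step shows, `perl /usr/share/ssl/misc/CA -newcert`, so a Debian reader cannot tell which token to substitute; make the note use the path that actually appears in the example (/usr/share/ssl/misc/CA), or show the complete Debian command beside the original one. The stray `+` characters that open and close the note look like wrapped-line debris rather than intended text; put the note on its own line so it does not run into the command listing that follows it.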
      @@ -22,4 +24,8 @@
       S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T
       (11 lines omitted)
       1MU24SHLgdTfDJprEdxZOnxajnbxL420xNVc5RRXlJA8Xxhx/HBKTw==
      ------END RSA PRIVATE KEY-----
    View comments on this page at openacs.org
    +-----END RSA PRIVATE KEY-----
  3. + If you start up using the etc/daemontools/run script, you will + need to edit this script to make sure the ports are bound for + SSL. Details of this are in the run script. +
View comments on this page at openacs.org
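Review bot: the new paragraph (`+ If you start up using the etc/daemontools/run script, you will + need to edit this script to make sure the ports are bound for + SSL. Details of this are in the run script. +`) defers the whole instruction to the script without saying which setting to change; quote the relevant lines of the run script or name the port parameter, so a reader can check that the SSL port is actually bound before relying on the service. The paragraph is also appended after the key dump as a bare "3." instead of as the next numbered step, which breaks the step sequence. Separately, this hunk keeps a pasted RSA private key body in the documentation (`S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T` through `-----END RSA PRIVATE KEY-----`); replace the key material with an elided placeholder, since private key material has no place in a doc page and the lines teach the reader nothing.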