Wednesday, June 20, 2007

Authentication using client SSL certificates

  1. Creating your own self-signed trusted (CA) certificate and a client certificate
    a. First of all you have to download the OpenSSL library (http://www.openssl.org/)
    b. Install it. (I installed on UNIX)

$ ./config
$ make
$ make test
$ make install

    c. Create the self-signed CA certificate. Note that -nodes leaves ca.key unencrypted on disk: keep that file off the web server, because anyone holding it can issue client certificates your server will trust.
 # openssl req -new -newkey rsa:1024 -nodes -keyout ca.key -x509 -days 500 \
-subj /C=RU/ST=Msk/L=Msk/O=My\ Inc/OU=Sale/CN=bla/emailAddress=usr@dom.ru \
-out ca.crt

 You can use the following commands to inspect the key and the certificate:
 # openssl rsa -noout -text -in ca.key     (key)
 # openssl x509 -noout -text -in ca.crt    (certificate)
    d. Creating the client certificate

Create the configuration file ca.config that openssl ca will use to sign client certificates

 [ ca ]
default_ca = CA_CLIENT # Section to use when signing certificates
 [ CA_CLIENT ]
dir = ./db # Directory for service files
certs = $dir/certs # Directory for certificates
new_certs_dir = $dir/newcerts # Directory for newly issued certificates
database = $dir/index.txt # Text database of issued certificates
serial = $dir/serial # File with the next serial number (hex)
certificate = ./ca.crt # Trusted CA certificate
private_key = ./ca.key # CA private key
default_days = 365 # Validity of issued certificates (days)
default_crl_days = 7 # Validity of the CRL (days)
default_md = md5 # Signature hash (MD5 was common in 2007; use sha256 today)
policy = policy_anything # Name of the section describing the subject policy

[ policy_anything ]
countryName = optional # Country - not required
stateOrProvinceName = optional # ......
localityName = optional # ......
organizationName = optional # ......
organizationalUnitName = optional # ......
commonName = supplied # Common name - required
emailAddress = optional # ......


Create the directories and files the config expects
 # mkdir db
# mkdir db/certs
# mkdir db/newcerts
# touch db/index.txt
# echo "01" > db/serial

Create client key and certificate request (CSR)

 # openssl req -new -newkey rsa:1024 -nodes -keyout client01.key \
-subj /C=RU/ST=Msk/L=Msk/O=Inc/OU=Web/CN=usr/emailAddress=usr@dm.ru \
-out client01.csr

    e. Sign the client certificate request with the trusted CA certificate
 # openssl ca -config ca.config -in client01.csr -out client01.crt -batch
    f. Package the client certificate, its private key and the CA certificate into a password-protected PKCS#12 file for transfer to the client
 # openssl pkcs12 -export -in client01.crt -inkey client01.key \
-certfile ca.crt -out client01.p12 -passout pass:q1w2e3
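
The whole of step 1 as one script, added here as an example and not part of the original post: it builds the CA, signs a client certificate and exports the PKCS#12 bundle in a throw-away directory, then performs the check that "SSLVerifyClient require" makes during the handshake (does the presented certificate chain to the trusted CA?) and extracts the CN an application would map to a user. It goes one step beyond the post by also building a second, unrelated CA and showing that a client certificate with the same CN from that CA is rejected. The subject names, the "Rogue CA" name, the function names and the use of sha256 / 2048-bit RSA instead of the post's md5 / 1024-bit values are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the PKI of steps 1.c-1.f in
# a throw-away directory and checks a client certificate the way a server with
# "SSLVerifyClient require" does. Assumptions (mine): subject names below,
# sha256 / 2048-bit RSA instead of the post's md5 / 1024-bit values.
set -e

# build_pki DIR [CA_NAME]: writes ca.key, ca.crt and client01.{key,csr,crt,p12}
build_pki() {
    work="$1"
    ca_name="${2:-Example CA}"
    mkdir -p "$work/db/certs" "$work/db/newcerts"
    : > "$work/db/index.txt"
    echo "01" > "$work/db/serial"

    # Same layout as the post's ca.config; \$dir stays literal for openssl.
    cat > "$work/ca.config" <<EOF
[ ca ]
default_ca = CA_CLIENT

[ CA_CLIENT ]
dir = $work/db
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = $work/ca.crt
private_key = $work/ca.key
default_days = 365
default_crl_days = 7
default_md = sha256
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

    # 1.c: self-signed CA certificate (-nodes leaves the key unencrypted, as in the post)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/ca.key" -x509 -days 500 \
        -subj "/C=RU/ST=Msk/L=Msk/O=$ca_name/CN=$ca_name" -out "$work/ca.crt" >/dev/null 2>&1

    # 1.d: client key and certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/client01.key" \
        -subj "/C=RU/ST=Msk/L=Msk/O=Inc/OU=Web/CN=client01" -out "$work/client01.csr" >/dev/null 2>&1

    # 1.e: sign the CSR with the CA (-notext keeps only the PEM in client01.crt)
    openssl ca -config "$work/ca.config" -in "$work/client01.csr" \
        -out "$work/client01.crt" -batch -notext >/dev/null 2>&1

    # 1.f: bundle key + certificate + CA certificate for the user (password is illustrative)
    openssl pkcs12 -export -in "$work/client01.crt" -inkey "$work/client01.key" \
        -certfile "$work/ca.crt" -out "$work/client01.p12" -passout pass:q1w2e3 >/dev/null 2>&1
}

# chains_to_ca CA_CRT CLIENT_CRT: exit 0 only if CLIENT_CRT was issued by that CA.
# This is the decision "SSLVerifyClient require" makes during the TLS handshake.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_cn CLIENT_CRT: prints the subject CN, the value an application behind
# the server would map to a user account once the handshake has succeeded.
client_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

main() {
    good=$(mktemp -d)
    rogue=$(mktemp -d)
    build_pki "$good"
    build_pki "$rogue" "Rogue CA"   # same client CN, different CA: must be rejected
    chains_to_ca "$good/ca.crt" "$good/client01.crt" && echo "client01: accepted"
    chains_to_ca "$good/ca.crt" "$rogue/client01.crt" || echo "rogue client01: rejected"
    echo "authenticated CN: $(client_cn "$good/client01.crt")"
    rm -rf "$good" "$rogue"
}

main
```

The rejection of the "Rogue CA" certificate is the whole point of the scheme: the server trusts only what is in its wallet, so an attacker cannot mint a certificate with a victim's CN from a CA of their own. Once the server is up, the same check can be exercised end to end with openssl s_client -connect host:443 -cert client01.crt -key client01.key -CAfile ca.crt; without -cert and -key the handshake must fail.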

  2. Create the Wallet
    a. Open Oracle Wallet Manager
    b. Create a new wallet (Wallet -> New)
    c. Enter a password (standard type)
    d. Create a Certificate Request (the CN, the server's domain name, is required), or use the certificate created in 1.c
    e. Export the Certificate Request to a file and sign it with the CA
    f. Import the Trusted Certificate (ca.crt)
    g. Import the signed server certificate
    h. Enable Auto Login (Wallet -> Auto Login)
    i. Save the Wallet

  3. Configure Oracle HTTP Server
    a. In ssl.conf (ORACLE_HOME\Apache\Apache\conf) enter the path to the Wallet:

SSLWallet file:c:\oracle\product\10.2.0\db_2\MyWallet

    b. In ssl.conf change port 4443 to 443 (Listen, Port, VirtualHost)
    c. In opmn.xml (ORACLE_HOME\opmn\conf) change start-mode from ssl-disabled to ssl-enabled
    d. At the end of httpd.conf (ORACLE_HOME\Apache\Apache\conf) add a rule redirecting the application to SSL. For example:

RewriteEngine On

RewriteRule ^/pls/apex/(.*)$ https://support.gtsupport.ru:443/pls/apex/$1 [L,R]

    e. Configure authentication by client certificate in the SSL virtual host of ssl.conf. With require, the server rejects every TLS handshake that does not present a certificate chaining to a CA in the wallet (optional would leave the decision to the application):

SSLVerifyClient require

    f. Restart Oracle HTTP Server

  4. Transferring the certificate to the user
    a. Transfer the file created in 1.f (client01.p12) to the user; pass the PKCS#12 password over a separate channel, since it protects the user's private key
    b. If the user uses Mozilla (Firefox), they import it via Tools -> Options -> Advanced -> Encryption -> View Certificates -> Import and choose the file.
