Friday, September 20, 2013

SSL Implementation in Liferay 6.1 clustered environment

SSL Implementation in Liferay 6.1 clustered environment

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server

Pre-requisite:
       ·         Install Apache 2.2 or latest stable version from here.
       ·         Download Liferay 6.1 CE version from here.
       ·         Install OpenSSL from here.


Configuration Steps:

Step 1: To configure SSL, your first step would be to create self-signed certificates.
        
          ·         Generate a private key
o   The openssl toolkit is used to generate RSA private key and CSR (Certified Signed Request).
o   The first step is to create your RSA private key. This key is 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text

openssl genrsa -des3 -out server.key 1024

output
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

        ·         Generate a CSR (Certified Signing Request)
o   Once private key is generated a CSR can be generated.
o   During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.

openssl req -new -key server.key -out server.csr

output
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

       ·         Remove Passphrase from the key
o   One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started.
o   To remove the pass-phrased from the key hit the following command

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

The newly created server.key file has no more passphrase in it.
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

      ·         Generating a Self Signed Certificate
o   At this point you will need to generate a self-signed certificate because you either don’t plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
o   To generate a temporary certificate which is good for 365 days, issue the following command

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

output
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key

Now at this step you should have server.key, server.csr and server.crt generated.

Step 2: Configure Apache Server

[Note: Here we assume that you already have Liferay clustered setup as per the above information]

      ·         Copy generated server.key, server.crt, and server.csr to conf directory of the Apache_Home
      ·         Open httpd.conf in apache and uncomment the following lines to enable mod_ssl and                     configuration file for https.

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Step 3: Configure Liferay servers

      ·         Open portal-ext.properties of all the Liferay instances that you configured and add the                     following properties to it.

# SSL properties
company.security.auth.requires.https=true
web.server.http.port=80
web.server.https.port=443
  # if you want to make all page SSL secure: add the following  property otherwise if you want that only your login page should be SSL secured then don’t keep the following property.

web.server.protocol=https

·         Restart your Liferay instances.

Step 4: Disabling SSL with apache web server [Optional]
       
      ·         Open portal-ext.properties of all the Liferay instances that you configured and comment out or remove the following properties to it.

# SSL properties
company.security.auth.requires.https=true
web.server.http.port=80
web.server.https.port=443
  # if you want to make all page SSL secure: add the following  property otherwise if you want that only your login page should be SSL secured then don’t keep the following property.

web.server.protocol=https

      ·         Restart your Liferay instances.

Restart your Apache Web server and all tomcat servers and solr servers,

Test Case:  Open browser and hit https://localhost, it will first of all ask for security exception and once you confirm then it loads the default Liferay home page.


Congratulation! It’s done.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.