| Table of Contents |
|---|
There are 11 servers in use at Hearst, no one wants to put the passwords in all the time, so we use SSO, and SSL makes it more secure (apparently).
| Table of Contents |
|---|
Configuring SSO for opCharts and opOthers
Currently SSO with NMIS and other application does not interoperate. for opCharts this is done in opCommon.nmis, the second . is required.
| Code Block |
|---|
'auth_sso_domain' => '.companynet.org' |
Setting up Apache Web Server
Enterprises will typically require that all access is over SSL and that SSO features are supported. This requires Apache to be configured to support this.
For SSO configuration please see SSO for Opmantek Applications
| Info | ||
|---|---|---|
| ||
BELOW is based on Apache 2.2 which has differing vhosts configuration from version 2.4 You will need to consider how you create, manage and install the certficates you need. This varies based on company policy, certificate sources and a number of other factors. Usually the simplest is to use a Certificate Signing Request and this is discussed below. |
Using VHosts to Ensure the FQDN is used.
For HTTPS and for SSO to work right, all access needs to use the FQDN of the server. So we get Apache to handle that.
...
| Code Block |
|---|
#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
<VirtualHost *:80>
ServerAdmin opmantek@hearstopmantek@example.com
DocumentRoot "/var/www/html"
ServerName het001stropk002servername002
RewriteEngine on
RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{HTTP_HOST} !=127.0.0.1
RewriteCond %{REMOTE_ADDR} !=127.0.0.1
RewriteCond %{REMOTE_ADDR} !=::1
RewriteRule (.*) http://het001stropk002servername002.companynetexample.org$1
</VirtualHost>
<VirtualHost *:80>
ServerAdmin opmantek@hearstopmantek@example.com
DocumentRoot "/var/www/html"
ServerName het001stropk002servername002.companynetexample.org
</VirtualHost> |
Creating CSR (Certificate Signing Request)
You must create a CSR for each server, these are used to create the final SSL Cert
The details used for Hearst example were:
Country: US
State/Province: New York
Locality: New York
Organisation: The Hearst example Corporation
Common Name (CN): FQDN of the server, e.g. het001wesopk001 servername001.companynetexample.org
To generate the CSR's easily, the following SHELL script generate-csr.sh was created:
| Code Block |
|---|
#!/bin/sh
if [ "$1" == "" ]
then
echo Please define HOSTNAME AND DOMAINNAME seperated by space
echo eg. $0 het001stropk001servername001 companynetexample.org
exit
else
SERVER=$1
DOMAIN=$2
fi
echo Working on $SERVER $DOMAIN
openssl req -nodes -newkey rsa:2048 -keyout $SERVER.key -out $SERVER.csr -subj "/C=US/ST=New York/L=New Tork/O=The Hearstexample Corporation/OU=HearstExample Enterprise TechnologiesDepartment/CN=$SERVER.$DOMAIN" |
View the CSR
To view a CSR, run this:
| Code Block |
|---|
openssl req -text -in het001sclopk001servername001.csr |
Converting a CER into a CRT
If the certificates come from a Microsoft system, they will likely have the extension "CER", these will be in the format DER/Binary, and they need to be converted to Standard PEM for Apache.
This web page helped with that. https://www.sslshopper.com/ssl-converter.html
View the CRT
To view a CSR, run this:
| Code Block |
|---|
openssl x509 -text -in het001sclopk001servername001.cer |
You can check the contents and make sure the names match up if required.
Installing the Certificate
TBD