SSL Installation Guide: Oracle 9i and earlier

1. Importing the CA certificate

1) Right-click Trusted Certificates → click Import Trusted Certificate (T).

2) Select "Paste the certificate" and click OK.

3) Open the issued CA certificate in Notepad and paste everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.

4) Verify that the CA certificate has been added.


2. Importing the certificate

1) Right-click "Certificate:[Requested]" → click "Import User Certificate (U)".

2) Select "Paste the certificate" and click OK.

3) Open the issued certificate in Notepad and paste everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.

4) Verify that the certificate import completed successfully.


3. Saving the file

1) Click the Save icon.

2) Specify the path to save to and click OK.

3) Wallet → Save In System Default.

4) Verify that the certificate was saved correctly.

4. Installing the certificate in OHS

* Check the $ORACLE_HOME/opmn/conf/opmn.xml file
[oracle@ucert default]$ vi /App/UCERT/opmn/conf/opmn.xml

* Note: if start-mode is set to disabled, change it to enabled (ssl-enabled):
<ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-enabled"/>
      </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
</ias-component>
1) Edit httpd.conf, the OHS configuration file, with vi.
[oracle@ucert default]$ vi /App/UCERT/Apache/Apache/conf/httpd.conf

* Note: uncomment the following if it is commented out.
<IfDefine SSL>
LoadModule ossl_module "/App/UCERT/Apache/Apache/modules/mod_ossl.so"
</IfDefine>
* Note: check the referenced file.
# Include the SSL definitions and Virtual Host container
include "/App/UCERT/Apache/Apache/conf/ssl.conf"

2) Edit ssl.conf, the SSL configuration file, with vi.
[oracle@ucert default]$ vi /App/UCERT/Apache/Apache/conf/ssl.conf

<IfDefine SSL>

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache dbm:/App/UCERT/Apache/Apache/logs/ssl_scache
#SSLSessionCache shmht:/App/UCERT/Apache/Apache/logs/ssl_scache(512000)

SSLSessionCache shmcb:/App/UCERT/Apache/Apache/logs/ssl_scache(512000)

# SessionCache Timeout:
# This directive sets the timeout in seconds for the information stored
# in the global/inter-process SSL Session Cache. It can be set as low as
# 15 for testing, but should be set to higher values like 300 in real life.

SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.

SSLMutex file:/App/UCERT/Apache/Apache/logs/ssl_mutex

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.

SSLLog /App/UCERT/Apache/Apache/logs/ssl_engine_log
SSLLogLevel warn

##
## SSL Virtual Host Context
##
#
# NOTE: this value should match the SSL Listen directive set previously in this
# file otherwise your virtual host will not respond to SSL requests.
#

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
#
# NOTE: if virtual hosts are used and you change a port value below
# from the original value, be sure to update the default port used
# for your virtual hosts as well.
#

* Note: service port setting
Listen 443

* Note: virtual host setting
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/App/UCERT/Apache/Apache/htdocs"
ServerName sso.ucert.co.kr
ServerAdmin you@your.address
ErrorLog "|/App/UCERT/Apache/Apache/bin/rotatelogs \
/App/UCERT/Apache/Apache/logs/error_ssl_log 43200"
TransferLog "|/App/UCERT/Apache/Apache/bin/rotatelogs \
/App/UCERT/Apache/Apache/logs/access_ssl_log 43200"
Port 443
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.

SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.

SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# Server Wallet:
# The server wallet contains the server's certificate, private key
# and trusted certificates. Set SSLWallet at the wallet directory
# using the syntax: file:

* Note: certificate (wallet) path setting
SSLWallet file:/App/UCERT/Apache/Apache/conf/ssl.wlt/default
* Note: certificate (wallet) password setting
SSLWalletPassword ucert1234

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /App/UCERT/Apache/Apache/conf/ssl.crl
#SSLCARevocationFile /App/UCERT/Apache/Apache/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require
#SSLVerifyClient require

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>

<Directory "/App/UCERT/Apache/Apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.

CustomLog /App/UCERT/Apache/Apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RewriteEngine on
RewriteOptions inherit
</VirtualHost>

</IfDefine>
3) Place the completed certificate wallet at the path configured in "SSLWallet" in ssl.conf.
[oracle@ucert default]$ pwd
/App/UCERT/Apache/Apache/conf/ssl.wlt/default
[oracle@ucert default]$ ls
ewallet.p12
[oracle@ucert default]$
5. Restarting OHS

[oracle@ucert default]$ opmnctl stopall
[oracle@ucert default]$ opmnctl startall
6. Checking the certificate
[root@localhost ~]# netstat -nap | grep httpd
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN

With port 443 listening, use the following command to check the certificate locally.
[root@localhost ~]# openssl s_client -connect 127.0.0.1:443 | openssl x509

depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

How to check the certificate expiry date
[root@mail ~]# openssl s_client -connect localhost:443 < /dev/null 2>&1 | openssl x509 -noout -enddate
notAfter=Feb 15 21:38:20 2012 GMT
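The chain check and the expiry check above can be combined into one script. The following shell helper is an added example, not part of this hosting guide; it assumes the openssl CLI is installed and that the CA file passed to it holds the CA certificate(s) of the issuing chain (the ones imported into the wallet in step 1). Passing that file as -CAfile is what the s_client run above lacked: the "unable to get local issuer certificate" error only means no CA was supplied to verify against, not that the installed chain is wrong.

```sh
#!/bin/sh
# Added verification helper; not part of the hosting guide above.
# Assumes the openssl CLI is installed. CAFILE is assumed to be the PEM file
# holding the CA certificate(s) that were imported into the wallet in step 1.

# Fetch the certificate presented by the server on HOST:PORT and write it,
# PEM encoded, to OUTFILE. Reading stdin from /dev/null makes s_client exit
# right after the handshake instead of waiting for a request.
fetch_server_cert() {
  host=$1; port=$2; outfile=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -out "$outfile" 2>/dev/null
}

# Return 0 if the certificate in PEMFILE chains up to a CA in CAFILE.
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate in PEMFILE expires within DAYS days (or has
# already expired). openssl's -checkend exits 0 while the certificate is
# still valid at the given time, so the result is inverted here.
cert_expires_within() {
  seconds=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# Combined check for a deployed endpoint: prints one line per finding and
# returns 0 only when the chain verifies and renewal is not yet due.
check_endpoint() {
  host=$1; port=$2; cafile=$3; days=${4:-30}
  tmp=$(mktemp) || return 2
  fetch_server_cert "$host" "$port" "$tmp" \
    || { echo "no certificate received from $host:$port"; rm -f "$tmp"; return 2; }
  rc=0
  cert_chain_ok "$tmp" "$cafile" \
    || { echo "chain does not verify against $cafile"; rc=1; }
  cert_expires_within "$tmp" "$days" \
    && { echo "certificate expires within $days days:"; openssl x509 -in "$tmp" -noout -enddate; rc=1; }
  rm -f "$tmp"
  return $rc
}
```

Run it as `check_endpoint 127.0.0.1 443 /path/to/ca-chain.pem 30` from the server itself, as in the netstat and s_client steps above.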

Note: if the certificate is printed correctly locally but a browser connecting from outside to https://[domain] cannot communicate, check that the SSL port is allowed on the internal firewall (e.g. iptables) and on any external firewall (or that the certificate is installed on the web application firewall).
