Apache based WebDAV Server with LDAP and SSL

Saqib Ali
1. Introduction

The objective of this document is to set up an Apache + mySQL + PHP + WebDAV based Web Application Server that uses LDAP for authentication. The document will also provide details on encrypting the LDAP transactions.
1.1. About this document

This document was originally written in 2001. Since then many updates and new additions have been made. Thanks to all the people who submitted updates and corrections. The XML source of this document is available at http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml. The latest version of the document is available at http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html.

1.2. Contributions to the document

If you would like to contribute to the HOWTO, you can download the XML source from http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml and send the updated source to saqib@seagate.com ALONG WITH YOUR NAME IN THE LIST OF AUTHORS AND REVISION HISTORY :). That makes it easier for me to contact the person if there are any updates/corrections. Thanks.

1.3. What is Apache?

The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX and Windows NT. It provides HTTP services in sync with the current HTTP standards. The Apache WebServer is available for free download from http://httpd.apache.org/

1.4. What is WebDAV?

WebDAV stands for Web enabled Distributed Authoring and Versioning. It provides a collaborative environment for users to edit/manage files on web servers. Technically DAV is an extension to the HTTP protocol. Here is a brief description of the extensions provided by DAV:

Overwrite Protection: Lock and Unlock mechanism to prevent the "lost update problem". The DAV protocol supports both shared and exclusive locks.

Properties: Metadata (title, subject, creator, etc.)

Name-space management: Copy, Rename, Move and Deletion of files

Access Control: Limit access to various resources. Currently DAV assumes access control is already in place, and does not provide a strong authentication mechanism.

Versioning: Revision control for the documents. Versioning is not implemented yet.

1.5. What is PHP?

PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP is available from http://www.php.net

1.6. What is mySQL?

MySQL, the most popular Open Source SQL database, is developed, distributed, and supported by MySQL AB. The mySQL DB engine can be downloaded from http://www.mysql.com/

1.7. What do we need?

The tools needed to achieve this objective are:
1.8. Assumptions

This document assumes that you have the following already installed on your system.
2. Requirements

You'll have to download and compile several packages. This document will explain the compilation process, but you should be familiar with installing from source code.

2.1. Basics

You will need a machine running Solaris / Linux and the GCC compiler. GNU gzip and GNU tar are also needed.

2.2. Apache 2.0.46

Apache is the HTTP server; it will be used to run the Web Application Server. Please download the Apache 2.0.46 source code from http://www.apache.org/dist/httpd/.

2.3. OpenSSL

You will need to download OpenSSL from http://www.openssl.org/source/ . Please download the latest version. The OpenSSL installation provides the SSL libraries for compiling mod_ssl with Apache, and is used for managing the SSL certificates on the WebServer. Please download the OpenSSL source code gzipped file into /tmp/downloads

2.4. iPlanet LDAP Library

Download the iPlanet LDAP SDK from http://wwws.sun.com/software/download/products/3ec28dbd.html. We will use the iPlanet LDAP SDK because it includes libraries for ldaps:// (LDAP over SSL).

2.5. mod_auth_ldap

mod_auth_ldap will be used for compiling LDAP support into Apache. Please download mod_auth_ldap from http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

2.6. mySQL DB Engine

Download the appropriate mySQL build for your platform from http://www.mysql.com/downloads/index.html

3. Installation

First we have to take care of a few pre-requisites, and then we will get into the main installation.

3.1. Pre-requisites

The application server as we plan to install it requires the SSL libraries and the LDAP libraries. The SSL engine is also required for managing the SSL certs for Apache 2.x.

3.1.1. iPlanet LDAP SDK

Become root by using the su command:
Create the /usr/local/iplanet-ldap-sdk.5 directory. Copy ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar.gz from /tmp/downloads to the /usr/local/iplanet-ldap-sdk.5 directory.
Now you should have all the required iPlanet LDAP lib files in the correct directory.

3.1.2. OpenSSL Engine

Next we need to install the OpenSSL engine. OpenSSL is an open source implementation of the SSL/TLS protocol. It is required to create and manage SSL certificates on the webserver. The installation is also necessary for the lib files that will be used by the SSL module for Apache. Change to the directory where you placed the OpenSSL source code files:
Upon successful completion of the make install, the openssl binaries should reside in /usr/local/ssl

3.2. mySQL

Installing mySQL is quite simple. The downloaded binaries have to be placed in the appropriate directory. We start by creating a user:group for the mysql daemon, and copying the files to the appropriate directories.
Next run the install_db script, and change the permissions on the files
3.2.1. Starting mySQL

Now start the mySQL server to verify the installation
Verify that the mySQL daemon is running by using the ps -ef command. You should see the following output:
3.2.2. Stopping mySQL

To stop the MySQL server, follow the instructions below
3.2.3. Locating the Data Directory

The mySQL daemon stores all the information in a directory called the "Data Directory". If you followed the installation instructions above, your Data Directory should be located under /usr/local/mysql/data. To find out where your Data Directory is located, use the mysqladmin utility as follows:
3.3. Apache 2.0

Start by setting some FLAGS for the compiler
Next untar the Apache 2.0 source files, and execute the configure script.
Next run the make command
3.4. mod_auth_ldap

Untar modauthldap_apache2.tar.gz
Now configure and install mod_auth_ldap
3.5. CERT DB for LDAPS://

You will also need to get the cert7.db and key3.db files from http://www.xml-dev.com/xml/key3.db and http://www.xml-dev.com/xml/cert7.db and place them in the /usr/local/apache2/sslcert/ directory.

3.6. PHP

Unzip the PHP source files
Configure and run the make command
Compile the source code
Copy the php.ini file to the appropriate directory
4. Configuring and Setting up the WebDAV services

Now for the easy part. In this section we will WebDAV-enable a directory under the Apache root.

4.1. Modifications to the /usr/local/apache/conf/httpd.conf

Please verify that the following Apache directive appears in /usr/local/apache/conf/httpd.conf :
If it does not, please add it. This directive informs Apache about the DAV capability. The directive must be placed outside any container. Next we must specify where Apache should store the DAVLockDB file. DAVLockDB is the lock database for WebDAV. The directory holding it should be writable by the httpd process. I store the DAVLock file under /usr/local/apache/var. I use this directory for other purposes as well. Please add the following line to your /usr/local/apache/conf/httpd.conf to specify that the DAVLockDB file will be under /usr/local/apache/var :
The directive must be placed outside any container.

4.2. Creating a directory for DAVLockDB

As mentioned above, a directory must be created for DAVLockDB that can be written by the web server process. Usually the web server process runs under the user 'nobody'. Please verify this for your system using the command:
4.3. Enabling DAV

Enabling DAV is a trivial task. To enable DAV for a directory under the Apache root, just add the following directive in the container for that particular directory:
This directive will enable DAV for the directory and its sub-directories. The following is a sample configuration that will enable WebDAV and LDAP authentication on /usr/local/apache/htdocs/DAVtest. Place this in the /usr/local/apache/conf/httpd.conf file.
4.4. Create a Directory called DAVtest

As mentioned in an earlier section, all DAV directories have to be writable by the WebServer process. In this example we assume the WebServer is running under username 'nobody'. This is usually the case. To check which user httpd is running under, please use:
Create a test directory called 'DAVtest' under /usr/local/apache2/htdocs :

# mkdir /usr/local/apache/htdocs/DAVtest

Change the permissions on the directory to make it read-writable by the httpd process. Assuming httpd is running under username 'nobody', use the following commands:
4.5. Restart Apache

Finally you must run the configuration test routine that comes with Apache to verify the syntax in httpd.conf :
If you get error messages, please verify that you followed all of the above mentioned steps correctly. If you cannot figure out the error message, feel free to email me with the error message (saqib@seagate.com). If the configtest is successful, start the Apache web server:

# /usr/local/apache/bin/apachectl restart

Now you have a WebDAV enabled Apache server with LDAP authentication and SSL encryption.

4.6. WebDAV server protocol compliance testing

It is very important that the WebDAV server we just implemented be fully compliant with the WebDAV-2 protocol. If it is not fully compatible, the client side WebDAV applications will not function properly. To test the compliance we will use a tool called Litmus. Litmus is a WebDAV server protocol compliance test suite, which aims to test whether a server is compliant with the WebDAV protocol as specified in RFC2518. Please download the Litmus source code from http://www.webdav.org/neon/litmus/ and place it in the /tmp/downloads directory. Then use gzip and tar to extract the files:
Compiling and installing Litmus is easy:
make install will install the Litmus binary files under /usr/local/bin and the help files under /usr/local/man. To test the compliance of the WebDAV server that you just installed, please use the following command
5. WebDAV server management

In this section we will discuss the various management tasks, e.g. using LDAP for access control, and working with DAV methods on Apache. Most of the configuration changes for DAV will have to be done using the httpd.conf file. This file is located at /usr/local/apache/conf/httpd.conf. httpd.conf is a text based configuration file that Apache uses. It can be edited using any text editor; I prefer using vi. Please make a backup copy of this file before changing it. After making changes to httpd.conf the Apache server has to be restarted using the /usr/local/apache/bin/apachectl restart command. However, before restarting, test the validity of httpd.conf by using the /usr/local/apache/bin/apachectl configtest command.

5.1. Restricting access to DAV shares

In the previous section when we created the DAVtest share, we used LDAP for authentication purposes. However, anyone who can authenticate using their LDAP userid/passwd will be able to access that folder. Using the require directive in the httpd.conf file, we can limit access to certain individuals or groups of individuals. If we look at the DAVtest configuration from the previous section:
5.2. Restricting write access to DAV shares

It may be required that editing of the resources on the DAV shares be restricted to certain individuals, while anyone can view the resources. This can be easily done using the <Limit> tags in the httpd.conf file
You restrict write access to certain individuals by changing the <Limit> to
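The <Limit> block itself is missing from this copy of the HOWTO. As an added example (not the HOWTO's own configuration), the script below prints the DAVtest container of sections 4.3 and 5.2 in the <Limit> form described here beside a <LimitExcept> form, and lists which methods the <Limit>-only form leaves without any Require. The directory and uid come from the text; the placeholder comment standing in for the mod_auth_ldap server directives, and the assumption that mod_auth_ldap honours per-method Require lines the way Apache's core auth modules do, are mine.

```shell
# Added example, not the HOWTO's own configuration. Prints the DAVtest
# <Directory> block in two forms and lists the methods the <Limit>-only form
# leaves without any Require. The placeholder comment stands in for the
# mod_auth_ldap server directives (an assumption of this example).
DAV_DIR="/usr/local/apache/htdocs/DAVtest"
EDITOR_UID="334455"
READ_METHODS="GET PROPFIND"
WRITE_METHODS="PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

# Form described in the HOWTO: each method list is spelled out. Any method that
# appears in neither list has no Require at all and is therefore unrestricted.
dav_conf_limit() {
    cat <<EOF
<Directory "$DAV_DIR">
    Dav On
    AuthType Basic
    AuthName "DAV share"
    # mod_auth_ldap server / base-DN directives go here (placeholder)
    <Limit $READ_METHODS>
        Require valid-user
    </Limit>
    <Limit $WRITE_METHODS>
        Require user $EDITOR_UID
    </Limit>
</Directory>
EOF
}

# Hardened form: only the read methods are enumerated; <LimitExcept> covers
# every other method, including ones not thought of when the list was written.
dav_conf_limitexcept() {
    cat <<EOF
<Directory "$DAV_DIR">
    Dav On
    AuthType Basic
    AuthName "DAV share"
    # mod_auth_ldap server / base-DN directives go here (placeholder)
    <Limit GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </Limit>
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require user $EDITOR_UID
    </LimitExcept>
</Directory>
EOF
}

# Methods a DAV server sees (RFC 2518 set plus PATCH as a later addition) that
# the <Limit>-only form covers with no Require. Apache treats HEAD as GET
# inside <Limit>, so HEAD is not counted separately here.
uncovered_methods() {
    out=""
    for m in OPTIONS GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK PATCH; do
        case " $READ_METHODS $WRITE_METHODS " in
            *" $m "*) ;;
            *) out="$out $m" ;;
        esac
    done
    echo "${out# }"
}
```

Append the output of dav_conf_limitexcept to httpd.conf and run apachectl configtest before restarting, as section 4.5 describes.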
Basically we are limiting PUT, POST, DELETE, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK to an individual who has the UID of 334455. Everyone else will be able to use the methods GET and PROPFIND on the resources, but not any other method.

6. Implementing and using SSL to secure HTTP traffic

Security of the data stored on a file server is very important these days. Compromised data can cost a company thousands of dollars. In the last section, we compiled the LDAP authentication module into the Apache build to provide an authentication mechanism. However, HTTP traffic is very insecure, and all data is transferred in clear text, meaning that the LDAP credentials (userid/passwd) will be transmitted as clear text as well. This creates a problem: anyone sniffing the traffic can capture the userid/passwd and gain access to the DAV store. To prevent this we have to encrypt the HTTP traffic, essentially HTTP + SSL, or HTTPS. Anything transferred over HTTPS is encrypted, so the LDAP userid/passwd cannot be easily deciphered. HTTPS runs on port 443. The resulting build from the last section's compilation process will have Apache listening on both port 80 (normal HTTP) and 443 (HTTPS). If you are just going to use this server for DAV, then I highly suggest that you close port 80. In this section of the HOWTO I will provide some information regarding SSL and maintaining SSL on an Apache HTTP server.

6.1. Introduction to SSL

SSL (Secure Socket Layer) is a protocol layer that exists between the Network Layer and the Application layer. As the name suggests, SSL provides a mechanism for encrypting all kinds of traffic: LDAP, POP, IMAP and most importantly HTTP. The following is an over-simplified structure of the layers involved in SSL.
6.1.1. Encryption algorithms used in SSL

There are three kinds of cryptographic techniques used in SSL: Public-Private Key, Symmetric Key, and Digital Signature.

Public-Private Key Cryptography - Initiating the SSL connection: In this algorithm, encryption and decryption are performed using a pair of private and public keys. The Web server holds the private key, and sends the public key to the client in the Certificate.

Symmetric Cryptography - Actual transmission of data: After the SSL connection has been established, symmetric cryptography is used for encrypting data, as it uses fewer CPU cycles. In symmetric cryptography the data can be encrypted and decrypted using the same key. The key for symmetric cryptography is exchanged during the initiation process, using Public Key Cryptography.

Message Digest: The server uses a message digest algorithm such as HMAC, SHA-1 or MD5 to verify the integrity of the transferred data.

6.1.2. Ensuring Authenticity and Integrity

Encryption Process
Decryption Process
6.2. Test Certificates

While compiling Apache we created a test certificate. We used the makefile provided by mod_ssl to create this custom certificate. We used the command:
This certificate can be used for testing purposes.

6.3. Certificates for Production use

For production use you will need a certificate from a Certificate Authority (hereafter CA). Certificate Authorities are certificate vendors who are listed as a Trusted CA in the user's browser. As mentioned in the Encryption Algorithms section, if the CA is not listed as a trusted authority, your users will get a warning message when trying to connect to a secure location. Similarly, the test certificates will also cause a warning message to appear in the user's browser.

6.4. How to generate a CSR

A CSR, or Certificate Signing Request, must be sent to the trusted CA for signing. This section discusses how to create a CSR and send it to the CA of your choice. The openssl req command can be used to generate a CSR as follows:
At this point you will be asked several questions about your server to generate the Certificate Signing Request.

Note: Your Common Name (CN) is the Fully Qualified DNS name (FQDN) of your webserver, e.g. dav.server.com . If you put in anything else, it will NOT work. Remember the password that you use, for future reference.

Once the process is complete, you will have private.key and public.csr . You will need to submit the public.csr to the Certification Authority. At this point the private.key is not encrypted. To encrypt it:
6.5. Installing the Server Private Key and Server Certificate

Once the Certification Authority processes your request, they will send an encoded certificate (Digital Certificate) back to you. The Digital Certificate is in the format defined by X.509 v3. The following shows the structure of a typical X.509 v3 Digital Certificate
6.5.1. Verifying a Digital Certificate

To verify an X.509 certificate, use the following command
Where server.crt is the name of the file that contains the Digital Certificate.

6.5.2. Viewing the contents of a Digital Certificate

The contents of a Digital Certificate can be viewed by using the openssl x509 command as follows:
6.5.3. Modifying the httpd.conf to Install the Certificates

You will need to place this certificate on the server, and tell Apache where to find it. For this example, the Private Key is placed in the /usr/local/apache2/conf/ssl.key/ directory, and the Server Certificate is placed in /usr/local/apache2/conf/ssl.crt/. Copy the file received from the Certification Authority to a file called server.crt in /usr/local/apache2/conf/ssl.crt/, and place the private.key generated in the previous step in /usr/local/apache2/conf/ssl.key/. Then modify /usr/local/apache2/conf/ssl.conf to point to the correct Private Key and Server Certificate files:
6.6. Removing the passphrase from the RSA Private Key

The RSA Private Key stored on the webserver is usually encrypted, and you need a passphrase to parse the file. That is why you are prompted for a passphrase when you start Apache with mod_ssl:
Encrypting the RSA Private Key is very important. If a cracker gets hold of your unencrypted RSA Private Key he/she can easily impersonate your webserver. If the Key is encrypted, the cracker cannot do anything without brute forcing the passphrase. Use of a strong (i.e. long) passphrase is encouraged. However, encrypting the Key can sometimes be a nuisance, since you will be prompted for a passphrase every time you start the web server, especially if you are using rc scripts to start the webserver at boot time. The prompt for a passphrase will stop the boot process, waiting for your input. You can get rid of the passphrase prompt easily by decrypting the Key. However, make sure that no one can get hold of this Key. I would recommend that Hardening and Securing guidelines be followed before decrypting the Key on the webserver. To decrypt the Key, first make a copy of the encrypted key:
Then re-write the key without encryption. You will be prompted for the original encrypted Key's passphrase
One way to secure the decrypted Private Key is to make it readable only by root:
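As an added example (not the HOWTO's own commands), the script below carries sections 6.4 and 6.6 through non-interactively: it generates the encrypted private key and the CSR, writes the decrypted copy for unattended startup, makes that copy readable by root only, and checks that the encrypted original and the plain copy hold the same key. The work directory, the FQDN dav.example.com, the subject and the passphrase are constructed for this example.

```shell
# Added example, not the HOWTO's own commands: generate the server key and CSR
# non-interactively, keep the key encrypted, then make a decrypted copy that
# only root can read for unattended Apache startup. WORKDIR, FQDN, the subject
# and the passphrase are constructed for this example.
set -e
WORKDIR=${WORKDIR:-$(mktemp -d)}
FQDN=${FQDN:-dav.example.com}                      # Common Name must be the FQDN
PASSPHRASE=${PASSPHRASE:-example-only-passphrase}  # never hard-code a real one

# Encrypted 2048-bit RSA key plus the CSR to send to the CA. -subj answers the
# interactive questions; the CN is the server's FQDN.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 \
        -keyout "$WORKDIR/private.key" -passout "pass:$PASSPHRASE" \
        -out "$WORKDIR/public.csr" -subj "/O=Example Org/CN=$FQDN" 2>/dev/null
    chmod 600 "$WORKDIR/private.key"
}

# Section 6.6: keep the encrypted original, write a plain copy for the rc
# script, and let only root read the plain copy.
make_unattended_key() {
    cp "$WORKDIR/private.key" "$WORKDIR/private.key.enc"
    openssl rsa -in "$WORKDIR/private.key.enc" -passin "pass:$PASSPHRASE" \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 400 "$WORKDIR/server.key"
}

# Returns 0 only if the CSR's self-signature verifies, its CN is the FQDN, the
# original key is still encrypted, the plain copy is not, and both files
# contain the same key (compared by RSA modulus).
check_artifacts() {
    openssl req -in "$WORKDIR/public.csr" -noout -verify 2>/dev/null || return 1
    openssl req -in "$WORKDIR/public.csr" -noout -subject | grep -q "CN *= *$FQDN" || return 1
    grep -q ENCRYPTED "$WORKDIR/private.key.enc" || return 1
    if grep -q ENCRYPTED "$WORKDIR/server.key"; then return 1; fi
    m1=$(openssl rsa -in "$WORKDIR/private.key.enc" -passin "pass:$PASSPHRASE" \
        -noout -modulus 2>/dev/null)
    m2=$(openssl rsa -in "$WORKDIR/server.key" -noout -modulus 2>/dev/null)
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}
```

Run make_key_and_csr, make_unattended_key and check_artifacts in that order; public.csr goes to the CA and server.key is the file ssl.conf points at.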
6.7. SSL Performance Tuning

6.7.1. Inter Process SSL Session Cache

Apache uses a multi-process model, in which all the requests are NOT handled by the same process. This causes the SSL session information to be lost when a client makes multiple requests. Multiple SSL handshakes cause a lot of overhead on the webserver and the client. To avoid this, the SSL session information must be stored in an inter-process session cache, allowing all the processes to have access to the handshake information. The SSLSessionCache directive in the /usr/local/apache2/conf/ssl.conf file can be used to specify the location of the SSL Session Cache:
Using dbm:logs/ssl_scache creates the cache as a DBM hash file on the local disk. Using shmht:logs/ssl_scache(512000) creates the cache in a shared memory segment.
6.7.2. Verifying the SSLSessionCache

To verify that the SSLSessionCache is working properly, you can use the openssl utility with the -reconnect option as follows:
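The s_client output itself is absent from this copy of the HOWTO. As an added example (not part of the HOWTO), the following script parses an s_client -reconnect transcript and reports whether the session is really being reused, so the check can run from a script rather than by eye; the transcript it reads is constructed, and the hostname dav.example.com is assumed.

```shell
# Added example, not part of the HOWTO: checks a transcript of
# "openssl s_client -reconnect" to confirm the server's session cache works.
# The transcript below is constructed; a real one comes from e.g.
#   openssl s_client -connect dav.example.com:443 -reconnect </dev/null >transcript.txt
# (hostname assumed). This targets the session-ID cache of TLS <= 1.2 described
# in the HOWTO; TLS 1.3 resumes with tickets and prints differently.

# Print "<status> <session-id>" for each connection in a transcript on stdin.
connections() {
    awk '
        /^(New|Reused),/    { status = $1; sub(/,$/, "", status) }
        $1 == "Session-ID:" { print status, ($2 == "" ? "-" : $2) }
    '
}

# Return 0 when the first connection is New, every later one is Reused and all
# share the same non-empty Session-ID; otherwise print the reason and return 1.
session_cache_ok() {
    connections | awk '
        NR == 1 && $1 != "New"    { print "first connection was " $1; bad = 1 }
        NR > 1  && $1 != "Reused" { print "connection " NR " was not reused"; bad = 1 }
        $2 == "-"                 { print "connection " NR " has no Session-ID"; bad = 1 }
        NR == 1                   { first = $2 }
        NR > 1  && $2 != first    { print "connection " NR " has a different Session-ID"; bad = 1 }
        END { if (NR < 2) { print "fewer than two connections"; bad = 1 }; exit bad + 0 }
    '
}

# Constructed transcript: one full handshake followed by a reuse, which is what
# a working inter-process cache produces (the real tool reconnects 5 times).
good_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D
    Session-ID-ctx:
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D
    Session-ID-ctx:
EOF
}

# Constructed transcript of a server whose child processes do not share the
# cache: the second connection is a full handshake with a new Session-ID.
bad_transcript() {
    good_transcript | awk '
        /^Reused,/               { sub(/^Reused/, "New") }
        /Session-ID:/ && ++n > 1 { sub(/0A1B2C3D/, "FFFFFFFF") }
        { print }
    '
}
```

Pipe a saved transcript into session_cache_ok; a non-zero exit with the printed reason means the cache directive in ssl.conf is not taking effect.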
-reconnect forces s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts at reusing the same Session-ID as shown above.

A. HTTP/HTTPS Benchmarking tools

The following is a list of some of the Open Source benchmarking tools for web servers

B. Hardware based SSL encryption solutions

The following is a hardware based SSL encryption solution available:
C. Certificate Authorities

The following is a list of Certificate Authorities that are trusted by the various browsers: