
SSL protection of authentication pages

 
kevin
Forum facilitator


Joined: 26 Sep 2003
Posts: 442

Posted: Wed May 12, 2004 2:48 pm
Post subject: SSL protection of authentication pages

Q: Starting from version 2.1.4, FirstSpot supports SSL protection of authentication pages so that all information submitted by end-users can be encrypted using 128-bit encryption.

With the new SSL feature, is there a way to stop the security alert popping up? The browser alert box currently displays because the certificate was issued by a company you have not chosen to trust. What does it mean, and is there any way to get rid of it?

A: The alert is due to the self-signed nature of the SSL certificates generated by FirstSpot itself, instead of from a trusted agent/CA. We haven't included an SSL cert from a trusted agent because administrators can always change the private IP (from the 10.20.7.1 to anything else), while a trusted SSL cert always assumes a static one (while binding to an IP address).

However, you can purchase your own from the net if you really want to eliminate that warning. Frankly, that's a common challenge to those solutions where the SSL protection is on the private-side. We see more and more end-users are getting used to that warning though.

~ Patronsoft Limited ~
kevin
Forum facilitator


Joined: 26 Sep 2003
Posts: 442

Posted: Wed May 12, 2004 2:49 pm
Post subject: Using a trusted SSL certificate with FirstSpot

Q: I'm going to purchase an SSL certificate from a trusted CA and use it with FirstSpot to protect the authentication pages. How can I do it technically?

A: Generally, here're the things you need to do:

- generate a private key for the SSL certificate from the FirstSpot machine;
- generate a CSR (Certificate Signing Request) using that private key;
- send the CSR to your trusted CA for approval;
- receive the SSL cert from the CA and copy it to the FirstSpot machine;

Technically, here're the steps:

1. On the FirstSpot machine, open a DOS command prompt.

2. Change directory to the FirstSpot\www\Apache\conf directory.

3. Run this command:

openssl genrsa -out my-server.key 1024

which creates the private key (my-server.key) of 1024 bits for the SSL cert. Please back up this file; you need it to run SSL sessions in the future.

4. Run the following command:

openssl req -new -key my-server.key -out my-server.csr -config openssl.cnf

You will then be prompted to enter values for the distinguished name of the cert. The most important one is the value of Common Name; you should put in exactly the IP address you're planning to use for the *private* interface of FirstSpot. If you're asked to provide values for 'extra' attributes, simply pressing the Enter key will do.

The command will generate a file called my-server.csr. When you purchase an SSL cert from a trusted CA, they will ask you to supply a CSR. What you need to do is simply open the my-server.csr file using a text editor and copy-and-paste the content inside onto their online form.

5. When the trusted CA sends you the SSL cert of your server, please rename the cert to my-server.cert and copy it to the FirstSpot\www\Apache\conf directory.

6. The trusted CA will also provide you with the public cert of their own root CA; please rename that cert to ca.crt and copy it to the FirstSpot\www\Apache\conf directory as well.

7. You will need these 3 files under the FirstSpot\www\Apache\conf directory:

my-server.key
my-server.cert
ca.crt

Please remember to back up these 3 files for future recovery purposes.

8. After you have all the cert and key files in place, you can then go to Configuration Manager. Under the Dispatcher tab, enable both the "SSL-enable authentication pages" and "Use 3rd party SSL Certificate" options and click Save. Please also make sure the *private* IP of FirstSpot is the one issued to the SSL cert you obtained. With the "Use 3rd party SSL Certificate" option enabled, FirstSpot will not generate or use its self-signed SSL certificates.

9. Restart FirstSpot and try to log in from a client machine; your browser should show the authentication pages encrypted with a trusted SSL cert.

~ Patronsoft Limited ~
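A check worth running between steps 7 and 8, before FirstSpot is restarted, written here as an added example that is not part of the original post or of FirstSpot: it confirms that my-server.cert was issued for my-server.key, that its Common Name is the private IP, and that it chains to ca.crt. It assumes a POSIX shell with openssl on the PATH (the individual openssl commands run the same way from the DOS prompt); the function names and the throwaway CA with its 2048-bit keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FirstSpot code): pre-install checks for the files of step 7.
# check_cert_bundle KEY CERT CA IP prints "ok" and returns 0 only if the cert
# carries the public key of KEY, its Common Name is IP, and it chains to CA.
check_cert_bundle() {
    key=$1 cert=$2 ca=$3 want_cn=$4
    # 1. Same RSA modulus in key and cert: the cert was issued for this key.
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    [ "$km" = "$cm" ] || { echo "key does not match cert"; return 2; }
    # 2. Common Name must be exactly the private-interface IP (steps 4 and 8).
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" |
           sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$want_cn,"*) ;;
        *) echo "Common Name is not $want_cn"; return 3 ;;
    esac
    # 3. The cert must verify against the CA's root cert (ca.crt).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "cert does not chain to CA"; return 4; }
    echo "ok"
}

# Constructed sample: a throwaway CA stands in for the purchased certificate.
make_sample() {
    d=$1
    openssl genrsa -out "$d/my-server.key" 2048 2>/dev/null
    openssl req -new -key "$d/my-server.key" \
        -subj "/O=Constructed/CN=10.20.7.1" -out "$d/my-server.csr"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl x509 -req -in "$d/my-server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 \
        -out "$d/my-server.cert" 2>/dev/null
}

# Demo on the constructed sample; with real files, call check_cert_bundle
# on my-server.key, my-server.cert, ca.crt and the private IP instead.
tmp=$(mktemp -d) && make_sample "$tmp" &&
check_cert_bundle "$tmp/my-server.key" "$tmp/my-server.cert" \
    "$tmp/ca.crt" 10.20.7.1
rm -rf "$tmp"
```

A non-zero return code identifies which check failed: 2 for a key mismatch, 3 for a wrong Common Name, 4 for a broken chain.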
kevin
Forum facilitator


Joined: 26 Sep 2003
Posts: 442

Posted: Wed May 12, 2004 2:50 pm
Post subject:

Q: Where can I purchase an SSL certificate issued to a private ip (e.g. 10.20.7.1) that we are using as the private interface's IP?

A: Doing a search on Google using keywords like "private ip ssl" will yield some companies offering such certificates.

Examples are:

http://certs.myostrich.net/intranetssl.html

http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html

~ Patronsoft Limited ~
All times are GMT