This is a compilation of a few different resources, none of which I can put my
finger on at the moment. Most of this writeup came from one of the
university's network engineers, and I just updated it for 2.1. Rest assured
that most of this probably came from someone else; I'm only relaying what
worked for me and how it looked when it was done. And to be fair, there are
other ways to do this, and even a howto on it somewhere, so if this seems a bit
much you can always dig up the other howtos. :-)
There are a few files that will need to be edited, so in places where it's
easier I'll just show a unified diff of the original and modified files.
Please be sure you understand how to read a unified diff and how to apply such
a diff before attempting these instructions.
Oh, and if you're reading this as an email, you'll probably want to actually
view it on the forums since I put a bit of markup in here. The link should be
at the bottom of the email.
Installing M2Crypto to enable ZServerSSL in Zope
Make sure you've backed up $ZENHOME and whatever else you deem
important in case your server blows up (in which case I'm not responsible!)
Install the prerequisites, if needed.
Code:
[EMAIL PROTECTED] ~]$ rpm -q python openssl swig
python-2.4.3-19.el5
openssl-0.9.8b-8.3.el5_0.2
openssl-0.9.8b-8.3.el5_0.2
swig-1.3.29-2.el5
Since I did a lot of this as my user account and not the zenoss
account, I set up the $ZENHOME environment variable to point to my zenoss
installation:
Code:
[EMAIL PROTECTED] ~]$ export ZENHOME=/opt/zenoss
Download M2Crypto from here:
http://chandlerproject.org/bin/view/Projects/MeTooCrypto
Code:
[EMAIL PROTECTED] ~]$ wget http://chandlerproject.org/pub/Projects/MeTooCrypto/m2crypto-0.18.2.tar.gz
Untar and build it.
Code:
[EMAIL PROTECTED] ~]$ tar xvfz m2crypto-0.18.2.tar.gz
[EMAIL PROTECTED] ~]$ cd m2crypto-0.18.2
[EMAIL PROTECTED] m2crypto-0.18.2]$ python setup.py build
/usr/lib64/python2.4/distutils/dist.py:236: UserWarning: Unknown distribution option: 'test_suite'
warnings.warn(msg)
running build
running build_py
creating build
{snip}
building 'M2Crypto.__m2crypto' extension
swigging SWIG/_m2crypto.i to SWIG/_m2crypto_wrap.c
swig -python -I/usr/include/python2.4 -I/usr/include -includeall -o SWIG/_m2crypto_wrap.c SWIG/_m2crypto.i
/usr/include/openssl/opensslconf.h:25: Error: Unable to find 'opensslconf-x86_64.h'
error: command 'swig' failed with exit status 1
NOTE: I am running a 64-bit environment, hence the `opensslconf-x86_64.h`.
I believe that SWIG can't find the openssl include directory. I hacked the
`setup.py` file to compensate for this:
Code:
[EMAIL PROTECTED] m2crypto-0.18.2]$ diff -u setup.py.orig setup.py
--- setup.py.orig 2007-11-06 16:46:11.000000000 -0500
+++ setup.py 2007-11-06 16:44:00.000000000 -0500
@@ -52,6 +52,7 @@
self.swig_opts = ['-I%s' % i for i in self.include_dirs + \
[opensslIncludeDir]]
+ self.swig_opts.append('-I/usr/include/openssl')
self.swig_opts.append('-includeall')
#self.swig_opts.append('-D__i386__') # Uncomment for early OpenSSL
0.9.7 versions, or on Fedora Core if build fails
#self.swig_opts.append('-DOPENSSL_NO_EC') # Try uncommenting if you
can't build with EC disabled
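Review bot: the added `self.swig_opts.append('-I/usr/include/openssl')` hardcodes the system path and ignores the `opensslIncludeDir` that the line just above already feeds to SWIG, so a build against OpenSSL installed under another prefix still fails with the same "Unable to find 'opensslconf-x86_64.h'" error. Deriving it from the configured directory keeps the two in step, assuming `os` is imported in setup.py: `self.swig_opts.append('-I%s' % os.path.join(opensslIncludeDir, 'openssl'))`.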
...then continued on:
Code:
[EMAIL PROTECTED] m2crypto-0.18.2]$ python setup.py clean
[EMAIL PROTECTED] m2crypto-0.18.2]$ python setup.py build
Lots of warnings will happen at this point, probably because of the 64-bit
environment. But it does build successfully.
If you're working in a 32-bit environment, you might have this error instead:
Code:
[EMAIL PROTECTED] m2crypto-0.16]$ python setup.py build
/usr/lib/python2.3/distutils/extension.py:128: UserWarning: Unknown Extension options: 'swig_opts'
warnings.warn(msg)
To fix that, comment out the `swig_opts = [swig_opts_str]` line in that file.
Apparently it's a Python 2.4-only thing.
Start moving stuff from the m2crypto build dirs to the zenoss
installation. We can't just execute
`python setup.py install` because Zenoss includes its own versions of Zope,
python, etc.
Code:
[EMAIL PROTECTED] m2crypto-0.18.2]$ sudo cp -R build//lib.linux-x86_64-2.4/M2Crypto/ $ZENHOME/lib/python/
[EMAIL PROTECTED] m2crypto-0.18.2]$ sudo chown -R zenoss:zenoss $ZENHOME/lib/python/M2Crypto/
[EMAIL PROTECTED] m2crypto-0.18.2]$ cd demo/Zope27/install_dir/lib/python/ZServer
[EMAIL PROTECTED] ZServer]$ sudo cp HTTPS_Server.py $ZENHOME/lib/python/ZServer/
[EMAIL PROTECTED] ZServer]$ sudo cp medusa/https_server.py $ZENHOME/lib/python/ZServer/medusa/
[EMAIL PROTECTED] ZServer]$ sudo cp *patch $ZENHOME/lib/python/ZServer/
[EMAIL PROTECTED] ZServer]$ cd ../../../../instance_home/ssl/
[EMAIL PROTECTED] ssl]$ sudo mkdir $ZENHOME/ssl
[EMAIL PROTECTED] ssl]$ sudo cp *pem $ZENHOME/ssl
[EMAIL PROTECTED] ssl]$ cd ../etc
[EMAIL PROTECTED] etc]$ sudo cp zope.conf.patch $ZENHOME/etc
[EMAIL PROTECTED] zenoss]$ cd $ZENHOME
[EMAIL PROTECTED] zenoss]$ sudo chown -R zenoss:zenoss lib etc ssl
At this point I change to the zenoss user to make editing config files
a bit easier:
Code:
[EMAIL PROTECTED] etc]$ sudo su - zenoss
[EMAIL PROTECTED] ~]$ cd $ZENHOME/etc
[EMAIL PROTECTED] etc]$ sudo cp zope.conf zope.conf.orig
patch doesn't like the zope.conf.patch file included with m2crypto. Use this
diff instead:
Code:
[EMAIL PROTECTED] etc]$ diff -u zope.conf.orig zope.conf
--- zope.conf.orig 2007-11-06 14:03:03.000000000 -0500
+++ zope.conf 2007-11-06 14:34:45.000000000 -0500
@@ -875,11 +875,18 @@
#
# An HTTP server starts on port 8080.
-<http-server>
+#<http-server>
# valid keys are "address" and "force-connection-close"
- address 8080
+# address 8080
# force-connection-close on
-</http-server>
+#</http-server>
+
+<https-server>
+ # valid keys are "address", "force-connection-close"
+ address 8443
+ # force-connection-close on
+ x509-remote-user off
+</https-server>
# Database (zodb_db) section
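Review bot: the new `<https-server>` block sets `address 8443` and `x509-remote-user off` but says nothing about where ZServerSSL finds its certificate and key, and since the hunk also comments out `<http-server>` entirely, a missing `$ZENHOME/ssl/server.pem` leaves Zope with no listener at all. A comment inside the block pointing at `$ZENHOME/ssl/server.pem` (where the later steps install it) would spare a reader a confusing restart. It is also worth noting in the block that `address 8443` binds every interface; that is intended here, because Apache only redirects to 8443 rather than proxying it, so clients must reach 8443 directly.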
Note: I commented out the <http-server> section so that Zope doesn't listen on
8080. Later I tell Apache to listen on 8080 in order to redirect all traffic
to 8443 by default.
Continue applying the m2crypto patches.
Code:
[EMAIL PROTECTED] etc]$ cd ../lib/python/ZServer
[EMAIL PROTECTED] ZServer]$ cp component.xml component.xml.bak
[EMAIL PROTECTED] ZServer]$ cp datatypes.py datatypes.py.bak
[EMAIL PROTECTED] ZServer]$ cp __init__.py __init__.py.bak
[EMAIL PROTECTED] ZServer]$ patch component.xml component.xml.patch
[EMAIL PROTECTED] ZServer]$ patch datatypes.py datatypes.py.patch
[EMAIL PROTECTED] ZServer]$ patch __init__.py __init__.py.patch
[EMAIL PROTECTED] ZServer]$ zopectl restart
And that should be it. Zope / Zenoss is now configured for SSL.
Configure Apache to redirect all URLs to HTTPS on 8443
By using Apache's mod_rewrite module, we can redirect all traffic destined for
ports 80, 443, and 8080 to port 8443.
Create the file https-all.conf and add the rewrite rules:
Code:
[EMAIL PROTECTED] ~]$ cd /etc/httpd/conf.d/
[EMAIL PROTECTED] conf.d]$ cat https-all.conf
RewriteEngine on
# Rewrite all URLs for HTTPS
RewriteRule ^(.*) https://%{SERVER_NAME}:8443/$1
Now modify the ssl.conf file and add the same rules inside the SSL virtual
host; rewrite rules in the main server context (like https-all.conf) are not
inherited by a <VirtualHost> unless RewriteOptions Inherit is set.
Code:
[EMAIL PROTECTED] conf.d]$ diff -u ssl.conf.orig ssl.conf
--- ssl.conf.orig 2007-11-06 17:33:51.000000000 -0500
+++ ssl.conf 2007-11-06 14:29:50.000000000 -0500
@@ -224,5 +224,9 @@
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+RewriteEngine on
+RewriteRule ^(.*) https://%{SERVER_NAME}:8443/$1 [R]
+
</VirtualHost>
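Review bot: `RewriteRule ^(.*) https://%{SERVER_NAME}:8443/$1 [R]` captures the leading slash of the request path in virtual-host context, so `/zport/dmd` is redirected to `https://host:8443//zport/dmd`; use `^/(.*)` and add `L` so nothing after it in the vhost runs: `RewriteRule ^/(.*) https://%{SERVER_NAME}:8443/$1 [R,L]`. `[R]` alone sends a 302; if the move to 8443 is meant to be permanent, `[R=301,L]`. The same leading-slash capture is in the https-all.conf rule earlier in the post.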
Creating self-signed SSL certificates
The rest of this documentation came verbatim from one of the university's
network engineers.
The steps to create a self-signed cert include the following:
Create a request
Generate a certificate
Install into Apache
Install into Zope/ZServerSSL
Code:
[EMAIL PROTECTED] ~]$ mkdir sslcert
[EMAIL PROTECTED] ~]$ cd sslcert
The passphrase will have to be removed, but that's later.
Code:
[EMAIL PROTECTED] sslcert]$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: <test>
Verifying - Enter pass phrase for server.key: <test>
[EMAIL PROTECTED] sslcert]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: <test>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
----
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Remove the passphrase
Code:
[EMAIL PROTECTED] sslcert]$ cp server.key server.key.org
[EMAIL PROTECTED] sslcert]$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: <test>
writing RSA key
Generate the actual certificate
Code:
[EMAIL PROTECTED] sslcert]$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=xxxx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx/CN=xxxx/emailAddress=xxxx
Getting Private key
Put the files where Apache wants them
Code:
[EMAIL PROTECTED] sslcert]$ sudo cp server.crt /etc/httpd/conf/ssl.crt
[EMAIL PROTECTED] sslcert]$ sudo cp server.csr /etc/httpd/conf/ssl.csr
[EMAIL PROTECTED] sslcert]$ sudo cp server.key /etc/httpd/conf/ssl.key
[EMAIL PROTECTED] sslcert]$ sudo service httpd restart
Put the files where ZServerSSL wants them, in the way it wants them
Code:
[EMAIL PROTECTED] sslcert]$ sudo mv $ZENHOME/ssl/server.pem $ZENHOME/ssl/server.pem.old
[EMAIL PROTECTED] sslcert]$ sudo mv $ZENHOME/ssl/ca.pem $ZENHOME/ssl/ca.pem.old
[EMAIL PROTECTED] sslcert]$ sudo -s
[EMAIL PROTECTED] sslcert]# cat server.crt >> $ZENHOME/ssl/server.pem
[EMAIL PROTECTED] sslcert]# cat server.key >> $ZENHOME/ssl/server.pem
[EMAIL PROTECTED] sslcert]# exit
[EMAIL PROTECTED] sslcert]$ sudo cp server.csr $ZENHOME/ssl/ca.pem
[EMAIL PROTECTED] sslcert]$ sudo zopectl stop
. daemon process stopped
[EMAIL PROTECTED] sslcert]$ sudo zopectl start
. daemon process started, pid=31809
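As an added example (not from the post, and not M2Crypto's own code), here is a Python 3 sanity check for the server.pem assembled above: ZServerSSL expects the certificate followed by an unencrypted key in one file, so the script flags a key that still carries the DES3 passphrase header left by `openssl genrsa -des3`, a key placed ahead of the certificate, and a certificate request mistaken for a certificate. The PEM samples are constructed with dummy bodies; only `key_matches_cert` needs a real file.

```python
import re
import ssl

# Constructed samples (dummy base64 bodies, not real keys): the shapes that
# `openssl genrsa -des3` (encrypted) and `openssl rsa` (passphrase removed) emit.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

# One PEM block: label from the BEGIN line, body up to the matching END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def check_zserverssl_pem(text):
    """Return the problems found in a server.pem built the way the howto does
    (cat server.crt >> server.pem; cat server.key >> server.pem); [] means OK."""
    problems = []
    blocks = BLOCK_RE.findall(text)
    labels = [label for label, _ in blocks]
    if labels.count("CERTIFICATE") != 1:
        problems.append("expected exactly one CERTIFICATE block")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("a certificate request (server.csr) is not a certificate")
    keys = [body for label, body in blocks if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block")
    elif "Proc-Type: 4,ENCRYPTED" in keys[0]:
        # The 'Remove the passphrase' step was skipped: the howto requires an
        # unencrypted key before it goes into server.pem.
        problems.append("private key is still passphrase-protected")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("certificate must come before the key")
    return problems


def key_matches_cert(path):
    """For a real file: load_cert_chain() refuses a key that does not belong to
    the certificate (wrong file copied, or server.key.org mixed up with server.key)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)
        return True
    except OSError:  # ssl.SSLError is a subclass; also covers a missing file
        return False
```

Run `check_zserverssl_pem(open('/opt/zenoss/ssl/server.pem').read())` followed by `key_matches_cert(...)` on the same path before `zopectl start`.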
You should now be able to hit your Zenoss install at:
https://zenoss_svr:8443
http://zenoss_svr:8080
https://zenoss_svr:443
http://zenoss_svr
And everything should be redirected back to port 8443. Congratulations!
Please let me know if you have any questions and I'll try to answer them as
best I can.
---
seth wright ([EMAIL PROTECTED])
windows engineer (no, seriously)
540.568.2912 (office)
james madison university
Read this topic online here:
http://community.zenoss.com/forums/viewtopic.php?p=12991#12991
zenoss-users mailing list
http://lists.zenoss.org/mailman/listinfo/zenoss-users