Oracle HTTP Server ( 단일도메인 ) SSL 인증서갱신설치가이드 본문서는주식회사한국기업보안에서 SSL 보안서버인증서설치를위해작성된문서로 주식회사한국기업보안의동의없이무단으로사용하실수없습니다. [ 고객센터 ] 한국기업보안. 유서트기술팀

Transcription

1 Oracle HTTP Server ( 단일도메인 ) SSL 인증서갱신설치가이드 본문서는주식회사한국기업보안에서 SSL 보안서버인증서설치를위해작성된문서로 주식회사한국기업보안의동의없이무단으로사용하실수없습니다. [ 고객센터 ] 한국기업보안. 유서트기술팀

2 1. OHS 인증서설치 * $ORACLE_HOME/opmn/conf/opmn.xml 파일확인하기 [oracle@ucert default]$ vi /App/UCERT/opmn/conf/opmn.conf <ias-component id="http_server"> <process-type id="http_server" module-id="ohs"> <module-data> <category id="start-parameters"> * 설명 : disabled 로되어있을경우 enabled 로수정합니다. <data id="start-mode" value="ssl-enabled"/> </category> </module-data> <process-set id="http_server" numprocs="1"/> </process-type> </ias-component> 1) OHS 의환경파일인 httpd.conf 파일을 vi 로편집합니다. [oracle@ucert default]$ vi /App/UCERT/Apache/Apache/conf/httpd.conf * 설명 : 주석처리되어있을경우해제 <IfDefine SSL> LoadModule ossl_module "/App/UCERT/Apache/Apache/modules/mod_ossl.so" </IfDefine> * 설명 : 참조된파일을확인합니다. # Include the SSL definitions and Virtual Host container include "/App/UCERT/Apache/Apache/conf/ssl.conf" 2) 인증서파일을백업할수있도록한다. [oracle@ucert default]$ ll drwxr-xr-x. 2 root root :03 cwallet.sso [oracle@ucert default]$ mkdir /App/UCERT/Apache/Apache/conf/ssl.wlt/default [oracle@ucert default]$ cp cwallet.sso [oracle@ucert default]$ ll drwxr-xr-x. 2 root root :03 cwallet.sso

3 3) 새로운인증서파일을업로드할수있도록한다. /]$ ll drwxr-xr-x. 2 root root :03 cwallet.sso [oracle@ucert /]$ mv /App/UCERT/Apache/Apache/conf/ssl.wlt/default [oracle@ucert /]$ cd /App/UCERT/Apache/Apache/conf/ssl.wlt/default [oracle@ucert default]$ ll drwxr-xr-x. 2 root root :03 cwallet.sso

4 2) SSL 환경파일인 ssl.conf 를 vi 로편집합니다. default]$ vi /App/UCERT/Apache/Apache/conf/ssl.conf <IfDefine SSL> SSL Global Context All SSL configuration in this context applies both to the main server and all SSL-enabled virtual hosts. # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on SSLPassPhraseDialog builtin # Inter-Process Session Cache: # Configure the SSL Session Cache: First either `none' # or `dbm:/path/to/file' for the mechanism to use and # second the expiring timeout (in seconds). #SSLSessionCache none #SSLSessionCache dbm:/app/ucert/apache/apache/logs/ssl_scache #SSLSessionCache SSLSessionCache shmcb:/app/ucert/apache/apache/logs/ssl_scache(512000) # SessionCache Timeout: # This directive sets the timeout in seconds for the information stored # in the global/inter-process SSL Session Cache. It can be set as low as # 15 for testing, but should be set to higher values like 300 in real life. SSLSessionCacheTimeout 300

5 # Semaphore: # Configure the path to the mutual explusion semaphore the # SSL engine uses internally for inter-process synchronization. SSLMutex file:/app/ucert/apache/apache/logs/ssl_mutex # Logging: # The home of the dedicated SSL protocol logfile. Errors are # additionally duplicated in the general error log file. Put # this somewhere where it cannot be used for symlink attacks on # a real server (i.e. somewhere where only root can write). # Log levels are (ascending order: higher ones include lower ones): # none, error, warn, info, trace, debug. SSLLog /App/UCERT/Apache/Apache/logs/ssl_engine_log SSLLogLevel warn SSL Virtual Host Context # # NOTE: this value should match the SSL Listen directive set previously in this # file otherwise your virtual host will not respond to SSL requests. # # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert.crt AddType application/x-pkcs7-crl.crl SSL Support When we also provide SSL we have to listen to the standard HTTP port (see above) and to the HTTPS port # NOTE: if virtual hosts are used and you change a port value below # from the original value, be sure to update the default port used # for your virtual hosts as well. #

6 * 설명 : 서비스포트설정 Listen 443 * 설명 : 가상호스트설정 <VirtualHost *:443> # General setup for the virtual host DocumentRoot "/App/UCERT/Apache/Apache/htdocs" ServerNae sso.ucert.co.kr ServerAdmin you@your.address ErrorLog " /App/UCERT/Apache/Apache/bin/rotatelogs \ /App/UCERT/Apache/Apache/logs/error_ssl_log 43200" TransferLog " /App/UCERT/Apache/Apache/bin/rotatelogs \ /App/UCERT/Apache/Apache/logs/access_ssl_log 43200" Port 443 # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP # Server Wallet: # The server wallet contains the server's certificate, private key # and trusted certificates. Set SSLWallet at the wallet directory # using the syntax: file: * 설명 : 인증서경로설정 SSLWallet file:/app/ucert/apache/apache/conf/ssl.wlt/default * 설명 : 인증서경로는폴더를경로로한다. * 설명 : 인증서패스워드설정 SSLWalletPassword ucert1234 # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /App/UCERT/Apache/Apache/conf/ssl.crl #SSLCARevocationFile /App/UCERT/Apache/Apache/conf/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional and require #SSLVerifyClient require

7 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER}!~ m/^(exp NULL)-/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31zmtzzkva'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o CompatEnvVars: # This exports obsolete environment variables for backward compatibility # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this # to provide compatibility to existing CGI scripts. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

8 <Files ~"\.(cgi shtml)$"> SSLOptions +StdEnvVars </Files> <Directory "/App/UCERT/Apache/Apache/cgi-bin"> SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. CustomLog /App/UCERT/Apache/Apache/logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" RewriteEngine on RewriteOptions inherit </VirtualHost> </IfDefine> 3) 완성된인증서를 ssl.conf 파일의 "SSLWallet" 에설정된경로로위치시킵니다. [oracle@ucertdefault]$ pwd /App/UCERT/Apache/Apache/conf/ssl.wlt/default 2.OHS 재시작 [oracle@ucert default]$ opmnctl stopall [oracle@ucert default]$ opmnctl startall Copyright Korea Corporation Security Co., Ltd All pictures cannot be copied without permission.

9 3. 인증서확인 ~]# netstat -nap grep httpd tcp 0 0 :::80 :::* LISTEN tcp 0 0 :::443 :::* LISTEN * 설명 : 443 포트 Listen 된상태에서아래의명령어를사용하여로컬에서인증서를확인합니다. 인증서만료일확인방법 [root@localhost ~]# openssl s_client -connect localhost:443 < /dev/null 2>&1 openssl x509 - noout enddate notafter=dec 20 23:59: GMT 설명 : 로컬에서인증서출력이정상적이고외부에서 도메인 ] 으로브라우저접속시통신이 되지않을경우내부방화벽 ( 예. iptables), 외부방화벽등에 SSL 포트가 Allow ( 또는웹방화벽에 인증서가설치가되어있는지확인합니다. 본문서는주식회사한국기업보안에서 SSL 보안서버인증서설치를위해작성된문서로 주식회사한국기업보안의동의없이무단으로사용하실수없습니다 Copyright Korea Corporation Security Co., Ltd All pictures cannot be copied without permission.

10 접속예 도메인접속후에 Alt 키를누르고파일 속성 인증서클릭후인증서보기를선택하시면인증서정보를확인할수있습니다. 발급대상과유효기간이맞는지 확인합니다. 본문서는주식회사한국기업보안에서 SSL 보안서버인증서설치를위해작성된문서로 주식회사한국기업보안의동의없이무단으로사용하실수없습니다 Copyright Korea Corporation Security Co., Ltd All pictures cannot be copied without permission.