Creation of all X.509 certificates:
Server configuration:
Create the root certificate authority serial file:
$ echo 01 > MyCompanyCA.srl
Create the Root Authority's Certificate Signing Request and private key:
$ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
Create the Root Certificate Authority for a period of validity of 2 years:
$ openssl x509 -trustout -in MyCompanyCA.csr -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem -days 730
Create the server's serial file:
$ echo 01 > MyServer.srl
Create the server's Certificate Signing Request and private key:
$ openssl req -new -out MyServer.csr
Note: By default, openssl outputs the private key in the privkey.pem file.
Remove the password from the private key:
$ openssl rsa -in privkey.pem -out MyServer.pem
Note: This step also writes the key under its new name, MyServer.pem.
Create the server's Certificate trusted by the Root Certificate Authority:
$ openssl x509 -in MyServer.csr -out MyServer.crt -req -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem
Note: Do not add -signkey MyServer.pem to this command. -signkey is the option for self-signing a certificate; given together with -CA, older openssl releases self-sign the server's certificate and never apply the Root Certificate Authority's signature, so the certificate would not be covered by the Certificate Authority List created below.
Note: The purpose of the server's Certificate is to identify the server to any client that connects to it. Therefore, the subject of the server's certificate (its Common Name, CN) must match the hostname of the server as it is known on the network; otherwise the client will be suspicious about the server's identity and stop the communication. For instance, if the URL of the server is https://www.MyServer.com/cgi-bin/fglccgi.exe/ws/r/MyWebService, the subject must be www.MyServer.com.
Create the server's Certificate Authority List:
$ openssl x509 -in MyCompanyCA.crt -text >> ServerCAList.pem
Note: As the server trusts only the Root Certificate Authority, the list contains only that one certificate authority; every certificate issued by the Root Certificate Authority will then also be trusted by the server.
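The procedure above, as an added example that is not part of the Four Js documentation: a non-interactive shell equivalent of the openssl steps (CSR subjects are passed with -subj, keys are created without a passphrase, so the openssl rsa step is not needed), followed by the two checks worth running before the files are deployed: that MyServer.crt really chains to MyCompanyCA.crt, and that it names the host clients will connect to. It assumes the openssl CLI is on PATH with a default openssl.cnf installed; the names MyCompanyCA, MyServer.* and www.MyServer.com are the page's, the organisation name and the extension files (ca.ext, server.ext) are constructed. It goes beyond the page in two respects: the root certificate is marked as a CA (basicConstraints CA:TRUE, keyUsage keyCertSign), which openssl verify and current clients require, and the server certificate carries a subjectAltName, which current browsers match against the hostname instead of the CN.

```shell
#!/bin/sh
# Added example, not the Four Js documentation's own script.
# Assumes: openssl on PATH, default openssl.cnf present. Names MyCompanyCA,
# MyServer.* and www.MyServer.com are the page's; the rest is constructed.
set -eu

HOST=www.MyServer.com

# Root CA: private key, CSR and self-signed certificate valid 730 days.
# basicConstraints CA:TRUE is added so that openssl verify and clients
# accept the certificate as a certificate authority.
make_root_ca() {
    dir=$1
    echo 01 > "$dir/MyCompanyCA.srl"
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/O=MyCompany/CN=MyCompanyCA" \
        -keyout "$dir/MyCompanyCA.pem" -out "$dir/MyCompanyCA.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/MyCompanyCA.csr" -signkey "$dir/MyCompanyCA.pem" \
        -days 730 -extfile "$dir/ca.ext" -out "$dir/MyCompanyCA.crt" 2>/dev/null
    # Certificate Authority List trusted by the server: only the root, as on the page.
    openssl x509 -in "$dir/MyCompanyCA.crt" -text > "$dir/ServerCAList.pem"
}

# Server: passphrase-less private key and a CSR whose subject CN is the
# hostname, signed by the root CA. No -signkey here: that would self-sign.
make_server_cert() {
    dir=$1
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/O=MyCompany/CN=$HOST" \
        -keyout "$dir/MyServer.pem" -out "$dir/MyServer.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$HOST" > "$dir/server.ext"
    openssl x509 -req -in "$dir/MyServer.csr" -CA "$dir/MyCompanyCA.crt" \
        -CAkey "$dir/MyCompanyCA.pem" -CAserial "$dir/MyCompanyCA.srl" -days 365 \
        -extfile "$dir/server.ext" -out "$dir/MyServer.crt" 2>/dev/null
}

# Check 1: the certificate must chain to the CA the server trusts.
# The output is inspected because old openssl releases exit 0 even on failure.
chains_to_ca() {  # $1 = CA certificate file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Check 2: the certificate must name the host clients connect to, both in
# the subject CN (what the page requires) and in the subjectAltName.
names_host() {  # $1 = certificate file, $2 = expected hostname
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2" &&
        openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# What a -signkey on the server step produces with older openssl: a
# self-signed server certificate. Built only so check 1 can be seen rejecting it.
make_selfsigned_server_cert() {
    dir=$1
    openssl x509 -req -in "$dir/MyServer.csr" -signkey "$dir/MyServer.pem" \
        -days 365 -out "$dir/MyServer-selfsigned.crt" 2>/dev/null
}

# Runs the whole procedure in directory $1; returns 0 only if both checks
# pass on the CA-signed certificate and check 1 rejects the self-signed one.
run_demo() {
    dir=$1
    make_root_ca "$dir"
    make_server_cert "$dir"
    make_selfsigned_server_cert "$dir"
    chains_to_ca "$dir/MyCompanyCA.crt" "$dir/MyServer.crt" || return 1
    names_host "$dir/MyServer.crt" "$HOST" || return 1
    if chains_to_ca "$dir/MyCompanyCA.crt" "$dir/MyServer-selfsigned.crt"; then
        return 1
    fi
    echo "MyServer.crt chains to MyCompanyCA.crt and names $HOST"
}

# Stand-alone usage: sh make-certs.sh /path/to/empty/dir
if [ $# -gt 0 ]; then
    run_demo "$1"
fi
```

The two checks are the ones to repeat whenever a certificate is renewed: a certificate that passes the first but not the second is accepted by openssl verify yet still rejected by clients, because hostname matching is done by the client against the name in the certificate, not by the chain validation.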
As the Web Server is in charge of the complete HTTPS protocol with all the clients, there is no additional GAS configuration needed to add security. Simply register the 4GL server to the list of Web Services of the GAS. For more information, refer to the Genero Application Server User Guide.
You must configure Apache to support HTTPS by adding the required modules. Please refer to the Apache Web server documentation for more information.
Once the Apache Web server supports HTTPS, you must change or add the following directives in the Apache configuration file:
Note: The Apache Web server must be started on the machine whose hostname is the one defined in the subject of the server's certificate (www.MyServer.com in our case).
You must configure Apache to support HTTP basic authentication by adding the required modules.
Please refer to the Apache Web server documentation for more information.
Once the Apache Web server supports HTTP basic authentication, you must:
Add a user to the Apache Web server basic authentication file with the same login and password as defined for the client.
Apache provides the tool htpasswd that you can use to create the file and add the user. To add the user mylogin with the password mypassword to a new file called myusers:
$ htpasswd -cb myusers mylogin mypassword
Note: To add additional users to the existing file, remove the option '-c' (it creates a new file, overwriting any existing one). The option '-b' takes the password from the command line; without it, htpasswd accepts only the file name and the login as arguments and prompts for the password, which also keeps the password out of the shell history.
Add an Apache Web server location directive that enables you to group several directives for one URL. (In our case, the URL is /cgi-bin/fglccgi.exe/ws/r/MyWebService).
The following example (based on Apache 2.0) defines the HTTP authentication type (Basic), with a user file (here myusers, created above) containing the login and password of those who are allowed to access the service. Comments in Apache configuration files must be on their own line, and AllowOverride is only valid inside a Directory section, not inside a Location section, so neither appears in the block below.
<Location /cgi-bin/fglccgi.exe/ws/r/MyWebService>
    Order allow,deny
    Allow from all
    #
    # Basic HTTP authenticate configuration
    #
    AuthName "Top secret"
    AuthType Basic
    AuthUserFile "D:/Apache-Server/conf/authenticate/myusers"
    # Means any user in the password file
    Require valid-user
</Location>
For more information about Apache Web server directives, refer to the Apache Web Server manual.