[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 130/156: Document sample mod_nss use cases, including FIPS.

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:35 UTC 2014


This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit 8eff5df729dcad9c229e637b752b762a4ad5472a
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Thu Feb 20 16:27:06 2014 -0500

    Document sample mod_nss use cases, including FIPS.
    
    Matthew Harmsen <mharmsen at redhat.com>
    
    Resolves #1036940
---
 docs/mod_nss.html | 299 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 297 insertions(+), 2 deletions(-)

diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index a1e14e2..b2fda6c 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -33,6 +33,7 @@
 <a href="#Database_Management">Database Management</a><br>
 <a href="#SSLv2">Why is SSLv2 disabled?</a><br>
 <a href="#FAQ">Frequently Asked Questions</a><br>
+<a href="#Sample_Use_Cases">Sample Use Cases</a><br>
 
 <h1><a name="Introduction"></a>Introduction</h1>
 The <a href="http://www.modssl.org/">mod_ssl</a> package was
@@ -1056,7 +1057,7 @@ man-in-the-middle attack so leaving this as on is strongly recommended.<br>
 <br>
 <span style="font-weight: bold;">Example</span><br>
 <br>
-<code>NSSProcyCheckPeerCN on</code><br>
+<code>NSSProxyCheckPeerCN on</code><br>
 <br>
 
 <h1><a name="Environment"></a>Environment Variables</h1>
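Review bot: the spelling fix in the example directive (`NSSProcyCheckPeerCN` to `NSSProxyCheckPeerCN`) is correct, since httpd refuses to start on an unknown directive name pasted from the old example, but it is unrelated to the sample use cases and the commit message does not mention it; either record it in the message or split it into its own commit so the change log stays accurate.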
@@ -1467,6 +1468,300 @@ Q. Does mod_nss support mod_proxy?<br>
 <br>
 A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
 provides a single interface for SSL providers and mod_nss defers to
-mod_ssl if it is loaded.
+mod_ssl if it is loaded.<br>
+
+<h1><a name="Sample_Use_Cases"></a>Sample Use Cases</h1>
+<h2>I. Restart Apache using the NSS Internal Software Token</h2>
+<ul>
+1. Become the <b>root</b> user.<br>
+<br>
+2. Install mod_nss.<br>
+<br>
+3. This use case will utilize the NSS security databases created during installation of mod_nss:<br>
+<br>
+<ul>
+<code>
+# certutil -L -d /etc/httpd/alias<br>
+<pre>
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+cacert                                                       CTu,Cu,Cu
+Server-Cert                                                  u,u,u
+alpha                                                        u,pu,u
+</pre>
+</code>
+<table>
+<tr>
+<td valign="top"><b>NOTE:   </b></td>
+<td valign="top">For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in <code>/etc/httpd/alias</code>), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the <code>/etc/httpd/conf.d/nss.conf</code> file such that mod_nss uses these NSS security databases.</td>
+</tr>
+</table>
+<br>
+</ul>
+4. Use <code>certutil</code> to apply a password to the NSS security databases configured in step 3 above:<br>
+<br>
+<ul>
+<code>
+# certutil -W -d /etc/httpd/alias<br>
+Enter Password or Pin for "NSS Certificate DB":<br>
+Enter a password which will be used to encrypt your keys.<br>
+The password should be at least 8 characters long,<br>
+and should contain at least one non-alphabetic character.<br>
+<br>
+Enter new password:<br>
+Re-enter password:<br>
+Password changed successfully.<br>
+</code>
+</ul>
+<br>
+5. Configure mod_nss to use the NSS internal software token:<br>
+<br>
+<ul>
+Edit <code>/etc/httpd/conf.d/nss.conf</code>:<br>
+<br>
+<ul>
+Replace:<br>
+<ul>
+<code>NSSPassPhraseDialog builtin</code><br>
+</ul>
+with:<br>
+<ul>
+<code>NSSPassPhraseDialog file:/etc/httpd/password.conf</code>
+</ul>
+<br>
+<ul>
+<table>
+<tr>
+<td valign="top"><b>NOTE:   </b></td>
+<td valign="top">Whenever <code>httpd</code> is invoked as a service/systemd process, the <code>NSSPassPhraseDialog builtin</code> parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server.  This is because the mod_nss test for issuing the password prompt <code>Please enter password for "internal" token:</code> on the command line is only displayed when the command <code>isatty(fileno(stdin))</code> is set to 'true', and when the comman [...]
+</tr>
+</table>
+</ul>
+<br>
+If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the <code>NSSNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
+<ul>
+<code>NSSNickname Server-Cert</code>
+</ul>
+<br>
+If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the <code>NSSECCNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
+<ul>
+<code>NSSECCNickname Server-Cert</code>
+</ul>
+<br>
+Make certain that the <code>NSSCertificateDatabase</code> parameter is uncommented and points to the NSS security databases directory configured in step 3 above:<br>
+<ul>
+<code>NSSCertificateDatabase /etc/httpd/alias</code>
+</ul>
+</ul>
+<br>
+Create the <code>/etc/httpd/password.conf</code> file:<br>
+<br>
+<ul>
+Add:<br>
+<ul>
+<code>internal:<password></code><br>
+</ul>
+Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.<br>
+</ul>
+<br>
+Apply the appropriate ownership and permissions to the <code>/etc/httpd/password.conf</code> file:<br>
+<br>
+<ul>
+<code># chgrp apache /etc/httpd/password.conf</code><br>
+<br>
+<code># chmod 640 /etc/httpd/password.conf</code><br>
+<br>
+<code>
+# ls -l /etc/httpd/password.conf<br>
+-rw-r-----. 1 root apache 18 Nov 27 14:05 /etc/httpd/password.conf<br>
+</code>
+<br>
+</ul>
+</ul>
+6. Restart the Apache server:<br>
+<br>
+<ul>
+<code>
+# service httpd restart<br>
+Redirecting to /bin/systemctl restart  httpd.service<br>
+</code>
+<code>
+<pre>
+# service httpd status
+Redirecting to /bin/systemctl status  httpd.service
+httpd.service - The Apache HTTP Server
+   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
+   Active: active (running) since Wed 2013-11-27 15:25:48 PST; 1min 11s ago
+  Process: 20804 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
+ Main PID: 20807 (httpd)
+   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
+   CGroup: name=systemd:/system/httpd.service
+           |_____20807 /usr/sbin/httpd -DFOREGROUND
+           |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
+           |_____20809 /usr/sbin/httpd -DFOREGROUND
+           |_____20810 /usr/sbin/httpd -DFOREGROUND
+           |_____20811 /usr/sbin/httpd -DFOREGROUND
+           |_____20812 /usr/sbin/httpd -DFOREGROUND
+           |_____20813 /usr/sbin/httpd -DFOREGROUND
+
+Nov 27 15:25:48 server.example.com systemd[1]: Started The Apache HTTP Server.
+</pre>
+</code>
+</ul>
+</ul>
+<h2>II. Restart Apache using the NSS FIPS Software Token</h2>
+<ul>
+1. Become the <b>root</b> user.<br>
+<br>
+2. Install mod_nss.<br>
+<br>
+3. This use case will utilize the NSS security databases created during installation of mod_nss:<br>
+<br>
+<ul>
+<code>
+# certutil -L -d /etc/httpd/alias<br>
+<pre>
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+cacert                                                       CTu,Cu,Cu
+Server-Cert                                                  u,u,u
+alpha                                                        u,pu,u
+</pre>
+</code>
+<table>
+<tr>
+<td valign="top"><b>NOTE:   </b></td>
+<td valign="top">For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in <code>/etc/httpd/alias</code>), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the <code>/etc/httpd/conf.d/nss.conf</code> file such that mod_nss uses these NSS security databases.</td>
+</tr>
+</table>
+<br>
+</ul>
+4. Use <code>certutil</code> to apply a password to the NSS security databases configured in step 3 above:<br>
+<br>
+<ul>
+<code>
+# certutil -W -d /etc/httpd/alias<br>
+Enter Password or Pin for "NSS Certificate DB":<br>
+Enter a password which will be used to encrypt your keys.<br>
+The password should be at least 8 characters long,<br>
+and should contain at least one non-alphabetic character.<br>
+<br>
+Enter new password:<br>
+Re-enter password:<br>
+Password changed successfully.<br>
+</code>
+</ul>
+<br>
+5. Configure mod_nss to use the NSS FIPS software token:<br>
+<br>
+<ul>
+Edit <code>/etc/httpd/conf.d/nss.conf</code>:<br>
+<br>
+<ul>
+Replace:<br>
+<ul>
+<code>NSSPassPhraseDialog builtin</code><br>
+</ul>
+with:<br>
+<ul>
+<code>NSSPassPhraseDialog file:/etc/httpd/password.conf</code>
+</ul>
+<br>
+<ul>
+<table>
+<tr>
+<td valign="top"><b>NOTE:   </b></td>
+<td valign="top">Whenever <code>httpd</code> is invoked as a service/systemd process, the <code>NSSPassPhraseDialog builtin</code> parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server.  This is because the mod_nss test for issuing the password prompt <code>Please enter password for "NSS FIPS 140-2 Certificate DB" token:</code> on the command line is only displayed when the command <code>isatty(fileno(stdin))</code> is set to 'true' [...]
+</tr>
+</table>
+</ul>
+<br>
+To enable FIPS mode for mod_nss, add the following parameter:
+<ul>
+NSSFIPS on
+</ul>
+after the line marked:
+<ul>
+NSSEngine on
+</ul>
+<br>
+If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the <code>NSSNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
+<ul>
+<code>NSSNickname Server-Cert</code>
+</ul>
+<br>
+If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the <code>NSSECCNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
+<ul>
+<code>NSSECCNickname Server-Cert</code>
+</ul>
+<br>
+Make certain that the <code>NSSCertificateDatabase</code> parameter is uncommented and points to the NSS security databases directory configured in step 3 above:<br>
+<ul>
+<code>NSSCertificateDatabase /etc/httpd/alias</code>
+</ul>
+</ul>
+<br>
+Create the <code>/etc/httpd/password.conf</code> file:<br>
+<br>
+<ul>
+Add:<br>
+<ul>
+<code>NSS FIPS 140-2 Certificate DB:<password></code><br>
+</ul>
+Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.<br>
+<br>
+<table>
+<tr>
+<td valign="top"><b>IMPORTANT:   </b></td>
+<td valign="top">Notice that since the NSS FIPS software token is being used, the contents of the <code>/etc/httpd/password.conf</code> file references the password for the NSS FIPS software token (<code>NSS FIPS 140-2 Certificate DB:<password></code>) rather than the NSS internal software token (<code>internal:<password></code>).</td>
+</tr>
+</table>
+</ul>
+<br>
+Apply the appropriate ownership and permissions to the <code>/etc/httpd/password.conf</code> file:<br>
+<br>
+<ul>
+<code># chgrp apache /etc/httpd/password.conf</code><br>
+<br>
+<code># chmod 640 /etc/httpd/password.conf</code><br>
+<br>
+<code>
+# ls -l /etc/httpd/password.conf<br>
+-rw-r-----. 1 root apache 39 Nov 27 15:48 /etc/httpd/password.conf<br>
+</code>
+<br>
+</ul>
+</ul>
+6. Restart the Apache server:<br>
+<br>
+<ul>
+<code>
+# service httpd restart<br>
+Redirecting to /bin/systemctl restart  httpd.service<br>
+</code>
+<code>
+<pre>
+# service httpd status
+Redirecting to /bin/systemctl status  httpd.service
+httpd.service - The Apache HTTP Server
+   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
+   Active: active (running) since Wed 2013-11-27 16:26:07 PST; 4s ago
+  Process: 21296 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
+ Main PID: 21299 (httpd)
+   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
+   CGroup: name=systemd:/system/httpd.service
+           |_____21299 /usr/sbin/httpd -DFOREGROUND
+           |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
+           |_____21340 /usr/sbin/httpd -DFOREGROUND
+           |_____21341 /usr/sbin/httpd -DFOREGROUND
+           |_____21342 /usr/sbin/httpd -DFOREGROUND
+
+Nov 27 16:26:07 server.example.com systemd[1]: Started The Apache HTTP Server.
+</pre>
+</code>
+</ul>
+</ul>
 </body>
 </html>
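Review bot: the literal `<password>` placeholders in the new section are unescaped HTML, so a browser parses `<code>internal:<password></code>`, `<code>NSS FIPS 140-2 Certificate DB:<password></code>` and the IMPORTANT note as containing an unknown `<password>` element and renders only `internal:`; write them as `&lt;password&gt;`. Several other markup points in the same region: the `<pre>` blocks are nested inside inline `<code>` elements, the numbered steps use `<ul>` purely for indentation with no `<li>` (both invalid HTML), and in section II the `NSSFIPS on` and `NSSEngine on` directives are bare text where every other directive is in `<code>`. Sections I and II duplicate steps 1 through 4 and most of step 5 verbatim; describing section II as the delta from section I (the `NSSFIPS on` directive after `NSSEngine on`, and the `NSS FIPS 140-2 Certificate DB:` token name in password.conf instead of `internal:`) would keep the two copies from drifting apart. Since password.conf holds the token password in cleartext, the `chgrp apache` / `chmod 640` step is the right one to show; it would help to say explicitly that anyone in the apache group can read the key password, so that group membership must stay minimal. Finally, the NOTE text explaining the `isatty(fileno(stdin))` check is cut off at `[...]` in this notification in both sections, so that paragraph could not be reviewed here.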

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git