WebtoB Web Server SSL Configuration Guide - Ver 1.0 - June 2008
Revision history
Version   Revision date   Contents
Ver 1.0   June 2008       WebtoB Web Server SSL guide, first draft

This document was written with reference to the Secure Server Deployment Guide of the Ministry of Information and Communication / Korea Information Security Agency (KISA). Unauthorized use or reproduction of the contents of this document is prohibited.
< Table of Contents >
1. Generating the private key and CSR
2. Installing the secure server certificate
   a. Checking the issued certificates
   b. Configuring WebtoB
3. Starting the secure web server
4. Copying the SSL certificate and key to another server
1. Generating the private key and CSR

(1) Generate the CertificateKeyFile (server private key) with the ca command
All fields accept only Latin letters and digits. Refer to the example below.
Country Name (country code) : KR
State or Province Name (province/city) : Seoul
Locality Name (district/county) : GangNam
Organization Name (company name) : KFTC
Organizational Unit Name (department) : Digital Certificate Center
Common Name (domain name to be certified) : www.yessign.or.kr

[root:/webtob]./bin/ca -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: (set the private key pass phrase)
Verifying - Enter PEM pass phrase: (re-enter the pass phrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:KR
State or Province Name (full name) []:Gangnam
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Tmax Ltd]:KFTC
Organizational Unit Name (eg, section) []:Digital Certificate Center
Common Name (eg, YOUR name) []:www.yessign.or.kr
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

The pass phrase entered here is used again when generating the CSR, installing the certificate, and starting the secure server, so be sure to remember it.

(2) Save the private key and CSR as separate files
- The "newreq.pem" file generated above contains two sections, the private key and the CSR. Split it so that the private key part is saved as "key.pem" and the CSR part as "csr.txt".
- Example of the contents of newreq.pem (the base64 body lines are abbreviated):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,447AF17A17052543
......
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
......
-----END CERTIFICATE REQUEST-----
- Saved as "key.pem": the first block, from "-----BEGIN RSA PRIVATE KEY-----" through "-----END RSA PRIVATE KEY-----", including the Proc-Type and DEK-Info header lines.
- Saved as "csr.txt": the second block, from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----".

(3) Submit the CSR to yessign
- Go to the yessign SSL website (https://www.yessign.or.kr/ssl/), request certificate issuance, and paste the contents of the "csr.txt" file into the CSR input field.
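A shell script, added here and not part of the original guide, that performs step (2) above mechanically: it splits newreq.pem into key.pem and csr.txt by their BEGIN/END markers, restricts the key file's permissions, and reports success only if exactly one pass-phrase-protected key block and one request block were found. The input file is constructed inline with placeholder bodies, and the temporary output directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide: split the newreq.pem written by
# "./bin/ca -newreq" into key.pem (private key) and csr.txt (request).
# Assumes only a POSIX shell, awk and grep; file names follow the guide.

split_pem() {
    in="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Copy each line from a BEGIN marker through its END marker into the file
    # chosen by the block type; text outside the markers is dropped.
    awk -v dir="$outdir" '
        /^-----BEGIN RSA PRIVATE KEY-----/     { out = dir "/key.pem" }
        /^-----BEGIN CERTIFICATE REQUEST-----/ { out = dir "/csr.txt" }
        out != "" { print > out }
        /^-----END / { close(out); out = "" }
    ' "$in"
    # The private key must not be readable by other users.
    [ -f "$outdir/key.pem" ] && chmod 600 "$outdir/key.pem"
    return 0
}

# Print how many BEGIN markers of one block type a file holds (0 if absent).
count_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Succeed only if key.pem holds exactly one pass-phrase-protected key and
# csr.txt exactly one request, which is what the rest of the guide expects.
check_split() {
    [ "$(count_blocks "$1/key.pem" 'RSA PRIVATE KEY')" -eq 1 ] || return 1
    [ "$(count_blocks "$1/csr.txt" 'CERTIFICATE REQUEST')" -eq 1 ] || return 1
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1/key.pem" || return 1
}

# Constructed stand-in for newreq.pem; the real base64 bodies are placeholders.
TMP=$(mktemp -d)
cat > "$TMP/newreq.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,447AF17A17052543

KEYBODYPLACEHOLDER==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
CSRBODYPLACEHOLDER=
-----END CERTIFICATE REQUEST-----
EOF
split_pem "$TMP/newreq.pem" "$TMP/out"
check_split "$TMP/out" && echo "key.pem and csr.txt written to $TMP/out"
```

Run it with the real newreq.pem path and the WebtoB ssl directory as arguments to split_pem; the csr.txt it writes is what gets pasted into the yessign request form.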
2. Installing the secure server certificate
To provide an SSL web service, the chain certificate that belongs with the secure server certificate must be installed at the same time. Follow the installation guide below and install both the secure server certificate and the chain certificate on the web server; only then can every kind of web browser be served without problems. If the complete secure server certificate chain is not installed on the web server, some web browsers may show security warnings such as the following.
< Warning dialog in Microsoft Internet Explorer 6.0 and earlier >
< Warning screen in Microsoft Internet Explorer 7.0 >
a. Checking the issued certificates
The attachment to the e-mail received from the yessign SSL website administrator contains the following three certificates:
- sslcert.cer : the issued secure server certificate
- sslca.cer : the secure server chain certificate
- sslroot.cer : the secure server root certificate

b. Configuring WebtoB
WebtoB applies a configuration only after the configuration file has been edited, compiled into a binary configuration file, and the web server restarted, so proceed through the steps below.
(1) In the "config" directory under the WebtoB installation directory, copy the existing configuration file "http.m" to a new file "http_ssl.m".
(2) Edit "http_ssl.m" as shown below. Create a VHOST that uses SSL on port 443, and in the SSL definition whose SSLNAME is yessignssl set the paths to the certificate and private key files. Everything other than the parts shown in red keeps the existing configuration as is.

*DOMAIN
testweb

*NODE
test    WEBTOBDIR="/usr/local/webtob",
        SHMKEY = 54000,
        DOCROOT="/usr/local/webtob/docs",
        HOSTNAME = "www.yessign.or.kr",
        PORT = "80",
        LOGGING = "log1",
        ERRORLOG = "log2",
        HTH = 1

*VHOST
yessignvhost
        DOCROOT="/usr/local/webtob/docs",
        NODENAME= test,
        HOSTNAME = "www.yessign.or.kr",
        SSLNAME="yessignssl",
        PORT="443",
        SSLFLAG = Y

*SSL
yessignssl
        CertificateFile = "/usr/local/webtob/ssl/sslcert.cer",
        CertificateKeyFile = "/usr/local/webtob/ssl/key.pem",
        CACertificateFile = "/usr/local/webtob/ssl/sslca.cer"

*SVRGROUP
htmlg   NODENAME = test, SvrType = HTML
cgig    NODENAME = test, SVRTYPE = CGI
ssig    NODENAME = test, SVRTYPE = SSI

*SERVER
html    SVGNAME = htmlg, MinProc = 3, MaxProc = 10
cgi     SVGNAME = cgig, MinProc = 3, MaxProc = 10
ssi     SVGNAME = ssig, MinProc = 3, MaxProc = 10

*URI
uri1    Uri = "/cgi-bin/", Svrtype = CGI

*ALIAS
alias1  URI = "/cgi-bin/", RealPath = "/usr/local/webtob/cgi-bin/"

*LOGGING
log1    Format = "DEFAULT", FileName = "/usr/local/webtob/log/access.log", Option = "sync"
log2    Format = "ERROR", FileName = "/usr/local/webtob/log/error.log", Option = "sync"

*EXT
htm     MimeType = "text/html", SvrType = HTML

(3) Compile the configuration file "http_ssl.m".
[root:/webtob/config]./bin/wscfl -i http_ssl.m -o sslconfig
Current configuration:
Number of client handler(hth) = 1
Supported maximum user per node = 975
Supported maximum user per handler = 975
CFL is done successfully for node(test(test))
3. Starting the secure web server
(1) Restart the WebtoB server so that the new configuration takes effect. The configuration for SSL operation was generated as "sslconfig". When prompted for the pass phrase, enter the one set in section 1 at the "Generate the CertificateKeyFile (server private key)" step.
[root:/webtob]./bin/wsboot -f sslconfig
WSBOOT for node(test) is starting:
Today: 2007/06/22
WSBOOT: WSM is starting: 06/22/04 16:05:22
WSBOOT: HTL is starting: 06/22/04 16:05:22
WSBOOT: HTH is starting: 06/22/04 16:05:22
Current WebtoB Configuration:
Number of client handler(hth) = 1
Supported maximum user per node = 975
Supported maximum user per handler = 975
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server www.yessign.or.kr:443 (RSA)
Enter pass phrase: ********
WSBOOT: SVR(/usr/local/webtob/bin/htmls) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/htmls) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/htmls) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/cgis) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/cgis) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/cgis) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/ssis) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/ssis) is starting: 06/22/04 16:05:26
WSBOOT: SVR(/usr/local/webtob/bin/ssis) is starting: 06/22/04 16:05:26
(2) When you access the web server from a browser using the "https://" protocol, a yellow padlock icon appears at the bottom of the browser window (in Internet Explorer). Double-click the icon and confirm that the certificate path is displayed completely.
4. Copying the SSL certificate and key to another server
(1) Copy the server certificate (sslcert.cer), CA certificate (sslca.cer), and private key (key.pem) files used in "2. Installing the secure server certificate" to the other web server.
(2) Configure the SSL certificate settings through the configuration file as described in "2. Installing the secure server certificate".
(3) Restart the web server as described in section 3 and verify with a web browser that SSL is applied.