Oracle HTTP Server (Multi-Domain) SSL Certificate Renewal and Installation Guide

This document was prepared by Korea Corporation Security Co., Ltd. (한국기업보안) for the installation of SSL secure-server certificates and may not be used without the consent of Korea Corporation Security Co., Ltd.

[Customer Center] Korea Corporation Security, uCert Technical Team, 02-512-9375
Multi & Wildcard

1. Installing the certificate in OHS

* Check the $ORACLE_HOME/opmn/conf/opmn.xml file

[oracle@ucert default]$ vi /App/UCERT/opmn/conf/opmn.xml

<ias-component id="http_server">
  <process-type id="http_server" module-id="ohs">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-enabled"/>
      </category>
    </module-data>
    <process-set id="http_server" numprocs="1"/>
  </process-type>
</ias-component>

* Note: if the start-mode value is ssl-disabled, change it to ssl-enabled.

1) Edit the OHS environment file httpd.conf with vi.

[oracle@ucert default]$ vi /App/UCERT/Apache/Apache/conf/httpd.conf

* Note: if the following lines are commented out, uncomment them.

<IfDefine SSL>
LoadModule ossl_module "/App/UCERT/Apache/Apache/modules/mod_ossl.so"
</IfDefine>

* Note: check the file referenced here.

# Include the SSL definitions and Virtual Host container
include "/App/UCERT/Apache/Apache/conf/ssl.conf"
2) Edit the SSL environment file ssl.conf with vi.

[oracle@ucert default]$ vi /App/UCERT/Apache/Apache/conf/ssl.conf

<IfDefine SSL>

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache         none
#SSLSessionCache         dbm:/App/UCERT/Apache/Apache/logs/ssl_scache
SSLSessionCache         shmcb:/App/UCERT/Apache/Apache/logs/ssl_scache(512000)

#   SessionCache Timeout:
#   This directive sets the timeout in seconds for the information stored
#   in the global/inter-process SSL Session Cache. It can be set as low as
#   15 for testing, but should be set to higher values like 300 in real life.
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/App/UCERT/Apache/Apache/logs/ssl_mutex

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file. Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      /App/UCERT/Apache/Apache/logs/ssl_engine_log
SSLLogLevel warn

##
## SSL Virtual Host Context
##
## NOTE: this value should match the SSL Listen directive set previously in this
## file otherwise your virtual host will not respond to SSL requests.
##

#   Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
## NOTE: if virtual hosts are used and you change a port value below from the
## original value, be sure to update the default port used for your virtual
## hosts as well.

* Note: service port setting

Listen 443

* Note: virtual host setting

<VirtualHost *:443>

#  General setup for the virtual host
DocumentRoot "/App/UCERT/Apache/Apache/htdocs"
ServerName sso.ucert.co.kr
ServerAdmin you@your.address
ErrorLog "|/App/UCERT/Apache/Apache/bin/rotatelogs /App/UCERT/Apache/Apache/logs/error_ssl_log 43200"
TransferLog "|/App/UCERT/Apache/Apache/bin/rotatelogs /App/UCERT/Apache/Apache/logs/access_ssl_log 43200"
Port 443

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

#   Server Wallet:
#   The server wallet contains the server's certificate, private key
#   and trusted certificates. Set SSLWallet at the wallet directory
#   using the syntax: file:<path-to-wallet-directory>

* Note: certificate path setting

SSLWallet file:/App/UCERT/Apache/Apache/conf/ssl.wlt/default

* Note: the certificate path is the wallet directory, not a file.

* Note: certificate (wallet) password setting

SSLWalletPassword ucert1234

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /App/UCERT/Apache/Apache/conf/ssl.crl
#SSLCARevocationFile /App/UCERT/Apache/Apache/conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional and require
#SSLVerifyClient require

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31zmtzzkva'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/App/UCERT/Apache/Apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#CustomLog /App/UCERT/Apache/Apache/logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

RewriteEngine on
RewriteOptions inherit

</VirtualHost>

////////////////////////////////////////////////

* Note: install the other domain here.

<VirtualHost *:443>

#  General setup for the virtual host
DocumentRoot "/App/UCERT/Apache/Apache/htdocs"
ServerName legend.ucert.co.kr
ServerAdmin you@your.address
ErrorLog "|/App/UCERT/Apache/Apache/bin/rotatelogs /App/UCERT/Apache/Apache/logs/error_ssl_log 43200"
TransferLog "|/App/UCERT/Apache/Apache/bin/rotatelogs /App/UCERT/Apache/Apache/logs/access_ssl_log 43200"
Port 443

< omitted >

* Note: certificate path setting. Set it identically to the first virtual host above.

SSLWallet file:/App/UCERT/Apache/Apache/conf/ssl.wlt/default

* Note: the certificate path is the wallet directory, not a file.

* Note: set the same certificate (wallet) password

SSLWalletPassword ucert1234

</VirtualHost>

</IfDefine>
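With a multi-domain (or wildcard) certificate, every ServerName that points at the shared wallet has to be covered by a Subject Alternative Name on that certificate, or browsers will reject the second domain even though the wallet loads. The following is an added example, not part of the uCert guide or of Oracle HTTP Server: it pulls the ServerName and SSLWallet directives out of an ssl.conf (a constructed excerpt mirroring the two virtual hosts above is embedded) and reports the names that no SAN covers, applying the one-label wildcard rule browsers use (*.ucert.co.kr covers sso.ucert.co.kr but not ucert.co.kr or a.b.ucert.co.kr). The SAN list is an assumed input you would take from the issued certificate.

```python
"""Check that every ServerName in an OHS ssl.conf is covered by the certificate's SANs.

Added example, not from the uCert guide. The ssl.conf excerpt and the SAN lists
are constructed for the demonstration; sso.ucert.co.kr and legend.ucert.co.kr are
the two ServerNames the guide configures.
"""
import re

# Constructed excerpt mirroring the two <VirtualHost *:443> blocks in the guide.
SSL_CONF = """
<IfDefine SSL>
Listen 443
<VirtualHost *:443>
    ServerName sso.ucert.co.kr
    SSLEngine on
    SSLWallet file:/App/UCERT/Apache/Apache/conf/ssl.wlt/default
</VirtualHost>
<VirtualHost *:443>
    ServerName legend.ucert.co.kr
    SSLWallet file:/App/UCERT/Apache/Apache/conf/ssl.wlt/default
</VirtualHost>
</IfDefine>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLWallet)\s+(\S+)", re.M | re.I)


def parse_vhosts(conf_text):
    """Return one dict {addr, servername, wallet} per <VirtualHost> block."""
    vhosts = []
    for block in VHOST_RE.finditer(conf_text):
        entry = {"addr": block.group(1).strip(), "servername": None, "wallet": None}
        for d in DIRECTIVE_RE.finditer(block.group(2)):
            field = "servername" if d.group(1).lower() == "servername" else "wallet"
            entry[field] = d.group(2)
        vhosts.append(entry)
    return vhosts


def san_matches(san, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one leftmost label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == san[2:]
    return san == hostname


def uncovered_servernames(conf_text, sans):
    """ServerNames in conf_text that no SAN in `sans` covers (empty list = all covered)."""
    return [
        v["servername"]
        for v in parse_vhosts(conf_text)
        if v["servername"] and not any(san_matches(s, v["servername"]) for s in sans)
    ]


def wallets_in_use(conf_text):
    """Distinct SSLWallet paths; the guide expects a single shared wallet."""
    return sorted({v["wallet"] for v in parse_vhosts(conf_text) if v["wallet"]})


if __name__ == "__main__":
    # Constructed SAN list for a certificate that only names the first domain.
    missing = uncovered_servernames(SSL_CONF, ["sso.ucert.co.kr"])
    print("not covered by certificate:", missing or "none")
    print("wallets:", wallets_in_use(SSL_CONF))
```

Run it against the real file by reading ssl.conf into SSL_CONF and feeding the SAN list from the issued certificate (for example the output of `openssl x509 -noout -ext subjectAltName`); a non-empty result means that ServerName needs its own virtual host with a different wallet, or the certificate needs to be reissued with that name.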
3) Place the completed certificate (wallet) at the path set for "SSLWallet" in ssl.conf.

[oracle@ucert default]$ pwd
/App/UCERT/Apache/Apache/conf/ssl.wlt/default

2. Restarting OHS

[oracle@ucert default]$ opmnctl stopall
[oracle@ucert default]$ opmnctl startall

3. Checking the certificate

[root@localhost ~]# netstat -nap | grep httpd
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN

* Note: once port 443 is in the LISTEN state, use the command below to check the certificate locally.

How to check the certificate expiry date

[root@localhost ~]# openssl s_client -connect localhost:443 < /dev/null 2>&1 | openssl x509 -noout -enddate
notAfter=Dec 20 23:59:59 2016 GMT

Note: if the certificate is printed correctly locally but a browser cannot connect from outside via https://[domain], check that the SSL port is allowed on the internal firewall (e.g. iptables) and on external firewalls, or that the certificate is installed on the web application firewall.
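The one-line `notAfter=` output above is the fact a renewal is planned around, so it is worth turning into a number of days rather than reading it by eye. The following is an added example, not part of the uCert guide: fetch_not_after() repeats the guide's check (an unverified TLS connection followed by `openssl x509 -noout -enddate`) from Python and needs a live server plus the openssl binary, while parse_not_after(), days_remaining() and renewal_due() work offline on that one line and are exercised with a constructed sample matching the date the guide shows. The 30-day renewal threshold is an assumption.

```python
"""Read the notAfter date of a served certificate and decide whether renewal is due.

Added example, not from the uCert guide. Only fetch_not_after() touches the
network; the parsing and day arithmetic work on the text line alone.
"""
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample: the form of line `openssl x509 -noout -enddate` prints.
SAMPLE_ENDDATE = "notAfter=Dec 20 23:59:59 2016 GMT"


def fetch_not_after(host, port=443):
    """Fetch the served leaf certificate without verification (as s_client does)
    and return the enddate line that openssl prints for it."""
    pem = ssl.get_server_certificate((host, port))
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def parse_not_after(line):
    """Turn 'notAfter=Dec 20 23:59:59 2016 GMT' into a timezone-aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key.lower() != "notafter":
        raise ValueError(f"unexpected enddate line: {line!r}")
    # openssl pads single-digit days with a space ("Jan  5 ..."); collapse whitespace
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_remaining(line, now=None):
    """Whole days from `now` (default: current UTC time) until the certificate expires;
    negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(line) - now).days


def renewal_due(line, now=None, threshold_days=30):
    """True when the certificate expires within threshold_days or has already expired."""
    return days_remaining(line, now) <= threshold_days


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    enddate = fetch_not_after(target)
    print(enddate, "-> days remaining:", days_remaining(enddate),
          "-> renewal due:", renewal_due(enddate))
```

Because ssl.get_server_certificate() does not verify the chain, this only tells you which certificate the wallet is serving and when it expires; it does not confirm that the chain validates, which is why the guide also asks for a browser check from outside.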
Example: connecting to https://www.ucert.co.kr

After opening the domain in the browser, press the Alt key, choose File > Properties > Certificates, then select "View certificate" to see the certificate details. Check that the issued-to name and the validity period are correct.

Copyright 2018. Korea Corporation Security Co., Ltd. All pictures cannot be copied without permission.