Forum OpenACS Q&A: An OpenSSL/Aolserver HOWTO

Posted by Pascal Scheffers on
I have created a first draft for a HOWTO install nsOpenSSL and get a
server certificate. I would very much appreciate it if someone would
test it.
After you have installed openssl you will need to install the
patch at
http://pascal.scheffers.net/patch/openssl.patch (which has NOT been
tested by anyone but me, AFAIK, so use with care and read my previous
post).

You can find the HOWTO at
http://pascal.scheffers.net/patch/openssl.txt

The .txt does not look very pretty in Mozilla, sorry.

Posted by Hans Gaasenbeek on
Hello!

I have almost finished converting the howto in HTML format, and will
post it when ready. I will be needing it in due course.

Note to Pascal (written in Dutch):
Strange, really, that Dutch people communicate with each other in English
here, isn't it? Are there actually more people working with OpenACS?

Posted by Michel Henry de Generet on
I am not Dutch, but I understand and speak Dutch, only moderately. I also speak French, though my English is not as good as Ben's! See you.
Posted by Jade Rubick on
Pascal, in your Howto, you mention you'll talk about beginning your own certificate authority, but AFAICT, you don't discuss how to do this.

I did this a year ago using Sean's older howto, but I don't remember exactly what I did, and my certificate has expired.

Do you just use the test certificate?

How do I sign my certificate without using a third party service?

Posted by Pascal Scheffers on
It's in the openssl howto on my server, search for 'Creating a certificate'. Use genrsa to generate a new key and the 'req' openssl command to create a new self-signed certificate.

- Pascal
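Pascal's answer names the two openssl steps (genrsa, then req). The script below is an added example, not from the HOWTO or from anyone in this thread: it runs those two steps and then checks that the key and certificate actually belong together, which is worth doing before nsopenssl is pointed at the files. The output names follow the sample nsopenssl config (keyfile.pem, certfile.pem); the directory, common name and validity period are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the HOWTO or this thread): generate a private key
# with "openssl genrsa" and a self-signed certificate with "openssl req",
# then confirm the two files form a pair before nsopenssl loads them.
# File names follow the sample nsopenssl config (keyfile.pem, certfile.pem);
# DIR, CN and DAYS are chosen by the caller.
set -eu

# make_self_signed DIR CN [DAYS]
# Writes DIR/keyfile.pem (mode 0600, unencrypted) and DIR/certfile.pem and
# prints the certificate subject.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"

    # Step 1: the RSA key. It is written unencrypted so the server can start
    # without a passphrase, so restrict the file mode while it is created.
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$dir/keyfile.pem" 2048 2>/dev/null
    umask "$old_umask"

    # Step 2: "req -x509" signs the request with the same key instead of
    # emitting a CSR for a CA, which is what "self-signed" means here.
    openssl req -new -x509 -key "$dir/keyfile.pem" -out "$dir/certfile.pem" \
        -days "$days" -subj "/CN=$cn" 2>/dev/null
    chmod 644 "$dir/certfile.pem"

    openssl x509 -in "$dir/certfile.pem" -noout -subject
}

# key_matches_cert KEYFILE CERTFILE
# Exit 0 when the public key inside the certificate is the one derived from
# the private key; that pairing is what the server needs at load time.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Usage: ./make-self-signed.sh /usr/local/aolserver/servers/birdnotes/modules/nsopenssl www.example.org 365
if [ $# -ge 2 ]; then
    make_self_signed "$1" "$2" "${3:-365}"
    key_matches_cert "$1/keyfile.pem" "$1/certfile.pem" && echo "key and certificate match"
fi
```

Run it with the module directory and the hostname as arguments; the subject line it prints is the one browsers will show, and the final line confirms the pair is consistent.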

Posted by jay he on
I tried to install nsopenssl for OpenACS 4.5 beta but without any luck.

I followed the instructions here and copied the configuration from http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration/.

After I restart the server, I still can't have https work. How can I install nsopenssl and configure nsopenssl under OACS4.5?

Thanks,

Posted by Bart Teeuwisse on
Jay, did you read the https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0003NP thread? That might be your problem. Can you connect to your secure server when you type the https address? Are there any error messages in the log?

/Bart

Posted by jay he on
Bart, thanks.

I read the https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0003NP thread.

The /web/birdnotes/packages/acs-tcl/tcl/admin-procs.tcl has been modified to set ssl_port [ns_config -int "ns/server/[ns_info server]/module/nsopenssl" ServerPort 443].

I can't connect to the secure server when I type the https address. No page served. And I can't find any error messages in the log.

Port 443 is open. I followed the instruction in https://openacs.org/doc/openacs-4/ and copied the nsd.tcl from https://openacs.org/doc/openacs-4/files/openacs4.tcl.txt.

I commented out the following nsssl configuration settings:


# 
# nsssl: Only loads if keyfile.pem and certfile.pem exist.
# If you are using SSL, make sure you have these dirs and files (refer
# to the AOLserver docs)

#set sslkeyfile ${homedir}/servers/${server}/modules/nsssl/keyfile.pem
#set sslcertfile ${homedir}/servers/${server}/modules/nsssl/certfile.pem


# 
# Socket driver module (HTTPS) -- nsssl 
# 
#  nsssl does not load unless sslkeyfile/sslcertfile exist (above).
# 
#ns_section ns/server/${server}/module/nsssl 
#ns_param   port        $httpsport 
#ns_param   hostname    $hostname 
#ns_param   address     $address 
#ns_param   keyfile     $sslkeyfile 
#ns_param   certfile    $sslcertfile

#
## nsssl: loads only if requisite files already exist (see top of this
# file). 
#
#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
#    ns_param nsssl ${bindir}/nsssle.so 
#
#} else { 
#    ns_log warning "nsd.tcl: nsssl not loaded because key/cert files #do not exist."
#}

The port I set is 80/443, not 8000/8443 in the sample configuration file. And I put the sample configuration for nsopenssl2.1 from http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration/ as the following:
ns_section "ns/server/${server}/module/nsopenssl"

# NSD-driven connections:
ns_param ServerPort                      $httpsport
ns_param ServerHostname                  $hostname
ns_param ServerAddress                   $address
ns_param ServerCertFile                  certfile.pem
ns_param ServerKeyFile                   keyfile.pem
ns_param ServerProtocols                 "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite               "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache              false
ns_param ServerSessionCacheID            1
ns_param ServerSessionCacheSize          512
ns_param ServerSessionCacheTimeout       300
ns_param ServerPeerVerify                true
ns_param ServerPeerVerifyDepth           3
ns_param ServerCADir                     ca
ns_param ServerCAFile                    ca.pem
ns_param ServerTrace                     false

# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile              certfile.pem
ns_param SockServerKeyFile               keyfile.pem
ns_param SockServerProtocols             "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache          false
ns_param SockServerSessionCacheID        2
ns_param SockServerSessionCacheSize      512
ns_param SockServerSessionCacheTimeout   300
ns_param SockServerPeerVerify            true
ns_param SockServerPeerVerifyDepth       3
ns_param SockServerCADir                 internal_ca
ns_param SockServerCAFile                internal_ca.pem
ns_param SockServerTrace                 false

# Outgoing SSL connections
ns_param SockClientCertFile              clientcertfile.pem
ns_param SockClientKeyFile               clientkeyfile.pem
ns_param SockClientProtocols             "SSLv2, SSLv3, TLSv1"
ns_param SockClientCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockClientSessionCache          false
ns_param SockClientSessionCacheID        3
ns_param SockClientSessionCacheSize      512
ns_param SockClientSessionCacheTimeout   300
ns_param SockClientPeerVerify            true
# The sample config had "SockServerPeerVerifyDepth" here (a second copy of the
# server parameter), so the client depth was never set; the log below shows it
# at its default of 10.
ns_param SockClientPeerVerifyDepth       3
ns_param SockClientCADir                 ca
ns_param SockClientCAFile                ca.pem
ns_param SockClientTrace                 false

# Typically where you store your certificates
# Defaults to $AOLSERVER/servers/${server}/modules/nsopenssl
ns_param ModuleDir                       /Path/to/dir

# OpenSSL library support:
ns_param RandomFile                      /some/file
ns_param SeedBytes                       1024
 
I changed ns_param ModuleDir to ns/server/${server}/module/nsopenssl and created certfile.pem and keyfile.pem in the directory /usr/local/aolserver/servers/birdnotes/module/nsopenssl.

I changed the combination in the configuration file several times, but no luck.

When I tried to put nsopenssl.so under the ns_section ns/server/${server}/modules, like ns_param nsopenssl ${bindir}/nsopenssl.so, the server just died.

If I comment that out, aolserver works with the following error message (from log):

[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: Module directory set by ModuleDir to
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerPeerVerify = 1
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerPeerVerifyDepth = 3
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerTrace = 0
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerCertFile = /certfile.pem
[03/Jun/2002:21:34:20][12723.1024][-main-] Error: nsopenssl: error loading certificate file "/certfile.pem"
[03/Jun/2002:21:34:20][12723.1024][-main-] Debug: nsopenssl: freeing(0x8165938)
[03/Jun/2002:21:34:20][12723.1024][-main-] Error: modload: failed to load '/usr/local/aolserver/bin/nsopenssl.so': 'Ns_ModuleInit' returned -1
[03/Jun/2002:21:34:21][12735.1024][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'
Any idea? Thanks, Jay
Posted by Bart Teeuwisse on
Jay, it appears that the ModuleDir parameter in the nsopenssl section has no effect. The error message indicates that nsopenssl is looking for the .pem in the root directory. I checked my configuration and noticed that I don't use the ModuleDir parameter at all. Instead I refer to the .pem files by their full path.

Give that a shot and report back if you can.

/Bart

Posted by jay he on
Thanks, Bart.

I commented out the ModuleDir part, but it didn't fix the problem. Also I noticed this thread and followed Zack's configuration for nsopenssl.

I set up my sslcertfile and sslkeyfile as follows:

set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/keyfile.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/certfile.pem
I copied the test-key.pem and test-cert.pem from nsopenssl package into /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ as keyfile.pem and certfile.pem.

I restarted the server. AOLserver restarted and I can connect to the non-secure page. When I tried to connect to the secure page, I got an error saying "This page cannot be displayed".

And I can't find any error in the log file.

However, if I use the configuration from ReadMe.txt of nsopenssl, I put

ns_section "ns/server/${server}/modules"
ns_param nsopenssl    ${bindir}/nsopenssl.so
instead of
if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
    ns_param nsopenssl ${bindir}/nsopenssl.so 
} else { 
    ns_log warning "nsd.tcl: nsopenssl not loaded because key/cert files do not exist."
}
the aolserver just died. And I got the following error in the log:
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: Module directory defaults to /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerPeerVerifyDepth = 3
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/certfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/keyfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCAFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ca.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCADir = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ca
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate file does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate directory does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCache = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCacheId = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionTimeout = 300
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCacheSize = 512
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerPeerVerifyDepth = 3
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/certfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerKeyFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/keyfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCAFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/internal_ca.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCADir = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/internal_ca
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate file does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate directory does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCache = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCacheId = 2
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionTimeout = 300
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCacheSize = 512
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientPeerVerifyDepth = 10
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Error: nsopenssl: error loading certificate file "/usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem"
[05/Jun/2002:00:54:58][21228.1024][-main-] Debug: nsopenssl: freeing(0x8164f50)
[05/Jun/2002:00:54:58][21228.1024][-main-] Error: modload: failed to load '/usr/local/aolserver/bin/nsopenssl.so': 'Ns_ModuleInit' returned -1
[05/Jun/2002:00:54:58][21228.1024][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'

I think that's because I put two lines of ns_section "ns/server/${server}/modules" in the configuration file.

So I commented out the second one and restarted the server. It still doesn't fix the problem. This time AOLserver doesn't die, but there is nothing in the log I can find about nsopenssl module loading.

I still don't know what the problem is. I tried to change httpsport from 443 to 8443 and it didn't work either.

Can anyone put a working sample nsd.tcl file for nsopenssl?

Thanks,

Jay

Posted by Dan Wickstrom on
The log message indicates that the sock client certfile: "/usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem" is not loading. Does the file exist and is it a valid certificate?
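Dan's reading of the log is the general lesson of this thread: nsopenssl refuses to load when any file it has been told about cannot be read, and a relative file name is resolved under ModuleDir (the earlier log's "ServerCertFile = /certfile.pem" is what an empty ModuleDir produces). The preflight script below is an added example, not code from the thread or from nsopenssl: it walks the nsopenssl section of nsd.tcl and reports missing, unparsable and duplicated parameters before the server is restarted. The section name, parameter names and default module directory are taken from the thread; the demo scenario it builds (a throwaway self-signed pair, a missing clientcertfile.pem, SockServerPeerVerifyDepth set twice) is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from nsopenssl: a preflight
# check for the nsopenssl section of nsd.tcl, written against the behaviour
# visible in Jay's logs. Every *CertFile, *KeyFile and *CAFile parameter is
# resolved (relative names under ModuleDir, or under the default module
# directory when ModuleDir is unset) and checked for existence and for
# parsing with openssl; parameter names that occur twice are reported too.
set -eu

# nsopenssl_params CONFIG
# Prints "name value" for each ns_param inside the module/nsopenssl section.
# Commented-out lines start with "#ns_param" and therefore never match.
nsopenssl_params() {
    awk '$1 == "ns_section" { insec = index($2, "module/nsopenssl") > 0 }
         $1 == "ns_param" && insec { print $2, $3 }' "$1"
}

# pem_parses NAME PATH: key files must parse as a private key, everything
# else (certificate and CA file) as an X.509 certificate.
pem_parses() {
    case $1 in
        *KeyFile) openssl pkey -in "$2" -noout 2>/dev/null ;;
        *)        openssl x509 -in "$2" -noout 2>/dev/null ;;
    esac
}

# nsopenssl_preflight CONFIG DEFAULT_MODULE_DIR
# Prints one line per finding: "OK|MISSING|INVALID <param> <path>" and
# "DUPLICATE <param>". Returns 1 if anything other than OK was reported.
nsopenssl_preflight() {
    cfg=$1; moddir=$2; status=0

    # An explicit ModuleDir overrides the default passed in.
    md=$(nsopenssl_params "$cfg" | awk '$1 == "ModuleDir" { print $2 }')
    [ -n "$md" ] && moddir=$md

    # Repeated names: the sample config sets SockServerPeerVerifyDepth twice
    # and SockClientPeerVerifyDepth never, which the log shows at its default.
    for p in $(nsopenssl_params "$cfg" | awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }'); do
        echo "DUPLICATE $p"; status=1
    done

    while read -r name value; do
        [ -z "$name" ] && continue
        case $value in
            /*) path=$value ;;             # absolute path used as-is
            *)  path="$moddir/$value" ;;   # relative name lives in ModuleDir
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $name $path"; status=1
        elif pem_parses "$name" "$path"; then
            echo "OK $name $path"
        else
            echo "INVALID $name $path"; status=1
        fi
    done <<EOF
$(nsopenssl_params "$cfg" | awk '$1 ~ /(CertFile|KeyFile|CAFile)$/')
EOF
    return $status
}

# demo_preflight
# Constructed scenario mirroring the thread: certfile.pem and keyfile.pem
# exist (a throwaway self-signed pair), clientcertfile.pem does not, and
# SockServerPeerVerifyDepth is set twice. Prints the report and returns the
# preflight's status.
demo_preflight() {
    work=$(mktemp -d)
    mdir=$work/servers/birdnotes/modules/nsopenssl
    mkdir -p "$mdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=preflight-demo" \
        -keyout "$mdir/keyfile.pem" -out "$mdir/certfile.pem" 2>/dev/null
    cat > "$work/nsd.tcl" <<'EOF'
ns_section "ns/server/${server}/module/nsopenssl"
ns_param ServerCertFile             certfile.pem
ns_param ServerKeyFile              keyfile.pem
ns_param SockServerPeerVerifyDepth  3
ns_param SockClientCertFile         clientcertfile.pem
ns_param SockServerPeerVerifyDepth  3
#ns_param ModuleDir                 /Path/to/dir
ns_section "ns/server/${server}/modules"
ns_param nsopenssl ${bindir}/nsopenssl.so
EOF
    nsopenssl_preflight "$work/nsd.tcl" "$mdir" && rc=0 || rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: ./nsopenssl-preflight.sh nsd.tcl /usr/local/aolserver/servers/birdnotes/modules/nsopenssl
#        ./nsopenssl-preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_preflight
elif [ $# -eq 2 ]; then
    nsopenssl_preflight "$1" "$2"
fi
```

Run with the real nsd.tcl and the module directory the log reports under "Module directory defaults to"; any MISSING or INVALID line is a file nsopenssl will refuse at startup, and the exit status makes it usable in a restart script.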
Posted by jay he on
Thanks. I guess that's the problem.

I haven't created the clientcert.pem and clientkey.pem. I noticed that error. I just copied & pasted the sample configuration, which didn't mention how to create a client cert and key. So I took it for granted that without that client cert and key file, nsopenssl can still work.

But the truth is: it won't. I commented that out, did a little bit of tweaking here and there, and finally got it to work. Here is the configuration file I created from the same nsd.tcl for birdnotes. Hope it helps if someone has my problem.

ns_log notice "nsd.tcl: starting to read config file..."

# which database do you want? postgres or oracle
set database              postgres 

if {$database == "oracle"} {
    set db_password        "mysitepassword"
}

set httpport              80
set httpsport             443 

# The hostname and address should be set to actual values.
set hostname              10.10.10.11  ;# change to your hostname
set address               10.10.10.11  ;# change to your internal IP

set server              "birdnotes" 
set db_name             $server
set servername          "birdnotes.com Community"

set serverroot          "/web/${server}"

# if debug is false, all debugging will be turned off
set debug true

# you shouldn't need to adjust much below here
# for a standard install

# 
# AOLserver's home and binary directories. Autoconfigurable. 
#
set homedir                 [file dirname [ns_info config]] 
set bindir                  [file dirname [ns_info nsd]] 

#
# Where are your pages going to live ?
#
set pageroot                ${serverroot}/www 
set directoryfile           index.tcl,index.adp,index.html,index.htm

# 
# nsssl: Only loads if keyfile.pem and certfile.pem exist.
# If you are using SSL, make sure you have these dirs and files (refer
# to the AOLserver docs)

#set sslkeyfile ${homedir}/servers/${server}/modules/nsssl/keyfile.pem
#set sslcertfile ${homedir}/servers/${server}/modules/nsssl/certfile.pem 

set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/keyfile.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/certfile.pem
# 
# Global server parameters 
#

ns_section ns/parameters 
ns_param   serverlog          ${homedir}/log/${server}-error.log 
ns_param   home               $homedir 
ns_param   maxkeepalive       5
ns_param   logroll            on
ns_param   maxbackup          5
ns_param   debug              $debug

# 
# Thread library (nsthread) parameters 
# 
ns_section ns/threads 
ns_param   mutexmeter         true      ;# measure lock contention 
ns_param   stacksize          [expr 2*512*1024]

# 
# MIME types. 
# 
#  Note: AOLserver already has an exhaustive list of MIME types, but in
#  case something is missing you can add it here. 
#

ns_section ns/mimetypes
ns_param   Default            text/plain
ns_param   NoExtension        text/plain
ns_param   .pcd               image/x-photo-cd
ns_param   .prc               application/x-pilot
ns_param   .xls               application/vnd.ms-excel
ns_param   .pdf		      application/pdf
# 
# Tcl Configuration 
# 
ns_section ns/server/${server}/tcl
ns_param   library        ${serverroot}/tcl
ns_param   autoclose      on 
ns_param   debug          $debug
 

############################################################ 
# 
# Server-level configuration 
# 
#  There is only one server in AOLserver, but this is helpful when multiple
#  servers share the same configuration file.  This file assumes that only
#  one server is in use so it is set at the top in the "server" Tcl variable
#  Other host-specific values are set up above as Tcl variables, too.
# 
ns_section ns/servers 
ns_param   $server     $servername 

# 
# Server parameters 
# 
ns_section ns/server/${server} 
ns_param   directoryfile      $directoryfile
ns_param   pageroot           $pageroot
ns_param   maxconnections     5
ns_param   maxdropped         0
ns_param   maxthreads         5
ns_param   minthreads         5
ns_param   threadtimeout      120
ns_param   globalstats        false    ;# Enable built-in statistics 
ns_param   urlstats           false    ;# Enable URL statistics 
ns_param   maxurlstats        1000     ;# Max number of URL's to do stats on
#ns_param   directoryadp    $pageroot/dirlist.adp ;# Choose one or the other
#ns_param   directoryproc    _ns_dirlist          ;#  ...but not both!
#ns_param   directorylisting  fancy               ;# Can be simple or fancy

# 
# ADP (AOLserver Dynamic Page) configuration 
# 
ns_section ns/server/${server}/adp 
ns_param   map           /*.adp    ;# Extensions to parse as ADP's 
#ns_param   map          "/*.html" ;# Any extension can be mapped 
ns_param   enableexpire  false     ;# Set "Expires: now" on all ADP's 
ns_param   enabledebug   $debug    ;# Allow Tclpro debugging with "?debug"
ns_param   defaultparser fancy

ns_section ns/server/${server}/adp/parsers
ns_param   fancy	".adp"
 
# 
# Socket driver module (HTTP)  -- nssock 
# 
ns_section ns/server/${server}/module/nssock
ns_param   timeout            120
ns_param   address            $address
ns_param   hostname           $hostname
ns_param   port               $httpport

# 
# Socket driver module (HTTPS) -- nsssl 
# 
#  nsssl does not load unless sslkeyfile/sslcertfile exist (above).
# 
#ns_section ns/server/${server}/module/nsssl 
#ns_param   port        $httpsport 
#ns_param   hostname    $hostname 
#ns_param   address     $address 
#ns_param   keyfile     $sslkeyfile 
#ns_param   certfile    $sslcertfile

# 
# Database drivers 
# The database driver is specified here. PostgreSQL driver being loaded.
# Make sure you have the driver compiled and put it in {aolserverdir}/bin
#
ns_section "ns/db/drivers" 
if { $database == "oracle" } {
	ns_param   ora8            ${bindir}/ora8.so
} else {
	ns_param   postgres        ${bindir}/postgres.so  ;# Load PostgreSQL driver
}

# 
# Database Pools: This is how AOLserver  ``talks'' to the RDBMS. You need 
# three for OpenACS: main, log, subquery. Make sure to replace ``yourdb'' 
# and ``yourpassword'' with the actual values for your db name and the 
# password for it.

# AOLserver can have different pools connecting to different databases 
# and even different different database servers.
# 
ns_section ns/db/pools 
ns_param   pool1	   "Pool 1"
ns_param   pool2	   "Pool 2"
ns_param   pool3	   "Pool 3"

ns_section ns/db/pool/pool1
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/db/pool/pool2
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/db/pool/pool3
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/server/${server}/db
ns_param   pools              "*" 
ns_param   defaultpool        pool1

ns_section ns/server/${server}/redirects
ns_param   404                "global/file-not-found.html"
ns_param   403                "global/forbidden.html"

# 
# Access log -- nslog 
# 
ns_section ns/server/${server}/module/nslog 
ns_param   file                 ${homedir}/log/${server}.log
ns_param   enablehostnamelookup false
ns_param   logcombined          true
#ns_param   logrefer             false
#ns_param   loguseragent         false
ns_param   maxbackup            5
ns_param   rollday              *
ns_param   rollfmt              %Y-%m-%d-%H:%M
ns_param   rollhour             0
ns_param   rollonsignal         true
ns_param   rolllog              true

#
# nsjava - aolserver module that embeds a java virtual machine.  Needed to 
#          support webmail.  See http://nsjava.sourceforge.net for further 
#          details. This may need to be updated for OpenACS4 webmail
#

ns_section ns/server/${server}/module/nsjava
ns_param   enablejava         off  ;# Set to on to enable nsjava.
ns_param   verbosejvm         off  ;# Same as command line -debug.
ns_param   loglevel           Notice
ns_param   destroyjvm         off  ;# Destroy jvm on shutdown.
ns_param   disablejitcompiler off  
ns_param   classpath          /usr/local/jdk/jdk118_v1/lib/classes.zip:${bindir}/nsjava.jar:${pageroot}/webmail/java/activation.jar:${pageroot}/webmail/java/mail.jar:${pageroot}/webmail/java 

# 
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files inside 
# AOLserver are vastly superior to CGIs. I haven't tested these params but they
# should be right.
# 
#ns_section "ns/server/${server}/module/nscgi" 
#       ns_param   map "GET  /cgi-bin/ /web/$server/cgi-bin"
#       ns_param   map "POST /cgi-bin/ /web/$server/cgi-bin" 
#       ns_param   Interps CGIinterps

#ns_section "ns/interps/CGIinterps" 
#       ns_param .pl "/usr/bin/perl"

# 
# Modules to load 
# 
ns_section ns/server/${server}/modules 
ns_param   nssock          ${bindir}/nssock.so 
ns_param   nslog           ${bindir}/nslog.so 
ns_param   nssha1          ${bindir}/nssha1.so 
ns_param   nscache         ${bindir}/nscache.so 
ns_param   nsrewrite       ${bindir}/nsrewrite.so 
ns_param   nsxml           ${bindir}/nsxml.so
#ns_param   nsopenssl	    ${bindir}/nsopenssl.so 
#ns_param   nsfts           ${bindir}/nsfts.so
#ns_param   nsperm          ${bindir}/nsperm.so 
#ns_param   nscgi           ${bindir}/nscgi.so 
#ns_param   nsjava          ${bindir}/libnsjava.so

#
## nsssl: loads only if requisite files already exist (see top of this
# file). 

#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
# ns_param nsssl ${bindir}/nsssle.so 
#	ns_param nsssl ${bindir}/nsopenssl.so
#} else { 
#    ns_log warning "nsd.tcl: nsssl not loaded because key/cert files do not exist."
#}

ns_section "ns/server/${server}/module/nsopenssl"

# NSD-driven connections:
ns_param ServerPort                      $httpsport
ns_param ServerHostname                  $hostname
ns_param ServerAddress                   $address
ns_param ServerCertFile                  certfile.pem
ns_param ServerKeyFile                   keyfile.pem
ns_param ServerProtocols                 "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite               "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache              false
ns_param ServerSessionCacheID            1
ns_param ServerSessionCacheSize          512
ns_param ServerSessionCacheTimeout       300
ns_param ServerPeerVerify                true
ns_param ServerPeerVerifyDepth           3
ns_param ServerCADir                     ca
ns_param ServerCAFile                    ca.pem
ns_param ServerTrace                     false

# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile              certfile.pem
ns_param SockServerKeyFile               keyfile.pem
ns_param SockServerProtocols             "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache          false
ns_param SockServerSessionCacheID        2
ns_param SockServerSessionCacheSize      512
ns_param SockServerSessionCacheTimeout   300
ns_param SockServerPeerVerify            true
ns_param SockServerPeerVerifyDepth       3
ns_param SockServerCADir                 internal_ca
ns_param SockServerCAFile                internal_ca.pem
ns_param SockServerTrace                 false

# Outgoing SSL connections
#ns_param SockClientCertFile              clientcertfile.pem
#ns_param SockClientKeyFile               clientkeyfile.pem
#ns_param SockClientProtocols             "SSLv2, SSLv3, TLSv1"
#ns_param SockClientCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param SockClientSessionCache          false
#ns_param SockClientSessionCacheID        3
#ns_param SockClientSessionCacheSize      512
#ns_param SockClientSessionCacheTimeout   300
#ns_param SockClientPeerVerify            true
#ns_param SockClientPeerVerifyDepth       3    ;# sample had SockServerPeerVerifyDepth here
#ns_param SockClientCADir                 ca
#ns_param SockClientCAFile                ca.pem
#ns_param SockClientTrace                 false

# OpenSSL library support:
ns_param RandomFile                      /some/file
ns_param SeedBytes                       1024

ns_section "ns/server/${server}/modules"
ns_param nsopenssl    ${bindir}/nsopenssl.so

#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
#    ns_param nsopenssl ${bindir}/nsopenssl.so 
#} else { 
#    ns_log warning "nsd.tcl: nsopenssl not loaded because key/cert files do not exist."
#}

ns_log notice "nsd.tcl: finished reading config file."

My default web folder is /web/birdnotes/ and the aolserver directory is /usr/local/aolserver. I followed the instructions in ReadMe.txt and copied the test-cert.pem and test-key.pem to /user/local/aolserver/servers/birdnotes/modules/nsopenssl.

Thank you for your help.

Jay

Posted by Titi Ala'ilima on
Here's the standard config file I use for MACS, which allows you to turn SSL on and off just by setting use_openssl at the beginning:
# AOLServer ACS Virtual Server Configuration File Template
# Replace SERVICE_NAME, SERVICE_IP, SERVICE_DNS, and SERVICE_PORT
# and all will go well.

#
# Basic settings
#

set service_name "SERVICE_NAME"
set service_database_username $service_name
set service_database_password $service_name
set aol_home [file dirname [ns_info config]]
set aol_bin [file dirname [ns_info nsd]]
set service_short_name $service_name
set service_short_description "a description of your service"
set service_email "service@ybos.net"
set acs_home "/web/$service_name"
set service_ip_address "SERVICE_IP"
set service_ip_name "SERVICE_DNS"
set service_port "SERVICE_PORT"
set service_ip_address_ssl $service_ip_address
set service_ip_name_ssl $service_ip_name
set service_port_ssl "443"
set db_version "ora9"
set use_openssl "0"

# nscp: Uncomment the sample password and log in with "nsadmin", password "x",
#       type "ns_crypt newpassword salt" and put the encrypted string below.
set nscp_port 9999
# Bind the control port to loopback only; it must never listen on a public interface.
set nscp_address "127.0.0.1"
set nscp_user ""
#set nscp_user "nsadmin:t2GqvvaiIUbF2:" ;# sample user="nsadmin", pw="x".

#
# The nitty gritty, which you usually won't need.
#

ns_section "ns/db/drivers"
ns_param $db_version "$aol_bin/$db_version.so"

ns_section "ns/db/pool/main"
ns_param MaxIdle "1000000000"
ns_param MaxOpen "1000000000"
ns_param Driver $db_version
ns_param Connections "4"
ns_param DataSource {}
ns_param User $service_database_username
ns_param Password $service_database_password
ns_param Verbose "On"
ns_param ExtendedTableInfo "On"

ns_section "ns/db/pool/subquery"
ns_param MaxIdle "1000000000"
ns_param MaxOpen "1000000000"
ns_param Driver $db_version
ns_param Connections "4"
ns_param DataSource {}
ns_param User $service_database_username
ns_param Password $service_database_password
ns_param Verbose "On"
ns_param ExtendedTableInfo "On"

ns_section "ns/db/pool/log"
ns_param MaxIdle "1000000000"
ns_param MaxOpen "1000000000"
ns_param Driver $db_version
ns_param Connections "3"
ns_param DataSource {}
ns_param User $service_database_username
ns_param Password $service_database_password
ns_param Verbose "On"
ns_param ExtendedTableInfo "On"

ns_section "ns/db/pools"
ns_param main "main"
ns_param subquery "subquery"
ns_param log "log"

ns_section "ns/parameters"
# This used to be handled with a file under acs/parameters, but
# parameters are now stored in the database.
ns_param User "nsadmin"
ns_param Group "web"
ns_param ServerLog "$aol_home/log/$service_name-error.log"
# Display logging with 'dev' and 'debug' severity
ns_param dev true
ns_param debug false
ns_param Home $aol_home
ns_param StackSize "500000"
ns_param MaxKeepAlive "0"

ns_section "ns/threads"
# use more than 1 processor (Solaris)
ns_param SystemScope "on"

ns_section "ns/server/$service_name"
ns_param PageRoot "$acs_home/www"
ns_param DirectoryFile "index.tcl,index.adp,index.html,index.htm"
ns_param Webmaster $service_email
ns_param NoticeBgColor {"#ffffff"}
ns_param EnableTclPages "On"
ns_param NotFoundResponse "/global/file-not-found.html"
ns_param ServerBusyResponse "/global/busy.html"
ns_param ServerInternalErrorResponse "/global/error.html"
ns_param MaxThreads "10"
ns_param MinThreads "10"
ns_param MaxBusyThreads "15"
ns_param MaxWait "2"

ns_section "ns/server/$service_name/db"
ns_param Pools "main,subquery,log"
ns_param DefaultPool "main"

ns_section "ns/server/$service_name/adp"
ns_param Map "/*.adp"
ns_param DefaultParser "fancy"

ns_section "ns/server/$service_name/module/nslog"
ns_param EnableHostnameLookup "On"
ns_param File "$aol_home/log/$service_name.log"
ns_param LogCombined "On"
ns_param LogRefer "On"
ns_param LogUserAgent "On"
ns_param MaxBackup "5"
ns_param RollLog "Off"

ns_section "ns/server/$service_name/module/nsperm"
ns_param model "Small"
ns_param enablehostnamelookup "Off"

ns_section "ns/server/$service_name/module/nssock"
ns_param timeout "120"
ns_param Address $service_ip_address
ns_param Hostname $service_ip_name
ns_param Port $service_port

# Braced so the [file exists] tests are only evaluated when use_openssl is set;
# the trailing backslashes are required, a bare newline ends the command.
set openssl_able [expr {$use_openssl && \
		      [file exists "$aol_bin/nsopenssl.so"] && \
		      [file exists "$aol_home/servers/$service_name/modules/nsopenssl/cert.pem"] && \
		      [file exists "$aol_home/servers/$service_name/modules/nsopenssl/key.pem"]}]

if {$openssl_able} {
    # Config for nsopenssl 2.1
    ns_section "ns/server/$service_name/module/nsopenssl"

    # NSD-driven connections:
    ns_param ServerAddress $service_ip_address_ssl
    ns_param ServerPort $service_port_ssl
    ns_param ServerHostname $service_ip_name_ssl
    ns_param ServerCertFile "cert.pem"
    ns_param ServerKeyFile "key.pem"
    ns_param ServerProtocol {SSLv2, SSLv3, TLSv1}
    ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param ServerSessionCache "False"
    ns_param ServerSessionCacheID "1"
    ns_param ServerSessionCacheSize "512"
    ns_param ServerSessionCacheTimeout "300"
    ns_param ServerPeerVerify "false"
    ns_param ServerPeerVerifyDepth "3"
    ns_param ServerCADir "ca"
    ns_param ServerCAFile "ca.pem"
    ns_param ServerTrace "false"

    # For listening and accepting SSL connections via Tcl/C API:
    ns_param SockServerCertFile "cert.pem"
    ns_param SockServerKeyFile "key.pem"
    ns_param SockServerProtocol {SSLv2, SSLv3, TLSv1}
    ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param SockServerSessionCache "False"
    ns_param SockServerSessionCacheID "2"
    ns_param SockServerSessionCacheSize "512"
    ns_param SockServerSessionCacheTimeout "300"
    ns_param SockServerPeerVerify "true"
    ns_param SockServerPeerVerifyDepth "3"
    ns_param SockServerCADir "ca"
    ns_param SockServerCAFile "ca.pem"
    ns_param SockServerTrace "false"

    # Outgoing SSL connections
    ns_param SockClientCertFile "cert.pem"
    ns_param SockClientKeyFile "key.pem"
    ns_param SockClientProtocol {SSLv2, SSLv3, TLSv1}
    ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param SockClientSessionCache "False"
    ns_param SockClientSessionCacheID "3"
    ns_param SockClientSessionCacheSize "512"
    ns_param SockClientSessionCacheTimeout "300"
    ns_param SockClientPeerVerify "true"
    ns_param SockClientPeerVerifyDepth "3"
    ns_param SockClientCADir "ca"
    ns_param SockClientCAFile "ca.pem"
    ns_param SockClientTrace "false"

    # Typically where you store your certificates
    # Defaults to $AOLSERVER/servers/${servername}/modules/nsopenssl
    ns_param ModuleDir "$aol_home/servers/$service_name/modules/nsopenssl"

    # OpenSSL library support:
    ns_param RandomFile "/etc/inittab"
    ns_param SeedBytes "1024"
}

if {![string equal $nscp_user ""]} {
    ns_section "ns/server/$service_name/module/nscp"
    ns_param port $nscp_port
    ns_param address $nscp_address

    ns_section "ns/server/$service_name/module/nscp/users"
    ns_param user $nscp_user
}

ns_section "ns/server/$service_name/modules"
ns_param nsperm "$aol_bin/nsperm.so"
ns_param nssock "$aol_bin/nssock.so"
ns_param nslog "$aol_bin/nslog.so"
ns_param nssha1 "$aol_bin/nssha1.so"
ns_param nscache "$aol_bin/nscache.so"
ns_param nsxml "$aol_bin/nsxml.so"
if {$openssl_able} {
    # The module name must match the "module/nsopenssl" section above;
    # loading it as "nsssl" would make nsopenssl look for parameters that are not there.
    ns_param nsopenssl "$aol_bin/nsopenssl.so"
}
if {![string equal $nscp_user ""]} {
    ns_param nscp "$aol_bin/nscp.so"
}

ns_section "ns/server/$service_name/MimeTypes"
ns_param Default "text/plain"
ns_param NoExtension "text/plain"
ns_param .pcd "image/x-photo-cd"
ns_param .prc "application/x-pilot"

ns_section "ns/server/$service_name/tcl"
ns_param Library "$acs_home/tcl"

ns_section "ns/servers"
ns_param $service_name $service_short_description
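As an added example, not code from either post above, here is a stricter version of the openssl_able gate and the nsopenssl section in Titi's template; it also logs exactly why nsopenssl was not loaded, which is the symptom Jay describes. It assumes the variable names Titi's template sets ($aol_home, $aol_bin, $service_name, $use_openssl, $service_ip_address_ssl, $service_ip_name_ssl, $service_port_ssl), an openssl binary on the PATH of the user nsd runs as, and that nsopenssl 2.x accepts a single protocol name in ServerProtocol. The proc name ssl_ready and the helper variables ssl_dir, ssl_cert and ssl_key are mine, not nsopenssl's.

```tcl
# Added example, not from the thread: a stricter gate for loading nsopenssl
# plus a hardened nsopenssl section.  Uses the variable names from Titi's
# template; ssl_ready/ssl_dir/ssl_cert/ssl_key are names chosen here.

set ssl_dir  "$aol_home/servers/$service_name/modules/nsopenssl"
set ssl_cert "$ssl_dir/cert.pem"
set ssl_key  "$ssl_dir/key.pem"

# Return 1 only when the module, certificate and key exist, the key is
# readable by its owner alone, and cert.pem and key.pem really belong
# together.  Every failure is logged so "nsopenssl not loaded" is not a mystery.
proc ssl_ready {so cert key} {
    foreach f [list $so $cert $key] {
        if {![file exists $f]} {
            ns_log warning "nsd.tcl: nsopenssl not loaded, $f does not exist"
            return 0
        }
    }
    # A group- or world-readable private key is a key disclosure waiting to happen.
    set mode [file attributes $key -permissions]
    if {($mode & 0077) != 0} {
        ns_log warning "nsd.tcl: nsopenssl not loaded, $key has mode $mode (expected 0600)"
        return 0
    }
    # A cert/key mismatch is otherwise only discovered at the first handshake.
    if {[catch {
        set cert_mod [exec openssl x509 -noout -modulus -in $cert]
        set key_mod  [exec openssl rsa  -noout -modulus -in $key]
    } err]} {
        ns_log warning "nsd.tcl: nsopenssl not loaded, openssl could not read cert/key: $err"
        return 0
    }
    if {![string equal $cert_mod $key_mod]} {
        ns_log warning "nsd.tcl: nsopenssl not loaded, cert.pem and key.pem do not match"
        return 0
    }
    return 1
}

set openssl_able [expr {$use_openssl && [ssl_ready "$aol_bin/nsopenssl.so" $ssl_cert $ssl_key]}]

if {$openssl_able} {
    ns_section "ns/server/$service_name/module/nsopenssl"
    ns_param ModuleDir      $ssl_dir
    ns_param ServerAddress  $service_ip_address_ssl
    ns_param ServerPort     $service_port_ssl
    ns_param ServerHostname $service_ip_name_ssl
    ns_param ServerCertFile "cert.pem"
    ns_param ServerKeyFile  "key.pem"

    # As posted:  ServerProtocol {SSLv2, SSLv3, TLSv1}
    #             ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    # SSLv2 does not protect the handshake against tampering, and the LOW/EXP
    # groups are 40- and 56-bit ciphers; neither belongs on a login page.
    ns_param ServerProtocol    "TLSv1"
    ns_param ServerCipherSuite "HIGH:!ADH:!aNULL:!eNULL:!LOW:!EXP:!SSLv2:@STRENGTH"

    # As posted:  RandomFile "/etc/inittab"
    # A static text file adds almost no entropy; seed from the kernel RNG instead.
    ns_param RandomFile "/dev/urandom"
    ns_param SeedBytes  "1024"
}

ns_section "ns/server/$service_name/modules"
if {$openssl_able} {
    # The module name must match the "module/nsopenssl" section above.
    ns_param nsopenssl "$aol_bin/nsopenssl.so"
}
```

The rest of Titi's template stays as it is; if you keep the SockServer and SockClient sections, give them the same ServerProtocol and cipher string. The two exec calls run once at startup under the nsd account, so openssl and the key must be readable by that account. If your key is deliberately group-owned by a dedicated group, relax the mask in the permission check to 0007 rather than dropping the check.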