Open Source Software and Linux


December 25, 2008  11:23 PM

Merry Christmas!

John Little Profile: Xjlittle

I hope all you geeks and nerds and people who generally like hi tech toys got all that you wanted for Christmas.

I know that I did. I got a 1TB external drive that I can use to back up all of my family’s computers on the server. I’ll probably create a virtual host using the rpath Openfiler NAS/SAN appliance for the virtual machine image. If you’ve never visited rpath you should give them a look. They have all kinds of appliance images for different makes of virtual machines. Most of these are located on a subweb of rpath called rbuilder.

On rbuilder you can find plenty of information about the virtual appliance you want to download. If you are unsure which image file you need for an appliance, they have a list that explains how each image installs and under what conditions it should be used, all in one paragraph and in plain English. Very nice!

I also got a Wii. Well, actually it is for my daughter and me. We got Wii Sports, Wii Fit and Wii Music. I never knew that this gaming system could be so much fun! We play it every day and are always finding new things to do on it. If you’ve never tried the Wii you should get one. You won’t be sorry!

I need to get busy setting up my new external drive and virtual machine. Merry Christmas everyone!

-j

December 25, 2008  4:55 AM

Quick Subnetting and IP calculations Part 2

John Little Profile: Xjlittle

In my last post I discussed how to make quick subnetting and IP calculations. This post will show how to work out which network a host is on, how many hosts fit on it, and where its broadcast address and (by convention) its default gateway are.

Suppose that you know your IP address and the subnet mask in abbreviated (/NN prefix) notation. What you need to find out is the IP of your default gateway.

The address that you are given is 192.168.200.120/26. On this network the convention is that the last assignable IP is the gateway. That is a convention, not a rule, so confirm it with whoever runs the network; plenty of sites put the gateway on the first address instead. Before we get started, a quick note about the abbreviated mask. Divide the prefix length by 8: the quotient is the number of full 255 octets, and the remainder is how many bits, counted from the left, are turned on in the next octet. In our case 8 goes into 26 three times with two left over. Adding together the two leftmost bit values, 128+64, gives us 192, so our standard subnet mask is 255.255.255.192.

To start solving our gateway problem we first convert the 192 into its bit values, which gives 11000000.

The smallest bit that is turned on is 64, so our subnets are incremented by 64. Recall from the previous post how we laid this out:

Network   Hosts                          Broadcast
0         192.168.200.1 through 62       192.168.200.63
64        192.168.200.65 through 126     192.168.200.127
128       192.168.200.129 through 190    192.168.200.191
192       192.168.200.193 through 254    192.168.200.255

As we can see from above, our machine with an IP of 192.168.200.120 falls into the second range, whose network address is 192.168.200.64. The first addressable IP is 192.168.200.65 and the broadcast address is 192.168.200.127. Remember that the broadcast address is always the address just before the next network. By our convention the default gateway is one less than the broadcast address, which gives us 192.168.200.126. That leaves 62 host IP addresses available on your network segment after taking out the network and broadcast addresses.

So there it is. You have now found your default gateway and know how many hosts are on your network segment and what their IP addresses are.

-j


December 21, 2008  11:15 PM

Quick Subnetting and IP calculations Part 1

John Little Profile: Xjlittle

With all of the IP and subnetting calculators on the internet it might seem to some that learning subnetting is unnecessary. I think it is an underused skill that every network administrator should have, and it is really not that hard to get the basics down.

In this article and the next I am going to show you how to do two things quickly with subnetting: build a custom subnet from scratch, and work out how many hosts are on a network. The only binary you need is the value of each of the 8 bits in an octet, which we should all know:

128 64 32 16 8 4 2 1

The above numbers represent the 8 bits in a subnet mask.

To start building our custom subnet we are going to assume a class C network. With this we know that our default mask covers the first 24 bits, which makes it 255.255.255.0. Notice that 255 is the sum of all of the numbers above. Second, let’s assume that our class C address is 192.168.10.0 and that we want to build 6 subnets from it to cover six of our departments.

First convert the number of subnets to binary. Adding the 4 and 2 bits above makes 6 (00000110). Now turn on the 4 bit and every bit to its right:

00000111

Next flip the entire octet from end to end:

11100000

Add together the values, from the table at the top, of the bits that are now on at the left end:

128+64+32=224

So now we know that 224 is the last octet of our new subnet mask, 255.255.255.224 (or /27), and that the three borrowed bits give us 8 networks, enough for our 6 departments. The 32 in this scenario is the Least Significant Bit, or LSB, of the mask. Pretty straightforward, isn’t it?

Now we need to get our network, host and broadcast addresses. To do this take the Least Significant Bit from the three bits that we used above, which is 32. Starting with 0 we set up our networks like so:

Network   Hosts                          Broadcast
0         192.168.10.1 thru 30           192.168.10.31
32        192.168.10.33 thru 62          192.168.10.63
64        192.168.10.65 thru 94          192.168.10.95
96        192.168.10.97 thru 126         192.168.10.127
128       192.168.10.129 thru 158        192.168.10.159
160       192.168.10.161 thru 190        192.168.10.191
192       192.168.10.193 thru 222        192.168.10.223
224       192.168.10.225 thru 254        192.168.10.255

As you can see the first network starts at 0 and the LSB is the increment to the next, so we have 0, 32, 64 and so on. The broadcast address is 1 less than the next network number. This leaves the host addresses as the network number plus 1 through the broadcast address less 1, giving us 30 hosts per network.
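The arithmetic from this post and from Part 2 above, as an added example that is not code from either post: the same mask, network, broadcast and range calculations done with plain 32-bit integer masks, so you can check your hand work against a machine. The /31 and /32 refusal and the "host bits set" check are my additions; the posts do not cover those cases.

```python
# Added example (not code from the original posts): Part 1 (carve a network into
# subnets) and Part 2 (find the subnet a host sits in) with integer bit masks.

def ip_to_int(ip: str) -> int:
    """'192.168.200.120' -> 32-bit integer; rejects anything that is not four octets."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/26 -> 255.255.255.192. The post's 'divide by 8, remainder bits from the left'
    rule is the same as 'the top `prefix` bits of the 32-bit mask are 1'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def locate_host(cidr: str) -> dict:
    """Part 2: for a host such as 192.168.200.120/26, find the subnet it sits in."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if prefix > 30:
        raise ValueError("/31 and /32 have no network/broadcast pair to take out")
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(ip) & mask               # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),   # the post's gateway convention
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": broadcast - network - 1,
    }


def subnet_plan(cidr: str, wanted: int) -> dict:
    """Part 1: carve `cidr` into at least `wanted` equal subnets.

    The post's trick (turn on every bit right of the highest bit of `wanted`, then
    flip the octet) is the same as borrowing ceil(log2(wanted)) host bits."""
    if wanted < 1:
        raise ValueError("need at least one subnet")
    base, prefix = cidr.split("/")
    prefix = int(prefix)
    base_int = ip_to_int(base)
    if base_int & ~ip_to_int(prefix_to_mask(prefix)) & 0xFFFFFFFF:
        raise ValueError("host bits set in network address")
    borrowed = (wanted - 1).bit_length()
    new_prefix = prefix + borrowed
    if new_prefix > 30:
        raise ValueError("not enough host bits for that many subnets")
    step = 1 << (32 - new_prefix)                 # the LSB of the new mask
    subnets = [locate_host(f"{int_to_ip(base_int + i * step)}/{new_prefix}")
               for i in range(1 << borrowed)]
    return {
        "mask": prefix_to_mask(new_prefix),
        "increment": step,
        "hosts_per_subnet": step - 2,
        "subnets": subnets,
    }


if __name__ == "__main__":
    print(locate_host("192.168.200.120/26"))
    for s in subnet_plan("192.168.10.0/24", 6)["subnets"]:
        print(s["network"], s["first_host"], "thru", s["last_host"], s["broadcast"])
```

Running it reproduces both tables: 192.168.10.0/24 split for 6 departments gives the 8 /27 networks with 30 hosts each, and 192.168.200.120/26 lands in 192.168.200.64 with 192.168.200.126 as the last host.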

In the next post we’ll see how to determine how many hosts are on a network.

-j


December 20, 2008  6:45 PM

Streamtuner and Shoutcast

John Little Profile: Xjlittle

The other day I fired up Streamtuner to listen to some Christmas tunes on Shoutcast. Imagine my surprise when Streamtuner wouldn’t bring up any channels. What a disappointment. A quick check of the Streamtuner site indicated the application is no longer maintained. Bummer.

Not willing to give up, I looked around the internet and found that the Shoutcast site was alive and well. Apparently they have brought up a new site with a different connection API, and Streamtuner won’t connect to it.

I checked some more and found what sounded like some not so good fixes. The one that I did settle on was quite simple. The folks at Shoutcast are nice enough to keep the old site up and running, so all you need is the IP address of the archive site.

To make a long story short, make the following entry in the /etc/hosts file:

205.188.234.120 www.shoutcast.com

Now pull up Streamtuner. Unfortunately all you will get are the top streams, which is probably OK for most purposes.

Keep in mind what that line does: /etc/hosts is consulted before DNS by every program on the machine, not just Streamtuner, so anything else that talks to www.shoutcast.com (your browser included) is now pinned to that one address. If Shoutcast ever moves or retires the old site the entry will quietly break things, so take it out again when you no longer need it.

An alternative to this is to use Songbird. Songbird promises to “help enable new ways to playback, manage, and discover music”. Since they rely on a 3rd party music player they have a long way to go, but they do handle Shoutcast streams quite well.

-j


December 20, 2008  3:57 AM

Learning Sun Solaris at the Sun Open Learning Center

John Little Profile: Xjlittle

I admit I have become intrigued with OpenSolaris and Sun Solaris. Sun has made it extremely easy to get started learning these two operating systems with their Sun Open Learning Center.

The SOLC is free to use; all it costs you is a Sun account. The curriculum at the beginner level includes Desktop Components, File Systems and Directories, Working with Processes, Working with the Shell, and Archiving Files and Remote Transfer.

The SOLC includes an intermediate level which is currently in beta. The curriculum here includes Intermediate Booting SPARC and x86 Based Systems, Installing Solaris 10 and Safely Shutting Down a Solaris System. Sun promises more to come at this level.

You can also join the Sun community at the Solaris Campus at Second Life. Here they have various times setup for “live” classroom learning via the Second Life application.

According to Sun the curriculum should prepare you for the Solaris Certified System Administrator exam. I have taken the first course and was quite impressed with it, although it is at a very beginning level.

The application works beautifully, walking you through the subjects and giving you some brief tests at the end to check your learning. The course takes some time to get through, so you will probably need to shut down or close your browser before you are done. When you log back into the application it will ask you if you want to start where you left off. Click yes and you go directly to the lesson where you stopped. If you need to back up a few pages for review and start from there, just click the back button.

Given the cost of certification materials and classes this is a giant step for Sun; it should help them get more certified admins while taking it easy on your wallet. You should go try one of the courses today.

-j


December 18, 2008  2:03 PM

Recovering files from an LVM or ext3 partition with testdisk

John Little Profile: Xjlittle

I recently had a virtual server crash. The VM’s disk was a logical volume on the host, and to complicate matters even further the virtual machine itself used LVM, with ext3 on top, for its file systems. I had 25 GB of music on there that I did not want to lose, so I was bent on finding a way out of my dilemma.

I eventually ran across an application called testdisk, and it turned out to be the answer to my problem. Although it is not very intuitive and is light on documentation, I am going to lead you through using it in case you ever need it.

Testdisk ships as a statically linked binary, so all you need to do is download and extract it. Once it is extracted, cd into the directory called linux. Run testdisk_static (as root, since it reads the raw device) followed by the device path of the disk from which you want to recover data; point it at the device itself, not at a mounted file system. In my case that was the host logical volume holding the VM’s disk. Shown below is the command that I used.

./testdisk_static /dev/linux-virtuals/music.repo

The first screen that you see will look like the following screenshot. The disk from which you want to recover should be highlighted. Select Proceed and press Enter to bring up the next screen.
[screenshot: first screen after running testdisk]

Choose Intel as your partition table type unless you know that you are using one of the other types listed.
[screenshot: choose Intel for partition]

On the next screen press Enter to have testdisk analyse the partition structure.
[screenshot: analyze partition]
Testdisk performs a quick search of your partition. After you press Enter you are asked if you want testdisk to look for Vista partitions. Choose No unless you have Vista partitions.

A short list of the partitions that testdisk found will show on your screen. Press Enter to continue.
[screenshot: testdisk short list of partitions]

On this screen you will be prompted to continue with a deeper search. Press Enter to have testdisk search the whole device thoroughly and find anything that has been deleted. This may take a while to complete, depending on the size of the partition.
[screenshot: testdisk deeper search]

Once it is finished it will let you know. This is where things can get a little tricky. Scroll down through the list of partitions until you find one that offers P in the legend below the list. Press P to see the list of files contained in that partition. Note that not all listed partitions will show the P in the testdisk legend; if they don’t, there isn’t any data there to collect.
[screenshot: partition with P data]

Once you’ve pressed P you will see a list of directories. Highlight the directory where you believe your files are and press Enter. You will have to work down through the original directory structure that you had on disk. If those don’t contain the files, back your way out to the top level of the file system (the left arrow key goes up a level), then scroll down until you find another partition marked with a P and check it for your files.
[screenshots: working down the directory tree, ending at the recovered music directory]

Et voilà! Here is my music. At the bottom of the screen you are told how to copy. If you want the whole directory, back up one level with the left arrow key, highlight the directory and press c to copy it. This brings up a view of your current working directory; keep using the arrow keys until you are in the directory where you want to save your recovered files. Make sure that directory is on a different disk from the one you are recovering, otherwise the copy can overwrite the very blocks you are trying to get back.

Hope this helps. Everything I had read said that files couldn’t be recovered from ext3, because ext3 zeroes the block pointers in the inode when a file is deleted. That is true of the inode, but the data blocks themselves stay on disk until something overwrites them, and a damaged file system that was never deleted, like mine, still has its directory tree for testdisk to walk. Here it is in black and white. So go get those files that you didn’t back up! :-) (Yes, I learned my lesson; here comes Amanda, Bacula or Backup Manager!)
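Before pointing testdisk at the damaged volume, the safer routine is to copy it to an image once and let testdisk work on the copy: the original is never written to, and a failed attempt can be retried from the same image. This is an added example, not part of the original post; it assumes GNU coreutils (dd, sha256sum) and that testdisk’s static binary is on your PATH under the name the post uses, testdisk_static.

```sh
#!/bin/sh
# Added example, not from the original post: image the damaged volume, verify the
# image before each session, and run testdisk against the image rather than the
# device. Assumes GNU coreutils and testdisk_static on PATH (names are assumptions).

# image_volume SRC IMG: copy SRC (a block device, LVM volume or file) to IMG, reading
# past bad sectors instead of aborting (conv=noerror,sync pads them with zeros and
# also pads the last partial block up to bs), then store the image's SHA-256 beside it.
image_volume() {
  src=$1
  img=$2
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  [ -e "$img" ] && { echo "refusing to overwrite existing image $img" >&2; return 1; }
  dd if="$src" of="$img" bs=64k conv=noerror,sync || return 1
  ( cd "$(dirname "$img")" && sha256sum "$(basename "$img")" > "$(basename "$img").sha256" )
}

# verify_image IMG: fail if the image no longer matches the hash taken at copy time,
# which means something has written to it since and the copy can no longer be trusted.
verify_image() {
  img=$1
  ( cd "$(dirname "$img")" && sha256sum -c --quiet "$(basename "$img").sha256" )
}

# recover_from_image IMG: run testdisk against the verified image, with a log file.
# When you press 'c' to copy files out, choose a directory on a different disk.
recover_from_image() {
  img=$1
  verify_image "$img" || return 1
  testdisk_static /log "$img"
}
```

Usage on the post’s volume would be image_volume /dev/linux-virtuals/music.repo /mnt/spare/music.img followed by recover_from_image /mnt/spare/music.img, with /mnt/spare on a separate physical disk. If the volume is larger than the space you have, GNU ddrescue does the same job with a map of the bad areas, but dd with noerror,sync is what you can count on being installed.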

-j


December 17, 2008  3:16 PM

Sometimes it’s the tech support and not the user..

John Little Profile: Xjlittle

Ok we’ve always had a good laugh at users saying and doing dumb things that to us are obvious. I ran across this web site that not only points out user foolishness but some not so smart tech support as well. Read on…

* Customer: “Hi, I can’t seem to connect you guys are you having a problem?”
* Tech Support: “Well sir, what dialup software are you using?”
* Customer: “The one you provided.”
* Tech Support: “And what version is it?”
* Customer: (says the version number)
* Tech Support: “Oh, that’s the problem you need the latest version.”
* Customer: “Ok, how do I get it?”
* Tech Support: “Well, just transfer the file via FTP.”
* Customer: “Well that would be nice, but I can’t connect to the Internet.”
* Tech Support: (sounding exasperated) “I told you just to FTP the file sir.”

I hung up.

I’m not the most technical of people, but a few years ago, I got the infamous “blue screen of death.” I called in the IT department, and the new guy told me that my monitor just had to be “de-gassed” (degaussed). Needless to say, I rolled around the floor laughing, and someone else was called in to replace my hard drive.

And this one goes both ways..

My boyfriend and I were sitting in my dorm room when there was a power surge, causing my computer to reboot. Unfortunately, it never got very far and popped up an error message about a missing file. Panicking, I rebooted again, and the same thing happened. Foolishly, I decided to call my computer’s tech support line, and after struggling with their automated system, I finally got through to someone.

* Tech Support: “Thank you for calling tech support. How may I help you?”
* Me: “Yeah, um, I just had a power surge in my dorm room, and my computer won’t reboot. It’s giving me the error message: [error message]”
* Tech Support: “Have you tried rebooting?”
* Me: “Yeah. Want me to try again?”
* Tech Support: “Yes, go ahead. Tell me when Windows comes up.”
* Me: “Ok…it’s giving me the same error message. It’s not even getting into Windows.”
* Tech Support: “Ok, let’s try rebooting again, but this time, hold the button down for longer.”
* Me: “Er…how much longer?”
* Tech Support: “About five seconds.”
* Me: “All right. Holding it down now…ok, it’s rebooting.”
* Tech Support: “Good. Tell me when Windows comes up.”
* Me: “Same error.”
* Tech Support: “Ok. Let’s try a hard reboot. Turn your computer all the way off, then unplug the power cable.”
* Me: (??) “All right, it’s out.”
* Tech Support: “Ok, now hold down your power button and plug it back in. But don’t let go of the power button yet.”
* Me: “Er. Ok. Tell me when to let go.”
* Tech Support: “Ok, let go. Tell me when Windows comes up.”
* Me: “Same error message. Windows isn’t coming up.”
* Tech Support: “Ok, let’s try looking at your BIOS.”
* Me: “All right.”
* Tech Support: “Reboot your computer, and when it’s coming up, hit F1 as many times as you can.”
* Me: “Can’t I just hit it once?”
* Tech Support: “No, your computer should start beeping. I want to make sure it beeps.”
* Me: “All right, it beeped. BIOS came up a while ago.”
* Tech Support: “Ok, let’s walk through some things….”

He proceeded to do nothing more than confirm there was nothing wrong with my BIOS. He had me reboot again, and, of course, I got the same error message.

* Tech Support: “Ok, let’s try bios one more time.”
* Me: “All right.”
* Tech Support: “Now, when it’s rebooting, I want you to hit the F1 key as many times as you can. It has to beep for this to work.”
* Me: “I really don’t think my computer ‘beeping’ has anything to do with the problem.”
* Tech Support: “I think I know a little more about computers than you do, ma’am.”
* Me: “All right, fine, I’m hitting it. My computer is beeping.”
* Tech Support: “I don’t believe you.”
* Me: “…Excuse me?”
* Tech Support: “I think you’re lying. I need you to hit it as many times as you can. This is very important.”

Finally, I gave up on the guy and made my boyfriend finish the call. About half a minute into the call, my boyfriend gets a really funny look on his face and ejects the floppy disk that was in the drive. He rebooted it, and it worked fine.

I suppose this doubles as a stupid user story too, but you’d think a tech support person would have checked for that early on, instead of all the other dumb things he had me do.

Many thanks to rinkworks for providing some humor for our day.

-j


December 13, 2008  10:59 PM

Adding the iptables firewall to the Xen domU (part 2)

John Little Profile: Xjlittle

In my last column we set up a physical NIC in our Xen domU to expose it to the internet. Now we set up the iptables firewall.

At this point you should have 2 interfaces in your domU. One should be facing the internet and have an IP address assigned by your ISP. The other should be a typical Xen interface with a static IP that connects to the rest of your network.

To start off our iptables firewall, open the system-config-securitylevel application, make sure that the firewall is enabled, and close it. That creates the standard Red Hat/CentOS ruleset as a starting point. You can check this by issuing the command:

iptables -L

Notice the extra chain that Red Hat/CentOS adds to the usual iptables -L output. It is a user-defined chain, and both the INPUT chain (traffic addressed to the firewall itself) and the FORWARD chain (traffic passing through it to your network) jump to it. Normally a rule about traffic for the firewall needs a counterpart for forwarded traffic; because both built-in chains hand off to this one, a single rule placed in it covers both cases. This is the chain we will work with the most. It is called:

RH-Firewall-1-INPUT

The first thing that we want to do is get the machines on our network out to the internet. We do this with the nat table and its POSTROUTING chain:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This rewrites the source address of everything leaving through eth1 to the firewall’s public address, so any request from your internal network can reach the internet and the replies find their way back. My internet-facing NIC is eth1; yours may vary. Notice the -o eth1: the rule matches packets going out of eth1. As written it masquerades any source; adding -s with your LAN range (for example -s 172.16.0.0/16) limits it to traffic that really comes from your network.

Anything from the internet that RH-Firewall-1-INPUT does not explicitly accept is rejected by its last rule. You’re probably going to want to let ssh and maybe OpenVPN in from the internet. The solution that I use is to land those requests on a domU behind the firewall rather than on the firewall machine itself. Here is how to take an inbound request and redirect it to the landing server; from there you can go where you need on the network.

##ssh
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 172.16.0.201
##openvpn
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1194 -j DNAT --to 172.16.0.201

Any port that you need uses the exact same syntax except for the port number and protocol. OpenVPN uses UDP 1194 by default, so use -p udp unless you configured it with proto tcp. DNAT only rewrites the destination: the forwarded packet still has to be accepted by RH-Firewall-1-INPUT (the listing below accepts NEW connections to ssh; add a matching ACCEPT for any other port you forward).

We also need to enable IP forwarding in the kernel, otherwise the firewall won’t pass packets between its two interfaces at all. The first command turns it on for the current session; to survive a reboot the setting has to be in /etc/sysctl.conf as net.ipv4.ip_forward = 1, which sysctl -p then re-reads (it does not write the file for you):

[root@virtual-host ~]# sysctl -w net.ipv4.ip_forward=1
[root@virtual-host ~]# sysctl -p
#output
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
[root@virtual-host ~]#

As we can see from the first line under #output, ip_forward is 1, which means that it is turned on and will be again after a reboot.

Note that if you go back and use any of the firewall GUIs provided you will lose all of the settings that used the nat table. I suggest that you stick with the command line after making your initial setup, and run service iptables save when you are happy with the rules: that writes them to /etc/sysconfig/iptables so the iptables init script reloads them at boot. Until you do, they live only in the running kernel.

Here is what my iptables output looks like. Plain iptables -L shows only the filter table and resolves addresses and ports to names; use iptables -L -v -n to see the interface each rule applies to without reverse DNS lookups, and iptables -t nat -L -n for the NAT rules above.

[root@fw0 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:servicetag
ACCEPT udp -- anywhere anywhere udp dpt:servicetag

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
DROP tcp -- yktgi01e0-s4.watson.ibm.com anywhere tcp dpt:https
DROP tcp -- yktgi01e0-s4.watson.ibm.com anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:servicetag
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:servicetag
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@fw0 ~]#

The two DROPs at the top of the RH-Firewall-1-INPUT chain are for somebody who kept hammering my web server. If you want to drop a specific source you will want to insert (-I) the rule at the top of the chain, like so (the address is a placeholder):

iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 80 --source 192.0.2.44 -j DROP

The 1 just after the chain name instructs iptables to make that the first rule in the chain, ahead of the ACCEPT for http further down; a rule appended at the end would never be reached. Since both the INPUT and FORWARD chains jump to RH-Firewall-1-INPUT we don’t have to put the same rule in the FORWARD chain.
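The whole ruleset from this post, as an added example that is not the post’s own script: rendered in iptables-restore format so it loads atomically, checked before loading, and saved the RHEL/CentOS way so it survives a reboot. Interface names and addresses follow the post (eth1 faces the internet, eth0 the LAN, 172.16.0.201 is the landing domU); the variables are assumptions you change for your own network. It is tighter than the post in two places, as a practitioner would want: MASQUERADE only rewrites packets from the LAN range, and ssh/OpenVPN from the internet are accepted only when headed for the landing host, with OpenVPN forwarded as UDP (its default).

```sh
#!/bin/sh
# Added example, not from the original post: the domU firewall as one iptables-restore
# file. Interfaces, LAN range and landing host are placeholders taken from the post.

WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-172.16.0.0/16}
LANDING=${LANDING:-172.16.0.201}

# render_ruleset [BAD_SOURCE ...]: print the ruleset. Any sources given are DROPped
# as the first rules of RH-Firewall-1-INPUT, the chain both INPUT and FORWARD jump to.
render_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 22 -j DNAT --to-destination $LANDING
-A PREROUTING -i $WAN -p udp --dport 1194 -j DNAT --to-destination $LANDING
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
EOF
  for bad in "$@"; do
    printf '%s -s %s -j DROP\n' '-A RH-Firewall-1-INPUT' "$bad"
  done
  cat <<EOF
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i $LAN -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i $WAN -d $LANDING -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -i $WAN -d $LANDING -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_rules: read a ruleset on stdin; fail if any DNAT points somewhere other than
# the landing host, or any NEW connection from the internet is accepted for another
# destination. Cheap insurance against a typo opening the firewall itself.
check_rules() {
  awk -v landing="$LANDING" -v wan="$WAN" '
    /-j DNAT/ && index($0, "--to-destination " landing) == 0 { bad = 1 }
    index($0, "-i " wan) && /--state NEW/ && index($0, "-d " landing) == 0 { bad = 1 }
    END { exit bad }'
}

# persist_forwarding [FILE]: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or FILE).
# sysctl -p only re-reads this file; it never writes the setting there for you.
persist_forwarding() {
  conf=${1:-/etc/sysctl.conf}
  if grep -q '^net\.ipv4\.ip_forward' "$conf" 2>/dev/null; then
    sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$conf"
  else
    echo 'net.ipv4.ip_forward = 1' >> "$conf"
  fi
}

# apply_ruleset [BAD_SOURCE ...]: check, load the whole ruleset in one transaction,
# save it to /etc/sysconfig/iptables, and enable forwarding now and at boot.
apply_ruleset() {
  render_ruleset "$@" | check_rules || { echo "ruleset failed checks; not loaded" >&2; return 1; }
  render_ruleset "$@" | iptables-restore || return 1
  service iptables save && persist_forwarding && sysctl -w net.ipv4.ip_forward=1
}
```

Run render_ruleset 192.0.2.44 to see what would be loaded (the argument plays the part of the noisy source from the post), and apply_ruleset as root once it looks right. Because iptables-restore replaces the tables in one step, a mistake never leaves the firewall half configured, which is the failure mode of typing rules one at a time.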

I hope this helps you get started with your domU firewall.

-j


December 12, 2008  7:56 PM

Setting up a physical NIC for a firewall on a Xen domU (Part 1)

John Little Profile: Xjlittle

Recently I brought up a new Xen server that needed an iptables firewall on a domU. My first thought had been to set up the firewall on dom0, but that turned out to be a difficult task because of all of the virtual interfaces that are created there. Red Hat/CentOS also installs a set of rules by default to make sure that all of these interfaces interact with each other properly. Onward to domU.

The first thing necessary for a domU firewall that is exposed to the internet is to “hide” a physical interface from dom0 and hand it to the domU firewall machine. To do that we need to do a few things. Ultimately this is going to require a reboot of dom0, so consider whether that is feasible for your situation.

Let’s get started. First we need to get some numbers from the interface. To do this use the lspci command.

[root@virtual-host ~]# lspci |grep -i ethernet
==>01:02.0 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
01:02.1 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
01:06.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)

As you can see I have three interfaces on this machine. The marked interface needs an entry in /etc/modprobe.conf, so that the pciback driver claims it before the normal NIC driver can, and an entry in the configuration file of the firewall domU (under /etc/xen) so that domU is given the device.

##/etc/modprobe.conf
options pciback hide=(01:02.0)

##firewall domU configuration file
pci = [ "01:02.0" ]

Now we need the numeric vendor and device IDs from lspci -n, which go in the xend-pci-permissive.sxp file under /etc/xen.

[root@virtual-host xen]# lspci -n
==>01:02.0 0200: 8086:1079 (rev 03)
01:02.1 0200: 8086:1079 (rev 03)
01:06.0 0200: 8086:100e (rev 02)

Match the PCI address from the first lspci command to find the correct line. You want the vendor:device pair; in the output above that is 8086:1079. Note that both ports of the dual-port 82546GB carry that ID, so the permissive entry matches both of them, even though pciback only seizes the one you listed in modprobe.conf.

Open the xend-pci-permissive.sxp and make an entry like the following:

(unconstrained_dev_ids
('8086:1079')
)

Once we have this done we need to make a new initrd image that preloads the pciback module, so that it is loaded early enough to seize the device before the e1000 driver binds to it. Before running the following commands make a copy of your current initrd; if you run into problems you can put it back and try again. Run this from dom0, so that uname -r is the Xen kernel you actually boot:

cd /boot
mkinitrd -f --preload pciback initrd-$(uname -r).img $(uname -r)

After creating the new initrd it’s time to reboot and check your work.

Once dom0 is up we need to look for certain entries in /var/log/messages:

[root@virtual-host ~]# grep pciback /var/log/messages
vpci: 0000:01:02.0: assign to virtual slot 0
virtual-host kernel: pciback 0000:01:02.0: seizing device
virtual-host kernel: pciback 0000:01:02.0: enabling permissive mode configuration space accesses!
virtual-host kernel: pciback 0000:01:02.0: permissive mode is potentially unsafe!
virtual-host kernel: pciback: vpci: 0000:01:02.0: assign to virtual slot 0

Once you see that the device is seized and assigned to a virtual slot, check your firewall machine to make sure it is getting an IP from your ISP as well as being connected to your LAN. Take the two warnings in the log seriously: permissive mode lets the domU write to the device’s PCI configuration space rather than only read it, which is why the kernel calls it potentially unsafe. The domU now drives this NIC and its DMA directly, so whatever gets into the firewall domU gets the hardware too; only list a device in xend-pci-permissive.sxp if its driver does not work without it.

[root@fw0 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:36:73:82
inet addr:172.16.0.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe36:7382/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:548690 errors:0 dropped:0 overruns:0 frame:0
TX packets:291190 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:486044371 (463.5 MiB) TX bytes:47023339 (44.8 MiB)

eth1 Link encap:Ethernet HWaddr 00:04:23:A6:C1:0E
inet addr:76.240.xxx.xxx Bcast:76.240.xxx.xxx Mask:255.255.255.0
inet6 addr: fe80::204:23ff:fea6:c10e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:311217 errors:0 dropped:0 overruns:0 frame:0
TX packets:564587 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100
RX bytes:50257788 (47.9 MiB) TX bytes:487593757 (465.0 MiB)
Base address:0xb400 Memory:fea40000-fea60000

As you can see from the above output, eth0 is connected to my LAN and eth1 has received its internet address, so we are connected to the internet. The OS (Red Hat/CentOS) should create the entry for eth1 without any input on your part.

Please read my next post for setting up iptables in your domU.

-j


December 11, 2008  3:24 PM

Generate a self signed SSL certificate for your Apache Web Server

John Little Profile: Xjlittle

After getting tired of clicking OK to the certificate messages that popped up every time I or someone else accessed my personal Apache web server over SSL, I decided to generate my own self-signed SSL certificate. Bear in mind that a self-signed certificate does not make the browser warning go away on its own: the browser still has to be told to trust it, which you do once by importing the certificate, after which the warnings stop for as long as the certificate is valid and its name matches the site.

Note that all of these steps are performed on a CentOS or Red Hat apache web server. Depending on the paths that you have setup in your httpd.conf or virtualhost container your paths may be somewhat different. Simply substitute your paths for the ones that I use when I copy my certificates into the designated path.

Let’s get started. First cd into the /etc/pki/tls directory. You have three commands to enter here to generate your self-signed certificate. You may name the files anything you want; I chose my server’s name.

Issue each of the following commands; all three are necessary to generate your certificate. I will comment on them either in the code or just below it.

##First command to generate the key
[root@web tls]# openssl genrsa -rand /etc/passwd:/etc/group:/etc/httpd/web-sites/hosts-ssl -out secserve.sytes.net.key 1024
7843 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........++++++
........................++++++
e is 65537 (0x10001)

##second command
[root@web tls]# openssl req -new -key secserve.sytes.net.key -out secserve.sytes.net.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Indiana
Locality Name (eg, city) [Newbury]:Plainfield
Organization Name (eg, company) [My Company Ltd]:MyWeb
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your name or your server's hostname) []:secserve.sytes.net
Email Address []:jlittle_97@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

##third command
[root@web tls]# openssl x509 -req -days 730 -in secserve.sytes.net.csr -signkey secserve.sytes.net.key -out secserve.sytes.net.crt
Signature ok
subject=/C=US/ST=Indiana/L=Plainfield/O=MyWeb/OU=Web/CN=secserve.sytes.net/emailAddress=jlittle_97@yahoo.com
Getting Private key
[root@web tls]# ls
cert.pem certs misc openssl.cnf private secserve.sytes.net.crt secserve.sytes.net.csr secserve.sytes.net.key

The first command generates the RSA private key. The -rand files are optional: on Linux openssl seeds itself from /dev/urandom anyway, and files like /etc/passwd are readable by everyone, so they add nothing you should rely on. The 1024 at the end makes it a 1024-bit key; today 2048 bits is the minimum that browsers and CAs accept, so use at least that.

The second command generates the CSR (certificate signing request). This is where you put in your location and server name. The Common Name is the internet name of the web server as it appears in the URL, not the name of the machine the server runs on; if they differ, browsers will warn about a name mismatch. Be sure to substitute your own values for mine. Leave the challenge password and optional company name entries blank.

The third command signs the CSR with your own private key (-signkey), which produces the self-signed certificate; the private key itself was made in the first step. -days 730 makes it valid for 730 days, or 2 years. The ls command verifies that the files are there.

Now you need to check your Apache web server to find out where it looks for your certificate files. My SSL server is a virtual host. I keep my virtual host container file in /etc/httpd/web-sites with a file name of hosts-ssl. Let’s open that to the secserve container and see where Apache expects to find the certificate.

[root@web tls]# vim /etc/httpd/web-sites/hosts-ssl

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/secserve.sytes.net.crt
SSLCertificateKeyFile /etc/httpd/ssl/secserve.sytes.net.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

ServerAdmin jlittle_97@yahoo.com
ServerName secserve.sytes.net

I can see in my container that secserve.sytes.net is my web server and that it expects to find the certificate files under /etc/httpd/ssl/ as filename.crt and filename.key. Copy the .crt and .key files from /etc/pki/tls, where you generated them, into that directory; the .csr was only needed to make the certificate and can stay behind or be deleted. You can use any directory you like, as long as the paths in the container match.

All that’s left is to restart or reload the web server.

You can check under /var/log/httpd/ to make sure that there are no errors generated by the ssl certificate files. If not you are good to go.

A couple of notes are in order here. In the first command you can add the switch -des3, which encrypts the private key and forces you to enter a passphrase whenever Apache loads it. While this protects the key if the file is stolen, it is not very practical, at least for me: every time the web server is restarted you will have to type the passphrase. Aside from being a little inconvenient, what if someone who doesn’t and shouldn’t know the passphrase has to reboot the machine or restart Apache?

My suggestion for the above scenario is to leave the key unencrypted but chmod it to 600 and make sure that root owns it, so that only root (and Apache, which reads the key as root before dropping privileges) can ever read it.

So now you can generate your own self-signed certificate. The same process works for other SSL-enabled applications such as Dovecot.

One last note. If you have a ServerAlias that you use to reach your web site from inside your firewall, remember that browsers compare the name in the certificate against the hostname in the URL, so the alias needs to be covered too: either generate a second certificate with the alias as its Common Name and configure it in that virtual host, or, better, issue one certificate that lists both names in its subjectAltName extension.
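The same certificate in one openssl invocation, as an added example that is not from the original post, with the settings a 2008 post predates: a 2048-bit key, no -rand seeding from /etc/passwd, SHA-256, and a subjectAltName that lists the ServerName plus any ServerAlias so one certificate covers both names. The hostnames, file names and output directory are placeholders; the check function is what you run again after copying the pair into /etc/httpd/ssl.

```sh
#!/bin/sh
# Added example, not from the original post. Generates a self-signed server
# certificate with SAN in one step and checks the resulting crt/key pair.
# Hostnames and paths are placeholders.

# make_selfsigned OUTDIR NAME DAYS HOST [ALIAS ...]
# writes OUTDIR/NAME.key (mode 0600) and OUTDIR/NAME.crt (mode 0644).
make_selfsigned() {
  outdir=$1; name=$2; days=$3; host=$4; shift 4
  san="DNS:$host"
  for alias in "$@"; do san="$san,DNS:$alias"; done
  cfg=$(mktemp) || return 1
  # A throwaway req config carries the CN and the SAN; this works on any OpenSSL
  # release, where the shorter -addext flag needs 1.1.1 or later.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
  # umask 077 in a subshell: the key is created 0600, with no window where it is
  # world readable, and the caller's umask is left alone.
  ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
      -config "$cfg" -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null )
  rc=$?
  rm -f "$cfg"
  [ "$rc" -eq 0 ] && chmod 644 "$outdir/$name.crt"
  return "$rc"
}

# check_cert CRT KEY: confirm the certificate verifies against itself, that the key
# is the one it was made with (same RSA modulus), and list the DNS names it covers.
check_cert() {
  crt=$1; key=$2
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] || return 1
  openssl x509 -noout -text -in "$crt" | grep -o 'DNS:[^,]*' | tr -d ' '
}
```

For the post’s server that is make_selfsigned /etc/httpd/ssl secserve.sytes.net 730 secserve.sytes.net secserve, followed by check_cert on the two files, which should print both DNS names; the modulus comparison is the quickest way to catch a certificate copied next to the wrong key, which Apache reports only as a startup failure in ssl_error_log.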

You can probably have the complete setup done in less time than it takes to read this article.

Have fun!

-j

