Adding SSL to the ListManager Web Server

SSL (Secure Sockets Layer) is a protocol that allows you to manage the security of your web server. Aurea List Manager supports SSL 3 and TLS 1.

In order to use SSL with the Lyris Aurea List Manager Webserver, it is necessary to generate a private key file and go through the process of acquiring a certificate file, as well as enabling SSL in the tclhttpd.rc file.

The example we provide here for generating the SSL files uses OpenSSL (http://www.openssl.org), but a similar process can be done with tools from RSA (http://www.rsa.com). You must have OpenSSL installed and have an openssl (or openssl.exe) binary to follow this example.

We include (in the 'tclweb/bin/certs/' directory) the openssl program so that you do not need to obtain it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for Linux), or obtained from Cygwin (http://www.cygwin.com).

SSL is a feature of Aurea List Manager Pro and Enterprise, and is unavailable for standard Aurea List Manager. Contact your account representative at sales@lyris.com if you'd like to upgrade to Aurea List Manager Pro or Enterprise.

Please note: These examples are for illustrative purposes only. If you need extra assistance please contact sales@lyris.com to learn about our professional services.

SSL Installation Information: 

Adding SSL for Windows

Adding SSL for Linux

Installing an Intermediate Root Certificate

Adding SSL for Windows

  1. Open a command prompt, and then change the directory to ...tclweb/bin/certs/.
  2. Generate a CSR file (Certificate Request) and the private key file:

    openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf

    NOTE: This should all be on the same line.

    You are prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you do not have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

  3. You have generated two files: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world.
  4. Submit the CSR file you created to a Certifying Authority (CA) such as Verisign.

    The certificate request should look something like:

    -----BEGIN CERTIFICATE REQUEST-----
    JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

    More letters and numbers....

    -----END CERTIFICATE REQUEST-----

    To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.

  5. Fill out the technical contact information and submit. You receive your certificate via email.
  6. Install the certificate in the Aurea List Manager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied into a file called server.pem.
  7. Copy the server.pem and skey.pem (from step 2 above) to the Aurea List Manager tclweb\bin\certs directory.
  8. Turn on the SSL option for the Aurea List Manager webserver. Open tclweb\bin\tclhttpd.rc in the Aurea List Manager directory with a plain text editor (such as Notepad or Wordpad) and edit the following lines to read as follows:

    Config USE_TLS1 1
    Config USE_SSL2 1
    Config USE_SSL3 1

    By default this option is off (0).

  9. Add a list of SSL ciphers to support, if necessary, to the Config SSL_CIPHERS setting:

    Config SSL_CIPHERS { }

    Note

    OpenSSL provides the SSL support for TclHttpd. The TclHttpd setting "Config SSL_CIPHERS { }" takes a string of the same form expected by OpenSSL's "ciphers" command:

    openssl ciphers [-v] [-V] [-ssl2] [-ssl3] [-tls1] [cipherlist]

    Multiple ciphers are listed with ":" (colon) between each cipher name:

    Config SSL_CIPHERS {ALL:eNULL}

    Config SSL_CIPHERS {3DES:+RSA}

    You can learn more about OpenSSL and ciphers here.

  10. Restart the webserver. You should see output like this (if started from the command line).

    ListManager Web Interface: now running on port 80
    secure httpd started on SSL port 443
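
An added example, not part of the vendor documentation: a shell audit of tclhttpd.rc that reports enabled SSL 2.0 or SSL 3.0 and any SSL_CIPHERS token that adds null-encryption, anonymous, export or other weak suites (the ALL:eNULL sample above adds suites with no encryption). The helper names and the "stricter" sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example, not vendor code. audit_tclhttpd_rc and write_samples are
# hypothetical helper names; the Config keys are the ones shown in the steps.

# Prints one line per finding; the exit status is the number of findings.
audit_tclhttpd_rc() {
    awk '
    $1 != "Config" { next }                # skips comments and other lines
    # SSL 2.0 is prohibited by RFC 6176, SSL 3.0 deprecated by RFC 7568.
    ($2 == "USE_SSL2" || $2 == "USE_SSL3") && $3 == 1 {
        print "WEAK " $2 ": protocol is enabled"; n++
    }
    $2 == "SSL_CIPHERS" {
        s = $0
        sub(/^[ \t]*Config[ \t]+SSL_CIPHERS[ \t]*/, "", s)
        gsub(/[{}"]/, "", s)
        m = split(s, tok, /[:, ]+/)        # OpenSSL accepts : , and space
        for (i = 1; i <= m; i++) {
            t = tok[i]
            # "!" and "-" remove suites, "+" only reorders, "@" is a directive
            if (t == "" || t ~ /^[!+@-]/) continue
            k = split(t, part, "+")        # A+B means suites in both A and B
            for (j = 1; j <= k; j++)
                if (part[j] ~ /^(eNULL|NULL|aNULL|ADH|EXPORT|EXP|LOW|DES|RC4|RC2|MD5)$/) {
                    print "WEAK SSL_CIPHERS: " t " adds " part[j] " suites"; n++
                }
        }
    }
    END { exit n + 0 }
    ' "$1"
}

# Constructed samples: the values from the steps above, and a stricter variant.
write_samples() {
    printf '%s\n' 'Config USE_TLS1 1' 'Config USE_SSL2 1' 'Config USE_SSL3 1' \
        'Config SSL_CIPHERS {ALL:eNULL}' > "$1/as-documented.rc"
    printf '%s\n' 'Config USE_TLS1 1' 'Config USE_SSL2 0' 'Config USE_SSL3 0' \
        'Config SSL_CIPHERS {HIGH:!aNULL:!eNULL}' > "$1/stricter.rc"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    audit_tclhttpd_rc "$d/as-documented.rc"; echo "findings: $?"
    audit_tclhttpd_rc "$d/stricter.rc"; echo "findings: $?"
    rm -rf "$d"
fi
```

Run the script with the argument demo to audit the two constructed files, or source it and call audit_tclhttpd_rc on your own tclhttpd.rc.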

Adding SSL for Linux

  1. Generate a CSR file (Certificate Request) and the private key file:

    openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf

    You are prompted for a passphrase, and various data about your organization. If you wish, you can edit the openssl.cnf file to provide default information for your organization, so you do not have to type it each time you create a certificate. Verisign (http://www.verisign.com) has some example input for creating the certificate request.

  2. You have two files generated: your public key for requesting a certificate (public.csr), and a private key (skey.pem). These files should be protected from the outside world. To set the file permissions appropriately, run:

    chmod 600 skey.pem

  3. Submit the CSR file you created to a Certifying Authority (CA) such as Verisign.

    The certificate request should look something like:

    -----BEGIN CERTIFICATE REQUEST-----
    JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda

    More letters and numbers....

    -----END CERTIFICATE REQUEST-----

    To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.

  4. Fill in the technical contact information and submit. You receive your certificate via email.
  5. Install the certificate in the ListManager web server. The file you receive back from Verisign (or your favorite certificate authority) should be copied into a file called server.pem.
  6. Copy the server.pem and skey.pem (from step 1 above) to the Aurea List Manager tclweb/bin/certs directory.
  7. Turn on the SSL option for the Aurea List Manager webserver. Open tclweb/bin/tclhttpd.rc in the Aurea List Manager directory with a plain text editor (such as emacs or vim) and edit the following lines to read as follows:

    Config USE_TLS1 1
    Config USE_SSL2 1
    Config USE_SSL3 1

    By default this option is off (0).

  8. Restart the webserver. You should see output like this (if started from the command line).

    ListManager Web Interface: now running on port 80
    secure httpd started on SSL port 443

Installing an Intermediate Root Certificate

When using an intermediate root certificate, you may get an error indicating that the certificate is not yet valid, or has expired, when it clearly is in the correct date range. Here is how you solve that problem with Verisign:

1. Change directory to tclweb/bin (underneath the directory where you installed ListManager).

2. Make a backup copy of the file tclhttpd.rc.

3. Open tclhttpd.rc with a plain text editor.

4. Replace

Config SSL_CAFILE  ""

with

Config SSL_CAFILE  [file join [Config SSL_CADIR] intermediate.crt]

5. Save tclhttpd.rc.

In the "certs" directory (underneath "bin"), create a file "intermediate.crt" and add the intermediate root certificate to it, including the BEGIN CERTIFICATE and END CERTIFICATE lines (obtained from https://www.verisign.com/support/site/caReplacement.html).

6. Restart the ListManager tclhttpd web server.
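
An added example, not part of the vendor documentation: checks to run on the certs directory before the restart, covering the skey.pem and server.pem produced by the Adding SSL steps and the intermediate.crt from this section. The function names are hypothetical, the script assumes a current openssl binary on the PATH rather than the bundled one, and make_demo_certs only builds throwaway, constructed test files.

```sh
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical; the file
# names skey.pem, public.csr, server.pem and intermediate.crt come from the page.

# 0 when the RSA private key and the certificate carry the same modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when group and other have no access to the key (the chmod 600 state).
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# 0 when the certificate has not expired at this moment.
cert_in_date() { openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; }

# 0 when CERT was issued under a certificate in CAFILE. -partial_chain lets an
# intermediate act as the anchor; it is an assumption that your openssl has it.
chain_ok() {
    openssl verify -partial_chain -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Checks a certs directory; prints each failure, returns the failure count.
preflight() {
    n=0
    key_is_private "$1/skey.pem" || { echo "FAIL skey.pem: group/other access"; n=$((n + 1)); }
    key_matches_cert "$1/skey.pem" "$1/server.pem" ||
        { echo "FAIL server.pem: not issued for skey.pem"; n=$((n + 1)); }
    cert_in_date "$1/server.pem" || { echo "FAIL server.pem: expired"; n=$((n + 1)); }
    if [ -f "$1/intermediate.crt" ]; then
        cert_in_date "$1/intermediate.crt" || { echo "FAIL intermediate.crt: expired"; n=$((n + 1)); }
        chain_ok "$1/intermediate.crt" "$1/server.pem" ||
            { echo "FAIL server.pem: does not chain to intermediate.crt"; n=$((n + 1)); }
    fi
    return "$n"
}

# Constructed test material: a throwaway CA standing in for the intermediate,
# then key, CSR and signed certificate as in the steps (-subj replaces prompts).
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/ca-key.pem" -out "$1/intermediate.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lists.example.test" \
        -keyout "$1/skey.pem" -out "$1/public.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/public.csr" -CA "$1/intermediate.crt" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null &&
    chmod 600 "$1/skey.pem" "$1/ca-key.pem"
}
```

To try it, source the file, run make_demo_certs on an empty scratch directory and then preflight on the same directory; on a real installation call preflight on tclweb/bin/certs only.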

Note:

ListManager 9.x uses OpenSSL 0.9.7. This version may give false positives under certain circumstances.