Adding SSL to the ListManager Web Server
SSL (Secure Sockets Layer) is a protocol that allows you to manage security of your web server. Aurea List Manager supports SSL 3 and TSL 1.
In order to use SSL with the Lyris Aurea List Manager Webserver, it is necessary to generate a private key file
and go through the process of acquiring a certificate file, as well as enabling SSL in the tclhttpd.rc
file.
The example we provide here for generating the SSL files use OpenSSL (http://www.openssl.org
),
but a similar process can be done with tools from RSA (http://www.rsa.com
). You must have OpenSSL
installed and have an openssl (or openssl.exe
) binary to follow this example.
We include (in the 'tclweb/bin/certs/
' directory) the openssl program so that you do not need to obtain
it yourself. However, if you prefer, openssl can also be compiled from source, downloaded as an RPM (for
Linux), or obtained from Cygwin (http://www.cygwin.com
).
SSL is a feature of Aurea List Manager Pro and Enterprise, and is unavailable for standard Aurea List Manager. Contact your account representative at sales@lyris.com if you'd like to upgrade to Aurea List Manager Pro or Enterprise.
Please note: These examples are for illustrative purposes only. If you need extra assistance please contact
sales@lyris.com
to learn about our professional services.
SSL Installation Information:
Installing an Intermediate Root Certificate
Adding SSL for Windows
- Open a command prompt, and then change the directory to
...tclweb/bin/certs/
. - Generate a CSR file (Certificate Request) and the private key file
- You have generated two files: your public key for requesting a certificate (
public.csr
), and a private key (skey.pem
). These files should be protected from the outside world. - Submit the CSR file you created to a Certifying Authority (CA) such as Verisign.
The certificate request should look something like
-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda
More letters and numbers....
-----END CERTIFICATE REQUEST-----To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.
- Fill out the technical contact information and submit. You receive your certificate via email.
- Install the certificate in the Aurea List Manager web server. The file you receive back from Verisign (or
you favorite certificate authority) should be copied into a file called
server.pem
. - Copy the
server.pem
andskey.pem
(from step 1 above) to the Aurea List Managertclweb\bin\certs
directory. - Turn on the SSL option for the Aurea List Manager webserver. Open
tclweb\bin\tclhttpd.rc
in the Aurea List Manager directory with a plain text editor (such as Notepad or Wordpad) and edit the following line to be as follows:Config USE_TLS1 1
Config USE_SSL2 1
Config USE_SSL3 1By default this option is off (0).
- Add a list of SSL ciphers to support, if necessary, to the
Config SSL_CIPHERS
setting. - Restart the webserver. You should see output like this (if started from the command line).
ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
This should all be on the same line: penssl req -new -nodes -keyout skey2.pem -out public2.csr -config openssl.conf.
You are prompted for a passphrase, and various data about your organization. If you wish, you can
edit the openssl.cnf
file to provide default information for your organization, so you do not have to type
it each time you create a certificate. Verisign (http://www.verisign.com
) has some example input for
creating the certificate request.
Config SSL_CIPHERS { }
OpenSSL provides the SSL support for TclHttpd
. The TclHttpd
setting "Config SSL_CIPHERS
{ }
" takes a string of the same form expected by OpenSSL's "ciphers" command:
opensslciphers [-v] [-V] [-ssl2] [-ssl3] [-tls1] [cipherlist]
Multiple ciphers are listed with ":" (colon) between each cipher name:
Config SSL_CIPHERS {ALL:eNULL}
Config SSL_CIPHERS {3DES:+RSA}
You can learn more about OpenSSL and ciphers here.
Adding SSL for Linux
- 1. Generate a CSR file (Certificate Request) and the private key file:
- You have two files generated: your public key for requesting a certificate (public.csr), and
a private key (
skey.pem
). These files should be protected from the outside world. To set the file permissions appropriately, run:chmod 600 skey.pem
- Submit the CSR file you created to a Certifying Authority (CA) such as Verisign.
- Fill in the technical contact information and submit. You receive your certificate via email.
- Install the certificate in the ListManager web server. The file you receive back from Verisign (or
you favorite certificate authority) should be copied into a file called
server.pem
. - Copy the
server.pem
andskey.pem
(from step 1 above) to the Aurea List Managertclweb/bin/certs
directory. - Turn on the SSL option for the Aurea List Manager webserver. Open
tclweb/bin/tclhttpd.rc
in the Aurea List Manager directory with a plain text editor (such as emacs or vim) and edit the following line to be as follows: - Restart the webserver. You should see output like this (if started from the command line).
openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf
You are prompted for a passphrase, and various data about your organization. If you wish, you can
edit the openssl.cnf
file to provide default information for your organization, so you do not have to type
it each time you create a certificate. Verisign (http://www.verisign.com
) has some example input for
creating the certificate request.
The certificate request should look something like
-----BEGIN CERTIFICATE REQUEST-----
JLKJSDKLSJDLKJLKjdfakslfjaldkfafLSKJDSL234324/a/adsfasaadadfasda
More letters and numbers....
-----END CERTIFICATE REQUEST-----
To test SSL, you can request a temporary (15 day) license from Verisign by looking for the free SSL Trial ID offer. In order to use this test license, you also have to install a Client Certificate ("Test CA Root") into the client browser you are planning to use.
Config USE_TLS1 1
Config USE_SSL2 1
Config USE_SSL3 1
By default this option is off (0).
ListManager Web Interface: now running on port 80
secure httpd started on SSL port 443
Installing an Intermediate Root Certificate
When using an intermediate root certificate, you may get an error indicating that the certificate is not yet valid, or has expired, when it clearly is in the correct date range. Here is how you solve that problem with Verisign:
1. Cd to tclweb/bin
(underneath the directory where you installed ListManager)
2. Make a backup copy
of the file tclhttpd.rc
.
3. Open tclhttpd.rc
with a plain text editor.
4. Replace
Config SSL_CAFILE "
with
Config SSL_CAFILE [file join [Config SSL_CADIR] intermediate.crt]
5. Save tclhttpd.rc
.
In the "certs" directory (underneath "bin"), create a file "intermediate.crt
"
and add this to it (including the CERTIFICATE headers)
(obtained from https://www.verisign.com/support/site/caReplacement.html ):
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
-----END CERTIFICATE-----
6. Restart the ListManager tclhttpd
web server.
ListManager 9.x uses OpenSSL 0.9.7. This version may give false positives under certain circumstances.