Securing the connections between the client and SGD server
By Fat Bloke on Aug 18, 2007
When you initially install SGD (at least all versions up to the time of writing, which is 4.31), the SGD web server listens on port 80 and the SGD server listens on port 3144, and the traffic between the client and the SGD server, both the HTTP and the AIP traffic, is unencrypted. Anyone sitting on the network path between client and server can read it.
So how do we secure the communications between client and server?
- First we need an X.509 certificate. Normally you have to go and buy an X.509 certificate from people like Verisign. Being tight, Fat Bloke uses a little known feature of SGD, which is a "self-signed certificate". This certificate is useless in a production environment: it encrypts the connection, but since no trusted CA vouches for it, a client has no way to tell the real SGD server from an impostor presenting a self-signed certificate of its own. But it is free. To get a self-signed certificate you create a CSR (certificate signing request) as usual:
# /opt/tarantella/bin/tarantella security certrequest --country US --state CA --orgname "Acme Widgets Ltd"
...and follow the instructions. But instead of sending this request off to Verisign, keep your money in your pocket and type:
# /opt/tarantella/bin/tarantella security selfsign
Ignore the warnings and move on...
- Start the SGD server in secure mode. The self-signed certificate has automatically been placed in the /opt/tarantella/var/tsp directory and is used by SGD when you start it up with secure connections:
# /opt/tarantella/bin/tarantella security start
So now we have secure AIP connections on port 5307. But what about the web server connections?
- Start the web server in secure mode. The web server that is bundled with SGD (Apache) has a preconfigured httpd.conf file that looks for certificates in the same place that SGD uses to store them. So all we need to do is restart the web server with SSL enabled:
# /opt/tarantella/bin/tarantella webserver restart --ssl
So now our web traffic and AIP traffic are using SSL on ports 443 and 5307 respectively.
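Before trusting the result, it is worth looking at what a client actually sees on the two new ports. The POSIX shell script below is an added example, not part of the original post and not an SGD tool; it assumes the openssl command-line utility is installed on the machine you run it from, and that the host name and ports you pass in are the ones used above. It pulls the certificate an endpoint presents and flags the case this post creates on purpose: a certificate whose issuer is its own subject, which encrypts the session but lets nobody verify who is on the other end.

```shell
# Added example (not from the original post or from SGD). Assumes the openssl CLI.

# Fetch the certificate an SSL endpoint presents, as PEM on stdout.
# Usage: fetch_cert host port
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 if the PEM certificate in file $1 is self-signed, judged by
# issuer == subject. That is what 'tarantella security selfsign' produces,
# and it is also why no client can distinguish this server from an impostor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # Strip the "subject=" / "issuer=" labels, then compare the names.
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print subject, issuer, expiry and a verdict for one endpoint.
# Returns 1 if the port does not present a certificate at all, which is what
# you get from the plaintext ports 80 and 3144 or from a closed port.
# Usage: report_endpoint host port
report_endpoint() {
    tmp=$(mktemp) || return 1
    if ! fetch_cert "$1" "$2" > "$tmp" 2>/dev/null; then
        echo "$1:$2 no SSL certificate presented (plaintext or closed)"
        rm -f "$tmp"
        return 1
    fi
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    if is_self_signed "$tmp"; then
        echo "$1:$2 SELF-SIGNED: traffic is encrypted, but clients cannot verify the server"
    else
        echo "$1:$2 CA-issued certificate"
    fi
    rm -f "$tmp"
}

# Typical use once 'tarantella security start' and
# 'tarantella webserver restart --ssl' have been run (host name is an assumption):
#   report_endpoint sgd.example.com 443
#   report_endpoint sgd.example.com 5307
```

Run it against both 443 and 5307 and expect the same subject and issuer on each, since the bundled Apache reads its certificate from the same place as the SGD server. The SELF-SIGNED verdict is the reminder that this setup stops passive sniffing only; swapping in a CA-issued certificate is what makes the verdict change.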
In the next blog, we'll see how we can refine this deployment to work wholly over 443.