In the protocol stack used in the internet. The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP.

The SSL protocol includes two sub-protocols:
1) SSL record protocol
2) SSL handshake protocol

The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection.

Now SSL for the layman
SSL basically creates an encrypted communication channel between the two parties involved in the communication. For a third person involved in the middle of this communication channel, the data seems to be garbled.

Suppose Alice (A, the browser) wishes to communicate with Bob (B, the server) then the exact steps that takes place inorder to begin the encrypted communication are:

1) A -> B hello
Alice contacts Bob and requests for a private communication (request for an https link at port 443)

2) B -> A Hi, I’m Bob, bobs-certificate
Bob send back to Alice his certificate. A certificate authenticates that it is Bob who is actually communicating with Alice. It is like a unique ID card displayed.

3) A -> B prove it
Alice requests Bob to prove his identity.

4) B -> A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
Bob sends back a message and its digest encrypted with his private key. This step can also be like sending a document with a digital signature (when you have Alice’s public key).

5) A -> B ok bob, here is a secret {secret} bobs-public-key
Alice sends back to Bob some secret. Usually a session key encrypted using Bob’s public key obtained from his certificate

6) B -> A {some message,MAC}secret-key
Next Bob generates a secret key from Alice’s secret (earlier step) and sends back to Alice the real message and its MAC encrypted with this secret key. This is actually the encrypted website.

Terminologies

Certificate
This is actually bobs public key containing document which is digitally signed by a certificate issuer’s private key (like Verisign). In this process Verisign gets all the necessary documents to verify that Bob’s identity is correct and it gets Bob’s public key (and some other data like certificate expiry period, Bobs identity) and encrypts it with its own private key. Now Verisign’s public key comes built-in along with every browser (so that the browser can get bobs public key from within it).

Digest
Digest or more appropriately Message Digest is like a summary of the actual message or a portion of the message. The digest of a message is is unique for every unique message, it is a one way function such that obtaining the digest, it is never possible to recover the original message (This does not involve using any key in the process). Message Digest always appears with the original message. Upon reception of this Message and its digest at the receiver’s end, the receiver can once again calculate the digest from the original message and verify the integrity of the message.

Digital signature
Let Bob send a document to Alice which is digitally signed. For this Bob must have Alice’s public key and Alice must have Bob’s public key.Bob takes the document, encrypts it first with Alice’s public key and next with its own private key(Bob’s)

B -> A [{message}alices-public-key ]bobs-public-key

Session Key
The only secret which is communicated using public key encryption is a session key. Now the session key is chosen from the ’secret’ that the parties accept. the session key could be the secret itself or a portion of the secret or the result when the secret is passed through a previously agreed algorithm. The SSL encrypted communication does’t necessary have to be created using a public key encryption technique (This uses a lot of overhead, i.e. processing and time), it may be simple symmetric cypher(less overhead) using this session key once agreed upon. There are a variety of cypher suites available (IDEA Blow-fish RSA DES MD5 KEA) and both the parties may choose some encryption technique based on the protocol used (SSL1.0 SSL2.0 TLS etc)

MAC
MAC or Message Authentication Code is similar to the Message Digest we have discussed. It is used to verify the integrity of the Message.

MAC := Digest[ some message, secret ]

Files associated with SSL

CSR
CSR or Certificate Signing Request is a string of text generated by the server. This file is sent to the SSL vendor while purchasing an SSL. In the process of generating your CSR, you provide a number of details regarding the domain being registered. Excerpts of text from all these are taken to generate your private key. This private key is present only within the server and nowhere else. The content of the CSR basically contains the public key along with all the details you have used. You get this as domain.com.csr or domain_com.csr.

CA bundle
CA (Certificate Authority) bundle file is one which contains the public key of the Certificate Issuer (Like Verisign’s public key). Usually this is not required while installing the SSL and most browsers will have this detail in advance to decrypt the SSL certificate (the CRT file) from the server. You get this as domain.com.cabundle or domain_com.ca-bundle.

CRT
This is the actuall SSL certificate as obtained from the SSL vendor. It is a file (containing the public key of the domain secured with SSL and other details like the expiry date, owner information, address etc of the SSL) which is encrypted with the private key of the SSL vendor (Digitaly signed by the SSL vendor). You get this as domain.com.crt or domain_com.crt .

Key file
This is the file which holds your private key (strictly confidential material). The file will have the RSA private key as generated by your server software. You get this as customcardsplus.com.key or customcardsplus_com.key. This file is not usually send to your SSL vendor unlike the CSR. You get this as domain.com.key or domain_com.key .

SSL in a cPanel server
Any service can be secured in a communication channel which is encrypted with SSL. Each of this service on the encrypted channel will be on a different port. Some of them are as follows:

A domain served as a secure webpage will require a dedicated IP (in a shared environment). SSL protocol is designed to use IP-based mapping. SSL does not support host headers. Therefore, you should have a unique IP address assigned to your secure site. These pages are served from the port 443. Let us examine the configuration of such a website in the apache’s config file /usr/local/apache/conf/httpd.conf.

Every website (in our example domain.com with username: doma) enabled with SSL has a unique set of directives in the VirtualHost section for the 443 port as:

<VirtualHost 266.11.208.293:443\> Dedicated IP of the domain

ServerName domain.com #Domain name secured with SSL
ServerAlias www.domain.com

DocumentRoot /home/doma/public_html

ServerAdmin webmaster@domain.com
UseCanonicalName off
CustomLog /usr/local/apache/domlogs/domain.com combined

CustomLog /usr/local/apache/domlogs/domain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
ScriptAlias /cgi-bin/ /home/doma/public_html/cgi-bin/
SSLEngine on #This directive enables the SSL on this domain
SSLCertificateFile /etc/ssl/certs/www.domain.com.crt #Location of CRT file
SSLCertificateKeyFile /etc/ssl/private/www.doma.com.key #Location of Private key
SSLCACertificateFile /etc/ssl/certs/www.domain.com.cabundle #Location of CAbundle file
CustomLog /usr/local/apache/domlogs/domain.com-ssl_log combined #Log specific for the SSL served webpage
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

<Directory "/home/doma/public_html/cgi-bin">
SSLOptions +StdEnvVars #This directive will pass mod_ssl environment variables to the server scripts.
</Directory>

</VirtualHost>

Some times the directive SSLCertificateChainFile is used in place of SSLCACertificateFile. The minimal addition you will have to make to enable SSL in your httpd.conf file is:

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

There are two locations where you are likely to find the SSL related files in your cPanel server. Usually the crt, key and the ca bundle are present in the home directory of the user in /home/username/ssl/, if it was installed using the client’s cpanel. However if the WHM was used instead to install the same, you will find it in /etc/ssl/. In either of these locations you will find two directories: certs/ and private/. certs contain the crt and cabundle while the private contains the keys.

Now you know how ssl works in your server, Any more questions? just comment!

Tweet This Post

Here we are going to install apache using the source only. The choice of Operating System here is Linux (distro: Centos). The procedure we follow here will lead to a simple apache installation for dynamic loading of php. PHP will be installed as a module to apache. With a little bit of patience and time, all the necessary modules can be installed with apache. I will be giving a brief idea about the installation of the other modules later.
The basics of installation from the source involves mainly three simple steps (assuming you are lucky):

./configure
make
make install

./configure creates the MAKEFILE on the fly. We can provide the necessary options to configure. To list the available options in the configuring step use

./configure --help

–prefix=/path/… mentions where the executable and its files are installed. If not mentioned it takes the default values.
–enable-[Feature] will enable the specified Feature in apache as it is being built. We are only interested in the DSO capability and hence we enable it with: –enable-so

As a convention we always keep the source code tar ball inside a directory in /usr/src/, thus source installation begins in this directory.

Apache Compilation

Download the required source tar ball of the apache you would like to compile. Here I am installing httpd-2.0.63 from http://httpd.apache.org/download.cgi#apache20. I save it in the /usr/src/ folder.

cd /usr/src/
wget http://www.bizdirusa.com/mirrors/apache/httpd/httpd-2.0.63.tar.gz

This will result in the generation of the file httpd-2.0.63.tar.gz

tar -xzf httpd-2.0.63.tar.gz

This will result in the creation of the directory httpd-2.0.63. Next enter inside this directory and execute the ./configure command.

cd httpd-2.0.63
./configure --prefix=/usr/local/webserver --enable-so

We are installing apache inside /usr/local/webserver and enable DSO to run php as a module to apache. During this process we may get a lot of errors. We resolve these by manually installing the unresolved dependencies either by obtaining their rpms or by using yum. Normally the first dependency we will get to resolve are:

gcc
glibc
libxml and
their corresponding devel packages

In the days where there were no package management tools like yum, pirut, apt-get etc. The old rpms served the installation of these packages with some effort. The task of determining the required rpm package for the required architecture and resolving the other dependencies which arise due to the installation of this rpm may be a tedious task. Some sites which helped in obtaining the necessary rpm suited for our installation and its other dependancies are:

http://rpm.pbone.net/

http://www.rpmfind.net/linux/RPM/

http://ftp.freshrpms.net/

http://dries.ulyssis.org/rpm/packages.html

http://apt.sw.be/

http://rpms.famillecollet.com/ (Remi RPM Repository)

Once everything goes well (we do the ./configure step again to determine this), the make command is executed.

make

If errors are encountered in this stage, We resolve them by installing the unresolved dependencies (Same as the previous step) and then do:

make clean

After this we repeat the make command and then issue:

make install

This process installs the package finally within the system. Modify the init script ( /etc/rc.d/init.d/httpd or /etc/init.d/httpd they are symbolic links) Or sometimes you may even have to create one from the apache site.

The following is the content of one such init script I have used. The line beginning with apachectl/some/path/here and httpd=/some/path/here have to replaced with the appropriate line we have used in the –prefix portion of ./configure.

#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server.  It is used to serve \
#              HTML files and CGI.
# processname: httpd
# processname: httpd
# pidfile: /usr/local/apache2/logs/httpd.pid
# config: /usr/local/apache2/conf/httpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/webserver/bin/apachectl
httpd=/usr/local/webserver/bin/httpd
pid=$httpd/logs/httpd.pid
prog=httpd
RETVAL=0
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure.  So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
daemon $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch /var/lock/subsys/httpd
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd $pid
}
reload() {
echo -n $"Reloading $prog: "
killproc $httpd -HUP
RETVAL=$?
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f $pid ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status"
echo $"|fullstatus|graceful|help|configtest}"
exit 1
esac
exit $RETVAL

Next we add the daemon name to the list of services and run it. For this follow the below steps.

chkconfig --add httpd
chkconfig --level 2345 httpd on
chkconfig --list httpd
/etc/init.d/httpd start
lynx http://localhost/ will display the default apache page which means success.

PHP Compilation
Now we are going to install PHP 5.2.13 from source!
Go to /usr/src/

cd /usr/src/

Download the PHP source tarball and extract it

wget http://in3.php.net/get/php-5.2.13.tar.gz/from/in.php.net/mirror
tar -xzf php*
cd php*

Just like in the previous apache installation, we are going to do the ./configure step with the required setting which are displayed using

./configure --help

We are only interested in enabling php as a module (–with-apxs2) support for mysql (–with-mysql) and prefix line. So we go for:

./configure --with-apxs2=/usr/local/webserver/bin/apxs --with-mysql --prefix=/usr/local/webserver/php

The long command can be written in a shorter, more clearer format with:

./configure --with-apxs2=/usr/local/webserver/bin/apxs \
--with-mysql \
--prefix=/usr/local/webserver/php

The same instructions go for the errors here.
Once everything goes smooth:

make
make install

We can provide the recommeneded php.ini setting in the path /usr/local/webserver/php/lib (what ever is the –prefix + /lib) or just copy the recommended settings to /usr/local/webserver/php/lib (This file may have the name php.ini-recommended or php.ini-production)
cp php.ini-recommended /usr/local/webserver/php/lib/php.ini

From now on we can have php’s index page to be the default index page. For this in the apache’s config file append index.php to the directive – DirectoryIndex

The line would thus look like:

DirectoryIndex index.html index.html.var index.php

To make make apache call modular php to execute the php script when encountered, add the following lines to the conf file.

AddType application/x-httpd-php .php
DirectoryIndex index.html index.html.var index.php

Next to test your installation.
In the default document root, create a phpinfo file with the file name index.php an d the contents as:

<?
phpinfo();
?>

Now we will test the apache configuration for any syntax errors and then reload the apache webserver:

apachectl configtest (No errors should be reported)
/etc/init.d/httpd reload

Open a browser window and load the localhost as URL, we will be viewing the phpinfo page in here. In the phpinfo page, the portion Configure Command shows the actual compilation time options used while ./configure is used. The row corresponding to Server API mentions how the php is loaded. ‘Apache 2.0 Handler’ means that php was loaded as a module of apache. The rest of the values can be globally changed by making the required changes in php.ini or locally in .htaccess (which is possible only because it is loaded as an apache module).

Tips on installing PHP as a CGI

Here we do not require installing apache with the –enable-so option. A normal installation will do. The installation of php will not require the option –with-apxs2. However we will have to mention the location of apache source directory with –with-apache=../apache_1.3.14

In the httpd.conf file you will require adding:

ScriptAlias /php/ [path where your php folder is located]
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3
AddType application/x-httpd-php .phtml
Action application/x-httpd-php /php/php5

Tweet This Post

We need to edit or add values ok_languages with the extra languages you would like to have in the two letter code.
This option is used to specify which languages are considered OK for incoming mail.

ok_languages all (allow all languages)
ok_languages en (only allow English)
ok_languages en ja hi (allow English, Japanese, and Hindi)

Tweet This Post

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>WSDL</faultcode>
<faultstring>SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://www.example.com/api/soap/index/wsdl/1/'</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

There could be many reasons for this. But the issue with us for that particular issue is that www.example.com was not resolving from the server. A simple /etc/hosts entry in the server (poor solution) or making it resolve from the server should solve the issue.

Tweet This Post

Loaded plugins: fastestmirror
error: no dbpath has been set
error: cannot open Packages database in /%{_dbpath}
Traceback (most recent call last):
File “/usr/bin/yum”, line 29, in ?
yummain.user_main(sys.argv[1:], exit_code=True)
File “/usr/share/yum-cli/yummain.py”, line 229, in user_main
errcode = main(args)
File “/usr/share/yum-cli/yummain.py”, line 84, in main
base.getOptionsConfig(args)
File “/usr/share/yum-cli/cli.py”, line 184, in getOptionsConfig
enabled_plugins=self.optparser._splitArg(opts.enableplugins))
File “/usr/lib/python2.4/site-packages/yum/__init__.py”, line 191, in _getConfig
self._conf = config.readMainConfig(startupconf)
File “/usr/lib/python2.4/site-packages/yum/config.py”, line 754, in readMainConfig
yumvars['releasever'] = _getsysver(startupconf.installroot, startupconf.distroverpkg)
File “/usr/lib/python2.4/site-packages/yum/config.py”, line 824, in _getsysver
idx = ts.dbMatch(‘provides’, distroverpkg)
TypeError: rpmdb open failed

At the same time rpm is also not found to be working for any of the users reporting this issue. ‘rpm’ simply will not install any rpm packaged file. It will exit with no result.

To solve the issue execute the following commands as root:

#rm /dev/urandom
#mknod -m 644 /dev/urandom c 1 9
#yum clean all
#yum update all

Tweet This Post

However in sysadmin profession, we logs into 100s of boxes every day. How do we know which version of Linux is installed and other details ? For debian based boxes, you check /etc/*version and redhat based boxes we do /etc/*release. But what about others and tons of flavors out there ?

Solution resides with Linux Standard Base, best explained at http://en.wikipedia.org/wiki/Linux_Standard_Base which is a joint project by several Linux distributions under the organizational structure of the Linux Foundation

Know the command lsb_release and find them all.

lsb_release –all

Linux tip for the day

Tweet This Post

telnet ip.ip.ip.ip 7777 was working from inside the server, but not from outside network. It was showing,

telnet ip.ip.ip.ip 7777
Trying ip.ip.ip.ip...
telnet: Unable to connect to remote host: No route to host

It was returning the same for every port, except 22. In a normal situation, if the port 22 also was not working, the issue could have been network related, but in this case port 22 was working fine. So the issue was not related to networking, but …… ? Guess what ?

Yes. Any seasoned administrator should have guessed the answer to be the firewall and yes that was right. The iptables ruleset had a line which says,

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Deleted that line and things went smooth after that.

Don’t forget to run save the iptables rules, by executing the commands below,

[root@server ~]# iptables -D RH-Firewall-1-INPUT 10
[root@server ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@server ~]# iptables-save

Tweet This Post

Ben Thomas from cPanel has a script written for it, which I am sharing here. Weird fact is that you won’t see this anywhere in a cPanel server, not even in /scripts folder. So why wait ? download the file below and help your customers next time, the easy way

http://www.supportsages.com/blog/wp-content/uploads/2009/05/horde_settings_transferpl.gz

Usage is as below,

./horde_sql_transfer.pl -u <username> -d <data dir> -o <archive | restore>

Tweet This Post