From a87e4ea6e5ae2eed8d66bf09c6397f21ced16869 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aitor=20Mag=C3=A1n=20Garc=C3=ADa?= Date: Wed, 26 Nov 2014 16:16:18 +0100 Subject: [PATCH 1/3] Add instructions to secure the notif callback Add instrucions to secure the notification callback using Client Side Verification over HTTPs. --- README.md | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/README.md b/README.md index 53d4721..50e3766 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Install this extension in your CKAN is instance is as easy as intall any other C * If you want you can also add some preferences to set if the Acquire URL should be shown when the user is creating and/or editing a dataset: * To show the Acquire URL when the user is **creating** a dataset, you should set the following preference: `ckan.privatedatasets.show_acquire_url_on_create = True`. By default, the value of this preference is set to `False`. * To show the Acquire URL when the user is **editing** a dataset, you should set the following preference: `ckan.privatedatasets.show_acquire_url_on_edit = True`. By default, the value of this preference is set to `False`. +* In some cases you will want to secure the notification callback in order to filter the entities (user, machines...) that can send them. To do so, you can follow the instructions in the section [Securing the Notification Callback](#securing-the-notification-callback). * Restart your apache2 reserver (`sudo service apache2 restart`) * That's All! 
@@ -41,6 +42,86 @@ At this point, you will be able to add users via API by accessing the following http://:/api/action/dataset_acquired ``` +Securing the Notification Callback +----------------------------------- +In some cases, you are required to filter the entities (users, machines...) that can send notifications to the notification callback. To do so, you must relay on Client Side Verification over HTTPs, so the first step here is to deploy your CKAN instance over HTTPs. If you haven't already done it, you can use the following tutorial: [Starting CKAN over HTTPs](https://github.com/conwetlab/ckanext-oauth2/wiki/Starting-CKAN-over-HTTPs). + +Once that your CKAN instance is running over HTTPs, you have to configure the Client Side Verification. To achieve this, the first thing that you must do is creating an OpenSSL config file. You can use the following one or modify it to your liking: + +``` +[ req ] +default_md = sha1 +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +countryName = Country +countryName_default = SP +countryName_min = 2 +countryName_max = 2 +localityName = Locality +localityName_default = Madrid +organizationName = Organization +organizationName_default = FIWARE +commonName = Common Name +commonName_max = 64 + +[ certauth ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +crlDistributionPoints = @crl + +[ server ] +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +nsCertType = server +crlDistributionPoints = @crl + +[ client ] +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, dataEncipherment +extendedKeyUsage = clientAuth +nsCertType = client +crlDistributionPoints = @crl + +[ crl ] +URI=http://testca.local/ca.crl +``` + +Then, you should create your CA using the previous config file. 
To do so, you can execure the following line: + +``` +$ openssl req -config -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer +``` + +Afterwards, you will need to filter the notification callback to be callable only by those entities that use a valid certificate (the one signed by the CA created previously). To achieve this, edit the file `/etc/apache2/sites-available/ckan_default` and add the following lines inmediatly after the SSL configuration: + +``` + + SSLCACertificateFile + SSLVerifyClient require + + +``` + +Finally, you must restart your Apache server. To do so, execute the following command: + +``` +$ sudo service apache2 restart +``` + +From now own, you should consider that a valid certificate will be required to call the notification callback. To generate a new certificate you can execute the following lines: + +``` +$ openssl genrsa -out client.key 2048 +$ openssl req -config ./openssl.cnf -new -key client.key -out client.req +$ openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer +$ openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 +``` + +That's all! You notification callback is completly secure now! Enjoy it :) + Tests ----- This sofware contains a set of test to detect errors and failures. You can run this tests by running the following command: From a3e7d738d67a5773d0050a663382b076ca0f7d3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aitor=20Mag=C3=A1n=20Garc=C3=ADa?= Date: Wed, 26 Nov 2014 16:20:56 +0100 Subject: [PATCH 2/3] Minor fixes in section to secure Notif Callback --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 50e3766..9e97bf8 100644 --- a/README.md +++ b/README.md 
@@ -89,13 +89,13 @@ crlDistributionPoints = @crl URI=http://testca.local/ca.crl ``` -Then, you should create your CA using the previous config file. To do so, you can execure the following line: +Then, you should create your CA using the previous config file. To do so, you can execure the following line (replace `` by the real path of your OpenSSL config file): ``` $ openssl req -config -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer ``` -Afterwards, you will need to filter the notification callback to be callable only by those entities that use a valid certificate (the one signed by the CA created previously). To achieve this, edit the file `/etc/apache2/sites-available/ckan_default` and add the following lines inmediatly after the SSL configuration: +Afterwards, you will need to filter the notification callback to be callable only by those entities that use a valid certificate (the one signed by the CA created previously). To achieve this, edit the file `/etc/apache2/sites-available/ckan_default` and add the following lines inmediatly after the SSL configuration (replace `` by the real path of your OpenSSL config file): ``` 
@@ -111,12 +111,12 @@ Finally, you must restart your Apache server. To do so, execute the following co $ sudo service apache2 restart ``` -From now own, you should consider that a valid certificate will be required to call the notification callback. To generate a new certificate you can execute the following lines: +From now own, you should consider that a valid certificate will be required to call the notification callback. To generate a new certificate you can execute the following lines (replace `` by the real path of your OpenSSL config file): ``` $ openssl genrsa -out client.key 2048 -$ openssl req -config ./openssl.cnf -new -key client.key -out client.req -$ openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer +$ openssl req -config -new -key client.key -out client.req +$ openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile -extensions client -days 365 -outform PEM -out client.cer $ openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 ``` From 745e4d147fb57f57233a7745dd097befe4c81581 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aitor=20Mag=C3=A1n=20Garc=C3=ADa?= Date: Wed, 26 Nov 2014 16:22:38 +0100 Subject: [PATCH 3/3] Remove unneeded line --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9e97bf8..845cfe7 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,6 @@ Afterwards, you will need to filter the notification callback to be callable onl SSLCACertificateFile SSLVerifyClient require - ``` Finally, you must restart your Apache server. To do so, execute the following command:
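Review bot: in the new "Securing the Notification Callback" section (patch 1, hunk `@@ -41,6 +42,86 @@`), `default_md = sha1` in the `[ req ]` block means the CA certificate and every client certificate issued with this config will carry a SHA-1 signature; change it to `default_md = sha256`. Two further items in the same hunk: `countryName_default = SP` is not an ISO 3166 country code (Spain is `ES`), and the `[ crl ]` block points at `URI=http://testca.local/ca.crl`, which the text should flag as a placeholder to be replaced, since clients that honour CRL distribution points will try to fetch it. In the Apache snippet, `SSLCACertificateFile` has no path argument in the hunk, and the block directive that is meant to wrap the two `SSL*` lines is not visible either; the directive must point at the `ca.cer` produced by the `openssl req ... -out ca.cer` step, and the wrapper should be shown so readers know to restrict the requirement to the callback path only. Minor wording: "relay on" should be "rely on", "execure" "execute", "inmediatly" "immediately", "From now own" "From now on", "completly" "completely", "You notification" "Your notification", and "HTTPs" "HTTPS".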
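Review bot: the parenthetical added in patch 2, hunk `@@ -89,13 +89,13 @@`, reads "replace `` by the real path of your OpenSSL config file" with nothing between the backticks, and the `openssl req -config -newkey rsa:2048 ...` line in the hunk context likewise has no token after `-config`, so readers cannot tell what to substitute. Give the placeholder a visible name and use it in both places, e.g. `-config /path/to/openssl.cnf` in the command and "replace `/path/to/openssl.cnf` by the real path" in the sentence; the same fix applies to the second parenthetical in this hunk.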
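Review bot: the replaced `openssl x509 -req ... -CA ca.cer -CAkey ca.key -set_serial 101 ...` line in patch 2, hunk `@@ -111,12 +111,12 @@`, hard-codes serial 101, so every client certificate generated by following these instructions gets the same serial number under the same issuer; RFC 5280 requires serials to be unique per CA, and a CRL entry for 101 would revoke all of them at once. Suggest `-CAcreateserial` for the first client and `-CAserial ca.srl` thereafter, or otherwise choosing a distinct serial per client, and say so in the text. The `-config` and `-extfile` placeholders in the two new `+` lines are empty, as in the previous hunk, and need the same visible placeholder.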
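Review bot: patch 3, hunk `@@ -102,7 +102,6 @@`, only drops a blank line inside the Apache snippet, which is fine, but it leaves the snippet as just `SSLCACertificateFile` and `SSLVerifyClient require` with no enclosing block directive visible; please check the rendered README shows the wrapper around these two lines, otherwise the instructions cannot be applied to the callback path alone.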