Yicong Huang edited this page Apr 30, 2021 · 23 revisions

1 Prepare Key Files and KeyStores.

1.1 Generate a key file (server.key) and a Certificate Signing Request (CSR) file (server.csr).

Note: the key file should have a KeyPassword set by you.

  • Generate key file:
openssl genrsa -des3 -out server.key 2048
  • Generate CSR file:
openssl req -new -key server.key -out server.csr

Here's the information that you'll need to create the CSR.

  • Country Name (2 letter code) [XX]:US
  • State or Province Name (full name) []:California
  • Locality Name (eg, city) [Default City]:Irvine
  • Organization Name (eg, company) [Default Company Ltd]:University of California, Irvine
  • Organizational Unit Name (eg, section) []:Donald Bren School of Information and Computer Sciences
  • Common Name (eg, your name or your server's hostname) []: <=== ENTER THE DOMAIN NAME OF THE SERVER (e.g., cloudberry.ics.uci.edu)
  • Email Address []:[email protected]

Please enter the following 'extra' attributes to be sent with your certificate request

  • A challenge password []: <=== LEAVE BLANK
  • An optional company name []: <=== LEAVE BLANK

1.2 Get a signed certificate from a CA (Certificate Authority).

Send server.csr to UCI HelpDesk([email protected]); server.key does not need to be sent. They will generate a signed certificate file. The certificate is offered in multiple formats; use the PEM format (if multiple files are available, use the first link in the download email for the following example). Here we name it server.crt.

1.3 Put all certificate-related files under the Apache directory (e.g., /etc/httpd/cert or /etc/apache2/cert).

Note: so far there are three files: server.key, server.csr, server.crt. Note the difference between them: server.csr is only needed to obtain server.crt and is not used in the following steps. For all following steps, use server.crt (together with server.key).
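Before building the keystores in the next steps, it is worth confirming that the three files really belong together: the public key embedded in server.csr and server.crt must be the one derived from server.key, otherwise the PKCS#12 export in step 1.4 fails or Apache refuses the pair. The POSIX shell check below is an added example, not part of the original page; the function names pubkey_of and files_belong_together, the host app.example and the pass phrase are assumptions, and the key, CSR and self-signed certificate it builds are constructed stand-ins for the real files.

```shell
#!/bin/sh
# Added example: verify that server.key, server.csr and server.crt share one public key.

# pubkey_of <key|csr|crt> <file> [passin]  -> prints the PEM public key held in the file
pubkey_of() {
  case "$1" in
    key) if [ -n "$3" ]; then openssl pkey -in "$2" -passin "$3" -pubout
         else openssl pkey -in "$2" -pubout; fi ;;
    csr) openssl req -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
    *)   return 2 ;;
  esac 2>/dev/null
}

# files_belong_together <server.key> <server.csr> <server.crt> [passin]
# Returns 0 when all three carry the same public key, 1 when they differ,
# 2 when a file cannot be read (wrong pass phrase, wrong format, missing file).
files_belong_together() {
  k="$(pubkey_of key "$1" "$4")" && [ -n "$k" ] || return 2
  s="$(pubkey_of csr "$2")" && [ -n "$s" ] || return 2
  c="$(pubkey_of crt "$3")" && [ -n "$c" ] || return 2
  [ "$k" = "$s" ] && [ "$s" = "$c" ]
}

# Constructed stand-ins for the real files (the real server.crt comes from the CA).
TMP="$(mktemp -d)"
PASS="pass:constructed-key-password"   # assumed KeyPassword from step 1.1
openssl genrsa -aes256 -passout "$PASS" -out "$TMP/server.key" 2048 2>/dev/null
openssl req -new -key "$TMP/server.key" -passin "$PASS" -subj "/CN=app.example" \
  -out "$TMP/server.csr" 2>/dev/null
openssl x509 -req -in "$TMP/server.csr" -signkey "$TMP/server.key" -passin "$PASS" \
  -days 1 -out "$TMP/server.crt" 2>/dev/null
openssl genrsa -out "$TMP/other.key" 2048 2>/dev/null   # an unrelated key, for contrast

if files_belong_together "$TMP/server.key" "$TMP/server.csr" "$TMP/server.crt" "$PASS"; then
  echo "server.key / server.csr / server.crt match"
fi
files_belong_together "$TMP/other.key" "$TMP/server.csr" "$TMP/server.crt" \
  || echo "other.key does not belong to server.crt (status $?)"
```

For the real files, call files_belong_together with the path to each file and pass:YOUR_KEYPASSWORD (or env:VARNAME) as the fourth argument.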

1.4 Generate a keystore in PKCS#12 (Public Key Cryptography Standard #12) format.

openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12

Enter pass phrase for server.key: [password setup in step 1.1]
Enter Export Password: [new password for keystore.p12]
Verifying - Enter Export Password:

Put keystore.p12 to /etc/httpd/cert/ or /etc/apache2/cert/.

sudo cp keystore.p12 /etc/httpd/cert/

1.5 Generate a keystore in JKS (Java KeyStore) format.

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Importing keystore keystore.p12 to keystore.jks...
Enter destination keystore password:  [new password for keystore.jks]
Re-enter new password: 
Enter source keystore password:  [password for keystore.p12 setup in step 1.4]

Put keystore.jks to /etc/httpd/cert/ or /etc/apache2/cert/.

sudo cp keystore.jks /etc/httpd/cert/

1.6 Save to default java keystore named cacerts.

sudo keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts -deststoretype JKS

Enter destination keystore password:  changeit (by default)
Enter source keystore password:  [password for keystore.p12 setup in step 1.4]

2 Set up HTTPS on Apache.

2.1 Add SSL support to Apache.

If 000-default-le-ssl.conf already exists under /etc/httpd/sites-available/ or /etc/apache2/sites-available/, ignore this step.

(1) Install mod_ssl module for Apache (if not installed yet).

sudo yum install mod_ssl openssl

(2) Create 000-default-le-ssl.conf file and symbolic link if it does not exist under /etc/httpd/sites-available/ or /etc/apache2/sites-available/.

sudo touch /etc/httpd/sites-available/000-default-le-ssl.conf
sudo ln -s /etc/httpd/sites-available/000-default-le-ssl.conf /etc/httpd/sites-enabled/000-default-le-ssl.conf

2.2 Add HTTPS Virtual Host.

Edit /etc/httpd/sites-enabled/000-default-le-ssl.conf or /etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName ochca.ics.uci.edu

    SSLEngine on
    SSLProxyEngine on

    # -- Proxy settings go here --
    
    ErrorLog "/etc/httpd/logs/error.log"
    CustomLog "/etc/httpd/logs/access.log" combined

    SSLCertificateFile /etc/httpd/cert/server.crt
    SSLCertificateKeyFile /etc/httpd/cert/server.key
    #SSLCertificateChainFile /etc/apache2/cert/server-chain.crt
</VirtualHost>
</IfModule>

2.3 Set up a proxy to forward all 443 (HTTPS) traffic to port 9001.

Copy the following into the conf file /etc/httpd/sites-enabled/000-default-le-ssl.conf or /etc/apache2/sites-enabled/000-default-le-ssl.conf, at the line marked # -- Proxy settings go here --

    # Production setting -Begin-

    # The following settings are for the PROD server,
    # where the TwitterMap application URL is https://cloudberry.ics.uci.edu/apps/twittermap
    # If you are configuring a standalone server whose root domain points to the application directly,
    # like https://ochca.ics.uci.edu, then:
    #   (1) remove the [Option-1] and [Option-2] proxies
    #   (2) uncomment [Option-3]. [Option-3] must stay at the end: ProxyPass matches requests in the
    #       order they appear in the file, so the subdirectory proxies must come before the root proxy.
    
    ProxyPass /ws/ wss://cloudberry.ics.uci.edu:9001/ws/
    ProxyPassReverse /ws/ wss://cloudberry.ics.uci.edu:9001/ws/

    # [Option-1] proxy URL /apps/twittermap/ (with trailing slash) to the 9001 application port
    ProxyPass /apps/twittermap/ https://cloudberry.ics.uci.edu:9001/
    ProxyPassReverse /apps/twittermap/ https://cloudberry.ics.uci.edu:9001/

    # [Option-2] proxy URL /apps/twittermap (without trailing slash) to the 9001 application port
    ProxyPass /apps/twittermap https://cloudberry.ics.uci.edu:9001/
    ProxyPassReverse /apps/twittermap https://cloudberry.ics.uci.edu:9001/

    ProxyPass /apps/city/ https://cloudberry.ics.uci.edu:9001/city/
    ProxyPassReverse /apps/city/ https://cloudberry.ics.uci.edu:9001/city/

    ProxyPass /apps/cityPopulation/ https://cloudberry.ics.uci.edu:9001/cityPopulation/
    ProxyPassReverse /apps/cityPopulation/ https://cloudberry.ics.uci.edu:9001/cityPopulation/

    ProxyPass /assets/ https://cloudberry.ics.uci.edu:9001/assets/
    ProxyPassReverse /assets/ https://cloudberry.ics.uci.edu:9001/assets/

    ProxyPass /apps/assets/ https://cloudberry.ics.uci.edu:9001/assets/
    ProxyPassReverse /apps/assets/ https://cloudberry.ics.uci.edu:9001/assets/

    # [Option-3] proxy URL https://ochca.ics.uci.edu to https://ochca.ics.uci.edu:9001
    # ProxyPass / https://ochca.ics.uci.edu:9001/
    # ProxyPassReverse / https://ochca.ics.uci.edu:9001/

    # Production setting -End-
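Because ProxyPass matches in file order, placing [Option-3] (the root / proxy) above the /ws/ and /apps/... lines would silently capture every request before the more specific mappings are reached. The POSIX shell check below is an added example, not part of the original page: check_proxypass_order (an assumed name) reads the ProxyPass lines of a file in order and reports any path that an earlier, shorter prefix already matches; the two conf snippets are constructed, with app.example standing in for the real application host.

```shell
#!/bin/sh
# Added example: report ProxyPass mappings shadowed by an earlier, shorter prefix.
# check_proxypass_order <conf-file>: returns 0 if every mapping is reachable, 1 otherwise.
check_proxypass_order() {
  seen=""; status=0
  while read -r directive path _target; do
    [ "$directive" = "ProxyPass" ] || continue      # skip comments, blanks, ProxyPassReverse
    for earlier in $seen; do                        # paths recorded so far (no globs expected)
      case "$path" in
        "$earlier"*)                                # the earlier prefix matches this path too
          if [ "$earlier" != "$path" ]; then
            echo "ERROR: ProxyPass $path is unreachable: ProxyPass $earlier is matched first" >&2
            status=1
          fi ;;
      esac
    done
    seen="$seen $path"
  done < "$1"
  return "$status"
}

# Constructed snippets; app.example stands in for the real application host.
BAD_CONF="$(mktemp)"
cat > "$BAD_CONF" <<'EOF'
    # [Option-3] root proxy placed first: wrong
    ProxyPass / https://app.example:9001/
    ProxyPassReverse / https://app.example:9001/
    ProxyPass /ws/ wss://app.example:9001/ws/
    ProxyPass /apps/city/ https://app.example:9001/city/
EOF
GOOD_CONF="$(mktemp)"
cat > "$GOOD_CONF" <<'EOF'
    ProxyPass /ws/ wss://app.example:9001/ws/
    ProxyPass /apps/city/ https://app.example:9001/city/
    # [Option-3] root proxy last: correct
    ProxyPass / https://app.example:9001/
EOF

check_proxypass_order "$GOOD_CONF" && echo "good conf: all mappings reachable"
check_proxypass_order "$BAD_CONF" || echo "bad conf: shadowed mappings found"
```

Run it against the real 000-default-le-ssl.conf after editing; a non-zero exit means at least one proxy line can never be reached.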

2.4 Force port 80 (HTTP) traffic to be redirected to 443 (HTTPS).

Edit /etc/httpd/sites-enabled/000-default.conf or /etc/apache2/sites-enabled/000-default.conf, in <VirtualHost *:80>, add the following:

    # Force HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

2.5 Restart Apache.

sudo systemctl restart httpd

Enter SSL pass phrase for ochca.ics.uci.edu:443 (RSA) :  [KeyPassword of server.key set in step 1.1; this is the key named by SSLCertificateKeyFile]

3 Set up TwitterMap to handle HTTPS.

3.1 Configure TwitterMap.

Edit twittermap.conf (default name application.conf).

cloudberry.register = "http://localhost:9000/admin/register" # talks to cloudberry's HTTP port, not going through Apache
cloudberry.host = "localhost" 
cloudberry.port = "9000" # talks to cloudberry's HTTP port
cloudberry.ws = "ws://"
app.ws = "wss://"

Note: cloudberry.host cannot be localhost when TwitterMap talks to Cloudberry over HTTPS; localhost works here only because the settings above use Cloudberry's plain HTTP port.

3.2 Configure TwitterMap start.sh to support HTTPS.

When starting TwitterMap, use command line variables to disable HTTP and enable HTTPS, specifying the keystore (JKS) location and password.

nohup ./web-1.0-SNAPSHOT/bin/web -Dapplication.secret='changeit' \
-Dconfig.file=./twittermap.conf \
-Dhttp.port=disabled \
-Dhttps.port=9001 \
-Dhttps.keyStore=[/etc/httpd/cert/keystore.jks or /etc/apache2/cert/keystore.jks] \
-Dhttps.keyStorePassword=[password for keystore.jks setup in step 1.5]