[Liferay] Install SSL certificate on Apache for Liferay portal

You need to enable Apache's SSL module before following this guide:
sudo a2enmod ssl
1. Setup SSL on Apache2 (Unauthenticated SSL Certificates)
S1. Generating a Certificate Signing Request (CSR)
To generate the keys for the Certificate Signing Request (CSR):
openssl genrsa -des3 -out server.key 2048
Now create the insecure key, the one without a passphrase, and shuffle the key names:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
The insecure key is server.key; we can use this file to generate the CSR without a passphrase.
To create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csr
If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.

S2. Creating a Self-Signed Certificate
To create the self-signed certificate, run the following command at a terminal prompt:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
After you enter the correct passphrase, your certificate will be created and stored in the server.crt file.
S3. Installing the Certificate
Install the key file server.key and certificate file server.crt, or the certificate file issued by your CA:
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl
S4. Enable SSL config in Apache
In this step, you must enable the SSL website in Apache by creating a symlink to ‘default-ssl’.
sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
Then edit the /etc/apache2/sites-available/default-ssl file using your favorite text editor (I prefer nano!) and change the config as follows.
In the same default-ssl file, find the line that begins with “SSLEngine on” and add the following lines (the commented-out lines are the defaults being replaced):
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/certs/ssl-cert-snakeoil.key
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
S5. Final step, Copying certificates and activating SSL
Ensure that the config file has been saved. Then, as root, create the /etc/apache2/ssl/ directory if it does not exist yet, and copy the certificate and server key generated from Step 1 to the /etc/apache2/ssl/ directory.
mkdir -p /etc/apache2/ssl
cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
Finally, restart apache2 (as root or with sudo):
/etc/init.d/apache2 restart
2. Install authenticated SSL certificates from COMODO with Apache mod_ssl
S1. Generating a Certificate Signing Request (CSR)
To generate the private key for the Certificate Signing Request (CSR):
openssl genrsa -des3 -out server.key 2048
Now create the insecure key, the one without a passphrase, and shuffle the key names:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
The insecure key is server.key; we can use this file to generate the CSR without a passphrase.
To create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csr
Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
NOTE: With Symantec VeriSign, do not enter an email address, challenge password or an optional company name when generating the CSR.
If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.
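The CSR can also be built without prompts and checked against the field rules above before it is submitted. This is an added example, not part of the original guide; the function names and the subject values used with it (www.example.com and so on) are constructed. It writes the key without a passphrase, which is the same state as server.key after the passphrase removal above.

```shell
#!/bin/sh
# Added example: create a CSR non-interactively and check it before sending it to the CA.
# Function names and any subject values passed in are illustrative, not from the guide.

# make_csr KEY CSR SUBJECT: new 2048-bit RSA key (no passphrase) plus a CSR for SUBJECT
make_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    chmod 600 "$1" &&          # unencrypted key: readable by its owner only
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# csr_common_name CSR: print the Common Name stored in the CSR subject
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_csr CSR EXPECTED_CN: prints "ok" and returns 0 when the CSR self-signature
# verifies, the CN is the expected host name, and the request carries neither an
# email address nor a challenge password (see the NOTE above)
check_csr() {
    local text
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature does not verify"; return 1; }
    [ "$(csr_common_name "$1")" = "$2" ] ||
        { echo "Common Name is not $2"; return 1; }
    text=$(openssl req -in "$1" -noout -text) || return 1
    if printf '%s\n' "$text" | grep -Eqi 'emailAddress|challengePassword'; then
        echo "CSR contains an email address or challenge password"
        return 1
    fi
    echo "ok"
}
```

For example: make_csr server.key server.csr "/C=US/ST=California/L=Berkeley/O=Example Corporation/CN=www.example.com", then check_csr server.csr www.example.com.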
S2. Use the content of the server.csr file created above (the PEM block between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines).

S3. Go to Comodo's website at http://instantssl.com
S4. Select your valid email addresses
S5. Then fill in the name in the other fields
S6. Check your mail and confirm, then download the *.crt file from the zip file
S7. In the same default-ssl file, find a line that begins with “SSLEngine on” and add the following lines.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mhongchung_tk.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
S8. Final step, Copying certificates and activating SSL
Ensure that the config file has been saved. Then, as root, create the /etc/apache2/ssl/ directory if it does not exist yet, and copy the certificate and server key generated from Step 1 to the /etc/apache2/ssl/ directory.
mkdir -p /etc/apache2/ssl
cp server.key /etc/apache2/ssl
cp mhongchung_tk.crt /etc/apache2/ssl
Finally, restart apache2 (as root or with sudo):
/etc/init.d/apache2 restart
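Before restarting Apache in either section 1 (S5) or section 2 (S8), it is worth confirming that the file named in SSLCertificateFile really belongs to the key named in SSLCertificateKeyFile, since a CA-issued certificate for a different key stops Apache from starting. This is an added example, not part of the original guide; the function names are illustrative and stat -c assumes GNU coreutils (Debian/Ubuntu).

```shell
#!/bin/sh
# Added example: pre-restart checks for the certificate and key that Apache will load.

# pubkey_fp FILE KIND: SHA-256 of the public key inside a cert, csr or private key.
# An encrypted key (such as server.key.secure) fails here instead of prompting.
pubkey_fp() {
    local pem
    case "$2" in
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1          # unreadable or unparsable file
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: 0 only when both files parse and hold the same public key
cert_matches_key() {
    local c k
    c=$(pubkey_fp "$1" cert) || return 1
    k=$(pubkey_fp "$2" key)  || return 1
    [ "$c" = "$k" ]
}

# key_is_private FILE: 0 when group and others have no permission bits on the key
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# preflight CERT KEY: prints "ok" when the pair is safe to hand to Apache
preflight() {
    cert_matches_key "$1" "$2" ||
        { echo "certificate and key do not match"; return 1; }
    key_is_private "$2" ||
        { echo "key is accessible to group or others"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 1; }
    echo "ok"
}
```

Run it as preflight /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key (or with mhongchung_tk.crt for the CA-issued certificate) and restart Apache only when it prints ok.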

3. Use SSL for Liferay Portal
S1. Edit the virtual host in the default-ssl file; this service listens on port 443.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        JkMount / worker1
        JkMount /* worker1
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        Alias /doc/ "/usr/share/doc/"
......
...
.
</VirtualHost>
</IfModule>
S2. Only use HTTPS while signing in to Liferay Portal.
Add the following lines to the file $tomcat_home/webapps/ROOT/WEB-INF/classes/portal-ext.properties:
## Require HTTPS for authentication
company.security.auth.requires.https=true
auth.forward.by.last.path=true
### Enable session
session.timeout=30
session.timeout.warning=1
session.timeout.auto.extend=true
session.timeout.redirect.on.expire=false
session.enable.url.with.session.id=false
session.enable.phishing.protection=false
session.shared.attributes=LIFERAY_SHARED_
auth.token.ignore.actions=\
    /login/create_account