

svn commit: r2434 - branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup

Author tekknokrat
Full name Gunnar Thielebein
Date 2010-03-09 17:44:51 PST
Message Author: tekknokrat
Date: 2010-03-09 17:44:50-0800
New Revision: 2434

Added:
   branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup

Log:
add fsvs-ssl setup howto

Added: branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup
Url: http://fsvs.tigris.org/source/browse/fsvs/branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup?view=markup&pathrev=2434
==============================================================================
--- (empty file)
+++ branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup 2010-03-09 17:44:50-0800
@@ -0,0 +1,112 @@
+Repository Access with SSL Client Certificate (passwordless)
+===================​====================​====================​=
+
+Prerequisites:
+
+The basic configuration for access of to a repository via http is explained in
+http://svnbook.red-b​ean.com/en/1.5/svn-b​ook.html#svn.serverc​onfig.httpd
+
+The steps are:
+
+a) install webdav and svn support
+b) configure apache2 to point to the repository
+c) setup of basic authentication
+
+For https access the additional steps are neccessary:
+
+a) enable ssl module for the webserver
+b) install ssl certificate and authority
+c) for passwordless access install host key (pkcs12)
+
+If the repository is open to public it is recommended to get a certificate / host key from from an external ca-authority.
+Otherwise self-signed keys can be used.
+
+Creating self-signed keys
+=========================
+
+Creation of self-signed keys can be done with the openssl-toolkit.
+It contains a script CA.pl to perform ca/certificate creation.
+Within Ubuntu/Debian the script can be found in /usr/lib/ssl/misc.
+
+CA.pl has a few options:
+
+ $ CA.pl -h
+ usage: CA -newcert|-newreq|-ne​wreq-nodes|-newca|-s​ign|-verify
+ usage: CA -signcert certfile keyfile|-newcert|-ne​wreq|-newca|-sign|-v​erify
+
+To create a new authority use
+
+ $ CA.pl -newca
+
+First a key is created. Afterwards a few questions about locality and company information will be asked.
+The ca-certificate and index files for ca-management are stored in ./default of the current directory.
+
+Creating the certificate is done via
+
+ $ CA.pl -newcert
+
+This creates a new certificate.
+
+Both ca-authority, certificate and key will be used on the server where the repository is installed.
+Additionally a host certificate is created for the individual hosts to access the repository.
+
+ $ CA.pl -newcert
+
+For use with subversion/fsvs the key needs first be converted to pkcs12.
+
+ $ openssl pkcs12 -in newcert.pem -out $(hostname).p12
+
+Replace $(hostname) with the hostname of the server.
+
+Installation of SSL certificate for SVN repository
+===================​====================​===========
+
+A certificate .pem file contains both, the x509 certificate and the key.
+Before installation of the .pem file the password of the key should be removed.
+Otherwise on bootup the server will prompt for the password which is not convenient in HA environments.
+Of course the password should only be removed in trusted environments.
+
+This command removes the password from a pem file.
+
+openssl rsa -in newcert.pem -out server.pem
+
+On Debian/Ubuntu, the ca-authority and the certificate should be placed in the /etc/ssl folder. The authority file should be moved to /etc/ssl/certs.
+The certificate that contains the key should be moved to /etc/ssl/private.
+Folders are created with installation of the openssl package.
+
+Configuration of ca-authority/certificate
+===================​====================​==
+
+The SSL configuration part for the apache server:
+
+ SSLKeyFile /etc/ssl/private/newkey.pem
+ SSLCertificate /etc/ssl/private/newkey.pem
+ SSLAuthorityFile /etc/ssl/certs/ca.crt
+ SSLCipherSuite HIGH:MEDIUM
+
+ <Location />
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLRequireSSL
+ # ... SVN related config
+ </Location>
+
+
+Global configuration for an host with fsvs-client:
+
+The global configuration takes place by default in /etc/fsvs/auth/servers
+
+[groups]
+fsvs = fsvs.repository.host
+[fsvs]
+ssl-client-cert-file = /etc/ssl/private/myhost.p12
+ssl-client-cert-password = mysecretpass
+[global]
+ssl-authority-files = /etc/ssl/default/cacert.pem
+store-plaintext-passwords=yes
+
+The global configuration takes place by default in /etc/fsvs/auth/servers.
+The configuration for the authentication credentials is stored in ~/.subversion. If the
+folder does not exists it will be created. Be aware that the creation tooks place with root
+privileges so if another svn client needs write access these access should be restored
+e.g. via chown -R username: ~/subversion.
