SSL Support

• Overview

• Server Authentication

• Client Authentication

• Setting Up Your Own OpenSSL Certificate Authority

• Enabling SSL Support in Agent Compiler

• Compiling the Generated code

• Testing HTTP Adapter with SSL Support

Overview

SSL (Secure Sockets Layer) protocol is being used universally for authenticated and encrypted communication between clients and servers. In general, SSL is used when

• You need to prove to others who you are

• You need to make sure that other people are legitimate

SSL allows the SSL-enabled server to authenticate itself to an SSL-enabled client. This also allows the client to authenticate itself to the server.

However, this step is optional. Next, it enables both machines to establish an encrypted connection. The steps involved in achieving secure communication between server and client using SSL are

• Server Authentication: Client can check the server's authenticity using public key cryptography technique, i.e., check if the server's certificate and public key are valid and have been issued by a Certificate Authority (CA) listed in the client's list of trusted CAs.

• Client Authentication: This is optional. Here, the server confirms the client's identity by checking the validity of the client's certificate and private key and whether they were issued by a certificate authority listed in the server's list of trusted CAs.

• Establishing encrypted SSL connection: After the server and client authenticate each other, they negotiate a cipher suite which specifies the algorithm to be used for encrypting the data. Now, an encrypted connection is established between both the server and the client and all data are encrypted when being sent and decrypted when received on the other side.

This whole process is referred to as the SSL Handshake. An SSL session always begins with this SSL handshake.

Server Authentication

For communicating through SSL, server authentication is mandatory. Here, the client tries to confirm the identity of the server based on the server's certificate, i.e., the server gets authenticated by the client.

To accomplish this, on receiving a request from the client, the server sends its certificate to the client. This certificate contains information, such as server's public key, certificate's serial number, certificate's validity period, server's distinguished name, issuer's distinguished name, and issuer's digital signature (a message signed using the issuer's private key).

The client, on receiving this certificate, authenticates the server through the following steps:

• Checks if the current date and time are within the certificate's validity period.

• Checks if the CA (certificate authority/ issuer) is present in the client's list of trusted CAs.

• Validates the issuer's digital signature, present in the certificate, using the public key of the CA.

• Checks if the Server's distinguished name is same as the distinguished name specified in the certificate.

For performing the above authentication, the server must have a Public Certificate and Keystore containing the key and the client must have a list of trusted CAs.

Client authentication

Client Authentication is not mandatory, but the server can be configured to require client authentication. Here, the client presents the server with the following information:

• A certificate containing the client's public key.

• A digitally signed random data. The random data is generated during the handshake and is known only to the server and the client. The client encrypts this data using its private key (digitally signs the data) and this can be decrypted only using the client's public key.

The server on receiving this information, performs the following checks:

• Is the user's digital signature validated by the user's public key?

• Is the current date and time within the validity period of the certificate?

• Is the CA (certificate authority/ issuer) present in the client's list of trusted CAs?

• Is the issuer's digital signature, present in the certificate, validated using the public key of the CA?

For performing client authentication, the server must be configured to require client authentication. In addition to this, the CA who issued the client's certificate must be included in the trusted CA list (trust store) of the server.

Setting Up Your Own OpenSSL Certificate Authority

WebNMS Agent Toolkit C Edition - HTTP adapter uses OpenSSL's library for SSL support. The default certificate and key provided by WebNMS is available in <WebNMS>/C-Agent/agent/conf/http/ssl directory. To implement your own OpenSSL Certificate Authority, follow the steps given below:

1. Download OpenSSL source and install it in you machine from the following URL : http://www.openssl.org

2. Create the following directories to put your certificates

• <SSL>/certificates/CA - Putting keypair and certificate for certifying authority

• <SSL>/certificates/server - Putting keypair and certificate for server authentication

• <SSL>/certificates/client - Putting keypair and certificate for client authentication

3. Create Certifying Authority

The Certifying Authority is an entity which is a trusted third party between two communicating entities. The certifying authority signs certificate requests for both parties and issues certificates. These certificates are used by both the communicating entities, to test authenticity.

1. Go to <SSL>/certificates/CA directory

2. Create CA keypair by executing the following command at the prompt :
   openssl genrsa -des3 -out CA.key

3. Once you execute the command, it will prompt for password. Enter password for keypair.

4. Create CA certificate by executing the following command at the prompt :
   openssl req -new -key CA.key -x509 -days 365 -out CA.crt

5. While executing the above command, you will be prompted for the following questions:

Enter PEM pass phrase:

Country Name (2 letter code) [AU]:in

State or Province Name (full name) [Some-State]:TamilNadu

Locality Name (eg, city) []:Chennai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebNMS

Organizational Unit Name (eg, section) []:Agent

Common Name (eg, YOUR name) []:murali

Email Address []:murali@india.WebNMS.com

6. Create server certificates

7. Goto <SSL>/certificates/server

8. Create private RSA key for server by executing the following command at the prompt :
   openssl genrsa -out server_pri.key

9. Generate a certificate signing request which will be used by the CA to generate a certificate for client by executing the following command at the prompt :
   openssl req -new -key server_pri.key -out server_auth.csr

Enter PEM pass phrase:

Country Name (2 letter code) [AU]:in

State or Province Name (full name) [Some-State]:TamilNadu

Locality Name (eg, city) []:Chennai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebNMS

Organizational Unit Name (eg, section) []:Agent

Common Name (eg, YOUR name) []:murali

E-mail Address []:murali@india.WebNMS.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:murali

An optional company name []:WebNMS

10. Generate the server certificate by executing the following command at the prompt :
    openssl x509 -req -days 365 -in server_auth.csr -CA <SSL>/certificates/CA/CA.crt -CAkey <SSL>/certificates/CA/CA.key -CAcreateserial -out server_auth.cert

11. You will be prompted with the following question.
    Enter PEM pass phrase:
    Enter the password which you have given for the certifying authority.

12. Create Client Certificates
    Go to <SSL>/certificates/client
    Create private RSA key for client openssl genrsa -out client_pri.key
    Generate a certificate signing request which will be used by the CA to generate a certificate for client by executing the following command at the prompt :

13. openssl req -new -key client_pri.key -out client_auth.csr

Enter PEM pass phrase:

Country Name (2 letter code) [AU]:in

State or Province Name (full name) [Some-State]:TamilNadu

Locality Name (eg, city) []:Chennai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebNMS

Organizational Unit Name (eg, section) []:Agent

Common Name (eg, YOUR name) []:murali

Email Address []:murali@india.WebNMS.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:murali

An optional company name []:WebNMS

14. Generate the client certificate

openssl x509 -req -days 365 -in client_auth.csr -CA <SSL>/certificates/CA/CA.crt -CAkey

<SSL>/certificates/CA/CA.key -CAcreateserial -out client_auth.cert

15. You will be prompted for the following question.

Enter PEM pass phrase:

Enter the password which you have given for the certifying authority.

16. Converting client certificates to PKCS12 format. Browsers accept only PKCS12 format

openssl pkcs12 -export -in client_auth.cert -inkey client_pri.key -out client_cert.p12

17. The certificate can be imported in the browser by using the following option :

In IE : Tools -> Internet Options -> Content -> Certificates -> Import

In Netscape: Communicator->Tools->Security Info

18. Go to Certificates->Yours

19. Click "Import a certificate " button to load a client certificate(PKCS12 format)

Enabling SSL Support in Agent Compiler

1. Select Setting -> Protocols -> HTTP -> SSL from the menu bar of the Agent Compiler.

2. Check SSL option

3. Enter server privatekey . Load server_pri.key

4. Enter key file type as SSL_FILETYPE_PEM

5. Enter client certificate. Load server_auth.cert

6. Enter certificate file type as SSL_FILETYPE_PEM

7. Enter password : Enter the password which you have given while generating server certificate.

8. Enter client authentication file name , if you want client authentication. This is optional. This file should CA certificate. Load CA.crt.

Compiling the Generated code

After generating the code for the loaded MIB file(s), along with the SSL support enabled, the next step in agent development is compiling the source code. You can instrument the source code according to your requirements before compilation.

If your target operating system is Linux / Unix / BSD based operating systems, then follow the steps given below.

1. As the SSL support is provided using the OpenSSL's library, download the OpenSSL source from the http://www.openssl.org

2. Extract the OpenSSL source under the <WebNMS>/C-Agent/projects/<project-name>/agent/conf/http/ssl directory or to your desired directory.

3. If you have extracted the OpenSSL source under your own directory, make sure that the same directory path is specified for the SSL_HDR_DIR and SSL_LIB_DIR variables available in Makefile present under <WebNMS>/C-Agent/projects/<project-name>/agent/ and <WebNMS>/C-Agent/projects/<project-name>/agent/source/protocols/http directories.

4. Compile the source code in any of the following ways.

1. From the Agent Compiler UI, compile the source code by choosing the Build >> Compile Source from the File Menu or click Compile source icon in the toolbar.

2. To compile from the command line, open a command prompt or console, go to <WebNMS>/C-Agent/projects/<project-name>/agent/ directory and execute the command make.

5. The above command will compile all the .c files and on successful compilation, mpaagent executable will be created in the ./bin directory. Now, the Multi-Protocol Agent can be executed.

For compiling in Windows operating system, follow the steps given below

1. Download the OpenSSL (Say OpenSSL version v0.9.8e) for Windows from the following website.
   
   http://www.slproweb.com/products/Win32OpenSSL.html

2. Install the OpenSSL under default installation directory (C:\OpenSSL)

3. Copy the directory "C:\OpenSSL\include" and it contents "projects\<project-name>\agent\conf\http\ssl" directory. Rest of the directories and its files are not required for compilation with the agent.

4. As the library files bundled along with the above package are statically compiled for Visual Studio C++ compiler, its better to download the "libeay32.lib" file and "ssleay32.lib" file from the following link
   
   http://www.deanlee.cn/programming/openssl-for-windows/
   
   Libraries for the OpenSSL versiob v0.9.8e can be downloaded from here.

5. Extract the libraries under the "projects\<proj-name>\agent\conf\http\ssl" directory.

6. Open the "Makefile" available under the "projects\<proj-name>\agent" directory, specify the path for the following variables (excluding quotes) and save it

1. "SSL_HDR_DIR" as ".\conf\http\ssl\include"

2. "SSL_LIB_DIR" as ".\conf\http\ssl\lib"

7. Similarly open the "Makefile" available under "projects\<project-name>\agent\source\protocols\http" directory, specify the path for "SSL_HDR_DIR" variable as "..\..\..\conf\http\ssl\include" and save it.

8. Compile the source code in any of the following ways.

1. From the Agent Compiler UI, compile the source code by choosing the Build >> Compile Source from the File Menu or click Compile source icon in the toolbar.

2. To compile from the command line, open a command prompt or console, go to <WebNMS>\C-Agent\projects\<project-name>\agent\ directory and execute the command nmake.

9. The above command will compile all the .c files and on successful compilation, mpaagent.exe will be created in the .\bin directory. Now, the Multi-Protocol Agent can be executed.
    

 Testing HTTP Adapter with SSL support

1. Enter the following URL to test HTTP adapter with SSL enabled https://hostname:8040 Web Browser will prompt you the following wizards.

A. 'hostname' is a site that uses encryption to protect transmitted information. However, Netscape does not recognize the authority who signed its Certificate. Although Netscape does not recognize the signer of this Certificate, you may decide to accept it anyway so that you can connect to and exchange information with this site.

This assistant will help you decide whether or not you wish to accept this Certificate and to what extent.

Here is the Certificate that is being presented:

• Certificate for:

• Signed by:

• Encryption:

• Export Grade (RC4-40 with 40-bit secret key)

B. The signer of the Certificate promises you that the holder of this Certificate is who they say they are. The encryption level is an indication of how difficult it would be for someone to eavesdrop on any information exchanged between you and this Web site.

Are you willing to accept this certificate for the purposes of receiving encrypted information from this Web site?

This means that you will be able to browse through the site and receive documents from it and that all of these documents are protected from observation by a third party by encryption.

• Accept this certificate for this session

• Do not accept this certificate and do not connect

• Accept this certificate forever (until it expires)

C. By accepting this certificate you are ensuring that all information you exchange with this site will be encrypted.

However, encryption will not protect you from fraud. To protect yourself from fraud, do not send information (especially personal information, credit card numbers, or passwords) to this site if you have any doubt about the site's integrity.

For your own protection, Netscape can remind you of this at the appropriate time.

Warn me before I send information to this site

D. You have finished examining the certificate presented by: 'hostname'

You have decided to accept this certificate and have decided that you would not want the Netscape Communicator to warn you before you send information to this site.

If you change your mind, open Security Info from the Communicator Menu edit Site Certificates.

Click the Finish button to begin receiving documents.

E. Certificate Name Check

The certificate that the site 'murali' has presented does not contain the correct site name. It is possible, though unlikely, that someone may be trying to intercept your communication with this site. If you suspect the certificate shown below does not belong to the site you are connecting with, please cancel the connection and notify the site administrator.

Here is the Certificate that is being presented:

• Certificate for:

• Signed by:

• Encryption:

• Export Grade (RC4-Export with 40-bit secret key)

Now server authentication will be over.

If client authentication is enabled , it will prompt client authentication-related wizard. It will prompt you a dialog to select client certificate. This certificated should be imported in the browser.