Setting up the LOCKSS UI with HTTPS/SSL

We recently had a support query on how to enable SSL for the user interface on a LOCKSS box running Linux. It seemed worth making the response available to members for future reference.

A help page on Network Administration is available on the LOCKSS website. This page describes the various options and parameters for administering access to the LOCKSS user interface.

The following guidance steps through basic configuration of HTTPS.  We’ll try to update it as we ourselves learn more about the process.  If you require additional support on the process, we suggest you contact us directly.

  1. Login to your LOCKSS box and, as root, generate a key:
    keytool -genkey  -keystore adminks -alias lockss
  2. Put your keystore in /etc/lockss. These instructions assume it’s renamed admin.keystore
    mv adminks /etc/lockss/admin.keystore
  3. Write the following into /etc/lockss/adminssl.txt:
    org.lockss.accounts.policy=ssl
    org.lockss.ui.sslKeystoreName=adminks
    org.lockss.keyMgr.keystore.ks1.name=adminks
    org.lockss.keyMgr.keystore.ks1.file=/etc/lockss/admin.keystore
    org.lockss.keyMgr.keystore.ks1.keyPassword=<password>

    where <password> is the private key password you assigned when running keytool. (Not the keystore password, which isn’t needed.)

  4. Edit /etc/lockss/config.dat and change the LOCKSS_PROPS_URL line to:
    LOCKSS_PROPS_URL="http://props.lockss.org:8001/daemon/lockss.xml -p /etc/lockss/adminssl.txt"
  5. Restart the daemon:
    /etc/init.d/lockss stop
    /etc/init.d/lockss start
  6. When it comes back up you should be able to connect to your LOCKSS box at https://your.lockssbox.ac.uk:8081/

Updated: 1st July 2011
An administrator in the UK has supplied documentation for using a JANET/TERENA certificate for the UI (or another CA signed certificate).

  1. Make a key that one can actually get signed (2048 bit RSA)
    [root@lockss ~]# keytool -genkey -keystore adminks -alias lockss -keyalg RSA -keysize 2048
  2. Make cert signing request
    [root@lockss ~]# keytool -certreq -alias lockss -keystore adminks -keypass redacted -storepass  redacted
  3. Send the CSR off to whoever to get a CA signed certificate. In our JANET/TERENA setup, I was returned an apache-type cert & keychain bundle.
  4. Concatenate the cert and chain together.
    [root@lockss ~]# cat longnumber.ca-bundle longnumber.crt >import
  5. Import the signed cert and chain
    keytool -importcert -trustcacerts -alias lockss -file import -keypass redacted -keystore adminks -storepass redacted
  6. Then follow the rest of the instruction on the UK lockss alliance website to move it into place, and make the adminssl text file etc.
This entry was posted in Documentation, Support. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *