H-Sphere Documentation Sysadmin Guide

For more information contact us at info@psoft.net

Securing Your CP Server with SSL

 

Related Docs: Securing Reseller Control Panels With SSL; Installing Shared SSL Certificates; Reseller Shared SSL; Securing Transferred Data through SSL (User guide)

This document gives step-by-step instructions for securing your CP Apache server with SSL.

  1. Create or choose a directory to store SSL-related files. E.g.:
    #mkdir cert
    Make this directory available only for root:
    #chmod 700 cert
    Go to this directory:
    #cd cert
  2. Generate an SSL private key with the OpenSSL utility:
    #openssl genrsa -des3 -out server.key 1024
    When prompted for a PEM pass phrase, enter any combination of 4 characters, e.g. 1234. A unique private key will be written to the server.key file.
    For more on this, read the mod_ssl documentation.
  3. Important: Copy this file to a secure location. You will need it later.
  4. Make the newly generated file readable only by root:
    #chmod 600 server.key
  5. To view the content of the private key file, use the command:
    #openssl rsa -noout -text -in server.key
  6. Remove pass phrase from the private key:
  7. #openssl rsa -in server.key -out server.key.unsecure
  8. Now you don't need the private key with the pass phrase any more. Overwrite it with the private key without the pass phrase:
    #cp server.key.unsecure server.key
  9. Generate an SSL certificate signing request based on the private key:
    #openssl req -new -key server.key -out server.csr
    You will be asked a number of questions about your company. Your answers are included in the certificate.
    Note: Common Name is the host name at which you want your control panel to be available, e.g. cp.yourdomain.com (not yourdomain.com).
  10. Check the content of the certificate request file:
    #openssl req -noout -text -in server.csr
    If you find a mistake in the data you have submitted, you can generate the request again.
  11. Important: Make sure to back up your SSL files:
    # mkdir backup
    # chmod 700 backup
    # cp ./*.* backup/
  12. Send the generated CSR file to a trusted Certificate Authority for signing. They will send you back the certificate. Save it as server.crt.
  13. To view the content of the certificate, run:
    # openssl x509 -noout -text -in server.crt
  14. Save the private key and the certificate:
    # cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/
    # cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  15. Important: Make sure to back up the ssl.key and ssl.crt files to a safe location. You might need them in the future.
  16. If your certificate was signed by a non-trusted certificate authority, run the following command:
    # cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  17. If your certificate was signed by a non-trusted certificate authority, open the file httpd.conf:
    # vi /hsphere/local/home/cpanel/apache/etc/httpd.conf
    and find the following lines:
    <VirtualHost _default_:8443>
    
    DocumentRoot "/hsphere/local/home/cpanel/shiva/shiva-templates"
    ServerName cp.domain.com
    ServerAdmin root@domain.com
    ErrorLog /hsphere/local/home/cpanel/apache/logs/error_log
    TransferLog /hsphere/local/home/cpanel/apache/logs/access_log
    
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/server.crt
    SSLCertificateKeyFile /hsphere/local/home/cpanel/apache/etc/ssl.key/server.key
    
    At the end of this block add the following line:
    SSLCACertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca-bundle.crt
  18. Open the file hsphere.properties:
    # vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
    and change lines:
    CP_PORT = 8080
    CP_PROTOCOL=http://
    to:
    CP_PORT = 8443
    CP_PROTOCOL=https://
  19. Restart Apache:
    /etc/init.d/httpdcp stop
    /etc/init.d/httpdcp start
    FreeBSD users must restart apache with different commands:
    /usr/local/etc/rc.d/apachecp.sh stop
    /usr/local/etc/rc.d/apachecp.sh start
  20. Check the log file:
    # vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log

Your control panel should now be available at both http://cp.yourdomain.com:8080 and https://cp.yourdomain.com:8443
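Before the restart in step 19 it is worth confirming that the files from steps 2-14 fit together. The script below is an added example, not part of the H-Sphere documentation: it checks that server.crt belongs to server.key, that the key no longer has a pass phrase and is readable only by its owner, and that the Common Name is the CP host name; it also prints the key length, since current public CAs do not sign RSA keys shorter than 2048 bits. It assumes the openssl command-line tool; the function names are this example's own.

```shell
#!/bin/sh
# Added example: checks on the files from steps 2-14, run before Apache is restarted.
# '-passin pass:' makes openssl fail instead of prompting when the key still has
# a pass phrase, so an encrypted key shows up as a failed match.

# Modulus of an RSA private key, and of the public key inside a certificate.
key_modulus()  { openssl rsa  -noout -modulus -passin pass: -in "$1" 2>/dev/null; }
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# True if the certificate was issued for this private key.
key_matches_cert() {
    k=$(key_modulus "$1") && c=$(cert_modulus "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# RSA key length in bits, read from the same text dump as step 5.
key_bits() {
    openssl rsa -noout -text -passin pass: -in "$1" 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Common Name of the certificate subject (see the note in step 9).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *\(subject= *\)\{0,1\}CN=//p' | head -n 1
}

# True if group and others have no access (chmod 700 / chmod 600 on the page).
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Run all checks: check_ssl_files <key> <crt> <expected CN>
check_ssl_files() {
    rc=0
    owner_only "$1" || { echo "FAIL: $1 is accessible to group/others"; rc=1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match $1 (or the key is still encrypted)"; rc=1; }
    [ "$(cert_cn "$2")" = "$3" ] || { echo "FAIL: certificate CN is not $3"; rc=1; }
    echo "key size: $(key_bits "$1") bits"
    return $rc
}

# Usage (cp.yourdomain.com is the page's example host name):
#   check_ssl_files server.key server.crt cp.yourdomain.com
```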

To disable HTTP access and leave only HTTPS access available, do the following:

  1. Open the file ~cpanel/apache/etc/httpd.conf
  2. To exclude HTTP access and use only secure connections, comment out the line "Listen 8080" in the IfDefine SSL block. Note that this will completely disable SiteStudio, as it doesn't work with HTTPS.
  3. Change directory to /hsphere/shared/SiteStudio/psoft_config and, in each file in this directory, find the SS links containing port 8080 and replace this port with 8443.
  4. Restart Apache.
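The settings changed in steps 17-18 and in the procedure above can be audited from the shell. The script below is an added example, not part of the H-Sphere documentation: it lists the weak cipher classes (SSLv2, export, low-strength, RC4) that an SSLCipherSuite string such as the one shown in step 17 still requests, checks that hsphere.properties points at https:// on port 8443, and reports an uncommented Listen 8080. The function names and the WEAK_CLASSES list are this example's own, and '-' deletions in a cipher string are not modeled.

```shell
#!/bin/sh
# Added example: audit of the settings edited in steps 17-18 and in the
# "disable HTTP" procedure. WEAK_CLASSES is this example's own reject list.
WEAK_CLASSES="SSLv2 EXP LOW RC4"

# First SSLCipherSuite value in an httpd.conf-style file.
cipher_suite_of() { awk '$1 == "SSLCipherSuite" { print $2; exit }' "$1"; }

# Print each weak class that a cipher string requests: named directly, or
# pulled in by ALL, and never killed with '!'. A '+' prefix only reorders;
# '-' deletions are order dependent and are treated as not protecting.
weak_ciphers() {
    for class in $WEAK_CLASSES; do
        killed=no; enabled=no
        for t in $(printf '%s' "$1" | tr ':' ' '); do
            case "$t" in
                "!$class") killed=yes ;;
                [+!-]*)    ;;
                ALL|"$class"|"$class"+*|*+"$class") enabled=yes ;;
            esac
        done
        if [ "$killed" = no ] && [ "$enabled" = yes ]; then echo "$class"; fi
    done
}

# True if hsphere.properties sends the CP to HTTPS on port 8443 (step 18).
cp_uses_https() {
    port=$(sed -n 's/^CP_PORT *= *//p' "$1" | tr -d ' \r')
    proto=$(sed -n 's/^CP_PROTOCOL *= *//p' "$1" | tr -d ' \r')
    [ "$port" = 8443 ] && [ "$proto" = "https://" ]
}

# True if an uncommented "Listen 8080" still exposes plain HTTP.
http_listener_active() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+8080([[:space:]]|$)' "$1"
}

# Print one line per finding: audit_cp <httpd.conf> <hsphere.properties>
audit_cp() {
    for class in $(weak_ciphers "$(cipher_suite_of "$1")"); do
        echo "httpd.conf: SSLCipherSuite still requests $class ciphers"
    done
    if http_listener_active "$1"; then echo "httpd.conf: Listen 8080 is active"; fi
    if ! cp_uses_https "$2"; then echo "hsphere.properties: CP is not on https:// 8443"; fi
}

# Usage, with the paths given on this page:
#   audit_cp /hsphere/local/home/cpanel/apache/etc/httpd.conf \
#            /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
```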

Note: you can't have your control panel available both by domain name and IP address. You can have only one. To switch between IP and domain name control panel access:
1. Open the /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties file.
2. Set the value of CP_HOST to your new CP URL/IP. Make sure not to change the value of the PATH_SITE_STUDIO property.
3. Save and exit the file.
4. Restart your control panel.

© Copyright 1998-2003. Positive Software Corporation.
All rights reserved.