incubator-clerezza-dev mailing list archives

From Reto Bachmann-Gmuer <reto.bachm...@trialox.org>
Subject Re: notes for setting up Clerezza with SSL
Date Mon, 16 Aug 2010 07:21:17 GMT
On Thu, Aug 12, 2010 at 11:23 PM, Henry Story <henry.story@gmail.com> wrote:

> A couple of extra points...
>
And a little specification: These extra points apply when using the
CLEREZZA-243 issue branch.

>
>
> On 12 Aug 2010, at 13:55, Reto Bachmann-Gmuer wrote:
>
> > Thanks Henry for summarizing this!
> >
> > Additionally to what you describe I also had to create the following file:
> >
> > [root@retobg reto]# cat /etc/xinetd.d/ssl
> > service https
> > {
> > disable = no
> > flags = REUSE
> > socket_type = stream
> > protocol = tcp
> > user = root
> > wait = no
> > port = 443
> > redirect = 127.0.0.1 8443
> > log_type = FILE /tmp/xinetdssl.log
> > }
> >
> > and restart xinetd with:
> > $ /etc/init.d/xinetd restart
> >
> > What I do for running clerezza in the background, using screen (
> > http://de.wikipedia.org/wiki/GNU_Screen), is the following
> >
> > $ ssh myserver
> > $ screen
> > SCREEN_PROMPT$ java -jar ....
> >
> > disconnect by closing terminal windows or turning off local machine
> >
> >
> > $ ssh myserver
> > $ screen -d -r
> >
> > ... and I'm back to my running instance
> >
> > It would of course be nice to have a clerezza-launch script, but for this we
> > should have options to start in non-interactive mode.
> >
> > Cheers,
> > reto
> > On Wed, Aug 11, 2010 at 9:28 PM, Henry Story <henry.story@gmail.com> wrote:
> >
> >> Here is what I did to get https://bblfish.net:8443/ going. I just thought
> >> I might as well write it down here before going on.
> >>
> >> Note that to get keygen working I need to publish the keygen module on the
> >> main maven repository. I should do that in the next day or so.
> >>
> >> 0. Compile Clerezza
> >> ===================
> >>
> >> $ svn co http://svn.apache.org/repos/asf/incubator/clerezza/trunk/org.apache.clerezza.parent
> >> $ export MAVEN_OPTS=-Xmx524m
> >> $ mvn compile install
> >>
> >> tips:
> >>
> >> if it breaks half way, say while compiling org.apache.clerezza.platform.mail:
> >> $ mvn -rf org.apache.clerezza.platform.mail install -o -Dmaven.test.skip=true
> >>
> >> (remove -o if all dependencies have not yet been downloaded)
> >>
> >> 1. Get a free certificate from StartSSL
> >> =======================================
> >>
> >> - general overview of how to do this
> >>   http://www.h-online.com/security/features/In-practice-906870.html
> >>
> >> - more detailed java specific way
> >>   http://forum.startcom.org/viewtopic.php?t=1390
> >>
> >> Warning
> >> -------
> >>
> >> note, everything works as explained on the startcom forum but watch out for
> >> the following: you need to import the reply to your certificate request
> >> under the same alias as the alias that contains the private key.
> >>
> >> So after creating a key with alias 'server' and importing the root and
> >> intermediary CA certificate I have
> >>
> >> $ keytool -keystore keystore -list
> >> Enter keystore password:
> >>
> >> Keystore type: JKS
> >> Keystore provider: SUN
> >>
> >> Your keystore contains 3 entries
> >>
> >> startcom.ca.sub, Aug 11, 2010, trustedCertEntry,
> >> Certificate fingerprint (MD5):
> >> 30:B0:5A:F7:B2:F4:BE:0C:28:67:15:EA:CC:5B:24:20
> >> startcom.ca, Aug 11, 2010, trustedCertEntry,
> >> Certificate fingerprint (MD5):
> >> 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
> >> server, Aug 11, 2010, PrivateKeyEntry,
> >> Certificate fingerprint (MD5):
> >> 18:2F:3F:D7:E2:8E:0C:65:46:67:37:21:0A:53:C6:EE
> >>
> >> $ # I then import the reply under the same alias!!!
> >>
> >> $ keytool -keystore keystore -import -alias server -file ssl.crt
> >> Enter keystore password:
> >> Certificate reply was installed in keystore
> >>
> >> 2. Start Clerezza
> >> =================
> >>
> >> After moving the certificate to ~/.keystore I could start clerezza with the
> >> sesame launcher
>
> Before doing this it is probably good to replace the cacerts file that
> comes with unix jdks with ones that come with desktop JDKs such as OSX, as
> those tend to have a lot more CAs in them, especially for example ones such
> as startssl.
>
> >>
> >> $ cd org.apache.clerezza.platform.launcher.sesame/target
> >> $ java -Xmx248m -XX:MaxPermSize=128M -jar
> >> org.apache.clerezza.platform.launcher.sesame-0.5-incubating-SNAPSHOT.jar
> >> --https_keystore_password changeme --https_keystore_clientauth want
> >> --https_keystore_type JKS --https_port 8443
> >>
> >> Note that clerezza now has a command line -help argument
> >>
> >> At that point you will then need to go to
> >> https://bblfish.net:8443/dashboard
> >> to login as admin/admin, change password, and set the default url for the
> >> server to be https://bblfish.net:8443/
>
> [[TEMPORARY
>
> currently I also need to
>
> install mvn:org.jsslutils.keygen/keygenapp-base/0.3.2-SNAPSHOT
> start it
>
> then reload the Clerezza - Platform Account Control Panel Core
> (0.2.0.incubating-SNAPSHOT)
>
> As soon as org.jsslutils.keygen is released to maven central (Friday
> hopefully) then this should no longer be needed.
> ]]
>
>
> 1. login as admin/admin
> 2. Change password to something else
> 3. change the default base URI in Administration->Configuration
> https://bblfish.net:8443/admin/configuration#
>
>
> 4. Then one can go create a certificate for the user in
> Administration/Account Control Panel/Profile
>
>
>
> >>
> >>
> >> Question
> >> ========
> >>
> >> How do I start Clerezza in the background, so it can continue running when
> >> I am disconnected from my server?
> >> I tried using nohup, but that did not seem to work.
> >>
> >> Henry
> >>
> >>
> >> Social Web Architect
> >> http://bblfish.net/
> >>
> >>
>
>
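The alias pitfall Henry warns about (the CA reply must be imported under the alias that holds the private key, or keytool stores it as a plain trusted certificate instead) can be checked before running the import. The following is an added example, not code from the thread or from Clerezza: it parses `keytool -list` output and reports whether a chosen `-alias` points at a PrivateKeyEntry. The listing and fingerprints are constructed samples in the shape shown above.

```python
"""Parse `keytool -list` output and check the alias chosen for importing a CA reply.

Added example, not Clerezza or Henry's code. SAMPLE_LISTING is constructed in
the shape of `keytool -keystore keystore -list`; the fingerprints are placeholders.
"""
import re

SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

startcom.ca.sub, Aug 11, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
startcom.ca, Aug 11, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
server, Aug 11, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
"""

# One entry line per keystore entry: "<alias>, <date>, <kind>," (the date itself
# contains a comma, so the alias is taken as everything before the first comma).
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+), "
    r"(?P<kind>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),\s*$"
)


def parse_keytool_list(text):
    """Return {alias: entry kind} for every entry line in a keytool -list listing."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias")] = m.group("kind")
    return entries


def check_import_alias(entries, alias):
    """Say what `keytool -import -alias <alias>` would do with a CA reply.

    keytool only treats the file as a certificate *reply* (replacing the
    self-signed cert on the private key) when the alias already holds a
    PrivateKeyEntry; any other alias would store it as a separate trusted cert
    and the server would keep presenting its self-signed certificate.
    """
    kind = entries.get(alias)
    if kind == "PrivateKeyEntry":
        return "ok"
    if kind is not None:
        return "alias holds a %s, not the private key" % kind
    keys = [a for a, k in entries.items() if k == "PrivateKeyEntry"]
    return "no such alias; private key alias(es): " + ", ".join(keys)
```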
