Changes

OPS335 Lab 8 2018

282 bytes removed, 14:29, 2 September 2020
COMPLETING THE LAB
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today.
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have '''on VM2'''. Run the following, replacing <u>andrewsmith.ops</u> with '''<u>your</u> domain name''':
<source>mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
</source>
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.ops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
#We haven't set up any user authentication, just an encrypted channel; therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
'''Perform the following steps:'''
#Let's start by generating a new certificate for Dovecot '''on your vm3''' machine by issuing the following commands:
<source>mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.ops.key 2048
</source>
Now that the webmail application is using an encrypted connection when communicating with the email servers, it is time to encrypt the client's connection to the web server.
#First you need to generate a new certificate for Apache '''on your vm1''' machine by issuing the following commands:
<source>mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm1.andrewsmith.ops.key 2048
</source>
::'''NOTE:''' This process is identical to what you've done for the other two certificates.
#Install the '''mod_ssl''' package to allow Apache to use SSL.
#Add the following parameters to the Apache configuration file:
<source>
SSLEngine on
SSLCertificateFile "<absolute path to the .crt file>"
SSLCertificateKeyFile "<absolute path to the .key file>"
</source>
#Restart Apache and modify your firewall to allow traffic to '''port 443'''.
#Open a web-browser on your host and try to connect to https://vm1.<yourdomain>.ops/webmail
::You should get a security exception similar to the ones you saw with the email, and for the same reason (the site you are trying to contact has a self-signed certificate). Add the exception and log in to access your email.
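The following pre-flight check is an added example, not part of the original lab: it confirms that a .crt file carries the public half of the .key file you are about to reference in SSLCertificateFile and SSLCertificateKeyFile, and that the certificate is self-signed (which is why the browser asks for an exception). The function names are hypothetical, and the demo runs on constructed throwaway files with an unencrypted key, not on the lab's real certificates.

```shell
#!/bin/sh
# Added example (not from the lab): checks to run on a certificate/key pair
# before its paths go into SSLCertificateFile / SSLCertificateKeyFile.

# pair_matches CRT KEY: succeed only if the certificate carries the public
# half of the private key. A passphrase-protected key (genrsa -des3) makes
# openssl prompt for the passphrase.
pair_matches() {
    pm_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    pm_key=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$pm_cert" ] && [ "$pm_cert" = "$pm_key" ]
}

# is_self_signed CRT: issuer and subject names are identical, so no
# certificate authority the client already trusts vouches for it.
is_self_signed() {
    ss_subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    ss_iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$ss_subj" = "$ss_iss" ]
}

# make_demo_pair DIR NAME: constructed throwaway key and self-signed
# certificate (unencrypted key, 1-day validity) so the checks run offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# check_pair CRT KEY: print a short report; non-zero status on a mismatch.
check_pair() {
    if is_self_signed "$1"; then echo "$1: self-signed"; else echo "$1: not self-signed"; fi
    if pair_matches "$1" "$2"; then
        echo "$1 <-> $2: key matches"
    else
        echo "$1 <-> $2: MISMATCH"; return 1
    fi
}

# Demo on constructed files (names reuse the lab's sample domain).
demo=$(mktemp -d)
make_demo_pair "$demo" vm1.andrewsmith.ops
make_demo_pair "$demo" vm3.andrewsmith.ops
check_pair "$demo/vm1.andrewsmith.ops.crt" "$demo/vm1.andrewsmith.ops.key"
check_pair "$demo/vm1.andrewsmith.ops.crt" "$demo/vm3.andrewsmith.ops.key" || echo "(expected: wrong key)"
rm -rf "$demo"
```

A mismatch reported here is worth fixing before restarting Apache, because mod_ssl will not start with a certificate and key that do not belong together.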
==COMPLETING THE LAB==
In completing this lab you have gained experience...
'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.'''
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 8 on blackboard.
<!--
===In Class Submission (Murray Saul's Classes only)===
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Completed Lab8 log-book notes.
-->
==EXPLORATION QUESTIONS==