Complete Secure Repositories Example

This example configures three secure repositories named repo1, repo2, and repo3. The repo1 and repo2 repositories are configured with dedicated certificates. Therefore, certificates for repo1 will not work on repo2, and certificates for repo2 will not work on repo1. The repo3 repository is configured to accept either certificate.

The example assumes you have a proper server certificate for your Apache instance already available. If you do not have a server certificate for your Apache instance, see the instructions for creating a test certificate in Creating a Self-Signed Server Certificate Authority.

The three repositories are set up under https://pkg-sec.example.com/repo1, https://pkg-sec.example.com/repo2, and https://pkg-sec.example.com/repo3. These repositories point to depot servers set up at http://internal.example.com on ports 10001, 10002, and 10003 respectively. Make sure the SOFTTOKEN_DIR environment variable is set correctly as described in Creating a Keystore.

How to Configure Secure Repositories

1. Create a CA certificate for repo1.

   $ pktool gencert label=repo1_ca subject="CN=repo1" serial=0x01
   $ pktool export objtype=cert label=repo1_ca outformat=pem \
   outfile=repo1_ca.pem

2. Create a CA certificate for repo2.

   $ pktool gencert label=repo2_ca subject="CN=repo2" serial=0x01
   $ pktool export objtype=cert label=repo2_ca outformat=pem \
   outfile=repo2_ca.pem

3. Create a combined CA certificate file.

   $ cat repo1_ca.pem > repo_cas.pem
   $ cat repo2_ca.pem >> repo_cas.pem
   $ cp repo_cas.pem /path-to-certs

4. Create one client certificate/key pair to allow user myuser to access repository repo1.

   $ pktool gencsr subject="C=US,CN=myuser" label=repo1_0001 format=pem \
   outcsr=repo1_myuser.csr
   $ pktool signcsr signkey=repo1_ca csr=repo1_myuser.csr  \
   serial=0x02 outcert=repo1_myuser.crt.pem issuer="CN=repo1"
   $ pktool export objtype=key label=repo1_0001 outformat=pem \
   outfile=repo1_myuser.key.pem
   $ cp repo1_myuser.key.pem /path-to-certs
   $ cp repo1_myuser.crt.pem /path-to-certs

5. Create one client certificate/key pair to allow user myuser to access repository repo2.

   $ pktool gencsr subject="C=US,CN=myuser" label=repo2_0001 format=pem \
   outcsr=repo2_myuser.csr
   $ pktool signcsr signkey=repo2_ca csr=repo2_myuser.csr  \
   serial=0x02 outcert=repo2_myuser.crt.pem issuer="CN=repo2"
   $ pktool export objtype=key label=repo2_0001 outformat=pem \
   outfile=repo2_myuser.key.pem
   $ cp repo2_myuser.key.pem /path-to-certs
   $ cp repo2_myuser.crt.pem /path-to-certs

6. Configure Apache.

   Add the following SSL configuration at the end of your httpd.conf file:

   # Let Apache listen on the standard HTTPS port
   Listen 443
   
   <VirtualHost 0.0.0.0:443>
           # DNS domain name of the server
           ServerName pkg-sec.example.com
           
           # enable SSL
           SSLEngine On
   
           # Location of the server certificate and key.
           # You either have to get one from a certificate signing authority like
           # VeriSign or create your own CA for testing purposes (see "Creating a 
           # Self-Signed CA for Testing Purposes") 
           SSLCertificateFile /path/to/server.crt
           SSLCertificateKeyFile /path/to/server.key
   
           # Intermediate CA certificate file. Required if your server certificate
           # is not signed by a top-level CA directly but an intermediate authority.
           # Comment out this section if you don't need one or if you are using a
           # test certificate 
           SSLCertificateChainFile /path/to/ca_intermediate.pem
   
           # CA certs for client verification.
           # This is where the CA certificate created in step 3 needs to go.
           # If you have multiple CAs for multiple repos, just concatenate the
           # CA certificate files
           SSLCACertificateFile /path/to/certs/repo_cas.pem
   
           # If the client presents a certificate, verify it here. If it doesn't, 
           # ignore.
           # This is required to be able to use client-certificate based and
           # anonymous SSL traffic on the same VirtualHost. 
           SSLVerifyClient optional
   
           <Location /repo1>
                   SSLVerifyDepth 1
                   SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo1/ )
                   # proxy request to depot running at internal.example.com:10001
                   ProxyPass http://internal.example.com:10001 nocanon max=500
           </Location>
   
           <Location /repo2>
                   SSLVerifyDepth 1
                   SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo2/ )
                   # proxy request to depot running at internal.example.com:10002
                   ProxyPass http://internal.example.com:10002 nocanon max=500
           </Location>
   
           <Location /repo3>
                   SSLVerifyDepth 1
                   SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
                   # proxy request to depot running at internal.example.com:10003
                   ProxyPass http://internal.example.com:10003 nocanon max=500
           </Location>
   
   </VirtualHost>

7. Test access to repo1.

   $ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \
   -c /path-to-certs/repo1_myuser.crt.pem \
   -p https://pkg-sec.example.com/repo1/

8. Test access to repo2.

   $ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \
   -c /path-to-certs/repo2_myuser.crt.pem \
   -p https://pkg-sec.example.com/repo2/

9. Test access to repo3.

   Use the repo1 certificate to test access to repo3.

   $ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \
   -c /path-to-certs/repo1_myuser.crt.pem \
   -p https://pkg-sec.example.com/repo3/

   Use the repo2 certificate to test access to repo3.

   $ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \
   -c /path-to-certs/repo2_myuser.crt.pem \
   -p https://pkg-sec.example.com/repo3/