Copying and Creating Package Repositories in Oracle® Solaris 11.2


Updated: September 2014

Complete Secure Repository Example

This example configures three secure repositories named repo1, repo2, and repo3. The repo1 and repo2 repositories are configured with dedicated certificates, so a repo1 certificate does not work for repo2 and a repo2 certificate does not work for repo1. The repo3 repository is configured to accept either of the two certificates.

This example assumes that you already have a valid server certificate available for the Apache instance. If you do not have a server certificate for the Apache instance, see the instructions in Creating a Self-Signed Server Certificate Authority to create a test certificate.

The three repositories are set up under https://pkg-sec.example.com/repo1, https://pkg-sec.example.com/repo2, and https://pkg-sec.example.com/repo3 respectively. These repositories point to depot servers set up at http://internal.example.com on ports 10001, 10002, and 10003 respectively. Make sure that the SOFTTOKEN_DIR environment variable is set correctly as described in Creating a Keystore.

How to Configure Secure Repositories

  1. Create a CA certificate for repo1.
    $ pktool gencert label=repo1_ca subject="CN=repo1" serial=0x01
    $ pktool export objtype=cert label=repo1_ca outformat=pem \
    outfile=repo1_ca.pem
  2. Create a CA certificate for repo2.
    $ pktool gencert label=repo2_ca subject="CN=repo2" serial=0x01
    $ pktool export objtype=cert label=repo2_ca outformat=pem \
    outfile=repo2_ca.pem
  3. Create the combined CA certificate file.
    $ cat repo1_ca.pem > repo_cas.pem
    $ cat repo2_ca.pem >> repo_cas.pem
    $ cp repo_cas.pem /path-to-certs
  4. Create a client certificate/key pair to allow the user myuser to access the repository repo1.
    $ pktool gencsr subject="C=US,CN=myuser" label=repo1_0001 format=pem \
    outcsr=repo1_myuser.csr
    $ pktool signcsr signkey=repo1_ca csr=repo1_myuser.csr  \
    serial=0x02 outcert=repo1_myuser.crt.pem issuer="CN=repo1"
    $ pktool export objtype=key label=repo1_0001 outformat=pem \
    outfile=repo1_myuser.key.pem
    $ cp repo1_myuser.key.pem /path-to-certs
    $ cp repo1_myuser.crt.pem /path-to-certs
  5. Create a client certificate/key pair to allow the user myuser to access the repository repo2.
    $ pktool gencsr subject="C=US,CN=myuser" label=repo2_0001 format=pem \
    outcsr=repo2_myuser.csr
    $ pktool signcsr signkey=repo2_ca csr=repo2_myuser.csr  \
    serial=0x02 outcert=repo2_myuser.crt.pem issuer="CN=repo2"
    $ pktool export objtype=key label=repo2_0001 outformat=pem \
    outfile=repo2_myuser.key.pem
    $ cp repo2_myuser.key.pem /path-to-certs
    $ cp repo2_myuser.crt.pem /path-to-certs
  6. Configure Apache.

    Add the following SSL configuration to the end of the httpd.conf file:

    # Let Apache listen on the standard HTTPS port
    Listen 443
    
    <VirtualHost 0.0.0.0:443>
            # DNS domain name of the server
            ServerName pkg-sec.example.com
            
            # enable SSL
            SSLEngine On
    
            # Location of the server certificate and key.
            # You either have to get one from a certificate signing authority like
            # VeriSign or create your own CA for testing purposes (see "Creating a 
            # Self-Signed CA for Testing Purposes") 
            SSLCertificateFile /path/to/server.crt
            SSLCertificateKeyFile /path/to/server.key
    
            # Intermediate CA certificate file. Required if your server certificate
            # is not signed by a top-level CA directly but an intermediate authority.
            # Comment out this section if you don't need one or if you are using a
            # test certificate 
            SSLCertificateChainFile /path/to/ca_intermediate.pem
    
            # CA certs for client verification.
            # This is where the CA certificate created in step 3 needs to go.
            # If you have multiple CAs for multiple repos, just concatenate the
            # CA certificate files
            SSLCACertificateFile /path/to/certs/repo_cas.pem
    
            # If the client presents a certificate, verify it here. If it doesn't, 
            # ignore.
            # This is required to be able to use client-certificate based and
            # anonymous SSL traffic on the same VirtualHost. 
            SSLVerifyClient optional
    
            <Location /repo1>
                    SSLVerifyDepth 1
                    SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo1/ )
                    # proxy request to depot running at internal.example.com:10001
                    ProxyPass http://internal.example.com:10001 nocanon max=500
            </Location>
    
            <Location /repo2>
                    SSLVerifyDepth 1
                    SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo2/ )
                    # proxy request to depot running at internal.example.com:10002
                    ProxyPass http://internal.example.com:10002 nocanon max=500
            </Location>
    
            <Location /repo3>
                    SSLVerifyDepth 1
                    SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
                    # proxy request to depot running at internal.example.com:10003
                    ProxyPass http://internal.example.com:10003 nocanon max=500
            </Location>
    
    </VirtualHost>
  7. Test access to repo1.
    $ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \
    -c /path-to-certs/repo1_myuser.crt.pem \
    -p https://pkg-sec.example.com/repo1/
  8. Test access to repo2.
    $ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \
    -c /path-to-certs/repo2_myuser.crt.pem \
    -p https://pkg-sec.example.com/repo2/
  9. Test access to repo3.

    Test access to repo3 using the repo1 certificate.

    $ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \
    -c /path-to-certs/repo1_myuser.crt.pem \
    -p https://pkg-sec.example.com/repo3/

    Test access to repo3 using the repo2 certificate.

    $ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \
    -c /path-to-certs/repo2_myuser.crt.pem \
    -p https://pkg-sec.example.com/repo3/
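The access policy that the three Location blocks in step 6 enforce, modelled as an added Python example (this is not code from the Oracle guide or from Apache). The mod_ssl variable names SSL_CLIENT_VERIFY and SSL_CLIENT_I_DN_CN are real; the client environments and the hypothetical issuer CN repo10 are constructed to show how the unanchored m/repo1/ pattern behaves.

```python
import re

# Constructed model of the SSLRequire rules in the <Location> blocks above.
# mod_ssl exposes the client certificate state as SSL_CLIENT_VERIFY and the
# issuer CN as SSL_CLIENT_I_DN_CN; each rule returns True when SSLRequire
# would grant the request.

def require_issuer_cn(pattern):
    # SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/<pattern>/ ): a Perl-style regex.
    # As written in the config the pattern is unanchored, so it is a substring match.
    def rule(env):
        return re.search(pattern, env.get("SSL_CLIENT_I_DN_CN", "")) is not None
    return rule

def require_verified(env):
    # SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS"

LOCATIONS = {
    "/repo1": require_issuer_cn(r"repo1"),
    "/repo2": require_issuer_cn(r"repo2"),
    "/repo3": require_verified,
}

def client_env(issuer_cn=None):
    """Environment a client produces under SSLVerifyClient optional (constructed).

    No certificate: SSL_CLIENT_VERIFY is NONE and no issuer variables exist.
    Certificate presented: with 'optional' (unlike 'optional_no_ca') a certificate
    that fails verification against repo_cas.pem aborts the handshake before
    SSLRequire runs, so the only state reaching the rules is SUCCESS plus issuer CN.
    """
    if issuer_cn is None:
        return {"SSL_CLIENT_VERIFY": "NONE"}
    return {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN_CN": issuer_cn}

def access_matrix(env, locations=LOCATIONS):
    """Map each repository path to True (allowed) or False (denied) for this client."""
    return {path: rule(env) for path, rule in locations.items()}

if __name__ == "__main__":
    for label, env in [("repo1 client", client_env("repo1")),
                       ("repo2 client", client_env("repo2")),
                       ("anonymous", client_env())]:
        print(label, access_matrix(env))
    # A hypothetical CA "CN=repo10" would also satisfy m/repo1/; anchoring the
    # pattern (^repo1$) limits /repo1 to certificates issued by exactly CN=repo1.
    strict = dict(LOCATIONS, **{"/repo1": require_issuer_cn(r"^repo1$")})
    print("repo10 issuer, as written:", access_matrix(client_env("repo10"))["/repo1"])
    print("repo10 issuer, anchored:  ", access_matrix(client_env("repo10"), strict)["/repo1"])
```

Running it reproduces the matrix from the introduction: the repo1 and repo2 clients each reach their own repository and repo3, and a client without a certificate reaches none of the three.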