Introduction to Encryption

I thought I would post a guide here to explain how a practice could enable SSL (Secure Socket Layer) protection for the practice management system.

Why do I want SSL?

The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.

Visualize the internet like one of those old-style soup can telephones... you speak into one can, the string goes to a second can and your friend on the other end can hear you; a passerby can't overhear you because you are not yelling. BUT if that passerby was malicious and had their own tin can and string, they could tie their string to your string, and now they can hear everything, particularly your password. With SSL your can ties to a special box that turns what you say into gobbledygook, so the evil eavesdropper only overhears gobbledygook; at the other end another box knows how to decode the gobbledygook and retransmits it to your friend on the other soup can.

Ok so who cares, no one wants to steal my data? WRONG WRONG WRONG WRONG. Most practices have names, home addresses, postal addresses, email addresses, pet names etc. stored for over 10000 people, ignoring the sensitive medical records we are supposed to protect. Mailing lists like this sell very well on the net, not to mention some hackers just want to ruin all your data for kicks.

But hang on, my server is local. I don't need it?

True - if your server is ONLY accessible from within the building then you can probably stop reading this and forget about it. However, if you have ever considered allowing vets to access it from home or while mobile, keep reading.

Ok so I want mobile access?

There are a number of ways you can set up remote access to a server. Two examples follow.

1. Using a VPN - whether that be a "dial in" VPN or persistent (always on)

Using a VPN generally already involves a decent level of encryption, assuming someone set it up properly.

VPNs can be temperamental and slow, but they are definitely good protection.

2. Port forwarding and using firewalls to disallow IPs / MACs etc.

This is when you DEFINITELY want to ensure you use encryption. When your computer at home accesses your work server without encryption, your password is available for anyone to see, steal and then use.

SSL can be used in both cases; in the first it just provides an additional layer of security. It's worth it because if your system does get hacked and you have to contact the police, you need to be able to show you bothered to lock the doors (metaphorically speaking).

 

So how do I implement it?

1. Firstly you need to generate a private key.

      Log in as an administrator on your server and run:

keytool -genkey -keysize 2048 -keyalg RSA -sigalg SHA1withRSA -alias [name of server] -keystore "[Tomcat path]\security\keystore.jks" -keypass changeit -storepass changeit

(This example signs the request with SHA1withRSA; SHA-1 signatures are no longer accepted by current CAs and browsers, so use -sigalg SHA256withRSA today. The key and store passwords are also the keytool default "changeit" here; pick your own.)

This will ask for:

Your name: [PMS System Some Vet]

Your organizational unit: [public.vet.com.au (put in the public domain address you type to access the server)]

Your Organization: [Vet Company Pty Ltd]

Your City: [Anywhereville]

Your State: [State]

Your Country: [AU] or your 2 letter country code

It should complete and your private key is generated. You could use this key as it is, but a web browser will tell you that it can't be sure you are who you say you are, so you need to ask a public certificate authority to verify you.

So you generate a CSR (Certificate Signing Request):

keytool -certreq -alias [name of server] -keystore "[Tomcat path]\security\keystore.jks" -file "C:\somepath\cert.csr"

For this example I used a free SSL authority called StartCom (StartSSL) - they provide a basic FREE SSL certificate.

I needed to signup for an account in order to use StartSSL. Signing-up involves generating a signed private key which proves my identity. Here onwards, the key is used by StartSSL to authenticate my access to their website.

Note that it is important to keep a back-up copy of this private key for future use. This file needs to be imported on all computers used to access StartSSL.

Figure 1: StartSSL

Once I have an account, I can use the Control Panel to generate my certificate. The first step is to validate that I own the domain mysurgery.com.au; the aptly named Validation Wizard takes care of this.

Once my domain was validated, I used the Certificates Wizard to submit my certificate request (.csr file):

  • Select Web Server SSL/TLS Certificate.
  • Because I already have a private key and a certificate request, I skipped the next screen.
  • I pasted the contents of my certificate request (.csr file) into the text area provided.
  • When finished, the generated certificate is displayed in another text area; I copied this and saved it to a file called ssl.crt.

Import the Generated Certificate and StartSSL Certificate Chains

The next step is to import the generated certificate into my keystore. The StartSSL certificate chain also needs to be imported.

The StartSSL certificate chain can be downloaded from:

The free SSL certificate from StartSSL is only a Class 1 level certificate. With an upgraded package (Class 2 and higher), all applicable class certificates must be downloaded.

I again used keytool to import these certificates:

keytool -import -alias startsslca -file ca.crt -keystore "[Tomcat path]\security\keystore.jks" -trustcacerts
keytool -import -alias startsslca1 -file sub.class1.server.ca.crt -keystore "[Tomcat path]\security\keystore.jks" -trustcacerts
keytool -import -alias [name of server] -file ssl.crt -keystore "[Tomcat path]\security\keystore.jks"

Ok cool, I have my certificates... now we need to configure Tomcat.

Enabling SSL with Tomcat involves creating a new connector which listens to HTTPS connections. This connector needs to know the location of the keystore file as well as the password to access the keystore.

So navigate to [Tomcat Home]\conf and open server.xml with a text editor.

You will find a section that looks like this:

 <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

 <!--  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true" 
            keystoreFile="security/keystore.jks" keystorePass="changeit"
            clientAuth="false" sslProtocol="TLS" /> -->

Remove the surrounding comment markers (the <!-- and --> around the Connector element), that is, UNCOMMENT this section. If you used my suggestions for where to put the keystore then the keystoreFile="security/keystore.jks" and keystorePass="changeit" attributes shown above are exactly what you need to add to the Connector.

You can now restart the Tomcat server and it should be accessible on tomcat.address.com:8080 as well as the new tomcat.address.com:8443. When connected to port 8443 you should see the padlock symbol in the browser telling you the connection is secure.

Optional extras - you can disable access to OpenVPMS on port 8080 and force people to use the secure connection.

 

Refs: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 

Sincerely Ben


Re: Introduction to Encryption

Thanks for this great article.  It helped me tons in setting up my https connection.

Just as a heads-up, however.  It looks like Mozilla at least is about to remove WoSign/Startcom from its list of trusted CAs due to issuance shenanigans.  LetsEncrypt may be a better way to go if one can get the install and auto-renewal scripts made to work... or just use as I do a self-signed certificate.

Thanks again,

Sam Longiaru

Re: Introduction to Encryption

Having just got our Amazon EC2/RDS system running using LetsEncrypt certificates and a major assist from Damien S, I thought I should provide the recipe (which is for Ubuntu 14.04 and Tomcat 7). Here is my recipe/cheat sheet:

# as per https://certbot.eff.org/#ubuntutrusty-apache
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

### ensure amazon security group has ports 80 (HTTP) and 443 (HTTPS) open [to install certificates]
### MUST have a domain name other than the amazon one (eg ec2-99-99-99-99.ap-southeast-1.compute.amazonaws.com)
### because letsencrypt will not issue certificates for amazon domains. We use dyn.com to provide a domain name
### mapped to the (public) Elastic IP address of the two EC2 instances we run.

$ sudo certbot --apache
# gives:
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

$ sudo ./tckeys.sh
# gives:
MAC verified OK
    friendlyName: tomcat
subject=/CN=eiah-az-prod.webhop.net
    friendlyName: tomcat
Key Attributes: <No Attributes>
keytool error: java.lang.Exception: Keystore file does not exist: /etc/letsencrypt/tomcat_keystore.jks
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Alias name: tomcat
Certificate chain length: 1
Certificate[1]:
Owner: CN=eiah-az-prod.webhop.net

## now need to edit /var/lib/tomcat7/conf/server.xml

a) to comment out the HTTP/8080 connector - ie make it as:
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
    -->

b) to set the HTTP/8443 connector as follows:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="250" scheme="https" secure="true"
                keystoreFile="/etc/letsencrypt/tomcat_keystore.jks" keystorePass="PASSWORD"
                clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />

NOTE: change clientAuth="true" to clientAuth="false" if you do not want to install certificates in each
client machine's browser(s)

### ensure amazon security group has ports 80 (HTTP) and 443 (HTTPS) closed 
###  and 8443 open to all

## Restart tomcat:
  sudo service tomcat7 restart
 
Now you need to install the certificate in each client machine's browser
Note that the tckeys script leaves a pk12 format version of the certificate in
   /etc/letsencrypt/tmp_cert.p12
which you can use for importing into the client machine's browser(s)

The tckeys.sh script used to transform from pem to java key store came from Damien S - here it is.  You will need to adjust the domain name to yours.

#!/bin/bash
# Thanks to Damien S for this code
# It transforms the LetsEncrypt certificates to java keystore format for Tomcat
# Adjust hostsslname to your own domain name.

export hostsslname=eiah-az-prod.webhop.net

privatekeyfile=/etc/letsencrypt/live/${hostsslname}/privkey.pem
certfile=/etc/letsencrypt/live/${hostsslname}/cert.pem
chainfile=/etc/letsencrypt/live/${hostsslname}/chain.pem
keyalias=tomcat
mypass=PASSWORD
pkcs12_cert=/etc/letsencrypt/tmp_cert.p12
# The keystore defined in server.xml:
tomcatkeystore=/etc/letsencrypt/tomcat_keystore.jks

function setupcert {
  # Bundle the private key, the certificate and the chain into one PKCS12 file
  openssl pkcs12 -export -in "$certfile" -inkey "$privatekeyfile" -out "$pkcs12_cert" \
    -name "$keyalias" -CAfile "$chainfile" -caname root -password "pass:$mypass"
  # Show what went into the bundle (names only; the key material is filtered out)
  openssl pkcs12 -in "$pkcs12_cert" -passin "pass:$mypass" -passout "pass:$mypass" \
    | egrep -i 'friendlyName:|subject=|key attributes'
  # Remove the previous entry so a renewed certificate replaces it.
  # On the very first run the keystore does not exist yet and keytool prints
  # "Keystore file does not exist" here; that error is harmless.
  keytool -delete -keystore "$tomcatkeystore" -storepass "$mypass" -alias "$keyalias"
  # Import the PKCS12 bundle (key plus chain) into the JKS keystore Tomcat reads
  keytool -importkeystore -noprompt -deststorepass "$mypass" \
    -destkeystore "$tomcatkeystore" -srckeystore "$pkcs12_cert" \
    -srcstoretype PKCS12 -srcstorepass "$mypass"
  # Summarise the resulting entry
  keytool -list -v -keystore "$tomcatkeystore" -storepass "$mypass" \
    | egrep -i 'alias name|chain length|certificate\[|owner:'
}
setupcert

NOTE: the LetsEncrypt free certificates need to be renewed every three months. Hence you need a cron job to do this (see https://certbot.eff.org/docs/using.html#renewing-certificates ) and also call tckeys.sh to process the keys.

I will update this post when I understand the optimum way to do this.

You will also need (if you turn on client authentication) a process for distributing the new certificates to your users.

Regards, Tim G
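Both server.xml fragments in this thread (the 8443 connector in the post above, and the one in this comment with clientAuth and the longer sslEnabledProtocols list) are easy to get subtly wrong when edited by hand. What follows is an added example, not code from the post, from OpenVPMS or from Tomcat: a small Python script that audits the Connector entries of a server.xml (plaintext connector still enabled, default or placeholder keystore password, legacy protocols such as SSLv2Hello) and produces a hardened copy. The sample server.xml it parses is constructed here, the "example-only-pass" keystore password is a placeholder, and pinning sslEnabledProtocols to TLSv1.2 assumes a Java version that supports it.

```python
"""Audit and harden the Connector entries of a Tomcat server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the 8080 connector left enabled, the 8443 connector with
# the default keystore password and the legacy protocol list from the comment
# above, plus an AJP connector that is not browser-facing.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="security/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# "changeit" is Tomcat's own default keystore password; "PASSWORD" is the
# placeholder left in the script in this thread.
WEAK_PASSWORDS = {"changeit", "PASSWORD", "password"}
LEGACY_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")


def _is_https(conn):
    return conn.get("SSLEnabled", "false").lower() == "true"


def _is_plain_http(conn):
    # HTTP/1.1 or an Http11*Protocol class name, without SSLEnabled="true"
    return not _is_https(conn) and "HTTP" in conn.get("protocol", "HTTP/1.1").upper()


def audit_connectors(xml_text):
    """Return (port, finding) pairs; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    https_seen = False
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if _is_plain_http(conn):
            findings.append((port, "plaintext HTTP connector still enabled"))
            continue
        if not _is_https(conn):
            continue  # AJP and similar connectors are not reached by browsers
        https_seen = True
        # A missing keystorePass means Tomcat falls back to "changeit"
        if conn.get("keystorePass", "changeit") in WEAK_PASSWORDS:
            findings.append((port, "keystorePass is a default or placeholder value"))
        enabled = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
        legacy = [p for p in LEGACY_PROTOCOLS if p in enabled]
        if legacy:
            findings.append((port, "legacy protocols enabled: " + ",".join(legacy)))
    if not https_seen:
        findings.append(("-", "no SSLEnabled connector configured"))
    return findings


def harden_server_xml(xml_text, keystore_pass):
    """Comment out plaintext HTTP connectors, pin HTTPS connectors to TLSv1.2 and
    set the keystore password; returns the rewritten server.xml as text."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for idx, child in enumerate(list(parent)):
            if child.tag != "Connector":
                continue
            if _is_plain_http(child):
                # Keep the old definition visible but disabled, as the comment above does
                old = ET.tostring(child, encoding="unicode").strip()
                parent[idx] = ET.Comment(" disabled: " + old + " ")
            elif _is_https(child):
                child.set("sslEnabledProtocols", "TLSv1.2")
                child.set("keystorePass", keystore_pass)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
    print(harden_server_xml(SAMPLE_SERVER_XML, "example-only-pass"))
```

To check a real file, pass the contents of your server.xml to audit_connectors. The plaintext connector is kept as an XML comment rather than deleted so the original definition stays visible; note that redirectPort on its own does not force HTTPS, it only applies to resources that web.xml marks as CONFIDENTIAL, which is why the post suggests disabling port 8080 outright.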

 
