Two-factor authentication on a website using a USB token. Now for Linux too

In one of our previous articles we discussed the importance of two-factor authentication on corporate portals. Last time we showed how to set up strong authentication in the IIS web server.

In the comments we were asked to write instructions for the most popular web servers on Linux: nginx and Apache.

You asked, so we wrote it.

What do you need to get started?

  • Any modern Linux distribution. I did the test setup on MX Linux 18.2_x64. It is certainly not a server distribution, but there are unlikely to be any differences from Debian. On other distributions the library paths may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model, whose speed characteristics make it well suited to corporate use.
  • To work with the token on Linux, install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc


Issuing the certificates

In the previous articles we relied on the server and client certificates being issued by a Microsoft CA. Since we are now setting everything up on Linux, we will also describe an alternative way of issuing these certificates without leaving Linux.
We will use XCA (https://hohnstaedt.de/xca/) as the CA; it is available in any modern Linux distribution. Everything we do in XCA can also be done from the command line with OpenSSL and pkcs11-tool, but for simplicity and clarity we will not show that in this article.

Getting started

  1. Install it:
    $ apt-get install xca
  2. And run it:
    $ xca
  3. Create our CA database: /root/CA.xdb
    We recommend keeping the certification authority database in a directory that only the administrator can access. This matters for protecting the private key of the root certificate, which signs all the other certificates.

Creating the key and root CA certificate

A public key infrastructure (PKI) is built as a hierarchy. At the top of this hierarchy is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and choose the key type.
  2. Give the new key pair a name. I called it CA Key.
  3. Issue the CA certificate itself using the key just created. To do this, go to the Certificates tab and click New Certificate.
  4. Make sure SHA-256 is selected: SHA-1 can no longer be considered secure.
  5. Make sure the [default] CA template is selected. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab select our key pair. There you can also fill in the main fields of the certificate.


Creating the key and certificate for the HTTPS server

  1. In the same way, create an RSA-2048 private key for the server; I called it Server Key.
  2. When creating the certificate, specify that the server certificate must be signed with the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select the [default] HTTPS_server template. Click Apply all.
  5. Then, on the Subject tab, select our key and fill in the required fields.


Creating the key and certificate for the user

  1. The user's private key will be stored on our token. To work with it, install the PKCS#11 library from our website. For popular distributions we ship ready-made packages, available at https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK: https://www.rutoken.ru/developers/sdk/. Besides the Linux builds there are builds for macOS, FreeBSD and Android.
  2. Add a new PKCS#11 provider to XCA. To do this, open the Options menu and go to the PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We need a formatted Rutoken EDS PKI token. Download the rtAdmin utility: https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run:
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key for Rutoken EDS PKI as the key type. I called this key Client Key.


  7. Enter the PIN and wait for the key pair to be generated in the token's hardware.


  8. Create the user's certificate by analogy with the server certificate. This time select the [default] HTTPS_client template, and don't forget to click Apply all.
  9. On the Subject tab enter the user's details. Answer yes when asked whether to store the certificate on the token.

As a result, the Certificates tab in XCA should look something like this.

This minimal set of keys and certificates is enough to start configuring the servers themselves.

For the configuration we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the required entry on the corresponding tab in XCA and click Export.

Nginx

I won't describe how to install and run nginx: there are plenty of articles on the subject online, not to mention the official documentation. Let's go straight to setting up HTTPS and two-factor authentication with the token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A full description of all ssl-related parameters in nginx is available at https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I'll briefly explain the ones I had to look up myself:

  • ssl_verify_client - enables client certificate verification; with "on", a connection that does not present a certificate chaining to the trusted certificates is rejected.
  • ssl_verify_depth - sets how deep nginx searches the chain for the trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user's certificate were signed by an intermediate CA, this parameter would have to be 2, and so on.
  • ssl_client_certificate - the path to the trusted root certificate that is used to verify the user's certificate.
  • ssl_certificate/ssl_certificate_key - the paths to the server certificate and its private key.

Don't forget to run nginx -t to check that there are no typos in the configuration, that all the files are where they should be, and so on.

And that's it! As you can see, the setup is simple.
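What the configuration above actually enforces can be checked without a browser or a token. The following script is an added example, not code from the article or from Rutoken. It repeats the XCA steps with the OpenSSL command line (the route the certificate section mentioned but did not spell out), then starts a local openssl s_server configured like the nginx block (ssl_verify_client on, ssl_verify_depth 1, ssl_client_certificate CA.crt) and connects to it three times: with no client certificate, with a certificate from our CA, and with one issued by an unrelated CA. The file names CA.crt, Server.crt and ServerKey.pem follow the nginx configuration; the subjects, the "Rogue" CA, the port and the temporary directory are this example's own assumptions. One deliberate difference from the article: the client key is a software file here, because there is no token in the loop; with the Rutoken, XCA's PKCS#11 provider generates the key pair in hardware and only the certificate request leaves the device.

```shell
#!/bin/sh
# Added example (not from the article): the XCA steps redone with the OpenSSL
# CLI, followed by a local stand-in for the nginx/Apache client-certificate
# check. File names, subjects, the "Rogue" CA and the port are assumptions.
set -e

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 10000))
trap 'kill "${SERVER_PID:-}" 2>/dev/null; rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config mirroring the XCA templates ([default] CA,
# HTTPS_server, HTTPS_client), so nothing depends on the system openssl.cnf.
cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_root NAME SUBJECT: self-signed RSA-2048/SHA-256 root (the "CA Key" step).
new_root() {
  openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "$2" -keyout "$WORK/$1Key.pem" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT EXT_SECTION ROOT: RSA-2048 key, CSR, certificate signed by ROOT.
# (In the article the client key lives on the Rutoken; here it is a plain file.)
issue_cert() {
  openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1Key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$4.crt" -CAkey "$WORK/$4Key.pem" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

new_root CA "/CN=Example Root CA"
issue_cert Server "/CN=localhost" server_ext CA
issue_cert Client "/O=Example Corp/CN=Alice" client_ext CA
# An unrelated CA: its client certificates must be refused by the server.
new_root Rogue "/CN=Rogue CA"
issue_cert RogueClient "/O=Example Corp/CN=Mallory" client_ext Rogue

# chain_ok CERT ROOT: offline form of ssl_client_certificate + ssl_verify_depth 1.
chain_ok() {
  openssl verify -CAfile "$WORK/$2.crt" -verify_depth 1 "$WORK/$1.crt" >/dev/null 2>&1
}

# has_client_eku CERT: the HTTPS_client template marks the key for TLS client auth.
has_client_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Stand-in for "listen 443 ssl; ssl_verify_client on; ssl_verify_depth 1;":
# -Verify 1 demands a client certificate; -verify_return_error makes a failed
# chain refuse the handshake (s_server would otherwise only log it).
openssl s_server -accept "$PORT" -www -quiet -cert "$WORK/Server.crt" \
  -key "$WORK/ServerKey.pem" -CAfile "$WORK/CA.crt" -Verify 1 -verify_return_error \
  </dev/null >/dev/null 2>&1 &
SERVER_PID=$!
sleep 2

# probe [CLIENT]: one TLS handshake, optionally presenting CLIENT's certificate.
# Returns 0 when the server answered the request (client authenticated), 1 otherwise.
probe() {
  if [ $# -gt 0 ]; then set -- -cert "$WORK/$1.crt" -key "$WORK/$1Key.pem"; fi
  printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/CA.crt" -quiet "$@" 2>/dev/null |
    grep -q '^HTTP/1.0 200'
}

chain_ok Client CA      && CLIENT_CHAIN=trusted  || CLIENT_CHAIN=untrusted
chain_ok RogueClient CA && ROGUE_CHAIN=trusted   || ROGUE_CHAIN=untrusted
has_client_eku Client   && CLIENT_EKU=clientAuth || CLIENT_EKU=none
probe                   && NO_CERT=accepted      || NO_CERT=rejected
probe Client            && GOOD_CERT=accepted    || GOOD_CERT=rejected
probe RogueClient       && ROGUE_CERT=accepted   || ROGUE_CERT=rejected

printf 'chain: Client=%s RogueClient=%s; Client EKU=%s; handshake: no cert=%s Client=%s RogueClient=%s\n' \
  "$CLIENT_CHAIN" "$ROGUE_CHAIN" "$CLIENT_EKU" "$NO_CERT" "$GOOD_CERT" "$ROGUE_CERT"
```

Run it as a plain shell script. The last line should read trusted / untrusted / clientAuth / rejected / accepted / rejected: only the certificate chaining directly to CA.crt gets an HTTP 200 from the stand-in server, exactly what ssl_verify_client on enforces in nginx. Against the real server the same probe works with openssl s_client -connect host:443 -cert Client.crt -key ClientKey.pem (or, with the token, through the PKCS#11 engine), which is a quicker first check than the Firefox walk-through below.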

Checking that it works in Firefox

Since we are doing everything entirely on Linux, we will assume our users work on Linux too (if they have Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First try to log in without the token. We get this picture:


  3. Go to about:preferences#privacy and open Security Devices…
  4. Click Load to add a new PKCS#11 device driver and enter the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, open the Certificate Manager. You will be asked for your PIN. After entering it correctly, you can see on the Your Certificates tab that our certificate from the token has appeared.
  6. Now let's log in with the token. Firefox asks you to choose the certificate to present to the server. Choose our certificate.


  7. Done!


The setup is done once, and as you can see in the certificate request dialog, the choice can be remembered. After that, every time we log in to the portal we only need to insert the token and enter the user PIN set during formatting. After such authentication the server already knows which user has logged in (nginx exposes the subject of the verified client certificate in the $ssl_client_s_dn variable, Apache in the SSL_CLIENT_S_DN environment variable), so no additional login windows are needed: the user can be taken straight to their personal account.

Apache

As with nginx, nobody should have trouble installing Apache. If you don't know how to install this web server, just use the official documentation.

Now let's set up HTTPS and two-factor authentication:

  1. First enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the default HTTPS site configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    
        SSLCertificateFile	/etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
    
        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
    
        SSLVerifyClient require
        SSLVerifyDepth  1

    As you can see, the parameter names almost match the nginx ones, so I won't explain them again: SSLVerifyClient require corresponds to ssl_verify_client on, and SSLVerifyDepth 1 mirrors ssl_verify_depth 1, so the client certificate must be signed directly by the root in CA.crt. SSLv3 and TLS 1.0/1.1 are disabled together with SSLv2; excluding SSLv2 alone, as older guides do, is no longer enough. Anyone interested in the details is welcome to consult the documentation.
    Now restart the server (a newly enabled module needs a full restart; a reload is not enough):

    $ service apache2 restart

  4. As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes at most an hour, and configuring the browser takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and obscure. I hope our article has dispelled this myth, at least a little.


Do you need instructions for setting up TLS with certificates based on GOST 34.10-2012?

  • Yes, TLS with GOST is very important

  • No, running with GOST algorithms is not interesting

44 users voted. 9 users abstained.

source: www.habr.com
