Two-factor authentication on a website using a USB token. Now for Linux too

In one of our previous articles we talked about the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication on an IIS web server.

In the comments we were asked to write the same instructions for the most popular web servers on Linux - nginx and Apache.

You asked - we wrote.

What do you need to get started?

  • Any modern Linux distribution. I tested the setup on MX Linux 18.2_x64. This is of course not a server distribution, but there are unlikely to be any differences for Debian. For other distributions the paths to the configuration files and libraries may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model, which is ideal in terms of speed characteristics for corporate use.
  • To work with the token on Linux, you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc


Issuing certificates

In the previous article we relied on the server and client certificates being issued by a Microsoft CA. But since we are setting everything up on Linux, we will also show you an alternative way of issuing these certificates - without leaving Linux.
We will use XCA (https://hohnstaedt.de/xca/) as the CA; it is available in any modern Linux distribution. Everything we do in XCA can also be done from the command line with OpenSSL and pkcs11-tool, but for simplicity and clarity we will not cover that in this article.

Getting started

  1. Install:
    $ apt-get install xca
  2. And run:
    $ xca
  3. Create our database for the CA - /root/CA.xdb
    We recommend storing the certificate authority database in a folder that only the administrator can access. This is important to protect the private key of the root certificate, which is used to sign all the other certificates.

Creating the key and the root CA certificate

Public key infrastructure (PKI) is built as a hierarchy. The main element of this hierarchy is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private keys tab click New key and select the appropriate type.
  2. Give the new key pair a name. I called it CA Key.
  3. Issue the CA certificate itself using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
  4. Be sure to select SHA-256, since SHA-1 can no longer be considered secure.
  5. Be sure to select [default] CA as the template. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab select our key pair. There you can fill in all the main fields of the certificate.


Creating the key and certificate for the HTTPS server

  1. In the same way, create an RSA-2048 private key for the server; I called it Server Key.
  2. When creating the certificate, choose to have the server certificate signed with the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select [default] HTTPS_server as the template. Click Apply all.
  5. Then on the Subject tab select our key and fill in the required fields.


Creating the key and certificate for the user

  1. The user's private key will be stored on our token. To work with it you need to install the PKCS#11 library from our website. For popular distributions we provide ready-made packages, which are here - https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK - https://www.rutoken.ru/developers/sdk/. Besides the Linux builds there are also builds for macOS, FreeBSD and Android.
  2. Add a new PKCS#11 provider to XCA. To do this, open the Options menu and go to the PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We will need a formatted Rutoken EDS PKI token. Download the rtAdmin utility - https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key on Rutoken EDS PKI as the key type. I called this key Client Key.

  7. Enter the PIN code. Then wait for the hardware generation of the key pair to finish.

  8. Create a certificate for the user in the same way as the server certificate. This time select the [default] HTTPS_client template and don't forget to click Apply all.
  9. On the Subject tab enter the information about the user. Answer yes to the prompt asking whether to save the certificate on the token.

As a result, on the Certificates tab in XCA you should get something like this.

This minimal set of keys and certificates is enough to start configuring the servers themselves.

For the configuration we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the desired entry on the corresponding tab in XCA and click Export.

Nginx

I won't describe how to install and run the nginx server - there are enough articles on this topic on the Internet, not to mention the official documentation. Let's go straight to configuring HTTPS and two-factor authentication using the token.

Add the following lines to the server section in nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all the parameters related to the ssl configuration in nginx can be found here - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I'll briefly describe the ones I set myself:

  • ssl_verify_client - specifies that the chain of trust for the client certificate must be verified.
  • ssl_verify_depth - sets how deep in the chain nginx searches for the trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the client certificate were signed by an intermediate CA, this parameter would have to be set to 2, and so on.
  • ssl_client_certificate - the path to the trusted root certificate, which is used when checking the trust of the client certificate.
  • ssl_certificate/ssl_certificate_key - the paths to the server certificate and its private key.

Don't forget to run nginx -t to check that there are no typos in the configuration, that all the files are in place, and so on.

And that's it! As you can see, the setup is very simple.
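The XCA walkthrough above is a GUI; the article mentions that the same artefacts can be produced with OpenSSL on the command line but does not show it. The script below is an added example (it is not from the article and not Rutoken's code): it builds the root CA, the HTTPS server certificate and a client certificate (RSA-2048, SHA-256, signed by the root) with the OpenSSL CLI, and then runs the check that OpenSSL performs on the server side when ssl_verify_client on (or SSLVerifyClient require in Apache) is set: the presented certificate must chain to the CA named in ssl_client_certificate and be usable for TLS client authentication. It assumes OpenSSL 1.1.1 or newer on PATH. The client key is generated in software purely so the script runs without hardware; on the real deployment that key is generated on the token and never leaves it. All names and the host portal.example are invented.

```shell
#!/bin/sh
# Added example, not from the article: the XCA walkthrough's root CA, server
# and client certificates built with the OpenSSL CLI, plus the server-side
# acceptance check. Assumptions: OpenSSL 1.1.1+; the client key is created in
# software only so this runs without a token; all names are invented.
set -eu

PKI="${PKI:-$(mktemp -d)}"   # working directory for keys and certificates

# RSA-2048 key pair plus self-signed SHA-256 root certificate
# (the "CA Key" and the CA certificate of the walkthrough).
make_root_ca() {             # $1 = base name, $2 = subject CN
  openssl genrsa -out "$PKI/${1}Key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$PKI/${1}Key.pem" -subj "/CN=$2" -out "$PKI/$1.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$PKI/$1.ext"
  openssl x509 -req -sha256 -days 3650 -in "$PKI/$1.csr" -signkey "$PKI/${1}Key.pem" \
    -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}

# End-entity key pair and CSR, signed by the named CA; $4 is the extended key
# usage (serverAuth or clientAuth), $5 an optional extra extension line.
issue_cert() {               # $1 = base name, $2 = CA base name, $3 = CN, $4 = EKU, [$5]
  openssl genrsa -out "$PKI/${1}Key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$PKI/${1}Key.pem" -subj "/CN=$3" -out "$PKI/$1.csr"
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$4"
    [ -z "${5:-}" ] || printf '%s\n' "$5"
  } > "$PKI/$1.ext"
  openssl x509 -req -sha256 -days 365 -in "$PKI/$1.csr" \
    -CA "$PKI/$2.crt" -CAkey "$PKI/${2}Key.pem" -CAcreateserial \
    -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}

build_pki() {
  make_root_ca CA "Example Root CA"
  issue_cert Server CA portal.example serverAuth "subjectAltName=DNS:portal.example"
  issue_cert Client CA "Alice Example" clientAuth
  # A second, unrelated CA: a server that trusts only CA.crt must reject its
  # certificates, however plausible the subject looks.
  make_root_ca RogueCA "Some Other CA"
  issue_cert Rogue RogueCA "Alice Example" clientAuth
}

# The server-side decision: chain to the configured trust anchor (CA.crt)
# with the "sslclient" purpose, which is what OpenSSL applies for a TLS
# server verifying a client. Returns 0 when the certificate would be accepted.
accept_client_cert() {       # $1 = certificate file
  openssl verify -purpose sslclient -CAfile "$PKI/CA.crt" "$1" >/dev/null 2>&1
}

# The article insists on SHA-256: confirm the signature algorithm of a cert.
signed_with_sha256() {       # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'
}

build_pki
for name in Client Rogue Server; do
  if accept_client_cert "$PKI/$name.crt"; then
    echo "$name.crt: accepted as client certificate"
  else
    echo "$name.crt: rejected"
  fi
done
```

Running it prints that Client.crt is accepted while Rogue.crt (wrong issuer) and Server.crt (serverAuth only, so it fails the sslclient purpose) are rejected. The files it leaves in $PKI (CA.crt, Server.crt, ServerKey.pem) are the three exports the nginx and Apache sections above expect; only the CA certificate is placed on the web server for client verification, the CA private key stays offline.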

Checking that it works in Firefox

Since we are doing everything on Linux, we will assume that our users also work on Linux (if they have Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First let's try to log in without the token. We get this picture:

  3. Go to about:preferences#privacy and open Security Devices…
  4. Click Load to add a new PKCS#11 device driver and specify the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, you can open the Certificate Manager. You will be prompted for your PIN. After entering it correctly, you can check on the Your Certificates tab that our certificate from the token has appeared.
  6. Now let's log in with the token. Firefox asks you to choose the certificate to present to the server. Choose our certificate.

  7. PROFIT!

The setup is done once, and as you can see in the certificate request window, we can save our choice. After this, every time we log in to the portal we only need to insert the token and enter the user PIN set during formatting. After such authentication the server already knows which user has logged in, and you don't need to build any additional verification windows; the user can be let straight into their account.

Apache

As with nginx, nobody should have any trouble installing Apache. If you don't know how to install this web server, just use the official documentation.

And we start configuring our HTTPS and two-factor authentication:

  1. First enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the site's HTTPS configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv2
    
        SSLCertificateFile	/etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
    
        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
    
        SSLVerifyClient require
        SSLVerifyDepth  10

    As you can see, the parameter names are very similar to the parameter names in nginx, so I won't explain them. Once again, anyone interested in the details is welcome to consult the documentation. Note that "SSLProtocol all -SSLv2" still leaves SSLv3 and the early TLS versions enabled; on a current deployment restrict it further, for example "SSLProtocol -all +TLSv1.2".
    Now restart our server:

    $ service apache2 reload
    $ service apache2 restart

As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes no more than an hour. Configuring the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and obscure. I hope our article dispels this myth, at least a little.

Would you like instructions for setting up TLS with certificates based on GOST 34.10-2012:

  • Yes, TLS-GOST is very relevant

  • No, working with GOST algorithms is not interesting

Source: www.hab.com