Colleagues, we have been asked to write instructions for the popular web servers on Linux, nginx and Apache.
What do you need to get started?
- Any modern Linux distribution. I did the test setup on MX Linux 18.2_x64. This is not a server distribution, but it is unlikely to differ from Debian in any way that matters. On other distributions the paths to the libraries and configuration files may differ slightly.
- A token. We continue to use the Rutoken EDS PKI model, which is well suited to corporate use because of its speed characteristics.
- To work with the token on Linux, you need to install the following packages:
libccid libpcsclite1 pcscd pcsc-tools opensc
Issuing certificates
In previous articles we relied on the server and client certificates being issued by a Microsoft CA. But since we are setting everything up on Linux, we will also describe another way to issue these certificates, without leaving Linux.
We will use XCA as the CA (
Getting started
- Install:
$ apt-get install xca
- And run:
$ xca
- Create our CA database: /root/CA.xdb
We recommend keeping the Certificate Authority database in a directory that only the administrator can access. This matters because it protects the private keys of the root certificates, which are used to sign all the other certificates.
Creating the root CA key and certificate
A public key infrastructure (PKI) is built on a hierarchy. The main element of that hierarchy is the root certificate authority, or root CA. Its certificate must be created first.
- Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and choose the appropriate type.
- Give the new key pair a name. I called it CA Key.
- Issue the CA certificate itself using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
- Be sure to choose SHA-256, since SHA-1 is no longer considered secure.
- Be sure to choose [default] CA as the template. Do not forget to click Apply all, otherwise the template is not applied.
- On the Subject tab, choose our key pair. There you can also fill in all the main fields of the certificate.
Creating the key and certificate for the HTTPS server
- In the same way, create an RSA-2048 private key for the server; I called it Server Key.
- When creating the certificate, choose to sign the server certificate with the CA certificate.
- Do not forget to choose SHA-256.
- Choose [default] HTTPS_server as the template. Click Apply all.
- Then, on the Subject tab, choose our key and fill in the required fields.
Creating the user's key and certificate
- The user's private key will be stored on our token. To work with it you need to install the PKCS#11 library from our website. For popular distributions we ship ready-made packages, available here: https://www.rutoken.ru/support/download/pkcs/ . We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK: https://www.rutoken.ru/developers/sdk/ . Besides the Linux builds there are also builds for macOS, FreeBSD and Android.
- Add the PKCS#11 provider to XCA. To do this, open the Options menu and go to the PKCS#11 Provider tab.
- Click Add and choose the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
- We will need a formatted Rutoken EDS PKI token. Download the rtAdmin utility: https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
- Run:
$ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
- Choose Rutoken EDS PKI RSA-2048 as the key type. I named this key Client Key.
- Enter the PIN code and wait for the on-token generation of the key pair to finish.
- Create the user certificate the same way as the server certificate. This time choose the [default] HTTPS_client template and do not forget to click Apply all.
- On the Subject tab, enter the user's details. Answer yes when asked whether to store the certificate on the token.
As a result, the Certificates tab in XCA should show something like this.
This minimal set of keys and certificates is enough to start configuring the servers themselves.
To do that we need to export the CA certificate, the server certificate and the server's private key.
Select the entry you need on the corresponding XCA tab and click Export.
Nginx
I will not describe how to install and run nginx; there are plenty of articles on the subject online, not to mention the official documentation. Let us go straight to setting up HTTPS and two-factor authentication with the token.
Add the following lines to the server section of nginx.conf:
server {
    listen 443 ssl;
    ssl_verify_depth 1;
    ssl_certificate /etc/nginx/Server.crt;
    ssl_certificate_key /etc/nginx/ServerKey.pem;
    ssl_client_certificate /etc/nginx/CA.crt;
    ssl_verify_client on;
}
A detailed description of every parameter related to SSL configuration in nginx can be found here -
I will briefly describe only those I set myself:
- ssl_verify_client - specifies that the client certificate's chain of trust must be verified.
- ssl_verify_depth - sets how deep nginx looks for the trusted root certificate in the chain. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user certificate is signed by an intermediate CA, this parameter must be 2, and so on.
- ssl_client_certificate - the path to the trusted root certificate used to check that the user certificate is trusted.
- ssl_certificate/ssl_certificate_key - the paths to the server certificate and its private key.
Do not forget to run nginx -t to check that the configuration has no typos, that all the files are where they should be, and so on.
And that's it! As you can see, the setup is very simple.
Checking that it works in Firefox
Since we are doing everything entirely on Linux, we will assume that our users also work on Linux (if they use Windows, then
- Start Firefox.
- First, try to log in without the token. We get this picture:
- Go to about:preferences#privacy and then to Security Devices...
- Click Load, add a new PKCS#11 Device Driver and specify the path to our librtpkcs11ecp.so.
- To check that the certificate is visible, open the Certificate Manager. You will be asked for the PIN. After entering it correctly, check that our certificate from the token has appeared on the Your Certificates tab.
- Now try with the token. Firefox asks you to choose the certificate to present to the server. Choose our certificate.
- PROFIT!
The setup is done once, and, as you can see in the certificate prompt, the choice can be remembered. After that, each time we log in to the portal we only need to insert the token and enter the user PIN set during formatting. After such authentication the server already knows which user has logged in and does not need to show any further verification dialogs; it lets the user straight into their personal account.
Apache
As with nginx, nobody should have trouble installing Apache. If you do not know how to install this web server, just follow the official documentation.
Now let us set up our HTTPS and two-factor authentication:
- First, enable mod_ssl:
$ a2enmod ssl
- Then enable the default HTTPS site configuration:
$ a2ensite default-ssl
- Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/sites-enabled/Server.crt
SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
SSLVerifyClient require
SSLVerifyDepth 10
As you can see, the parameter names almost exactly match those in nginx, so I will not explain them; anyone interested in the details is welcome to consult the documentation.
Now reload and restart the server:
$ service apache2 reload
$ service apache2 restart
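The nginx directives above and the Apache directives in this section configure one and the same mechanism: the server presents Server.crt, demands a certificate from the client, and admits the client only if that certificate chains to CA.crt. The following Go program is an added example, not code from the article or from Rutoken. It reproduces the setup in memory: a root CA, a server certificate and a client certificate (all RSA-2048 and SHA-256, as in the XCA steps), then a test HTTPS server whose ClientAuth setting is the equivalent of ssl_verify_client on / SSLVerifyClient require, and finally two connections, one with the client certificate and one without. The names Demo Root CA and alice and the loopback address are constructed for the example; in the real deployment the client key lives on the token behind the PKCS#11 library instead of in process memory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template mirrors the XCA presets used on the page: [default] CA for the root,
// [default] HTTPS_server / HTTPS_client for the leaves (eku is ignored for a CA).
func template(serial int64, cn string, isCA bool, eku x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		SignatureAlgorithm:    x509.SHA256WithRSA, // SHA-256, not SHA-1, as the page insists
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	return t
}

// issue generates an RSA-2048 key pair and signs tmpl with parentKey.
// A nil parent means self-signed, which is how the root CA certificate is made.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// mtlsDemo builds the CA, server and client certificates in memory, starts an HTTPS server
// that admits only clients whose certificate chains to that CA, and connects with and without it.
func mtlsDemo() (greeting string, anonymousRejected bool) {
	caCert, caKey := issue(template(1, "Demo Root CA", true, 0), nil, nil) // constructed CA name
	srvTmpl := template(2, "127.0.0.1", false, x509.ExtKeyUsageServerAuth)
	srvTmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // SAN for the loopback listener
	srvCert, srvKey := issue(srvTmpl, caCert, caKey)
	cliCert, cliKey := issue(template(3, "alice", false, x509.ExtKeyUsageClientAuth), caCert, caKey)

	trusted := x509.NewCertPool() // plays the role of the exported CA.crt
	trusted.AddCert(caCert)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake has already verified the user; the application only reads the subject.
		io.WriteString(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}, // Server.crt + ServerKey.pem
		ClientAuth:   tls.RequireAndVerifyClientCert, // ssl_verify_client on / SSLVerifyClient require
		ClientCAs:    trusted,                        // ssl_client_certificate / SSLCACertificateFile
		MinVersion:   tls.VersionTLS12,               // stricter than "SSLProtocol all -SSLv2", which drops SSLv2 only
	}
	srv.StartTLS()
	defer srv.Close()

	withCert := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      trusted,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
	}}}
	resp, err := withCert.Get(srv.URL)
	must(err)
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	must(err)

	// A client that trusts the CA but presents no certificate: the "without token" case.
	anonymous := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: trusted}}}
	resp2, err := anonymous.Get(srv.URL)
	if err == nil {
		resp2.Body.Close()
	}
	return string(body), err != nil
}

func main() {
	greeting, rejected := mtlsDemo()
	fmt.Println("with certificate:", greeting, "| without certificate rejected:", rejected)
}
```

Run it with go run and the first client is greeted as alice while the second fails at the TLS layer before any HTTP handler runs, which is exactly the behaviour the Firefox test below shows: the identity comes out of the handshake, so the application never needs a second login form. The MinVersion line is deliberately tighter than the Apache snippet's SSLProtocol all -SSLv2, which excludes only SSLv2.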
As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes an hour at most, and setting up the browsers takes about five minutes. Many people think that setting up and working with two-factor authentication is difficult and obscure. I hope our article dispels that myth, at least a little.
Do you need instructions for setting up TLS with certificates per GOST 34.10-2012?
- Yes, TLS-GOST is very much needed
- No, fiddling with GOST algorithms is not interesting
Source: www.habr.com