M Web Server/Enabling TLS

From VistApedia
Revision as of 12:24, 7 May 2018 by DavidWhitten (talk | contribs)
Here's how to turn on TLS on GT.M/YDB: There is precious little documentation on doing it:

 1. As root, go to the install dir of GT.M/YDB, then plugin, then gtmcrypt:
  cd $gtm_dist/plugin/gtmcrypt

 2. Extract source.tar:
 tar x < source.tar

 3. You will need to compile some files. Before doing that, make sure
 the openssl-dev, libconfig-dev, and gpgme-dev libraries are installed.

 You may need more, but that's what I figured out right now.

 4. Log in to the root account (to allow installing of libraries).

 5. Define the gtm_dist environment variable, then call a simple make:
   gtm_dist=../.. make

 6. Define the gtm_dist environment variable, then call make install to install the libraries:
   gtm_dist=../.. make install

  Log out of root and go back to your application directory, then create a certs directory:
   mkdir certs

 7. Create your certificate with a key that has a password. I know from
 previous interaction with the GT.M developers that they don't allow
 passwordless keys for business reasons. Here is how I did it, but
 you may already have a certificate. I moved all the files into a cert
 directory after this.

 # openssl genrsa -aes128 -passout pass:monkey1234 -out ./mycert.key 2048
 # openssl req -new -key ./mycert.key -passin pass:monkey1234 -subj '/C=US/ST=Washington/L=Seattle/CN=www.smh101.com' -out ./mycert.csr
 # openssl req -x509 -days 365 -sha256 -in ./mycert.csr -key ./mycert.key -passin pass:monkey1234 -out ./mycert.pem
 # mv ./mycert.* certs/

 8. Create a file (the name doesn't matter; here it is called
 gtmcrypt_config.libconfig) with the following contents. Note the
 section called dev. This can be called anything. It lets you put a
 cert/key pair for each environment you need to configure.

  tls: {
    dev: {
      format: "PEM";
      cert: "/home/sam/workspace/db/foia201712/certs/mycert.pem";
      key:  "/home/sam/workspace/db/foia201712/certs/mycert.key";
    };
  };

 9. In the file that sets up your GT.M environment, set the env
 variable gtmcrypt_config to the path of your config file:
  export gtmcrypt_config="$vista_home/gtmcrypt_config.libconfig"

 10. Find out the hash of your key password using the maskpass utility.
 For example, for me it's:
  $gtm_dist/plugin/gtmcrypt/maskpass <<< 'monkey1234' | cut -d ":" -f2 | tr -d ' '
  7064420FDCAEE313B222

 11. In your environment file, set gtmtls_passwd_{section name} to that hash.
  For me (Sam Habiel), it's:
  export gtmtls_passwd_dev="7064420FDCAEE313B222"

 12. Start the M Web server with the config name ("dev") like this:
  D JOB^VPRJREQ(9081,"dev")

 At this point, if you go to your browser and type the address
  https://localhost:9081
 you should be able to see the web pages via TLS.
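A pre-flight script for the setup above, added here as an example (it is not from the wiki page or the M Web Server project): it reads the cert and key paths of one section out of the libconfig file from step 8, confirms the key is password-protected (as the GT.M developers require) and not group/world readable, and confirms the gtmtls_passwd_<section> variable from step 11 is set. It assumes the libconfig layout shown above and a GNU or BSD stat.

```shell
#!/bin/sh
# Pre-flight checks for the TLS setup above (added example, not from the wiki
# page). Assumes the libconfig layout shown in step 8:
#   tls: { <section>: { format: "PEM"; cert: "..."; key: "..."; }; };
# and the gtmtls_passwd_<section> variable from step 11.

# Print the cert or key path of one section. Usage: tls_path CONFIG SECTION cert|key
tls_path() {
    awk -v sec="$2" -v field="$3" '
        $1 == (sec ":") && $2 == "{" { insec = 1; next }
        insec && $1 ~ /^};?$/          { insec = 0 }
        insec && $1 == (field ":")     { gsub(/[";]/, "", $2); print $2; exit }
    ' "$1"
}

# Succeed only if the PEM key is password-protected, in either the legacy
# "Proc-Type: 4,ENCRYPTED" form (openssl genrsa -aes128 on OpenSSL 1.x) or
# the PKCS#8 "ENCRYPTED PRIVATE KEY" form (OpenSSL 3.x).
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeed only if group and others have no permission bits on the key file.
key_mode_ok() {
    case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run every check for one section, e.g. tls_preflight "$gtmcrypt_config" dev
tls_preflight() {
    cfg=$1; sec=$2
    cert=$(tls_path "$cfg" "$sec" cert)
    key=$(tls_path "$cfg" "$sec" key)
    [ -r "$cert" ] || { echo "$sec: cert not readable: $cert"; return 1; }
    [ -r "$key" ]  || { echo "$sec: key not readable: $key"; return 1; }
    key_is_encrypted "$key" || { echo "$sec: key is not password-protected"; return 1; }
    key_mode_ok "$key"      || { echo "$sec: key is readable by group/others"; return 1; }
    eval "pw=\${gtmtls_passwd_$sec:-}"
    [ -n "$pw" ] || { echo "$sec: gtmtls_passwd_$sec is not set"; return 1; }
    echo "$sec: ok"
}
```

Run it from the environment file after the exports in steps 9 and 11; a non-zero exit tells you which of the three requirements the section fails before you start the server.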