Monday, February 1, 2010

Creating an EON ZFS storage self-signed certificate

Your EON ZFS storage is available with 3 web server options: apache2 (default), lighttpd, and nginx. They ship with a self-signed certificate that I created to simplify configuration and ease getting them started. The proper thing to do is to replace it with your own certificate or to create a self-signed replacement.

Prerequisite(s): This requires the binary kit, or an alternate system with a working openssl, to create your own self-signed certificate.
The "\" means the command is one continuous line. Feel free to experiment and substitute your own arguments for:
days = 3650 (365 x 10, or roughly 10 years)
CN = $HOSTNAME (replace with your own storage hostname)
O = Gibraltar Engineering
OU = EON Secure Certificate
openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout cert.key -out cert.pem \
-subj "/C=US/ST=NY/CN=$HOSTNAME/O=Gibraltar Engineering/OU=EON Secure Certificate"
This will produce two files, cert.key and cert.pem. For Apache2 they are installed and the proper permissions set as follows:
cp cert.pem /etc/apache2/2.2/server.crt
cp cert.key /etc/apache2/2.2/server.key
chmod 400 /etc/apache2/2.2/server.crt
chmod 400 /etc/apache2/2.2/server.key
For lighttpd the pem and key files are concatenated into a single file:
cp cert.pem /your_pool/lighttpd/etc
cat cert.key >> /your_pool/lighttpd/etc/cert.pem
chmod 400 /your_pool/lighttpd/etc/cert.pem
For nginx:
cp cert.pem /your_pool/nginx/conf
cp cert.key /your_pool/nginx/conf
chmod 400 /your_pool/nginx/conf/cert.pem
chmod 400 /your_pool/nginx/conf/cert.key
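The whole procedure above, as an added example that is not the EON project's own code: it generates the certificate with the same subject fields the post uses, stages it for all three web servers in a scratch directory, and then checks what the post's commands leave unchecked: that the private key actually belongs to the certificate, that every staged file ended up mode 0400, and that the lighttpd file carries both PEM blocks. Two choices are mine, not the page's: rsa:2048 instead of rsa:1024 (1024-bit RSA is no longer accepted by current browsers), and a subjectAltName entry, because current clients match the hostname against the SAN rather than the CN. The fallback hostname "eon-storage" and the req.cnf file name are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the EON project). Assumptions of mine:
# rsa:2048 rather than the page's rsa:1024, a subjectAltName entry, and the
# fallback hostname "eon-storage" when neither $HOSTNAME nor hostname(1) exists.
set -eu

CERT_HOST="${HOSTNAME:-$(hostname 2>/dev/null || echo eon-storage)}"
CERT_DAYS=3650   # 365 x 10, as on the page

# write_req_config DIR : an OpenSSL req config carrying the page's subject plus a SAN.
# (Using -config instead of -subj lets us add the extension portably.)
write_req_config() {
    cat > "$1/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[ dn ]
C  = US
ST = NY
CN = ${CERT_HOST}
O  = Gibraltar Engineering
OU = EON Secure Certificate

[ v3_server ]
subjectAltName   = DNS:${CERT_HOST}
extendedKeyUsage = serverAuth
EOF
}

# make_cert DIR : create DIR/cert.key and DIR/cert.pem, readable only by the owner
make_cert() {
    mkdir -p "$1"
    write_req_config "$1"
    openssl req -x509 -nodes -days "$CERT_DAYS" -newkey rsa:2048 \
        -keyout "$1/cert.key" -out "$1/cert.pem" -config "$1/req.cnf" 2>/dev/null
    chmod 400 "$1/cert.key" "$1/cert.pem"
}

# cert_matches_key DIR : the certificate's public key must equal the key's public half
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1/cert.pem")" = \
      "$(openssl pkey -pubout -in "$1/cert.key")" ]
}

# cert_has_san DIR : true when the certificate names CERT_HOST in its SAN
cert_has_san() {
    openssl x509 -noout -text -in "$1/cert.pem" | grep -q "DNS:${CERT_HOST}"
}

# owner_only FILE : true when FILE is exactly mode 0400 (POSIX find -perm is an exact match)
owner_only() {
    [ -n "$(find "$1" -perm 400)" ]
}

# pem_blocks FILE : number of PEM objects in FILE (2 for lighttpd's combined file)
pem_blocks() {
    grep -c -- '-----BEGIN' "$1"
}

# install_apache CERTDIR DEST : apache2 keeps separate server.crt and server.key
install_apache() {
    cp "$1/cert.pem" "$2/server.crt"
    cp "$1/cert.key" "$2/server.key"
    chmod 400 "$2/server.crt" "$2/server.key"
}

# install_lighttpd CERTDIR DEST : lighttpd wants certificate then key in one PEM file
install_lighttpd() {
    cat "$1/cert.pem" "$1/cert.key" > "$2/cert.pem"
    chmod 400 "$2/cert.pem"
}

# install_nginx CERTDIR DEST : nginx takes the two files as generated
install_nginx() {
    cp "$1/cert.pem" "$1/cert.key" "$2/"
    chmod 400 "$2/cert.pem" "$2/cert.key"
}

# Stand-alone run: build everything under a temporary directory and report.
main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to do" >&2
        return 0
    fi
    tmp="$(mktemp -d)"
    make_cert "$tmp/certs"
    mkdir -p "$tmp/apache2" "$tmp/lighttpd" "$tmp/nginx"
    install_apache   "$tmp/certs" "$tmp/apache2"
    install_lighttpd "$tmp/certs" "$tmp/lighttpd"
    install_nginx    "$tmp/certs" "$tmp/nginx"
    cert_matches_key "$tmp/certs" && echo "key matches certificate"
    cert_has_san     "$tmp/certs" && echo "SAN present for ${CERT_HOST}"
    for f in apache2/server.key lighttpd/cert.pem nginx/cert.key; do
        owner_only "$tmp/$f" && echo "$f is mode 0400"
    done
    openssl x509 -noout -subject -dates -in "$tmp/certs/cert.pem"
    rm -rf "$tmp"
}
main
```

Run it as the user that owns the web server configuration; the permission checks use find -perm with an exact mode, so a file left 0600 or 0644 by an umask or a stray cp -p is reported rather than silently accepted. On a real EON box you would point the install_* destinations at /etc/apache2/2.2, /your_pool/lighttpd/etc and /your_pool/nginx/conf as in the post.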

8 comments:

Bob Snodgrass said...

I haven't tested the examples but I think I see an issue or two -
In the lighttpd example I think the second line (if the files are to be concatenated) should end in "cert.pem", not "cert.pm". In the nginx cp example I think the second line should end with a "/".

Andre Lue said...

Hi Bob,

Thanks for the cert.pm catch. It's been corrected. The cp example can end with or without the "/", I removed them for consistency.

Thanks

zhangyibin said...

I've used EON for two months. Thanks for your excellent work! One question: how can I add PHP/Python to EON?

Andre Lue said...

Zhangyibin,

Couple of ways:
1. Add the packages and dependencies to the bin-pkg.list and build your own binary kit. The script can be found in the downloads section. Requires SXCE packages and root access on a SXCE system.

2. Compile them with prefix /usr/local and copy the binaries over. Requires an OpenSolaris system with a working gcc compiler.

zhangyibin said...

Hi Andre,

A small problem in "updimg.sh": after "gzip -f -9 -c ...", you run "gzip -v -t ..." to verify the new gzipped image, but actually it verifies the image in pagecache so it's no use doing this. Am I right?

Andre Lue said...

zhangyibin,

It verifies the integrity of the updated gzip'ed image. The image location being USB/CF/writable media, not pagecache. It's an extra step but it does serve a purpose.

zhangyibin said...

I mean UFS uses memory to cache data, so when gzip verifies the image in whatever media, it's the cached data in memory that it verifies, not the data on media.

Sorry for my poor English :)

Andre Lue said...

zhangyibin,

I am not clear if you're saying UFS or gzip is responsible for caching the data. gzip has been known to cache but I do not understand your concern.

If the gzip data was in cache it would eventually get flushed to media (assuming a crash does not occur before) and the integrity test will have done its job to indicate success or failure.

You can also turn on the forcedirectio mount option on UFS to eliminate caching.

The gzip integrity test can also be disabled by editing updimg.sh.