NextTypes Software Installation
These installation instructions are for the Debian GNU/Linux 12 Bookworm operating system; other operating systems may require different actions for some of the steps. Some packages must be installed from the Unstable (sid) distribution, so its repository must be added to the /etc/apt/sources.list configuration file. Keep the use of sid to the packages that actually need it (the commands below install them with -t unstable), because their dependencies may be pulled from sid as well.
deb http://ftp.es.debian.org/debian/ sid main
It is also necessary to set repository preferences in the /etc/apt/preferences file so that packages from stable are preferred over those from unstable.
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=unstable
Pin-Priority: 800
Once configured we can update the list of packages.
# apt-get update
Authentication
The system has two authentication modes: certificates and passwords. When the system is installed, the admin user is created with the password "Admin#44" and the certificate "CN=Admin,O=NextTypes" assigned to it. Because this default is public, the first thing to do is to change the password, or remove it and assign the user a valid certificate. When a user is created they can be assigned a password and/or several certificates. Passwords must be at least 8 characters long and contain uppercase letters, lowercase letters, digits and special characters. The admin user belongs to the administrators group, which has permission to perform system administration tasks.
Certificate Authority
As one of the authentication mechanisms is X.509 digital certificates, it is necessary to have certificates, at least for the servers, signed by a Certificate Authority (CA). Their use is also recommended for users.
If no certificates or CA are available, a CA and the necessary certificates can be created using OpenSSL. The computer used for the CA must be different from the servers and from the users' computers, preferably without a network connection and with access as restricted as possible, since anyone who obtains the CA private key can issue certificates that the system will accept.
OpenSSL Installation
If OpenSSL is not installed yet you can install it with the following command:
# apt-get install openssl
OpenSSL Configuration
Once OpenSSL is installed the CA directory is prepared with the following commands:
# cd /etc/ssl
# mkdir -m 700 ca
# cd ca
# mkdir private newcerts
# touch index.txt
# echo "01" > serial
The private directory stores the private keys (it should be readable only by root), newcerts the certificates created, index.txt an index of the issued certificates and serial the serial number to use for the next certificate.
The next step is to modify the /etc/ssl/openssl.cnf configuration file to assign the created directory to the CA.
[ CA_default ]
dir = /etc/ssl/ca
The size of the private keys must be set to at least 2048 bits.
[ req ]
default_bits = 2048
CA certificate and private key
After configuring OpenSSL it is necessary to create the certificate and private key of the CA with the following command:
# openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
During creation the program asks for a password for the private key and information about the organization that manages the CA (country code, state, locality, organization, department, internet address and email).
Generating a RSA private key
.....+++++
................................+++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Madrid
Locality Name (eg, city) []:Madrid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NextTypes Project
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:NextTypes CA
Email Address []:admin@nexttypes.com
At the end the certificate is found in the cacert.pem file and the private key in the private/cakey.pem file. We can check the data of the certificate created with the following command:
# openssl x509 -in cacert.pem -text
The output of the program shows a description of the certificate and the certificate itself between the labels -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:96:d9:d5:60:1a:b9:35:08:4d:77:cd:03:52:7b:d1:51:2a:23:4b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Madrid, L = Madrid, O = NextTypes Project, CN = NextTypes CA, emailAddress = admin@nexttypes.com
        Validity
            Not Before: Nov 16 20:20:23 2020 GMT
            Not After : Nov 14 20:20:23 2030 GMT
        Subject: C = ES, ST = Madrid, L = Madrid, O = NextTypes Project, CN = NextTypes CA, emailAddress = admin@nexttypes.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b8:b1:19:35:b1:a5:5b:6b:83:2d:c1:dd:b4:ab:
                    cd:d1:ea:e6:a0:67:2b:bc:2e:bb:72:28:a7:76:e0:
                    c4:87:17:bb:91:f7:33:d8:59:4c:87:c4:9d:39:f4:
                    02:9a:cb:7f:89:61:12:e1:7e:bb:d3:b3:84:32:c9:
                    96:f4:85:99:16:1a:a4:1d:ec:60:25:d0:27:4c:87:
                    d4:f4:ab:c4:93:1a:19:95:73:72:8a:fc:b6:de:f4:
                    3b:b4:09:a8:b1:2b:0b:fc:b2:7e:ff:0d:98:07:3b:
                    4a:3f:dc:8d:73:63:c9:0b:b2:6a:4a:11:c7:9e:74:
                    46:5e:4c:f4:20:f7:1a:29:1d:83:44:6f:25:64:12:
                    eb:4b:1d:91:64:c0:5a:8e:5b:f0:c3:27:9a:7e:fa:
                    c2:34:79:45:32:78:25:b8:74:23:21:76:4a:11:3c:
                    c4:28:ee:39:d0:e2:c0:c8:68:6b:83:da:e2:fb:76:
                    0e:52:d9:3c:54:69:53:3e:40:8c:de:f8:a8:d6:c7:
                    41:ac:d6:9b:b5:58:19:0e:28:b4:64:7a:09:61:2b:
                    fd:98:d1:ae:d7:fe:4e:1f:62:d3:ab:5e:fe:3e:99:
                    d0:ec:4f:ca:32:6e:82:fc:df:ea:94:d8:64:f7:f9:
                    8e:e6:13:1a:7a:3c:5e:c7:d2:cc:6c:b7:42:e6:d0:
                    79:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                55:45:97:F3:E0:71:DF:3F:39:19:DA:5E:34:76:41:70:36:9E:FE:0D
            X509v3 Authority Key Identifier: 
                keyid:55:45:97:F3:E0:71:DF:3F:39:19:DA:5E:34:76:41:70:36:9E:FE:0D
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         1d:b5:75:0a:84:10:c3:55:03:cb:28:6e:e3:ab:1d:3f:2a:7b:
         c8:32:5d:07:4a:b6:9f:de:de:0b:23:d0:f5:04:d8:1a:ec:25:
         1a:02:7e:2c:4b:8c:a3:94:65:56:c6:4d:e7:55:fb:f1:c9:31:
         54:5d:a7:d0:b7:95:8e:db:31:26:9f:0a:73:bb:ba:90:4c:a4:
         6b:3f:75:5d:de:f1:7b:04:33:80:3c:be:58:a3:6e:c9:30:cf:
         d9:98:df:4f:27:46:cf:34:cd:49:2a:a6:56:bb:84:53:d3:f5:
         c0:0a:de:4d:34:f3:44:e1:8c:bb:f0:9d:69:6d:e5:dc:91:39:
         c7:ca:b0:0f:fe:d5:4c:f8:0a:51:1d:cf:50:11:28:2a:0b:6a:
         35:0f:74:1b:ba:05:61:ae:87:95:38:42:51:b8:1b:e2:ff:82:
         c9:aa:04:a5:da:7a:75:4c:d0:34:a0:38:8d:66:69:69:d5:ed:
         11:f1:1e:9d:a4:3c:05:03:d9:5b:11:61:b8:6a:a7:99:ca:19:
         ca:8b:22:d8:a2:c5:da:d8:41:31:5f:5e:9c:0e:76:0e:b4:e1:
         2d:fd:70:a1:4d:bb:0f:76:56:17:ca:9c:40:6c:9b:8e:5e:01:
         dd:5a:51:7b:61:4c:dc:41:2d:45:0a:c1:fc:da:d8:3c:ea:ba:
         17:71:0f:af
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIUPpbZ1WAauTUITXfNA1J70VEqI0swDQYJKoZIhvcNAQEL
BQAwgYYxCzAJBgNVBAYTAkVTMQ8wDQYDVQQIDAZNYWRyaWQxDzANBgNVBAcMBk1h
ZHJpZDEaMBgGA1UECgwRTmV4dFR5cGVzIFByb2plY3QxFTATBgNVBAMMDE5leHRU
eXBlcyBDQTEiMCAGCSqGSIb3DQEJARYTYWRtaW5AbmV4dHR5cGVzLmNvbTAeFw0y
MDExMTYyMDIwMjNaFw0zMDExMTQyMDIwMjNaMIGGMQswCQYDVQQGEwJFUzEPMA0G
A1UECAwGTWFkcmlkMQ8wDQYDVQQHDAZNYWRyaWQxGjAYBgNVBAoMEU5leHRUeXBl
cyBQcm9qZWN0MRUwEwYDVQQDDAxOZXh0VHlwZXMgQ0ExIjAgBgkqhkiG9w0BCQEW
E2FkbWluQG5leHR0eXBlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC4sRk1saVba4Mtwd20q83R6uagZyu8LrtyKKd24MSHF7uR9zPYWUyHxJ05
9AKay3+JYRLhfrvTs4QyyZb0hZkWGqQd7GAl0CdMh9T0q8STGhmVc3KK/Lbe9Du0
CaixKwv8sn7/DZgHO0o/3I1zY8kLsmpKEceedEZeTPQg9xopHYNEbyVkEutLHZFk
wFqOW/DDJ5p++sI0eUUyeCW4dCMhdkoRPMQo7jnQ4sDIaGuD2uL7dg5S2TxUaVM+
QIze+KjWx0Gs1pu1WBkOKLRkeglhK/2Y0a7X/k4fYtOrXv4+mdDsT8oyboL83+qU
2GT3+Y7mExp6PF7H0sxst0Lm0HmLAgMBAAGjUzBRMB0GA1UdDgQWBBRVRZfz4HHf
PzkZ2l40dkFwNp7+DTAfBgNVHSMEGDAWgBRVRZfz4HHfPzkZ2l40dkFwNp7+DTAP
BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAdtXUKhBDDVQPLKG7j
qx0/KnvIMl0HSraf3t4LI9D1BNga7CUaAn4sS4yjlGVWxk3nVfvxyTFUXafQt5WO
2zEmnwpzu7qQTKRrP3Vd3vF7BDOAPL5Yo27JMM/ZmN9PJ0bPNM1JKqZWu4RT0/XA
Ct5NNPNE4Yy78J1pbeXckTnHyrAP/tVM+ApRHc9QESgqC2o1D3QbugVhroeVOEJR
uBvi/4LJqgSl2np1TNA0oDiNZmlp1e0R8R6dpDwFA9lbEWG4aqeZyhnKiyLYosXa
2EExX16cDnYOtOEt/XChTbsPdlYXypxAbJuOXgHdWlF7YUzcQS1FCsH82tg86roX
cQ+v
-----END CERTIFICATE-----
Private keys and requests for certificates for servers and users
Once the CA is configured the next step is to create the certificates for the servers and users. This can be done through a CSR (Certificate Signing Request) created with OpenSSL.
If a private key is not already available, one must be created on the server or on the user's computer with the following command:
# openssl genrsa -out privkey.pem 2048
The private key can be encrypted using an algorithm like AES by adding the -aes256 parameter. The next step is to use the private key to create a certificate request using the following command:
# openssl req -new -key privkey.pem -out certrequest.csr -utf8
The program asks for the information to be entered in the certificate, such as the country code or the state. The Common Name must be the DNS name (FQDN) of the server in the case of servers, and the name and surname in the case of a user. The -utf8 parameter allows non-ASCII characters to be used in the Common Name. Note that browsers such as Chrome (since version 58) match the host name against the subjectAltName extension and ignore the Common Name, so a server certificate that will be used from a browser should also carry a subjectAltName with the same DNS name; with the default openssl.cnf neither the request nor the openssl ca command adds one.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Madrid
Locality Name (eg, city) []:Madrid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NextTypes Project
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:demo.nexttypes.com
Email Address []:admin@nexttypes.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
At the end, the private key is in the privkey.pem file and the certificate request in the certrequest.csr file. Only the certificate request is sent to the CA computer to be signed; the private key never leaves the machine on which it was generated.
Certificate signing by the CA
The previously created certificate request must be signed by the CA with the following command:
# openssl ca -in certrequest.csr -out cert.pem
The program asks for the password of the CA private key, displays the certificate request data and asks for confirmation to sign it and add it to the certificate database.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/ca/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 16 20:24:08 2020 GMT
            Not After : Nov 16 20:24:08 2021 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = Madrid
            organizationName          = NextTypes Project
            commonName                = demo.nexttypes.com
            emailAddress              = admin@nexttypes.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C2:D8:A7:80:FC:CF:12:1D:69:85:6A:A4:AB:6B:31:77:B2:00:C1:CA
            X509v3 Authority Key Identifier: 
                keyid:55:45:97:F3:E0:71:DF:3F:39:19:DA:5E:34:76:41:70:36:9E:FE:0D

Certificate is to be certified until Nov 16 20:24:08 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The signed certificate is saved in the cert.pem file and in the certificates database of the CA. The file contains a text description of the certificate and the certificate itself between the labels -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Madrid, L = Madrid, O = NextTypes Project, CN = NextTypes CA, emailAddress = admin@nexttypes.com
        Validity
            Not Before: Nov 16 20:24:08 2020 GMT
            Not After : Nov 16 20:24:08 2021 GMT
        Subject: C = ES, ST = Madrid, O = NextTypes Project, CN = demo.nexttypes.com, emailAddress = admin@nexttypes.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ad:46:2c:58:18:24:af:73:e7:8b:62:ae:74:bc:
                    58:7a:ad:93:25:30:09:a1:e1:8b:a1:b1:81:f8:2d:
                    08:52:96:6c:b8:78:21:00:24:dd:17:b3:be:20:0d:
                    77:c2:2e:14:5c:29:56:d6:49:d5:29:98:a5:80:9b:
                    75:30:c0:e7:e7:13:a1:55:cb:13:27:89:2a:03:8a:
                    8a:7c:5c:73:8d:82:d7:7f:15:8b:c7:27:0a:14:51:
                    79:2b:17:a6:d6:03:d2:4b:1e:41:47:19:b6:f4:a0:
                    3b:c6:7a:91:71:55:e0:6c:57:ba:fb:23:11:67:e8:
                    f3:a7:d4:18:64:20:bb:09:15:76:31:ff:89:e0:fb:
                    e4:b6:0d:2b:8a:c2:e4:e0:43:2b:52:5e:32:41:ce:
                    62:d3:61:1c:c5:c3:f3:a4:e1:ae:e5:c5:4e:6f:e8:
                    f9:d5:69:c6:46:3c:f9:39:cd:b7:b7:ed:ae:91:6a:
                    b7:6d:f6:d6:9b:38:5a:ad:9c:2c:87:e9:67:10:3a:
                    bf:ca:63:72:db:78:db:c7:00:d6:b1:34:8c:59:fa:
                    37:01:8f:ea:4a:ec:31:4d:62:93:9a:61:be:d3:e6:
                    c6:cc:79:6c:73:59:50:d1:8f:84:99:72:5d:fa:03:
                    9d:23:c2:50:f9:68:50:95:31:13:a9:fe:e2:d8:db:
                    1d:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C2:D8:A7:80:FC:CF:12:1D:69:85:6A:A4:AB:6B:31:77:B2:00:C1:CA
            X509v3 Authority Key Identifier: 
                keyid:55:45:97:F3:E0:71:DF:3F:39:19:DA:5E:34:76:41:70:36:9E:FE:0D
    Signature Algorithm: sha256WithRSAEncryption
         14:8a:8a:b9:a1:18:38:d9:a7:c1:a3:85:df:e0:f0:60:3f:10:
         73:8f:78:f7:25:0b:30:61:f9:10:f6:7e:07:a7:b3:50:69:d2:
         ba:ea:3f:59:b7:e6:2d:1f:15:6c:dc:aa:4c:83:30:4e:7e:03:
         59:94:1f:b7:63:6a:0a:79:0b:cb:2c:64:af:49:86:64:da:f0:
         4b:9d:4c:08:f1:a8:18:38:da:43:a7:47:b2:85:5b:ab:36:be:
         1a:b5:b4:b6:7e:f0:47:de:8e:4f:ef:28:ad:b9:80:da:c2:2d:
         97:5e:7f:2f:46:ac:f2:24:c8:4a:a4:c2:01:3d:d6:a1:cc:64:
         01:0b:2f:88:6c:db:52:ef:6f:a3:32:60:9a:81:88:41:82:92:
         1b:de:c6:8f:79:fd:10:60:17:e9:6e:86:1a:9f:05:50:dc:8b:
         58:c0:7f:db:55:4d:2b:c2:24:be:20:7b:ab:82:52:2a:bc:47:
         7e:13:3f:ab:86:ec:1a:6d:e7:5f:cb:6e:90:a6:91:e3:90:fa:
         6a:d4:32:1e:df:2d:bd:12:64:bd:0e:89:d6:db:39:c9:70:53:
         7a:2a:7a:82:15:95:e9:17:91:86:51:a5:7a:15:a5:87:04:ba:
         1c:54:ea:f8:b1:fc:64:e8:fb:33:0e:f7:c3:c6:ea:24:6f:d0:
         a4:6a:28:75
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCRVMx
DzANBgNVBAgMBk1hZHJpZDEPMA0GA1UEBwwGTWFkcmlkMRowGAYDVQQKDBFOZXh0
VHlwZXMgUHJvamVjdDEVMBMGA1UEAwwMTmV4dFR5cGVzIENBMSIwIAYJKoZIhvcN
AQkBFhNhZG1pbkBuZXh0dHlwZXMuY29tMB4XDTIwMTExNjIwMjQwOFoXDTIxMTEx
NjIwMjQwOFowezELMAkGA1UEBhMCRVMxDzANBgNVBAgMBk1hZHJpZDEaMBgGA1UE
CgwRTmV4dFR5cGVzIFByb2plY3QxGzAZBgNVBAMMEmRlbW8ubmV4dHR5cGVzLmNv
bTEiMCAGCSqGSIb3DQEJARYTYWRtaW5AbmV4dHR5cGVzLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAK1GLFgYJK9z54tirnS8WHqtkyUwCaHhi6Gx
gfgtCFKWbLh4IQAk3RezviANd8IuFFwpVtZJ1SmYpYCbdTDA5+cToVXLEyeJKgOK
inxcc42C138Vi8cnChRReSsXptYD0kseQUcZtvSgO8Z6kXFV4GxXuvsjEWfo86fU
GGQguwkVdjH/ieD75LYNK4rC5OBDK1JeMkHOYtNhHMXD86ThruXFTm/o+dVpxkY8
+TnNt7ftrpFqt2321ps4Wq2cLIfpZxA6v8pjctt428cA1rE0jFn6NwGP6krsMU1i
k5phvtPmxsx5bHNZUNGPhJlyXfoDnSPCUPloUJUxE6n+4tjbHd0CAwEAAaN7MHkw
CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
dGlmaWNhdGUwHQYDVR0OBBYEFMLYp4D8zxIdaYVqpKtrMXeyAMHKMB8GA1UdIwQY
MBaAFFVFl/Pgcd8/ORnaXjR2QXA2nv4NMA0GCSqGSIb3DQEBCwUAA4IBAQAUioq5
oRg42afBo4Xf4PBgPxBzj3j3JQswYfkQ9n4Hp7NQadK66j9Zt+YtHxVs3KpMgzBO
fgNZlB+3Y2oKeQvLLGSvSYZk2vBLnUwI8agYONpDp0eyhVurNr4atbS2fvBH3o5P
7yituYDawi2XXn8vRqzyJMhKpMIBPdahzGQBCy+IbNtS72+jMmCagYhBgpIb3saP
ef0QYBfpboYanwVQ3ItYwH/bVU0rwiS+IHurglIqvEd+Ez+rhuwabedfy26QppHj
kPpq1DIe3y29EmS9DonW2znJcFN6KnqCFZXpF5GGUaV6FaWHBLocVOr4sfxk6Psz
DvfDxuokb9Ckaih1
-----END CERTIFICATE-----
In the CA directory you can see how the certificate has been copied to the newcerts directory, an entry has been added in the index file and the value has been increased by one in the serial file. The entry in the index file is as follows:
V 211116202408Z 01 unknown /C=ES/ST=Madrid/O=NextTypes Project/CN=demo.nexttypes.com/emailAddress=admin@nexttypes.com
The certificate and private key are saved in PEM format. To use them in some programs like Firefox or in a smart card, it is necessary to export them to PKCS12 format with the following command:
# openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out keystore.p12 -name nexttypes
The program asks for a password, which is used to encrypt the keystore, and when it finishes the private key and the certificate are saved in the keystore.p12 file, ready to be used in programs that require this format. The value of the -name parameter is an alias assigned to the key and certificate, which identifies them in the program where they are imported.
Certificates revocation
When a certificate and its private key have fallen into the possession of an attacker, or you want to renew an expired certificate, you must revoke it with the following command:
# openssl ca -revoke cert.pem
Revocation only marks the entry as revoked (R) in the CA's index.txt file; for it to have any effect on the servers and browsers that trust the CA, the CA must also generate a certificate revocation list (CRL) and distribute it to them. Once this is done, the procedure described above for creating the certificate request and signing it can be carried out again.
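The steps above (CA directory and key, server and user requests, signing, PKCS#12 export and revocation), as an added example that is not part of the NextTypes manual and is not the project's own tooling: a POSIX shell script that runs them non-interactively in a temporary directory with its own openssl.cnf instead of editing /etc/ssl/openssl.cnf. The CA name, the host name demo.nexttypes.com, the user Jane Doe, the pass phrases and the file names are assumptions. It goes beyond the interactive steps in two ways: it adds a subjectAltName to the server certificate, and after revoking it publishes a CRL and verifies against it.

```sh
#!/bin/sh
# Added example, not part of the NextTypes manual: the CA, CSR, signing,
# PKCS#12 and revocation steps run non-interactively in a throw-away directory.
# CA name, host name, user, pass phrases and file names are assumptions.
set -eu

CA_PASS="ca-demo-pass"      # assumption: the CA key pass phrase prompted for above
P12_PASS="p12-demo-pass"    # assumption: the keystore password prompted for above

# Directory layout that "openssl ca" expects, plus a minimal configuration
# equivalent to the [ CA_default ] / [ req ] edits made to openssl.cnf above.
init_ca() {
    ca="$1/ca"
    mkdir -p "$ca/private" "$ca/newcerts"
    chmod 700 "$ca" "$ca/private"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    echo 01 > "$ca/crlnumber"         # CRL serial, needed by "openssl ca -gencrl"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.nexttypes.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ user_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # CA private key (encrypted with the pass phrase) and self-signed CA certificate.
    openssl req -new -x509 -days 3650 -config "$ca/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -passout "pass:$CA_PASS" \
        -subj "/C=ES/O=NextTypes Project/CN=NextTypes CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    # Publish an (empty) CRL from the start so relying parties can always check one.
    openssl ca -config "$ca/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$ca/crl.pem" 2>/dev/null
}

# Key and CSR on the server or user computer, then signature on the CA computer.
# Only the CSR crosses that boundary; the private key never leaves the machine.
# $1 = work dir, $2 = name, $3 = subject, $4 = extension section (server_cert or user_cert)
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -utf8 -config "$1/ca/openssl.cnf" -key "$1/$2.key" \
        -subj "$3" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/ca/openssl.cnf" -passin "pass:$CA_PASS" \
        -extensions "$4" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}

# PKCS#12 keystore for a browser or smart card, alias "nexttypes" as above.
export_p12() {
    openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2.key" -name nexttypes \
        -passout "pass:$P12_PASS" -out "$1/$2.p12"
}

# Revocation marks the index.txt entry "R"; the regenerated CRL is what makes
# it effective for anyone who checks it.
revoke_cert() {
    openssl ca -config "$1/ca/openssl.cnf" -passin "pass:$CA_PASS" -revoke "$1/$2.pem" 2>/dev/null
    openssl ca -config "$1/ca/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$1/ca/crl.pem" 2>/dev/null
}

# Returns 0 when the certificate chains to the CA and is not listed in the CRL.
is_valid() {
    openssl verify -crl_check -CAfile "$1/ca/cacert.pem" -CRLfile "$1/ca/crl.pem" \
        "$1/$2.pem" >/dev/null 2>&1
}

demo() {
    init_ca "$1"
    issue_cert "$1" server "/C=ES/O=NextTypes Project/CN=demo.nexttypes.com" server_cert
    issue_cert "$1" user "/C=ES/O=NextTypes Project/CN=Jane Doe/emailAddress=jane@nexttypes.com" user_cert
    export_p12 "$1" user
    is_valid "$1" server && echo "server certificate valid"
    revoke_cert "$1" server
    is_valid "$1" server || echo "server certificate revoked"
    cat "$1/ca/index.txt"
}

if [ "${1:-}" = demo ]; then demo "$(mktemp -d)"; fi
```

Run it as `sh demo-pki.sh demo`; the index.txt it prints ends with the server entry marked R. In a real CA the subjectAltName would be supplied per request rather than fixed in the configuration, and the CRL written by the -gencrl step has to be made available (by URL or by file) to every server and browser that trusts the CA, otherwise a revocation changes nothing for them.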
Let's Encrypt Certificates
If servers must be accessible through the Internet to any user, their certificates should come from a certification authority recognised by the commonly used browsers. One such authority is Let's Encrypt, which issues free certificates.
To request the certificates, the server must be running and the names for which we want the certificates must point to the server's IP address in DNS. Let's Encrypt uses the ACME protocol: its validation servers connect to our server at the name we want in the certificate and verify that we control it.
To receive that connection we must install and run an ACME client such as certbot. It offers two ways to do the verification: run a temporary HTTP server from certbot (standalone) or write the challenge files into the document root of a web server that is already running (webroot). The standalone option needs port 80 free, so if a server such as Tomcat is already listening on it and we prefer the certbot server, we must stop our server first.
# systemctl stop tomcat10
# apt-get install certbot
# certbot certonly
When executing the program it asks us to choose between the two options and press enter.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Next it will ask us for a contact email address.
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): alex@nexttypes.com
The next step is to read and accept the terms of service.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Then we can choose if we want them to share our email address with the Electronic Frontier Foundation so that they can send us informational emails.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Finally we must indicate the addresses that we want to include in the certificate.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): nexttypes.com www.nexttypes.com
Once this data has been entered the process of verifying that we have control of the addresses and the generation of the certificate and the private key takes place.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nexttypes.com
http-01 challenge for www.nexttypes.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nexttypes.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nexttypes.com/privkey.pem
   Your cert will expire on 2021-07-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.
Once the process is finished, the /etc/letsencrypt/live/nexttypes.com directory contains the certificate (cert.pem), the private key (privkey.pem) and the full certificate chain (fullchain.pem), which holds the server certificate followed by the intermediate certificate of the certification authority; servers should be configured with fullchain.pem so that clients can build the chain. The certificate is valid for 90 days; before it expires it must be renewed by running certbot again. The certbot renew command renews every certificate that is within 30 days of expiry, and the Debian package installs a systemd timer that runs it periodically, so renewal normally needs no manual step.
With the openssl command we can see the certificate information.
# openssl x509 -in cert.pem -text
The output of the program shows a description of the certificate and the certificate itself between the labels -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:bb:43:b8:2f:d3:85:fe:e2:87:ce:53:5a:4e:11:27:90:ca
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr  3 19:05:33 2021 GMT
            Not After : Jul  2 19:05:33 2021 GMT
        Subject: CN = nexttypes.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:98:d4:9c:45:61:a2:37:35:b3:9f:5f:c2:4c:2c:
                    ad:a7:d6:02:d6:bd:a6:15:d0:75:f1:40:82:ef:18:
                    64:7f:b2:e5:93:37:42:20:08:d7:24:21:01:a6:09:
                    87:27:f0:61:a5:b4:57:cd:2f:2b:48:d2:c8:49:82:
                    fa:a2:f0:02:46:3e:00:50:9b:00:b5:58:05:73:87:
                    fa:15:ec:f8:89:02:f2:e8:82:c6:23:1c:d7:ff:03:
                    c8:18:6b:a2:57:c4:43:33:79:5e:3a:71:0f:9e:d0:
                    14:05:0e:a2:40:f2:40:13:63:2c:b0:66:f9:2c:4b:
                    d5:2f:e5:ad:06:bd:d8:40:bb:77:67:30:bb:a2:10:
                    49:c8:37:e3:84:65:79:5a:26:25:d5:00:2f:86:72:
                    7d:2c:22:1b:f8:59:a9:b1:28:26:c2:8a:46:0c:52:
                    c1:cd:a9:cc:f5:04:42:66:05:ae:ae:3f:33:e1:06:
                    69:94:50:b1:2d:8a:4b:bc:00:63:ba:98:c7:34:02:
                    88:1d:4d:f1:10:1c:f1:72:f3:dd:1e:77:eb:10:67:
                    66:e0:c1:ab:75:99:ea:d8:3e:2a:ab:1b:d6:17:27:
                    22:89:90:d8:0a:c7:b1:00:50:70:ab:8c:66:bd:b7:
                    b6:eb:76:9d:59:39:81:a5:d8:fe:59:eb:3b:c5:69:
                    59:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                16:01:84:21:53:75:C4:64:0F:30:03:B6:19:E5:E1:18:A1:B0:4A:6E
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:nexttypes.com, DNS:www.nexttypes.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Apr  3 20:05:33.686 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:49:A9:85:58:DD:5F:9B:DC:6C:2B:7C:35:
                                93:46:A3:C4:36:96:E8:C8:2A:54:2E:70:94:01:42:F6:
                                F6:BB:64:A4:02:20:40:A0:96:F8:02:A0:0D:4D:D0:AA:
                                E0:FD:15:4F:55:17:52:8D:77:0C:8E:22:48:DC:E2:6A:
                                64:E5:46:7B:1D:0F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
                                79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
                    Timestamp : Ap r  3 20:05:33.680 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:1D:D3:F0:20:B5:6B:D2:15:D5:DD:28:0D:
                                57:B2:7D:FA:3A:DD:76:A1:62:33:09:14:FE:15:8F:4A:
                                ED:3A:3D:01:02:21:00:FF:73:0E:EB:FA:9B:8D:2E:AF:
                                5B:22:1A:B0:AC:D7:3C:56:5F:BC:55:45:85:A6:E2:DD:
                                66:BD:28:39:BA:D7:15
    Signature Algorithm: sha256WithRSAEncryption
         5f:01:ed:17:6d:99:2d:b9:72:fa:6c:d8:24:ac:61:73:cb:34:
         a1:b0:c4:2c:dc:8d:97:0f:69:ab:8f:33:bd:88:81:c1:17:d3:
         a7:90:0f:eb:00:53:28:c5:a1:1a:f6:b9:cc:cf:10:b5:f2:91:
         24:f9:dc:03:9f:f1:13:8a:6e:1a:ef:08:8b:d9:aa:a8:fd:bc:
         b4:ec:49:14:bb:ce:2a:2b:38:c6:86:f8:44:9d:4c:8a:ba:7b:
         45:07:c0:21:4f:d2:11:32:a2:7e:c7:bf:9f:4c:e1:79:98:ca:
         cd:8b:15:25:f1:42:c8:55:d8:9e:0d:1a:80:89:eb:a3:77:ee:
         78:88:c0:ac:5a:d3:48:d6:77:d6:f2:b6:04:db:5a:92:70:1a:
         4b:0a:bf:05:5a:a6:07:8c:d4:ae:f1:35:03:3c:14:22:8c:ab:
         7d:dc:75:85:f3:3d:7e:42:1b:1c:42:b4:84:ac:b2:62:a2:1d:
         1f:15:75:a8:f7:81:a1:10:7b:21:a8:29:6f:38:07:87:ab:d9:
         b7:76:8c:4b:af:49:ce:ac:a6:ae:0f:3e:27:a3:29:26:e3:a6:
         d0:38:8e:c4:c8:e9:93:80:d8:8f:44:33:bf:5b:9a:24:69:87:
         8f:39:ed:21:82:7b:d2:8c:40:1c:da:dd:6b:0d:65:02:dd:01:
         47:7a:c3:33
-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgISBLtDuC/Thf7ih85TWk4RJ5DKMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA0MDMxOTA1MzNaFw0yMTA3MDIxOTA1MzNaMBgxFjAUBgNVBAMT
DW5leHR0eXBlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY
1JxFYaI3NbOfX8JMLK2n1gLWvaYV0HXxQILvGGR/suWTN0IgCNckIQGmCYcn8GGl
tFfNLytI0shJgvqi8AJGPgBQmwC1WAVzh/oV7PiJAvLogsYjHNf/A8gYa6JXxEMz
eV46cQ+e0BQFDqJA8kATYyywZvksS9Uv5a0GvdhAu3dnMLuiEEnIN+OEZXlaJiXV
AC+Gcn0sIhv4WamxKCbCikYMUsHNqcz1BEJmBa6uPzPhBmmUULEtiku8AGO6mMc0
AogdTfEQHPFy890ed+sQZ2bgwat1merYPiqrG9YXJyKJkNgKx7EAUHCrjGa9t7br
dp1ZOYGl2P5Z6zvFaVlbAgMBAAGjggJ5MIICdTAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFBYBhCFTdcRkDzADthnl4RihsEpuMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
MEoGA1UdEQRDMEGCHW1lZGlhLmN1YWRlcm5vaW5mb3JtYXRpY2EuY29tgg1uZXh0
dHlwZXMuY29tghF3d3cubmV4dHR5cGVzLmNvbTBMBgNVHSAERTBDMAgGBmeBDAEC
ATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl
bmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AG9Tdqwx8DEZ2JkA
pFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABeJlXOXYAAAQDAEYwRAIgSamFWN1fm9xs
K3w1k0ajxDaW6MgqVC5wlAFC9va7ZKQCIECglvgCoA1N0Krg/RVPVRdSjXcMjiJI
3OJqZOVGex0PAHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF4
mVc5cAAABAMARzBFAiAd0/AgtWvSFdXdKA1Xsn36Ot12oWIzCRT+FY9K7To9AQIh
AP9zDuv6m40ur1siGrCs1zxWX7xVRYWm4t1mvSg5utcVMA0GCSqGSIb3DQEBCwUA
A4IBAQBfAe0XbZktuXL6bNgkrGFzyzShsMQs3I2XD2mrjzO9iIHBF9OnkA/rAFMo
xaEa9rnMzxC18pEk+dwDn/ETim4a7wiL2aqo/by07EkUu84qKzjGhvhEnUyKuntF
B8AhT9IRMqJ+x7+fTOF5mMrNixUl8ULIVdieDRqAieujd+54iMCsWtNI1nfW8rYE
21qScBpLCr8FWqYHjNSu8TUDPBQijKt93HWF8z1+QhscQrSErLJioh0fFXWo94Gh
EHshqClvOAeHq9m3doxLr0nOrKauDz4noykm46bQOI7EyOmTgNiPRDO/W5okaYeP
Oe0hgnvSjEAc2t1rDWUC3QFHesMz
-----END CERTIFICATE-----
If we stopped our HTTP server we can restart it again.
# systemctl start tomcat10
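Checks a practitioner would run on the files in /etc/letsencrypt/live/nexttypes.com/ after issuance and before each renewal, as an added example that is not part of the manual or of certbot: which DNS names the certificate actually carries in its subjectAltName, whether it is inside the 30-day renewal window, and whether privkey.pem really belongs to cert.pem (a mismatch after a failed renewal is a common cause of a server that will not start). The file paths are parameters; the cert in the test is a constructed self-signed one, not the Let's Encrypt certificate shown above.

```sh
#!/bin/sh
# Added example, not from the NextTypes manual or certbot: sanity checks on a
# certificate and key pair such as the ones certbot writes to /etc/letsencrypt/live.
set -eu

# DNS names in the subjectAltName, space separated. Browsers match the host
# name against these, not against the CN.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Returns 0 (true) when the certificate expires within $2 days. certbot's own
# renewal window is 30 days, so a 90-day certificate should be renewed then.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 when the private key in $1 belongs to the certificate in $2
# (the SubjectPublicKeyInfo derived from the key must equal the one in the cert).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# $1 = private key file, $2 = certificate file
report() {
    printf 'names in certificate: %s\n' "$(cert_dns_names "$2")"
    if cert_expires_within "$2" 30; then
        echo "renewal needed: certificate expires within 30 days"
    else
        echo "no renewal needed yet"
    fi
    if key_matches_cert "$1" "$2"; then
        echo "private key matches certificate"
    else
        echo "ERROR: private key does not match certificate"
    fi
}

if [ $# -eq 2 ]; then report "$1" "$2"; fi
```

Usage: `sh check-cert.sh /etc/letsencrypt/live/nexttypes.com/privkey.pem /etc/letsencrypt/live/nexttypes.com/cert.pem`. The expiry check relies on the -checkend option of openssl x509, which exits non-zero when the certificate will have expired after the given number of seconds, so the function inverts it.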
PostgreSQL
The PostgreSQLNode storage node uses the PostgreSQL database manager, so a server of this type is required to be able to use the node. To install it you need to run the following command:
# apt-get install postgresql
Database and users creation
The creation of the database and the users must be done with the postgres system user. To switch to using that user execute the following command:
# su postgres
The next step is to create the database:
# createdb nexttypes
Then three users are created. NextTypes grants each of them different permissions on every table it creates, so that the different kinds of operation are isolated and run with the minimum privileges necessary: a read user (select), a read and write user (select, insert, update, delete) and one for administrative tasks (select, insert, update, create, alter, drop). The admin user must additionally be granted CREATE on the public schema so that it can create types and tables (since PostgreSQL 15 this privilege is no longer granted to every user by default). Replace the 'aaaaaa' example passwords with strong, distinct ones.
# psql nexttypes
create user read with password 'aaaaaa';
create user write with password 'aaaaaa';
create user admin with password 'aaaaaa';
grant create on schema public to admin;
UUID Extension
In order for NextTypes to create UUID identifiers for objects it is necessary to install the extension uuid-ossp. For this it is required to execute the following commands from the postgres system user:
# psql nexttypes
create extension "uuid-ossp";
Configuration
In the /etc/postgresql/15/main/postgresql.conf configuration file you can increase the maximum number of simultaneous connections if necessary.
max_connections = 150
In order for modifications to be made to many tables and rows in a transaction (such as when importing data) it is necessary to increase the number of locks allowed in a transaction with the following parameters:
max_locks_per_transaction = 256
max_pred_locks_per_transaction = 256
Once configured, return to the root user and restart the server with the following command:
# systemctl restart postgresql
Web Browser
Protection of private keys and passwords
It is recommended that the private keys and passwords stored in the browser are encrypted. In the case of Firefox you can configure a "primary password" to protect private keys and passwords.
CA certificate installation
Whether a CA has been created or certificates from an existing CA are used it is necessary to install the CA certificate in the users browsers if it is not installed by default. For example the procedure to install it in Firefox is as follows:
Menu -> Settings -> Privacy and Security -> Certificates -> View Certificates -> Authorities -> Import -> Select the file that contains the certificate.
Once selected it is necessary to indicate for which uses the CA is trusted. You must select both options (websites and email users).
Installation of the user certificate generated by CSR (Certificate Signing Request)
If the certificate was created from a CSR and exported to a PKCS12 file it is necessary to install this file in the browser. For example the procedure to install it in Firefox is as follows:
Menu -> Preferences -> Privacy and Security -> Certificates -> View Certificates -> Your Certificates -> Import -> Select the keystore.p12 file -> Enter the password.
Certificates on cryptographic cards
As an example, this manual uses the SCR3310/v2 card reader and the FNMT-RCM cryptographic card. The reader complies with the PC/SC and CCID standards and the card with PC/SC and PKCS#11.
Drivers can be downloaded from the card reader manufacturer's website, although the operating system will most likely detect the reader automatically since it complies with the PC/SC and CCID standards. On Linux you need to install PCSC-Lite, which implements PC/SC, together with its CCID driver. In Debian you can use the following command:
# apt-get install pcscd pcsc-tools -t unstable
The above command installs the pcscd process that controls smart cards and pcsc-tools utilities. Among the utilities is the pcsc_scan command, which when executed will show the connected readers and cards as follows:
Using reader plug'n play mechanism
Scanning present readers...
0: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00

Sat Nov 21 17:05:21 2020
 Reader 0: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 7F 96 00 00 00 6A 46 4E 4D 54 03 04 11 43 04 30 03 90 00

ATR: 3B 7F 96 00 00 00 6A 46 4E 4D 54 03 04 11 43 04 30 03 90 00
+ TS = 3B --> Direct Convention
+ T0 = 7F, Y(1): 0111, K: 15 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 00 6A 46 4E 4D 54 03 04 11 43 04 30 03 90 00
  Category indicator byte: 00 (compact TLV data object)
    Tag: 6, len: A (pre-issuing data)
      Data: 46 4E 4D 54 03 04 11 43 04 30
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 03 (Initialisation state)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7F 96 00 00 00 6A 46 4E 4D 54 03 04 11 43 04 30 03 90 00
	CERES Spanish SmartCard from the "Fabrica Nacional de Moneda y Timbre" (FNMT) (eID)
	http://www.cert.fnmt.es/
Once the reader is working it is necessary to install the smart card software from the manufacturer website; for the FNMT-RCM card it can be downloaded from the FNMT website. This software includes the PKCS#11 library that lets programs such as Firefox use the card, and several applications to configure the card and manage its certificates. For Debian download the libpkcs11-fnmtdnie_1.6.1_Debian_10_Buster_32bits.deb or libpkcs11-fnmtdnie_1.6.1_Debian_10_Buster_64bits.deb package depending on whether the 32 or 64 bit version of the operating system is used, then install it with dpkg. The pinentry-gtk2 or pinentry-qt package, which provides the PIN prompt, must be installed first.
# apt-get install pinentry-gtk2
# dpkg -i libpkcs11-fnmtdnie_1.6.1_Debian_10_Buster_64bits.deb
This package provides the /usr/lib/libpkcs11-fnmtdnie.so library with the PKCS#11 cryptographic module, which can be loaded into Firefox so the card's certificates can be used from the browser: in Menu -> Preferences -> Privacy and Security -> Certificates -> Security Devices, load this .so file.
With the "Certificates Importer" program we can import the certificate and private key from the keystore.p12 file onto the cryptographic card. After the import the private key should exist only on the card: delete the keystore.p12 file and any other copies of the key from disk, since a PKCS#12 file protected only by a password is far easier to steal than a key held inside the card. Once all these steps are complete the NextTypes system certificates can be used.
Incompatibilities with browsers
When using Firefox at low screen resolutions, pressing the right mouse button makes the context menu appear below the pointer, so releasing the button automatically selects the menu option under it. To avoid this you can enable the ui.context_menus.after_mouseup option in about:config so that the context menu is displayed only after the mouse button has been released.
Tomcat
We must install Tomcat and Java OpenJDK to run it.
# apt-get install openjdk-17-jre
# apt-get install tomcat10
HTTPS Connection
The server requires a secure HTTPS connection with a private key and a certificate signed by a CA. The first step is to create the directory where they will be stored. By default the directory used by NextTypes is /etc/nexttypes but you can use another directory. Only the user that Tomcat is running under, by default tomcat, should have access.
# mkdir -m 750 /etc/nexttypes
# chgrp tomcat /etc/nexttypes
If a certificate was created following the steps in the Certification Authority or Let's Encrypt Certificates sections there is a cert.pem file with the certificate and a privkey.pem file with the private key. If we created our own certification authority we also have the cacert.pem file with its certificate, which allows client authentication with certificates signed by that authority to be configured. Copy these three files to the /etc/nexttypes directory and give them permissions so that the tomcat user can read them. The files stay owned by root and are only group-readable, so the web application can read the key but cannot modify or replace it.
# cp cert.pem /etc/nexttypes
# cp privkey.pem /etc/nexttypes
# cp cacert.pem /etc/nexttypes
# chgrp tomcat /etc/nexttypes/*.pem
# chmod 640 /etc/nexttypes/*.pem
Once the certificates and private key have been prepared it is necessary to configure an HTTPS connector in Tomcat /etc/tomcat10/server.xml configuration file as follows:
<Connector port="443" SSLEnabled="true" secure="true" scheme="https">
  <SSLHostConfig
      ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      disableSessionTickets="true"
      honorCipherOrder="false"
      protocols="TLSv1.2, TLSv1.3"
      certificateVerification="optional"
      caCertificateFile="/etc/nexttypes/cacert.pem">
    <Certificate certificateFile="/etc/nexttypes/cert.pem"
                 certificateKeyFile="/etc/nexttypes/privkey.pem" />
  </SSLHostConfig>
</Connector>
The certificateVerification parameter indicates the type of client authentication using a certificate signed by one of the trusted CAs. It can have three levels:
- required: It only allows the connection if the client has a valid certificate.
- optional: It asks the client for a valid certificate but allows communication even if it does not have it.
- none: It does not request a certificate.
If you want users to authenticate with certificates the level must be at least optional; in that case either certificates or passwords can be used. Note that optional only means the client may omit a certificate: a client that does present one whose chain does not lead to a CA in caCertificateFile is still rejected during the handshake. If authentication must be done exclusively with a certificate the level must be required.
The secure parameter must have the value true so that NextTypes can know if the request is made through a secure channel using the isSecure method of the ServletRequest class.
It is important to specify only the most recent TLS protocol versions and a list of the strongest cipher suites supported by the server and its clients, using the protocols and ciphers attributes. Although server and client negotiate the strongest algorithm they have in common, a server that still offers old versions or weak suites can be the victim of a downgrade attack that forces an insecure protocol version or cipher. Mozilla's Server Side TLS documentation lists the protocol versions and cipher suites available and recommended for each degree of backwards compatibility with old browsers, and a configuration generator for various servers is also available. On the SSL Labs - SSL Test site you can run a security test of the HTTPS configuration and the certificate.
If you use a set that includes the Diffie Hellman (DH) algorithm it is advisable to configure the size of the temporary key in 2048 bits or higher using the jdk.tls.ephemeralDHKeySize Java virtual machine configuration parameter in the Tomcat /etc/default/tomcat10 configuration file.
JAVA_OPTS="-Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048"
In certain circumstances where /dev/random does not receive enough entropy, for example in a virtual machine, key generation and TLS handshakes may stall; in that case use /dev/urandom by adding the following parameter to JAVA_OPTS. On the Debian 12 kernel /dev/random no longer blocks once the pool has been seeded at boot, so this is rarely needed there, but it does no harm:
-Djava.security.egd=file:/dev/urandom
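To check a server.xml against the rules above before restarting Tomcat, the following script (an added example written for this page, not part of NextTypes or Tomcat) parses the SSL-enabled connectors and reports protocol versions other than TLSv1.2/TLSv1.3, cipher suites outside the AEAD and forward-secrecy list used by the connector above, a missing secure="true", and a certificateVerification level that would make certificate login impossible. The two server.xml fragments embedded in it are constructed: a deliberately weak one and the hardened connector from this page. The accepted cipher set is exactly the list from the connector above, not an exhaustive policy.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Cipher suites accepted: the TLS 1.3 suites plus the TLS 1.2 AEAD suites with
# ephemeral (EC)DHE key exchange, i.e. the list used by the connector above.
STRONG_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305",
}


def audit_connectors(server_xml: str, want_client_certs: bool = True) -> list[str]:
    """Return one finding per problem in the SSL-enabled connectors of SERVER_XML.
    An empty list means every HTTPS connector follows the rules above."""
    findings: list[str] = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # secure="true" is what makes ServletRequest.isSecure() report a secure channel
        if conn.get("secure", "false").lower() != "true":
            findings.append(f'port {port}: secure="true" missing, isSecure() would be false')
        if conn.get("scheme") != "https":
            findings.append(f'port {port}: scheme should be "https"')
        for host in conn.iter("SSLHostConfig"):
            protocols = host.get("protocols")
            if protocols is None:
                findings.append(f"port {port}: protocols not pinned to TLSv1.2/TLSv1.3")
            else:
                weak = {p.strip() for p in protocols.split(",")} - ALLOWED_PROTOCOLS
                if weak:
                    findings.append(f"port {port}: weak protocols {sorted(weak)}")
            ciphers = [c.strip() for c in host.get("ciphers", "").split(":") if c.strip()]
            if not ciphers:
                findings.append(f"port {port}: no explicit cipher list, Tomcat default used")
            for cipher in ciphers:
                if cipher not in STRONG_CIPHERS:
                    findings.append(f"port {port}: cipher {cipher} lacks AEAD or forward secrecy")
            verification = host.get("certificateVerification", "none")
            if want_client_certs and verification not in ("optional", "required"):
                findings.append(f"port {port}: certificateVerification={verification}, "
                                "certificate login impossible")
            if verification in ("optional", "required") and not host.get("caCertificateFile"):
                findings.append(f"port {port}: caCertificateFile missing, client certificates "
                                "cannot be verified")
    return findings


# Constructed fragment with the classic mistakes: old protocol versions, CBC
# suites with RSA key exchange, no client certificate request, no secure="true".
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https">
    <SSLHostConfig protocols="TLSv1, TLSv1.1, TLSv1.2"
        ciphers="ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA"
        certificateVerification="none">
      <Certificate certificateFile="/etc/nexttypes/cert.pem"
                   certificateKeyFile="/etc/nexttypes/privkey.pem" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# The connector from this page, wrapped in the enclosing server.xml elements.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" secure="true" scheme="https">
    <SSLHostConfig
        ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
        disableSessionTickets="true" honorCipherOrder="false"
        protocols="TLSv1.2, TLSv1.3"
        certificateVerification="optional"
        caCertificateFile="/etc/nexttypes/cacert.pem">
      <Certificate certificateFile="/etc/nexttypes/cert.pem"
                   certificateKeyFile="/etc/nexttypes/privkey.pem" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_tls.py /etc/tomcat10/server.xml (defaults to the weak sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for finding in audit_connectors(xml_text) or ["no findings"]:
        print(finding)
```

Run it against the live /etc/tomcat10/server.xml after every change and before the restart; it complements, rather than replaces, an external SSL Labs scan, because it only reads the configuration and cannot see which OpenSSL or JSSE provider Tomcat actually loaded.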
Once the configuration has been modified it is necessary to restart Tomcat with the following command:
# systemctl restart tomcat10
WAR File Deployment
NextTypes is distributed in a WAR file that can be downloaded from the releases directory. The WAR file needs to be deployed as the root application. This can be done in different ways. The simplest way is to replace the webapps/ROOT directory of the default application with the NextTypes WAR.
# cd /var/lib/tomcat10/webapps
# mv ROOT ROOT.bak
# mv nexttypes-x.x.war ROOT.war
By following these steps Tomcat extracts the contents of the WAR in the ROOT directory and remains as the main application.
Virtual Host
A virtual host can also be added to the Tomcat configuration in /etc/tomcat10/server.xml.
<Host name="demo.nexttypes.com" appBase="demo.nexttypes.com"
      unpackWARs="true" autoDeploy="false">
</Host>
For the appBase parameter a directory must be created and the user who runs Tomcat must be given permissions on it. Next we must rename the file nexttypes-x.x.war to ROOT.war and copy it to the virtual host directory.
# mkdir -m 770 /var/lib/tomcat10/demo.nexttypes.com
# chgrp tomcat /var/lib/tomcat10/demo.nexttypes.com
# cp nexttypes-x.x.war /var/lib/tomcat10/demo.nexttypes.com/ROOT.war
Finally the Tomcat systemd service must be allowed to read and write in that directory. The Debian unit confines the service's filesystem access (ProtectSystem=strict) to an explicit list of ReadWritePaths, so the new appBase has to be added through a drop-in file:
# mkdir /etc/systemd/system/tomcat10.service.d/
# vi /etc/systemd/system/tomcat10.service.d/extend.conf
[Service]
ReadWritePaths=/var/lib/tomcat10/demo.nexttypes.com/
Once edited, the systemd configuration must be reloaded and the service restarted.
# systemctl daemon-reload
# systemctl restart tomcat10
You can also manually create the ROOT directory and unzip the contents of the WAR file inside.
NextTypes Configuration
For configuring the system we can create a configuration directory and indicate it in the WEB-INF/web.xml file in the settings_directory variable. /etc/nexttypes/settings is used by default.
This way we can replace the WAR file keeping the configuration. There is also the ability to modify the settings in the WAR file to distribute it with the desired settings.
The directory must be created and the user tomcat must be given read permissions.
# mkdir /etc/nexttypes/settings
# chgrp tomcat /etc/nexttypes/settings
HTTP and Database Configuration
Before starting the system some HTTP protocol and database parameters must be configured. To do this create the http.properties and postgresql.properties files in the /etc/nexttypes/settings directory. In http.properties set the host variable to the name and domain of the system, and in postgresql.properties set the passwords of the database users. The aaaaaa values below are placeholders: use long, random and distinct passwords for the three users, and because the file holds them, restrict it like the key files (owner root, group tomcat, mode 640).
host=demo.nexttypes.com
read_password=aaaaaa
write_password=aaaaaa
admin_password=aaaaaa
Backup Configuration
To make the incremental and total backups the system needs us to create a directory where to store the files and give the user tomcat write permissions.
# mkdir -m 770 /var/backups/nexttypes
# chgrp tomcat /var/backups/nexttypes
It is also necessary to grant the systemd service write access to this directory, in the same way as for the virtual host directory holding the WAR file, by adding it to the ReadWritePaths in the tomcat10 drop-in:
ReadWritePaths=/var/backups/nexttypes/
To change the default configuration we can create the backup.properties file in the configuration directory and modify the variables that we want.
Memory
If you want to use large text or binary fields or use a caching system you need to increase the maximum memory that Tomcat can use. This can be done using the -Xmx parameter in the /etc/default/tomcat10 file in the JAVA_OPTS variable. The size must be at least 512MB.
JAVA_OPTS="-Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Xmx1024m"
Next set the maximum allowed size of a single uploaded file and of a whole HTTP request in the WEB-INF/web.xml configuration file (52428800 bytes is 50 MiB). Keep these values as small as the use case allows, since they bound the memory and disk space a single request can make the server consume.
<max-file-size>52428800</max-file-size>
<max-request-size>52428800</max-request-size>
Network Configuration
Once the connector is prepared in Tomcat the next step is to configure the resolution of the server name to its IP address in the DNS system. For testing purposes an entry in the /etc/hosts file like the following can be added to the clients:
192.168.1.36 demo.nexttypes.com demo
After configuring name resolution the server can be reached at http://demo.nexttypes.com:8080 on Tomcat's default HTTP connector and, if the HTTPS connector was defined on port 8443 for testing, at https://demo.nexttypes.com:8443. After checking that everything works, change the connector ports in server.xml to the standard 80 (HTTP) and 443 (HTTPS). Since Tomcat runs as the unprivileged tomcat user, binding ports below 1024 requires granting the service the CAP_NET_BIND_SERVICE capability (AmbientCapabilities= in a systemd drop-in) or placing a port redirection or reverse proxy in front of it. The https_port variable in the http.properties NextTypes configuration file must then match the HTTPS port:
https_port=443
After finishing the configuration we can restart Tomcat.
# systemctl restart tomcat10
Postfix
NextTypes can be integrated with an MTA like Postfix to receive and send emails. Postfix can be installed with the following command:
# apt-get install postfix
NextTypes has a Simple SMTP server with the basic functionality to receive mails from a complete MTA such as Postfix and convert the mails into raw_email objects:
{
  "name" : "raw_email",
  "cdate" : "2015-04-01T14:30:16Z",
  "adate" : "2015-04-01T14:30:16Z",
  "fields" : {
    "mail_from" : { "type" : "string", "length" : 250, "not_null" : true },
    "rcpt_to" : { "type" : "text", "not_null" : true },
    "data" : { "type" : "text", "not_null" : true }
  }
}
The server is configured with the /etc/nexttypes/settings/smtp.properties file, in which you indicate the host name shown in the greeting banner and the port on which connections are accepted. This simple server performs no authentication, relaying control or spam filtering; it relies on Postfix for that, so the port must not be reachable from other hosts. Firewall it so that only local connections (Postfix on 127.0.0.1) reach it.
host=demo.nexttypes.com
port=2525
In the Postfix configuration, /etc/postfix/main.cf, declare the domain whose mail Postfix should hand over as a virtual mailbox domain and route its delivery to the NextTypes SMTP port on the loopback address:
virtual_transport = smtp:127.0.0.1:2525
virtual_mailbox_domains = example.com
Once configured the server can be restarted with the following command:
# systemctl restart postfix
Once the configuration is finished and the server restarted a controller can be created to process the raw_email objects as received. To send emails you can use the Email class which uses Jakarta Mail.
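The following Python model, an added example written for this page and not the NextTypes SMTP server or its Email class, replays the exchange Postfix performs when it relays a message through virtual_transport to port 2525 and builds the raw_email object from it: MAIL FROM becomes mail_from (checked against the 250-character limit of the string field), each RCPT TO is appended to rcpt_to, and the dot-unstuffed DATA block becomes data. The reply texts, the client script and the addresses are constructed for illustration; the real server's wording may differ.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAIL_FROM_MAX = 250  # the "length" of the raw_email.mail_from string field


@dataclass
class RawEmail:
    """One raw_email object as the type definition above describes it."""
    mail_from: str
    rcpt_to: list[str] = field(default_factory=list)
    data: str = ""


def _parse_path(arg: str, prefix: str) -> Optional[str]:
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'; parameters after
    the closing '>' such as SIZE=... are ignored. None means a syntax error."""
    if not arg.upper().startswith(prefix):
        return None
    rest = arg[len(prefix):].strip()
    end = rest.find(">")
    if not rest.startswith("<") or end < 0:
        return None
    return rest[1:end]


class SimpleSmtpSession:
    """Server side of one SMTP session: feed() one client line at a time and
    get the reply back; completed messages accumulate in .emails."""

    def __init__(self, host: str):
        self.greeting = f"220 {host} ESMTP"
        self.host = host
        self.emails: list[RawEmail] = []
        self.in_data = False
        self.closed = False
        self._reset()

    def _reset(self) -> None:
        self.mail_from: Optional[str] = None
        self.rcpt_to: list[str] = []
        self.data_lines: list[str] = []

    def feed(self, line: str) -> str:
        if self.in_data:
            if line == ".":  # end of message: one raw_email object is complete
                self.in_data = False
                self.emails.append(RawEmail(self.mail_from, self.rcpt_to,
                                            "\r\n".join(self.data_lines) + "\r\n"))
                self._reset()
                return "250 2.0.0 Ok: queued"
            # undo dot-stuffing (RFC 5321 4.5.2): a leading ".." is a literal "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""  # no reply while receiving DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.host}"
        if verb == "MAIL":
            addr = _parse_path(arg, "FROM:")
            if addr is None:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            if len(addr) > MAIL_FROM_MAX:  # would not fit the string(250) field
                return "550 5.1.7 Sender address too long"
            self._reset()
            self.mail_from = addr  # "" is the null sender used for bounces
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            addr = _parse_path(arg, "TO:")
            if not addr:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            self.rcpt_to.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(host: str, client_lines: list[str]) -> tuple[list[str], list[RawEmail]]:
    """Replay a client script; return the transcript (C:/S: lines) and the emails."""
    session = SimpleSmtpSession(host)
    transcript = [f"S: {session.greeting}"]
    for line in client_lines:
        transcript.append(f"C: {line}")
        reply = session.feed(line)
        if reply:
            transcript.append(f"S: {reply}")
        if session.closed:
            break
    return transcript, session.emails


# Constructed exchange, as Postfix would relay a message for a virtual domain.
EXAMPLE_CLIENT_LINES = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.org> SIZE=1024",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<carol@example.com>",
    "DATA",
    "From: alice@example.org", "To: bob@example.com", "Subject: hello", "",
    "..a line that really starts with a dot", "Body text.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, emails = run_session("demo.nexttypes.com", EXAMPLE_CLIENT_LINES)
    print("\n".join(transcript))
    for email in emails:
        print(vars(email))
```

The rcpt_to field is declared as text rather than string because one message may carry many recipients; the model keeps them as a list and the real object stores them as text. Anything beyond this grammar (authentication, STARTTLS, relaying) belongs to Postfix, which is why the simple server must stay reachable from the loopback interface only.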
ClamAV
The NextTypes virus scanning system uses ClamAV antivirus to scan system objects. For this it is necessary to install it with the following command:
# apt-get install clamav-daemon
Once installed it must be configured to listen on a TCP port; by default NextTypes uses 3310. The Debian package starts clamd through the clamav-daemon.socket unit (by default on a Unix socket), so the TCP listener is added as a drop-in on that socket unit. clamd accepts scan commands from anyone who can reach the port, with no authentication, so unless NextTypes runs on a different host bind the listener to the loopback address (ListenStream=127.0.0.1:3310) or firewall the port. Then reload the systemd configuration and restart the socket together with the service, since a running socket unit does not pick up a new listener on its own.
# mkdir /etc/systemd/system/clamav-daemon.socket.d/
# vi /etc/systemd/system/clamav-daemon.socket.d/extend.conf
[Socket]
ListenStream=3310
# systemctl daemon-reload
# systemctl restart clamav-daemon.socket clamav-daemon.service
Finally, configure the host and port of the ClamAV server in the clamav.properties file in the /etc/nexttypes/settings configuration directory.
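A minimal clamd client, as an added example written for this page (not the NextTypes scanner code), showing the protocol a scanning integration speaks to the daemon on port 3310: zPING to check that the listener created by the drop-in answers, and zINSTREAM to stream an object's bytes as length-prefixed chunks and read the "stream: OK" or "stream: <signature> FOUND" reply. The encoder and reply parser run offline; ping() and scan_bytes() need a running clamd and default to 127.0.0.1 and port 3310 as configured above. The EICAR test string is the standard one published by EICAR, assembled at runtime so this file is not itself flagged by a scanner.

```python
from __future__ import annotations

import socket
import struct
from typing import Optional, Tuple

CHUNK_SIZE = 64 * 1024


def build_instream_request(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Encode DATA as a zINSTREAM request: the NUL-terminated command, then
    chunks of <4-byte big-endian length><bytes>, then a zero-length chunk."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))  # end of stream
    return b"".join(parts)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map a clamd reply to (status, detail):
       b'stream: OK\\0'                     -> ('OK', None)
       b'stream: Some.Signature FOUND\\0'   -> ('FOUND', 'Some.Signature')
       anything else, e.g. '... ERROR'      -> ('ERROR', full reply text)"""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        body = text[:-len(" FOUND")]  # 'stream: <signature>'
        return "FOUND", (body.split(": ", 1)[1] if ": " in body else body)
    if text.endswith(" OK"):
        return "OK", None
    return "ERROR", text


def _recv_reply(sock: socket.socket) -> bytes:
    """z-prefixed commands get NUL-terminated replies; read until the NUL."""
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf


def ping(host: str = "127.0.0.1", port: int = 3310, timeout: float = 5.0) -> bool:
    """True when clamd answers PONG on the TCP listener."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"zPING\0")
        return _recv_reply(sock) == b"PONG\0"


def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               timeout: float = 60.0) -> Tuple[str, Optional[str]]:
    """Stream DATA to clamd and return parse_reply() of its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_instream_request(data))
        return parse_reply(_recv_reply(sock))


# Standard EICAR test string (68 bytes), split so the source is not flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

if __name__ == "__main__":
    print("clamd reachable:", ping())
    print("clean text ->", scan_bytes(b"hello world"))
    print("EICAR      ->", scan_bytes(EICAR))
```

Objects larger than clamd's StreamMaxLength (set in clamd.conf) are answered with an ERROR reply rather than a verdict, so an integration must treat ERROR as "not scanned" and never as clean; the scanner and clamd also exchange data in the clear, which is another reason to keep the port on the loopback interface or a private network.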