Securing Your CP Server with SSL

 

Related Docs:   Securing Reseller Control Panels With SSL Installing Shared SSL Certificates Securing Transferred Data through SSL (User guide)

This document gives a step-by-step instruction on how to secure your CP apache server with a regular (not wildcard) SSL certificate.

You can secure your control panel with a wildcard certificate if you install it on the same domain name. For example, if your cp domain name is cp.example.com, you can secure it by installing wildcard certificate to example.com.

We recommend that you configure your system to be accessible both by http and https, because SiteStudio doesn't fully support https protocol.

To secure your CP with regular SSL:

  1. Create or choose a directory to store SSL-related files. E.g.:
    #mkdir cert
    Make this directory available only for root:
    #chmod 700 cert
    Go to this directory:
    #cd cert
  2. Generate an SSL private key with the OpenSSL utility:
    #openssl genrsa -des3 -out server.key 1024
    When prompted for a pem phrase, enter any combination of 4 characters, e.g. 1234. A unique private key will be generated into the server.key file.
    For more, read modssl documentation.
  3. Copy this file to a secure location. You will need it later.
  4. Make the newly generated file readable only by root:
    #chmod 600 server.key
  5. To view the content of the private key file, use the command:
    #openssl rsa -noout -text -in server.key
  6. Remove pass phrase from the private key:
  7. #openssl rsa -in server.key -out server.key.unsecure
  8. Now you don't need the private key with the pass phrase any more. Overwrite it with the private key without the pass phrase:
    #cp server.key.unsecure server.key
  9. Generate an SSL certificate signing request based on the private key:
    #openssl req -new -key server.key -out server.csr
    You will have to answer many questions related to your company. Your answers are required to be included in the certificate.
    Note: Common name is the URL at which you want your control panel to be available, e.g. cp.yourdomain.com (not yourdomain.com).
  10. Check the content of the certificate request file:
    #openssl req -noout -text -in server.csr
    If you find a mistake in the data you have submitted, you can re-generate the request anew.
  11. Make sure to back up your SSL files:
    # mkdir backup
    # chmod 700 backup

    # cp ./*.* backup/
  12. Send the generated CSR file to a trusted Certificate Authority for signing. They will send you back the certificate. Save it as server.crt.
  13. To view the content of the certificate, run:
    # openssl x509 -noout -text -in server.crt
  14. Save the private key and the certificate:
    # cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/
    # cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  15. Important: Make sure to back up the ssl.key and ssl.crt files to a safe location. You may need them in the future.
  16. If your certificate was signed by a non-trusted certificate authority, run the following command:
    # cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  17. If your certificate was signed by a non-trusted certificate authority, open the file httpd.conf:
    # vi /hsphere/local/home/cpanel/apache/etc/httpd.conf
    and find the following lines:
    <VirtualHost _default_:8443>
    DocumentRoot "/hsphere/local/home/cpanel/shiva/shiva-templates"
    ServerName cp.domain.com
    ServerAdmin root@domain.com
    ErrorLog /hsphere/local/home/cpanel/apache/logs/error_log
    TransferLog /hsphere/local/home/cpanel/apache/logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/server.crt
    SSLCertificateKeyFile /hsphere/local/home/cpanel/apache/etc/ssl.key/server.key
    
    At the end of this block add the following line:
    SSLCACertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca-bundle.crt
    Note: If you are installing Comodo certificate, skip adding the above line. Instead, download the bundle file from this page, save this bundle file as /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt and add the following line to httpd.conf (as at the previous step):
    SSLCertificateChainFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt
  18. Open the file hsphere.properties:
    # vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
    and change lines:
    CP_PORT = 8080
    CP_PROTOCOL=https://
    to:
    CP_PORT = 8443
    CP_PROTOCOL=https://
  19. Restart H-Sphere.
  20. Check the log file:
    # vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log

 

Disabling HTTP access.

We don't recommend disabling HTTP access, because it is required by SiteStudio. Still, if you have chosen to disable http, do the following:

  1. Open the file ~cpanel/apache/etc/httpd.conf
  2. If you would like to exclude http access and use only secure connections, comment out the line "Listen 8080" in the block IfDefine SSL.
  3. Restart H-Sphere.

 

Switching Between IP and Domain Name

You can't have your control panel available both by domain name and IP address. You can have only one. To switch between IP and domain name control panel access:

  1. Open the /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties file.
  2. Set the value of CP_HOST to your new CP URL/IP. Make sure not to change the value of the PATH_SITE_STUDIO property.
  3. Save and exit the file.
  4. Restart H-Sphere.

Related Docs:   Securing Reseller Control Panels With SSL Installing Shared SSL Certificates Securing Transferred Data through SSL (User guide)







Home   Products   Services   News
© Copyright. . PSOFT. All Rights Reserved. Terms | Site Map