
Payment gateway implementation:

The standard process to implement real-time payment processing is:

1) To obtain an online merchant account for a particular credit card from a bank;
2) To select a payment gateway that will process the credit card information; and
3) To integrate your website with the payment gateway.

SSL stands for Secure Sockets Layer.

SSL is a method of encryption that is used to protect sensitive data as it is
passed across the internet.

I want to integrate my website with a payment gateway, so I have to write a shopping cart
program.

How do I configure Apache 2 for SSL?

For 8.1: by hand, following the apache and mod_ssl documentation. With later packages:


1. place your server certificates in /etc/apache2/ssl*/ so the locations match
up with /etc/apache2/ssl.conf or run /usr/bin/gensslcert2 to create dummy
certs
2. add "ssl" to APACHE_MODULES and "SSL" to
APACHE_SERVER_FLAGS in /etc/sysconfig/apache2

There is no mod_ssl RPM for apache2: The module is no longer a problem with regard to
export restrictions and, in addition, mod_ssl has been included into the Apache base
distribution.

How to set up SSL with Apache 2 on SuSE 9.1

Installation

On SuSE 9.1, when you install your software, in YAST2, search for apache. Install all the
apache2 items and none of the plain apache ones. If you are not running SuSE, the
directory locations may change. Be sure to run the online update in Yast2 because there
have been many fixes to both Apache and OpenSSH. If you use php, I have seen Web
pages that advise upgrading to the latest versions.
In Yast2 you can configure the non-SSL server in Network Services/HTTP server. Do not
turn on SSL in the default host or else the non-ssl host (on port 80) will try to look for
certificates. Also, if you have the SuSE firewall turned on, be sure to allow port 443 (or
the port you choose for SSL) through the firewall.

Starting Apache 2 automatically


As root,
cd /etc/init.d
and do
insserv apache2

This will insert apache 2 in the correct startup and shutdown scripts.

Overall guidance
There is a good quick start document in
/usr/share/doc/packages/apache2/README.QUICKSTART.SSL

But it is not quite enough to do the job.

Getting a certificate
If you installed all the apache2 modules, the manual should be available on your
machine. Go to
http://localhost/manual/ssl/ssl_faq.html#aboutcerts
and either get a "real" certificate or create your own following the instructions there.

Eric Busse gave the following hints about generating your own certificate:

As opposed to manually creating a cert you can do the following

/usr/bin/gensslcert2 (claims SuSE) however in my experience it's actually:

/usr/bin/gensslcert

Shamelessly lifted from: http://portal.suse.com/sdb/en/2003/01/apache2-faq.html#ssl

If you are not going to be at the console whenever your computer reboots, follow the
instructions for using an unencrypted (but protected) server key. Be sure it is protected
with access permissions 400.

If you run gensslcert, you should look at the man page and run it with all of the
arguments.

These options are recognized:           Default:

-C  Common name                         "$name"
-N  comment                             "$comment"
-c  country (two letters, e.g. DE)      $C
-s  state                               $ST
-l  city                                $L
-o  organisation                        "$O"
-u  organisational unit                 "$U"
-n  fully qualified domain name         $CN (\$FQHOSTNAME)
-e  email address of webmaster          webmaster@$CN
-y  days server cert is valid for       $srvdays
-Y  days CA cert is valid for           $CAdays
-d  run in debug mode
-h  show usage

For example:

/usr/bin/gensslcert -c US -s TN -l "Oak Ridge" -o Your_organization \
    -e your_name@your_isp.com -d -n 192.168.1.10

In particular the CN field is critical because it must be identical to the

ServerName 192.168.1.10

in the virtual host file (discussed later).

gensslcert will put the certificates in the correct directories. If you get a "real" certificate,
install the server key in

/etc/apache2/ssl.key/server.key
and the server certificate in
/etc/apache2/ssl.crt/server.crt

Configuration

As root, you will need to edit several files.

/etc/sysconfig/apache2:
Add ssl to
APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env
expires include log_config mime negotiation setenvif status suexec userdir ssl"

Add the server flag SSL to turn on the SSL module configuration file
(/etc/apache2/ssl.conf)
APACHE_SERVER_FLAGS="-D SSL"

Increase the startup timeout to allow a password entry if necessary


APACHE_START_TIMEOUT="5"

In /etc/apache2/vhosts.d,

cp vhost-ssl.template vhost-ssl.conf
You can also copy the vhost.template file to vhost.conf if you want a non-ssl server.

Then edit vhost-ssl.conf.

/etc/apache2/vhosts.d/vhost-ssl.conf:

You must configure the virtual directory for the server. You can put all the access control
directives and the document root here.

#
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/www/secdocs"
# The ServerName must be identical to the -n field in your certificate

ServerName 192.168.1.10
ServerAdmin your@email.address
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

#Access controls for a directory called noCTRP


<directory /srv/www/secdocs/noCTRP>
AuthType Basic
AuthName "Password Required"
# The file for the passwords for this directory
AuthUserFile /srv/www/passwords/password.noCTRP
require user security
Options Indexes FollowSymLinks
</directory>

There seems to be another problem that several other frustrated people have run across.
In spite of putting the

APACHE_SERVER_FLAGS="-D SSL"

in /etc/sysconfig/apache2 file, the system seems to ignore the directive. You can see if
this is the case on your system.

As root run

JARDELL:SuSEconfig

JARDELL:/etc/apache2 # httpd2 -D SSL -S


VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 192.168.1.10 (/etc/apache2/vhosts.d/vhost-ssl.conf:27)
*:80 192.168.1.10 (/etc/apache2/vhosts.d/vhost.conf:1)
Syntax OK
If you do not see the vhost-ssl.conf file, something is rotten in Denmark.

To aid in determining what is happening, you can also raise the error logging level in
/etc/sysconfig/apache2:

APACHE_LOGLEVEL="debug"

This will let you see what the ServerName in the certificate is. If this name is not
identical to the one in the vhost-ssl.conf file, apache2 will not start in SSL mode!

Starting your server


As root run
rcapache2 start
This command can also be used to restart or stop your server.
Your server should be listening to port 443 on your host.

Be sure to place an index.html file in the main document directory, in my case
/srv/www/secdocs.
If you have comments or suggestions, e-mail me at jar@ornl.gov


Steps for a VeriSign SSL certificate.

Trial:
http://www.verisign.com/support/ssl-certificates-support/install-ssl-certificate.html

Apache SSL certificate: VeriSign SSL with Extended Validation.
http://www.verisign.com/support/ssl-certificates-support/extended-validation/apache.html

Configure SSL for Apache2 on Debian 3.1 (sarge)
Authors: Brusten Philip & Van der Velpen Jan
Last modified: Monday, 07-Nov-2005 14:45:41 CET

This small guide describes a simple configuration to use SSL for Apache2 httpd 
on Debian GNU/Linux 3.1 (Sarge). At this point you should already have a 
running Apache2 on your Debian system. With some minor modifications you 
should be able to use this guide for any Apache2 running on any OS.

Configuration
NOTE: if you want to use a self-signed certificate you can run the Debian-specific
command apache2-ssl-certificate. It will create a private key and a matching
self-signed certificate. Else you should create a private key and a certificate yourself
(it is recommended to create a certificate signing request and let a commercial
CA sign it so browsers will trust the webserver by default). See this list of SSL
commands to do that.

1. Make a copy of /etc/apache2/sites-available/default in the same directory.
Call it something like ssl.

root# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

2. Make a symlink to this new site configuration from /etc/apache2/sites-enabled/.
Notice that this is already done for default.

root# ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/

3. Make apache load and configure the SSL module.

root# ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/
root# ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/

4. Add a Listen 443 directive to /etc/apache2/ports.conf 

5. Now edit /etc/apache2/sites-available/ssl:

NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
...
</VirtualHost>

If you are not using a self-signed certificate (which is highly
recommended), then don't forget to add one of these lines so your
webserver can send the full certificate chain to the client (this is usually
required for a browser/client to trust the server):

SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
OR
SSLCACertificatePath /full/path/to/apache/conf/certs

note: the correct Ben-SSL directive is SSLCACertificateFile or
SSLCACertificatePath

Restart Apache2:

root# /etc/init.d/apache2 restart
Restarting apache.

HTTPS should work now. Try: https://hostname/

SSL configuration on Apache.

Creating Certificate and Key for SSL


1. Create RSA Private Key.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted
using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

$ openssl genrsa -des3 -out server.key 1024

The command will prompt you for a pass-phrase and then store the key in the file server.key. It is
critical that the pass-phrase be secure and not forgotten. If either the key is lost, or the
pass-phrase is forgotten, the certificate will be useless! You might want to consider using an empty
passphrase so Apache can restart on its own without a pass-phrase. Check the web for
documentation on best practices.

2. Generating Certificate Signing Request (CSR)

Once the private key is generated a Certificate Signing Request can be generated.

$ openssl req -new -key server.key -out server.csr

During the generation of the CSR, you will be prompted for several pieces of information.
A sample CSR generation session is shown below,

$ openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:Enter pass phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request. Make sure your common name is your
hostname (as defined in your URL, to avoid SSL warnings)

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Hampshire
Locality Name (eg, city) []:Nashua
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain.com, Inc.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:webmaster@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:

3. Generating or Obtaining a Certificate

At this point you can choose to generate a self-signed certificate, or obtain a certificate from a
certification authority. The second option is preferable as it will provide a higher level of trust to
users visiting your SSL secured pages.

To generate a self-signed certificate which is good for a year, issue the following command:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key \
    -out server.crt

Or, purchase and request an SSL certificate from a certificate vendor such as Thawte, GeoTrust or
Comodo using the csr generated above.

4. Copying the key and certificate to the destination point.

1. Make a folder (ssl.crt) under apache/conf and copy the certificate there.

[root@bfc12 root]# cd /usr/local/apache2/conf
[root@bfc12 conf]# mkdir ssl.crt
[root@bfc12 conf]# cp server.crt ssl.crt/

2. Make another folder (ssl.key) under apache/conf and copy the key there.

[root@bfc12 root]# cd /usr/local/apache2/conf
[root@bfc12 conf]# mkdir ssl.key
[root@bfc12 conf]# cp server.key ssl.key/
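
Added example (not from any of the guides above): a pre-flight script for the points these guides stress, namely that the certificate CN must equal ServerName, that the key must belong to the certificate, and that the key file must be readable by its owner only. It also reports the key size, since 1024-bit RSA as generated above is below current practice. It assumes the openssl command-line tool and an unencrypted RSA key; the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate, key and vhost file
# before restarting Apache. Function names are this example's own.

cert_cn() {            # CN of the certificate subject
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

cert_key_bits() {      # public key size in bits, e.g. 1024 or 2048
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

vhost_servername() {   # first ServerName in the vhost file, any :port removed
    awk 'tolower($1) == "servername" { print $2; exit }' "$1" | sed 's/:[0-9]*$//'
}

key_matches_cert() {   # usage: key_matches_cert CERT KEY (assumes an unencrypted key)
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -passin pass: -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

key_is_private() {     # true when group and others have no permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_ssl_vhost() {    # usage: check_ssl_vhost CERT KEY VHOST_CONF
    rc=0
    cn=$(cert_cn "$1")
    sn=$(vhost_servername "$3")
    bits=$(cert_key_bits "$1")
    if [ -z "$cn" ] || [ "$cn" != "$sn" ]; then
        echo "FAIL: certificate CN '$cn' differs from ServerName '$sn'"; rc=1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "FAIL: $2 is not the private key for $1"; rc=1
    fi
    if ! key_is_private "$2"; then
        echo "FAIL: $2 is accessible to group or others (use chmod 400)"; rc=1
    fi
    if [ "${bits:-0}" -lt 2048 ]; then   # threshold assumes RSA keys, as on this page
        echo "FAIL: ${bits:-unknown}-bit key; current practice is RSA 2048 or larger"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 matches $2 and ServerName $sn"
    return "$rc"
}

# Run the checks when called as: sh check.sh CERT KEY VHOST_CONF
if [ "$#" -eq 3 ]; then
    check_ssl_vhost "$@"
fi
```

Current browsers match the host name against the certificate's subjectAltName entries rather than the CN, so a certificate issued today should carry the same name there as well.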

Configure httpd.conf for SSL

Some changes need to be made in httpd.conf for SSL.
(httpd.conf can be found under the Apache installation, e.g. /usr/local/apache2/conf/httpd.conf)

1. Search for the following line and uncomment it if it is commented out.

LoadModule ssl_module modules/mod_ssl.so

2. Search for the following lines. If they are not present or are commented out, add or
uncomment them.

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>

Configure ssl.conf for SSL

Some changes need to be made in ssl.conf for SSL.
(ssl.conf can be found under the Apache installation, e.g. /usr/local/apache2/conf/ssl.conf)

1. Comment out the following lines.

#<IfDefine SSL>
--------
--------[ Keep the code between these tags as is. Do not comment it.]
--------
#</IfDefine>

2. Make sure Apache is listening on port 443, so the following line should be present.

Listen 443

3. Create one virtual host for port 443.

<VirtualHost servername:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName servername:443
ServerAdmin webmaster@domain.com
ErrorLog /usr/local/apache2/logs/error_log
LogLevel info
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

Payment gateway :
From: "Boyle Owen" <Owen.Bo...@swx.com>
Subject: RE: [users@httpd] multiple vhosts on port 80 and port 443
Date: Thu, 19 Oct 2006 13:16:34 GMT
> -----Original Message-----
> From: joe pond [mailto:digger920@hotmail.com]
> Sent: Thursday, October 19, 2006 2:59 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] multiple vhosts on port 80 and port 443
>
> I noticed on 10/19/2006 several postings about this. I may have included too
> much stuff but some folks may need the info.
>
> The following configuration setup enables me to have multiple vhosts on port
> 80 and multiple vhosts on port 443 and I can require login/password or not
> for either port 80 or port 443.
>
> The non-matching server name on the 2nd 443 host would seem to be
> resolvable by creating another certificate with that server's name in it but
> I have not tried that yet.

Don't bother - it won't work. As masro says, the SSL channel is
established first - before the server gets the Host header that it needs
for NameVirtualHost resolution. So the server will always use the certs
from the first SSL VH to set up the connection.

Check the archive for SSL NBVH - it's been gone over a million times
already...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> HTH
>
> digger920
>
>
> Apache2.2.X, SSL, Vhosts
>
> I use include files to make troubleshooting a bit easier.
> This is a WAMP server BTW.
>
> In httpd.conf
>
> Listen 192.168.10.4:80
> Listen 192.168.10.4:443
>
> LoadModule ssl_module modules/mod_ssl.so
>
>
>
> # Virtual hosts
> Include conf/extra/httpd-vhosts.conf
>
> # Secure (SSL/TLS) connections
> Include conf/extra/httpd-ssl.conf
>
> <IfModule ssl_module>
> SSLMutex default
> SSLSessionCache none
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> ========================
>
> In httpd-vhosts.conf
>
> NameVirtualHost *:80
>
> <VirtualHost *:80>
> ServerAdmin whoever@where-ever
> ServerName juneau
> DocumentRoot "C:/Server/Apache2.2/htdocs"
>
> #ErrorLog logs/dummy-host.example.com-error_log
> #CustomLog logs/dummy-host.example.com-access_log common
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerAdmin whoever@where-ever
> ServerName ASite
> #ServerAlias Test1
> DocumentRoot "C:/Server/Apache2.2/htdocs/www/A-Site"
>
> #ErrorLog logs/dummy-host2.example.com-error_log
> #CustomLog logs/dummy-host2.example.com-access_log common
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerAdmin whoever@where-ever
> ServerName secure
> DocumentRoot "C:/Locked"
> <Directory /Locked>
> AuthType Basic
> AuthName "Locked Test"
> AuthUserFile C:/Server/Apache2.2/htdocs/passwords/pwrd
> Require user testuser
> Order allow,deny
> Allow from all
> </Directory>
> #ErrorLog logs/dummy-host2.example.com-error_log
> #CustomLog logs/dummy-host2.example.com-access_log common
> </VirtualHost>
>
> ==================================
>
> In httpd-ssl.conf
>
> NameVirtualHost *:443
>
> ## SSL Global Context
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> SSLSessionCache shmcb:c:/server/apache2.2/logs/ssl_scache(512000)
> SSLSessionCacheTimeout 300
>
> ## SSL Virtual Host Context
>
> <VirtualHost *:443>
>
> # General setup for the virtual host
> ServerName juneau
> ServerAdmin whoever@where-ever
> DocumentRoot "c:/SecureToo/"
>
> <Directory /SecureToo>
> Order allow,deny
> Allow from all
> </Directory>
>
>
> ErrorLog c:/server/apache2.2/logs/vhost_SSL_error_log.log
> TransferLog c:/server/apache2.2/logs/vhost_SSL_access_log.log
>
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile c:/server/apache2.2/conf/ssl/juneau.crt
>
> SSLCertificateKeyFile c:/server/apache2.2/conf/ssl/juneau.key
>
> SSLCertificateChainFile c:/server/apache2.2/conf/ssl/juneau.crt
>
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
> SSLOptions +StdEnvVars
> </FilesMatch>
> <Directory "c:/server/apache2.2/cgi-bin">
> SSLOptions +StdEnvVars
> </Directory>
>
> BrowserMatch ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> CustomLog c:/server/apache2.2/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerAdmin whoever@when-ever
> ServerName secure
> DocumentRoot "C:/Locked/"
> <Directory /Locked>
> AuthType Basic
> AuthName "Locked Test"
> AuthUserFile C:/Server/Apache2.2/htdocs/passwords/pwrd
> Require user jpond
> Order allow,deny
> Allow from all
> </Directory>
> #ErrorLog logs/dummy-host2.example.com-error_log
> #CustomLog logs/dummy-host2.example.com-access_log common
> </VirtualHost>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
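
The reply above explains why only the first SSL virtual host's certificate is ever presented when name-based virtual hosts share port 443 (a server or client without SNI). The following script is an added example, not part of the thread: it audits a configuration for that situation and for two other issues visible in the quoted files, a 443 vhost with no SSLEngine on and an SSLCipherSuite that leaves weak classes enabled. The function names and the trimmed sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the :443 virtual hosts of an
# Apache configuration. Reads the files given as arguments, or stdin.

audit_ssl_vhosts() {   # prints one WARN line per finding
    awk '
    function report() {
        if (!in443) return
        n++
        if (n == 1) first = name
        else print "WARN " name ": chosen by Host header after the handshake; clients see the certificate of " first
        if (!engine) print "WARN " name ": listens on 443 but has no SSLEngine on"
        if (weak != "") print "WARN " name ": weak SSLCipherSuite tokens:" weak
        in443 = 0
    }
    { d = tolower($1) }
    d == "<virtualhost" && $2 ~ /:443>$/ {
        in443 = 1; name = "(unnamed)"; engine = 0; weak = ""; next
    }
    d == "</virtualhost>" { report(); next }
    !in443 { next }
    d == "servername" { name = $2 }
    d == "sslengine" && tolower($2) == "on" { engine = 1 }
    d == "sslciphersuite" {
        # Token-level heuristic, not a full OpenSSL cipher-string evaluation:
        # flag any token that names a weak class and is not excluded with ! or -.
        k = split($2, tok, ":")
        for (i = 1; i <= k; i++)
            if (tok[i] !~ /^[!-]/ && tok[i] ~ /(SSLv2|EXP|eNULL|aNULL|ADH|LOW|RC4)/)
                weak = weak " " tok[i]
    }
    ' "$@"
}

sample_conf() {        # constructed sample, trimmed from the configuration quoted above
    cat <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName juneau
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName juneau
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile c:/server/apache2.2/conf/ssl/juneau.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName secure
    DocumentRoot "C:/Locked/"
</VirtualHost>
EOF
}

# Audit the named files, or the embedded sample when none are given.
if [ "$#" -gt 0 ]; then
    audit_ssl_vhosts "$@"
else
    sample_conf | audit_ssl_vhosts
fi
```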
