A RepositorySettings files needs to be available to all components in a Bit Repository system, as it describes the contract for the system.
The RepositorySettings format is specified in the RepositorySettings.xsd schema definition.
For at template including desciptions of the individual elements see these example RepositorySettings.
Not all parts of the settings file are relevant for all components, so irrelevant parts may be removed when distributed to the different components. This may introduce errors, so it is recommended to distribute the full RepositorySettings file to all repository participants.
See ReferenceSettings at GitHub, showing how the ReferenceSettings file should be defined.
Certificate Creation
The following is an instruction on how to create the certificates needed in the collection settings.
Certificates are used intensively throughout a Bit Repository system for authentication and authorization. The rules for using the certificates are specified in the RepositorySettings.
The general organizational policy for creating and managing certificates should be used for Bit Repository systems.
Self-signed CertificatesFor test and development purposes self-signed certificated can be used. The following describes how to create self-signed certificates for test purposes.
# For HTTPS servers remember to put the # server FQDN in the CN. KEY="$CN.key" CSR="$CN.csr" CRT="$CN.crt" # Generate key openssl genrsa -out "$KEY" 1024 || exit 1 # Certificate Signing Request (Remember to modify the signing request subject) openssl req -new -key "$KEY" -out "$CSR" -subj "/C=DK/O=TestOrganization/OU=TestDepartment/CN=$CN" || exit 1 # Self sign openssl x509 -req -days 1000 -in "$CSR" -out "$CRT" -signkey "$KEY" || exit 1
Optionally this can be packaged into a web browser friendly pkcs-12 file along with the server certificate:
openssl pkcs12 -export -in browser.crt -inkey browser.key -out browser.p12 -certfile /path/to/server.crt
See also Using SSL in Java
Creating a certificate authority for test
$ mkdir /path/to/ca/ # CA root $ mkdir /path/to/ca/ca.db.certs # Signed certificates $ touch /path/to/ca/ca.db.index # Index of signed certificates $ echo 01 > /path/to/ca/ca.db.serial # Next (sequential) serial number $ cp ca.conf /path/to/ca/ # Configuration file (see below) $ cd /path/to/ca $ openssl genrsa -out ca.key 1024 # Generate CA private key $ openssl req -new -key ca.key \ -out ca.csr # Create Certificate Signing Request $ openssl x509 -req -days 10000 \ -in ca.csr \ -out ca.crt \ -signkey ca.key # Create self-signed certificate
ca.conf:
[ ca ] default_ca = ca_default [ ca_default ] dir = ./ca certs = $dir new_certs_dir = $dir/ca.db.certs database = $dir/ca.db.index serial = $dir/ca.db.serial RANDFILE = $dir/ca.db.rand certificate = $dir/ca.crt private_key = $dir/ca.key default_days = 365 default_crl_days = 30 default_md = md5 preserve = no policy = generic_policy [ generic_policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
Creating and signing webserver certificate:
$ openssl genrsa -out server.key 1024 # Create private/public key pair for server $ openssl req -new -key server.key \ -out server.csr # Create certificate signing request # (Remember: Common name *MUST* match server address) $ openssl ca -config ca.conf \ -in server.csr \ -cert ca.crt \ -keyfile ca.key \ -out server.crt # Sign certificate request with CA certificate. # Create PEM file with the server key and certificate for use with lightttpd $ cat server.key server.crt > server.pem
Creating a client certificate for use with web browsers (remember it will also usually need the CA certificate used in signing):
# openssl genrsa -out client.key 1024 # Generate public/private key for client # openssl req -new -key client.key \ -out client.csr # Create certificate signing request # openssl ca -config ca.conf \ -in client.csr \ -cert ca.crt \ -keyfile ca.key \ -out client.crt # Sign certificate # openssl pkcs12 -export -clcerts \ -in client.crt \ -inkey client.key \ -out client.p12 # Create PKCS12 keystore for use with web browsers
References:
Client certificates with apache