Securing the Network in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
The following procedures show how to configure web servers to use the SSL kernel proxy:
How to Configure an Apache 2.2 Web Server to Use the SSL Kernel Proxy
How to Configure an Oracle iPlanet Web Server to Use the SSL Kernel Proxy
How to Configure the SSL Kernel Proxy to Fall Back to the Apache 2.2 SSL
The SSL kernel proxy can improve the speed of SSL packet processing on an Apache 2.2 web server. This procedure implements the simple scenario that is illustrated in Figure 3-1.
Before You Begin
You have configured an Apache 2.2 web server. This web server is included in Oracle Solaris.
You must assume the root role.
# svcadm disable svc:/network/http:apache22
If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for the SSL kernel proxy.
If the SSLCertificateKeyFile parameter is also specified, then you must combine the certificate file and the private key file. Run a command similar to the following to combine the files:
# cat cert.pem key.pem > cert-and-key.pem
See the ksslcfg(1M) man page for the full list of options. The parameters that you must supply follow:
key-format – Used with the -f option to define the certificate and key format. For the SSL kernel proxy, the supported formats are pkcs11, pem, and pkcs12.
key-and-certificate-file – Used with the -i option to set the location of the file that stores the server key and the certificate for the pem and pkcs12 key-format options.
password-file – Used with the -p option to obtain the password used to encrypt the private key for the pem or pkcs12 key-format options. For pkcs11, the password is used to authenticate to the PKCS #11 token. You must protect the password file with 0400 permissions. This file is required for unattended reboots.
token-label – Used with the -T option to specify the PKCS #11 token.
certificate-label – Used with the -C option to select the label in the certificate object in the PKCS #11 token.
proxy-port – Used with the -x option to set the SSL proxy port. You must specify a different port from the standard port 80. The web server listens on the SSL proxy port for unencrypted plaintext traffic. Typically, the value is 8443.
ssl-port – Specifies the listening port for the SSL kernel proxy. Typically, the value is 443.
Specify the SSL proxy port and associated parameters by using one of the following formats:
# ksslcfg create -f key-format -i key-and-certificate-file \
    -p password-file -x proxy-port ssl-port

# ksslcfg create -f pkcs11 -T PKCS#11-token -C certificate-label \
    -p password-file -x proxy-port ssl-port
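Before running ksslcfg, a few of the requirements listed above (a combined certificate-and-key file for the pem format, a 0400 password file with a single passphrase and no white space, a proxy port that is neither 80 nor the SSL port) can be checked mechanically. The following pre-flight script is an added example, not part of the Oracle documentation; it assumes a POSIX sh with ls, grep, wc and cut, and builds its own constructed sample files with placeholder PEM bodies rather than real keys.

```shell
#!/bin/sh
# Pre-flight checks for ksslcfg inputs (added example; assumes POSIX sh).

# A combined file for "ksslcfg -f pem -i" must carry the certificate and the
# private key. Returns 0 if both PEM blocks are present, 1 or 2 otherwise.
kssl_check_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 2
    return 0
}

# The password file must be mode 0400 and hold one line with no white space
# (ksslcfg reads it unattended at boot, and the passphrase cannot contain
# white space). Returns 0 on success, 1 bad mode, 2 extra lines, 3 white space.
kssl_check_passfile() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "r--------" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 2
    if grep -q '[[:space:]]' "$1"; then return 3; fi
    return 0
}

# The proxy port (-x) carries plaintext to the web server: it must not be the
# standard port 80 and must differ from the SSL listening port.
kssl_check_ports() {
    [ "$1" -ne 80 ] 2>/dev/null || return 1
    [ "$1" -ne "$2" ] 2>/dev/null || return 2
    return 0
}

# Build constructed sample files in directory "$1" (placeholder PEM bodies,
# not real keys), combining them the way the procedure does with cat.
kssl_make_samples() {
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n' > "$1/cert.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n' > "$1/key.pem"
    cat "$1/cert.pem" "$1/key.pem" > "$1/cert-and-key.pem"
    chmod 644 "$1/cert.pem"
    echo "RefrigeratorsAreCool" > "$1/kssl.pass"; chmod 400 "$1/kssl.pass"
    echo "has a space" > "$1/bad.pass"; chmod 400 "$1/bad.pass"
}
```

Run the three checks against the real cert-and-key.pem, password file and port pair before invoking ksslcfg; a non-zero return identifies which requirement is unmet.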
# svcs svc:/network/ssl/proxy
STATE          STIME    FMRI
online         02:22:22 svc:/network/ssl/proxy:default
The following output indicates that the service instance was not created:
svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances
STATE          STIME    FMRI
Edit the /etc/apache2/2.2/httpd.conf file and add a line to define the SSL proxy port. If you specify the server's IP address, the web server listens on that interface only. The line is similar to the following:
Listen proxy-port
The web server service can start only after the SSL kernel proxy instance is started. The following commands establish that dependency:
# svccfg -s svc:/network/http:apache22
svc:/network/http:apache22> addpg kssl dependency
...apache22> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
...apache22> setprop kssl/grouping = astring: require_all
...apache22> setprop kssl/restart_on = astring: refresh
...apache22> setprop kssl/type = astring: service
...apache22> end
# svcadm enable svc:/network/http:apache22
The SSL kernel proxy can improve the speed of SSL packet processing on an Oracle iPlanet Web Server. This procedure implements the simple scenario that is illustrated in Figure 3-1.
Before You Begin
You have installed and configured an Oracle iPlanet Web Server. The server can be downloaded from Oracle iPlanet Web Server. For instructions, see Oracle iPLANET WEB SERVER 7.0.15.
You must become an administrator who is assigned the Network Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Use the administrator web interface to stop the server. For instructions, see Oracle iPLANET WEB SERVER 7.0.15.
See the ksslcfg(1M) man page for the full list of options. For the list of parameters that you must supply, see Step 3 in How to Configure an Apache 2.2 Web Server to Use the SSL Kernel Proxy.
Specify the SSL proxy port and associated parameters by using one of the following formats:
# ksslcfg create -f key-format -i key-and-certificate-file \
    -p password-file -x proxy-port ssl-port

# ksslcfg create -f pkcs11 -T PKCS#11-token -C certificate-label \
    -p password-file -x proxy-port ssl-port

# svcs svc:/network/ssl/proxy
STATE          STIME    FMRI
online         02:22:22 svc:/network/ssl/proxy:default
For instructions, see Oracle iPLANET WEB SERVER 7.0.15.
The web server service can start only after the SSL kernel proxy instance is started. The following commands establish that dependency, assuming the FMRI of the web server service is svc:/network/http:webserver7:
# svccfg -s svc:/network/http:webserver7
svc:/network/http:webserver7> addpg kssl dependency
...webserver7> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
...webserver7> setprop kssl/grouping = astring: require_all
...webserver7> setprop kssl/restart_on = astring: refresh
...webserver7> setprop kssl/type = astring: service
...webserver7> end
# svcadm enable svc:/network/http:webserver7
In this procedure, you configure an Apache 2.2 web server from scratch and configure the SSL kernel proxy as the primary SSL session handling mechanism. When the set of SSL ciphers that the client offers does not include a cipher that the SSL kernel proxy offers, the Apache 2.2 web server serves as the fallback mechanism. This procedure implements the complex scenario that is illustrated in Figure 3-2.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
The following command generates a CSR and associated private key for the SSL kernel proxy:
# cd /root
# openssl req \
> -x509 -new \
> -subj "/C=CZ/ST=Prague region/L=Prague/CN=`hostname`" \
> -newkey rsa:2048 -keyout webkey.pem \
> -out webcert.pem
Generating a 2048 bit RSA private key
.+++
........+++
writing new private key to 'webkey.pem'
Enter PEM pass phrase: JohnnyCashIsCool
Verifying - Enter PEM pass phrase: JohnnyCashIsCool
#
# chmod 440 /root/webcert.pem ; chown root:webservd /root/webcert.pem
For more information, see the openssl(5) man page.
# echo "RefrigeratorsAreCool" > /root/kssl.pass
# chmod 440 /root/kssl.pass; chown root:webservd /root/kssl.pass
Note - The passphrase cannot contain white space.
# cat /root/webcert.pem /root/webkey.pem > /root/webcombo.pem
# ksslcfg create -f pem -i /root/webcombo.pem -x 8443 -p /root/kssl.pass 443
Edit the Listen line in the /etc/apache2/2.2/httpd.conf file.
# pfedit /etc/apache2/2.2/httpd.conf
...
## Listen 80
Listen 8443
# cp /etc/apache2/2.2/samples-conf.d/ssl.conf /etc/apache2/2.2/ssl.conf
This module adds listening on port 443 for encrypted connections.
# pfedit /root/put-passphrase.sh
#!/usr/bin/ksh -p
## Reads SSL kernel proxy passphrase
/usr/bin/cat /root/kssl.pass

# chmod 500 /root/put-passphrase.sh
# chown webservd:webservd /root/put-passphrase.sh

# pfedit /etc/apache2/2.2/ssl.conf
...
## SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/root/put-passphrase.sh
The values of the SSLCertificateFile and SSLCertificateKeyFile parameters in the ssl.conf file contain the expected placement and names. You can copy or link the certificates to the correct location.
# ln -s /root/webcert.pem /etc/apache2/2.2/server.crt    (SSLCertificateFile default location)
# ln -s /root/webkey.pem /etc/apache2/2.2/server.key     (SSLCertificateKeyFile default location)
# svcadm enable apache22
Use the openssl s_client and kstat commands to view the packets.
# openssl s_client -cipher RC4-SHA -connect web-server:443
An increase of 1 in the kstat counter kssl_full_handshakes verifies that the SSL session was handled by the SSL kernel proxy.
# kstat -m kssl -s kssl_full_handshakes
# openssl s_client -cipher CAMELLIA256-SHA -connect web-server:443
An increase of 1 in the kstat counter kssl_fallback_connections verifies that the packet arrived but the SSL session was handled by the Apache web server.
# kstat -m kssl -s kssl_fallback_connections
Example 3-1 Configuring an Apache 2.2 Web Server to Use the SSL Kernel Proxy
The following command creates a service instance for the SSL kernel proxy that uses the pem key format:
# ksslcfg create -f pem -i cert-and-key.pem -p kssl.pass -x 8443 443
The SSL kernel proxy works in zones with the following limitations:
All of the kernel SSL administration must be done in the global zone. The global zone administrator needs access to the local zone certificate and key files. The local zone web server can be started after the service instance is configured by using the ksslcfg command in the global zone.
A specific host name or IP address must be specified with the ksslcfg command when you configure the instance. In particular, the instance cannot specify INADDR_ANY for the IP address.
Before You Begin
The web server service is configured and enabled in the non-global zone.
You must become an administrator who is assigned the Network Security and Zone Management rights profiles. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
For example, to stop an Apache web server in the apache-zone zone, run the following command:
apache-zone # svcadm disable svc:/network/http:apache22
To create a service instance for the apache-zone, use a command similar to the following:
# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem \
    -p /zone/apache-zone/root/skppass -x 8443 apache-zone 443
For example, enable the web service in apache-zone.
apache-zone # svcadm enable svc:/network/http:apache22