Wednesday Jan 24, 2007

New Web Server GUI



WS6.1 to WS7.0 Administration GUI Mapping




    Sun Java System Web Server 7.0 has a brand new administration Graphical User Interface (GUI) with a different look and feel from the Sun ONE Web Server 6.1 GUI. I've put together this post by comparing administration tasks in the WS6.1 GUI with their equivalents in the WS7.0 GUI. It is meant mainly to guide users moving from WS6.1 to SJSWS 7.0 and to help new users familiarise themselves with the new administration GUI.


Note:
1) All tasks for Sun Java System Web Server 7.0 are performed after logging into the Administration GUI.
2) The detailed navigation path is given for SJSWS 7.0.
3) Configuration changes have to be deployed before they take effect on the instances.


Contents:
  1. Administration Server Tasks
  2. Servers (Configurations & Instances)
  3. Server management
  4. Virtual Servers
  5. Certificates, Tokens, CRLs, Enabling SSL
  6. Monitoring
  7. Miscellaneous




Administration Server Tasks:

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Shut down Admin server
  WS6.1: Preferences -> Shut down
  WS7.0: Nodes -> Select Administration Server -> General -> Stop
         To restart: Nodes -> Select Administration Server -> General -> Restart

Edit listen sockets
  WS6.1: Preferences -> Edit Listen Sockets -> ls1
  WS7.0: To edit the SSL port: Nodes -> Select Administration Server -> General -> SSL Port
         To edit the HTTP (non-SSL) port: Nodes -> Select Administration Server -> General -> Admin Server Preferences -> HTTP Port

Edit Server user
  WS6.1: Preferences -> Server Settings -> Admin Server user
  WS7.0: Nodes -> Select Administration Server -> General -> Server user

Username and Password
  WS6.1: Preferences -> Server Settings -> Superuser Access Control -> 1) Username 2) Password
  WS7.0: Nodes -> Select Administration Server -> General -> Administration Server Preferences -> 1) UserName 2) Change Password

View logs
  WS6.1: Preferences -> View Access Log
         Preferences -> View Error Log
  WS7.0: Common Tasks -> View Logs -> View Administration Server logs -> Select Access/Error from the drop-down menu
         or Nodes -> View Logs
         or Nodes -> Select Administration Server -> General -> View Logs

Logging options
  WS6.1: Preferences -> Access Logging Options
         Preferences -> Error Logging Options
  WS7.0: Nodes -> Select Administration Server -> General -> Log Level

Security
  WS6.1: Security
  WS7.0: The Administration Server is already SSL enabled. To view its certificates: Nodes -> Select Administration Server -> Certificates
         To renew: Nodes -> Select Administration Server -> Certificates -> Renew Certificates

Tokens
  WS6.1: Security -> Change Password
  WS7.0: Nodes -> Select Administration Server -> Certificates -> Token Password Management

Cluster Management
  WS6.1: Security -> Cluster Management
  WS7.0: Register the node's agent with the Administration Server through the CLI, then create an instance on it:
         Common Tasks -> New Instance
         In the New Instance wizard: Select configuration -> Select the node on which the instance has to be created

SNMP
  WS6.1: Global Settings -> SNMP Master Agent Control
         Servers -> Manage Servers -> Select server -> Manage -> Monitor -> SNMP Subagent Control
  WS7.0: Nodes -> Select Administration Server -> SNMP -> Start/Stop Master Agent and Subagent




Servers (Configurations & Instances):

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Server Management
  WS6.1: Servers -> Manage Servers
  WS7.0: Configurations -> Select config link (from table)

New Server
  WS6.1: Servers -> Add Server
  WS7.0: To create a new configuration:
         Common Tasks -> New Configuration (can create an instance also)
         or Configurations -> New
         To create a new instance:
         Common Tasks -> New Instance
         or Configurations -> Select config checkbox -> 'More Configurations Actions' menu -> New Instance
         or Configurations -> Select config -> Instances -> New

Remove Server
  WS6.1: Servers -> Remove Server
  WS7.0: To remove an instance:
         Configurations -> Select config -> Instances -> Select instance checkbox -> Delete
         or Nodes -> Select Node -> Instances -> Delete
         To remove a configuration:
         Configurations -> Select config checkbox -> 'More Configurations Actions' menu -> Delete configuration
         (This deletes the configuration's instances as well)

Migration
  WS6.1: Servers -> Migrate Server
  WS7.0: Common Tasks -> Migrate
         or Configurations -> Migrate






Server Management:

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Start/Stop server
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> On/Off
  WS7.0: Common Tasks -> Select config -> Start/Stop Instances
         or Configurations -> Start/Stop instances for config
         or Configurations -> Select config -> Instances -> Start/Stop

Performance
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences ->
         Performance Tuning, Magnus Editor, File Cache Configuration, Thread Pools
  WS7.0: Configurations -> Select config link -> Performance
         Performance settings configured here: HTTP, DNS, SSL/TLS, Cache, CGI, Access Log Buffer

Listeners
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> 1) Add Listen Socket 2) Edit Listen Socket
  WS7.0: Configurations -> Select config link -> HTTP Listeners -> 1) New 2) Select HTTP Listener link

Mime Types
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> Mime Types
  WS7.0: Configurations -> Select config link -> General -> Mime Types

WebDAV Settings
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> Enable/Disable WebDAV
  WS7.0: Configurations -> Select config link -> General -> WebDAV

Logs
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Logs ->
         1) View Access Log, View Error Log
         2) Archive Log
         3) Access Log Preferences, Error Log Preferences
         4) Generate Report
  WS7.0: 1) Common Tasks -> View Logs
            or Configurations -> View Logs
            or Configurations -> Select config link -> Instances -> View Logs
            or Nodes -> View Logs
            or Nodes -> Select Node -> Instances -> View Logs
            then select the node, the Access/Server log, the config and the virtual server (if log preferences have been set for the virtual server)
         2) Configurations -> Select config link -> General -> Log Preferences -> Log Archiving
         3) Configurations -> Select config link -> General -> Log Preferences -> Server Log Preferences, Access Log Preferences
         4) (Missing: no equivalent in the 7.0 GUI)

Java
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Java ->
         1) Enable/Disable Servlets/JSP
         2) JVM General
         3) JVM Path Settings
         4) JVM Options
         5) JVM Profiler
         6) JDBC Connection Pools
         7) JDBC Resources
         8) Custom Resources
         9) External JNDI Resources
         10) Java Security
         11) Security Realms
  WS7.0: Common Tasks -> Select config -> Edit Java Settings
         or Configurations -> Select config link -> Java
         1) General
         2) General -> Java Home; JVM Settings -> Debug Java Settings
         3) General -> Path Settings
         4) JVM Settings -> JVM Options
         5) JVM Settings -> Profilers
         6) Resources -> JDBC Resources (create a new resource and edit it)
         7) Resources -> JDBC Resources
         8) Resources -> Custom Resources
         9) Resources -> External JNDI Resources
         10) Authentication -> Servlet Authentication
         11) Authentication -> Servlet Authentication
         New in 7.0:
         Mail Resources: Resources -> Mail Resources
         SOAP Authentication Providers: Authentication -> SOAP Authentication
         Lifecycle modules: Lifecycle Modules -> New
         Servlet container settings and session replication settings: Servlet Container and Session Replication tabs respectively

Access Control
  WS6.1: 1) Authentication Databases: Global Settings -> Configure Directory Service
         2) Users/Groups (new user/group, management): Users and Groups
         3) ACLs: Global Settings -> Restrict Access
  WS7.0: Configurations -> Select config link -> Access Control ->
         1) Authentication Databases
         2) Users, Groups
         3) Access Control Lists (ACL)

Advanced Settings
  WS6.1: -
  WS7.0: Configurations -> Select config link -> General -> Advanced
         Configuration information (Name, User, Platform, Temp directory), HTTP Settings, Localization

Summary
  WS6.1: -
  WS7.0: Common Tasks -> Select config -> View Summary
         or Configurations -> Select config link -> Summary







Virtual Servers :


Virtual Servers tab can be accessed from either of the following:

Common Tasks -> Select Virtual Server -> Edit Virtual Server

Configurations -> Select Config link -> Virtual Servers -> Select Virtual Server link


(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Add/Edit Virtual Servers
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Server -> 1) Add Virtual Server 2) Edit Virtual Server
  WS7.0: 1) Common Tasks -> New Virtual Server
            or Configurations -> Select Config link -> Virtual Servers -> New
         2) Common Tasks -> Select Virtual Server -> Edit Virtual Server

Web Applications
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Manage Virtual Servers -> Select Virtual Server -> Manage -> Web Applications
  WS7.0: Common Tasks -> Select Virtual Server -> Add Web Application
         or Configurations -> Select config link -> Virtual Servers -> Add Web Application
         or Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Web Applications

WebDAV
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Manage Virtual Servers -> Select Virtual Server -> Manage -> WebDAV
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> WebDAV

Search
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Manage Virtual Servers -> Select Virtual Server -> Manage -> Search
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Search

Logs
  WS6.1: 1) Settings: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Logging Settings
         2) View Virtual Server Logs: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Manage Virtual Servers -> Select Virtual Server -> Manage -> Preferences -> Status -> Select access/error log link
  WS7.0: 1) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> Log Preferences
         2) Common Tasks -> View Logs -> select the node, the Access/Server log, the config and the virtual server (if log preferences have been set for the virtual server)

ACLs
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> ACL Settings
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Access Control -> Access Control Lists (ACLs)

Quality of Service, Localization, P3P
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Quality of Service
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> General -> Quality of Service
         New in 7.0 (same page): Localization, P3P Settings

CGI
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager ->
         1) Chroot Settings (UNIX only): Virtual Servers -> CGI Settings
         2) CGI Directories: Programs -> CGI Directory
         3) CGI as file type: Programs -> CGI File Type
  WS7.0: Common Tasks -> Select Virtual Server -> CGI Directories
         or Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Content Handling -> CGI ->
         1) CGI Settings
         2) CGI Directories
         3) CGI Settings

Document Directories
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Content Mgmt ->
         1) Primary Document Directory
         2) Additional Document Directory
         3) User Document Directories
  WS7.0: 1) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> General
         2) and 3) Common Tasks -> Select Virtual Server -> Document Directories
            or Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Content Handling -> Document Directories ->
            2) New
            3) User Document Directories

Content Handling (Miscellaneous)
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Content Mgmt ->
         1) Document Preferences, Document Footer, Symbolic Links, Parse HTML, Cache Control Directives, International Characters, Serve Precompressed Content, Compress Content on Demand
         2) URL Forwarding
         3) Error Responses
         4) .htaccess Configuration, Stronger Ciphers
         5) Enable/Disable WebDAV
         6) Remote File Manipulation
  WS7.0: 1) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> General ->
            Parse HTML, Directory Listing, Document Footer, Compression, Miscellaneous
         2) Common Tasks -> Select Virtual Server -> URL Redirects
            or Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Content Handling -> URL Redirects
         3) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Content Handling -> Error Pages
         4) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Access Control -> General
         5) WebDAV is enabled/disabled by the setting made at configuration level
         6) Remote file manipulation is done through WebDAV
         Reverse Proxy settings: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Content Handling -> Reverse Proxy

Styles
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Styles
  WS7.0: No admin interface

Request Limits
  WS6.1: -
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> Request Limits

Summary
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Class Manager -> Virtual Servers -> Manage Virtual Servers -> Select Virtual Server -> Manage -> Preferences -> Settings
  WS7.0: Common Tasks -> Select Virtual Server -> View Summary
         or Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Summary







Certificates, Tokens, CRLs, Enabling SSL:

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Certificate Request
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> Request Certificate
         (cannot create self-signed certificates)
  WS7.0: Server Certificates -> Request
         or Common Tasks -> Request Server Certificate
         or Configurations -> Select config link -> Certificates -> Server Certificates -> Request
         1) Select the option to create a self-signed certificate
         2) Select the option for a CA-signed certificate

Install Server Certificate
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> Install Certificate -> This server
  WS7.0: Server Certificates -> Install
         or Common Tasks -> Install Server Certificate
         or Configurations -> Select config link -> Certificates -> Server Certificates -> Install

Install CA certificate / certificate chain
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> Install Certificate -> 1) CA 2) Certificate chain
  WS7.0: Configurations -> Select config link -> Certificates -> Certificate Authorities -> Install
         1) Select the option to install a CA certificate
         2) Select the option for a certificate chain

Manage Certificates
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> Manage Certificates
  WS7.0: To view server certificates (both self-signed and CA-signed):
         Server Certificates (for all configs)
         or Configurations -> Select config link -> Certificates -> Server Certificates (specific to a config)
         To view CA certificates:
         Configurations -> Select config link -> Certificates -> Certificate Authorities (shows all built-in certificates also)
         Use the filter 'Hide Built-in certificates' to view only the installed CA certificates

Tokens
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> Create Database, Change Password
  WS7.0: Configurations -> Select config link -> Certificates -> PKCS11 Tokens ->
         Set Password, Edit Password, Unset Password, Do not prompt for password during instance startup
         If a token password is set, it has to be entered for the session before the certificates of the config can be viewed: click the 'Set Passwords' button and enter the token password.

CRLs
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Security -> 1) Install CRLs/CKLs 2) Manage CRLs/CKLs
  WS7.0: 1) Configurations -> Select config link -> Certificates -> Certificate Authorities -> Install CRL
         2) Configurations -> Select config link -> Certificates -> Certificate Authorities -> Select the CA link for which the CRL has been installed -> Uninstall CRL
         (CKLs: not supported)

Enable SSL
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> Edit Listen Sockets -> Select listener -> Enable Security
  WS7.0: Configurations -> Select config link -> HTTP Listeners -> Select listener link -> SSL -> Enable Security





Monitoring:

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Monitoring Settings
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Monitor ->
         1) Monitor Current Activity
         2) SNMP Subagent Configuration
         3) Quality of Service
  WS7.0: 1) Configurations -> Select config link -> General -> Monitoring Settings -> General
         2) Configurations -> Select config link -> General -> Monitoring Settings -> SNMP Subagent Settings
         3) Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> General -> Quality of Service

Virtual Server Settings for Monitoring
  WS6.1: -
  WS7.0: Common Tasks -> Select Virtual Server -> Edit Virtual Server -> Server Settings -> Monitoring Settings
         or Configurations -> Select Config link -> Virtual Servers -> Select Virtual Server link -> Server Settings -> Monitoring Settings

View Monitoring Data
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Monitor -> Monitor Current Activity
  WS7.0: Monitoring -> Configurations
         Monitoring -> Instances






Miscellaneous:

(WS6.1 = Sun ONE Web Server 6.1 path, WS7.0 = Sun Java System Web Server 7.0 path)

Version
  WS6.1: Servers -> Manage Servers -> Select server -> Manage -> Preferences -> On/Off -> 'About this server' link
  WS7.0: Version button in the top left corner

Logout from Admin GUI, Refresh, Back to Home Page
  WS6.1: -
  WS7.0: Logout, Refresh and Home buttons in the top right corner

Deploy
  WS6.1: -
  WS7.0: Changes made to a configuration have to be saved first and then deployed to its instances:
         'Deployment Pending' link in the top right corner
         or Configurations -> Select config checkbox -> 'More Configurations Actions' -> Deploy Configuration









Thursday Jun 08, 2006

Enable SSL - GUI

Enabling SSL on WS7.0 through Administration GUI



Prerequisites:

  1. Sun Java System Web Server 7.0 installed
  2. Administration server started (from <server-root>/admin-server/bin/startserv)
  3. A configuration and an instance exist, e.g. config1 on the server host
  4. A certificate server (CA) for issuing CA-signed server certificates

Access Administration User interface on browser through SSL port:

https://<server-host>:<server-ssl-port>

Login with correct username and password.


What is covered in this post:

Setting token
Requesting  certificates
Installing server certificates
Installing CA certificates
Setting trust flags for CA
CRL management
Deleting certificates
Enabling SSL on default listener
Edit listener - security properties

The steps below are described starting from the Common Tasks (start) page of the admin console. Deploy the config after each set of steps.

Setting token pin

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> PKCS11 tokens

Steps:
  1. Select the default token 'internal' from the tokens table.
  2. In the edit token properties wizard, select the 'Set Password' checkbox.
  3. Enter the token pin, e.g. 88888888.
  4. Click OK and close the wizard.
  5. Once a token pin is set, it has to be entered for the session on the Server Certificates and Certificate Authorities pages using the 'Set password' button; only then are the contents of those tables displayed.

Requesting certificates

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates

Note:
Requesting Certificates can also be done from the following screens:
  • Common Tasks -> Request Server Certificate -> Select config
  • Server Certificates -> Request Button -> Select config
  • Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> select listener (http-listener-1) -> Security -> Request link
Steps:
  1. Click the Request button on the Server Certificates page.
  2. Enter the token pin (if set). Next
  3. Enter Server name (e.g. server-host), Organization, Organizational unit, Locality, State and Country. Next
  4. There are two key types for certificate creation:
    • Key type RSA: select the RSA radio button and then select the key size from the drop-down menu. Next
    • Key type ECC: select the ECC radio button and then select the curve name from the drop-down menu. Next
  5. Two types of certificate can be created:
    • Self-signed certificate: select the self-signed certificate radio button. Enter the nickname and validity. An HTTP listener can be selected to enable SSL on it. Next
    • CA-signed certificate: select the CA-signed certificate radio button. Next
  6. Review Settings. Finish
  7. For a self-signed certificate, a message shows successful creation of the certificate and the table lists the newly created certificate.
  8. To view certificate details, click the certificate name link in the server certificates table.
  9. For a CA-signed certificate, a Certificate Signing Request is displayed. This CSR (including the BEGIN/END NEW CERTIFICATE REQUEST lines) has to be sent to the certificate signing authority to get the requested certificate. See 'Installing server certificates' below to install the CA-signed server certificate.

[Get the CSR signed by the CA (certificate server) and obtain the certificate in DER format.]

Installing server certificates

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates

Note: Installing Server Certificates can also be done from the following screens:
  • Common Tasks -> Install Server Certificate -> Select config
  • Server Certificates -> Install Button -> Select config
Steps:
  1. Click Install button in the Server certificates page
  2. Enter token pin (if set). Next
  3. The CSR obtained from the Request Certificate wizard has to be signed by a valid CA; the resulting certificate is the input to the Install Server Certificate wizard. Two ways of providing the certificate data:
    • Paste the certificate data directly: select the Certificate radio button and enter the data in the text area. Next
    • Provide the certificate in DER/binary format in a file(*) accessible by the server: select the Certificate file radio button and give the path to the file on the server. Next
  4. Enter nickname for the certificate. Http listener can be selected to enable SSL. Next
  5. Review Settings. Finish
  6. Message shows successful installation of certificate and table lists the newly installed certificate.
  7. To view certificate details, click on the certificate name link in the server certificates table.

Installing CA certificates

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates ->  Certificate Authorities

Steps:
  1. Click Install button in the Certificate Authorities page
  2. Enter token pin (if set). Next
  3. Two ways of providing the CA certificate data:
    • Paste the certificate data directly: select the Certificate radio button and enter the data in the text area. Next
    • Provide the certificate in DER/binary format in a file(*) accessible by the server: select the Certificate file radio button and give the path to the file on the server. Next
  4. There are two Certificate types:
    • CA Certificate : Select radio button to install CA certificate. Next
    • Certificate Chain: Select radio button to install certificate chain. Next
  5. Review Settings. Finish
  6. Message shows successful installation of CA certificate/ certificate chain and table lists  newly installed certificate.
  7. Use filter to hide built in certificates to display  newly installed CA certificate.
  8. To view certificate details, click on the certificate name link in the Certificate Authorities table.

Setting trust flags for CA

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates ->  Certificate Authorities

Steps:
  1. Click on the CA certificate name link to edit trust flags
  2. In the trust flags section, edit checkboxes for 'Trusted to sign client certificates' or 'Trusted to sign server certificates'.
  3. Apply and close.

CRL management

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates ->  Certificate Authorities

Steps:
  1. Click Install CRL button in the Certificate Authorities page
  2. In the Install CRL wizard, enter path to the CRL file on local system/server.
  3. CRL installation can be verified in the CA certificates table, under the CRL column, against the corresponding CA. eg) for CA Verisign Class 1 Public Primary Certification Authority, CRL installed will be pca1.1.1.crl
  4. To view CRL details, click on the CA name link. In the Certificate Authority properties page, CRLs will be displayed.
  5. To uninstall CRL, click on the Uninstall CRL button seen in Certificate Authority properties page in step 4.
  6. Message shows successful uninstallation of CRL. Close.

Deleting certificates

Server certificates:
Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates

Note:
Deleting Certificates can also be done from the following screen:

  • Server Certificates tab
Steps:
  1. Select checkbox against the certificate to be deleted
  2. Click on Delete button. Message shows certificate is successfully deleted.
CA certificates:
Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> Certificates ->  Certificate Authorities

Note:
Built in CA certificates cannot be deleted

Steps:
  1. Select checkbox against the CA certificate to be deleted
  2. Click on Delete button. Message shows  certificate is successfully deleted.

Enabling SSL

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> Select listener (http-listener-1) -> Security  tab

Note:
At least one certificate of type RSA or ECC must exist to enable SSL

Steps:
  1. Enable the 'Security' checkbox.
  2. Select the certificate(s) to use from the RSA certificate and/or ECC certificate drop-down menus.
  3. If an ECC certificate is used to enable SSL, at least one ECC cipher from the SSL3/TLS list must be selected (the browser must also support ECC and have the respective cipher enabled).
  4. Apply and close.
  5. The HTTP listeners table now shows 'Security' as enabled against the listener.

Edit listener - Security properties

Navigation path : Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> Select listener (http-listener-1) -> Security  tab

Steps:

  1. Select different certificate(s) to be used to enable security from drop down menus of RSA/ ECC certificate for the same listener
  2. Edit Client authentication - required/optional, Authentication timeout, Maximum Authentication data
  3. It is also possible to select or remove SSL3/TLS and SSL2 ciphers (leave the SSL2 ciphers deselected; SSLv2 is insecure).
  4. Apply changes and close

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Deploy the config from the 'Deployment Pending' link and start the instance from the Instances tab. Now you have an SSL-enabled instance.

Access from browser as https://<server-host>:<instance-port>/





(*) Not available in Sun Java System Web Server 7.0-Technology-Preview-1


Wednesday May 24, 2006

Enabling SSL on WS7.0* using CLI




Sun Java System Web Server 7.0 provides an easy-to-use command line tool, wadm, for installing and managing certificates. Enabling SSL on the server involves the following commands:

set-token-pin
create-selfsigned-cert
list-certs
create-cert-request
install-cert
delete-cert
set-ssl-prop


All the commands explained below are executed from the wadm prompt.
To enter the wadm prompt, run the following from <server-root>/bin (e.g. user=admin, port=8888, with the admin password saved in <server-root>/bin/admin.pwd):
./wadm --user=admin --port=8888 --password-file=admin.pwd
wadm>

To see the usage of any command, type its name at the wadm prompt.


Prerequisites:
1) SJSWS7.0 Technology Preview-1 installed
2) Config and instance exists


Setting the token password for the internal token (optional):
wadm> set-token-pin --save-pin=true --token=internal --config=config1
Please enter token-pin> {Enter the current token pin, if one is set}
Please enter new-token-pin> {Enter the new pin, say 88888888}
Please enter new-token-pin again> {88888888}
CLI201 Command 'set-token-pin' ran successfully

The pin can also be supplied from a password file, e.g. <server-root>/bin/certdb.pwd containing:

wadm_token_pin=12345678
wadm_new_token_pin=88888888

wadm> set-token-pin --save-pin=true --password-file=certdb.pwd --token=internal --config=config1

Note: if wadm_token_pin is set in the password file, the remaining commands do not prompt for the pin each time. Since the file holds the token pin in clear text, keep it readable only by the administrative user.


Creating self-signed certificates:

Key type RSA (there is an option to specify the key size):
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=rsa --config=config1 --server-name=server1 --nickname=cert1
CLI201 Command 'create-selfsigned-cert' ran successfully

Key type ECC (there is an option to specify the curve name):
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=ecc --config=config1 --server-name=server2 --nickname=cert2
CLI201 Command 'create-selfsigned-cert' ran successfully


Listing the installed certificates:

The same command lists server or CA certificates depending on the cert-type option.

wadm> list-certs --token=internal --cert-type=server --config=config1
cert1
cert2

wadm> list-certs --token=internal --cert-type=ca --config=config1
Builtin Object Token:Verisign/RSA Secure Server CA
Builtin Object Token:GTE CyberTrust Root CA
Builtin Object Token:GTE CyberTrust Global Root
Builtin Object Token:Thawte Personal Basic CA
... (remaining built-in CA certificates)

Generating certificate request:

wadm> create-cert-request --org=SUN --config=config1 --token=internal --server-name=server3

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBXzCByQIBADAgMQwwCgYDVQQKEwNTVU4xEDAOBgNVBAMTB3NlcnZlcjMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMDp+9nvsAglieLcgXQ/czAAn5xlsx1a
/3cZc9FlZw3/ILJ3/eMDVbo9ZrQLinW+xk7tYwH5zLPnhJFad55XSr2yT/1tHG8u
gjHFXninrSsNNjg47jt6Q+RUWKy/HOgXhqAXtBz+eyvzGUFK1OcZhK2xim1dXAg3
hS1X53G/1TUtAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAeKF4itZlI3jGgqjNk
bxKR6PvEjYqQlo6Ux9BLTXCYxKpHQMcJLOENt3IyB9UqUFRDJZGsX4/TDIWcm+oM
0ny/xAAsHNsj8Rt1cu9uBCIMicJbBqhESj+LWZSIO+yQ2OlNyqhV4APpKyh8tSbJ
qSxgnLG+ozaAxOpJbEFg++HcQw==
-----END NEW CERTIFICATE REQUEST-----

Copy the above request to a file and get it signed by certificate signing authority.
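Copying the request by hand from a terminal is where stray prompt text, blank lines or a mangled line creep in. The following shell functions, added here and not part of the original post, pull the PEM block out of a saved wadm transcript and sanity-check it before it goes to the CA: exactly one BEGIN/END NEW CERTIFICATE REQUEST pair, and nothing but base64 characters in between. The transcript is constructed from the create-cert-request output shown above; the temporary file names are assumptions.

```shell
# extract_csr <transcript-file> <out-file>
# Copies only the lines from the BEGIN header to the END footer, so the
# wadm> prompt, blank lines and anything typed afterwards never reach the CA.
extract_csr() {
    sed -n '/^-----BEGIN NEW CERTIFICATE REQUEST-----$/,/^-----END NEW CERTIFICATE REQUEST-----$/p' "$1" > "$2"
}

# validate_csr <file>
# Returns 0 when the file is exactly one PEM request block whose body lines
# contain only base64 characters (A-Z a-z 0-9 + / =), 1 otherwise.
validate_csr() {
    f=$1
    head -n 1 "$f" | grep -q '^-----BEGIN NEW CERTIFICATE REQUEST-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END NEW CERTIFICATE REQUEST-----$' || return 1
    # exactly one BEGIN and one END marker (a doubled paste would give four)
    [ "$(grep -c 'CERTIFICATE REQUEST-----$' "$f")" -eq 2 ] || return 1
    # body = everything between the two marker lines; must not be empty
    body=$(sed '1d;$d' "$f")
    [ -n "$body" ] || return 1
    # any body line that is not pure base64 means the copy was corrupted
    printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$' && return 1
    return 0
}

# Constructed transcript: the CSR text is the one printed by wadm above.
TRANSCRIPT=${TMPDIR:-/tmp}/wadm-csr-transcript.$$
CSR_OUT=${TMPDIR:-/tmp}/server3.csr.$$
cat > "$TRANSCRIPT" <<'EOF'
wadm> create-cert-request --org=SUN --config=config1 --token=internal --server-name=server3

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBXzCByQIBADAgMQwwCgYDVQQKEwNTVU4xEDAOBgNVBAMTB3NlcnZlcjMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMDp+9nvsAglieLcgXQ/czAAn5xlsx1a
/3cZc9FlZw3/ILJ3/eMDVbo9ZrQLinW+xk7tYwH5zLPnhJFad55XSr2yT/1tHG8u
gjHFXninrSsNNjg47jt6Q+RUWKy/HOgXhqAXtBz+eyvzGUFK1OcZhK2xim1dXAg3
hS1X53G/1TUtAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAeKF4itZlI3jGgqjNk
bxKR6PvEjYqQlo6Ux9BLTXCYxKpHQMcJLOENt3IyB9UqUFRDJZGsX4/TDIWcm+oM
0ny/xAAsHNsj8Rt1cu9uBCIMicJbBqhESj+LWZSIO+yQ2OlNyqhV4APpKyh8tSbJ
qSxgnLG+ozaAxOpJbEFg++HcQw==
-----END NEW CERTIFICATE REQUEST-----

wadm>
EOF

extract_csr "$TRANSCRIPT" "$CSR_OUT"
if validate_csr "$CSR_OUT"; then
    echo "CSR ready to send to the CA: $CSR_OUT"
else
    echo "CSR block missing or corrupted; re-run create-cert-request" >&2
fi
```

Save the wadm session output with `script` or a redirect, run extract_csr on it, and only send the file that validate_csr accepts. The check does not decode the ASN.1 inside the request; it only guards against the copy-and-paste damage that a CA will otherwise reject with an unhelpful error.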


Installing CA-signed server certificates, CA certificates and certificate chains:

The same command installs a server certificate, a CA certificate or a certificate chain depending on the cert-type option.

To install a CA-signed server certificate, first generate the request with create-cert-request and get it signed by the CA. Then give install-cert the path to the signed certificate, which can be in ASCII or binary format.

wadm> install-cert --config=config1 --token=internal --cert-type=server --nickname=cert3 /space/certreq/server.cert
CLI201 Command 'install-cert' ran successfully

For a CA certificate or chain, provide the certificate file:
wadm> install-cert --config=config1 --token=internal --nickname="Cert Manager" --cert-type=ca /space/certreq/ca.cert
CLI201 Command 'install-cert' ran successfully

Use list-certs with cert-type set to server or ca to verify the installation of these certificates.


Deletion of certificates:

wadm> delete-cert --token=internal --config=config1 cert1
CLI201 Command 'delete-cert' ran successfully


Enabling SSL:

To enable SSL on the default listener using certificate cert2:

wadm> set-ssl-prop --config=config1 --http-listener=http-listener-1 server-cert-nickname=cert2
CLI201 Command 'set-ssl-prop' ran successfully

wadm> get-ssl-prop --config=config1 --http-listener=http-listener-1
tls=true
server-cert-nickname=[cert2]
client-auth-timeout=60
client-auth=false
enabled=false
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true

Other properties such as the SSL/TLS versions, ciphers and client authentication are edited with the same set-ssl-prop command. Check the get-ssl-prop output before deploying: if enabled still reads false, as in the output above, the listener does not serve SSL/TLS until it is set explicitly (set-ssl-prop ... enabled=true). ssl2 is already off and should stay off; ssl3=true means SSL 3.0 is still offered, which current guidance says to disable (ssl3=false) unless legacy clients require it.

Deploy the config and start the instance.

wadm> deploy-config config1
CLI201 Command 'deploy-config' ran successfully

wadm> start-instance --config=config1 server1
CLI204 Successfully started the server instance.

Now you have an SSL enabled instance running.

========================================

Installing certificates and enabling SSL through the administration GUI, and installing binary certificates, will be discussed in the next couple of posts...


*Sun Java System Web Server 7.0-Technology-Preview-1


Thursday May 18, 2006

Setting wadm options in rcfile

WS7.0 CLI: How to avoid typing options repeatedly?



Sun Java System Web Server 7.0 has a robust Command Line Interface which can be used to administer the many configs and instances on the server. This command line tool or executable is called wadm and is present in <server-install-root>/bin. To avoid typing common options such as user, password etc. for every command, an option can be set either as an environment variable in the shell invoking wadm or within the wadm shell. The shell variable name is formed as wadm_<option>. If the option name has a hyphen ("-"), replace it with an underscore ("_").

e.g.
If option: user,     shell variable name: wadm_user
If option: key-type, shell variable name: wadm_key_type

How?
1) create rcfile .wadmrc to set the shell variables
2) use set /unset commands within the wadm shell

Note: Options supplied directly on the command line will take precedence over the shell variables.



For example if you want to  execute the  CLI create-selfsigned-cert:


CLI Usage:

create-selfsigned-cert [--echo=true] [--prompt=false] [--verbose=true] [--token=name] [--org-unit=unit] [--locality=place] [--state=name] [--validity=num of months] [--org=org] [--country=name] [--key-type=(rsa|ecc)] [--key-size=size] [--curve=curvename] --config=name --server-name=name --nickname=nickname


If you want the org and country same for all the certificates you create, your rcfile should look like this:

<server-root>/bin>> vi .wadmrc

set wadm_password adminadmin
set wadm_org SUN
set wadm_country US

--------------------------------------------------------------------------------------------------------------------------------


Now, to execute the CLI, enter the wadm prompt as:
./wadm --user=admin --port=8888 --rcfile=.wadmrc

And execute CLI:
wadm>create-selfsigned-cert --config=config1 --server-name=server1 --nickname=cert1
wadm>create-selfsigned-cert --config=config1 --server-name=server2 --nickname=cert2

You need not specify the options org and country again. These certificates will be created with org=SUN and country=US. This can be verified using certutil or viewed from the Administration GUI.

<server-install-root>/bin# ./certutil -L -d <server-install-root>/admin-server/config-store/config1/config -n cert1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:82:7e:c1:aa
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=server1,O=SUN,C=US"
        Validity:
            Not Before: Wed May 17 06:30:13 2006
            Not After : Thu Aug 17 06:30:13 2006
        Subject: "CN=server1,O=SUN,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
         .
         .
         .
         .
         .
         .
         .

wadm>set wadm_org JWS
wadm>create-selfsigned-cert --config=config1 --server-name=server3 --nickname=cert3

Here, cert3 gets created with org=JWS and not SUN. Use unset wadm_org to remove this setting.

wadm>create-selfsigned-cert --config=config1 --server-name=server4 --org=WS --nickname=cert4

Here, cert4 gets created with org=WS.

i.e., precedence is in the following order:
Option in the command itself >>> set/unset commands in wadm shell >>> rcfile
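The precedence above, and the option-name to variable-name mapping, are easy to get wrong when a session mixes an rcfile with interactive set/unset. The following is an added model of those rules, not code from wadm itself: it replays the .wadmrc from this post, then the set/unset commands typed at the prompt, and reports for each option of create-selfsigned-cert where its effective value came from. It assumes the rcfile is simply a list of set commands executed before the prompt appears, so it shares one variable table with the interactive shell; the class and function names are this example's own.

```python
"""Model of how wadm resolves an option: the command line wins over the session's variable
table, which is built from the rcfile's set commands and then changed by set/unset at wadm>."""


def option_to_var(option):
    """Map a CLI option name to its shell variable name: 'key-type' -> 'wadm_key_type'."""
    return "wadm_" + option.replace("-", "_")


class WadmShell:
    """Variable table of one wadm session (assumption: the rcfile and the interactive
    set/unset commands operate on the same table, the rcfile being replayed first)."""

    def __init__(self, rcfile_text=""):
        self.vars = {}          # variable name -> value
        self.source = {}        # variable name -> where the current value was set
        for line in rcfile_text.splitlines():
            self.run(line, source="rcfile")

    def run(self, line, source="shell"):
        """Apply one 'set <var> <value>' or 'unset <var>' line; anything else is ignored."""
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            self.vars[parts[1]] = parts[2]
            self.source[parts[1]] = source
        elif len(parts) == 2 and parts[0] == "unset":
            self.vars.pop(parts[1], None)
            self.source.pop(parts[1], None)

    def effective_options(self, command_options, option_names):
        """For each option of a CLI, return (value, source) under the documented precedence:
        an option given on the command line beats the variable table."""
        result = {}
        for opt in option_names:
            if opt in command_options:
                result[opt] = (command_options[opt], "command line")
            else:
                var = option_to_var(opt)
                result[opt] = (self.vars.get(var), self.source.get(var))
        return result


# The .wadmrc from the post.
RCFILE = """set wadm_password adminadmin
set wadm_org SUN
set wadm_country US
"""
SELFSIGNED_OPTS = ("config", "server-name", "nickname", "org", "country", "key-type")


def demo():
    """Replay the session from the post: cert1 (rcfile), cert3 (shell set), cert4 (command
    line), then a cert after 'unset wadm_org'. Returns the effective options of each."""
    shell = WadmShell(RCFILE)
    base = {"config": "config1", "nickname": "cert1", "server-name": "server1"}
    cert1 = shell.effective_options(base, SELFSIGNED_OPTS)
    shell.run("set wadm_org JWS")
    cert3 = shell.effective_options({**base, "server-name": "server3", "nickname": "cert3"}, SELFSIGNED_OPTS)
    cert4 = shell.effective_options({**base, "server-name": "server4", "nickname": "cert4", "org": "WS"},
                                    SELFSIGNED_OPTS)
    shell.run("unset wadm_org")
    cert5 = shell.effective_options({**base, "server-name": "server5", "nickname": "cert5"}, SELFSIGNED_OPTS)
    return cert1, cert3, cert4, cert5


if __name__ == "__main__":
    for name, opts in zip(("cert1", "cert3", "cert4", "after unset"), demo()):
        print(name, {k: v for k, v in opts.items() if v[0] is not None})
```

The source field is the useful part when auditing a session: it shows at a glance which values (including wadm_password) came from the rcfile rather than from what was typed.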


To know more about SJSWS7.0 Administration, see I.K's blog


Saturday May 13, 2006

Forwarding client credentials through Reverse Proxy

ClientCredentialsForwarding




Client credentials forwarding using

Sun Java System Web Proxy Server 4.0



Introduction:

Client information such as the IP address is generally not sent by a proxy to the remote server. However, there are cases where the client's information must be passed on to the remote server, e.g. when the client's IP address must be known in order to access the remote server. Sun Java System Web Proxy Server 4.0 lets you configure the proxy to send the client's IP address and the client certificate details, such as key size, secret key size, cipher, SSL session id, issuer DN, user DN and the SSL/TLS certificate itself.


Requirements:

1) Web server
2) Sun Java System Web Proxy Server 4.0.x
3) CA signed server certificate installed on SJSWPS 4.0.x
4) Client certificate from trusted CA installed on browser. Also, change preferences on browser so as not to go through any proxy.
5) tcp_forward.pl on the same machine as the web server: forwards the TCP connection (to tap the request/response between proxy and web server). The port used for the forwarded connection will be called tcpforwardPort henceforth.
6) Perl : to execute tcp_forward.pl



Deployment scenarios:

(1)

                            |
                            |
  Webserver ------- | -------------------------------Client(Browser)
                            |
                            |
                    Reverse Proxy



(2)
                           |                              |
                           |                              |
Webserver -------- | ---------------------- |----------------Client(Browser)
                           |                              |
                           |                              |
                   tcp_forward.pl                   Reverse  Proxy       




Steps to configure Client Credentials Forwarding (Steps 1 to 4 to be followed from Administration UI of SJSWPS 4.0.x):  

1) Install CA signed server certificate on SJSWPS 4.0.x
      
   
    i) Manage Server tab -> Select Instance ->Security -> Create Database. Initialise database with valid password.
    ii) Request certificate -> Get generated certificate request signed by Certificate signing authority
    iii) Install certificate -> Copy base 64 encoded certificate with headers and add to server. Install certificate chain also.
    iv) Manage Certificates -> Set client trust.

2) Enabling Security & Client authentication on SJSWPS 4.0.x

    i) Manage Server tab -> Select Instance -> Preferences -> Edit Listen Sockets -> Select listen socket
    ii) Select 'enabled' option from drop down menu for Security
    iii) Edit listen socket again. Under Security, select option 'required' from drop down menu for Client authentication and save changes.

3) Setting up Reverse proxy on SJSWPS 4.0.x  (Deployment scenario 1)

    i) Manage Server tab -> Select Instance -> URLs -> Create Mapping
    ii) Create forward mapping:
             Mapping type:       Regular
             Map source prefix:  https://proxyHost:proxyInstancePort
             Map destination:    http://webserverHost:tcpforwardPort

             Mapping type:       Regular
             Map source prefix:  /
             Map destination:    http://webserverHost:tcpforwardPort

    iii) Create reverse mapping:
             Mapping type:       Reverse
             Map source prefix:  http://webserverHost:tcpforwardPort
             Map destination:    https://proxyHost:proxyInstancePort

4) Manage Server tab -> Select Instance -> Routing -> Forward Client Credentials
      
       i) Select resource for which configuration has to be set
       ii) Select the credentials to be forwarded to the remote server (here, the web server)
       iii) Give valid HTTP headers for the same
       iv) Apply changes and restart instance

5) From terminal start script tcp_forward.pl as follows (Deployment scenario 2):

       perl tcp_forward.pl -f tcpforwardPort -t webserverHost:webserverPort -recv -send

       example: perl tcp_forward.pl -f 2323 -t sunws.india:8080 -recv -send
       The following message will be seen:
       Server started on port 2323

6) From the browser with client certificate installed:

      
https://proxyHost:proxyInstancePort/testPage.html

       example: https://sunproxy:9090/testPage.html

If client credentials forwarding is enabled, the information from the client certificate in the client's browser is sent across to the origin server by the proxy server. To verify forwarding of credentials, see the terminal where tcp_forward.pl is running.

Sample output:
 
Note:
S-> sent by proxy , R-> received from web server
(IP is masked on purpose.)

>>> perl tcp_forward.pl -f 2323 -t sunws.india:8080 -recv -send
Server started on port 2323
Incoming connection
Forwarding to sunws.india:8080
S [GET /myindex.html HTTP/1.1]
S [Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0]
S [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*]
S [Accept-Language: en-us]
S [Accept-Encoding: gzip, deflate]
S [User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)]
S [Host: sunws.india:2323]
S [Client-ip: ***.***.***.***]
S [Proxy-cipher: RC4]
S [Proxy-keysize: 128]
S [Proxy-secret-keysize: 128]
S [Proxy-ssl-id: TPrrA9p11nI0ucQRE52k1aEfl5Uk7WASs8DTWoTfglg=]
S [Proxy-issuer-dn: E=devika@sun.com,CN=wps,OU=jws,O=sun,L=bng,ST=kar,C=in]
S [Proxy-user-dn: E=devika@sun.com,CN=wps,OU=jws]
S [Proxy-auth-cert: MIIDBTCCAq+gAwIBAgIBBTANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJpbjEMMAoGA1UECBMDa2FyMQwwCgYDVQQ
HEwNibmcxDDAKBgNVBAoTA3N1bjEMMAoGA1UECxMDandzMREwDwYDVQQDEwhuYWdlbmRyYTEjMCEGCSqGSIb3DQEJAR
YUbmFnZW5lZHJhLmprQHN1bi5jb20wHhcNMDQxMjE3MDYxNjUwWhcNMDUxMjE3MDYxNjUwWjBKMRAwDgYDVQQLEwdXZ
WJUaWVyMQ8wDQYDVQQDEwZzYW5qYXkxJTAjBgkqhkiG9w0BCQEWFnNhbmpheS5peWVuZ2FyQHN1bi5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMeuinauMVc9hE+FWHxtBKxqV4Mpo59OV0F8DZeAbgNMNoX6JtJRCy+4s22mldW
2UDCpr14Ap8pkYo5TcFynh81K2TtsCuqitY1fOCUoVJObUgTOPoOLi5VJqKoUw5CT6s+TShQly6s3BRamr9eDbGrHpa
u4MeTF8cqHgJZM5e7fAgMBAAGjggEHMIIBAzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyY
XRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUY16JdeH4PIpiVx46hg/4V0I8iQcwgagGA1UdIwSBoDCBnYAUqi21noO6
8mbTlhgmKWDm/8Wqk/qhgYGkfzB9MQswCQYDVQQGEwJpbjEMMAoGA1UECBMDa2FyMQwwCgYDVQQHEwNibmcxDDAKBgN
VBAoTA3N1bjEMMAoGA1UECxMDandzMREwDwYDVQQDEwhuYWdlbmRyYTEjMCEGCSqGSIb3DQEJARYUbmFnZW5lZHJhLm
prQHN1bi5jb22CAQAwDQYJKoZIhvcNAQEEBQADQQA1Sr2+NUmG/GRyf7lpvWJ5r6gRNWqXPGeM2maox1Ce/e6lXSiEj
VBjxawieYnJudCHPG4fo5b7yNUc+NX5RFJG]
S [Via: 1.1 proxy-server1]
S [Connection: keep-alive]
R [HTTP/1.1 200 OK]
R [Server: Sun-ONE-Web-Server/6.1]
R [Date: Thu, 28 Jul 2005 17:56:19 GMT]
R [Content-length: 1097]
R [Content-type: text/html]
R [Last-modified: Tue, 05 Jul 2005 22:24:02 GMT]
R [Etag: "449-42cb0882"]
R [Accept-ranges: bytes]
R [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">]
R [<html>]
R [<head>]
R [  <meta http-equiv="content-type"]
R [ content="text/html; charset=ISO-8859-1">]
R [  <title>myindex</title>]
R [  <meta name="author" content="Devika Gopinathan">]
R [</head>]
R [<body>]
R [<br>]
R [<h2 style="text-align: center;">Test Page</h2>]
R [<br>]
R [<h2>Sun Java System Web Proxy Server 4.0</h2>]
R [<br>]
R [<font color="#ffffff"></font>]
R [<table cellpadding="2" cellspacing="2" border="1"]
R [ style="text-align: left; width: 70%;">]
R [  <tbody>]
R [    <tr>]
R [      <td style="vertical-align: top;">Ownership<br>]
R [      </td>]
R [      <td style="vertical-align: top;">Sun Java System Web Proxy Server]
R [QA</td>]
R [    </tr>]
R [    <tr>]
R [      <td style="vertical-align: top;">Date of Creation (mm/dd/yyyy)<br>]
R [      </td>]
R [      <td style="vertical-align: top;">01/07/2005<br>]
R [      </td>]
R [    </tr>]
R [    <tr>]
R [      <td style="vertical-align: top;">Page Created By<br>]
R [      </td>]
R [      <td style="vertical-align: top;">Devika Gopinathan</td>]
R [    </tr>]
R [  </tbody>]
R [</table>]
R [<h2><font color="#ffffff"><br>]
R [</font></h2>]
R [<br>]
R [<!--#include virtual="trial.shtml" -->]
R [</body>]
R [</html>]
Closed connection
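The capture shows the credentials arriving at the origin as ordinary request headers (Client-ip, Proxy-user-dn, Proxy-auth-cert and so on). They are only meaningful when the request actually came through the reverse proxy, so the origin side should honour them solely on connections from the proxy and strip them otherwise. The following is an added example, not part of the post or of either Sun product: it rebuilds the sent request from the "S [...]" lines of a tcp_forward.pl capture (rejoining a header value that wraps across lines, as Proxy-auth-cert does above) and applies that trust policy. The capture is constructed for the example with documentation addresses, the proxy address and Via pseudonym are assumptions, and the Proxy-auth-cert value is a placeholder DER SEQUENCE rather than a real certificate.

```python
"""Parse a tcp_forward.pl capture and apply an origin-side trust policy to the forwarded
credential headers (Client-ip, Proxy-*), so only the reverse proxy can supply them."""
import base64

# Constructed capture in the format tcp_forward.pl prints ("S [...]" = sent by the proxy,
# "R [...]" = received from the web server). The Proxy-auth-cert value wraps across lines
# as in the real capture; its content here is a placeholder DER SEQUENCE, not a certificate.
SAMPLE_CAPTURE = """\
Server started on port 2323
Incoming connection
Forwarding to sunws.india:8080
S [GET /myindex.html HTTP/1.1]
S [Host: sunws.india:2323]
S [Client-ip: 192.0.2.10]
S [Proxy-cipher: RC4]
S [Proxy-keysize: 128]
S [Proxy-user-dn: E=user@example.com,CN=wps,OU=jws]
S [Proxy-auth-cert: MAMC
AQU=]
S [Via: 1.1 proxy-server1]
S [Connection: keep-alive]
R [HTTP/1.1 200 OK]
"""

TRUSTED_PROXY_ADDRS = {"198.51.100.5"}      # assumed: address the reverse proxy connects from
TRUSTED_VIA_NAMES = {"proxy-server1"}       # assumed: pseudonym the proxy writes into Via
CREDENTIAL_HEADERS = ("client-ip", "proxy-cipher", "proxy-keysize", "proxy-secret-keysize",
                      "proxy-ssl-id", "proxy-issuer-dn", "proxy-user-dn", "proxy-auth-cert")


def parse_sent_request(capture):
    """Return (request_line, headers) rebuilt from the 'S [...]' lines of a capture.
    A line without the 'S [' prefix continues the previous entry until its closing ']'."""
    entries = []
    for raw in capture.splitlines():
        if raw.startswith("S ["):
            entries.append(raw[3:])
        elif entries and not entries[-1].endswith("]"):
            entries[-1] += raw
    entries = [e[:-1] for e in entries]              # drop the closing ']'
    headers = {}
    for line in entries[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return entries[0], headers


def cert_header_is_der(value):
    """True if the header is base64 of one DER SEQUENCE whose declared length matches the payload."""
    try:
        der = base64.b64decode(value, validate=True)
    except ValueError:                                # binascii.Error is a ValueError subclass
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] & 0x80:                                 # long-form length
        n = der[1] & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        length, header = der[1], 2
    return header + length == len(der)


def apply_trust_policy(headers, peer_addr):
    """Keep the forwarded credential headers only when the TCP peer is the trusted proxy and
    the last Via hop carries its pseudonym; otherwise strip them so a client that reaches the
    origin directly cannot inject a Client-ip or a certificate DN of its choosing.
    A malformed Proxy-auth-cert is dropped even on a trusted connection."""
    last_hop = headers.get("via", "").split(",")[-1].split()
    via_name = last_hop[1] if len(last_hop) > 1 else ""
    trusted = peer_addr in TRUSTED_PROXY_ADDRS and via_name in TRUSTED_VIA_NAMES
    kept, dropped = dict(headers), []
    for name in CREDENTIAL_HEADERS:
        if name not in kept:
            continue
        if not trusted or (name == "proxy-auth-cert" and not cert_header_is_der(kept[name])):
            dropped.append(name)
            del kept[name]
    return kept, dropped


if __name__ == "__main__":
    request_line, headers = parse_sent_request(SAMPLE_CAPTURE)
    print(request_line)
    for peer in ("198.51.100.5", "203.0.113.7"):
        kept, dropped = apply_trust_policy(headers, peer)
        print(peer, "kept:", sorted(kept), "dropped:", dropped)
```

The peer-address check is the one that matters; the Via match only catches misrouted traffic, since any direct client can write a Via header itself.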