Sun Web Server 6.1 SSL acceleration on T1000/T2000



I can't say that security is my area of expertise.  I have this nasty habit of trusting people. Therefore, when it comes to setting things up, I need help. Get this: I even RTFM.

You may or may not know this, but the T1 chip (T1000/T2000 servers to date) supports crypto acceleration natively, and we have a handy blueprint which walks through the setup/configuration. When combined with a couple of blog entries (here and here), I am starting to "get it". That being said, here is a set of end-to-end steps to get it all up and running with a self-signed certificate:

## Set up password file
# echo YOUR_PASSWORD > /tmp/password.txt
# chmod 600 /tmp/password.txt

## Create certificate store
# /opt/SUNWwbsvr/bin/https/admin/bin/certutil -N \
   -P https-web.West.Sun.COM-web- \
   -d /opt/SUNWwbsvr/alias \
   -f /tmp/password.txt

## Create a self-signed certificate and store it in the certificate store
## When run, Select 1 (SSL client), then 9 (other), then "y".
## (Jyri describes how to do this via a Certificate Authority)
# /opt/SUNWwbsvr/bin/https/admin/bin/certutil -S -x \
   -P https-web.West.Sun.COM-web- \
   -d /opt/SUNWwbsvr/alias \
   -f /tmp/password.txt \
   -n Server-Cert \
   -s "CN=web.West.Sun.COM,C=US" \
   -t u,u,u -m 12345 -v 99 -5

## Enable the Sun Metaslot
## (disable the whole Solaris Cryptographic Framework module first, then
## re-enable only the Metaslot so NSS does not also pick up the other slots)
# /opt/SUNWwbsvr/bin/https/admin/bin/modutil \
   -dbdir /opt/SUNWwbsvr/alias \
   -dbprefix https-web.West.Sun.COM-web- \
   -nocertdb \
   -disable "Solaris Cryptographic Framework"
# /opt/SUNWwbsvr/bin/https/admin/bin/modutil \
   -dbdir /opt/SUNWwbsvr/alias \
   -dbprefix https-web.West.Sun.COM-web- \
   -nocertdb \
   -enable "Solaris Cryptographic Framework" \
   -slot "Sun Metaslot"

## Export the certificate and key from the internal store to a PKCS#12 formatted file
## (you are prompted for the database password and for a password to protect the .p12)
# /opt/SUNWwbsvr/bin/https/admin/bin/pk12util \
   -o /tmp/cert.p12 \
   -d /opt/SUNWwbsvr/alias \
   -n Server-Cert \
   -P https-web.West.Sun.COM-web-

## Import the certificate and key into the Sun Metaslot
## (-i imports; -h names the token to import into, otherwise the key just
## lands back in the internal store it came from)
# /opt/SUNWwbsvr/bin/https/admin/bin/pk12util \
   -i /tmp/cert.p12 \
   -h "Sun Metaslot" \
   -d /opt/SUNWwbsvr/alias \
   -n Server-Cert -P https-web.West.Sun.COM-web-

## Ensure the web server user can utilize the keystore.
## I'm not entirely sure of what the security implications
## are here, but the web server (webservd) couldn't open
## the store without doing this. I probably should have tried
## to import the key into the keystore as webservd ...
# chown -R webservd:webservd /.sunw

## Run these steps if you want the web server to start up on boot.
## Otherwise the user is prompted to enter the keystore password.
## password.conf holds the password in the clear, hence the chmod 400.
# echo "internal:`cat /tmp/password.txt`" \
   > /opt/SUNWwbsvr/https-web.West.Sun.COM/config/password.conf
# chmod 400 /opt/SUNWwbsvr/https-web.West.Sun.COM/config/password.conf


## Clean up
# rm /tmp/password.txt
# rm /tmp/cert.p12
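To confirm the setup actually does what the title promises, here is an added check script. It is my addition, not one of the steps above, and it assumes the same tool paths and database prefix as above, that the server listens on web.West.Sun.COM:443, and that the ncp driver exposes the per-instance rsaprivate kstat documented for the T1; the sample kstat lines used to exercise the parsing are constructed. It lists the certificate as seen through the Sun Metaslot, lists the PKCS#11 modules, then takes kstat snapshots around a single TLS handshake: if the rsaprivate counter does not move, the handshake is still being done in software. One thing worth knowing about the chown step: the Metaslot's key store is the Solaris softtoken under $HOME/.sunw/pkcs11_softtoken, so the private key still lives on disk, encrypted with the token PIN. The T1 accelerates the RSA operation; it does not hold the key.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the web server
# key is on the Sun Metaslot and that RSA private-key operations are being
# offloaded to the T1's ncp driver.
#
# Assumptions (not taken from the post): tool paths and prefix below, a
# listener on HOST:PORT, and an "rsaprivate" statistic in the ncp kstat.
set -eu

NSSBIN=/opt/SUNWwbsvr/bin/https/admin/bin
DBDIR=/opt/SUNWwbsvr/alias
PREFIX=https-web.West.Sun.COM-web-
TOKEN="Sun Metaslot"
HOST=web.West.Sun.COM
PORT=443

# Sum the rsaprivate counters from `kstat -p -m ncp` output, which is one
# "module:instance:name:statistic<TAB>value" line per statistic.
rsa_private_ops() {
    printf '%s\n' "$1" |
        awk '$1 ~ /:rsaprivate$/ { n += $2 } END { print n + 0 }'
}

# Given two kstat snapshots, report how many RSA private-key operations the
# accelerator performed in between. Zero after a TLS handshake means the key
# is still being used in software (or the handshake never reached this host).
offloaded_ops() {
    before=$(rsa_private_ops "$1")
    after=$(rsa_private_ops "$2")
    echo $((after - before))
}

# Live check: runs only when asked for explicitly, since it needs a T1 box
# with the server up. Invoke as: sh check-offload.sh --live
if [ "${1-}" = "--live" ]; then
    # 1. The certificate must be visible through the token, not only in the
    #    internal database (you will be prompted for the token PIN).
    "$NSSBIN/certutil" -L -d "$DBDIR" -P "$PREFIX" -h "$TOKEN" -n Server-Cert
    "$NSSBIN/modutil" -dbdir "$DBDIR" -dbprefix "$PREFIX" -nocertdb -list

    # 2. One handshake, bracketed by kstat snapshots.
    s1=$(kstat -p -m ncp)
    printf 'Q\n' | openssl s_client -connect "$HOST:$PORT" >/dev/null 2>&1 || true
    s2=$(kstat -p -m ncp)
    echo "RSA private-key ops offloaded during handshake: $(offloaded_ops "$s1" "$s2")"
fi
```

A server that negotiates an RSA key exchange performs exactly one private-key operation per full handshake, so a delta of 1 (or a small number, if other clients are connecting at the same time) is what you want to see; a delta of 0 with a successful handshake means the Metaslot is not the token the server is using.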
Hope this helps.


About

John Clingan
