test

Sun Java System Web Server 7.0 Update 3 Administrator's Guide

Configuring Solaris Cryptographic Framework

This section describes how to configure Solaris cryptographic for use with Web Server.

ProcedureTo Configure Solaris Cryptographic

  1. Remove the ./sunw directory from your machine using the following command.

    %rm -rf $HOME/.sunw

  2. Set a new pin using the following command:

    % pktool setpin Enter new PIN:<type the pin here>

    Re-enter new PIN:<retype the pin again>

  3. Disable the mechanisms in the pkcs11_kernel.so and pkcs11_softtoken.so files using the following command:

    #cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_kernel.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEYAND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

    #cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEYAND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

    Note –

    Ensure to disable mechanisms in pkcs11_softtoken_extra.so file, if it is used.

ProcedureTo Register PKCS#11 Library File

  1. Type the following command to add the Solaris crypto framework to network security services (NSS) in the config directory

    $ cd <install-dir>/<instance-dir>/lib/modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -add "scf" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

  2. Verify the registration using the following command:

    $cd <install-dir>/<instance-dir>/lib/modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -list 

    Listing of PKCS #11 Modules
1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
         status: loaded

          slot: NSS Internal Cryptographic Services
         token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
         token: NSS Certificate DB

   2. scf
         library name: /usr/lib/libpkcs11.so
          slots: 1 slot attached
         status: loaded

          slot: Sun Crypto Softtoken
         token: Sun Software PKCS#11 softtoken

   3. Root Certs
         library name: libnssckbi.so
          slots: There are no slots attached to this module
         status: Not loaded

    For more information on creating server certificates, see Requesting a Certificate

    If certificates exists in NSS database, you can export or import the certificates using the following pk12util command:

    $pk12util -o server.pk12 -d . -n <server-cert>

    $pk12util -i server.pk12 -d . -h "Sun Software PKCS#11 softtoken"

    Note –

    By default, certutil/pk12util searches the databases for cert8.db and key3.db. Add -P as the prefix for the Web Server, which uses the alternate names https-instance-hostname-cert8.db and https-instance-hostname-key3.db.

ProcedureTo Enable and Bypass PKCS#11 Tokens

  1. From the home page, click the Configurations tab

  2. In the Configuration page, click the configuration that you want to enable the PKCS#11 and Allow Bypass option

  3. Click the Certificates tab

  4. Click the PKCS#11 Tokens sub tab

  5. In General Settings, select the check boxes to enable PKCS#11 and Allow Bypass

  6. Click the Save button

    See CLI reference, set-pkcs11-prop(1).

Creating a Self-Signed Certificate Using CLI and Enabling SSL

Start the wadm from the installation directory and perform the following steps:

$wadm --user=admin
Please enter admin-user-password>enter the administration serverpassword

$wadm>list-tokens --config=test.sun.com

internal
Sun Software PKCS#11 softtoken

$wadm>create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert 
--token="Sun Software PKCS#11 softtoken"
Please enter token-pin>enter the password

CLI201 Command 'create-selfsigned-cert' ran successfully

$wadm>set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 enabled=true 
server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully

$wadm>deploy-config test.sun.com
CLI201 Command 'deploy-config' ran success

Now, start the Administration Server.

$ cd <install-dir>/<instance-dir>/bin/startserv
Sun Java System Web Server 7.0 Update 3

Please enter the PIN for the "Sun Software PKCS#11 softtoken" token:enter the password
info: HTTP3072: http-listener-1: https://test.sun.com:2222 ready to accept requests
info: CORE3274: successful server startup