This procedure should be used to improve the performance of SSL packet processing on an Apache 2.0 web server.
The following procedure requires that an Apache 2.0 web server has been installed and configured. The Apache 2.0 web server is included in the Solaris 10 release.
To use the SSL kernel proxy, the server private key and the server certificate need to exist in a single file. If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for kernel SSL. If the SSLCertificateKeyFile parameter is also specified, then the certificate file and the private key file need to be combined. One way to combine the certificate and the key file is to run the following command:
# cat cert.pem key.pem >cert-and-key.pem
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. The ksslcfg command is included in the Network Security profile.
Stop the web server.
This command will stop the web server on a system in which the server is configured to run using SMF.
# svcadm disable svc:/network/http:apache2
If the service has not been converted to SMF yet, stop the web server with this command:
# /usr/apache2/bin/apachectl stop
Determine what parameters to use with the ksslcfg command.
All of the options are listed in the ksslcfg(1M) man page. The parameters for which you must supply values are:
key-format – Used with the -f option to define the certificate and key format. For the SSL kernel proxy the value should be either pem or pkcs12.
key-and-certificate-file – Used with the -i option to set the location of the file that stores the server key and the certificate.
password-file – Used with the -p option to select the location of the file that contains the password used to encrypt the private key. Storing the password in this file allows unattended reboots. The permissions on the file should be 0400.
proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80. The web server listens on the SSL proxy port.
ssl-port – Selects the port for the SSL Kernel Proxy to listen on. Normally this is set to 443.
The ssl-port and the proxy-port values cannot be configured for NCA, since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8443 for the proxy-port, and port 443 for the ssl-port.
Create the service instance.
Use the ksslcfg command to specify the SSL proxy port and the associated parameters.
# ksslcfg create -f key-format -i key-and-certificate-file -p password-file -x proxy-port ssl-port
Verify that the instance was created properly.
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
Configure the web server to listen on the SSL proxy port.
Edit the /etc/apache2/http.conf file and add a line to define the SSL proxy port. If you use the server's IP address, then the web server will only listen on that interface. The line should look like:
Set an SMF dependency for the web server.
The web server should only be started after the SSL kernel proxy instance. The following commands establish that dependency.
# svccfg -s svc:/network/http:apache2
svc:/network/http:apache2> addpg kssl dependency
svc:/network/http:apache2> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
svc:/network/http:apache2> setprop kssl/grouping = astring: require_all
svc:/network/http:apache2> setprop kssl/restart_on = astring: refresh
svc:/network/http:apache2> setprop kssl/type = astring: service
svc:/network/http:apache2> end
Enable the web server.
# svcadm enable svc:/network/http:apache2
If the service is not started using SMF, use the following command:
# /usr/apache2/bin/apachectl startssl
The following command creates an instance using the pem key format.
# ksslcfg create -f pem -i cert-and-key.pem -p file -x 8443 443
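The procedure above, gathered into one script as an added example; this is not part of the Solaris documentation or of the ksslcfg tool. The helper names (combine_cert_and_key, check_mode_0400, build_ksslcfg_cmd, svcs_is_online, apply_procedure), the --apply switch, the file names and port numbers, and the sample svcs output line are all assumptions constructed for illustration. The checks (combined key file and password file restricted to mode 0400, key-format limited to pem or pkcs12, proxy-port distinct from 80 and from ssl-port, service state online before the dependency is set) run anywhere; the privileged Solaris commands run only when --apply is given and ksslcfg is present.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: prepares and checks the
# inputs for the ksslcfg procedure. File names, port numbers and the sample
# svcs output are constructed for illustration. The Solaris commands
# (ksslcfg, svcadm, svccfg) run only with --apply and only where they exist.

# Concatenate the server certificate and private key into one PEM file, which
# is what "ksslcfg -f pem -i" expects, and leave it readable by the owner only.
combine_cert_and_key() {
    cert=$1; key=$2; out=$3
    ( umask 077; cat "$cert" "$key" > "$out" ) || return 1
    chmod 0400 "$out"
}

# Succeed only if the file has mode 0400. The page requires this for the
# password file; it is a sensible check for the combined key file as well.
# ls -l is used because Solaris 10 ships no stat(1).
check_mode_0400() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Assemble the "ksslcfg create" command line from the five documented
# parameters, refusing the combinations the page warns against. The command
# is printed, not executed, so it can be reviewed before it is run as root.
build_ksslcfg_cmd() {
    fmt=$1; keyfile=$2; pwfile=$3; proxy_port=$4; ssl_port=$5
    case "$fmt" in
        pem|pkcs12) ;;
        *) echo "key-format must be pem or pkcs12, got: $fmt" >&2; return 1 ;;
    esac
    if [ "$proxy_port" = "80" ] || [ "$proxy_port" = "$ssl_port" ]; then
        echo "proxy-port must differ from port 80 and from ssl-port" >&2
        return 1
    fi
    printf 'ksslcfg create -f %s -i %s -p %s -x %s %s\n' \
        "$fmt" "$keyfile" "$pwfile" "$proxy_port" "$ssl_port"
}

# Given one line of svcs output (STATE STIME FMRI), succeed only when the
# state column reads online. Constructed sample line:
#   online         12:00:01 svc:/network/ssl/proxy:kssl-INADDR_ANY-443
svcs_is_online() {
    state=$(printf '%s\n' "$1" | awk '{ print $1 }')
    [ "$state" = "online" ]
}

# The privileged sequence from the procedure, in the documented order:
# stop Apache, create the proxy instance, verify it is online, add the SMF
# dependency, start Apache. Paths must not contain spaces ($cmd is unquoted).
apply_procedure() {
    keyfile=$1; pwfile=$2; proxy_port=$3; ssl_port=$4
    check_mode_0400 "$pwfile" || { echo "password file must be mode 0400" >&2; return 1; }
    cmd=$(build_ksslcfg_cmd pem "$keyfile" "$pwfile" "$proxy_port" "$ssl_port") || return 1
    svcadm disable svc:/network/http:apache2
    $cmd || return 1
    # svcs -H prints the state line without the header row.
    svcs_is_online "$(svcs -H svc:/network/ssl/proxy)" || return 1
    svccfg -s svc:/network/http:apache2 <<EOF
addpg kssl dependency
setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-$ssl_port
setprop kssl/grouping = astring: require_all
setprop kssl/restart_on = astring: refresh
setprop kssl/type = astring: service
end
EOF
    svcadm enable svc:/network/http:apache2
}

# Usage (constructed): sh kssl-setup.sh --apply cert-and-key.pem pwfile 8443 443
if [ "$1" = "--apply" ] && command -v ksslcfg >/dev/null 2>&1; then
    apply_procedure "$2" "$3" "$4" "$5"
fi
```

On Solaris 10 the legacy /bin/sh does not understand $(...) or command -v, so run the script with /usr/xpg4/bin/sh or ksh there. The check functions are deliberately separated from apply_procedure so that the key file, password file permissions and port choices can be validated as an unprivileged user before anything is run as root.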