This procedure should be used to improve the performance of SSL packet process on a Sun Java System Web Server. See the Sun Java System Web Server 6.1 SP4 Administrator’s Guide for information about this web server.
The following procedure requires that a Sun Java System Web Server has been installed and configured.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. The ksslcfg command is included in the Network Security profile.
Stop the web server.
Use the administrator web interface to stop the server. See Starting and Stopping the Server in the Sun Java System Web Server 6.1 SP4 Administrator’s Guidefor more information.
Disable the cryptographic framework's metaslot.
This step is needed to make sure that the metaslot is disabled when the kernel SSL service instance is created.
# cryptoadm disable metaslot
Determine what parameters to use with the ksslcfg command.
All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:
key-format – Used with the -f option to define the certificate and key format.
token-label – Used with the -T option to specify the PKCS#11 token.
certificate-label – Used with the -C option to select the label in the certificate object in the PKCS#11 token.
password-file – Used with the -p option to select the location of the file that includes the password used to login the user to the PKCS#11 token used by the web server. This password is used to allow unattended reboots. The permissions on the file should be 0400.
proxy-port– Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80. The web server listens on the SSL proxy port.
ssl-port – Defines the port for the SSL Kernel Proxy to listen on. Normally this value is set to 443.
The ssl-port and the proxy-port values can not be configured for NCA since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8443 for the proxy-port and 443 for the ssl-port.
Create the service instance.
The ksslcfg command to specify the SSL proxy port and associated parameters.
ksslcfg create -f key-format -T PKCS#11-token -C certificate-label -p password-file -x proxy-port ssl-port
Enable the cryptographic framework's metaslot.
# cryptoadm enable metaslot
Verify that the instance was created properly.
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
Configure the web server to listen on the SSL proxy port.
See Adding and Editing Listen Sockets in the Sun Java System Web Server 6.1 SP4 Administrator’s Guide for more information.
Start the web server.
The following command creates an instance using the pkcs11 key format.
# ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken" -C "Server-Cert" -p file -x 8443 443