CHAPTER 7
Installing and Configuring Apache Web Server Software
This chapter explains how to configure and enable the Sun Crypto Accelerator 6000 Board for use with Apache Web Servers on both Oracle Solaris and Linux platforms. Sections include:
This section provides instructions specific to Oracle Solaris platforms.
The following procedure describes how to create the private key and certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 6000 Board. If you already have a private key and certificate, go to Enabling Apache Web Server.
1. Generate an RSA private key in Privacy-Enhanced Mail (PEM) format.
2. Create your PEM passphrase.
This passphrase protects the key material. Be sure to select a strong passphrase, but one that you can remember. If you forget the passphrase, you will be unable to access your keys.
Caution - You must remember the passphrase you enter. Without the passphrase, you cannot access your keys. There is no way to retrieve a lost passphrase.
3. Create a certificate request using the keys you just created.
You must first enter the passphrase to access your keys. Then provide the appropriate information for the fields in TABLE 7-1:
The following is an example of how the certificate fields are entered:
4. Hand off the certreq.csr file to your certificate authority.
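The four steps above as one script, followed by a check that certreq.csr really carries the public half of server.key before it goes to the certificate authority. This is an added example, not the commands from the original guide; the PEM_PASS variable, the 2048-bit key size, AES-256 key encryption and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: the passphrase is
# supplied in the exported variable PEM_PASS; 2048-bit key; AES-256 encryption.

# usage: make_key_and_csr <dir> <subject>
# The body runs in a subshell so the umask change does not leak to the caller.
make_key_and_csr() (
    umask 077    # private key file readable by its owner only
    # Steps 1-2: RSA private key in PEM format, encrypted under the passphrase
    openssl genrsa -aes256 -passout env:PEM_PASS \
        -out "$1/server.key" 2048 2>/dev/null || exit 1
    # Step 3: certificate request built from that key
    openssl req -new -key "$1/server.key" -passin env:PEM_PASS \
        -subj "$2" -out "$1/certreq.csr" 2>/dev/null || exit 1
)

# usage: csr_matches_key <key file> <csr file>
# Succeeds only if the key and the request contain the same RSA modulus.
csr_matches_key() {
    k=$(openssl rsa -in "$1" -passin env:PEM_PASS -noout -modulus 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Supplying the passphrase through an environment variable keeps it out of the process argument list; a mismatch reported by csr_matches_key means the request was built from a different key than the one Apache will load.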
Apache Web Server and mod_ssl are provided with the Oracle Solaris 10 OS. The following instructions are for these specific releases of Apache Web Server. Refer to the Apache Web Server documentation for more information.
1. Create an httpd configuration file.
For Oracle Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:
2. Replace ServerName with your server name in the httpd.conf file.
3. Find your private key and certificate.
4. Rename the private key as server.key and place it in the /etc/apache/ssl.key directory.
5. Rename the private certificate as server.crt and place it in the /etc/apache/ssl.crt directory.
6. Start the Apache Web Server.
This example assumes the Apache binary directory is /usr/apache/bin. If this is not the Apache binary directory, type in the correct directory.
7. Enter your PEM passphrase if prompted for it.
8. Verify the SSL-enabled web server with a browser pointing to the following URL:
Note - The default port is 443.
9. Verify that the Sun Crypto Accelerator 6000 board is being used.
Verify that the rsaprivate field is being incremented in the statistics.
The Apache web server included in the Linux installation does not have the appropriate plugins. This section describes how to prepare the Apache Web Server with appropriate plugins to use the Sun Crypto Accelerator 6000 board for SSL acceleration.
Note - On Oracle Solaris platforms, the OpenSSL executable is in the /usr/sfw/bin/ directory. On Linux platforms, the OpenSSL executable is in the /usr/bin/ directory.
Download the following files from the OpenSSL web site:
Choose a directory to uncompress the OpenSSL software (/var/tmp/ is used in this example). Type the following command:
Change to the new /var/tmp/openssl-0.9.7d directory and install the patch with the following command:
The following is an example of the output:
Note - Check the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.0 for any additional required patches. You must install all of the required patches before configuring OpenSSL.
Use the following command to configure and compile OpenSSL. Refer to the README.pkcs11 and INSTALL file for more information.
Download Apache 2.2.0, httpd-2.2.0.tar.gz, from http://www.apache.org. Choose a directory to uncompress the Apache software (/var/tmp is used in this example). Type the following command:
Change to the new /var/tmp/httpd-2.2.0 directory and type the following command to configure the Apache Web Server. Refer to the INSTALL file for more information.
There are many other options to configure Apache. The --enable-ssl --with-ssl=/var/tmp/openssl-0.9.7d options are the minimum required. These options provide the location of the OpenSSL libraries.
Finally, use the following commands to compile and install Apache. Refer to the INSTALL file for more information:
By default, Apache is installed in the /usr/local/apache2 directory.
The Apache software is installed in the /usr/local/apache2 directory in this example.
Edit the /usr/local/apache2/conf/httpd.conf file and change the following line to enable SSL:
To enable the PKCS#11 OpenSSL engine, edit the /usr/local/apache2/conf/extra/httpd-ssl.conf file to add the following line:
just before the following line:
In the same file, also change the following line:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!RSA-AES128-SHA
This change eliminates the strong ciphers that do not work well with OpenSSL. Save the change and exit editing.
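A lint for the SSLCipherSuite value shown above, added here as an example and not part of the original guide: it lists the weak cipher classes the string names without excluding them and counts the AES suites it disables with "!". The function names and the weak-class list are assumptions of this example; it reads the string only and does not query OpenSSL.

```shell
#!/bin/sh
# Added example, not from the original guide.
# The SSLCipherSuite value copied from this page:
PAGE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!RSA-AES128-SHA'

# usage: weak_not_excluded "<cipher string>"
# Prints the weak classes named without a '!' or '-' prefix, space separated.
# Runs in a subshell so the IFS and globbing changes stay local.
weak_not_excluded() (
    out=
    IFS=:; set -f
    for tok in $1; do
        case $tok in
            '!'*|-*) continue ;;   # '!' kills and '-' removes: class is excluded
        esac
        tok=${tok#+}               # '+' only moves suites to the end of the list
        IFS=+
        for part in $tok; do       # "RC4+RSA" combines two classes
            case $part in
                LOW|EXP|EXPORT|EXPORT40|EXPORT56|SSLv2|eNULL|NULL|aNULL|ADH|RC4|DES|MD5)
                    out="$out${out:+ }$part" ;;
            esac
        done
        IFS=:
    done
    printf '%s\n' "$out"
)

# usage: disabled_aes "<cipher string>"
# Prints how many AES suites the string disables with '!'.
disabled_aes() (
    n=0
    IFS=:; set -f
    for tok in $1; do
        case $tok in '!'*AES*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

echo "weak classes not excluded: $(weak_not_excluded "$PAGE_SUITE")"
echo "AES suites disabled:       $(disabled_aes "$PAGE_SUITE")"
```

For the value on this page the lint reports RC4, LOW, SSLv2, EXP and eNULL as not excluded and six AES suites disabled, which is worth weighing against the site's TLS policy before the server is exposed.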
Prepare a certificate request and a certificate as described in the previous sections of this chapter.
Note - Use /usr/bin/openssl for the OpenSSL command, /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt for the key and certificate files for Apache 2.x.
Put the private key in the /usr/local/apache2/conf/server.key file and the certificate in the /usr/local/apache2/conf/server.crt file.
Use the following command to start the Apache Web Server:
Test the Apache Web Server as described in the previous sections of this chapter. Verify that the Sun Crypto Accelerator 6000 board is being used with the following command:
Verify that the rsaprivate field is being incremented in the statistics.
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.