CHAPTER 8

Installing and Configuring Apache Web Server Software

This chapter explains how to configure and enable the Sun Crypto Accelerator 6000 Board for use with Apache Web Servers on both Oracle Solaris and Linux platforms. This chapter includes the following sections:

Installing and Configuring Apache Web Server on Oracle Solaris Platforms
Installing and Configuring Apache Web Server on Linux Platforms


Installing and Configuring Apache Web Server on Oracle Solaris Platforms

This section provides instructions specific to Oracle Solaris platforms.


Create a Private Key and Certificate

The following procedure describes how to create the private key and certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 6000 Board. If you already have a private key and certificate, go to Enable Apache Web Server.

1. Generate an RSA private key in Privacy-Enhanced Mail (PEM) format. The -des3 option encrypts the key file with Triple DES under a passphrase.


% ./openssl genrsa -des3 -out /usr/local/apache2/conf/server.key 1024

The command shown creates a 1024-bit key. 1024-bit RSA is no longer considered adequate and public certificate authorities no longer issue certificates for it; use 2048 bits or more where the board firmware and your CA support it. Run the openssl binary for your platform (/usr/sfw/bin/openssl on Oracle Solaris, /usr/bin/openssl on Linux, as noted in the Linux section below).

2. Create your PEM passphrase.

This passphrase protects the key material. Be sure to select a strong passphrase, but one that you can remember. If you forget the passphrase, you will be unable to access your keys.


Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:



Caution - You must remember the passphrase you enter. Without the passphrase, you cannot access your keys. There is no way to retrieve a lost passphrase.


3. Create a certificate request using the key you just created.


% ./openssl req -new -key /usr/local/apache2/conf/server.key -out certreq.csr

You must first enter the passphrase to access your key. Then provide the appropriate information for the fields in TABLE 8-1:


TABLE 8-1 Certificate Field Descriptions

Certificate Field               Description

Country Name                    Required. The two-letter ISO 3166 code for the country, asserted on the certificate (for example, US for the United States).

State or Province Name          Optional. The full name of the state or province (or type "." and press Return to leave it blank).

Locality                        Optional. City, county, or principality, asserted on the certificate if provided.

Organization Name               The organization name to be asserted on the certificate.

Organizational Unit Name        Optional. The organizational unit to be asserted on the certificate.

Common Name (SSL server name)   The fully qualified host name that visitors type in the browser (for example, www.fictional-company.com). Browsers compare this name with the host name in the URL, so it must match exactly.

Email Address                   Contact information for the requestor.


The following is an example of how the certificate fields are entered:


Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ’.’, the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:Fictional Company, Inc.
Organizational Unit Name (eg, section) []:Online Sales Division
Common Name (eg, YOUR name) []:www.fictional-company.com
Email Address []:admin@fictional-company.com
 
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []: Fictional Company, Inc.

4. Send the certreq.csr file to your certificate authority. The CA returns a signed certificate, which you save as server.crt for the steps that follow. Only the request leaves your system; the server.key file stays private.
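The two openssl steps above, as an added, non-interactive example that is not part of the Sun/Oracle procedure. It generates the passphrase-protected key, builds the CSR from a subject given on the command line, and then checks that the CSR's self-signature verifies and that its public modulus matches the private key before the request is sent off. The file names, the subject values and the KEY_PASS variable are assumptions for the example, and the key size is 2048 bits rather than the 1024 shown above.

```shell
#!/bin/sh
# Added example: create a passphrase-protected RSA key and a CSR, then prove
# the CSR belongs to that key. Not part of the original manual; needs an
# openssl binary on PATH (any 1.0 or later release). Paths are placeholders.
set -eu

gen_key_and_csr() {
    # $1 key file, $2 CSR file, $3 subject DN (slash form), $4 key size (bits)
    key=$1; csr=$2; subj=$3; bits=${4:-2048}
    # The passphrase is taken from $KEY_PASS (env:) so that it never shows up
    # in the process list, unlike "-passout pass:..." on the command line.
    openssl genrsa -des3 -passout env:KEY_PASS -out "$key" "$bits" 2>/dev/null
    chmod 600 "$key"                       # the key is secret; the CSR is not
    # -batch suppresses the interactive prompts; -subj supplies the DN.
    openssl req -new -batch -key "$key" -passin env:KEY_PASS \
        -subj "$subj" -out "$csr" 2>/dev/null
}

csr_matches_key() {
    # $1 key file, $2 CSR file. Succeeds only if the CSR's self-signature
    # verifies and the public modulus in the CSR equals the private key's.
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus)
    cmod=$(openssl req -in "$2" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

csr_subject() {
    # Print the subject DN embedded in a CSR, to check before submitting it.
    openssl req -in "$1" -noout -subject
}

# Usage (placeholders):
#   KEY_PASS='...'; export KEY_PASS
#   gen_key_and_csr server.key certreq.csr \
#       '/C=US/O=Fictional Company, Inc./CN=www.fictional-company.com'
#   csr_matches_key server.key certreq.csr && csr_subject certreq.csr
```

The modulus comparison is the check that matters: a CSR that verifies but was built from a different key file would still be signed by the CA, and Apache would then fail at start-up with a key/certificate mismatch.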


Enable Apache Web Server

Apache Web Server and mod_ssl are provided with the Oracle Solaris 10 OS. The following instructions apply to that bundled release of Apache Web Server. Refer to the Apache Web Server documentation for more information.

1. Create an httpd configuration file.

For Oracle Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:


% cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf

2. Replace ServerName with your server name in the httpd.conf file.

3. Locate your private key and the certificate returned by your certificate authority.

4. Rename the private key as server.key and place it in the /etc/apache/ssl.key directory. Keep the file readable by root only.

5. Rename the certificate as server.crt and place it in the /etc/apache/ssl.crt directory.

6. Start the Apache Web Server.

This example assumes the Apache binary directory is /usr/apache/bin. If this is not the Apache binary directory, type in the correct directory.


% /usr/apache/bin/apachectl startssl

7. Enter your PEM passphrase if prompted for it.

8. Verify the SSL-enabled web server by pointing a browser to the following URL:


https://ServerName:ServerPort/



Note - The default port is 443.


9. Verify that the Sun Crypto Accelerator 6000 board is being used.

Sample the driver statistics, load a few pages over HTTPS, and sample them again:


% kstat -n mca0

The rsaprivate counter must increase between the two samples. Each full SSL handshake performs one RSA private-key operation on the board; a resumed session skips that operation and leaves the counter unchanged, so test with fresh connections.


Installing and Configuring Apache Web Server on Linux Platforms

The Apache web server included in the Linux installation does not have the appropriate plug-ins. This section describes how to prepare the Apache Web Server with the plug-ins it needs to use the Sun Crypto Accelerator 6000 board for SSL acceleration.



Note - On Oracle Solaris platforms, the OpenSSL executable is in the /usr/sfw/bin/ directory. On Linux platforms, the OpenSSL executable is in the /usr/bin/ directory.



Prepare OpenSSL Libraries

1. Download the following files from the OpenSSL web site:

openssl-0.9.7d.tar.gz
pkcs11_engine-0.9.7d.patch.2006-04-17.gz

OpenSSL 0.9.7d dates from 2004 and has been unsupported for many years, so it receives no security fixes. Build only the release and patch level listed in the Product Notes for your board, and keep this accelerator-enabled build separate from the system OpenSSL so that the system packages continue to receive updates.

2. Choose a directory in which to uncompress the OpenSSL software (/var/tmp/ is used in this example) and type the following commands:


% tar -zxvf openssl-0.9.7d.tar.gz
% gunzip pkcs11_engine-0.9.7d.patch.2006-04-17.gz

3. Change to the new /var/tmp/openssl-0.9.7d directory and install the patch with the following command:


% patch -p1 < ../pkcs11_engine-0.9.7d.patch.2006-04-17

The following is an example of the output:


patching file Configure
patching file Makefile.org
patching file README.pkcs11
patching file crypto/engine/Makefile.ssl
patching file crypto/engine/cryptoki.h
patching file crypto/engine/eng_all.c
patching file crypto/engine/engine.h
patching file crypto/engine/hw.ec
patching file crypto/engine/hw_pk11.c
patching file crypto/engine/hw_pk11_err.c
patching file crypto/engine/hw_pk11_err.h
patching file crypto/engine/hw_pk11_pub.c
patching file crypto/engine/pkcs11.h
patching file crypto/engine/pkcs11f.h
patching file crypto/engine/pkcs11t.h



Note - Check the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 for any additional required patches. You must install all of the required patches before configuring OpenSSL.


4. Configure and compile OpenSSL. Refer to the README.pkcs11 and INSTALL file for more information.


% ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
% make
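Two checks worth making after the build, before going on to Apache, as an added example that is not from the manual or from the OpenSSL project: that the library named in --pk11-libname is a 64-bit ELF object (the cause of the SSLCryptoDevice start-up error described later in this chapter), read straight from the ELF header rather than through file(1), and that the freshly built openssl binary lists a PKCS#11 engine. The library path is the one used in this chapter; the openssl path and the engine identifiers pk11 and pkcs11 are assumptions, so use whatever your own "openssl engine" output shows.

```shell
#!/bin/sh
# Added example: post-build checks (not from the manual). Verifies that the
# PKCS#11 library handed to --pk11-libname is a 64-bit ELF object and that
# the built openssl binary knows a PKCS#11 engine. The engine identifier is
# assumed to be pk11 or pkcs11; the paths are the ones used in this chapter.
set -eu

elf_class() {
    # Print 32 or 64 for an ELF file (reading through symlinks); fail otherwise.
    # Byte 4 of the ELF header (EI_CLASS) is 1 for ELFCLASS32, 2 for ELFCLASS64.
    [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    case $(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n') in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  return 1 ;;
    esac
}

pkcs11_lib_ok() {
    # $1 = library path given to --pk11-libname. Succeeds only for a 64-bit
    # ELF object, which is what a 64-bit OpenSSL/Apache build can dlopen().
    cls=$(elf_class "$1") || { echo "$1: not an ELF object"; return 1; }
    [ "$cls" = 64 ] || { echo "$1: ELF$cls, need a 64-bit library"; return 1; }
    echo "$1: ELF64 ok ($(ls -l "$1"))"
}

openssl_has_pkcs11_engine() {
    # $1 = openssl binary, e.g. /var/tmp/openssl-0.9.7d/apps/openssl.
    # "openssl engine" prints one "(id) description" line per built-in engine.
    "$1" engine 2>/dev/null | grep -Eq '^\((pk11|pkcs11)\)'
}

# Usage:
#   pkcs11_lib_ok /usr/lib64/pkcs11/PKCS11_API.so
#   openssl_has_pkcs11_engine /var/tmp/openssl-0.9.7d/apps/openssl
```

If the library check fails, fix the symlink before rebuilding: configuring OpenSSL against a 32-bit library produces a build that cannot load the engine, which is exactly the "must be one of: 'builtin' (none)" message Apache prints later.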


Compile Apache Web Server

1. Download Apache 2.2.0, httpd-2.2.0.tar.gz, from http://www.apache.org.

2. Choose a directory to uncompress the Apache software (/var/tmp is used in this example). Type the following command:


% tar -zxvf httpd-2.2.0.tar.gz

3. Change to the new /var/tmp/httpd-2.2.0 directory and type the following command to configure the Apache Web Server. Refer to the INSTALL file for more information.


% ./configure --enable-ssl --with-ssl=/var/tmp/openssl-0.9.7d

There are many other options to configure Apache. The --enable-ssl --with-ssl=/var/tmp/openssl-0.9.7d options are the minimum required. These options provide the location of the OpenSSL libraries.

4. Compile and install Apache. Refer to the INSTALL file for more information:


% make
% make install



Note - Using Apache 2.2.0 or 2.2.2 on SuSE with the x86_64 architecture, make could fail with an error message similar to the following:
/usr/lib/libexpat.la: could not read symbols: Invalid operation
If this error occurs, change the /usr/lib/libexpat.la entry to /usr/lib64/libexpat.la in the srclib/apr-util/Makefile.


By default, Apache is installed in the /usr/local/apache2 directory.


Configure and Start Apache Web Server

The Apache software is installed in the /usr/local/apache2 directory in this example.

1. Edit the /usr/local/apache2/conf/httpd.conf file and change the following line to enable SSL:


#Include conf/extra/httpd-ssl.conf

to:


Include conf/extra/httpd-ssl.conf

2. Enable the PKCS#11 OpenSSL engine by editing the /usr/local/apache2/conf/extra/httpd-ssl.conf file to add the following line:


SSLCryptoDevice pkcs11

just before the following line:


#   Pass Phrase Dialog:

In the same file, also change the following line:


SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

to:


SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!RSA-AES128-SHA

This change removes the AES cipher suites, which do not work correctly with this OpenSSL and PKCS#11 engine combination. Note what the resulting list still allows: ALL admits the low-strength, export-grade and SSLv2 suites, and +LOW, +EXP and +SSLv2 only reorder them rather than remove them, while RC4+RSA keeps RC4 at the front. That is acceptable while you confirm the board is being used, but for production exclude them with !LOW:!EXP:!SSLv2 and keep only the strong suites the engine supports. Save the change and exit editing.
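As an added example, not part of the manual: a small audit that expands a cipher string the way OpenSSL and mod_ssl will and flags the suites a production server should not offer. PAGE_CIPHERS is the string arrived at above; HARDENED_CIPHERS is a suggested replacement, not a setting from the manual, and the example assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the manual): show what a mod_ssl SSLCipherSuite
# string really offers by expanding it with "openssl ciphers -v" and flagging
# the suites a production server should not negotiate.
set -eu

# The string the manual arrives at, and a tightened one. "!" removes a suite
# class for good; "+" (as used in the manual) only reorders suites that ALL
# already admitted, so +LOW:+EXP:+SSLv2 leave those suites enabled.
PAGE_CIPHERS='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!RSA-AES128-SHA'
HARDENED_CIPHERS='HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5'
# If the engine limitation described above still applies to your build, append
# the manual's six !...AES... exclusions to HARDENED_CIPHERS as well.

audit_cipher_lines() {
    # Read "openssl ciphers -v" output on stdin, print each weak suite, and
    # return the number found (0 means clean). Weak here means: anonymous
    # (Au=None) or null-encryption (Enc=None) suites, RC4, single DES and
    # 40-bit export ciphers.
    awk 'BEGIN { n = 0 }
         /Au=None/ || /Enc=None/ || /Enc=RC4/ || /Enc=DES\(56\)/ || /\(40\)/ || / export/ {
             printf "WEAK: %s\n", $1; n++
         }
         END { exit n }'
}

audit_cipher_string() {
    # $1 = cipher string. Expand it exactly as OpenSSL will, then audit it.
    # Returns 2 if OpenSSL rejects the string outright.
    list=$(openssl ciphers -v "$1") || return 2
    printf '%s\n' "$list" | audit_cipher_lines
}

# Usage:
#   audit_cipher_string "$PAGE_CIPHERS"      # on 0.9.7: lists RC4, EXP, LOW suites
#   audit_cipher_string "$HARDENED_CIPHERS"  # prints nothing, returns 0
```

Run the audit against the OpenSSL you actually linked Apache with (the apps/openssl binary in the build tree), because the set of suites behind ALL and HIGH differs from release to release.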

3. Prepare a certificate request and a certificate as described in the previous sections of this chapter.



Note - Use /usr/bin/openssl for the OpenSSL command, /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt for the key and certificate files for Apache 2.x.


4. Put the private key in the /usr/local/apache2/conf/server.key file and the certificate in the /usr/local/apache2/conf/server.crt file.

5. Use the following command to start the Apache Web Server:


% /usr/local/apache2/bin/apachectl start



Note - Apache could fail to start with an error message similar to the following:
Syntax error on line 52 of /usr/local/apache2/conf/extra/httpd-ssl.conf: SSLCryptoDevice: Invalid argument; must be one of: 'builtin' (none), ...
If this error occurs, verify that --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so was used when OpenSSL was configured, and use the file command to verify that /usr/lib64/pkcs11/PKCS11_API.so is a link to the 64-bit openCryptoki PKCS#11 library.


6. Test the Apache Web Server as described in the previous sections of this chapter. Then verify that the Sun Crypto Accelerator 6000 board is being used with the following command:


% cat /proc/driver/mca0

7. Verify that the rsaprivate field is being incremented in the statistics. Read the file before and after a few fresh HTTPS connections; the counter must increase.
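The verification in step 7 here and in step 9 of the Oracle Solaris procedure, as an added example that is not from the manual: take a statistics snapshot, force one fresh SSL handshake with openssl s_client, take a second snapshot, and report the change in rsaprivate. The "rsaprivate <value>" line layout is assumed for both kstat -n mca0 and /proc/driver/mca0 (check it on your system), and the host name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the manual): confirm that the board, not the software
# fallback, performs the RSA private-key operations. Handles both the Oracle
# Solaris "kstat -n mca0" output and the Linux /proc/driver/mca0 file, assuming
# both print the counter as "rsaprivate <value>" on its own line. Needs openssl
# s_client on PATH to drive a handshake.
set -eu

rsaprivate_count() {
    # Read a statistics snapshot on stdin and print the rsaprivate value.
    # Fails if the counter is not present in the snapshot.
    awk '$1 ~ /^rsaprivate:?$/ { print $NF; found = 1 }
         END { exit !found }'
}

snapshot_stats() {
    # Print the mca driver statistics for this platform.
    if command -v kstat >/dev/null 2>&1; then
        kstat -n mca0                      # Oracle Solaris
    elif [ -r /proc/driver/mca0 ]; then
        cat /proc/driver/mca0              # Linux
    else
        return 1
    fi
}

counter_delta() {
    # $1 = snapshot taken before, $2 = snapshot taken after. Print the change.
    before=$(printf '%s\n' "$1" | rsaprivate_count) || return 1
    after=$(printf '%s\n' "$2" | rsaprivate_count) || return 1
    echo $((after - before))
}

check_board_in_use() {
    # $1 = host:port of the SSL-enabled Apache. One full handshake performs one
    # RSA private-key operation, so a fresh connection (no session resumption)
    # must move the counter by at least 1.
    pre=$(snapshot_stats) || { echo "no mca0 statistics found"; return 2; }
    openssl s_client -connect "$1" </dev/null >/dev/null 2>&1 \
        || { echo "handshake with $1 failed"; return 2; }
    post=$(snapshot_stats)
    d=$(counter_delta "$pre" "$post") || return 2
    if [ "$d" -ge 1 ]; then
        echo "rsaprivate +$d: the board handled the private-key operation"
    else
        echo "rsaprivate unchanged: the handshake ran in software"
        return 1
    fi
}

# Usage:  check_board_in_use www.fictional-company.com:443
```

A browser test can mislead here because browsers resume sessions; the s_client connection above is always a full handshake, so an unchanged counter means the engine is not being used.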
