CHAPTER 3
Installing and Configuring Sun ONE Server Software
This chapter describes how to configure the Sun Crypto Accelerator 1000 board for use with Sun ONE servers. This chapter includes the following sections:
Note - All Sun ONE server software is supported for use with the board. The example in this section covers configuring the Sun ONE Web Server only. Refer to the Sun ONE documentation for details on how to install and configure Sun ONE server software.
To enable Sun ONE Web Servers, you must complete the following procedures, which the rest of this chapter explains in detail.
1. Install the Sun ONE Web Server.
2. Create a trust database.
3. Request a certificate.
4. Install the certificate.
5. Configure the Sun ONE Web Server.
This section describes how to install and configure Sun ONE Web Server 6.1 to use the board. You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about installing and using Sun ONE Web Servers. This section includes the following procedures:
1. Download the Sun ONE Web Server 6.1 software.
You can find the web server software at the following URL:
2. Change to the installation directory and extract the web server software.
3. Install the web server with the setup script from the command line.
The default path name for the server is: /opt/SUNWwbsvr/.
This chapter refers to the default paths. If you decide to install the software in a different location, be sure to note where you installed it.
4. Answer the prompts from the installation script.
Except for the following prompts, you can accept the defaults:
a. Agree to accept the license terms by typing yes.
b. Enter a fully qualified domain name.
c. Enter the Sun ONE Web Server 6.1 Administration Server password twice.
d. Press Return when prompted.
These procedures create a trust database; register the board with the web server; generate and install a server certificate; and enable the web server for SSL.
1. Start the administration server.
To start a Sun ONE Web Server, use the following command (instead of running startconsole as setup requests):
The response provides the URL for connecting to your servers.
2. Start the Sun ONE administration server by opening up a web browser and entering:
In the pop-up window, enter the Sun ONE Web Server administration server username and password you selected while running setup.
3. Click OK.
4. Create the trust database for the web server instance.
You might want to enable security on more than one web server instance. If so, repeat this process for each web server instance.
a. Click the Servers tab in the administration server.
b. Select a server and click the Manage button.
c. Click the Security tab near the top of the page and select the Create Database link.
d. Enter a password for the web server trust database in the two dialog boxes and click OK.
Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode.
1. Configure the Sun Metaslot keystore. Log in as the Web Server Administration Server user you chose during Sun ONE Web Server installation (the default is root). Use the following command to set up the Sun Metaslot keystore. If you are prompted for the current password, the default is changeme. The new password you enter here will be needed to start the Sun ONE Web Server. For convenience, you may use the same password you created in the previous section (To Create a Trust Database) for the Sun Metaslot.
Restore the METASLOT_ENABLED environment variable using the following command.
The pktool setpin command creates the .sunw directory in the home directory of the Administration Server user. This directory will be used by the System User you chose during Sun ONE Web Server installation (the default user is webservd). Change to the home directory of the Administration Server user and use the following command to change the owner and group of the .sunw directory and all of its contents to the System User.
Use the following command to disable the CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_SSL3_MASTER_KEY_DERIVE, CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC mechanisms in the Sun Metaslot.
Determine whether the system is using the non-export or export version of softtoken with the following command:
If pkcs11_softtoken.so is returned in the output of the previous command, disable the algorithms with the following command.
Alternatively, if pkcs11_softtoken_extra.so is returned in the output of the cryptoadm list -p command, disable the algorithms with the following command:
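As an added example that is not part of the Sun manual, the following shell functions pick the softtoken provider out of cryptoadm list -p output and print (without executing) the matching cryptoadm disable command for the six SSL3 mechanisms named above. The sample output, the /usr/lib/security/$ISA/ library path and the cryptoadm disable provider=... mechanism=... syntax are assumptions to check against your Solaris release.

```shell
#!/bin/sh
# Added example (not from the Sun manual): decide which softtoken library the
# system uses from "cryptoadm list -p" output and build the matching
# "cryptoadm disable" command for the SSL3 mechanisms named in the chapter.
# The command is printed, not executed, so it can be reviewed first.

# SSL3 mechanisms listed in the chapter. Disabling them in softtoken lets
# Metaslot route SSL handshake key derivation to the accelerator board.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC"

# Constructed sample of "cryptoadm list -p" output (non-export softtoken);
# the $ISA path is an assumption about the Solaris layout.
SAMPLE_LIST_P='user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.'

# softtoken_provider: read "cryptoadm list -p" output on stdin and print the
# softtoken provider path (pkcs11_softtoken.so or pkcs11_softtoken_extra.so).
# Returns 1 if neither appears, so the caller does not guess.
softtoken_provider() {
    prov=$(sed -n 's/^\([^:]*pkcs11_softtoken\(_extra\)\{0,1\}\.so\):.*/\1/p' | head -n 1)
    [ -n "$prov" ] || return 1
    printf '%s\n' "$prov"
}

# ssl3_disable_cmd PROVIDER: print the cryptoadm command that disables the
# SSL3 mechanisms in that provider (assumed syntax:
# cryptoadm disable provider=<lib> mechanism=<comma-separated list>).
ssl3_disable_cmd() {
    printf 'cryptoadm disable provider=%s mechanism=%s\n' "$1" "$SSL3_MECHS"
}

# Demo on the constructed sample; on a real system pipe "cryptoadm list -p"
# into softtoken_provider instead.
prov=$(printf '%s\n' "$SAMPLE_LIST_P" | softtoken_provider) && ssl3_disable_cmd "$prov"
```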
2. Register the Solaris PKCS#11 library in the security module database of the Sun ONE Web Server using modutil.
Note - modutil is a utility developed by Mozilla and is available with the Sun ONE distribution. By default, modutil is located in the /opt/SUNWwbsvr/bin/https/admin/bin directory. It uses the NSS libraries located in /opt/SUNWwbsvr/bin/https/lib. This directory should be included in the environment variable $LD_LIBRARY_PATH.
3. Certain Sun ONE applications ask for a password for every known PKCS#11 token. To limit the slots presented to those required to start the web server, disable all slots except for one slot used by the Sun ONE application.
1. Restart the Sun ONE Web Server 6.1 Administration Server by typing the following commands. The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box enter the Sun ONE Web Server 6.1 Administration Server user name and password you selected while running setup.
3. Click OK.
The Sun ONE Web Server 6.1 Administration Server window is displayed.
4. To request the server certificate, select the Servers tab near the top of Sun ONE Web Server 6.1 Administration Server window. Then select a server from the drop-down menu and click the Manage button.
The Sun ONE Web Server 6.1 Server Manager window is displayed.
5. Select the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window. Then click the Request a Certificate link on the left panel.
6. Fill out the form to generate a certificate request, using the following information:
a. Select a New Certificate.
If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
b. Select the Cryptographic Module you want to use.
Each slot has its own entry in this pull-down menu. For this example, the Sun Metaslot is chosen.
c. In the Key Pair File Password dialog box, provide the password for the user that will own the key.
This password is the one you used to configure the Sun Metaslot.
d. Type the appropriate information for the requestor information fields in TABLE 3-1.
e. Click OK to submit the information.
7. Use a certificate authority to generate the certificate.
8. Once the certificate is generated, copy it, along with the headers, to the clipboard.
1. Click the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window.
2. Select the Install Certificate link on the left side of the Sun ONE Web Server 6.1 Administration Server window.
Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
3. Fill out the form to install your certificate:
In most cases, you can leave this blank. If you provide a name, it alters the name the web server uses to access the certificate and key when running with SSL support. The default for this field is Server-Cert.
4. Paste the certificate you copied from the certificate authority (in Step 8 of To Generate a Server Certificate) into the Message text box.
You are shown some basic information about the certificate.
5. Click OK.
6. If everything looks correct, click the Add Server Certificate button.
On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.
You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.
Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.
7. Use the following command to recursively change the ownership of the .sunw directory to the System user:
Even though this command was executed previously, it needs to be executed again. This step is necessary because the Administration Server user owns the newly imported certificate, and the System user requires ownership.
1. Select the Servers tab and make sure the Manage Servers link on the left is selected. Choose a server in the "Select a Server" list and click on the Manage button.
2. Select the Preferences tab near the top of the page.
3. Select the Edit Listen Sockets link on the left panel.
The main panel lists all the listen sockets set for the web server instance.
a. Click the link under Listen Socket ID for the listen socket you wish to configure.
b. Alter the following fields:
c. Click OK to apply these changes.
You are returned to the list of listen sockets. Make sure that security is enabled.
4. Click the same listen socket again.
5. Enter the password you used for configuring the Sun Metaslot to authenticate to the keystore on the system.
6. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.
A dialog box is displayed for changing the cipher settings. You can select either Cipher Default settings, SSL2, or SSL3/TLS. If you select the Cipher Default, you are not shown the default settings. The other two choices require you to select the algorithms you want to enable in a pop-up dialog box. Refer to your Sun ONE documentation on cipher selection.
7. Select the certificate for the keystore Sun Metaslot: Server-Cert (or the name you chose).
8. When you have chosen a certificate and confirmed all the security settings, click OK.
9. Select the Apply link in the far upper right corner to apply these changes before you start your server.
10. Select the Load Configuration Files link to apply the changes.
You are redirected to a page that allows you to start your web server instance.
If you click the Apply Changes button when the server is off, an authentication dialog box prompts you for the password you used for configuring the Sun Metaslot. This window is not resizable, and you might have a problem submitting the change.
There are two workarounds for this problem:
11. In the Sun ONE Web Server 6.1 Administration Server window, select the On/Off link on the left side of the window.
12. Enter the passwords for the servers and click Server On.
You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.
At the Module keystore-name prompt, enter the password you used for configuring the Sun Metaslot.
Enter the password you entered for configuring other keystores as prompted.
13. Verify the new SSL-enabled web server at the following URL:
You can enable the Sun ONE Web Servers to perform an unattended startup at reboot with an encrypted key.
1. Navigate to the config subdirectory for your Sun ONE Web Server instance, for example /opt/SUNWwbsvr/https-webserver-instance-name/config.
2. Create a password.conf file with only the following lines:
3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:
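Because password.conf holds the keystore password in clear text, the ownership and permission settings in step 3 are the only thing standing between other local users and the key material. As an added example that is not part of the Sun manual, the following shell functions check a password.conf against that requirement and apply the chapter's settings when it fails; the file path and the user name webservd (the manual's default System User) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun manual): verify that a web server
# password.conf is owned by the server's UNIX user and readable by that owner
# only, as the chapter requires before unattended startup is enabled.

# check_password_conf FILE USER
# Prints "ok" and returns 0 when FILE is a regular file owned by USER with
# mode r-------- (no write, group or world access); otherwise prints the
# first problem found and returns 1.
check_password_conf() {
    f=$1; want_user=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Compare numeric uids so the check does not depend on name resolution.
    want_uid=$(id -u "$want_user") || { echo "unknown user: $want_user"; return 1; }
    # ls -ldn is used instead of stat(1) because stat's flags differ between
    # Solaris, GNU and BSD userlands. Field 1 is the mode, field 3 the uid.
    set -- $(ls -ldn "$f")
    mode=$1; owner_uid=$3
    case "$mode" in
        -r--------*) ;;   # a trailing '.' or '+' (label/ACL marker) is tolerated
        *) echo "bad mode: $mode (want -r--------)"; return 1 ;;
    esac
    [ "$owner_uid" = "$want_uid" ] || { echo "bad owner uid: $owner_uid (want $want_uid)"; return 1; }
    echo ok
}

# fix_password_conf FILE USER: apply the chapter's settings (owner USER,
# mode 400) and re-run the check so the caller sees the result.
fix_password_conf() {
    chown "$2" "$1" && chmod 400 "$1" && check_password_conf "$1" "$2"
}

# Demo for an instance directory (path and user are assumptions):
#   check_password_conf /opt/SUNWwbsvr/https-webserver-instance-name/config/password.conf webservd
```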