Any client can download packages from a repository that is configured to serve packages over HTTP. In some cases, you need to restrict access. One way to restrict access to the repository is to run the depot server behind an SSL-enabled Apache instance that supports client certificates.
Using SSL provides the following benefits:
- Ensures encrypted transfer of package data between the client and the server
- Enables you to grant access to repositories based on the certificate the client presents to the server
To set up a secure repository server, you must create a custom certificate chain:
- Create a certificate authority (CA), which is the head of the certificate chain.
- Issue certificates from this CA to the clients that are allowed to access the repository.
A copy of the CA certificate is stored on the repository server. Whenever a client presents a certificate to the server, that client certificate is verified against the CA certificate on the server to determine whether to grant access.
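The following added example (not part of the original documentation) walks through that trust decision with the `openssl` command-line tool, which is an assumption here and not necessarily the tool the documented procedure uses. It creates a client CA, issues a client certificate from it, and shows that a certificate issued by a different CA fails verification. All names and subjects are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: CA names, client names and file paths are constructed.
set -e

WORK=$(mktemp -d)              # scratch directory; nothing is written elsewhere
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (private key + certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA CLIENT: create a key and CSR for CLIENT, then sign the CSR with CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# access_decision CA CLIENT: print "granted" if CLIENT's certificate
# verifies against the CA certificate, otherwise "denied".
access_decision() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo granted
    else
        echo denied
    fi
}

make_ca repo-client-ca                       # the CA whose certificate the server holds
make_ca unrelated-ca                         # a CA the server does not trust
issue_client repo-client-ca allowed-client   # client permitted to use the repository
issue_client unrelated-ca other-client       # client with a certificate from elsewhere

echo "allowed-client: $(access_decision repo-client-ca allowed-client)"
echo "other-client:   $(access_decision repo-client-ca other-client)"
```

Only the CA certificate (`repo-client-ca.crt` in this sketch) needs to be on the server for verification; the CA private key is needed only when issuing client certificates.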
This section describes the following steps to create the certificate chain and configure the Apache front end to verify client certificates:
- Create a keystore
- Create a certificate authority for client certificates
- Add SSL configuration to the Apache configuration file
- Create a self-signed server certificate authority
- Create a PKCS12 keystore
For information about Apache web server privileges in Oracle Solaris, see "Locking Down Resources by Using Extended Privileges" in Securing Users and Processes in Oracle Solaris 11.2.