In this procedure, you configure an Apache 2.2 web server from scratch with the SSL kernel proxy as the primary SSL session-handling mechanism. When the cipher suites that the client offers include none that the SSL kernel proxy implements, the proxy passes the connection to the Apache 2.2 web server, which terminates the SSL session itself (the fallback). This procedure implements the scenario that is illustrated in Kernel-Encrypted Web Server Communications With User-Level Fallback Option.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
The following command generates a self-signed certificate (the -x509 option) and the associated private key for the SSL kernel proxy. The private key is encrypted with the PEM passphrase that you enter; the same passphrase must later be written to the passphrase file that the proxy and the web server read. Without -days, openssl req issues a certificate that is valid for only 30 days; for a production server, submit a CSR to a CA instead of using a self-signed certificate.
# cd /root
# openssl req \
> -x509 -new \
> -subj "/C=CZ/ST=Prague region/L=Prague/CN=`hostname`" \
> -newkey rsa:2048 -keyout webkey.pem \
> -out webcert.pem
Generating a 2048 bit RSA private key
.+++
........+++
writing new private key to 'webkey.pem'
Enter PEM pass phrase: JohnnyCashIsCool
Verifying - Enter PEM pass phrase: JohnnyCashIsCool
#
# chmod 440 /root/webcert.pem ; chown root:webservd /root/webcert.pem
For more information, see the openssl(5) man page.
Store the passphrase that protects the private key in a file that the SSL kernel proxy and the web server can read. The file must contain the PEM passphrase that you entered when you generated webkey.pem (JohnnyCashIsCool in the example above); with any other value, neither ksslcfg nor httpd can unlock the key.

# echo "JohnnyCashIsCool" > /root/kssl.pass
# chmod 440 /root/kssl.pass; chown root:webservd /root/kssl.pass
Concatenate the certificate and the encrypted private key into one file, which is the form that ksslcfg -f pem expects. The combined file contains the encrypted key, so keep it readable by root only.

# cat /root/webcert.pem /root/webkey.pem > /root/webcombo.pem
Create the service instance for the SSL kernel proxy. The final argument, 443, is the SSL port that the proxy handles; -x 8443 is the proxy port on which the web server receives the decrypted traffic; -p names the file that holds the key passphrase.

# ksslcfg create -f pem -i /root/webcombo.pem -x 8443 -p /root/kssl.pass 443
Edit the Listen line in the /etc/apache2/2.2/httpd.conf file so that the web server listens on port 8443, the proxy port that you passed to ksslcfg -x. On this port Apache receives the cleartext of sessions that the SSL kernel proxy has already decrypted.

# pfedit /etc/apache2/2.2/httpd.conf
...
## Listen 80
Listen 8443
Copy the sample mod_ssl configuration into place:

# cp /etc/apache2/2.2/samples-conf.d/ssl.conf /etc/apache2/2.2/ssl.conf

This module adds listening on port 443 for encrypted connections. These are the connections that the SSL kernel proxy cannot handle because the client offered none of the proxy's cipher suites; Apache terminates SSL for them itself.
Create a script that prints the passphrase, so that the web server can unlock the private key without an interactive prompt at startup:

# pfedit /root/put-passphrase.sh
#!/usr/bin/ksh -p
## Reads SSL kernel proxy passphrase
/usr/bin/cat /root/kssl.pass

# chmod 500 /root/put-passphrase.sh
# chown webservd:webservd /root/put-passphrase.sh

Replace the builtin passphrase dialog in ssl.conf with the script:

# pfedit /etc/apache2/2.2/ssl.conf
...
## SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/root/put-passphrase.sh
The values of the SSLCertificateFile and SSLCertificateKeyFile parameters in the ssl.conf file already name the expected locations. Copy or link the certificate and the key to those locations:

# ln -s /root/webcert.pem /etc/apache2/2.2/server.crt
# ln -s /root/webkey.pem /etc/apache2/2.2/server.key

server.crt is the default SSLCertificateFile location and server.key is the default SSLCertificateKeyFile location.
# svcadm enable apache22
Use the openssl s_client and kstat commands to verify which component handles each session. The kssl counters only increase, so read the relevant counter before the test connection and again afterwards, and compare the two values on a server that no other client is using at the time. RC4-SHA is used here only because it is a cipher suite that the SSL kernel proxy implements; RC4 is a broken cipher, and recent OpenSSL builds may refuse to offer it.

# openssl s_client -cipher RC4-SHA -connect web-server:443

An increase of 1 in the kstat counter kssl_full_handshakes verifies that the SSL session was handled by the SSL kernel proxy.

# kstat -m kssl -s kssl_full_handshakes

# openssl s_client -cipher CAMELLIA256-SHA -connect web-server:443

An increase of 1 in the kstat counter kssl_fallback_connections verifies that the connection arrived at the proxy, but the SSL session was handled by the Apache web server.

# kstat -m kssl -s kssl_fallback_connections
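The following script automates the verification step above and adds the check that is easiest to get wrong in this procedure, namely that the passphrase file really unlocks the private key. It is an added example and not part of the Oracle procedure. It assumes a Solaris host with kstat(1M) and openssl(1), that `kstat -p` prints one `module:instance:name:statistic<TAB>value` line per counter, and that the server is named in a hypothetical KSSL_WEB_SERVER environment variable (for example web-server:443). The counter parsing and the classification logic are plain shell functions that run anywhere; only the probes need the Solaris host.

```shell
#!/bin/sh
# kssl-verify.sh: report whether the SSL kernel proxy or Apache mod_ssl
# terminated a test session, using the kssl kstat counters.
# Added example, not Oracle's code. Assumes Solaris kstat(1M), openssl(1),
# and a hypothetical KSSL_WEB_SERVER=host:port environment variable.

# Extract one kssl counter from `kstat -p` output read on stdin.
# Each line is "module:instance:name:statistic<TAB>value"; the statistic
# is the last colon-separated element of field 1, so match on that and
# sum across instances (normally there is exactly one).
kssl_counter() {
    awk -v stat="$1" '$1 ~ (":" stat "$") { sum += $2 } END { print sum + 0 }'
}

# Read the live value of a kssl counter. Solaris only.
read_counter() {
    kstat -p -m kssl -s "$1" | kssl_counter "$1"
}

# Classify one session from before/after snapshots of the two counters:
#   kssl_full_handshakes      +1 -> handled by the SSL kernel proxy
#   kssl_fallback_connections +1 -> handed to Apache mod_ssl on port 443
classify() {   # $1 full_before $2 full_after $3 fallback_before $4 fallback_after
    full_delta=$(( $2 - $1 ))
    fallback_delta=$(( $4 - $3 ))
    if [ "$full_delta" -eq 1 ] && [ "$fallback_delta" -eq 0 ]; then
        echo kernel
    elif [ "$fallback_delta" -eq 1 ] && [ "$full_delta" -eq 0 ]; then
        echo fallback
    else
        echo unknown   # no session seen, or another client connected meanwhile
    fi
}

# Connect once with a fixed cipher suite and report which path handled it.
# Run this on a quiet server: any other client that connects between the
# two snapshots also moves the counters.
probe() {   # $1 = host:port, $2 = cipher suite
    full0=$(read_counter kssl_full_handshakes)
    fb0=$(read_counter kssl_fallback_connections)
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -cipher "$2" -connect "$1" >/dev/null 2>&1
    full1=$(read_counter kssl_full_handshakes)
    fb1=$(read_counter kssl_fallback_connections)
    printf '%-16s %s\n' "$2" "$(classify "$full0" "$full1" "$fb0" "$fb1")"
}

# Confirm that the passphrase file unlocks the encrypted private key.
# A mismatch between the PEM passphrase and kssl.pass makes both ksslcfg
# and httpd fail to start; openssl rsa exits non-zero on a wrong passphrase.
check_passphrase() {   # $1 = encrypted key file, $2 = passphrase file
    openssl rsa -in "$1" -passin "file:$2" -noout 2>/dev/null
}

if [ -n "${KSSL_WEB_SERVER:-}" ]; then
    check_passphrase /root/webkey.pem /root/kssl.pass ||
        { echo "kssl.pass does not unlock /root/webkey.pem" >&2; exit 1; }
    probe "$KSSL_WEB_SERVER" RC4-SHA           # implemented by the kernel proxy
    probe "$KSSL_WEB_SERVER" CAMELLIA256-SHA   # not implemented in kernel: fallback
fi
```

Run it on the web server as root with `KSSL_WEB_SERVER=web-server:443 sh kssl-verify.sh`; the expected output is `RC4-SHA kernel` followed by `CAMELLIA256-SHA fallback`. The passphrase check runs first because it is cheap and catches the configuration error before you look at counters that never move.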
The following command shows the general form of the ksslcfg invocation used above. It creates a service instance for the SSL kernel proxy that uses the pem key format:
# ksslcfg create -f pem -i cert-and-key.pem -p kssl.pass -x 8443 443