Part I Network Services Topics
Network Cache and Accelerator (Overview)
Web Servers Using the Secure Sockets Layer Protocol
Managing Web Cache Servers (Task Map)
Interpositioning Library for Daemon Support of the Door Server
Administering the Caching of Web Pages (Tasks)
How to Enable Caching of Web Pages
How to Disable Caching of Web Pages
How to Enable or Disable NCA Logging
How to Load the Socket Utility Library for NCA
How to Add a New Port to the NCA Service
How to Configure an Apache 2.0 Web Server to Use the SSL Kernel Proxy
How to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy
The following sections cover the procedures to enable or disable parts of the service.
How to Enable Caching of Web Pages

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Type the name of each physical interface in the /etc/nca/nca.if file. See the nca.if(4) man page for more information.

# cat /etc/nca/nca.if
hme0
hme1
Each interface must have an accompanying hostname.interface-name file and an entry in the /etc/hosts file for the host name given in hostname.interface-name. To start the NCA feature on all interfaces, place an asterisk, *, in the nca.if file.
Change the status entry in /etc/nca/ncakmod.conf to enabled.
# cat /etc/nca/ncakmod.conf
#
# NCA Kernel Module Configuration File
#
status=enabled
httpd_door_path=/var/run/nca_httpd_1.door
nca_active=disabled
See the ncakmod.conf(4) man page for more information.
Change the status entry in /etc/nca/ncalogd.conf to enabled.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/var/nca/log"
logd_file_size=1000000
You can change the location of the log file by changing the path that is indicated by the logd_path_name entry. The log file can be a raw device or a file. See the following examples for samples of NCA log file paths. See the ncalogd.conf(4) man page for more information about the configuration file.
Add the port numbers in the /etc/nca/ncaport.conf file. This entry causes NCA to monitor port 80 on all configured IP addresses.
# cat /etc/nca/ncaport.conf
#
# NCA Kernel Module Port Configuration File
#
.
.
ncaport=*/80
Use the eeprom command to set the kernelbase of the system.
# eeprom kernelbase=0x90000000
# eeprom kernelbase
kernelbase=0x90000000
The second command verifies that the parameter has been set.
Note - By setting the kernelbase, you reduce the amount of virtual memory that user processes can use to less than 3 Gbytes. This restriction means that the system is not ABI compliant. When the system boots, the console displays a message that warns you about the noncompliance. Most programs do not actually need the full 3-Gbyte virtual address space. If you have a program that needs more than 3 Gbytes, you need to run the program on a system that does not have NCA enabled.
Example 2-1 Using a Raw Device as the NCA Log File
The logd_path_name string in ncalogd.conf can define a raw device as the place to store the NCA log file. The advantage to using a raw device is that the service can run faster because the overhead in accessing a raw device is less.
The NCA service tests any raw device that is listed in the file to ensure that no file system is in place. This test ensures that no active file systems are accidentally written over.
To prevent this test from finding a file system, run the following command. This command destroys part of the file system on any disk partition that had been configured as a file system. In this example, /dev/rdsk/c0t0d0s7 is the raw device that has an old file system in place.
# dd if=/dev/zero of=/dev/rdsk/c0t0d0s7 bs=1024 count=1
After running dd, you can then add the raw device to the ncalogd.conf file.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/dev/rdsk/c0t0d0s7"
logd_file_size=1000000
Example 2-2 Using Multiple Files for NCA Logging
The logd_path_name string in ncalogd.conf can define multiple targets as the place to store the NCA log file. The second file is used when the first file is full. The following example shows how to select to write to the /var/nca/log file first and then use a raw partition.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/var/nca/log /dev/rdsk/c0t0d0s7"
logd_file_size=1000000
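The enable procedure above touches four files that must agree with each other (nca.if, the hostname.interface-name files, ncakmod.conf, ncalogd.conf and ncaport.conf). The following POSIX shell script is an added example, not part of this guide or of the NCA software: it cross-checks those files before a reboot. The root-directory parameter, the /etc/hostname.interface-name location and the constructed staging tree it builds for the demo are assumptions; on a live host call check_nca_config with / as the root.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: cross-check the NCA files
# edited above before rebooting. ROOT is an assumed parameter so the
# check can run on a staging copy; on a live host pass / (or nothing).

nca_status() {
    # Print the value of the status= entry of one config file, skipping
    # comment lines; prints nothing when the entry is missing.
    sed -n 's/^[[:space:]]*status=//p' "$1" 2>/dev/null | tail -n 1
}

check_nca_config() {
    root=${1:-/}
    ok=0
    ncaif="$root/etc/nca/nca.if"
    [ -f "$ncaif" ] || { echo "missing $ncaif"; return 1; }

    # Every interface named in nca.if needs an /etc/hostname.<if> file;
    # a lone '*' means all interfaces and needs no per-interface file.
    while read -r ifname; do
        case "$ifname" in
            ''|\#*|'*') continue ;;
        esac
        if [ ! -f "$root/etc/hostname.$ifname" ]; then
            echo "nca.if lists $ifname but $root/etc/hostname.$ifname is missing"
            ok=1
        fi
    done < "$ncaif"

    # Both the kernel module and the logging daemon must be enabled.
    for f in ncakmod.conf ncalogd.conf; do
        st=$(nca_status "$root/etc/nca/$f")
        if [ "$st" != enabled ]; then
            echo "$f: status is '${st:-unset}', expected enabled"
            ok=1
        fi
    done

    # Without an ncaport= entry NCA has no port to serve.
    if ! grep -q '^ncaport=' "$root/etc/nca/ncaport.conf" 2>/dev/null; then
        echo "ncaport.conf: no ncaport= entry, NCA would serve no port"
        ok=1
    fi
    return $ok
}

make_sample_root() {
    # Build a constructed staging tree under $1 with the file contents
    # shown in the procedure (sample data, not copied from a real host).
    # $2 is "good" (hostname file for every interface) or "bad" (hme1's
    # hostname file forgotten, the mistake the check is meant to catch).
    d=$1
    mkdir -p "$d/etc/nca"
    printf 'hme0\nhme1\n' > "$d/etc/nca/nca.if"
    printf '#\n# NCA Kernel Module Configuration File\n#\nstatus=enabled\nhttpd_door_path=/var/run/nca_httpd_1.door\nnca_active=disabled\n' \
        > "$d/etc/nca/ncakmod.conf"
    printf '#\n# NCA Logging Configuration File\n#\nstatus=enabled\nlogd_path_name="/var/nca/log"\nlogd_file_size=1000000\n' \
        > "$d/etc/nca/ncalogd.conf"
    printf 'ncaport=*/80\n' > "$d/etc/nca/ncaport.conf"
    touch "$d/etc/hostname.hme0"
    if [ "$2" = good ]; then
        touch "$d/etc/hostname.hme1"
    fi
}

# Demo on a constructed tree; on a live host run: check_nca_config /
demo=$(mktemp -d)
make_sample_root "$demo/staging" good
check_nca_config "$demo/staging" && echo "NCA configuration looks consistent"
rm -rf "$demo"
```

The check returns non-zero and names the offending file whenever an interface lacks its hostname file, either status entry is not enabled, or no port is configured, which are the three mistakes that leave NCA silently inactive after the reboot.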
How to Disable Caching of Web Pages

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Change the status entry in /etc/nca/ncakmod.conf to disabled.
# cat /etc/nca/ncakmod.conf
# NCA Kernel Module Configuration File
#
status=disabled
httpd_door_path=/var/run/nca_httpd_1.door
nca_active=disabled
See the ncakmod.conf(4) man page for more information.
Change the status entry in /etc/nca/ncalogd.conf to disabled.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=disabled
logd_path_name="/var/nca/log"
logd_file_size=1000000
See the ncalogd.conf(4) man page for more information.
How to Enable or Disable NCA Logging

NCA logging can be turned on or turned off, as needed, after NCA has been enabled. See How to Enable Caching of Web Pages for more information.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To permanently disable logging, you need to change the status in /etc/nca/ncalogd.conf to disabled and reboot the system. See the ncalogd.conf(4) man page for more information.
How to Load the Socket Utility Library for NCA

Follow this process only if your web server does not provide native support of the AF_NCA socket.
In the startup script for the web server, add a line that causes the library to be preloaded. The line should resemble the following:
LD_PRELOAD=/usr/lib/ncad_addr.so /usr/bin/httpd
How to Add a New Port to the NCA Service

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Add a new port entry to /etc/nca/ncaport.conf. This example adds port 8888 on IP address 192.168.84.71. See ncaport.conf(4) for more information.
# cat /etc/nca/ncaport.conf
#
# NCA Kernel Module Port Configuration File
#
.
.
ncaport=*/80
ncaport=192.168.84.71/8888

An address must be listed in the NCA port configuration file before a web server can use the address for NCA. If the web server is running, restart it after the new address is defined.
How to Configure an Apache 2.0 Web Server to Use the SSL Kernel Proxy

This procedure should be used to improve the performance of SSL packet processing on an Apache 2.0 web server.
The following procedure requires that an Apache 2.0 web server has been installed and configured. The Apache 2.0 web server is included in the Solaris 10 release.
To use the SSL kernel proxy, the server private key and the server certificate need to exist in a single file. If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for kernel SSL. If the SSLCertificateKeyFile parameter is also specified, then the certificate file and the private key file need to be combined. One way to combine the certificate and the key file is to run the following command:
# cat cert.pem key.pem >cert-and-key.pem
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. The ksslcfg command is included in the Network Security profile.
This command will stop the web server on a system in which the server is configured to run using SMF.
# svcadm disable svc:/network/http:apache2
If the service has not been converted to SMF yet, stop it with this command:

/usr/apache2/bin/apachectl stop
All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:
key-format – Used with the -f option to define the certificate and key format. For the SSL kernel proxy the value should be either pem or pkcs12.
key-and-certificate-file – Used with the -i option to set the location of the file that stores the server key and the certificate.
password-file – Used with the -p option to select the location of the file that includes the password used to encrypt the private key. This password is used to allow unattended reboots. The permissions on the file should be 0400.
proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80. The web server listens on the SSL proxy port.
ssl-port – Selects the port for the SSL Kernel Proxy to listen on. Normally this is set to 443.
Note - The ssl-port and the proxy-port values cannot be configured for NCA, since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8443 for the proxy-port and 443 for the ssl-port.

Run the ksslcfg command to specify the SSL proxy port and associated parameters:

ksslcfg create -f key-format -i key-and-certificate-file -p password-file -x proxy-port ssl-port
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
Edit the /etc/apache2/http.conf file and add a line to define the SSL proxy port. If you use the server's IP address instead of 0.0.0.0, the web server listens only on that interface. The line should look like:
Listen 0.0.0.0:proxy-port
The web server should only be started after the SSL kernel proxy instance. The following commands establish that dependency.
# svccfg -s svc:/network/http:apache2
svc:/network/http:apache2> addpg kssl dependency
svc:/network/http:apache2> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
svc:/network/http:apache2> setprop kssl/grouping = astring: require_all
svc:/network/http:apache2> setprop kssl/restart_on = astring: refresh
svc:/network/http:apache2> setprop kssl/type = astring: service
svc:/network/http:apache2> end
# svcadm enable svc:/network/http:apache2
If the service is not started using SMF, use the following command:

/usr/apache2/bin/apachectl startssl
Example 2-3 Configuring an Apache 2.0 Web Server to Use the SSL Kernel Proxy
The following command creates an instance using the pem key format.
# ksslcfg create -f pem -i cert-and-key.pem -p file -x 8443 443
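Two requirements in the Apache procedure above are easy to get wrong before ksslcfg is ever run: the certificate and private key must be in one file, and the proxy-port and ssl-port must not also be configured for NCA in ncaport.conf (the note on port usage above). The following POSIX shell script is an added example, not part of this guide or of the ksslcfg command: it checks the combined PEM file for both blocks, the password file for mode 0400, and both ports against ncaport.conf. The file names, the kssl_preflight function and the constructed placeholder inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: pre-flight checks on the
# ksslcfg inputs described above (combined PEM file, 0400 password file,
# proxy-port and ssl-port kept away from NCA). All paths are assumptions
# passed as arguments; the sample inputs are constructed placeholders.

pem_has_cert_and_key() {
    # ksslcfg -f pem -i expects the certificate and the private key in
    # one file; require both PEM blocks.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

file_mode_is_0400() {
    # Portable permission check: the ls -l mode string must be -r--------
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

port_in_ncaport_conf() {
    # True when some ncaport= entry in $1 (any address, including *) names port $2.
    grep -Eq "^ncaport=[^/]+/$2"'$' "$1" 2>/dev/null
}

kssl_preflight() {
    # $1 cert-and-key file, $2 password file, $3 proxy-port, $4 ssl-port,
    # $5 ncaport.conf. Returns 0 only when every requirement holds.
    pem=$1 pw=$2 proxy=$3 ssl=$4 ncaport=$5
    rc=0
    pem_has_cert_and_key "$pem" ||
        { echo "$pem: needs both CERTIFICATE and PRIVATE KEY blocks (cat cert.pem key.pem > $pem)"; rc=1; }
    file_mode_is_0400 "$pw" || { echo "$pw: permissions must be 0400"; rc=1; }
    [ "$proxy" != "$ssl" ] || { echo "proxy-port and ssl-port must differ"; rc=1; }
    [ "$proxy" != 80 ] || { echo "proxy-port must not be the standard port 80"; rc=1; }
    for p in "$proxy" "$ssl"; do
        if port_in_ncaport_conf "$ncaport" "$p"; then
            echo "port $p is configured for NCA in $ncaport; the SSL kernel proxy needs it exclusively"
            rc=1
        fi
    done
    return $rc
}

make_sample_inputs() {
    # Constructed inputs under $1: placeholder PEM text (not real keys),
    # a 0400 password file, and the ncaport.conf from the procedure above.
    d=$1
    mkdir -p "$d"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$d/key.pem"
    cat "$d/cert.pem" "$d/key.pem" > "$d/cert-and-key.pem"   # the combine step from the text
    printf 'placeholder-password\n' > "$d/pass"
    chmod 0400 "$d/pass"
    printf 'ncaport=*/80\nncaport=192.168.84.71/8888\n' > "$d/ncaport.conf"
}

# Demo on constructed inputs with the usual 8443/443 port pair.
demo=$(mktemp -d)
make_sample_inputs "$demo"
kssl_preflight "$demo/cert-and-key.pem" "$demo/pass" 8443 443 "$demo/ncaport.conf" &&
    echo "ready for: ksslcfg create -f pem -i cert-and-key.pem -p pass -x 8443 443"
rm -rf "$demo"
```

With the sample ncaport.conf, choosing 8888 as the proxy-port is rejected because that port is already handed to NCA, which is exactly the collision the note warns about; the permission check catches a password file that would be readable by other users.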
How to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy

This procedure should be used to improve the performance of SSL packet processing on a Sun Java System Web Server. See the Sun Java System Web Server 6.1 SP4 Administrator's Guide for information about this web server.
The following procedure requires that a Sun Java System Web Server has been installed and configured.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. The ksslcfg command is included in the Network Security profile.
Use the administrator web interface to stop the server. See Starting and Stopping the Server in the Sun Java System Web Server 6.1 SP4 Administrator's Guide for more information.
This step is needed to make sure that the metaslot is disabled when the kernel SSL service instance is created.
# cryptoadm disable metaslot
All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:
key-format – Used with the -f option to define the certificate and key format.
token-label – Used with the -T option to specify the PKCS#11 token.
certificate-label – Used with the -C option to select the label of the certificate object in the PKCS#11 token.
password-file – Used with the -p option to select the location of the file that includes the password used to log the user in to the PKCS#11 token used by the web server. This password is used to allow unattended reboots. The permissions on the file should be 0400.
proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80. The web server listens on the SSL proxy port.
ssl-port – Defines the port for the SSL Kernel Proxy to listen on. Normally this value is set to 443.
Note - The ssl-port and the proxy-port values cannot be configured for NCA, since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8443 for the proxy-port and 443 for the ssl-port.

Run the ksslcfg command to specify the SSL proxy port and associated parameters:

ksslcfg create -f key-format -T PKCS#11-token -C certificate-label -p password-file -x proxy-port ssl-port
# cryptoadm enable metaslot
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
See Adding and Editing Listen Sockets in the Sun Java System Web Server 6.1 SP4 Administrator’s Guide for more information.
Example 2-4 Configuring a Sun Java System Web Server to Use the SSL Kernel Proxy
The following command creates an instance using the pkcs11 key format.
# ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken" -C "Server-Cert" -p file -x 8443 443
The SSL Kernel Proxy works in zones with the following limitations:
All of the kernel SSL administration must be done from the global zone. The global zone administrator needs access to the local zone certificate and key files. The local zone web server can be started once the service instance is configured using the ksslcfg command in the global zone.
A specific host name or IP address must be specified when running the ksslcfg command to configure the instance. In particular, the instance cannot use INADDR_ANY.
Example 2-5 Configuring an Apache Web Server in a Local Zone to Use the SSL Kernel Proxy
In the local zone, first stop the web server. In the global zone, do all of the steps to configure the service. To create an instance for a local zone called apache-zone, use the following command:

# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem -p /zone/apache-zone/root/pass \
    -x 8443 apache-zone 443
In the local zone, run the following command to enable the service instance:
# svcadm enable svc:/network/http:apache2