System Administration Guide: Network Services

Procedure: How to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy

Use this procedure to improve the performance of SSL packet processing on a Sun Java System Web Server. See the Sun Java System Web Server 7.0 Update 1 Administrator’s Guide for information about this web server.

Before You Begin

The following procedure requires that a Sun Java System Web Server has been installed and configured.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. The ksslcfg command is included in the Network Security profile.

  2. Stop the web server.

    Use the administrator web interface to stop the server. See Starting and Stopping the Server in the Sun Java System Web Server 7.0 Update 1 Administrator’s Guide for more information.

  3. Determine what parameters to use with the ksslcfg command.

    All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:

    • key-format – Used with the -f option to define the certificate and key format.

    • token-label – Used with the -T option to specify the PKCS#11 token.

    • certificate-label – Used with the -C option to select the label in the certificate object in the PKCS#11 token.

    • password-file – Used with the -p option to select the location of the file that contains the password used to log the user in to the PKCS#11 token used by the web server. This password is used to allow unattended reboots. The permissions on the file should be 0400.

    • proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80.

    • ssl-port – Defines the port of the server application. This value is set in the server.xml file. Normally this value is set to 443.


    Note –

    The ssl-port and the proxy-port values cannot be configured for NCA, because these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8080 for the proxy-port, and 443 for the ssl-port.


  4. Create the service instance.

    Use the ksslcfg command to specify the SSL proxy port and associated parameters.


    ksslcfg create -f key-format -T PKCS#11-token -C certificate-label -p password-file -x proxy-port ssl-port
    
  5. Verify that the instance was created properly.

    The service state reported by the following command should be “online”.


    # svcs svc:/network/ssl/proxy
    
  6. Configure the web server to listen on the SSL proxy port.

    See Adding and Editing Listen Sockets in the Sun Java System Web Server 7.0 Update 1 Administrator’s Guide for more information.

  7. Start the web server.


Example 2–4 Configuring a Sun Java System Web Server to Use the SSL Kernel Proxy

The following command creates an instance using the pkcs11 key format.


# ksslcfg create -f pkcs11 -T "NSS Internal PKCS #11 Module" -C "Server-Cert" -p file -x 8080 443
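
The following pre-flight check is an added example, not part of the original guide or of Solaris. It tests the values gathered in step 3 against the constraints stated there (password file mode 0400, proxy-port other than 80) before ksslcfg create is run. The function names kssl_preflight and valid_port are hypothetical, and the requirement that the two ports differ is an added sanity check.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ksslcfg parameters from step 3.
# kssl_preflight and valid_port are hypothetical helper names.

# Succeeds only if $1 is a whole number in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: kssl_preflight password-file proxy-port ssl-port
# Prints "ok", or a description of the first failed check and returns 1.
kssl_preflight() {
    pwfile=$1 proxy_port=$2 ssl_port=$3

    if [ ! -f "$pwfile" ]; then
        echo "password file not found: $pwfile"; return 1
    fi
    # Mode 0400 appears as "-r--------" in the first 10 columns of ls -l.
    mode=`ls -ld "$pwfile" | cut -c1-10`
    if [ "$mode" != "-r--------" ]; then
        echo "password file mode is $mode, expected -r-------- (0400)"
        return 1
    fi
    valid_port "$proxy_port" && valid_port "$ssl_port" || {
        echo "ports must be numbers between 1 and 65535"; return 1
    }
    # Step 3: select a proxy-port other than the standard port 80.
    if [ "$proxy_port" -eq 80 ]; then
        echo "proxy-port must not be port 80"; return 1
    fi
    # Added sanity check: the kernel proxy and the web server need
    # separate ports.
    if [ "$proxy_port" -eq "$ssl_port" ]; then
        echo "proxy-port and ssl-port must differ"; return 1
    fi
    echo "ok"
}

# Example call with constructed values:
#   kssl_preflight /path/to/password-file 8080 443
```

If the function prints anything other than "ok", correct the reported value before you create the service instance in step 4.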