The SSL Kernel Proxy works in zones with the following limitations:
All of the kernel SSL administration must be done from the global zone. The global zone administrator needs access to the local zone certificate and key files. The local zone web server can be started once the service instance is configured using the ksslcfg command in the global zone.
A specific host name or IP address must be specified when running the ksslcfg command to configure the instance. In particular, the instance cannot use INADDR_ANY.
In the local zone, first stop the web server. In the global zone, complete all of the steps to configure the service. To create an instance for a local zone called apache-zone, use the following command:
# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem -p /zone/apache-zone/root/pass \
    -x 8080 apache-zone 443
In the local zone, run the following command to enable the service instance:
# svcadm enable svc:/network/http:apache2
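A pre-flight check for the global zone administrator to run before ksslcfg create, as an added example that is not part of the original documentation. The function names are hypothetical, the owner-only permission requirement on the key and password files is an assumption, and the script expects a POSIX shell (ksh or bash rather than the legacy Bourne shell).

```shell
# Pre-flight checks for the zone limitations above (added example).
# Usage, with the paths from the page:
#   kssl_preflight apache-zone /zone/apache-zone/root/keypair.pem \
#       /zone/apache-zone/root/pass && ksslcfg create ...

# Succeeds only if $1 names a specific host or address.
# 0.0.0.0 is the value of INADDR_ANY; the empty string and '*' are
# treated as wildcards too (assumption, common notation).
kssl_host_ok() {
    case "$1" in
        ''|'*'|0.0.0.0|INADDR_ANY) return 1 ;;
    esac
    return 0
}

# Succeeds only if $1 is a readable regular file with no group/other access.
# Assumption: key material should be owner-only; the page does not state this.
kssl_secret_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Runs every check, reports each problem on stderr, and returns the
# number of failed checks (0 means it is safe to continue).
kssl_preflight() {
    host=$1 keyfile=$2 passfile=$3 failures=0
    if ! kssl_host_ok "$host"; then
        echo "host '$host' is not a specific host name or IP address" >&2
        failures=$((failures + 1))
    fi
    for f in "$keyfile" "$passfile"; do
        if ! kssl_secret_ok "$f"; then
            echo "$f: missing, unreadable, or accessible to group/other" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Because the key and password files live under the local zone's root, the check also confirms that they are reachable from the global zone at the paths passed to ksslcfg.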