Sun Java System Web Server 7.0 Update 4 Administrator's Guide

Configuring Solaris Cryptographic Framework

This section describes how to configure Solaris cryptographic for use with Web Server.

ProcedureTo Configure Solaris Cryptographic

  1. Remove the ./sunw directory from your machine using the following command:

    %rm -rf $HOME/.sunw

  2. Set a new pin using the following command:

    % pktool setpin Enter new PIN:<type the pin here>

    Re-enter new PIN:<retype the pin again>

  3. Disable the mechanisms in the and files using the following command:



    Note –

    Ensure to disable mechanisms in file, if it is used.

ProcedureTo Register PKCS#11 Library File

  1. Type the following command to add the Solaris crypto framework to network security services (NSS) in the config directory

    $ cd <install-dir>/<instance-dir>/lib/modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -add "scf" -libfile /usr/lib/ -mechanisms RSA

  2. Verify the registration using the following command:

    $cd <install-dir>/<instance-dir>/lib/modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -list

    Listing of PKCS #11 Modules
    1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
             status: loaded
              slot: NSS Internal Cryptographic Services
             token: NSS Generic Crypto Services
              slot: NSS User Private Key and Certificate Services
             token: NSS Certificate DB
       2. scf
             library name: /usr/lib/
              slots: 1 slot attached
             status: loaded
              slot: Sun Crypto Softtoken
             token: Sun Software PKCS#11 softtoken
       3. Root Certs
             library name:
              slots: There are no slots attached to this module
             status: Not loaded

    For more information on creating server certificates, see Requesting a Certificate

    If certificates exists in the NSS database, you can export or import the certificates using the following pk12util command:

    $pk12util -o server.pk12 -d . -n <server-cert>

    $pk12util -i server.pk12 -d . -h "Sun Software PKCS#11 softtoken"

    Note –

    By default, certutil/pk12util searches the databases for cert8.db and key3.db. Add -P as the prefix for the Web Server, which uses the alternate names https-instance-hostname-cert8.db and https-instance-hostname-key3.db.

ProcedureTo Enable and Bypass PKCS#11 Tokens

  1. From the home page, click the Configurations tab.

  2. In the Configuration page, click the configuration that you want to enable the PKCS#11 and Allow Bypass option.

  3. Click the Certificates tab.

  4. Click the PKCS#11 Tokens sub tab.

  5. In General Settings, select the check boxes to enable PKCS#11 and Allow Bypass.

  6. Click the Save button.

    See CLI reference, set-pkcs11-prop(1).

Creating a Self-Signed Certificate Using CLI and Enabling SSL

Start the wadm from the installation directory and perform the following steps:

$wadm --user=admin
Please enter admin-user-password>enter the administration serverpassword


Sun Software PKCS#11 softtoken

$wadm>create-selfsigned-cert --nickname=MyCert 
--token="Sun Software PKCS#11 softtoken"
Please enter token-pin>enter the password

CLI201 Command 'create-selfsigned-cert' ran successfully

$wadm>set-ssl-prop --http-listener=http-listener-1 enabled=true 
server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully

CLI201 Command 'deploy-config' ran success

Start the Administration Server.

$ cd <install-dir>/<instance-dir>/bin/startserv
Sun Java System Web Server 7.0 Update 3

Please enter the PIN for the "Sun Software PKCS#11 softtoken" token:enter the password
info: HTTP3072: http-listener-1: ready to accept requests
info: CORE3274: successful server startup