ʹ��֤��Կ

��½��ʹ��֤��Կ��֤4ȷ�� Sun ONE Web Server 6.1 �İ�ȫ�ԡ��μ��ڱ��ݡ��ܾ��߷��ʺ��ķ��ʵĸ��ְ�ȫ��ܡ�Sun ONE Web Server 6.1 �� Sun ONE ��İ�ȫ��ϵ�ṹ��b��ҵ��׼�͹��Э��֮�ϣ��Ի�ȡ��Ļ��Ժ�һ��ԡ�

��Ķq��֮ǰ��Ӧ��Ѿ��Ϥ��Կ��ܵĻ����Щ��(��ܺͽ��ܡ��Կ��ר��Կ��֤��Լ��Э�顣�й��ϸ��Ϣ�� Introduction to SSL��

��֤��֤

��֤��ȷ��ݵĹ�̡��罻��У��֤��һ��һ��ȷ�ϵĹ�̡�֤��֧��֤��һ�ַ��

ʹ��֤��֤

֤��а��ָ��ˡ��˾��ʵ��ƣ��֤��֤��а�Ĺ��Կ��ڸ�ʵ�塣�ͻ��ͷ��ӵ��֤�顣

֤��֤��Ȩ�� CA��䷢��ǩ��CA ��ͨ�� Internet ��֤��Ĺ�˾��Ҳ��Ǹ��Ϊ��˾��j��ⲿ��䷢֤��Ĳ��š��Խ��ε� CA ȷ��Ϊ��û��ݵ��֤��

��˹��Կ��֤��ʶ��ʵ��֮�⣬֤�黹��(��ڡ��䷢��֤�� CA ��ƺͰ䷢��֤�� CA �ġ��ǩ��й�֤��ݺ͸�ʽ��ϸ��Ϣ��μ� Introduction to SSL��

��֤

��ָ֤�ͻ��Է��е��ʶ�𣻼��Ա��ΪҪ��λ��ض��ַ�ķ��֯��ʶ��

�ͻ��֤

�ͻ��ָ֤��Կͻ��е��ʶ�𣻼��Ա��Ϊʹ�ÿͻ��Ա��ʶ�𡣿ͻ��ж��֤�飬��ͬһ��˿��м��ͬ��һ��

��֤��

ÿ̨��ӵ�в�ͬ��֤��ݿ⡣ÿ��ݿ��԰��֤�顣��ÿ��ʵ��Ҳ��ӵ�в�ͬ��֤�顣


ע	�ڼ��֮ǰ��밲װ��֤�顣

��ݿ�

��֤��֮ǰ��봴��һ��ݿ⡣�� Sun ONE Web Server �У�Administration Server ��ÿ��ʵ��ӵ��Լ��ݿ⡣��ݿ�ֻ��ڱ��ؼ��ϴ��

��ݿ�ʱ��Ҫָ��Կ��ļ��롣��Ҫ��4��ʹ�ü��ͨ�ŵķ��йظ�ÿ��ʱ��ע��б?��μ�� PIN��

��ݿ��У��Դ��洢��Կ��ר��Կ��Ϊ��Կ��ļ��Կ��ļ�� SSL ��ܡ��Ͱ�װ��֤��ʱ��õ��Կ��ļ��װ֤��֮��֤�齫�洢��ݿ��С��Կ��ļ��Լ��ܵ��ʽ�洢��Ŀ¼�У�

Administration Server ��ֻ��һ��ݿ⡣ÿ��ʵ��ӵ��Լ��ݿ⡣��Ϊ��ʵ��ݿ⡣

��ݿ�

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Create Database��t�ӡ�

��ݿ��롣

�ظ��ϲ��衣

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

ʹ�� password.conf

ȱʡ��£�Web ��֮ǰ��ʾ��Ա��Կ��ݿ����ϣ��һ��˲�� Web ��Ҫ��뱣�� password.conf �ļ��С��ϵͳ�ܵ��ֵı��ʱ�ſ��ִ�д˲��ֻ��ļ��Կ��ݿ�Ų��ᱻ�𻵡�

��£��޷�ʹ�� /etc/rc.local �� /etc/inittab �ļ�� SSL �� UNIX ��Ϊ�÷��֮ǰҪ����ܿ��ͨ��Դ��ı��ʽ�洢��ĳ��ļ��4�Զ�� SSL �ķ��鲻Ҫʹ��ַ�� password.conf �ļ�Ӧ�鳬��û��װ��û��У��ֻ��߶��ж�дȨ�ޡ�

�� UNIX �ϣ�� SSL �ķ��뱣�� password.conf �ļ��л��4�ܴ�İ�ȫ��ա��κο��Է��ʸ��ļ��û��Ȩ�� SSL �ķ��Ŀ���� SSL �ķ��Ŀ���� password.conf �ļ��֮ǰ��뿼�ǿ��ܴ�4�İ�ȫ��ա�

�� Windows �ϣ��װ�� NTFS �ļ�ϵͳ��Ӧ��ƶ԰� password.conf �ļ��ʹ��ʹ�ø��ļ��Ŀ¼�ķ��Ȩ�ޣ��Ӷ��ļ��Ŀ¼��û�� Web ��û�Ӧ�öԸ�Ŀ¼��ж�/дȨ�ޡ��Ŀ¼��Է�ֹ��û��α password.conf �ļ��޷�ͨ��ƶ� FAT �ļ�ϵͳ�ϵ�Ŀ¼��ļ��ķ��Ȩ��4��ǡ�

�Զ�� SSL �ķ��

ȷ�� SSL��

�ڷ��ʵ�� config ��Ŀ¼�д��µ� password.conf �ļ��

��ʹ�õ��Ƿ��ڲ� PKCS#11 ��ģ�飬��Ϣ��

internal:your_password

��ʹ�õ�� PKCS#11 ģ�飨��Ӳ��ܻ�Ӳ��ָ�� PKCS#11 ģ��ƣ��롣��磺

nFast:your_password

ֹͣ��ʹ��Ч��

��ʹ�� password.conf �ļ�֮�� Web ��ʱʼ�ջ��յ��ʾ��

��Ͱ�װ VeriSign ֤��

VeriSign �� Sun ONE Web Server ��ѡ֤��Ȩ��VeriSign �� VICE Э��Լ�֤��̡�VeriSign ��ܹ�ֱ�ӽ�֤�鷵�ط��

Ϊ��֤��ݿ��һ��֤�鲢��ύ��֤�� (CA)��˾��Լ��ڲ� CA��֤�顣��ҵ CA ��֤�飬��ѡ��һ�� CA ��Ҫ��ض��ʽ��Ϣ��(ָ��վ��t�ӵĿ��֤��б��Դӡ�Request a Certificate��л�á��й� CA ��ݵ��ϸ��Ϣ��ͨ��Server Administrator��͡�Request a Certificate��µġ�Server Manager Security Pages��õ��֤��б?

Administration Server ��ֻ��һ��֤�顣ÿ��ʵ��ӵ��Լ��ķ��֤�顣��Ϊÿ̨��ѡ��һ��ʵ��֤�顣

�� VeriSign ֤��

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Request VeriSign Certificate��t�ӡ�

�鿴��Ĳ��衣

��OK��

�� VeriSign �еĲ��в��

��װ VeriSign ֤��

�� VeriSign ֤�鲢��׼��֤��һ��ʾ�ڡ�Install VeriSign Certificate��ҳ��-�б��С�Ҫ��װ VeriSign ֤�飬��ִ��²��裺

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Install VeriSign Certificate��t�ӡ�

��ʹ��ⲿ��ģ�飬��Ӽ��ģ��-�б��ѡ��ڲ��ģ�顣

��Կ��ļ�� PIN��

��-�б��ѡ��Ҫ�� ID��

ͨ��ѡ��һ��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

��Ͱ�װ��֤��

�� VeriSign��Դ��֤��Ͱ�װ֤�顣��ͨ��Ա (Server Administrator) �͡�Request a Certificate��µġ�Server Manager Security�� CA �б?��Ĺ�˾��֯��ܻ��ṩ�Լ��ڲ�֤�顣��ڽ��Ͱ�װ��Щ��͵ķ��֤�顣

�� CA ��Ϣ

��ʼ��֮ǰ��ȷ��˽� CA ��Ϣ��۴��ҵ CA ��ڲ� CA ��֤�飬��Ҫ�ṩ��Ϣ��

��Common Name�� DNS ��ʹ�õ�ȫ�޶��磬www.sun.com��l�ӵ��վ�� URL �е��}��Ʋ�ƥ�䣬�ͻ��յ�֤��վ��Ʋ�ƥ��֪ͨ��֤��ʵ�ԡ�ĳЩ CA ��ܻ��Ҫ��˶��м��Ҫ��

��Email Address��ҵ Email ��ַ��õ�ַ�� CA ֮��ͨ�š�

��Organization��ǹ�˾��ȵ��ʽ��Ϸ��ơ�� CA ��Ҫ��ʹ�÷��ĵ��Ӫҵִ�ո��֤��Ϣ��

��Organizational Unit��˵��˾��֯�Ŀ�ѡ�ֶΡ�Ҳ��ڱ�ע��̫��ʽ�Ĺ�˾��ƣ�� Inc.��Corp. �ȵȣ��

��Locality��ͨ��֯��ڵĳ��С��ң��Ŀ�ѡ�ֶΡ�

��State or Province��ͨ��Ǳ��ģ��ĳЩ CA �ǿ�ѡ�ġ��ע�⣬�� CA ��д��Щ��д��ȷ�ϡ�

��Country��Ǳ��ģ��ڹ�ң��Ƶ�}��ַ��д��ISO ��ʽ��9�Ĺ�Ҵ��Ϊ US��

��Щ��Ϣ��Ϊһϵ��ֵ�ԣ��Ϊ��ص�� [DN]��Ψһ��ʶ֤��⡣

��ҵ CA ��֤�飬�� CA �䷢֤��֮ǰ��֮j�磬�Բ��Ϣ�� CA ��Ҫ��ṩ��֤��磬CA ��Ҫ��֤��Ĺ�˾��ƺ͹�˾��Ȩ��û��ҿ��ܻ�ѯ��Ƿ��ʹ��ṩ��Ϣ�ĺϷ�Ȩ�ޡ�

ĳЩ��ҵ CA ��߽�Ϊ��ϸ��ʶ��֯��ṩ��ϸ�Ҿ�ȷ��֤�顣��磬��Թ��һ��֤�飬�� CA ��֤�� www.sun.com ��ĺϷ��Ա��֤��Ĺ�˾��Ѵ��ҵ���ش�ͻ��ϰ��Ĺ�˾��

��֤��

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Request a Certificate��t�ӡ�

ѡ��һ��֤�飬��֤��¡�

��֤��һ��ʱ�䣨��»�һ�꣩��ᵽ�ڡ�ĳЩ CA ��Զ��֤��¡�

Ҫָ��ύ֤��ķ�ʽ��ִ��²��裺

�� CA �� Email ��ʽ�յ��룬��ѡ�С�CA Email�� CA ��Email ��ַ��Ҫ�� CA ��б?�뵥��List of available certificate authorities��

��Ҫ��ʹ�� Netscape ֤�� (Certificate Server) ��ڲ� CA ��֤�飬�뵥��CA URL��֤�� URL�� URL Ӧָ��֤��֤��ĳ�� URL ��ʾ��https://CA.mozilla.com:444/cms��

��-�б��ѡ��֤��ʱҪʹ�õ��Կ��ļ��ļ��ģ�顣

��Կ��ļ��롣

��ѡ��ڲ�ģ��ļ��ģ�飬��ݿ�ʱָ��롣��ʹ�ø��ȡר��Կ��ܷ��͸� CA ��Ϣ��Ȼ������Կ�ͼ��ܵ��Ϣ��͸� CA��CA ʹ�ù��Կ4��Ϣ��

��ı�ʶ��Ϣ��

��Ϣ�ĸ�ʽ�� CA ��졣�й��Щ�ֶεĳ��˵��ͨ��Ա (Server Administrator) �͡�Request a Certificate��µġ�Server Manager Security��õ��֤��б?��ע�⣬֤��ͨ��Ҫ��Ϣ�еĴ󲿷��ݡ�

��ϸ��Щ��ȷ��׼ȷ�ԡ�

��ϢԽ׼ȷ��׼֤��ٶȿ��ܾ�Խ�졣��Ҫ��֤��ύ��֮ǰ�յ��֤��ʽ��Ϣ��ʾ��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

��ɰ��Ϣ��֤��롣��а�ʹ��ר��Կ��ǩ��CA ʹ��ǩ��4��֤�ڴӷ�� CA ��·�ɹ��δ��ġ��ᱻ��ģ��ʱ CA ͨ��ͨ��绰��j�硣

��ѡ��ͨ�� Email ��룬��׫д�� Email ��䷢�͸� CA��ͨ��֤��ͨ�� Email ��ء��ָ��ָ��֤�� URL��ʹ�� URL ��֤��ύ��롣��ͨ�� Email ��ʽ��û�Ӧ��ȡ�� CA��

�� CA ͬ��䷢֤�飬��֪ͨ��£�CA ��ͨ�� Email ��֤�顣��֯ʹ��֤��ʹ��֤��ı?��֤�顣

�յ�֤��󣬼��ɽ��а�װ��ڴ��ڼ䣬��Ȼ��ʹ��δ��װ SSL �ķ��

��װ��֤��

��յ�� CA ��ص�֤��ʱ��֤�齫ͨ��Կ��ܣ��ֻ��Խ��ܡ�ֻ��ȷ��ݿ��룬��ܽ��ܺͰ�װ֤�顣


ע	��д��ҵ CA ��֤��û��֤�顣�ܶ� CA ��䷢֤��֮ǰ��Ҫ��ṩ��֤��ң�Ҫ��׼��Ҫһ�쵽}��µ�ʱ�䡣��ʱ�� CA �ṩ��б��Ϣ��

�ṩ��ͻ��Լ��ķ��֤��

��֤��t��ʹ�õ� CA �Լ��֤��

��ε� CA ��֤��

֤��t��l��֤��Ȩ��ǩ��һϵ�зֲ�֤�顣CA ֤��ڱ�ʶ��֤�� (CA) �Լ��Ըû�䷢��֤��ǩ��4��CA ֤��ֿ��ɸ� CA �� CA ֤��ǩ��4��ƣ�ֱ�� CA��

�� CA �յ�֤��ʱ��֤�齫ͨ��Կ��ܣ��ֻ��Խ��ܡ��װ֤��ʱ��ʹ��ָ��Կ��ļ��뽫��ܡ��Խ� Email ��ڷ��Է��ʵ�λ��У�Ҳ��Ը�� Email ��ı��׼��ճ��Install Certificate��?�С�

��װ֤��


ע	�� CA δ��Զ��֤�飬��Ӧ��֤�顣�ܶ� CA �� Email �а��ǵ�֤��֤�飬��ķ��ͬʱ��װ��}��֤�顣

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Install Certificate��t�ӡ�

ѡ��Ҫ��װ��֤��ͣ�

��This Server��ڽ��ķ��j�ĵ��֤�顣

��Server Certificate Chain��Ҫ��֤��t�е� CA ֤�顣

��Trusted Certificate Authority (CA)��ĳ�� CA ��֤�飬�� CA ��Ϊ�ͻ��֤�� CA ʹ�á�

��-�б��ѡ��ģ�顣

��Կ��ļ��롣

��֤��Ǵ˷��ʵ��ʹ�õ�Ψһ��ƣ��뱣��a name for the certificate��֤��ƣ��ֶ�Ϊ�գ��ǳ��

��֤�齫��

��ʵ��Ψһ��֤��

ʹ��ڲ�ģ��ļ��ģ��

�ڵ��ģ��У��з��ʵ��Ψһ��֤��

��ƣ��ƽ��ʾ�ڡ�Manage Certificates��б��У��ӦΪ˵��ơ��磬��United States Postal Service CA��ĳ�� CA ��ƣ��VeriSign Class 2 Primary CA��ͬʱ˵�� CA ��֤��͡��δ��֤��ƣ��Ӧ��ȱʡֵ��

ѡ��һѡ�

��Message is in this file��Ϣ��ڴ��ļ��У��ѱ�� Email ��·��

��Message text��Ϣ�ı��ͷ��ճ�� Email �ı�

��Ʋ�ճ��ı��ȷ��ͷ��Begin Certificate��͡�End Certificate��а��ʼ��ֹl�ַ�

��OK��

ѡ��һѡ�

��Add Certificate��Ҫ��װ�µ�֤�飩��

��Replace Certificate��Ҫ��װ֤��£��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

֤�齫�洢�ڷ��֤��ݿ��С��ļ��Ϊ <alias>-cert8.db��磺

��ʱǨ��֤��

��Ҫ�� iPlanet Web Server 4.1 �� 6.0 ��ֲ��ļ��(��ݿ��֤��ݿ⣩��Զ��¡�

��Կ��ļ��֤��ֻ��ڷ��˰�ȫ��ʱ��ܱ�Ǩ�ơ�Ҳ��ʹ�á�Administration Server��͡�Server Manager��еġ�Security��ѡ���Ǩ��Կ��֤�顣

��ǰ�İ汾�У�֤��Կ��ļ��ɱ��ã��ñ��ɶ��ʵ��ʹ�á�Administration Server ��еı��ί��֤�顣�� Sun ONE Web Server 6.1 �У�Administration Server ��ÿ��ʵ��Լ��֤��Կ��ļ��Ϊ��ݿ��Ǳ��

��ͨ�� Administration Server��Ϊ��?�� Server Manage��Ϊ��ʵ��ݿ⼰��ί��֤�飬��а�(��֤��а��֤��֤��Կ��ݿ��ļ��ڰ�ʹ��ǵķ��ʵ��ǰ�İ汾�У��ʵ��ͬһ��Ǩ��ʱ��Ϊ�·��ʵ��֤��Կ��ļ��

��ʵ��j��ݿ⽫��Ǩ�ơ��ǰ��ݿ��г��֤��Ǩ�Ƶ� Sun ONE Web Server 6.1 ��ݿ��С��ظ�� CA��ʹ��ǰ�� CA��ֱ��ڡ��벻Ҫ��ɾ��ظ�� CA��

ʹ��ø�֤��ģ��

Sun ONE Web Server 6.1 ��Ķ�̬��װ��֤��ģ��(�� CA��а�( VeriSign��ĸ�֤�顣ͨ��֤��ģ�飬��Խ��֤��ߵİ汾��ҷ��ǰ��׵Ķࡣ��ǰ��Ҫ��ɾ��ɵĸ�֤�飬Ȼ��װ�µ�֤�顣Ҫ��װ��õ� CA ֤�飬��ڿ��ֻ��֤��ģ��ļ��µ��ߵİ汾��Ϊ��Ժ�汾�� Sun ONE Web Server �� Service Packs �н��á�

��Ϊ��֤��Ϊ PKCS#11 ��ģ��ʵ�ֵģ��Ծ��ɾ��ģ��ĸ�֤�飬��ҹ��Щ֤��ʱҲ��ṩɾ��֤��ѡ�Ҫ�ӷ��ʵ��Ƴ��֤�飬��ͨ��ɾ�� alias �ļ��е��4��ø�֤��ģ�飺

libnssckbi.so��ڶ�� UNIX ƽ̨�ϣ�

libnssckbi.sl�� HP-UX �ϣ�

nssckbi.dll�� Windows �ϣ�

��Ժ�Ҫ�ָ��֤��ģ�飬��Խ�)չ�� bin/https/lib��UNIX �� HP�� bin\https\bin (Windows) ��ƻ� alias ��Ŀ¼��

��޸ĸ�֤��Ϣ��Ϣ��д��༭�ķ��ʵ��֤��ݿ��У��Ƿ��ظ�֤��ģ�鱾�?

��֤��

��Բ鿴��ɾ��༭��ϰ�װ�ĸ��֤��á��а�(��Լ��֤��4�� CA ��֤�顣

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Manage Certificates��t�ӡ�

��Ҫʹ��ڲ��ģ��ȱʡ��õ�֤�飬��ʾ��Ѱ�װ֤��б?��а�(֤��ͺͽ�ֹ��ڡ��֤�鶼�洢�� server_root/alias Ŀ¼�С�

��Ҫʹ��ⲿ��ģ�飨��Ӳ��Ҫ��Ϊÿ��ض�ģ��룬Ȼ�󵥻�OK��֤��б?��£��Ա��ģ��а��Щ֤�顣

��Ҫ��ġ�Certificate Name��֤��ƣ��

��ʾ��Edit Server Certificate��а��֤��͵Ĺ��ѡ�ֻ�� CA ֤��û�ȡ��ÿͻ��Ρ�ĳЩ�ⲿ��ģ�鲻��ɾ��֤�顣

�༭��֤��
ͼ��ʾ�ˡ�Edit Server Certificate��ڡ�

�ڡ�Edit Server Certificate��У��ѡ��ѡ�

��Delete Certificate��Quit��ڲ��õ�֤�飩

��Set client trust��Unset server trust��Quit�� CA ֤�飩

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

ͨ��ã��ÿͻ��λ�ȡ��÷��Ρ�� LDAP ��֤�飬��뱻��Ρ�

��װ�͹�� CRL �� CKL

֤�鳷��б� (CRL) ��𻵵��Կ�б� (CKL) �ܹ��г�ͻ��û�Ӧ��ε��֤��Կ��֤��е��ݷ��仯��磬ĳλ�û��֤�鵽��֮ǰ��˰칫�һ��뿪��֯��֤�齫��أ��ݽ��ʾ�� CRL �С��Կ��Ļ��ܵ�ĳ�̶ֳȵ��𻵣��Կ��ݽ��ʾ�� CKL �С�CRL �� CKL �� CA ��ɲ��ڸ��¡�

��װ CRL �� CKL

��ȡ CA �� URL�� CRL �� CKL��

�� URL��ʸ�վ�㡣

�� CA ��˵�� CRL �� CKL ��ص��Ŀ¼�С�

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Install CRL/CKLs��t�ӡ�

ѡ��һѡ�

��Certificate Revocation List��֤�鳷��б?

��Compromised Key List��𻵵��Կ�б?

��j�ļ��·��

��OK��

��ѡ��Certificate Revocation List��ʾ��Add Certificate Revocation List��г�� CRL ��Ϣ��

��ѡ��Compromised Key List��ʾ��Add Compromised Key List��г�� CKL ��Ϣ��



ע	��ݿ��Ѵ�� CRL �� CKL �б?��ʾ��Replace Certificate Revocation List��Replace Compromised Key List��

��Add��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

�� CRL �� CKL

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Manage CRL/CKLs��t�ӡ�

��ʾ��Manage Certificate Revocation Lists /Compromised Key Lists��г��Ѱ�װ�ķ�� CRL �� CKL ��ֹ��ڡ�

�ӡ�Server CRLs��Server CKLs��б��ѡ��Certificate Name��

ѡ��ѡ�

��Delete CRL��

��Delete CKL��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

��ð�ȫ��ѡ��

��֤��󣬾Ϳ��Կ�ʼ��ķ��Sun ONE Web Server �ṩ�˶��ȫԪ�ء�

��ת��Ϣ��ʹ��Ԥ�ڽ��κ��˶��޷�ʶ��Ϣ�Ĺ�̡��Ǳ任��Ϣ��ʹ��¿ɱ�ʶ��Ĺ�̡�Sun ONE Web Server 6.1 ֧�� SSL �� TLS ��Э�顣

��㷨��һ��ڼ��ܻ��ܵ��㷨��ѧ��SSL �� TLS Э��˶��㷨�׼��ĳЩ��㷨��㷨��ǿ�󡢸�ȫ��һ��ԣ��㷨ʹ�õ�λԽ�࣬��ݽ��Խ�ѡ�

��κ�˫��ܹ��У�˫��ʹ��ͬ�ļ��㷨��ڿ��ʹ�ö��ּ��㷨��Ҫ�÷��ʹ���õļ��㷨��

�ڰ�ȫl�ӹ��У��ͻ��ͷ��ͬ��ʹ�ÿ��Խ��ͨ�ŵ��ǿ��ļ��㷨��Դ� SSL2��SSL3 �� TLS Э��ѡ��㷨��

��5ļ��ܹ�̲��ȷ��Ϣ�İ�ȫ��ʹ�ü��㷨��ͬʱ��ʹ��Կ��Ա��ļ��ܽ��ǰ��ܵ��Ϣ��ܹ��ʹ��}��Կ��ô˽��Կ��ר��Կ��ʹ�ù��Կ��ܵ��Ϣֻ��ʹ�ù�j��ר��Կ��н��ܡ��Կ��Ϊ֤��һ��ַ��ֻ�й�j��ר��Կ�ܵ��


ע	��Ϊ�� SSL 2.0 �汾֮�� SSL �İ�ȫ�Ժ��ܽ��˸��ָĽ��Գ�ǿͻ��޷�ʹ�� SSL 3��Ҫʹ�� SSL 2��ʹ�� SSL 2 ��㷨�޷�Ϊ�ͻ��֤��ṩ��֤��

�йظ��ּ��㷨�׼��˵��Լ��Կ��֤��ϸ��Ϣ��μ� Introduction to SSL��

Ҫָ��ʹ�õļ��㷨��б��ѡ��Щ�㷨��г�ֵ��ɲ�ʹ��ض��ļ��㷨��Ӧȫ��ѡ�С��ǣ��ܲ�ϣ��÷��ż��ܵļ��㷨��

SSL �� TLS Э��

Sun ONE Web Server 6.1 ֧��ڼ��ͨ�ŵİ�ȫ�׽��ֲ� (SSL) Э��ʹ��㰲ȫ�� (TLS) Э�顣SSL �� TLS �Ƕ�b��Ӧ�ó��򣬲��Ҹ�߼��Э��͸��طֲ��С�

SSL �� TLS Э��֧�ָ��ּ��㷨��ڷ��Ϳͻ��໥��֤��֤��ͽ�b�Ự��Կ��ͻ��ͷ��֧�ָ��ּ��㷨�׼��㷨��ϣ��ȡ��ڸ��أ��֧�ֵ�Э�顢��˾�йؼ��ǿ�ȵ��Լ��Լ��ڵ��ơ��У�SSL �� TLS ��Э�齫ȷ��Ϳͻ��Э��Ծ��4ͨ�ŵļ��㷨�׼��

ʹ�� SSL �� LDAP ͨ��

��Ӧ��Ҫ�� Administration Server ʹ�� SSL �� LDAP ��ͨ�š�Ҫ�� Administration Server �ϵ� SSL��ִ��²��裺


ע��	�벻Ҫѡ��No Encryption, only MD5 message authentication��ͻ��û��õļ��㷨��Ĭ��ʹ�ô��Ҳ��м��ܡ�

�� Administration Server ��ѡ��Global Settings��ѡ���

��Configure Directory Service��t�ӡ�

ѡ��Yes��ʹ�ð�ȫ�׽��ֲ� (SSL) ��l�ӡ�

��Save Changes��

��OK��Ķ˿ڸ��Ϊʹ�� SSL �� LDAP ��׼�˿ڡ�

Ϊ��׽��ð�ȫ��

�򿪰�ȫ��

Ϊ��׽��ѡ��֤��

ѡ��㷨

�򿪰�ȫ��

Ϊ��׽��ȫ��֮ǰ��򿪰�ȫ�ԡ��ڴ��µ��׽��ֻ�༭��׽��ʱ�򿪰�ȫ�ԡ�

��׽��ʱ�򿪰�ȫ��

�� Server Manage ��-�б��ѡ��Ҫ��д��׽��ֵķ��ʵ��

ѡ��Preferences��ѡ���δ��ʾ��

ѡ��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��

��New��ť��

��ʾ��Add Listen Socket��

��Ϣ��ѡ��ȱʡ��

Ҫ�򿪰�ȫ�ԣ��ӡ�Security��-�б��ѡ��Enabled��

��OK��

��Apply��Ȼ�󵥻�Restart��ʹ��Ч��



ע	��Ҫ�ڴ��׽��ֺ�ʹ�á�Edit Listen Sockets��t��4��ð�ȫ��á�

�༭��׽��ʱ�򿪰�ȫ��

��Ҳ��ͨ�� Administration Server �� Server Manage �༭��׽��ʱ�򿪰�ȫ�ԡ�Ҫ�ڱ༭��׽��ʱ�򿪰�ȫ�ԣ��ִ��²��裺

�� Administration Server �� Server Manage��Ȼ��ѡ��Security��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

ѡ��Preferences��ѡ���δ��ʾ��

ѡ��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��

Ҫ�༭��׽��֣��뵥��Ҫ�༭��׽��ֵġ�Listen Socket ID��

��ʾ��Edit Listen Socket��

ҪΪ��׽��ִ򿪰�ȫ�ԣ��ӡ�Security��-�б��ѡ��Enabled��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

Ϊ��׽��ѡ��֤��

�� Administration Server �� Server Manage ��׽��֣��ʹ��Ͱ�װ�ķ��֤�顣


ע	��ٰ�װ��һ��֤�顣

�� Administration Server �� Server Manage��Ȼ��ѡ��Preferences��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

ѡ��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��

Ҫ�༭��׽��֣��뵥��Ҫ�༭��׽��ֵġ�Listen Socket ID��

��ʾ��Edit Listen Socket��

ҪΪ��׽��ִ򿪰�ȫ�ԣ��ӡ�Security��-�б��ѡ��Enabled��



ע	��װ��ⲿģ�飬��ʾ��Manage Server Certificates��ҳ�棬��Ҫ��ڼ��֮ǰ��ⲿģ��Ŀ��

�ӡ�Server Certificate Name��-�б��Ϊ��׽��ѡ��֤�顣

��б��а��Ѱ�װ��ڲ��ⲿ֤�顣



ע	��δ��װ��֤�飬��ʾ��Ϣ��ǡ�Server Certificate Name��-�б?

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

ѡ��㷨

Ҫ�� Web ��İ�ȫ�ԣ�Ӧ�� SSL�� SSL 2.0��SSL 3.0 �� TLS ��Э�鲢ѡ��ּ��㷨�׼��׽��Ϊ Administration Server �� SSL �� TLS��׽��Ϊ Server Manage �� SSL �� TLS ��Ϊ��׽��ֹ�j��ð�ȫ��ѡ�

��ϣ��ʹ�÷Ǽ��ܵ��뽫��Ϊʹ��ͬ��׽��֣��ҹرհ�ȫ�ԡ�

ȱʡ��ʹ���õļ��㷨��г�ֵ��ɲ�ʹ��ض��ļ��㷨�׼��Ӧȫ��á��й��ض��ϸ��Ϣ��μ� Introduction to SSL��


ע	��ٰ�װ��һ��֤�顣

�Ƽ�ʹ�õ� tlsrollback ��ȱʡ��Ϊ True��Ὣ��Ϊ��Ϊ�汾�ع��ֵ��Ϊ False ��Ҫ��ĳЩδ��ȷʵ�� TLS �淶�Ŀͻ��֮��Ļ��ԡ�

��ע�⣬�� tlsrollback ��Ϊ False �ή��l�Ӷ԰汾�ع��ķ;��f��汾�ع��һ�ֻ��ƣ��ͨ��ֻ��ǿ�ƿͻ��ͷ��ʹ�ð�ȫ�Խϵ͵��Э�飨�� SSLv2��ͨ�š�� SSLv2 Э��д��֪�Ĳ��֮��޷��⵽�汾�ع��ʹ��׽�ȡ�ͽ��ܼ��ܵ�l�ӡ�

�� Administration Server �� Server Manage��Ȼ��ѡ��Preferences��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��ڰ�ȫ��׽��֣��Edit Listen Socket��ʾ��õļ��㷨��á�



ע	��δ��׽��á�Security��򲻻��г��κ� SSL �� TLS ��Ϣ��Ҫʹ�ü��㷨��ȷ��ѡ��׽��˸ð�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

ѡ��ö�Ӧ�ĸ�ѡ��



ע	�� Netscape Navigator 6.0��ѡ�� TLS �� SSL3�� TLS �ع�ҲҪѡ�� TLS��ȷ�� SSL3 �� SSL2��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��



ע	��׽��ֵİ�ȫ�Ժ�Ӧ�ø��ʱ��ϵͳ��Զ��޸� magnus.conf �ļ��ʾ��ȫ��Ѵ򿪣��Զ�ָ��׽��ֹ�j��ȱʡ��ȫ��

�ڷ�� SSL �� URL ��ʹ�� https�� http��ָ�� SSL �ķ��ĵ�� URL ��¸�ʽ��

ȫ��ð�ȫ��

��װ�� SSL �ķ�� magnus.conf �ļ��ļ��Ϊȫ�ְ�ȫ��ָ��Ŀ��ȫ�Ա��Ϊ��on��ȫ��ò��С�� SSL ��Կ��Է��Ϊ��λ�� server.xml �ļ�� SSLPARAMS Ԫ��в��ҡ�

�� Server Manage ��-�б��ѡ��ķ��ʵ��

ȷ��ΪҪ��õ��׽��˰�ȫ�ԡ�Ҫ��д˲��ִ��²��裺

��Edit Listen Sockets��t�ӡ�

��Ҫ��䰲ȫ�Ե��׽��Ӧ�ġ�Listen Socket ID��

��ת�a�Edit Listen Socket��

�ӡ�Security��-�б��ѡ��Enabled��

��OK��

��Magnus Editor��t�ӡ�

��-�б��ѡ��SSL Settings��Manage��

��¸��ֵ��

SSLSessionTimeout

SSLCacheEntries

SSL3SessionTimeout

��OK��

��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

SSLSessionTimeout

�﷨

�� seconds �ǻ�� SSL �Ự��Ч��ȱʡֵΪ 100 �롣��ָ�� SSLSessionTimeout ָ���ֵ��Զ��޶�Ϊ 5 �� 100 ֮�䡣

SSLCacheEntries

SSL3SessionTimeout

�﷨

�� seconds �ǻ�� SSL3 �Ự��Ч��ȱʡֵΪ 86400 �루24 Сʱ��ָ�� SSL3SessionTimeout ָ���ֵ��Զ��޶�Ϊ 5 �� 86400 ֮�䡣

ʹ��ⲿ��ģ��

Sun ONE Web Server 6.1 ֧��ʹ��ⲿ��ģ�飨��ǻۿ��ƻ��ķ��

��װ PKCS#11 ģ��

Sun ONE Web Server ֧�ֹ��Կ��ܱ�׼ (PKCS) #11��ñ�׼�� SSL �� PKCS#11 ģ��֮��ͨ��ʹ�õĽӿڡ�PKCS#11 ģ��ָ�� SSL Ӳ��Ļ��ڱ�׼��l�ӡ��ⲿӲ��ĵ��֤��Կ�洢�� secmod.db �ļ��У��ļ��ڰ�װ PKCs#11 ģ��ʱ��ɡ�

ʹ�� modutil ��߰�װ PKCS#11 ģ��

��ʹ�� modutil ��߲�ͨ�� .jar �ļ��ļ��ʽ��װ PKCS#11 ģ�顣

ȷ��ر��з��( Administration Server��

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/https/admin/bin ��ӵ�� PATH �С�

�� server_root/bin/https/admin/bin ��ҵ� modutil��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH server_root/bin/https/lib:${LD_LIBRARY_PATH}

�� IBM-AIX �ϣ�LIBPATH

�� HP-UX �ϣ�SHLIB_PATH

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/https/bin

��Ŀ¼��ҵ�� PATH��server_root/https-admin/start��

��modutil��

��г��ѡ�

ִ��Ĳ��

��磬Ҫ�� UNIX �� PCKS#11 ģ�飬��Ҫ��룺

modutil -add��PCKS#11 �ļ��ƣ�-libfile��PCKS#11 ��libfile�� -nocertdb -dbdir�� db Ŀ¼��

ʹ�� pk12util

ʹ�� pk12util ��Դ��ڲ��ݿ��е��֤��Կ��䵼��ڲ��ⲿ PKCS#11 ģ�顣��Խ�֤��Կʼ�յ��ڲ��ݿ��У��ⲿ��Ʋ��֤��Կ��Ĭ��£�pk12util ʹ��Ϊ cert8.db �� key3.db ��֤��Կ��ݿ⡣

ʹ�� pk12util ��

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/https/admin/bin ��ӵ�� PATH �С�

�� server_root/bin/https/admin/bin ��ҵ� pk12util��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH/server_root/bin/https/lib:${LD_LIBRARY_PATH}

�� IBM-AIX �ϣ�LIBPATH

�� HP-UX �ϣ�SHLIB_PATH

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/https/bin

��Ŀ¼��ҵ�� PATH��server_root/https-admin/start��

��pk12util��

��г��ѡ�

ִ��Ĳ��

��磬�� UNIX �У��Ҫ��룺

pk12util -o certpk12 -n Server-Cert [-d /server/alias] [-P https-test-host]

��ݿ��롣

�� pkcs12 ��롣

ʹ�� pk12util ��

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/https/admin/bin ��ӵ�� PATH �С�

�� server_root/bin/https/admin/bin ��ҵ� pk12util��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH/server_root/bin/https/lib:${LD_LIBRARY_PATH}

�� IBM-AIX �ϣ�LIBPATH

�� HP-UX �ϣ�SHLIB_PATH

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/https/bin

��Ŀ¼��ҵ�� PATH��server_root/https-admin/start��

��pk12util��

��г��ѡ�

ִ��Ĳ��

��磬�� UNIX �У��Ҫ��룺

pk12util -i pk12_sunspot [-d certdir][-h "nCipher"][-P https-jones.redplanet.com-jones-]

-P �� -h ֮�󣬲��ұ��һ��

��ȷ��(��д��ĸ��֮��Ŀո�

��ݿ��롣

�� pkcs12 ��롣ʹ��ĳ��ⲿ֤��

��֤�鰲װ��ⲿ PKCS#11 ģ�飨��磬Ӳ��У��޷�ʹ�ø�֤�� server.xml ��б༭��ָ��֤��ơ�

��ʼ�ճ��ʹ��Ϊ��Server-Cert��֤��ⲿ PKCS#11 ģ��е�֤�齫��ʶ��а��ģ��ĳ��磬��Ϊ��smartcard0��ⲿ�ǻۿ��ȡ��ϰ�װ�ķ��֤��Ӧ��Ϊ��smartcard0:Server-Cert��

Ҫʹ�ð�װ��ⲿģ��е�֤��ҪΪ��е��׽��ָ��֤��ơ�

Ϊ��׽��ѡ��֤��


ע	��δ��׽��á�Security��򲻻��г�֤��Ϣ��ҪΪ��׽��ѡ��֤��ƣ��ȱ��ȷ��ϵİ�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

�� Administration Server �� Server Manage��Ȼ��ѡ��Preferences��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

ѡ��Preferences��ѡ���δѡ��

��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��

��Ҫ��֤��j��׽��Ӧ�ġ�Listen Socket Id��t�ӡ�

��ʾ��Edit Listen Socket��

�ӡ�Server Certificate Name��-�б��Ϊ��׽��ѡ��֤�顣

��б��а��Ѱ�װ��ڲ��ⲿ֤�顣



ע	��δ��װ��֤�飬��ʾ��Ϣ��ǡ�Server Certificate Name��-�б?

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

��Ҳ��ֶ��༭ server.xml �ļ��÷��ʹ�ø÷��֤�� SSLPARAMS �е� servercertnickname ��Ը��Ϊ��

Ҫ�� $TOKENNAME ʹ�õ�ֵ��ת�w��ġ�Security��ѡ���ѡ��Manage Certificates��t�ӡ��¼��洢 Server-Cert ��ⲿģ��ʱ��$TOKENNAME:$NICKNAME �?��б��н��ʾ��֤�顣

FIPS-140 ��׼

ͨ�� PKCS#11 API��ִ�м��ܲ��Ӳ��ģ��ͨ�š��ڷ��ϰ�װ PKCS#11 ֮��Զ� Sun ONE Web Server ��ã�ʹ��j��Ϣ��׼ (FIPS)-140 ��ݡ��Щ�� SSL 3.0 �汾�С�


ע	��δ��ݿ⣬��Ϊ�ⲿ PKCS#11 ģ��װ֤��ʱ��һ��ݿ⡣��ȱʡ��ݿ�û��룬��޷��ʡ��ⲿģ�齫��Ͱ�װ��֤�顣��ȱʡ��ݿ�û��룬��ʹ�á�Security��ѡ��͡�Create Database��4��롣

�� FIPS-140 �е�˵��װ�ò��

�� Administration Server �� Server Manage��Ȼ��ѡ��Preferences��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��ڰ�ȫ��׽��֣��Edit Listen Socket��н��ʾ��õİ�ȫ��á�



ע	Ҫʹ�� FIPS-140��ȷ��ѡ��׽��˸ð�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

�� SSL 3 �汾��-�б��ѡ��Enabled��δѡ��

ѡ��ʵ�� FIPS-140 ��㷨�׼��

(FIPS) 56 λ�� DES �� SHA ��Ϣ��֤

(FIPS) 168 λ�� Triple DES �� SHA ��Ϣ��֤

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

��ÿͻ��ȫҪ��

Ҫ��ͻ��֤

��Ϊ Administration Server ��ÿ��ʵ��׽��֣��Ҫ��ͻ��֤��ÿͻ��֤�󣬽��Ҫ�ͻ��֤�飬Ȼ��Ž��Ӧ��͸��ѯ��

Sun ONE Web Server ֧��ͨ��ͻ��֤��е� CA ��ǩ��ͻ��֤��ʱ��ε� CA ��ƥ��4��֤�ͻ��֤�顣�� Administration Server �ġ�Security��µġ�Manage Certificates��в鿴ǩ��ͻ��֤��ʱ��ε� CA �б?CA ��ͣ�

�� CA��ƥ�䣩

��εķ�� CA��ƥ�䣩

��εĿͻ�� CA��ƥ�䣩

��εĿͻ��/�� CA��ƥ�䣩

��Զ� Web ��ã��Ծܾ��4�� CA �Ŀͻ��֤��κοͻ��Ҫ��ܻ�ܾ��ε� CA��Ϊ CA ��˿ͻ��Ρ��йظ��Ϣ��μ��֤��

��֤��ѹ��ڣ�Sun ONE Web Server ��¼��󡢾ܾ�֤�鲢��ͻ��һ��Ϣ��Ҳ�� Administration Server �ġ�Manage Certificates��в鿴�ѹ��ڵ�֤�顣

��ԶԷ��ã��Ա�ӿͻ��֤��ռ��Ϣ�� LDAP Ŀ¼�е��û��ƥ�䡣��ȷ��ͻ��Ч��֤�� LDAP Ŀ¼�е����һ��ȷ��ͻ��֤�� LDAP Ŀ¼�е�֤��ƥ�䡣Ҫ�˽��ν��д˲��μ��ͻ��֤��ӳ�䵽 LDAP��

��Խ��ͻ��֤��ͷ��ʿ��ƽ��ʹ�ã��Ա��4��ε� CA ��⣬��֤��j��û��ʿ��ƹ�� (ACL) ��ƥ�䡣�йظ��Ϣ��μ�ʹ�÷��ʿ��ļ��

��Ҳ��Դ��ͻ��֤��Ϣ��й��ϸ��Ϣ��μ� Sun ONE Web Server 6.1 NSAPI Programmer's Guide��

��ͻ��֤

�� Administration Server �� Server Manage��Ȼ��ѡ��Preferences��ѡ���

�� Server Manage��ȴ��-�б��ѡ��ʵ��

��Edit Listen Sockets��t�ӡ�

��ʾ��Edit Listen Sockets��

��ҪΪ��ͻ��֤��׽��Ӧ�ġ�Listen Socket Id��t�ӡ�

��ʾ��Edit Listen Socket��

ҪΪ��׽��ͻ��֤��ӡ�Client Authentication��-�б��ѡ��Required��

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��



ע	Ŀǰ��ÿ�� Web ��ʵ��ֻ��һ��֤��ݿ⡣�ڸ÷��ʵ��е��а�ȫ��ͬһ��εĿͻ�� CA �б?��}̨��Ҫ��ͬ�� CA��Щ��Ӧ��ھ��е��ݿ�Ĳ�ͬ�ķ��ʵ��С�

��ͻ��֤��ӳ�䵽 LDAP

��ڽ�� Sun ONE Web Server ��4��ͻ��֤��ӳ�䵽 LDAP Ŀ¼�е��Ĺ�̡�

��ÿͻ��󣬽��ڴ��֮ǰ��Ҫ�ͻ��֤�顣ĳЩ�ͻ��ͬʱ��Ϳͻ��֤�顣

��Բ鿴�� CA �Ƿ�� Administration Server �е�ĳ�� CA ��ƥ�䡣��Ҳ��ƥ�� CA��Sun ONE Web Server ��ֹl�ӡ��ܹ��ҵ�ƥ�� CA��

��֤֤��4��ε� CA ֮�󣬷��ͨ��·�ʽ��֤��ӳ�䵽 LDAP �


ע	��ͻ��֤��ӳ�䵽 LDAP ֮ǰ��Ҫ�� ACL��й��ϸ��Ϣ�� 9 �¡��ƶԷ��ķ��ʡ��

��䷢�ߺ�� DN �ӿͻ��֤��ӳ�䵽 LDAP Ŀ¼�еķ�֧�㡣

�� LDAP Ŀ¼��ͻ��֤��⣨��û��Ϣ��ƥ��

��ѡ��֤�ͻ��֤��Ƿ��Ӧ�� DN �� LDAP ��е�֤��ƥ�䡣

��ʹ��Ϊ certmap.conf ��֤��ӳ��ļ�4ȷ��ν�� LDAP ��ӳ��ļ��߷��Ҫʹ�ÿͻ��֤��е��Щֵ��û��ơ�Email ��ַ�ȣ��ʹ��Щֵ�� LDAP Ŀ¼�е��û����Ҫȷ�� LDAP Ŀ¼�е��ĸ�λ�ÿ�ʼ��֤��ӳ��ļ�Ҳ��߷��ʼ��λ�á�

��˽��˿�ʼ��λ�ú��Ҫ��ݣ�� 1��֮�󣬽�� LDAP Ŀ¼��ִ�� 2��δ�ҵ�ƥ��ҵ��ƥ����ӳ��δ��Ϊ��֤֤�飬��ʧ�ܡ��й�Ԥ��Ϊ��б?��μ��±?�� 5-1��ע�⣬�� ACL ��ָ��Ԥ�ڵ��Ϊ��磬��ָ�� Sun ONE Web Server ��֤��ƥ��ʧ��ʱ��й�� ACL ��ѡ��ϸ��Ϣ��ʹ�÷��ʿ��ļ��

�� 6-1 LDAP ��
LDAP ��	֤��֤��	֤��֤�ر�
δ�ҵ��	��֤ʧ��	��֤ʧ��
ǡ��ҵ�һ��	��֤ʧ��	��֤�ɹ�
�ҵ��	��֤ʧ��	��Ȩʧ��

�� LDAP Ŀ¼��ҵ�ƥ��֤��󣬾Ϳ��ʹ�ø��Ϣ��磬ĳЩ��ʹ��֤��-��-LDAP (certificate-to-LDAP) ӳ��4ȷ��ĳ̨��ķ��Ȩ�ޡ�

ʹ�� certmap.conf �ļ�

֤��ӳ��ȷ�� LDAP Ŀ¼�в��û��ķ�ʽ��ʹ�� certmap.conf ��֤�飨��ָ��ӳ�䵽 LDAP ��ķ�ʽ��Ա༭��ļ����ƥ�� LDAP Ŀ¼��֯��г��ϣ��û�ӵ�е�֤�顣�û��Ի�� subjectDN ��ʹ�õ��û� ID��Email ��κ��ֵ��֤��ԣ�ӳ��ļ��ɶ��Ϣ��

��Ӧ�� LDAP ��е��ĸ�λ�ÿ�ʼ��

�� LDAP Ŀ¼�н��ʱ��Ӧ��֤��

��Ƿ�Ҫ��֤��

��ļ��һ��ӳ�䣬ÿ��ӳ�䶼Ӧ��ڲ�ͬ�� CA��ӳ��﷨��£�

��һ��ָ��Լ��γ� CA ֤��ж��ص��Ƶ��ԡ��ģ��Խ��䶨��Ϊ��κ��ơ��ǣ�issuerDN ��䷢�ͻ��֤�� CA �İ䷢�� DN ��ȫƥ�䡣��磬��}�� issuerDN �н��ڷָ��ԵĿո��죬��Ϊ}��ͬ��

certmap sun1 ou=Sun Certificate Authority,o=Sun, c=US
certmap sun2 ou=Sun Certificate Authority,o=Sun, c=US



��ʾ	��ʹ�õ�� Sun ONE Directory Server ��ƥ�� issuerDN ʱ��⣬�� Directory Server ��־��Ƿ��õ��Ϣ��

��ӳ��еĵڶ��к��н��ֵ��ƥ�䡣certmap.conf �ļ��а��ȱʡ��ԣ��ʹ��֤�� API �Զ��ԣ��

DNComps ��һϵ��Զ��ŷָ��ɣ��ȷ�� LDAP Ŀ¼��ĸ�λ�ÿ�ʼ��ƥ��û��ͻ��֤��ߣ��Ϣ��Ŀ��ӿͻ��֤��ռ��Щ��Ե�ֵ��Щֵ�γ� LDAP DN��Ȼ�󼴿�ȷ�� LDAP Ŀ¼��ĸ�λ�ÿ�ʼ��磬�� DNComps ��Ϊʹ�� DN �� o �� c ��ԣ�� LDAP Ŀ¼�е� o=<org>, c=<country> �ʼ�� <org> �� <country> ��滻Ϊ֤�� DN ��ֵ��

FilterComps ��һϵ��Զ��ŷָ��ɣ��ͨ��ռ��ͻ��֤��û� DN ��Ϣ4��ʹ��Щ��Ե�ֵ��γ��ƥ�� LDAP Ŀ¼�и�� LDAP Ŀ¼��ҵ��һ��֤��ռ��û��Ϣ��ƥ��Ŀ��ʾ��ɹ��ҷ��ѡ��ִ��ĳ��֤��

��磬�� FilterComps ��Ϊʹ�� Email ��û� ID �� (FilterComps=e,uid)��Ŀ¼�� Email ��û� ID ��ֵ��ӿͻ��֤��ռ��û��Ϣ��ƥ��Ŀ��Email ��ַ��û� ID �Ƿǳ��õĹ��Ϊ��Ŀ¼��ͨ��Ψһ�ġ��Ҫ�ǳ��壬�Խ��ƥ�� LDAP ��ݿ��е�ĳһ�

�й� x509v3 ֤��Ե��б?��±?

�� 6-2 x509v3 ֤��
��	˵��
c	��ң��
o	��֯
cn	ͨ��
l	λ��
st	״̬
ou	��֯��λ
uid	UNIX/Linux �û� ID
Email	Email ��ַ

��4��֤�飨��4�� LDAP Ŀ¼��磬ĳЩ֤�齫 e ��û�� Email ��ַ�� LDAP ��Ƹ��Ϊ mail��

verifycert ��߷��Ƿ��Ҫ��ͻ��֤�� LDAP Ŀ¼��ҵ��֤��бȽϡ��ʹ��}��ֵ��on �� off�� LDAP Ŀ¼�а�֤�飬��ֻ��ʹ�ô��ԡ��˹��ȷ��û�ʹ�õ�֤��Ч��δ��ء�

CmapLdapAttr �� LDAP Ŀ¼�а��û��֤�� DN ��ơ��Ե�ȱʡֵΪ certSubjectDN��Բ��Ǳ�׼�� LDAP ��ԣ��Ҫʹ�ø��ԣ��Ҫ)չ LDAP ģʽ��й��ϸ��Ϣ�� Introduction to SSL��

�� certmap.conf �ļ��д��ڴ��ԣ�� LDAP Ŀ¼��ԣ��Դ�� DN��֤��л�ã��ƥ��Ŀ��δ�ҵ��κ��Ŀ��ʹ�� DNComps �� FilterComps ӳ��

��ʹ�� DNComps �� FilterComps ƥ��Ŀ��'��ʱ��ڽ�֤�� LDAP ��Ŀ��ƥ��ķ��ǳ��á�

Library ��ֵΪָ�� DLL ��·��ԡ�ֻ��ʹ��֤�� API ��Լ��ʱ��Ҫʹ�ô��ԡ��й��ϸ��Ϣ��μ� NSAPI Programmer's Guide��

InitFn ��ֵΪ�Զ�� init ��Ƶ��ԡ�ֻ��ʹ��֤�� API ��Լ��ʱ��Ҫʹ�ô��ԡ�

��Զ��

��ʹ�ÿͻ��֤�� API ��Լ��ԡ��йس��ƺ�ʹ�ÿͻ��֤�� API ��Ϣ��μ� NSAPI Programmer's Guide��

<name>:library <path_to_shared_library>
<name>:InitFn <name_of_init_function>

ӳ��

certmap.conf �ļ��Ӧ��ٰ�һ���ʾ��˵��ʹ�� certmap.conf �ļ��Ĳ�ͬ��ʽ��

ʾ�� 1

��ʾ��ʾ��ֻ��һ��ȱʡ��ӳ�� certmap.conf �ļ��

ʹ�ñ�ʾ��ڰ� ou=<orgunit>, o=<org>, c=<country> ��Ŀ�� LDAP ��֧�㴦��ʼ�� <> �е��ı��滻Ϊ�ͻ��֤�� DN ��ֵ��

Ȼ�󣬷��ʹ��֤��е� Email ��ַ��û� ID ��ֵ�� LDAP Ŀ¼��ƥ���ҵ�ƥ��ʱ��ȽϿͻ��͵�֤��ʹ洢��Ŀ¼�е�֤�飬��֤��֤�顣

ʾ�� 2

��ʾ��ļ��а�(}��ӳ�䣺һ��ȱʡӳ�䣬��һ��9��ʵ�ҵ (US Postal Service)��

��õ�֤��4��9��ʵ�ҵ��û��ʹ��ȱʡӳ�䣬�� LDAP ��Ķ��ƥ��ͻ�� Email ��û� ID ��Ŀ��֤��4��9��ʵ�ҵ��Ӱ��֯��λ�� LDAP ��֧��ƥ�� Email ��ַ��ң��ע�⣬��֤��4�� USPS��֤��֤�飬��֤��֤�顣

ʾ�� 3


ע��	֤��еİ䷢�� DN�� CA ��Ϣ��ӳ��ĵ�һ��еİ䷢�� DN һ�¡��ʾ��У�4�԰䷢�� DN�� o=United States Postal Service,c=US��֤��Ͳ�ƥ�䣬��Ϊ o �� c ��֮��û�пո�

��ʾ��ʹ�� CmapLdapAttr �� LDAP ��ݿ��Ϊ certSubjectDN ��ԣ��Ե�ֵ��ͻ��֤��е�� DN ��ȫƥ�䡣

��ҵ��һ��ƥ����֤����δ�ҵ�ƥ����ʹ�� DNComps �� FilterComps ��ƥ���ڱ�ʾ��У�� o=LeavesOfGrass Inc, c=US �µ�� uid=Walt Whitman��


ע	��ʾ�� LDAP Ŀ¼�а�� certSubjectDN ��Ե��

��ø�ǿ��ļ��㷨

��Stronger Ciphers��ѡ��ṩ��ڷ��ʵ� 168 λ��128 λ�� 56 λ��С��Կ��ṩ��Կ��ָ��ʱʹ�õ��ļ��δָ��ļ��Sun ONE Web Server ��ء�Forbidden��״̬��

��ѡ��ڷ��ʵ��Կ��С�롰Security Preferences��µĵ�ǰ��㷨��ò�һ�£�Sun ONE Web Server ��ʾһ��Ի��򣬾��Ҫ��ô��и��Կ��С�ļ��㷨��

��Կ��С��Ƶ�ʵ��Ŀǰ�� obj.conf �е� NSAPI PathCheck ָ��� Service fn=key-toosmall��ָ��Ϊ��

��У�<nbits> ��Կ��Сλ��<filename> �ǲ��ʱʹ�õ��ļ�� URI��ơ�

��δ�� SSL ��δָ�� secret-keysize ��PathCheck �� REQ_NOACTION��ǰ�Ự��Կ��СС��ָ�� secret-keysize��״̬Ϊ PROTOCOL_FORBIDDEN �� REQ_ABORTED��δָ�� bong-file�� REQ_PROCEED��ҡ�path��Ϊ bong-file <filename>��ң��Կ��С��ǰ�Ự�� SSL �Ự��ʧЧ��´ε�ͬһ̨�ͻ��l�ӵ��ʱ�� SSL ��֡�


ע	��Stronger Ciphers��?�� PathCheck fn=ssl-check ʱ��ɾ��ڶ��ҵ�� Service fn=key-toosmall ָ�

�� Server Manage ��-�б��ѡ��ʵ��

��Virtual Server Class��ѡ���

��-�б��ѡ��һ��ಢ��Manage��

��ʾ��Class Manager��

ѡ��Content Mgmt��ѡ���

ѡ��Stronger Ciphers��

ͨ��·�ʽѡ��Խ��б༭��

��-�б��

��Browse��

��Wildcard��

ѡ��Կ��С��ƣ�

168 λ��

128 λ��

56 λ��

��

��Ҫ�ܾ��ʵ��Ϣ��ڵ��ļ�λ�á�

��OK��

��Apply��

ѡ��/��̬Ӧ�á�

��ȫ��

��ĳЩ�˻��ͼ�ƽ��ļ��⣬��ȫ��ա��ٵķ��4��ⲿ��ڲ��ĺڿͣ��ʹ�ø��ַ��ͼ��ķ��Լ��ϵ��Ϣ��

��˳��ڷ��ü��⣬��Ӧ��ȡ��İ�ȫԤ�4�ʩ��磬��һ��ȫ�ķ��ڣ��Լ��?��εĸ��˽��ص��ķ��С�

��

��ƹ��

ѡ��ɿ��

�� PIN

��Ʒ��ϵ��Ӧ�ó��

��ֹ�ͻ�� SSL �ļ�

��ƶ˿�

�˽��

��Ա��

��

��ּ򵥵İ�ȫ��ᱻ��ǡ��һ��ķ��У�ֻ��Ȩ��û��ܽ��÷��䡣��Է�ֹ�κ��˹��?

��ƹ��

��ʹ��Զ��ã��ȷ��˷��ʿ��ƣ�ֻ��û��ͼ��й��?��ϣ�� Administration Server Ϊ��û��ṩ�� LDAP ��򱾵�Ŀ¼��Ϣ�ķ��ʣ��뿼��ά��}̨ Administration Server ��ʹ��Ⱥ��?�� SSL �� Administration Server ��һ̨ Administration Server ��û��ķ��ʡ�

��ӦΪ Administration Server �򿪼��ܹ��ܡ��δ�� SSL l��ڹ��?��ôͨ��ȫ��ִ��Զ�̷��ʱӦ�ø��С�ģ��Ϊ�κ��˶��Խ�ȡ��Ĺ��벢��ķ��

ѡ��ɿ��

��ڷ��ʹ�ö��룺��롢ר��Կ��롢��ݿ��ȵȡ��Ҫ��һ��Ϊ��и��û��ļ��κη��ר��Կ��һ��Ҫ��롣��˻�ȡ��ר��Կ��ר��Կ��룬��Դ��αװ��ķ��ȡ�͸�ķ��ͨ��Ϣ��

��ñ��Լ��䣬��޷��µ��磬��Խ� MCi12!mo �ǳɡ�My Child is 12 months old!��Ҫʹ�ú��ӵ��Ϊ��

��ƽ��

��ؽ��й��һ��룬��ʹ�õĹ��Խ�࣬��Խ��ƽ⣺

��ĳ��ӦΪ 6 �� 14 ��ַ�Mac ��벻�ó�� 8 ��ַ�

�벻Ҫʹ�á��Ƿ��ַ�*��" ��ո�

�벻Ҫʹ�ôʵ䵥�ʣ��κ��ԣ�

�벻Ҫʹ�ó��ĸ�滻��罫 E �滻Ϊ 3 �� L �滻Ϊ 1

��ܶ�ذ��ַ�

��д��ĸ

Сд��ĸ

��

�� PIN

��ö��ڸ��ݿ�/��Կ��ļ�� PIN�� Administration Server �� SSL��ʱ��Ҫ��롣��ڸ��ӶԷ��Ķ��Ᵽ��

ֻ��ڱ��ؼ��ϸ�Ĵ��롣�йظ��ʱ��ע��б?��ƽ��

��

Ҫ�� Administration Server ��ʵ��ݿ�/��Կ��ļ��룬��ִ��²��裺

�� Administration Server �� Server Manage��

�� Server Manage��ȴ��-�б��ѡ��ʵ��

ѡ��Change Password��t�ӡ�

��-�б��ѡ��Ҫ��и��İ�ȫ��ơ�

ȱʡ��£��ڲ��Կ��ݿ�İ�ȫ��Ϊ��internal��װ�� PKCS#11 ģ�飬��ῴ��г��ơ��Change Password��t�ӡ�

��뵱ǰ��롣

��롣

�ٴ��롣

��OK��

�� Server Manage��Apply��Ȼ�󵥻�Restart��ʹ��Ч��

ȷ��Կ��ļ��ܵ��Administration Server ��Կ��ļ��洢�� server_root/alias Ŀ¼�С�ʹ�ļ��Ŀ¼ֻ�ܱ��ϰ�װ�� Sun ONE ��ȡ��

�˽ⱸ�ݴŴ��Ƿ�洢�˸��ļ��Լ��Ƿ��ܹ��ػ��ļ�Ҳ��Ҫ��洢�˸��ļ��񱣻��һ��f��ı��ݡ�

��Ʒ��ϵ��Ӧ�ó��

UNIX �� Linux

С��ѡ�� inittab �� rc �ű��Ľ�̡��벻Ҫ�ڷ�� telnet �� rlogin��ң�Ҳ��Ӧ�ڷ�� rdist��4�ַ��ļ��Ҳ��ڸ��·��е��ļ��

Windows

��Ŀ¼ʱҪ��С�ġ��ң�Ҫ��Щ�û��ʻ�� Guest Ȩ�ޡ�

��ֹ�ͻ�� SSL �ļ�

ͨ�� HTML ��ʽ��ļ�� <HEAD> ��У��Է�ֹ�ͻ��ٻ��ǰ��ļ��

��ƶ˿�

��ü��δʹ�õ��ж˿ڡ�ʹ��·��;�ǽ��ÿ��Է�ֹ��С�˿ڼ��κζ˿ڵĴ��l�ӡ��ζ�Ż�ȡ�� Shell ��Ψһ��ͨ��?ʽʹ�÷��ü��Ӧ��ѷ��һ��Ƶ��ڡ�

�˽��

��ṩ�˷��Ϳͻ��֮��İ�ȫl�ӡ��ͻ��Ϣ֮�󣬷��޷��Ϣ�İ�ȫ�ԣ�Ҳ�޷��ƶԷ��?��Ŀ¼��ļ��ķ��ʡ�

�˽��Щ��Ҫ��磬��ͨ�� SSL l�ӻ�ȡ��ÿ��ţ��Щ��Ƿ�洢�ڷ��ϵİ�ȫ�ļ��أ�SSL l��ֹ��Щ��أ��Ӧ�öԿͻ��ͨ�� SSL ��͸��κ��Ϣ�İ�ȫ�Ը��

��Ա��

��Ҫͬʱʹ��ܱ��ĺͲ��ܱ��ķ��Ӧ��ܱ��ķ��ϲ��ܱ��ķ��Դ��ޣ��ͬһ̨��в��ܱ��ķ��ܱ��ķ��ִ��²��

ָ��ȷ�Ķ˿ںš�ȷ��ָ��ܱ��ķ��Ͳ��ܱ��ķ��Ķ˿ںŲ�ͬ��ע��ȱʡ�˿ں�Ϊ��

443��ܱ��ķ��

80��ڲ��ܱ��ķ��

�� UNIX �� Linux��ĵ��Ŀ¼�� chroot ��ܡ��ܱ��ķ��Ӧ��ʹ�� chroot �ض��ĵ��Ŀ¼��á�

chroot ��ڶ��Ŀ¼��Ʒ��ʹ��ض��Ŀ¼��ʹ�ô˹��4��ܱ��ķ��磬��ø�Ŀ¼Ϊ /d1/ms��ô Web ��Է��ʸ�Ŀ¼ʱ�� /d1/ms��Է��ʵ�� /dev�� /d1/ms/dev �ȵȡ�� UNIX/Linux ϵͳ�� Web ��ʵ�ʸ�Ŀ¼��ļ��ķ��Ȩ�ޡ�

��ǣ��ʹ�� chroot��Ҫ��Ŀ¼�� Sun ONE Web Server ��Ŀ¼�ṹ��ͼ��ʾ��

Ϊ��ָ�� chroot

�� Server Manage ��-�б��ѡ��ʵ��

ѡ��Virtual Server Class��ѡ���

��Edit Classes��t�ӡ�

ȷ��Ҫָ�� chroot Ŀ¼��ġ�Option��Ϊ��Edit��

��ġ�Advanced��ť��

��ʾ��Virtual Servers CGI Settings��

�ڡ�Chroot��ֶ��·��

��OK��

��Apply��

ѡ��Load Configuration Files��̬Ӧ�ø�ġ�

Ϊ��ָ�� chroot

�� Server Manage ��-�б��ѡ��ʵ��

ѡ��Virtual Server Class��ѡ���

�ӷ��ͼ�У��Ҫָ�� chroot Ŀ¼��t�ӡ�

ѡ��Settings��ѡ���

��ʾ��Settings��

�ڡ�Chroot Directory��Աߵġ�Set to��ֶ��·��

��OK��

��Apply��

ѡ��Load Configuration Files��̬Ӧ�ø�ġ�

��Ҳ��ʹ�á�Class Manager Virtual Servers��ѡ��͡�CGI Settings��t��Ϊ��ָ�� chroot Ŀ¼��

�й��Ϊ��ָ�� chroot Ŀ¼��ϸ��Ϣ��μ� Sun ONE Web Server 6.1 Programmer's Guide��

�� 6 �� ʹ��֤�����Կ

����֤�����֤

ʹ��֤�������֤

��������֤

�ͻ�����֤

���������֤��

����������ݿ�

����������ݿ�

ʹ�� password.conf

�Զ��������� SSL �ķ�����

����Ͱ�װ VeriSign ֤��

���� VeriSign ֤��

��װ VeriSign ֤��

����Ͱ�װ���������֤��

����� CA ��Ϣ

�������������֤��

��װ���������֤��

��װ֤��

��ʱǨ��֤��

ʹ�����ø�֤��ģ��

����֤��

��װ�͹��� CRL �� CKL

��װ CRL �� CKL

���� CRL �� CKL

���ð�ȫ��ѡ��

SSL �� TLS Э��

ʹ�� SSL �� LDAP ͨ��

Ϊ�����׽������ð�ȫ��

�򿪰�ȫ��

���������׽���ʱ�򿪰�ȫ��

�༭�����׽���ʱ�򿪰�ȫ��

Ϊ�����׽���ѡ�������֤��

ѡ������㷨

ȫ�����ð�ȫ��

SSLSessionTimeout

�﷨

SSLCacheEntries

SSL3SessionTimeout

�﷨

ʹ���ⲿ����ģ��

��װ PKCS#11 ģ��

ʹ�� modutil ���߰�װ PKCS#11 ģ��

ʹ�� pk12util

ʹ�� pk12util ����

ʹ�� pk12util ����

Ϊ�����׽���ѡ��֤�����

FIPS-140 ��׼

���ÿͻ���ȫҪ��

Ҫ��ͻ�����֤

����ͻ�����֤

���ͻ���֤��ӳ�䵽 LDAP

ʹ�� certmap.conf �ļ�

�����Զ�������

ӳ������

ʾ�� 1

ʾ�� 2

ʾ�� 3

���ø�ǿ��ļ����㷨

��������ȫ����

�����������

���ƹ������

ѡ��ɿ�������

���������ƽ������

�������� PIN

�������

���Ʒ������ϵ�����Ӧ�ó���

UNIX �� Linux

Windows

��ֹ�ͻ���� SSL �ļ�

���ƶ˿�

�˽�����������

�����������Ա���������

Ϊ�����������ָ�� chroot

Ϊ���������ָ�� chroot

�� 6 ��
ʹ��֤��Կ

��֤��֤

ʹ��֤��֤

��֤

�ͻ��֤

��֤��

��ݿ�

��ݿ�

�Զ�� SSL �ķ��

��Ͱ�װ VeriSign ֤��

�� VeriSign ֤��

��Ͱ�װ��֤��

�� CA ��Ϣ

��֤��

��װ��֤��

ʹ��ø�֤��ģ��

��֤��

��װ�͹�� CRL �� CKL

�� CRL �� CKL

��ð�ȫ��ѡ��

Ϊ��׽��ð�ȫ��

��׽��ʱ�򿪰�ȫ��

�༭��׽��ʱ�򿪰�ȫ��

Ϊ��׽��ѡ��֤��

ѡ��㷨

ȫ��ð�ȫ��

ʹ��ⲿ��ģ��

ʹ�� modutil ��߰�װ PKCS#11 ģ��

ʹ�� pk12util ��

ʹ�� pk12util ��

Ϊ��׽��ѡ��֤��

��ÿͻ��ȫҪ��

Ҫ��ͻ��֤

��ͻ��֤

��ͻ��֤��ӳ�䵽 LDAP

��Զ��

ӳ��

��ø�ǿ��ļ��㷨

��ȫ��

��

��ƹ��

ѡ��ɿ��

��ƽ��

�� PIN

��

��Ʒ��ϵ��Ӧ�ó��

��ֹ�ͻ�� SSL �ļ�

��ƶ˿�

�˽��

��Ա��

Ϊ��ָ�� chroot

Ϊ��ָ�� chroot