CHAPTER 3

Installing and Configuring Sun ONE Server Software

This chapter describes how to configure the Sun Crypto Accelerator 1000 board for use with Sun ONE servers. This chapter includes the following sections:



Note - The Sun ONE servers described in this manual were previously named iPlanet(TM) Servers.





Note - All Sun ONE server software is supported for use with the board. The example in this section covers configuring the Sun ONE Web Server only. Refer to the Sun ONE documentation for details on how to install and configure Sun ONE server software.




Overview of Enabling Sun ONE Web Servers

To enable Sun ONE Web Servers, you must complete the following procedures, which the rest of the chapter explains in detail.

1. Install the Sun ONE Web Server.

2. Create a trust database.

3. Request a certificate.

4. Install the certificate.

5. Configure the Sun ONE Web Server.




Caution - These procedures must be followed in the order given. Failure to do so could result in an incorrect configuration.




Installing and Configuring Sun ONE Web Server 6.1

This section describes how to install and configure Sun ONE Web Server 6.1 to use the board. You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about installing and using Sun ONE Web Servers. This section includes the following procedures:


To Install Sun ONE Web Server 6.1

1. Download the Sun ONE Web Server 6.1 software.

You can find the web server software at the following URL:
http://www.sun.com/

2. Change to the installation directory and extract the web server software.

3. Install the web server with the setup script from the command-line.

The default path name for the server is: /opt/SUNWwbsvr/.

This chapter refers to the default paths. If you decide to install the software in a different location, be sure to note where you installed it.


# ./setup

4. Answer the prompts from the installation script.

Except for the following prompts, you can accept the defaults:

a. Agree to accept the license terms by typing yes.

b. Enter a fully qualified domain name.

c. Enter the Sun ONE Web Server 6.1 Administration Server password twice.

d. Press Return when prompted.

Configuring Sun ONE Web Server 6.1

These procedures create a trust database; register the board with the web server; generate and install a server certificate; and enable the web server for SSL.


To Create a Trust Database

1. Start the administration server.

To start a Sun ONE Web Server, use the following command (instead of running startconsole as setup requests):


# /opt/SUNWwbsvr/https-admserv/start
Sun ONE Web Server 6.1 B08/22/2003 12:37
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.4.1_03] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [vs-admin] at [/admin-app]
info: HTTP3072: [LS ls1] http://hostname.domain:8888 ready to accept requests
startup: server started successfully

The response provides the URL for connecting to your servers.

2. Start the Sun ONE administration server by opening up a web browser and entering:


http://hostname.domain:admin-port

In the pop-up window, enter the Sun ONE Web Server administration server username and password you selected while running setup.



Note - If you used the default settings during Sun ONE Web Server setup, enter the word admin for the User ID or the Sun ONE Web Server administration server username.



3. Click OK.

4. Create the trust database for the web server instance.

You might want to enable security on more than one web server instance. If so, repeat this process for each web server instance.



Note - If you want to run SSL on the administration server as well, the process of setting up a trust database is similar. Refer to the Sun ONE documentation for more information.



a. Click the Servers tab in the administration server.

b. Select a server and click the Manage button.

c. Click the Security tab near the top of the page and select the Create Database link.

d. Enter a password (web server trust database) in the two dialog boxes and click OK.

Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode.


To Register the Board With the Web Server

1. Configure the Sun Metaslot keystore. Log in as the Web Server Administration Server user you chose during Sun ONE Web Server installation (the default is root). Use the following command to set up the Sun Metaslot keystore. If you are prompted for the current password, the default is changeme. The new password you enter here will be needed to start the Sun ONE Web Server. For convenience, you may also use the same password you created in the last section (To Create a Trust Database) for Sun Metaslot.


% METASLOT_ENABLED=false
% export METASLOT_ENABLED
% pktool setpin

Restore the METASLOT_ENABLED environment variable using the following command.


% METASLOT_ENABLED=true
% export METASLOT_ENABLED

The pktool setpin command creates the .sunw directory in the home directory of the Administration Server user. This directory will be used by the System User you chose during Sun ONE Web Server installation (the default user is webservd). Change to the home directory of the Administration Server user and use the following command to change the owner and group of the .sunw directory and all its contents to the System User.


% chown -R webservd:webservd .sunw

Use the following command to disable the CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_SSL3_MASTER_KEY_DERIVE, CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC mechanisms in the Sun Metaslot.

Determine whether the system is using the non-export or export version of softtoken with the following command:


% cryptoadm list -p

If pkcs11_softtoken.so is returned in the output of the previous command, disable the algorithms with the following command.



Note - When executing the cryptoadm command, all strings must be entered on one line. You must be superuser to execute this command.




% cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

Alternately, if pkcs11_softtoken_extra.so is returned in the output of the cryptoadm list -p command, disable the algorithms with the following command:


% cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

2. Register the Solaris PKCS#11 library in the security module database of the Sun ONE Web Server using modutil.



Note - modutil is a utility developed by Mozilla and is available with the Sun ONE distribution. By default, modutil is located in the /opt/SUNWwbsvr/bin/https/admin/bin directory. It uses the NSS libraries located at /opt/SUNWwbsvr/bin/https/lib. This directory should be included in the environment variable $LD_LIBRARY_PATH.




% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -add "Solaris Cryptographic Framework" -libfile /usr/lib/libpkcs11.so

3. Certain Sun ONE applications ask for a password for every known PKCS#11 token. To limit the slots presented to those required to start the web server, disable all slots except for one slot used by the Sun ONE application.


% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -disable "Solaris Cryptographic Framework"
% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -enable "Solaris Cryptographic Framework" -slot "Sun Metaslot"
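As an added example (not part of the Sun manual), the following POSIX shell script automates the choice between the two cryptoadm commands in Step 1: it reads a cryptoadm list -p listing, detects which softtoken library is present, and prints the matching one-line disable command. The listing embedded in the script is constructed; the script only prints the command, which you then run as superuser.

```shell
#!/bin/sh
# Added example (not from the Sun manual): pick the softtoken provider that
# "cryptoadm list -p" reports and build the matching one-line "cryptoadm
# disable" command from this chapter, so the SSL3 mechanisms are removed from
# the library that is actually installed.

# The SSL3 mechanisms the chapter disables in softtoken.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC"

# softtoken_library LISTING: print the softtoken library name found in a
# "cryptoadm list -p" listing (passed as one string), preferring the "extra"
# build when both appear; print nothing and fail if neither is present.
softtoken_library() {
    listing="$1"
    if printf '%s\n' "$listing" | grep -q 'pkcs11_softtoken_extra\.so'; then
        echo pkcs11_softtoken_extra.so
    elif printf '%s\n' "$listing" | grep -q 'pkcs11_softtoken\.so'; then
        echo pkcs11_softtoken.so
    else
        return 1
    fi
}

# disable_command LISTING: print the exact cryptoadm line for the detected
# library. $ISA is emitted escaped so that cryptoadm, not the shell, expands it.
disable_command() {
    lib=$(softtoken_library "$1") || return 1
    printf 'cryptoadm disable provider=/usr/lib/security/\\$ISA/%s mechanism=%s\n' "$lib" "$SSL3_MECHS"
}

# Constructed sample of "cryptoadm list -p" output for a system that has
# pkcs11_softtoken.so installed (the exact wording is assumed).
SAMPLE_LISTING='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.'

# On a real system replace the constructed listing with: disable_command "$(cryptoadm list -p)"
disable_command "$SAMPLE_LISTING"
```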


To Generate a Server Certificate

1. Restart the Sun ONE Web Server 6.1 Administration Server by typing the following commands. The response provides the URL for connecting to your servers.


% /opt/SUNWwbsvr/https-admserv/stop
% /opt/SUNWwbsvr/https-admserv/start

2. Start the Administration GUI by opening up a web browser and typing:


http://hostname.domain:admin-port

In the authentication dialog box enter the Sun ONE Web Server 6.1 Administration Server user name and password you selected while running setup.



Note - If you used the default settings during Sun ONE Web Server setup, enter admin for the user ID or the Sun ONE Web Server 6.1 Administration Server user name.



3. Click OK.

The Sun ONE Web Server 6.1 Administration Server window is displayed.

4. To request the server certificate, select the Servers tab near the top of Sun ONE Web Server 6.1 Administration Server window. Then select a server from the drop-down menu and click the Manage button.

The Sun ONE Web Server 6.1 Server Manager window is displayed.

5. Select the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window. Then click the Request a Certificate link on the left panel.


FIGURE 3-1 Sun ONE Web Server 6.1 Administration Server Request a Server Certificate Dialog Box Using Sun Metaslot

6. Fill out the form to generate a certificate request, using the following information:

a. Select a New Certificate.

If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.

b. Select the Cryptographic Module you want to use.

Each slot has its own entry in this pull-down menu. For this example, the Sun Metaslot is chosen.

c. In the Key Pair File Password dialog box, provide the password for the user that will own the key.

This password is the one you used to configure the Sun Metaslot.

d. Type the appropriate information for the requestor information fields in TABLE 3-1.


TABLE 3-1 Requestor Information Fields

Field                  Description
Requestor Name         Contact information for the requestor
Telephone Number       Contact information for the requestor
Common Name            Web site domain that is typed in a visitor's browser
Email Address          Contact information for the requestor
Organization           Company name
Organizational Unit    (Optional) Department of the company
Locality               (Optional) City, county, principality, or country
State                  (Optional) Full name of the state
Country                Two-letter ISO code for the country (for example, the United States is US)


e. Click OK to submit the information.

7. Use a certificate authority to generate the certificate.

8. Once the certificate is generated, copy it, along with the headers, to the clipboard.



Note - The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 4 of To Install the Server Certificate.




To Install the Server Certificate

1. Click the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window.

2. Select the Install Certificate link on the left side of the Sun ONE Web Server 6.1 Administration Server window.

Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.


FIGURE 3-2 Sun ONE Web Server 6.1 Administration Server Install a Server Certificate Dialog Box Using Sun Metaslot

3. Fill out the form to install your certificate:


TABLE 3-2 Fields for the Certificate to Install

Field                   Description
Certificate For         This server
Cryptographic Module    Each slot has its own entry in this pull-down menu. Ensure that you select the correct slot name. For this example, use Sun Metaslot.
Key Pair File Password  This password is the one you used to configure the Sun Metaslot.
Certificate Name        In most cases, you can leave this blank. If you provide a name, it alters the name the web server uses to access the certificate and key when running with SSL support. The default for this field is Server-Cert.


4. Paste the certificate you copied from the certificate authority (in Step 8 of To Generate a Server Certificate) into the Message text box.

You are shown some basic information about the certificate.

5. Click OK.

6. If everything looks correct, click the Add Server Certificate button.

On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.

You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.

Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.

7. Use the following command to recursively change ownership of the .sunw directory to the System user:


% chown -R webservd:webservd .sunw

Even though this command was executed previously, it needs to be executed again. This step is necessary because the Administration Server user has ownership of the newly imported certificate, and the System user requires ownership.


To Enable the Web Server for SSL

1. Select the Servers tab and make sure the Manage Servers link on the left is selected. Choose a server in the "Select a Server" list and click on the Manage button.

2. Select the Preferences tab near the top of the page.

3. Select the Edit Listen Sockets link on the left panel.

The main panel lists all the listen sockets set for the web server instance.

a. Click the link under Listen Socket ID for the listen socket you wish to configure.

b. Alter the following fields:

c. Click OK to apply these changes.

You are returned to the list of listen sockets. Make sure that security is enabled.

4. Click the same listen socket again.

5. Enter the password you used for configuring the Sun Metaslot to authenticate to the keystore on the system.

6. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.

A dialog box is displayed for changing the cipher settings. You can select either Cipher Default settings, SSL2, or SSL3/TLS. If you select the Cipher Default, you are not shown the default settings. The other two choices require you to select the algorithms you want to enable in a pop-up dialog box. Refer to your Sun ONE documentation on cipher selection.

7. Select the certificate for the keystore Sun Metaslot: Server-Cert (or the name you chose).

8. When you have chosen a certificate and confirmed all the security settings, click OK.

9. Select the Apply link in the far upper right corner to apply these changes before you start your server.

10. Select the Load Configuration Files link to apply the changes.

You are redirected to a page that allows you to start your web server instance.

If you click the Apply Changes button when the server is off, an authentication dialog box prompts you for the password you used for configuring the Sun Metaslot. This window is not resizable, and you might have a problem submitting the change.

There are two workarounds for this problem:

11. In the Sun ONE Web Server 6.1 Administration Server window, select the On/Off link on the left side of the window.

12. Enter the passwords for the servers and click Server On.

You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.

At the Module keystore-name prompt, enter the password you used for configuring the Sun Metaslot.

Enter the password you entered for configuring other keystores as prompted.

13. Verify the new SSL-enabled web server at the following URL:

https://hostname.domain:server-port/



Note - The default server-port is 443.



Configuring Sun ONE Web Servers to Start Up Without User Interaction on Reboot

You can enable the Sun ONE Web Servers to perform an unattended startup at reboot with an encrypted key.


To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot

1. Navigate to the config subdirectory for your Sun ONE Web Server instance, for example, /opt/SUNWwbsvr/https-webserver-instance-name/config.

2. Create a password.conf file with only the following lines:


internal:trust-db-password
token-label:password

3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:


# chown web-server-UNIX-user-ID password.conf
# chmod 400 password.conf
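As an added example, not from the Sun manual: a POSIX shell script that writes password.conf under a restrictive umask and then checks the ownership, mode and line format that Steps 2 and 3 require, so a mistake is caught before the server depends on the file at reboot. The token label Sun Metaslot is the one used in this chapter; the file path, the owner name and the passwords are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the Sun manual): create password.conf for unattended
# startup and verify the ownership and mode this chapter requires.

# write_password_conf FILE TRUSTDB_PW LABEL TOKEN_PW: write the two lines the
# chapter specifies under a 077 umask, so the file is never readable by others,
# not even briefly, then lock it to mode 400. Afterwards run, as root,
# "chown <web-server-UNIX-user-ID> FILE" (for example webservd).
write_password_conf() {
    file="$1"
    ( umask 077 && printf 'internal:%s\n%s:%s\n' "$2" "$3" "$4" > "$file" ) || return 1
    chmod 400 "$file"
}

# check_password_conf FILE USER: succeed only when FILE is owned by USER, is
# mode 400 and contains nothing but non-empty "label:password" lines, the
# first of them being the mandatory "internal:" trust database entry.
check_password_conf() {
    file="$1"; want_owner="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # ls -ld is used instead of stat because its columns are the same on
    # Solaris, Linux and BSD; only the first ten mode characters are compared
    # so an ACL or SELinux marker after them does not matter.
    set -- $(ls -ld "$file")
    mode=$(printf '%s' "$1" | cut -c1-10); owner="$3"
    [ "$mode" = "-r--------" ] || { echo "$file: mode $mode, want -r--------" >&2; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$file: owner $owner, want $want_owner" >&2; return 1; }
    sed -n 1p "$file" | grep -q '^internal:.' || { echo "$file: first line must be internal:<trust-db-password>" >&2; return 1; }
    # grep -v succeeds if any line fails the label:password shape.
    if grep -vq '^[^:][^:]*:.' "$file"; then
        echo "$file: a line is not of the form label:password" >&2; return 1
    fi
    return 0
}
```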