Chapter 4

Enabling Apache Web Servers

This chapter explains how to configure and enable the Sun Crypto Accelerator 1000 board for use with Apache Web Servers. This chapter includes the following sections:


Creating a Private Key and Certificate

The following procedure describes how to create the private key and certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 1000 board. If you already have a private key and certificate, go to Enabling Apache Web Servers.


To Create a Private Key and Certificate

1. Generate an RSA private key in Privacy-Enhanced Mail (PEM) format.


% /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache/ssl.key/server.key 1024

2. Create your PEM passphrase.

This passphrase protects the key material. Be sure to select a strong passphrase, but one that you can remember. If you forget the passphrase, you will be unable to access your keys.


Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:




Caution - You must remember the passphrase you enter. Without the passphrase, you cannot access your keys. There is no way to retrieve a lost passphrase.



3. Generate the certificate request.


% /usr/sfw/bin/openssl req -new -key /etc/apache/ssl.key/server.key -out /etc/apache/ssl.csr/certreq.csr

4. Create a certificate request using the keys you just created.

You must first enter the passphrase to access your keys. Then provide the appropriate information for the following fields:

The following is an example of how the certificate fields are entered:


Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:Fictional Company, Inc.
Organizational Unit Name (eg, section) []:Online Sales Division
Common Name (eg, YOUR name) []:www.fictional-company.com
Email Address []:admin@fictional-company.com

Please enter the following `extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:Fictional Company, Inc.

5. Hand off the certreq.csr file to your certificate authority.

6. Once the certificate is signed by the certificate authority, go to the next section to set up the Apache Web Server.


Enabling Apache Web Servers

Apache Web Server and mod_ssl are provided with the Solaris 10 Operating System. The following instructions are for these specific releases of Apache Web Server. Refer to the Apache Web Server documentation for more information.


To Enable the Apache Web Server

1. Create an httpd configuration file.

For Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:


% cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf

2. Replace ServerName with your server name in the httpd.conf file.

3. Save the issued key as /etc/apache/ssl.key/.

4. Save the issued certificate as /etc/apache/ssl.crt/server.crt.



Note - When generating the key and copying the certificate, any cert or key with the same filename is overwritten. Other names can be chosen; the names in this example are the defaults. If other names are chosen, the administrator must change the SSLCertificateFile and SSLCertificateKeyFile directives in httpd.conf to point to the new filenames.



5. Start the Apache Web Server.

This example assumes the Apache binary directory is /usr/apache/bin; if this is not the Apache binary directory, type in the correct directory.


% /usr/apache/bin/apachectl startssl

6. Enter your PEM passphrase if prompted for it.

7. Verify the SSL-enabled web server with a browser pointing to the following URL:


https://ServerName:ServerPort/



Note - The default port is 443.



8. Verify that the Sun Crypto Accelerator 1000 board is being used.


% kstat -n dca0

Verify that the rsaprivate field is being incremented in the statistics.
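An added example, not part of the Sun documentation: a POSIX shell script that turns step 8 into a repeatable check by comparing the rsaprivate counter from kstat -n dca0 before and after a single TLS connection. The live check assumes kstat and /usr/sfw/bin/openssl are present on the Solaris host; the embedded snapshots are constructed sample output, not captured from a real board.

```shell
#!/bin/sh
# Added example (not Sun's code): confirm the dca0 rsaprivate counter
# advances across one TLS handshake. The sample snapshots below are
# constructed to mirror "kstat -n dca0" output; a real board may list
# further statistics.

# Print the value of one statistic from kstat-style output on stdin.
# Exits 1 if the field is absent.
kstat_field() {
    awk -v f="$1" '$1 == f { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Print how much rsaprivate grew between two snapshots ($1 before, $2 after).
rsaprivate_delta() {
    before=$(printf '%s\n' "$1" | kstat_field rsaprivate) || return 2
    after=$(printf '%s\n' "$2" | kstat_field rsaprivate) || return 2
    echo $((after - before))
}

# Live check on the Solaris host: snapshot, open one TLS connection to the
# server, snapshot again. Assumes kstat and /usr/sfw/bin/openssl exist.
check_board_used() {
    host=${1:-localhost}; port=${2:-443}
    snap1=$(kstat -n dca0) || return 2
    printf 'Q\n' | /usr/sfw/bin/openssl s_client -connect "$host:$port" >/dev/null 2>&1
    snap2=$(kstat -n dca0) || return 2
    d=$(rsaprivate_delta "$snap1" "$snap2") || return 2
    if [ "$d" -gt 0 ]; then
        echo "rsaprivate advanced by $d: the board performed the private-key operation"
        return 0
    fi
    echo "rsaprivate unchanged: the board is not handling Apache's private-key operations"
    return 1
}

# Constructed sample snapshots standing in for two real kstat runs.
SAMPLE_BEFORE='module: dca                             instance: 0
name:   dca0                            class:    misc
        rsaprivate                      1200
        rsapublic                       40'
SAMPLE_AFTER='module: dca                             instance: 0
name:   dca0                            class:    misc
        rsaprivate                      1201
        rsapublic                       41'

# Stand-alone run: report the delta between the two constructed snapshots.
echo "sample delta: $(rsaprivate_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

On the real host, call check_board_used with the server name and port from step 7; a zero delta after a successful handshake means the SSLCertificateKeyFile in use is not being served through the board.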