Sun Java System Web Proxy Server 4.0.1 �z��n |
�� 5 ��
�ϥξ��ҩM�K�_�����y�z�F�p��ϥξ��ҩM�K�_�{�ҨӫO�@ Sun Java System Web Proxy Server ���w���CProxy Server ���X�F�Ҧ� Sun Java System ��A�����w���[�c�A�ëإߦb�~�ɼзǩM���@��w����¦���W�A�㦳�̤j�����q�ʩM�@�P�ʡC
�������]�z�w����}�K�_�[�K�����!A�]�A�[�K�P�ѱK�B���}�K�_�P�p�K�K�_�B�Ʀ���ҩM�[�K��w�C�p�ݧ�h��T�A�аѾ\�uIntroduction to SSL�v�C
�����]�t�U�C�p�`�G
�����Ҫ��{���{�ҬO�T�{����{�ǡC�b������Ҥ��A�{�ҬO�@���t�@�誺�H���ѧO�C���ҬO�䴩�{�Ҫ��@�ؤ覡�C
���Ҥ��]�t��w�ӤH�B���q�Ψ�L����W�٪��Ʀ��ơA���ҩ���Ҥ��]�t�����}�K�_�ݩ���C
�Τ�ݩM��A�����i�H�֦����ҡC��A���{�ҫ�Τ�ݹ��A�����H���ѧO (�Y�ﰲ�]�t�d�S�w����}�W����A������´�i���ѧO)�C�Τ�ݻ{�ҫ��A����Τ�ݪ��H���ѧO (�Y�ﰲ�]�ϥΥΤ�ݳn�骺�ϥΪ̶i���ѧO)�C�Τ�ݥi�H�֦��h�Ӿ��ҡA�N�p�P�H�i�H���ƭӤ��P������@�ˡC
���ҥѾ��ұ��v��� (CA) �ֵo�öi��Ʀ�ñ�W�CCA �i�H�O�X����Ҫ����q�A�]�i�H�O�t�d�����q����~�������Υ�~�����ֵo���Ҫ�����C�z�i�H�M�w�N���ǥR�+H�� CA �������Ҩ�L�ϥΪ̨����c�C
���F���}�K�_�M���ҩ��ѧO������W�٥~�A�����٥]�A�L�d�aB�ֵo���Ҫ� CA ���W�٤Ψ�Ʀ�ñ�W�C
�p�ݦ�����Ҥ��e�M�榡����h��T�A�аѾ\�uIntroduction to SSL�v�C
�p�ݦ���䴩�������X�R��쪺��h��T�A�аѾ\�uAll About Certificate Extensions�v�C
�إߥi�H���Ʈw�ӽЦ�A�����Ҥ��e�A�����إߤ@�ӥi�H���Ʈw�C�b Proxy Server ���AAdministration Server �M�C�Ӧ�A����ҳ��i�H�֦��ۤv���i�H���Ʈw�C�i�H���Ʈw�u��b����q���W�إߡC
�إߥi�H���Ʈw�ɡA�ݭn��w�Ω�K�_���ɮת��K�X�C��ݭn���K�X�ӱҰʨϥΥ[�K�q�T����A���C�p�ݦ����ܱK�X���`�N�ƶ��M��A�аѾ\��ܼW�j���K�X�C
�b�i�H���Ʈw���A�i�H�إߩM�x�s���}�K�_�M�p�K�K�_ (�٬��K�_���ɮ�)�C�K�_���ɮץΩ� SSL �[�K�C�ӽЩM�w�˦�A�����ҮɱN�|�Ψ�K�_���ɮסC�w�˾��Ҥ���A���|�x�s�b�i�H���Ʈw���C
�K�_���ɮץH�[�K���Φ��x�s�b�H�U�ؿ�G
server_root/alias/proxy-serverid-key3.db
Administration Server �u��@�ӥi�H���Ʈw�C�C�Ӧ�A����ҳ��i�H�֦��ۤv���i�H���Ʈw�C
�إߥi�H���Ʈw
�ϥ� password.conf
�̹w�]�AProxy Server �|�b�Ұʫe���ܺz��ѱK�_��Ʈw�K�X�C�Y�n���s�ҰʵL�H�ݺު��A�� Proxy Server�A�����N�K�X�x�s�b password.conf �ɮפ��C�u���b�t�Ψ��R��O�@�ɤ~��o�˰��A�H�K���|���ɮשM�K�_��Ʈw�C
�q�`�A����H /etc/rc.local �� /etc/inittab �ɮױҰʤw�ҥ� SSL �� UNIX ��A���A�]����A���b�Ұʤ��e�|�n�D��J�K�X�C���ޥi�H�N�K�X�H�¤�r�榡�x�s�b�Y���ɮפ��Ӧ۰ʱҰʤw�ҥ� SSL ����A���A���ij���n�γo�ؤ�k�C��A���� password.conf �ɮ�3���W�ŨϥΪ̩Φw�˦�A�����ϥΪ̩Ҿ֦��A�u���֦��̤~�㦳���ɮת�Ū��M�g�J�v�C
�b UNIX �W�A�N�ҥΤF SSL ����A�����K�X�O�d�b password.conf �ɮפ��|�a�ӫܤj���w���ʭ��I�C�i�H�s���ɮת����ϥΪ̧��i�s��w�ҥ� SSL ����A�����K�X�C�N�ҥΤF SSL ����A�����K�X�O�d�b password.conf �ɮפ����e�A�ЦҶq�i��a�Ӫ��w���ʭ��I�C
�b Windows �W�A�p�G�ĥ� NTFS �ɮרt�ΡA�h3�ӹ�]�t password.conf �ɮת��ؿ�s���v���[�H���w (�Y�Ϥ��ϥΦ��ɮ�)�A�ӫO�@���ؿ�CAdministration Server �ϥΪ̩M Proxy Server �ϥΪ�3�Ө㦳���ؿ�Ū��M�g�J�v���C�O�@���ؿ�i�H�����L�ϥΪ̫إ߰��� password.conf �ɮסC�b FAT �ɮרt�ΤW�A�L�k�H���w�s���k�ӫO�@�ؿ���ɮסC
�۰ʱҰʤw�ҥ� SSL ����A��
�Y�ϫإߤF password.conf �ɮסA�b�Ұ� Proxy Server �ɨt�Τ]�`�|���ܱz���ѱK�X�C
�ӽЩM�w�� VeriSign ����
VeriSign �O Proxy Server ��������ұ��v���C���q���N²�ƤF���ҥӽе{�ǡCVeriSign ���u�զb������N���ҶǦ^��A���C
����A���إߥi�H����Ҹ�Ʈw��A�i�H�ӽФ@�Ӿ��ҨñN�䴣�浹 CA (���ұ��v���)�C�p�G���q���ۤv������ CA�A�i�H�V������ӽо��ҡC�p�G�p���q�ӷ~ CA �B�ʶR���ҡA�п�ܤ@�� CA �ø߰ݨ�һݸ�T���榡�C
Administration Server �u��@�Ӧ�A�����ҡC�C�Ӧ�A����ҳ��i�H�֦��ۤv����A�����ҡC
���`�]�t�H�U�D�D�G
�ӽ� VeriSign ����
�w�� VeriSign ����
�ӽЩM�w�˨�L��A������
���F VeriSign�A�z��i�q��L���ұ��v���ӽЩM�w�˾��ҡC�Q���q�β�´�i��|���Ѧۤv���������ҡC���`�y�z�p��ӽЩM�w�˨�L��������A�����ҡC
���`�]�t�H�U�D�D�G
CA �һݪ���T
�}�l�ӽе{�ǫe�A�ȥ��T���z�� CA �n�D���Ǹ�T�C�U CA �ҭn�D����T�榡�����Ҥ��P�A��j�P�Ө� CA �i��n�D�z���ѤU�C��T�C�Ъ`�N�A�o�Ǹ�T�����j���&b���ҧ�s�ɳq�`���O���ݭn���C
- Requestor name�C���ҽШD�̪��W�١C
- Telephone number�C�ШD�̪��q�ܸ��X�C
- Common name�CDNS �d�䤤�ϥΪ�����X�檺�D��W�� (�Ҧp www.example.com)�C
- Email address�C�z�P CA �����q�H�ɨϥΪ��~�ȹq�l�l���}�C
- Organization�C�z���q�B�Ш|��c�β�´���������k�w�W�١C�h�� CA �|�n�D���Ѫk�ߤ�� (�Ҧp�ӷ~�P�Ӫ��ƥ�) ���ҩ��T�C
- Organizational unit�C���q������´�椸���y�z�C
- Locality�C��´�Ҧb�����B����ΰ�a/�a�Ϫ�����C
- State or Province�C��~�Ҧb���{�ά١C
- Country�C��a/�a�ϦW�٪���r���Y�g (�H ISO �榡)�C�Ҧp�A��ꪺ��a/�a�ϥN�X�� US�C
�Ҧ���T���X���@�t�C�٬���O�W�� (DN) ���ݩʭȹ�A�i���Ѿ��ҥD��C
�p�G�q�ӷ~ CA �B�ʶR���ҡA�h�����b CA �ֵo���Ҥ��e�P���s���A�H�A�ѥL�̩һݪ���L��T�C�h�� CA ���n�D�z���Ѩ����ҩ�C�Ҧp�ACA �ݭn���ұz�����q�W�٩M���q���v�t�d�z��A�����ϥΪ̡A�åB�i��|�߰ݱz�O�_�㦳�ϥΩҴ��Ѹ�T���X�k�v���C
�b�Y�ǰӷ~ CA�A��´�έӤH���Ѫ������ҩ�V�R�!A�Ҵ��Ѫ����ҴN�V�ԲӡB�V�ǽT�C�Ҧp�A�z�i�H�ʶR�@�i���ҡA�n�� CA �������ҤF�z�O www.example.com �q�����X�k�z��A�ӥB���ҤF�z�����q�w�q�ƤT�~���ӷ~���ʥB�L���j�Ȥ�D�^�ץ�C
�ӽШ�L��A������
- �s�� Administration Server �� Server Manager�A�M���@�U [Security] ���ҡC
- ��@�U [Request Certificate] �s���C
- ��w�O�ӽзs�����٬O���ҧ�s�C�\�h���Ҧb�@�q�ɶ� (�Ҧp���Ӥ�Τ@�~) ��|�L�aC�Y�� CA �|�۰ʵ��z�ǰe�@�ӧ�s�����ҡC
- ��w������ҥӽЪ��覡�G
- �q [Cryptographic Module] �U�Ԧ��M�椤�A���ӽо��ҮɱK�_���ɮn�ϥΪ��[�K�ҲաC
- ��J�K�_���ɮת��K�X�C���D�z���F�����ҲեH�~���[�K�ҲաA�_�h���K�X�Y���z�b�إߥi�H���Ʈw�ɩҫ�w���K�X�C��A���N�ϥΦ��K�X��o�p�K�K�_�ù�ǰe�� CA ���T���i��[�K�C�M��A��A���N�z�����}�K�_�Υ[�K���T���ǰe�� CA�CCA �|�ϥΤ��}�K�_�ӸѱK�z���T���C
- ��J�z���ѧO��T�A�p�m�W�ιq�ܸ��X�C����T���榡�] CA �Ӳ��C�Ъ`�N�A�o�Ǹ�T�����j���&b���ҧ�s�ɳq�`���O���ݭn���C
- �J���ˬd�o�Ǥ��e�H�T�w��ǽT�ʡA�M���@�U [OK]�C��T�V�ǽT�A��Ǿ��Ҫ��t�ץi��N�V�֡C�p�G�N�ӽаe�ܾ��Ҧ�A���A�t�η|�b����ӽФ��e���ܱz���Ҫ���T�C
��A���|���ͥ]�t�z����T�����ҥӽСC�ӽХ]�t�H�p�K�K�_�إߪ��Ʀ�ñ�W�CCA �ϥμƦ�ñ�W�����ҥӽЦb�q��A���q���V CA ��Ѫ��L�{�����D��«��C�u���b���ּƱ��p�U�ӽФ~�|�D��«��A�o�ɡACA �q�`�|�H�q�ܧΦ��P�z�s���C
�p�G��ܥH�q�l�l��ǰe�ӽСA��A���N�s�g���t�ӽЪ��q�l�l��T���ñN��ǰe�� CA�C�q�`�A���ҷ|�z�L�q�l�l��Ǧ^�C�p�G�z��w�F���Ҧ�A���� URL�A�z����A���|�ϥΦ� URL �V���Ҧ�A������ӽСC�� CA �өw�A�z�i��|����q�l�l��Ψ�L�覡���^�СC
�p�G CA �P�N�V�z�ֵo���ҡA�K�|�q���z�C�h�Ʊ��p�U�ACA �|�ϥιq�l�l��V�z�ǰe���ҡC�p�G�z����´���b�ϥξ��Ҧ�A���A�h�]�\�i�H�ϥξ��Ҧ�A�������j�M���ҡC
�Ƶ�
�ëD�C�ӱq�ӷ~ CA �B�ӽо��Ҫ��ϥΪ̳��|��o���ҡC�\�h CA �b�ֵo���Ҥ��e���n�D�z���Ѩ����ҩ�C�ӥB�A�n��o���i��n��O�@�Ѩ�X�g���ɶ��C�z���d��ήɦV CA ���ѩҦ����n����T�C
������ҫ�Y�i�i��w�ˡC�b���v��A�z���M�i�H�ϥΥ��ҥ� SSL �� Proxy Server�C
�w�˨�L��A������
��z���� CA �ֵo�����ҮɡA���O�H�z�����}�K�_�[�K�L���A�o�˥u���z�~�ऩ�H�ѱK�C�Y�n�ѱK�M�w�˾��ҡA������J���T���i�H���Ʈw�K�X�C
���Ҧ��T�������G
������O�ѦU�Ӿ��ұ��v���̦�ñ�p���@�t�C���h�����ҡCCA ���Ҩ㦳���ұ��v��� (CA) �����ѡA�Ω�ñ�p�����v���ֵo�����ҡC�� CA �� CA ���Ҷi�ӤS�iñ�p CA ���ҡA�p�����!A����� CA�C
�Ƶ�
�p�G CA ���۰ʱN����Ҷǰe���z�A�z3�o�X���ШD�C�\�h CA �|�b�q�l�l�P�ɪ��[�L�̪����ҩM�z�����ҡA�z����A���N�P�ɦw�˳o��Ӿ��ҡC
��z���� CA �ֵo�����ҮɡA���O�H�z�����}�K�_�[�K�L���A�o�˥u���z�~�ऩ�H�ѱK�C�w�˾��ҮɡAProxy Server �|�ϥαz��w���K�_���ɮױK�X�N��ѱK�C�p�U�ҭz�A�z�i�H�N�q�l�l���x�s�b��A���i�H�s���m�A�Ϊ̤]�i�H�ƻs�q�l�l��r�÷dzƱN��K�� [Install Certificate] ��椤�C
�w�˨�L��A������
- �s�� Administration Server �� Server Manager�A�M���@�U [Security] ���ҡC
- ��@�U [Install Certificate] �s���C
- �b [Certificate For] �ǡA���n�w�˪����������G
- �q�U�Ԧ��M�椤���[�K�ҲաC
- ��J�K�_���ɮױK�X�C
- ��J���ҦW�� (�ȭ��b�B�J 3 �����F [Server Certificate Chain] �� [Certification Authority] �����p�U)�C
- ���H�U�@���@�~�Ӵ��Ѿ��Ҹ�T�G
- ��@�U [OK]�C
- ���H�U��@�ﶵ�G
���ұN�x�s�b��A�������Ҹ�Ʈw���C�Ҧp�G
server_root/alias/proxy-serverid-cert8.db
�E������
�N���ұq Sun ONE Web Proxy Server 3.6 (��٬� iPlanet Web Proxy Server) �E���� Sun Java System Web Proxy Server 4 �ɡA�N�۰ʧ�s�ɮ� (�]�A�i�H����Ҹ�Ʈw)�C
�T�{ Proxy Server 4 Administration Server ���¦��� 3.x ��Ʈw�ɮצ�Ū���v�C�o���ɮO��� 3.x_server_root/alias �ؿ� alias-cert.db �M alias-key.db�C
�u���b��A���ҥΤF�w���ʮɡA�~��E���K�_���ɮשM���ҡC�z��i�ϥ� Administration Server �M Server Manager �� [Security] ���ҤU�� [Migrate 3.x Certificates] �ﶵ����K�_�ξ��Ҧۦ�E���C�p�ݦ���S�w�]�w����h��T�A�аѾ\�u�W����C
�b��e�������A�ѷӾ��ҩM�K�_���ɮ�3�ĥΥi�Ѧh�Ӧ�A����ҨϥΪ��O�W�CAdministration Server �z�ۥ������O�W�Ψ�e�U���ҡC�Ӧb Sun Java System Web Proxy Server 4 ���AAdministration Server �M�C�Ӧ�A����ҳ����ۤv�����ҩM�K�_���ɮסA�٬��i�H���Ʈw�A�ӫD�O�W�C
��� Administration Server �����A�i�H���Ʈw�Ψ�e�U���ҥ� Administration Server �z�A�ӹ���A����ҫh�� Server Manager �z�C�{�b�A���ҩM�K�_���Ʈw�ɮר̾ڨϥΥ��̪���A����ҩR�W�C�b��e�������A�p�G�h�Ӧ�A����Ҧ@�ΦP�@�ӧO�W�A�E���ɷ|���s��A����ҭ��s�R�W���ҩM�K�_���ɮסC
�N�E���P��A��������p����ӥi�H���Ʈw�C��e��Ʈw���C�X���Ҧ� CA ���N�Q�E���� Proxy Server 4 ��Ʈw�C�p�G�X�{���ƪ� CA�A�h�ϥΥH�e�� CA�A���쥦�L�aC�ФŹxէR�����ƪ� CA�C
Proxy Server 3.x ���ҷ|�Q�E�����䴩�� Network Security Services (NSS) �榡�C���Ҫ��R�W�Y�ھڦs����ҮɩҥΪ� Proxy Server ���� (�]�N�O [Administration Server Security] ���ҩ� [Server Manager Security] ����)�C
�E������
�ϥΤ��خھ��ҼҲ�
Proxy Server �H�����i�ʺA��J���ھ��ҼҲե]�A�\�h CA (�䤤�]�A VeriSign) ���ھ��ҡC�ϥήھ��ҼҲեi�H��e��a�N�ھ��ҤɯŨ�������C�H�e�A�z�ݭn�v�ӧR���ª��ھ��ҡA�M��A�v�Ӧw�˷s���ھ��ҡC�{�b�Y�n�w�˱`�Ϊ� CA ���ҡA�u�ݱN�ھ��ҼҲ��ɮק�s��������A�ϥ���b�H�᪩���� Proxy Server ���ϥΡC
�]���ھ��ҬO���� PKCS #11 �[�K�Ҳչ�@���A�ҥH������R���Ҳե]�t���ھ��ҡA�b�z�o�Ǿ��Үɤ]���|���ѧR�����Ҫ��ﶵ�C�Y�n�q��A����Ҥ������ھ��ҡA�i�H�z�L�R����A�� alias �ɮפ����H�U���e�Ӱ��ήھ��ҼҲաG
�p�G���n�_��ھ��ҼҲաA�i�H�q server_root/bin/proxy/lib (UNIX) �� server_root\bin\proxy\bin (Windows) �N���X�i���=ƻs�^ alias �l�ؿ�C
�i�H�ק�ھ��Ҫ��H���T�C�H���T�N�g�J�ҽs�誺��A����Ҫ����Ҹ�Ʈw���A�Өä���^�ܮھ��ҼҲե����C
�z�����z�i�H�˵�B�R���νs��w�˦b��A���W���U�ؾ��Ҫ��H��]�w�C�䤤�]�A�z�ۤv�����ҩM�Ӧ� CA �����ҡC
�z����
���Ҹ�T���]�A�֦��̩M�ֵo�̡C�H��]�w���\�z�]�w�Τ�ݫH��Ψ��]�w��A���H��C��� LDAP ��A�����ҡA��A�������O�i�H��C
�w�˩M�z CRL �M CKL
���ҺM�P�M�� (CRL) �M���|�K�_�M�� (CKL) ���M���a�C�X�Τ�ݩΦ�A���ϥΪ̤�3�A�H��Ҧ����ҩM�K�_�C�p�G���Ҥ�����Ƶo���ܧ� (�Ҧp�A�Y��ϥΪ̦b���ҹL�d��e�ܧ�F�줽�ǩ���}�F��´)�A�h���ұN�Q�M�P�A���ƱN��ܦb CRL ���C�p�G�K�_�Q«��γQ���|�A�h���K�_�Ψ��ƱN��ܦb CKL ���CCRL �M CKL ���� CA ���ͨéw�g�s�C�P�z���S�w CA �s���i��o�o�DzM��C
���`�]�t�H�U�D�D�G
�w�� CRL �� CKL
- �q CA ��o CRL �� CKL�A�M��N���U��ܥ���ؿ�C
- �s�� Administration Server �� Server Manager�A�M���@�U [Security] ���ҡC
- ��@�U [Install CRL/CKL] �s���C
- ���H�U��@�ﶵ�G
- ��J���p�ɮת������|�W�١A�M���@�U [OK]�C�N��� [Add Certificate Revocation List] �� [Add Compromised Key List] �����A�䤤�C�X CRL �� CKL ��T�C�p�G��Ʈw���w�s�b CRL �� CKL�A�h�N��� [Replace Certificate Revocation List] �� [Replace Compromised Key List] �����C
- �W�[�δ%N CRL �� CKL�C
�z CRL �M CKL
- �s�� Administration Server �� Server Manager�A�M���@�U [Security] ���ҡC
- ��@�U [Manage CRL/CKL] �s���C�N��� [Manage Certificate Revocation Lists /Compromised Key Lists] �����A�䤤�C�X�Ҧ��w�w�˪� CRL �M CKL �Ψ�L�d�aC
- �q [Server CRLs] �� [Server CKLs] �M�椤�����ҡC
- ��� [Delete CRL] �� [Delete CKL] �R�� CRL �� CKL�A�άO��� [Quit] ��^�ܺz�����C
�]�w�w���ʳߦn�]�w
��o���ҫ�A�K�i�H�}�l�O�@��A�����w���C���`�N�y�z Sun Java System Web Proxy Server �Ҵ��Ѫ��\�h�w���ʤ��!C
�[�K�O�ܴ���T���L�{�A�g�L�o�@�L�{��T�ܬ��u���w�w����̤~��z�Ѫ����e�C�ѱK�]�O�ܴ��[�K��T���L�{�A�g�L�o�@�L�{��T���s�ܱo�i�H�z�ѡCProxy Server �䴩�w���q�T�ݼh (SSL) �M�ǿ�h�w���� (TLS) �[�K��w�C
�K�X�O�@�إΩ�[�K�θѱK���[�K�t��k (�@�ؼƾǨ��)�CSSL �M TLS ��w�]�t�j�q�K�X�աC�Y�DZK�X�|���L�K�X��j�j�B��w���C�@��Ө��A�K�X�ϥΪ��줸�V�h�A��ƸѱK�K�V��C
�b�����V�[�K�L�{���A��賣�����ϥάۦP���K�X�C�ѩ�i�ѨϥΪ��K�X���h�A�������A���ϥγ̱`�Ϊ��K�X�C
�b�w���s�u�L�{���A�Τ�ݩM��A���өw��賣�i�Ψӳq�T���̱j�K�X�C�z�i�H�q SSL 2.0�B SSL 3.0 �M TLS ��w��ܱK�X�C
�Ƶ�
SSL 2.0 �᪺�����w�b�w���ʤήį�W�i��F�ﵽ�C���D�Τ�ݵL�k�ϥ� SSL 3.0�A�_�h�ФŨϥ� SSL 2.0�C�Τ�ݾ��Ҥ��@�w�A�� SSL 2.0 �[�K�C
��a�[�K�{�Ǩä����H�O�@��A����K��T���w���C�����N�K�_�P�[�K�K�X�t�X�ϥΡA�~�ಣ�ͯu�����[�K�ĪG�A�θѱK��e�[�K����T�C�[�K�{�ǨϥΥH�U��رK�_�Ө�o�����G�G���}�K�_�M�p�K�K�_�C�ϥΤ��}�K�_�[�K����T�u��ϥ����p���p�K�K�_�i��ѱK�C���}�K�_�H���ҵo�G�C�u�����p���p�K�K�_���O�@�C
�p�ݦ���U�رK�X�ժ�����H�αK�_�M���Ҫ���h��T�A�аѾ\�uIntroduction to SSL�v�C
�Y�n��w��A���i�ϥΪ��K�X�A�бq Proxy Server �ϥΪ̤��������M��i����C���D�z�����ϥίS�w�K�X���R�2z�ѡA�_�h�z3������� (��M�z�i�ण�Ʊ�ҥΥ[�K�ĪG�ëD�̨Ϊ��K�X)�C
�`�N
�Фſ�� [Enable No Encryption, Only MD5 Authentication]�C�p�G�Τ�ݨS����L�i�Ϊ��K�X�A��A���|�̹w�]�ϥΦ��]�w�Ӥ��i��[�K�C
���`�]�t�H�U�D�D�G
SSL �M TLS ��w
Proxy Server �䴩�Ω�[�K�q�T�� SSL �P TLS ��w�CSSL �M TLS �W�ߩ�3�ε{���A�i�H�b��W�z��a�
SSL �M TLS ��w�䴩�U�إΩ��A���M�Τ�ݬۤ��{�ҡB�ǿ���ҩM�إ߶��q�@�~�K�_���K�X�C�Τ�ݩM��A���i�H�䴩�U�رK�X�թαK�X���A�o��M��U�ئ]�!A�Ҧp�Ҥ䴩����w�B���q����[�K�j�ת������H�άF����[�K�n�骺�X�f����C�b��L��Ƥ��ASSL �M TLS �洫��w�N�M�w��A���M�Τ�ݦp��өw�ΨӶi��q�T���K�X�աC
�ϥ� SSL �P LDAP �q�T
�z3�ӭn�D Administration Server �ϥ� SSL �P LDAP �i��q�T�C
�b Administration Server �W�ҥ� SSL
- �s�� Administration Server�A�M���@�U [Global Settings] ���ҡC
- ��@�U [Configure Directory Service] �s���C
- �b��ܪ���椤��@�U�ؿ�A�Ȫ��s���C�N��� [Configure Directory Service] �����C�Y�|���إ߰�� LDAP ���ؿ�A�ȡA�бq [Create New Service of Type] �U�Ԧ��M�椤��� [LDAP Server]�A�M���@�U [New] �Ӱt�m�ؿ�A�ȡC�p�ݧ�h����w���� LDAP ���ؿ�A�ȩ���ܪ��S�w��쪺��T�A�аѾ\�u�W����C
- ��� [Yes] �H�ϥ� SSL �i��s�u�A�M���@�U [Save Changes]�C
�g�L Proxy Server �إ� SSL �q�D
��z�H����V��� Proxy Server (�N�z��A��) �B�Τ�ݽШD�g�L�N�z��A���P�w����A���i�� SSL �s�u�ɡA�N�z��A���N�}�Ҥ@�s�V�w����A�����s�u�A�M��ƻs��V����ơA�Ӥ��z�Z�w���@�~�ƥ�C���{�Ǻ٬��إ� SSL �q�D�A�Ш��U�Ϫ�����C
�� 5-1 �ϥ� SSL �s�u�ɡAProxy Server �L�k�˵�ۤv�ǿ骺��ơC
�Y�n�N SSL �q�D�P HTTPS URL �t�X�ϥΡA�Τ�ݥ����䴩 SSL �P HTTPS�CHTTPS �O�z�L�N�@�� HTTP �P SSL �t�X�ϥι�@�Ӧ����C���䴩 HTTPS ���Τ�ݤ��i�ϥ� Proxy Server �� HTTPS �N�z�\��s�� HTTPS ���C
SSL �q�D�O�@�ؤ��|�v�T3�ε{���h�� (HTTPS) ���C���@�~�CSSL �q�D���w���ʬ۷��L�N�z�� SSL�C�s�b��䶡���N�z��A�����|�H���覡�묹�w���ʩέ��C SSL ���\��ʡC
���F SSL�A��Ƭy�N�Q�[�K�A�ϥN�z��A���L�k�s���ڪ��@�~�ƥ�C�]���A�s��O��K���|�C�X�q���ݦ�A�����������A�X�μ��Y��סC�p����i�קK�N�z��A���Υ���L�ĤT����ť�@�~�ƥ�C
�]���N�z��A������L�k�˵��ơA�]���Y�L�k���ҥΤ�ݻP���ݦ�A�������ҥ�y����w�O SSL�C�o�N��ۥN�z��A����L�k�����L��w�q�L�C�z3���w SSL �s�u�u�q���� Internet Assigned Numbers Authority (IANA) �ҫ�w���ۦW SSL �s����A��Y�s���� 443 (HTTPS) �γs���� 563 (SNEWS)�C�Y�����I�b��L�s����W���w����A���A�z�i��T�]�w�ҥ~���p�A�H���\�s�u��Y�ǥD��W����L�s����C�W�z�@�~�O�ϥ� connect://.* �귽�������C
��ڤW�ASSL �q�D�\��O�@�ؤ@�몺�B���� SOCKS ���\��A�P��w�L��A�]���z��i���L�A�ȨϥΦ��\��CProxy Server �i���䴩 SSL �����3�ε{���B�z SSL �q�D�A���ȭ��� HTTPS �P SNEWS ��w�C
�t�m SSL �q�D
�U�C�{�Ǵy�z�p��t�m Proxy Server �Өϥ� SSL �q�D�C
�t�m SSL �q�D
- �s��Y��A����Ҫ� Server Manager�A�M���@�U [Routing] ���ҡC
- ��@�U [Enable/Disable Proxying] �s���C
- �q�U�Ԧ��M���� connect://.*.443 �귽�Cconnect:// ��k�O�@�ؤ����N�z��A����ܪk�A���s�b��N�z��A���~�C�p�ݦ��� connect ����h��T�A�аѾ\ SSL �q�D���ԲӧN�ʸ�������U�C�y�z�C�Y�n���\�s�u���L�s����A�z�i�ϥνd�������� URL ���ˡC�p�ݦ���d������h��T�A�аѾ\�z�d���M�귽�C
- ��� [Enable Proxying Of This Resource]�A�M���@�U [OK]�C
SSL �q�D���ԲӧN�ʸ��
�N����Ө��ASSL �q�D�ϥ� CONNECT ��k�A�H�ؼХD��W�٤γs���X�����ѼơA�ᱵ�ťզ�G
CONNECT energy.example.com:443 HTTP/1.0
���۴N�O�Ӧ� Proxy Server �����\�^�СA�ᱵ�@�ťզ�G
HTTP/1.0 200 Connection established
Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0
�Τ�ݻP���ݦ�A�������s�u�H�Y�إߡA��ƥi��V�ǿ�A���ܥ�@����s�u����C
��ڤW�A���F�q�H URL ���ˬ���¦���зǰt�m����q�A�D��W�٩M�s���X (energy.example.com:443) �Q�۰ʹ�M�ܤ@ URL�A�p�G
connect://energy.example.com:443
connect:// �ȬO Proxy Server �ϥΪ��@�ؤ�����ܪk�A�ΥH�ϰt�m��²��A�B�P��L URL ���ˤ@�P�C�b Proxy Server �~�Aconnect URL �ä��s�b�A�Y Proxy Server �q������o�˪� URL�A�|�N����L�ġA�B�ڵ��惡�ШD���ѪA�ȡC
����ť�q�T�ݱҥΦw����
�z�i�H�z�L�H�U�覡�ӫO�@��A����ť�q�T�ݪ��w���G
�}�Ҧw����
�z������}�Ҧw���ʥ\��A�M��~�ର��ť�q�T�ݰt�m��L�w���ʳ]�w�C�z�i�H�b�إ߷s����ť�q�T�ݩνs��{����ť�q�T�ݮɶ}�Ҧw���ʡC
�Y�n�b�إ߰�ť�q�T�ݮɶ}�Ҧw����
�Y�n�b�s�谻ť�q�T�ݮɶ}�Ҧw����
����ť�q�T�ݿ���A������
�z�i�H�b Administration Server �� Server Manager ���N��ť�q�T�ݰt�m���ϥαz�w�ӽШæw�˪���A�����ҡC
�Y�n����ť�q�T�ݿ���A������
- �s�� Administration Server �� Server Manager�A�M���@�U [Preferences] ���ҡC
- ��@�U [Edit Listen Sockets] �s���C
- ��@�U�z�n�s�誺��ť�q�T�ݪ��s���C
- �Y�n�}�Ҧw���ʡA�бq [Security] �U�Ԧ��M�椤��� [Enabled]�A�M���@�U [OK]�C�Ъ`�N�A�p�G�|���w�˦�A�����ҡA�h�u���� [Disabled]�C
- ��� [Enabled] �ë�@�U [OK] ��A�бq��ť�q�T�ݪ� [Server Certificate Name] �U�Ԧ��M�椤����A�����ҡA�M��A��@�U [OK]�C
���K�X
�Y�n�O�@ Proxy Server ���w���A3�ӱҥ� SSL�C�z�i�H�ҥ� SSL 2.0�BSSL 3.0 �M TLS �[�K��w�ÿ��U�رK�X�աC�i�H�� Administration Server ����ť�q�T�ݱҥ� SSL �M TLS ��w�C�� Server Manager ����ť�q�T�ݱҥ� SSL �P TLS �۷�S�w��A����ҳ]�w�F�w���ʳߦn�]�w�C�����ܤ֦w�ˤ@�Ӿ��ҡC
�Ƶ�
�ﰻť�q�T�ݱҥ� SSL �ȾA�Ω�ϦV�N�z��A���*R�ť��C��Y�A�ȷ� Proxy Server �Q�t�m�����ϦV�N�z�ɡA�~��ﰻť�q�T�ݱҥ� SSL�C
�w�]�]�w���\�ϥγ̱`�Ϊ��K�X�C���D�z�����ϥίS�w�K�X�ժ��R�2z�ѡA�_�h�z3�������C�p�ݦ���S�w�K�X����h��T�A�аѾ\�uIntroduction to SSL�v�C
[TLS Rollback] ���w�]�Ϋ�ij�]�w�� [Enabled]�C�o�N��A���t�m������I�����^�_��;���xաC���F�P�Y�ǥ����T��@ TLS �W�檺�Τ�ݹ�{���q�ʡA�i��ݭn�N���ȳ]�w�� [Disabled]�C
�Ъ`�N�A���� TLS �^�_�N�ɭP�s�u��D��^�_��;�C�����^�_��;�O�@�ؾ��A�ĤT��i�H�z�L�o�ؾ��j��Τ�ݩM��A���ϥΦw���ʸ�C�����h�w (�Ҧp SSL 2.0) �i��q�T�C�ѩ� SSL 2.0 ��w���s�b���Ҷg�����ʳ��A�]���L�k����쪩���^�_��;�A�o�N�ϲĤT���e��I��M�ѱK�[�K���s�u�C
�ҥ� SSL �M TLS
- �s�� Administration Server �� Server Manager�A�M���@�U [Preferences] ���ҡC
- ��@�U [Edit Listen Sockets] �s���A�M��A��@�U�n�s�誺��ť�q�T�ݪ��s���C�w����ť�q�T�ݥi�ϥΪ��K�X�]�w�N��ܥX�ӡC
�Ƶ�
�p�G���ﰻť�q�T�ݱҥΦw���ʡA�h���|�C�X��� SSL �M TLS ��T�C�Y�n�ϥαK�X�A�аȥ�����ť�q�T�ݱҥΦw���ʡC�p�ݧ�h��T�A�аѾ\����ť�q�T�ݱҥΦw�����C
�b��A���W�ҥ� SSL ��A�� URL �N�ϥ� https�A�ӫD http�C��V�w�ҥ� SSL ����A���W��� URL �榡�p�U�G
https://servername.domain.dom:port
�Ҧp�Ahttps://admin.example.com:443�C
�p�G�ϥιw�]���w�� HTTP �s���� (443)�A�h�L���b URL ����J�s���X�C
����t�m�w����
�w�ˤw�ҥ� SSL ����A���ɡA�|�b magnus.conf �ɮ� (��A�����D�t�m�ɮ�) ��������w���ʰѼƫإ߫�O���ءC
�]�w SSL �t�m�ɮ�O����
- �w��Y��A����Ҧs�� Server Manager�C
- �ȥ����n�t�m����ť�q�T�ݱҥΦw���ʡC�p�ݧ�h��T�A�аѾ\����ť�q�T�ݱҥΦw�����C
- ��ʽs�� magnus.conf �ɮסA�M��w��U�C�]�w��J�ȡG
�o�� SSL �t�m�ɮ�O�p�U�ҭz�G�p�ݦ��� magnus.conf ����h��T�A�аѾ\�uProxy Server Configuration File Reference�v�C
SSLSessionTimeout
SSLSessionTimeout ��O�Ω� SSL 2.0 ���q�@�~���֨�C
�y�k
SSLSessionTimeout seconds
�䤤 seconds �O�֨� SSL ���q�@�~�O��Ī���ơC�w�]�Ȭ� 100�C�p�G��w�F SSLSessionTimeout ��O�A��ƪ��ȱN�۰ʭ��w�� 5 �� 100 �����C
SSLCacheEntries
��w�i�H�֨� SSL ���q�@�~���ƥءC
SSL3SessionTimeout
SSL3SessionTimeout ��O�Ω� SSL 3.0 �M TLS ���q�@�~���֨�C
�y�k
SSL3SessionTimeout seconds
�䤤 seconds �O�֨� SSL 3.0 ���q�@�~�O��Ī���ơC�w�]�Ȭ� 86400 �� (24 �p��)�C�p�G��w�F SSL3SessionTimeout ��O�A��ƪ��ȱN�۰ʭ��w�� 5 �� 86400 �����C
�ϥΥ~���[�K�Ҳ�
Proxy Server �䴩�H�U�ϥΥ~���[�K�Ҳ� (�p���z�d�ΰO������) ����k�G
�Ұ� FIPS-140 �[�K�зǤ��e�A�����W�[ PKCS #11 �ҲաC
���`�]�t�H�U�D�D�G
�w�� PKCS #11 �Ҳ�
Proxy Server �䴩���}�K�_�[�K�з� (PKCS) #11�A���зǩw�q�F�b SSL �M PKCS#11 �Ҳդ����q�T�ҨϥΪ������CPKCS #11 �ҲեΩ��{�P SSL �w��[�t�������зǪ��s���C�~���w��[�t�����פJ���ҩM�K�_�x�s�b secmod.db �ɮפ��A���ɮO�b�w�� PKCS #11 �Ҳծɲ��ͪ��C�ɮצ�� server_root/alias �ؿ�C
�ϥ� modutil �w�� PKCS #11 �Ҳ�
�i�H�ϥ� modutil �u��H .jar �ɮשΪ����ɮת��Φ��w�� PKCS #11 �ҲաC
�ϥ� modutil �w�� PKCS #11 �Ҳ�
- �T�w�w����Ҧ���A�� (�]�A Administration Server)�C
- �i�J�]�t��Ʈw�� server_root/alias �ؿ�C
- �N server_root/bin/proxy/admin/bin �W�[�� PATH ���C
- �b server_root/bin/proxy/admin/bin ����� modutil�C
- �]�w��ҡC�Ҧp�G
- ��J��O�Gmodutil�C�N�C�X�U�ؿﶵ�C
- ���һݪ��ʧ@�C
�Ҧp�A�Y�n�b UNIX ���W�[ PCKS #11 �ҲաA�п�J�G
modutil -add (PKCS#11 �ɮת��W��) -libfile (PKCS #11 �� libfile) -nocertdb -dbdir . (�z�� db �ؿ�)
�ϥ� pk12util
�ϥ� pk12util �i�H�q������Ʈw���ץX���ҩM�K�_�A�ñN��פJ�����Υ~�� PKCS #11 �ҲաC�z�l�ץi�H�N���ҩM�K�_�ץX�ܤ�����Ʈw�A��h�ƥ~���O�����|���\�z�ץX���ҩM�K�_�C�̹w�]�Apk12util �ϥΦW�� cert8.db �M key3.db �����ҩM�K�_��Ʈw�C
�z�L pk12util �ץX
�q������Ʈw�ץX���ҩM�K�_
- �i�J�]�t��Ʈw�� server_root/alias �ؿ�C
- �N server_root/bin/proxy/admin/bin �W�[�� PATH ���C
- �b server_root/bin/proxy/admin/bin ����� pk12util�C
- �]�w��ҡC�Ҧp�G
- ��J��O�Gpk12util�C�N�C�X�U�ؿﶵ�C
- ���һݪ��ʧ@�C
�Ҧp�A�b UNIX ���A�п�J�G
pk12util -o certpk12 -n Server-Cert [-d /server/alias] [-P https-test-host]
- ��J��Ʈw�K�X�C
- ��J pkcs12 �K�X�C
�z�L pk12util �פJ
�N���ҩM�K�_�פJ�����Υ~�� PKCS #11 �Ҳ�
- �i�J�]�t��Ʈw�� server_root/alias �ؿ�C
- �N server_root/bin/proxy/admin/bin �W�[�� PATH ���C
- �b server_root/bin/proxy/admin/bin ����� pk12util�C
- �]�w��ҡC�Ҧp�G
- ��J��O�Gpk12util�C�N�C�X�U�ؿﶵ�C
- ���һݪ��ʧ@�C
�Ҧp�A�b UNIX ���A�п�J�G
pk12util -i pk12_sunspot [-d certdir][-h "nCipher"][-P https-jones.redplanet.com-jones-]
-P ������b -h ����A�åB�����O�̫�@�ӤơC
��J���T���O���W�١A�]�A�j�g�r�)M���������Ů�C
- ��J��Ʈw�K�X�C
- ��J pkcs12 �K�X�C
�H�~�����ұҰʦ�A��
�p�G��A�������Ҧw�˦b�~�� PKCS #11 �Ҳ� (�Ҧp�A�w��[�t��) ���A��A���N�L�k�ϥΦ����ұҰʡA���D�z�� server.xml �ɮi��s��A�Ψ̦p�U�ҭz�ӫ�w���ҦW�١C
��A���l�xըϥΦW���uServer-Cert�v�����ұҰʡC��~�� PKCS #11 �Ҳդ������ҷ|�b���ѧO�X���]�t�Ҳժ��@�ӰO���W�١C�Ҧp�A�w�˦b�W�� smartcard0 ���~�����z�dŪ��W����A������3�R�W�� smartcard0:Server-Cert�C
�Y�n�ϥΦw�˦b�~���Ҳդ������ұҰʦ�A���A����������A������ť�q�T�ݫ�w���ҦW�١C
����ť�q�T�ݿ����ҦW��
�p�G���ﰻť�q�T�ݱҥΦw���ʡA�h���|�C�X���Ҫ���T�C�Y�n����ť�q�T�ݿ����ҦW�١A����ȥ��ﰻť�q�T�ݱҥΦw���ʡC�p�ݧ�h��T�A�аѾ\����ť�q�T�ݱҥΦw�����C
�z�]�i�H��ʽs�� server.xml �ɮסA���A���H����A�����ұҰʡC�N SSLPARAMS ���� servercertnickname �ݩ��ܧG
$TOKENNAME:Server-Cert
�Y�n�d�� $TOKENNAME �ϥΪ��ȡA�в��ܦ�A���� [Security] ���Ҩÿ�� [Manage Certificates] �s���C��z�n�J���x�s Server-Cert ���~���ҲծɡA$TOKENNAME:$NICKNAME ��檺�M�椤�N��ܨ���ҡC
FIPS-140 �з�
�z�i�H�Q�� PKCS #11 API �P���[�K�@�~���n��εw��Ҳճq�T�C�b Proxy Server �W�w�� PKCS #11 ��A�Y�i�N��A���t�m���P FIPS-140 �ۮe�AFIPS ��� Federal Information Processing Standards (�p����T�B�z�з�)�C�u�� SSL 3.0 ���]�t�o�ǵ{���w�C
�ҥ� FIPS-140
- �̾� FIPS-140 ����w�˦��~���{���C
- �s�� Administration Server �� Server Manager�A�M���@�U [Preferences] ���ҡC
- ��@�U [Edit Listen Sockets] �s���C[Edit Listen Socket] ��������ܦw����ť�q�T�ݥi�Ϊ��w���ʳ]�w�C
�Ƶ�
�Y�n�ϥ� FIPS-140�A�аȥ�����ť�q�T�ݱҥΦw���ʡC�p�ݧ�h��T�A�аѾ\����ť�q�T�ݱҥΦw�����C
- �q [SSL Version 3] �U�Ԧ��M���� [Enabled] (�p�G�|�����)�C
- ���A�? FIPS-140 �K�X�աA�M���@�U [OK]�G
�]�w�Τ�ݦw���ʻݨD
���i�O�@��A���w���ʪ��Ҧ��B�J��A�i�H���Τ�ݳ]�w��L�w���ʻݨD�C
��� SSL �s�u�ӻ��A�Τ�ݻ{�ҨëD���n���{�ǡA��O�䪺�T�i�H�i�@�B�T�O�[�K��T�ǰe�ܥ��T����Ƥ�C�z�i�b�ϦV�N�z��A�����ϥΥΤ�ݻ{�ҡA�H�T�O���e��A�����|�P������v���N�z��A���ΥΤ�ݦ@�θ�T�C
���`�]�t�H�U�D�D�G
�n�D�Τ�ݻ{��
�z�i�H�� Administration Server �M�C�Ӧ�A����ұҥΰ�ť�q�T�ݡA�H�n�D�i��Τ�ݻ{�ҡC�p�G�ҥΥΤ�ݻ{�ҡA�������ѥΤ�ݻ{�ҡA��A���~��N�^3�ǰe���d�ߡC
Proxy Server �䴩�z�L���Τ�ݾ��Ҥ��� CA �P�Ω�ñ�p�Τ�ݾ��Ҫ��i�H�� CA �ӻ{�ҥΤ�ݾ��ҡC�z�i�H�b [Security] ���ҤW�� [Manage Certificates] �����˵�Ω�ñ�p�Τ�ݾ��Ҫ��i�H�� CA ���M��C
�z�i�H�N Proxy Server �t�m���ڵ����㦳�i�H�� CA �ֵo���Τ�ݾ��Ҫ����Τ�ݡC�Y�n����Ωڵ��i�H�� CA�A������ CA �]�w�Τ�ݫH��C�p�ݧ�h��T�A�аѾ\�z�����C
�p�G���Ҥw�L�aAProxy Server �N�O���~�B�ڵ����ҨæV�Τ�ݶǦ^�@�h�T���C�]�i�H�b [Manage Certificates] �������˵���Ǿ��Ҥw�g�L�aC
�z�i�H�N��A���t�m���q�Τ�ݾ��Ҧ�����T�ñN��P LDAP �ؿ�ϥΪ̶��ؤ��C�o�˥i�H�T�w�Τ�ݾ֦����Ī����ҩM LDAP �ؿ���ءC�ӥB�٥i�H�T�w�Τ�ݾ��һP LDAP �ؿ���Ҭ۲šC�Y�n�A�Ѧp��i�榹�@�~�A�аѾ\�N�Τ�ݾ��ҹ�M�� LDAP�C
�z�i�H�N�Τ�ݾ��ҩM�s���X�ϥΡA�H�K���F�Ӧۥi�H�� CA �H�~�A�P�������p���ϥΪ��٥����P�s���W�h (ACL) �۲šC�p�ݧ�h��T�A�аѾ\�ϥΦs����ɮ��C
�n�D�Τ�ݻ{��
�ϦV�N�z��A�������Τ�ݻ{��
�b�ϦV�N�z��A�����A�i�̤U�C�*R�ť��Ӱt�m�Τ�ݻ{�ҡG
- Proxy-Authenticates-Client�C�b���*R�ť��U�A�z�i���\�s��Ҧ���i������Ҫ��Τ�ݡA�άO�Ȧs��Ǩ�i������ҥB�b Proxy Server ���s���M�椤�Q��{�i�ϥΪ̪��Τ�ݡC
- Content-Server-Authenticates-Proxy�C�b���*R�ť��U�A�z�i�T�O���e��A���u���P�z�� Proxy Server (�ӫD��L����A��) �s�u�C
- Proxy-Authenticates-Client and Content-Server-Authenticates-Proxy�C���*R�ť����z���ϦV�N�z��A�����ѳ̤j�{�ת��w���ʻP�{�ҡC
�p�ݦ���p��t�m�W�z�*R�ť�����T�A�аѾ\�]�w�ϦV�N�z��A�������Τ�ݻ{���C
�]�w�ϦV�N�z��A�������Τ�ݻ{��
�w���ϦV�N�z��A�������Τ�ݻ{�ҥi�i�@�B�T�O�z���s�u�w���L���C�H�U����e�N���&p��̾ڱz��ܪ��*R�ť��t�m�Τ�ݻ{�ҡC
Proxy-Authenticates-Client
�t�m Proxy-Authenticates-Client �*R�ť�
- ����ϥΤϦV�N�z��A�����u�]�w�ϦV�N�z��A���v������ܡA�t�m�w���� Client-to-Proxy �P Proxy-to-Content Server �*R�ť��C
- �s��Y��A����Ҫ� [Server Manager]�A�M���@�U [Preferences] ���ҡC
- ��@�U [Edit Listen Sockets] �s���A�M��A�b��ܪ���椤��@�U�z�Q�n����ť�q�T�ݪ��s���C(�ϥ� [Add Listen Socket] �s���t�m�üW�[��ť�q�T�ݡC)
- ��w�Τ�ݻ{�һݨD�G
���\�s��㦳�ľ��Ҫ��Ҧ��ϥΪ̡G
- �b [Security] �Ϭq�A�ϥ� [Client Authentication] �]�w�n�D����ť�q�T�ݤW���Τ�ݻ{�ҡC�Ъ`�N�A�p�G�|���w�˦�A�����ҡA���]�w�N���|��ܡC
�Ȥ��\�s��Ǩ㦳�ľ��ҥB�w��w���s�����i����ϥΪ̪��ϥΪ̡G
- �b [Security] �Ϭq���A�N [Client Authentication] �]�w�O������A�C�Ъ`�N�A�p�G�|���w�˦�A�����ҡA���]�w�N���|��ܡC
- �b����A����Ҫ� [Server Manager Preferences] ���Ҥ��A��@�U [Administer Access Control] �s���C
- ��� ACL�A�M���@�U [Edit] ��s�C�N��� [Access Control Rules For] ���� (�Y�t�ε����{�Ҵ��ܡA�Х��{��)�C
- �}�Ҧs��� (�Y�|���֨� [Access control Is On] �֨���A�Ю֨�)�C
- �N Proxy Server �]�w�������ϦV�N�z��A���{�ҡC�p�ݧ�h��T�A�аѾ\�]�w�ϦV�N�z��A���C
- ��@�U�һݦs���W�h�� [Rights] �s���A�b�U��ج[����w�s���v���A�M���@�U [Update] �H��s�����ءC
- ��@�U [Users/Groups] �s���C�b�U��ج[���A��w�ϥΪ̻P�s�աA��� SSL �����{�Ҥ�k�A�M���@�U [Update] �H��s�����ءC
- ��@�U�W��ج[���� [Submit] �H�x�s�z�����ءC
�p�ݦ���]�w�s����h��T�A�аѾ\������A�����s���C
Content-Server-Authenticates-Proxy
�t�m Content Server-Authenticates-Proxy �*R�ť�
- �п���]�w�ϦV�N�z��A��������ܡA�t�m�w���� Client-to-Proxy �P Proxy-to-Content-Server �*R�ť��C
- �b���e��A���W�}�ҥΤ�ݻ{�ҡC
Proxy-Authenticates-Client and Content-Server-Authenticates-Proxy
�t�m Proxy-Authenticates-Client and Content-Server-Authenticates-Proxy �*R�ť�
- ��Ӭ����t�m Proxy-Authenticates-Client �*R�ť��A�o�ǻ����� Proxy-Authenticates-Client�C
- �b���e��A���W�}�ҥΤ�ݻ{�ҡC
�N�Τ�ݾ��ҹ�M�� LDAP
���`�y�z Proxy Server �N�Τ�ݾ��ҹ�M�� LDAP �ؿ�ت��{�ǡC
��A������Τ�ݪ��ШD�ɡA�|�b�B�z�ШD���e�߰ݥΤ�ݪ����ҡC���ǥΤ�ݷ|�N�Τ�ݾ��һP�ШD�@�P�ǰe����A���C
�Ƶ�
�N�Τ�ݾ��ҹ�M�� LDAP ���e�A�٥����t�m�һݪ� ACL�C�p�ݧ�h��T�A�аѾ\������A�����s���C
��A���N�xձN CA �P Administration Server �����i�H�� CA �M����C�Y�L�۲Ū� CA�AProxy Server �|����s�u�C�p�G�����۲Ū� CA�A��A���N�~��B�z�ШD�C
���Ҿ��ҬO�Ӧۥi�H�� CA ����A��A���|�z�L�H�U�覡�N���ҹ�M�� LDAP ���ءG
��A���ϥΦW�� certmap.conf �����ҹ�M�ɮרӨM�w�p���� LDAP �j�M�C��M�ɮױN�i�D��A���n�q�Τ�ݾ��Ҥ������ǭ� (�p�@��ϥΪ̪��W�١B�q�l�l���}��)�C��A���N�ϥγo�ǭȦb LDAP �ؿ�j�M�ϥΪ̶��ءA���A������ݭn�T�w�q LDAP �ؿ���Ӧ�m�}�l�j�M�C���ҹ�M�ɮפ]�|�i�D��A���}�l�j�M����m�C
��A�����D�ӱq��B�}�l�j�M�ηj�M��ض��� (�W�z�Ĥ@�I) ��A�K�|�b LDAP �ؿ���j�M (�ĤG�I)�C�p�G�����۲Ŷ��ةΧ��h�Ӭ۲Ŷ��ءA�åB���]�m��M�����Ҿ��ҡA�j�M�N���ѡC
�U��C�X�w�j��j�M���G�B�@�覡�C�Ъ`�N�A�z�i�b ACL ����w�w�j��B�@�覡�C�Ҧp�A�i��w����Ҥ�異�ѮɡAProxy Server �u���z�C�p�ݦ���p��]�w ACL �ߦn�]�w����h��T�A�аѾ\�ϥΦs����ɮ��C
�� 5-1 LDAP �j�M���G
LDAP �j�M���G | �}�Ҿ������� | ���������
����춵�� | �{�ҥ��� | �{�ҥ���
��n���@�Ӷ��� | �{�ҥ��� | �{�Ҧ��\
���h�Ӷ��� | �{�ҥ��� | ���v����
��A���b LDAP �ؿ���۲Ū����ةM���ҫ�A�N�i�H�ϥγo�Ǹ�T�ӳB�z�@�~�ƥ�C�Ҧp�A�Y�Ǧ�A���ϥξ��Ҩ� LDAP ����M�ӽT�w��Y�Ӧ�A�����s���v���C
�ϥ� certmap.conf �ɮ�
���ҹ�M�i�T�w��A���p��b LDAP �ؿ�d��ϥΪ̶��ءC�z�i�H�ϥ� certmap.conf �t�m���� (�̦W�٫�w) ��M�� LDAP ���ت��覡�C�z�i�H�s�覹�ɮסA�W�[���ءA�Ӥ�� LDAP �ؿ�c�æC�X�z�Ʊ�ϥΪ֦̾������ҡC�ϥΪ̥i�H���ϥΪ� ID�B�q�l�l���}�� subjectDN ���ϥΪ�����L�ȶi��{�ҡC����ӻ��A��M�ɮץi�w�q�H�U��T�G
���ҹ�M�ɮצ��H�U��m�G
server_root/userdb/certmap.conf
���ɮץ]�t�@�өΦh�өR�W����M�A�C�ӹ�M���A�ΩP�� CA�C��M���y�k�p�U�G
certmap name issuerDN
name:property [value]
�Ĥ@��Ω��w���ت��W�٥H�ΧΦ� CA ���Ҥ���O�W�٪��ݩʡCname �O��N���A�z�i�H�N�w�q�C��O�AissuerDN �����P�ֵo�Τ�ݾ��Ҫ� CA ���ֵo�� DN �����۲šC�Ҧp�A�H�U��Ӯֵo�� DN ��Ȧb�9j�ݩʪ��Ů�W���Үt���A���A���N����Ӥ��P�����ءG
certmap sun1 ou=Sun Certificate Authority,o=Sun,c=US
certmap sun2 ou=Sun Certificate Authority, o=Sun, c=US
����
�p�G���b�ϥ� Sun Java System Directory Server �æb���ֵo�� DN �ɹJ����D�A�Цb Directory Server ��~�O��d�䦳�Ϊ���T�C
�w�R�W��M�����ĤG��M�H�᪺��i�H���ݩʻP�Ȭ۲šCcertmap.conf �ɮפ��]�t���ӹw�]�S�� (�i�H�ϥξ��� API �ۭq�S��)�G
- DNComps �O�@�t�C�γr���9j���ݩʡA�Ω�T�w��A���q LDAP �ؿ���Ӧ�m�}�l�j�M�ŦX�ϥΪ� (�Y�Τ�ݾ��Ҫ��֦���) ��T�����ءC��A���q�Τ�ݾ��Ҧ����o���ݩʪ��ȡA�åγo�ǭȧΦ� LDAP DN�A�M��Y�i�T�w��A���q LDAP �ؿ���Ӧ�m�}�l�j�M�C�Ҧp�A�p�G�N DNComps �]�w���ϥ� DN �� o �P c �ݩʡA�h��A���|�q LDAP �ؿ� o=org, c= country ���ض}�l�j�M�A�䤤 org �P country �ξ��Ҥ� DN ���ȩҴ%N�C
�Ҧp�A�p�G FilterComps �]�w���ϥιq�l�l���}�M�ϥΪ� ID �ݩ� (FilterComps=e,uid)�A��A���|�b�ؿ�j�M�Y���ءA�����ت��q�l�l��ΨϥΪ� ID �ȻP�q�Τ�ݾ��ҩҨ�o���@��ϥΪ̸�T�۲ŦX�C�q�l�l���}�M�ϥΪ� ID �O�D�`�n���z�ᄍ�A�]�����̦b�ؿ�q�`�O�ߤ@���C�z�ᄍ�ݭn����쨬�H�P LDAP ��Ʈw�����@�� (�B�u���@��) ���ج۲šC
�z�ᄍ���ݩʦW�٥����O�Ӧ۾��� (�ӫD�Ӧ� LDAP �ؿ�) ���ݩʦW�١C�Ҧp�A�ϥΪ̹q�l�l���}�b�Y�Ǿ��Ҥ���3�� e �ݩʡA�� LDAP �N���٬� mail�C
�U��C�X x509v3 ���Ҫ��ݩʡC
- verifycert �|�i����A���O�_3�N�Τ�ݾ��һP LDAP �ؿ���Ҭۤ��C���ϥΨ�ӭȡG[on] �M [off]�C�u���� LDAP �ؿ�]�t���ҮɡA�~��ϥΦ��S�ʡC���\��U��T�w�@��ϥΪ̨ϥΪ����Ҧ��ĥB���Q�M�P�C
- CmapLdapAttr �O LDAP �ؿ�]�t�ϥΪ̥������Ҥ��D�� DN ���ݩʦW�١C���S�ʪ��w�]�Ȭ� certSubjectDN�C���ݩʤ��O�зǪ� LDAP �ݩʡA�]���n�ϥΦ��S�ʡA�������� LDAP �Ҧ��C�p�ݧ�h��T�A�аѾ\�uIntroduction to SSL�v�C
�p�ݦ���o�ǯS�ʪ���h��T�A�аѾ\�H�U�p�`�����d�ҡG��M�d���C
�إߦۭq�S��
�i�ϥΥΤ�ݾ��� API �ӫإߦۤv���S�ʡC�إߦۭq��M��A�N�i��p�U�榡�ѷӹ�M�G
name:library path_to_shared_library
name:InitFN name_of_init_function
�Ҧp�G
certmap default1 o=Sun Microsystems, c=US
default1:library /usr/sun/userdb/plugin.so
default1:InitFn plugin_init_fn
default1:DNComps ou o c
default1:FilterComps l
default1:verifycert on
��M�d��
certmap.conf �ɮפ�3�ܤ֥]�t�@�Ӷ��ءC�H�U�d�һ��� certmap.conf �����P�ϥΤ覡�C
�d�� #1
���d�ҥN��u���@�ӹw�]��M�� certmap.conf �ɮסG
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on
�ϥΥ��d�ҮɡA��A���|�b�]�t ou=orgunit, o=org, c=country ���ت� LDAP �$��I�}�l�j�M�A�䤤�����r�N�Q�Τ�ݾ��Ҥ��D�� DN ���ȩҴ%N�C
�M��A��A���ϥξ��Ҥ����q�l�l���}�P�ϥΪ� ID �ȨӦb LDAP �ؿ�j�M�۲Ū����ءC���۲Ū����خɡA��A���N�Τ�ݶǰe�����һP�ؿ��x�s�����Ҭۤ��A�H���Ҿ��ҡC
�d�� #2
�H�U�d���ɮפ��]�A��ӹ�M�G�@�ӥΩ�w�]�A�t�@�ӥΩ� US Postal Service�G
certmap default default
default:DNComps
default:FilterComps e, uid
certmap usps ou=United States Postal Service, o=usps, c=US
usps:DNComps ou,o,c
usps:FilterComps e
usps:verifycert on
�Y��A�����쪺���Ҥ��O�Ӧ� US Postal Service�A���|�ϥιw�]��M (�q LDAP �𪬵��c���ݶ}�l�j�M�ŦX�Τ�ݹq�l�l��P�ϥΪ� ID ������)�C�Y���ҨӦ� US Postal Service�A�h��A���|�q�]�t��´�椸�� LDAP �$�}�l�j�M�۲Ū��q�l�l���}�C�t�Ъ`�N�A�Y���ҨӦ� US Postal Service�A�h��A���|���Ҧ����ҡC�Ӥ��|���Ҩ�L���ҡC
�`�N
���Ҥ����ֵo�� DN (�Y CA ����T) �����P��M���Ĥ@�椤�ҦC���ֵo�� DN �@�P�C�b�W�Ҥ��A�Ӧۮֵo�� DN ������ (o=United States Postal Service,c=US) �N���۲šA�]�� o �M c �ݩʤ����S���Ů�C
�d�� #3
�U�Ҩϥ� CmapLdapAttr �S�ʦb LDAP ��Ʈw���j�M�W�� certSubjectDN ���ݩʡA���3�P�Τ�ݾ��Ҥ�����ӥD�� DN �����۲šC
certmap myco ou=My Company Inc, o=myco, c=US
myco:CmapLdapAttr certSubjectDN
myco:DNComps o, c
myco:FilterComps mail, uid
myco:verifycert on
�p�G�Τ�ݾ��Ҫ��D�鬰�G
uid=Walt Whitman, o=LeavesOfGrass Inc, c=US
��A���N����j�M�]�t�H�U��T�����ءG
certSubjectDN=uid=Walt Whitman, o=LeavesOfGrass Inc, c=US
�p�G���@�өΦh�Ӭ۲Ū����ءA��A���N�~�����ҦU���ءC�p�G�����۲Ū����ءA��A���|�ϥ� DNComps �M FilterComps �j�M�۲Ū����ءC�b���d�Ҥ��A��A���|�b o=LeavesOfGrass Inc, c=US �U���Ҧ����ؤ��j�M uid=Walt Whitman�C
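A worked model of the certmap.conf rules in the three examples above (mapping selection by issuer DN, DNComps, FilterComps, CmapLdapAttr, verifycert and the Table 5-1 outcomes), added here as an illustration; it is not Proxy Server's own code. The certmap text, the in-memory directory and the certificate values are constructed samples, and the rule that a missing DNComps line makes the certificate subject DN the search base is an assumption taken from the product's documented behaviour rather than from this page.

```python
"""Model of certmap.conf processing, written for this page as an illustration;
it is not Proxy Server's own code.  It selects the mapping for a client
certificate's issuer DN, derives the LDAP search from DNComps / FilterComps /
CmapLdapAttr, and applies the Table 5-1 outcomes (no entry / one / several)."""
import re

CERT_TO_LDAP_ATTR = {"e": "mail"}   # certificate attribute names differ from LDAP ones

# Constructed sample: the three example mappings from the text in one file.
CERTMAP_CONF = """\
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on
certmap usps ou=United States Postal Service, o=usps, c=US
usps:DNComps ou,o,c
usps:FilterComps e
usps:verifycert on
certmap myco ou=My Company Inc, o=myco, c=US
myco:CmapLdapAttr certSubjectDN
myco:DNComps o, c
myco:FilterComps mail, uid
myco:verifycert on
"""

# Constructed sample directory; userCertificate holds a stand-in for the DER blob.
DIRECTORY = [
    {"dn": "uid=wwhitman, ou=Poets, o=LeavesOfGrass Inc, c=US", "uid": "Walt Whitman",
     "userCertificate": "CERT-WALT",
     "certSubjectDN": "uid=Walt Whitman, o=LeavesOfGrass Inc, c=US"},
    {"dn": "uid=jdoe, ou=Carriers, o=usps, c=US", "uid": "jdoe",
     "mail": "jdoe@example.com", "userCertificate": "CERT-JDOE"},
    {"dn": "uid=jdoe2, ou=Carriers, o=usps, c=US", "uid": "jdoe2",
     "mail": "jdoe@example.com", "userCertificate": "CERT-JDOE2"},
]

def parse_dn(dn):
    """'uid=Walt Whitman, o=LeavesOfGrass Inc, c=US' -> [('uid', 'Walt Whitman'), ...]"""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def normalize_dn(dn):
    return ",".join("%s=%s" % (a, v.lower()) for a, v in parse_dn(dn))

def split_comps(text):
    return [c for c in re.split(r"[,\s]+", text.strip()) if c]

def parse_certmap(text):
    """Parse certmap.conf text into {name: {'issuerDN': ..., property: value}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuerDN": issuer}
            continue
        name, _, rest = line.partition(":")
        prop, _, value = rest.partition(" ")
        maps[name][prop] = value.strip()      # may be empty, as in 'default:DNComps'
    return maps

def select_mapping(maps, issuer_dn):
    """Issuer DN must match the certmap line character for character (the note in
    the text: a spacing difference defeats the match); otherwise use 'default'."""
    for mapping in maps.values():
        if mapping["issuerDN"] == issuer_dn:
            return mapping
    return maps.get("default")

def derive_searches(mapping, subject_dn):
    """Searches to try in order, each as (base DN, [(ldap_attr, value), ...])."""
    value_of = {}
    for attr, value in parse_dn(subject_dn):
        value_of.setdefault(attr, value)
    searches = []
    if "CmapLdapAttr" in mapping:             # whole subject DN stored in one LDAP attribute
        searches.append(("", [(mapping["CmapLdapAttr"], subject_dn)]))
    if "DNComps" not in mapping:              # assumption: no DNComps line -> subject DN is the base
        base = subject_dn
    elif not mapping["DNComps"]:              # empty DNComps -> search from the tree root
        base = ""
    else:
        base = ", ".join("%s=%s" % (c, value_of[c])
                         for c in split_comps(mapping["DNComps"]) if c in value_of)
    terms = [(CERT_TO_LDAP_ATTR.get(c, c), value_of[c])
             for c in split_comps(mapping.get("FilterComps", "")) if c in value_of]
    searches.append((base, terms or [("objectclass", "*")]))
    return searches

def ldap_search(directory, base, terms):
    """In-memory stand-in for an LDAP subtree search with an AND of equality filters."""
    hits = []
    for entry in directory:
        if base and not normalize_dn(entry["dn"]).endswith(normalize_dn(base)):
            continue
        if all(v == "*" or entry.get(a, "").lower() == v.lower() for a, v in terms):
            hits.append(entry)
    return hits

def map_certificate(maps, issuer_dn, subject_dn, cert, directory=DIRECTORY):
    """Apply the mapping and report the Table 5-1 outcome."""
    mapping = select_mapping(maps, issuer_dn)
    if mapping is None:
        return "fail: no mapping"
    for base, terms in derive_searches(mapping, subject_dn):
        hits = ldap_search(directory, base, terms)
        if hits:
            break
    if len(hits) != 1:                        # no entry, or several entries: authentication fails
        return "fail: %d entries" % len(hits)
    if mapping.get("verifycert") == "on" and hits[0].get("userCertificate") != cert:
        return "fail: certificate mismatch"   # verifycert compares the presented certificate
    return "success: " + hits[0]["dn"]
```

Calling map_certificate with the usps issuer DN written with and without spaces after the commas shows the two different mappings (usps versus default) being applied to the same certificate.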
�]�w�W�j���[�K
�z�L [Server Manager Preferences] ���Ҥ��� [Set Cipher Size] �ﶵ�i�H��ܨϥ� 168 �줸�B128 �줸�� 56 �줸�j�p���K�_�i��s��A�Ϊ̤����w�K�_�j�p�C�z�i�H��w���ŦX������ɨϥΪ��ɮסC�p�G����w�ɮסAProxy Server �N�Ǧ^ [Forbidden] ���A�C
�p�G�ҿ��s��K�_�j�p�P [Security Preferences] �U�ثe���K�X�]�w���@�P�AProxy Server �|��ܤ@�ӧ����ܤ��Aĵ�i�z�ݭn�ҥαK�_�j�p��j���K�X�C
�K�_�j�p�����@��� obj.conf ���� NSAPI PathCheck ��O�A�Ӥ��O Service fn=key-toosmall�C����O���G
PathCheck fn="ssl-check" [secret-keysize=nbits] [bong-file=filename]
�䤤�Anbits �O�K�_���һݪ��̤p�줸�ơAfilename �O���ŦX������ɩҥ��ɮת��W�١C
�p�G���ҥ� SSL �Ϊ̥���w secret-keysize �ѼơAPathCheck �N�Ǧ^ REQ_NOACTION�C�Y�ثe���q�@�~���K�_�j�p�p���w�� secret-keysize�A�h��Ʒ|�Ǧ^���A�� PROTOCOL_FORBIDDEN �� REQ_ABORTED (�Y����w bong-file) �� REQ_PROCEED�A��|�ܼƳQ�]�w�� bong-file filename�C�ӥB�A�p�G���ŦX�K�_�j�p����A�ثe���q�@�~�� SSL ���q�@�~�֨�رN���ġA�o�ˤU����P�@�ӥΤ�ݳs�u���A���ɡA�N�o�ͧ��㪺 SSL �洫�C
�Ƶ�
��b [Set Cipher Size] ��椤�W�[ PathCheck fn=ssl-check �ɡA���|�����b����쪺�Ҧ� Service fn=key-toosmall ��O�C
�]�w�W�j���[�K
- �s��Y��A����Ҫ� [Server Manager]�A�M���@�U [Preferences] ���ҡC
- ��@�U [Set Cipher Size] �s���C
- �q�U�Ԧ��M�椤���n�M�μW�j�[�K���귽�A�M���@�U [Select]�C�z��i��w�`�W��ܦ��C�p�ݧ�h��T�A�аѾ\�z�d���M�귽�C
- ���K�_�j�p����G
- ��w�n�ڵ��s��T���Ҧb���ɮצ�m�A�M���@�U [OK]�C
�p�ݦ���K�X����h��T�A�аѾ\�uIntroduction to SSL�v�C
��L�w���ʦҶq
���F�Y�ǤH�|�xկ}�ѱz���K�X�~�A�٦���L�w���ʭ��I�s�b�C����{�����I�Ӧۥ~���M�������b�ȡA�L�̨ϥΦU�ؤ�k�xզs��z����A���H�Φ�A���W����T�C�]���A���F�b��A���W�ҥΥ[�K�~�A��3�Ĩ��B�~���w�����@���I�C�Ҧp�A�N��A���q����b�@�Ӧw�����ж����A�����\��i�H��ϥΪ̱N�{���W�Ǧܱz����A���C���`�y�z�F���Ϧ�A����w�����Y�ǭn�I�C
���`�]�t�H�U�D�D�G
�������s��
�o��²�檺�w����k�g�`�|�Q��ѡC�N��A���q����b�@�ӤW�ꪺ�ж����A�u���g�L���v���ϥΪ̤~��i�J�ж��C�o�˥i�H������H��;��A���q�������C�ӥB�A�n�O�@�n�q�����z (��) �K�X (�p�G������)�C
����z�s��
�p�G�ϥλ��ݰt�m�A�аȥ��]�w�s���A�u���\�ּƨϥΪ̩M�q���i��z�C�p�G�Ʊ� Administration Server ���@��ϥΪ̴��ѹ� LDAP ��A���Υ���ؿ��T���s���v���A�ЦҶq���@��� Administration Server �M�ϥ��O���z�C�o�˱ҥΤF SSL �� Administration Server �i�����D��A���A�ӥt�@�� Administration Server �h�Ω�@��ϥΪ̪��s��C�p�ݦ����O������h��T�A�аѾ\�z��A���O���C
�z��3�� Administration Server �}�ҥ[�K�\��C�p�G���ϥ� SSL �s�u�i��z�A����z�L�D�[�K������滷�ݦ�A���z��3�Ӯ�~�p�ߡC�]�����H���i�H�I��z���z�K�X�í��s�t�m�z����A���C
��ܼW�j���K�X
�z�i�H�b��A�����ϥΦh�ӱK�X�G�z�K�X�B�p�K�K�_�K�X�B��Ʈw�K�X�����C�z�K�X�O�����K�X���̭��n���@�ӡA�]�������K�X���ϥΪ̧��i�H�b�z���q���W�t�m����A���C�p�K�K�_�K�X�O�����n���K�X�C�p�G�Y�ӨϥΪ̨�o�F�z���p�K�K�_�M�p�K�K�_�K�X�A�h�i�H�إ߰���A�����˦��z����A���A�Ϊ̺I��M�ܧ�i�X�z��A�����q�T��ơC
�K�X�̦n�O�K��z�ۤv�O�СA�L�H�S�L�k�q��C�Ҧp�AMCi12!mo �i�O���uMy Child is 12 months old!�v�C�Ӥp�Ĥl���m�W�Υͤ鵥���A�X���K�X�C
�إ���H�}�Ѫ��K�X
�H�U�o��²�檺��ɭ�h�i0�U�z�إW�j���K�X�C������@�ӱK�X�M�ΥH�U�Ҧ��W�h�A��ϥΪ��W�h�V�h�A�z���K�X�N�V��H�Q�}�ѡC�@�Ǵ��ܡG
�ܧ�K�X�� PIN
�w���ܧ�i�H���Ʈw/�K�_���ɮױK�X�� PIN �O�@�Ӧn�ߺD�C�p�G�b Administration Server ���ҥΤF SSL�A�h�Ұʦ�A���ɻݭn���K�X�C�w���ܧ�K�X�i�H�W�[���A�����B�~�O�@�C
�u3�b����q���W�ܧK�X�C�p�ݦ����ܧ�K�X���`�N�ƶ��M��A�аѾ\�إ���H�}�Ѫ��K�X�C
�ܧ�i�H���Ʈw/�K�_���ɮױK�X
- �s�� Administration Server �� Server Manager�A�M���@�U [Security] ���ҡC
- ��@�U [Change Key Pair File Password] �s���C
- �q [Cryptographic Module] �U�Ԧ��M�椤���n�b�䤤�ܧ�K�X���w���ʰO���C�̹w�]�A�����K�_��Ʈw���w���ʰO���� [Internal]�C�Y�w�w�� PKCS #11 �ҲաA�h�N�C�X�Ҧ��w���ʰO���C
- ��J�ثe�K�X�C
- ��J�s�K�X�C
- �A����J�K�X�A�M���@�U [OK]�C
�T�w�z���K�_���ɮר��O�@�CAdministration Server �N�K�_���ɮ��x�s�b server_root/alias �ؿ�C
�A���ɮO�_�x�s�b�ƥ�ϱa�W�άO�_��Q��L�H�I��]�ܭ��n�C�p�G�o�ˡA�h�������O�@��A���@�˺ɤO�O�@�z���ƥ�C
�����A���W����L3�ε{��
���ԷV�Ҽ{�b��A���q���W��檺�Ҧ�3�ε{���C�Q�Φ�A���W��檺��L�{�������|�}�i�H�}��A�����w���O�@�C�а��ΩҦ������n���{���M�A�ȡC�Ҧp�AUNIX sendmail �`�n�{����H�w���a�t�m�A�ӥB�i�H�z�L�{���]�p�Ӧb��A���q���W����L�i��`���{���C
UNIX �M Linux
�J�ӿ�ܱq inittab �M rc �{���ɱҰʪ��{�ǡC���n�q��A���q����� telnet �� rlogin�C�z�礣3�b��A���q���W��� rdist�C�p���i�5o�ɮסA���i�Ω��s��A���q���W���ɮסC
Windows
�P��L�q���@�κϺо�M�ؿ�ɭn��~�p�ߡC�ӥB�A�n�Ҷq���ǨϥΪ̨㦳�b���� Guest �v���C�z�ݯS�O�d�N�b��A���w�˭��ǵ{���Τ��\��L�H�b��A���W�w�˭��ǵ{���C��L�ϥΪ̪��{���i��|�s�b�w���|�}�C���V�|���O�A���H�i��|�W�Ǵc�N�{���A�W�N�}�a��A�����w���ʡC�b�z����A���W�w�˵{�����e�@�w�n�J���ˬd�o�ǵ{���C
����Τ�ݧ֨� SSL �ɮ�
�z�L�b HTML �ɮת� <HEAD> �Ϭq���W�[�H�U��A�i�H����Τ�ݧ֨�[�K�e���ɮסG
<meta http-equiv="pragma" content="no-cache">
����s����
���ιq���W���ϥΪ��Ҧ��s����C�ϥθ�Ѿ��Ψ�����t�m�i����~�����ϥΪ̳s�u�ܵ���̤p�s���H�~�����s����C�o�N��ۨ�o�q���W Shell ���ߤ@��k�N�O��ڦa�ϥΦ�A���q���A��3�Ӧ�b�@�ӭ��w���ϰ줺�C
�A�Ѧ�A��������
��A�����Ѧ�A���M�Τ�ݤ������w���s�u�C�Τ�ݨ�o��T����A��A���J�L�k�����T���w���ʡA���]�L�k������A���q�������Ψ�ؿ�M�ɮת��s��C
�A�ѳo�ǭ���U��z�A�ѭn�קK���DZ��ΡC�Ҧp�A�z�i�H�z�L SSL �s�u��o�H�Υd���A��o�Ǹ��X�O�_�x�s�b��A���q���W���w���ɮפ��O�HSSL �s�u�פ��A�o�Ǹ��X�|��˩O�H �аȥ���Τ�ݳz�L SSL �ǰe���z������T��I�w���O�@�C