Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

7.2 Enabling Secure Communications Between the Web Server Instances and the Load Balancer

When a Web Server instance is created, it contains a default http-listener port. In the following sections, certificates are requested and installed, a new http-listener port is created and enabled for secure communication with the OpenSSO Enterprise Load Balancer 3, and the CA root certificate is imported into the Web Server JDK certificate store so that the Java runtime on each Web Server trusts certificates issued by that CA.

Procedure: To Request and Install a Server Certificate and a Root Certificate for Web Server 1

The wadm command line interface, bundled with the Web Server, is used to import the root and server certificates into the Web Server certificate store.

Before You Begin

Copy the same root certificate imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances to the da-1 host machine. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. As a root user, log in to the da-1 host machine.

  2. Start the Web Server Administration Server.


    # su da80adm
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  3. Create a temporary file that contains the administration password.

    This file is used for certificate request generation and certificate installation. Because it holds the wadm administration password in clear text, make sure it is readable only by the da80adm user, and remove it as soon as the listener procedure that follows is complete.


    # cd /export/da80adm
    # cat > admin.pwd
    
    wadm_password=web4dmin
    
    Press Control-D to terminate the command.
    
    ^D
    
  4. Generate a certificate signing request.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm create-cert-request --user=admin 
    --password-file=/export/da80adm/admin.pwd --host=da-1.example.com 
    --port=8989 --key-type=rsa --org="Sun Microsystems" 
    --org-unit="Sun Distributed Authentication" 
    --locality="Santa Clara" --state=California --country=US 
    --config=da-1.example.com --token=internal
    --server-name=da-1.example.com
    
  5. Copy the output into a file named da-1.csr and send the request to the CA of your choice.


    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIB2DCCAUECAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRQwEgYDVQQHEwtTYW50YSBDbGFyYTEZMBcGA1UEChMQU3VuIE1pY3Jvc3lzdGVt
    czEnMCUGA1UECxMeU3VuIERpc3RyaWJ1dGVkIEF1dGhlbnRpY2F0aW9uMRkwFwYD
    VQQDExBkYS0xLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
    gQDGdeNgE00/6o3nrG38yatMhnrJeUVR86Pj5rBk282DQQfVenuWt0hL8Y6q9KvT
    JQRoeclWMl94ZErdtNY0qKqXZBxhC0CCtiAvNHJAg8zErGTOADs6ptmXkzVRGBXE
    b7zLOGlROnK9xAw0wms/aFsbA/Mb0zMI5PDztRAf5A8fIQIDAQABoAAwDQYJKoZI
    hvcNAQEFBQADgYEAqap+9N/T+pzzAZL+EiG3rciKcG+Ij94Yk+3q0hMj3d3xer8Q
    1shLAy4za9qHvOnT8M7hpKY6lpw4Y4N+w3eIgfDc3aCnz1Aot5Na4alWJZ81SUAZ
    Fl6fD7CX7KMtF6Agfpi5OV+NdOiBL6tQ7F7G70c3pYV5MnQvYf5dnuiZEkQ=
    -----END NEW CERTIFICATE REQUEST-----

    The CA issues and returns a certified server certificate named da-1.cer.

  6. Install da-1.cer, the server certificate.


    # ./wadm install-cert --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com --port=8989 
    --token=internal --cert-type=server 
    --nickname=da-1 da-1.cer
    
    CLI201 Command 'install-cert' ran successfully
  7. (Optional) Verify that the server certificate was properly installed.


    # ./wadm list-certs --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com --token=internal 
    --cert-type=server
    
    da-1

    The output indicates that the server certificate was properly installed.

  8. Install ca.cer, the root certificate.


    # ./wadm install-cert --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com --port=8989 
    --token=internal --cert-type=ca 
    --nickname=OpenSSLTestCA ca.cer
    
    CLI201 Command 'install-cert' ran successfully
  9. (Optional) Verify that the root certificate was properly installed.


    # ./wadm list-certs --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --token=internal --cert-type=ca 
    --config=da-1.example.com | grep -i open
    
    openSSLTestCA - sun

    The output indicates that the root certificate was properly installed.

Procedure: To Create an SSL Enabled HTTP Listener Port on Web Server 1

The wadm command line interface, bundled with the Web Server, is used in this procedure.

Before You Begin

This procedure assumes that you have just completed To Request and Install a Server Certificate and a Root Certificate for Web Server 1 and are still logged in as the da80adm user (not root), with the temporary password file still in place.

  1. Create an SSL enabled HTTP listener port on Web Server 1.


    # ./wadm create-http-listener --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --host=da-1.example.com --port=8989 
    --listener-port=1443 --config=da-1.example.com 
    --server-name=da-1.example.com 
    --default-virtual-server-name=da-1.example.com 
    http-listener-2
    
    CLI201 Command 'create-http-listener' ran successfully
  2. (Optional) Verify that the listener was created.


    # ./wadm get-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com 
    --http-listener=http-listener-2
    
    tls=true
    client-auth-timeout=60
    client-auth=false
    enabled=false
    ssl2=false
    max-client-auth-data=1048576
    tls-rollback-detection=true
    ssl3=true

    The output indicates that the listener was created. Note that enabled=false: SSL is not yet active on the listener and no server certificate is associated with it; the next steps do both.

  3. Enable SSL for the newly created HTTP listener port.


    # ./wadm set-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com 
    --http-listener=http-listener-2
    enabled=true
    
    CLI201 Command 'set-ssl-prop' ran successfully
  4. Associate the HTTP listener port with the nickname of the certificate.


    # ./wadm set-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com 
    --http-listener=http-listener-2
    server-cert-nickname=da-1
    
    CLI201 Command 'set-ssl-prop' ran successfully
  5. (Optional) Verify that SSL is enabled on the listener port and is configured with an associated server certificate.


    # ./wadm get-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-1.example.com 
    --http-listener=http-listener-2
    
    tls=true
    server-cert-nickname=da-1
    client-auth-timeout=60
    client-auth=false
    enabled=true
    ssl2=false
    max-client-auth-data=1048576
    tls-rollback-detection=true
    ssl3=true

    The output indicates that SSL is enabled and da-1 is the associated certificate nickname. The default property values also leave SSL 3.0 enabled (ssl3=true) alongside TLS; if your security policy does not allow SSL 3.0, set the ssl3 property to false with set-ssl-prop before you deploy the configuration.

  6. Deploy the modified configuration.


    # ./wadm deploy-config --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --host=da-1.example.com --port=8989
    da-1.example.com
    
    CLI201 Command 'deploy-config' ran successfully
  7. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv ; ./startserv
    
    server has been shutdown
    
    Sun Java System Web Server 7.0U2 B12/09/2007 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://da-1.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-1.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup

    The output indicates that http-listener-2 is SSL-enabled and ready to accept requests on port 1443.

  8. Remove the temporary administration password file.


    # cd /export/da80adm
    # rm admin.pwd
    
  9. (Optional) Access https://da-1.example.com:1443 from a web browser to verify that the secure port can be invoked.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


Procedure: To Request and Install a Server Certificate and a Root Certificate for Web Server 2

The wadm command line interface, bundled with the Web Server, is used to import the root and server certificates into the Web Server certificate store.

Before You Begin

Copy the same root certificate imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances to the da-2 host machine. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. As a root user, log in to the da-2 host machine.

  2. Start the Web Server Administration Server.


    # su da80adm
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  3. Create a temporary file that contains the administration password.

    This file is used for certificate request generation and certificate installation. Because it holds the wadm administration password in clear text, make sure it is readable only by the da80adm user, and remove it as soon as the listener procedure that follows is complete.


    # cd /export/da80adm
    # cat > admin.pwd
    
    wadm_password=web4dmin
    
    Press Control-D to terminate the command.
    
    ^D
    
  4. Generate a certificate signing request.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm create-cert-request --user=admin 
    --password-file=/export/da80adm/admin.pwd --host=da-2.example.com 
    --port=8989 --key-type=rsa --org="Sun Microsystems" 
    --org-unit="Sun Distributed Authentication" 
    --locality="Santa Clara" --state=California --country=US 
    --config=da-2.example.com --token=internal
    --server-name=da-2.example.com
    
  5. Copy the output into a file named da-2.csr and send the request to the CA of your choice. Before sending it, confirm that the subject of your request contains CN=da-2.example.com: the sample request reproduced below is the da-1 request shown earlier (its encoded subject names da-1.example.com), and a request with the wrong CN yields a certificate whose name does not match this host.


    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIB2DCCAUECAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRQwEgYDVQQHEwtTYW50YSBDbGFyYTEZMBcGA1UEChMQU3VuIE1pY3Jvc3lzdGVt
    czEnMCUGA1UECxMeU3VuIERpc3RyaWJ1dGVkIEF1dGhlbnRpY2F0aW9uMRkwFwYD
    VQQDExBkYS0xLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
    gQDGdeNgE00/6o3nrG38yatMhnrJeUVR86Pj5rBk282DQQfVenuWt0hL8Y6q9KvT
    JQRoeclWMl94ZErdtNY0qKqXZBxhC0CCtiAvNHJAg8zErGTOADs6ptmXkzVRGBXE
    b7zLOGlROnK9xAw0wms/aFsbA/Mb0zMI5PDztRAf5A8fIQIDAQABoAAwDQYJKoZI
    hvcNAQEFBQADgYEAqap+9N/T+pzzAZL+EiG3rciKcG+Ij94Yk+3q0hMj3d3xer8Q
    1shLAy4za9qHvOnT8M7hpKY6lpw4Y4N+w3eIgfDc3aCnz1Aot5Na4alWJZ81SUAZ
    Fl6fD7CX7KMtF6Agfpi5OV+NdOiBL6tQ7F7G70c3pYV5MnQvYf5dnuiZEkQ=
    -----END NEW CERTIFICATE REQUEST-----

    The CA issues and returns a certified server certificate named da-2.cer.

  6. Install da-2.cer, the server certificate.


    # ./wadm install-cert --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com --port=8989 
    --token=internal --cert-type=server 
    --nickname=da-2 da-2.cer
    
    CLI201 Command 'install-cert' ran successfully
  7. (Optional) Verify that the server certificate was properly installed.


    # ./wadm list-certs --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com --token=internal 
    --cert-type=server
    
    da-2

    The output indicates that the server certificate was properly installed.

  8. Install ca.cer, the root certificate.


    # ./wadm install-cert --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com --port=8989 
    --token=internal --cert-type=ca 
    --nickname=OpenSSLTestCA ca.cer
    
    CLI201 Command 'install-cert' ran successfully
  9. (Optional) Verify that the root certificate was properly installed.


    # ./wadm list-certs --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --token=internal --cert-type=ca 
    --config=da-2.example.com | grep -i open
    
    openSSLTestCA - sun

    The output indicates that the root certificate was properly installed.
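
The certificate steps are identical for Web Server 1 and Web Server 2, so the following script, added here as an example and not part of the Sun guide, drives them for either host and adds the checks a practitioner wants: the password file is created readable only by its owner and deleted on exit, the CN of the generated request is compared with the host name before the request leaves the machine (the da-2 sample request shown above actually encodes CN=da-1.example.com, which is exactly the slip this catches), and each installed certificate is confirmed by nickname in the list-certs output. The wadm options, paths, subject values and nicknames are the guide's; WADM, WS_HOST, WS_ADMIN_PASSWORD, WS_PASSWORD_FILE and the function names are assumptions of this script, and csr_cn needs openssl on the host.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: the certificate steps for one
# Web Server host (da-1 or da-2) with three extra checks: the password
# file is mode 0600 and removed on exit, the CSR's CN is compared with the
# host name before it goes to the CA, and each installed certificate is
# confirmed by nickname. wadm options, paths, subject values and nicknames
# are the guide's; WADM, WS_HOST, WS_ADMIN_PASSWORD, WS_PASSWORD_FILE and
# the function names are assumptions; csr_cn needs openssl on the host.

WADM=${WADM:-/opt/SUNWwbsvr/bin/wadm}
ADMIN_PORT=8989
PWFILE=${WS_PASSWORD_FILE:-/export/da80adm/admin.pwd}
CA_NICK=OpenSSLTestCA

# The guide's own da-1 sample request (it reprints the same bytes under
# da-2); kept here as test input for the CN check.
SAMPLE_CSR='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIB2DCCAUECAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRQwEgYDVQQHEwtTYW50YSBDbGFyYTEZMBcGA1UEChMQU3VuIE1pY3Jvc3lzdGVt
czEnMCUGA1UECxMeU3VuIERpc3RyaWJ1dGVkIEF1dGhlbnRpY2F0aW9uMRkwFwYD
VQQDExBkYS0xLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDGdeNgE00/6o3nrG38yatMhnrJeUVR86Pj5rBk282DQQfVenuWt0hL8Y6q9KvT
JQRoeclWMl94ZErdtNY0qKqXZBxhC0CCtiAvNHJAg8zErGTOADs6ptmXkzVRGBXE
b7zLOGlROnK9xAw0wms/aFsbA/Mb0zMI5PDztRAf5A8fIQIDAQABoAAwDQYJKoZI
hvcNAQEFBQADgYEAqap+9N/T+pzzAZL+EiG3rciKcG+Ij94Yk+3q0hMj3d3xer8Q
1shLAy4za9qHvOnT8M7hpKY6lpw4Y4N+w3eIgfDc3aCnz1Aot5Na4alWJZ81SUAZ
Fl6fD7CX7KMtF6Agfpi5OV+NdOiBL6tQ7F7G70c3pYV5MnQvYf5dnuiZEkQ=
-----END NEW CERTIFICATE REQUEST-----'

# Write the wadm password file readable only by its owner.
write_password_file() {   # $1 = path, $2 = password
    ( umask 077; printf 'wadm_password=%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Print the CN from a PEM CSR; prints nothing if openssl cannot parse it.
# Handles both the "/C=US/.../CN=x" and the "C = US, ..., CN = x" layouts.
csr_cn() {   # $1 = CSR file
    openssl req -noout -subject -in "$1" 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Fail (status 1) unless the CSR's CN is exactly the expected host name.
check_csr_cn() {   # $1 = CSR file, $2 = expected CN
    actual=$(csr_cn "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to send $1: CN='$actual', expected '$2'" >&2
        return 1
    fi
}

# Return 0 if nickname $2 is the first field of a line in list-certs
# output $1 (CA entries print as "openSSLTestCA - sun"; case-insensitive).
has_nickname() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        tolower($1) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

request_cert() {   # $1 = host, e.g. da-1.example.com; writes da-1.csr
    host=$1; short=${host%%.*}
    "$WADM" create-cert-request --user=admin --password-file="$PWFILE" \
        --host="$host" --port="$ADMIN_PORT" --key-type=rsa \
        --org="Sun Microsystems" --org-unit="Sun Distributed Authentication" \
        --locality="Santa Clara" --state=California --country=US \
        --config="$host" --token=internal --server-name="$host" \
        > "$short.csr"
    check_csr_cn "$short.csr" "$host"     # stop before the CA sees a bad CN
}

install_certs() {   # $1 = host; expects da-N.cer and ca.cer in the cwd
    host=$1; short=${host%%.*}
    for spec in "server:$short:$short.cer" "ca:$CA_NICK:ca.cer"; do
        type=${spec%%:*}; rest=${spec#*:}; nick=${rest%%:*}; file=${rest#*:}
        "$WADM" install-cert --user=admin --password-file="$PWFILE" \
            --config="$host" --port="$ADMIN_PORT" --token=internal \
            --cert-type="$type" --nickname="$nick" "$file"
        listing=$("$WADM" list-certs --user=admin --password-file="$PWFILE" \
            --config="$host" --token=internal --cert-type="$type")
        has_nickname "$listing" "$nick" ||
            { echo "$nick missing from list-certs --cert-type=$type" >&2; return 1; }
    done
}

# Usage: WS_HOST=da-1.example.com WS_ADMIN_PASSWORD=... sh ws-cert.sh request|install
if [ -n "${WS_HOST:-}" ] && [ -n "${1:-}" ]; then
    write_password_file "$PWFILE" "$WS_ADMIN_PASSWORD"
    trap 'rm -f "$PWFILE"' EXIT          # never leave the password behind
    trap 'exit 130' INT TERM
    case $1 in
        request) request_cert "$WS_HOST" ;;
        install) install_certs "$WS_HOST" ;;
        *) echo "usage: WS_HOST=host $0 request|install" >&2; exit 2 ;;
    esac
fi
```

Run it twice per host: request, then, once the CA has returned da-N.cer and ca.cer is in the working directory, install. The EXIT trap removes admin.pwd whether the wadm calls succeed or fail, which is the safer form of the manual clean-up step at the end of the listener procedure.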

Procedure: To Create an SSL Enabled HTTP Listener Port on Web Server 2

The wadm command line interface, bundled with the Web Server, is used in this procedure.

Before You Begin

This procedure assumes that you have just completed To Request and Install a Server Certificate and a Root Certificate for Web Server 2 and are still logged in as the da80adm user (not root), with the temporary password file still in place.

  1. Create an SSL enabled HTTP listener port on Web Server 2.


    # ./wadm create-http-listener --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --host=da-2.example.com --port=8989 
    --listener-port=1443 --config=da-2.example.com 
    --server-name=da-2.example.com 
    --default-virtual-server-name=da-2.example.com 
    http-listener-2
    
    CLI201 Command 'create-http-listener' ran successfully
  2. (Optional) Verify that the listener was created.


    # ./wadm get-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com 
    --http-listener=http-listener-2
    
    tls=true
    client-auth-timeout=60
    client-auth=false
    enabled=false
    ssl2=false
    max-client-auth-data=1048576
    tls-rollback-detection=true
    ssl3=true

    The output indicates that the listener was created. Note that enabled=false: SSL is not yet active on the listener and no server certificate is associated with it; the next steps do both.

  3. Enable SSL for the newly created HTTP listener port.


    # ./wadm set-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com 
    --http-listener=http-listener-2
    enabled=true
    
    CLI201 Command 'set-ssl-prop' ran successfully
  4. Associate the HTTP listener port with the nickname of the certificate.


    # ./wadm set-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com 
    --http-listener=http-listener-2
    server-cert-nickname=da-2
    
    CLI201 Command 'set-ssl-prop' ran successfully
  5. (Optional) Verify that SSL is enabled on the listener port and is associated with the server certificate.


    # ./wadm get-ssl-prop --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --config=da-2.example.com 
    --http-listener=http-listener-2
    
    tls=true
    server-cert-nickname=da-2
    client-auth-timeout=60
    client-auth=false
    enabled=true
    ssl2=false
    max-client-auth-data=1048576
    tls-rollback-detection=true
    ssl3=true

    The output indicates that SSL is enabled and da-2 is the associated certificate nickname. The default property values also leave SSL 3.0 enabled (ssl3=true) alongside TLS; if your security policy does not allow SSL 3.0, set the ssl3 property to false with set-ssl-prop before you deploy the configuration.

  6. Deploy the modified configuration.


    # ./wadm deploy-config --user=admin 
    --password-file=/export/da80adm/admin.pwd 
    --host=da-2.example.com --port=8989
    da-2.example.com
    
    CLI201 Command 'deploy-config' ran successfully
  7. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv ; ./startserv
    
    server has been shutdown
    
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://da-2.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-2.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup

    The output indicates that http-listener-2 is SSL-enabled and ready to accept requests on port 1443.

  8. Remove the temporary administration password file.


    # cd /export/da80adm
    # rm admin.pwd
    
  9. (Optional) Access https://da-2.example.com:1443 from a web browser to verify that the secure port can be invoked.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.
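
As an added example (not from the Sun guide), the script below checks get-ssl-prop output the way steps 2 and 5 do by eye, for Web Server 1 and Web Server 2 alike, and only deploys when the listener is enabled, bound to the expected certificate nickname and speaking TLS only. The property names are those in the guide's own output; the sample listings are the guide's before and after output for da-1. WADM, the function names, the policy that SSL 2.0 and SSL 3.0 must be off, and the final openssl s_client check are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: check what `wadm get-ssl-prop`
# reports for the new listener before deploy-config, and bring it to the
# wanted state. The property names are the ones the guide's own output
# shows (tls, ssl2, ssl3, enabled, server-cert-nickname); the sample
# outputs below are the guide's "before" and "after" listings for da-1.
# WADM, the function names and the rule that SSL 2.0/3.0 must be off are
# this script's assumptions; the procedure is the same for da-1 and da-2.

WADM=${WADM:-/opt/SUNWwbsvr/bin/wadm}
PWFILE=${WS_PASSWORD_FILE:-/export/da80adm/admin.pwd}
LISTENER=http-listener-2

# get-ssl-prop output right after create-http-listener (guide, step 2)
BEFORE='tls=true
client-auth-timeout=60
client-auth=false
enabled=false
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true'

# ... and after the guide's two set-ssl-prop calls (guide, step 5)
AFTER='tls=true
server-cert-nickname=da-1
client-auth-timeout=60
client-auth=false
enabled=true
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true'

# Value of property $2 in get-ssl-prop output $1 (empty if absent).
ssl_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# One line per deviation from: enabled, bound to nickname $2, TLS only.
listener_problems() {   # $1 = get-ssl-prop output, $2 = expected nickname
    [ "$(ssl_prop "$1" enabled)" = true ] ||
        echo "enabled=false: the listener will not serve SSL"
    [ "$(ssl_prop "$1" server-cert-nickname)" = "$2" ] ||
        echo "server-cert-nickname is '$(ssl_prop "$1" server-cert-nickname)', expected '$2'"
    [ "$(ssl_prop "$1" tls)" = true ] || echo "tls=false: TLS must stay on"
    [ "$(ssl_prop "$1" ssl2)" = false ] || echo "ssl2 is on"
    [ "$(ssl_prop "$1" ssl3)" = false ] ||
        echo "ssl3 is on: SSL 3.0 is obsolete, set ssl3=false"
}

# Number of problems as a bare integer (0 means the listener is deploy-ready).
problem_count() {
    listener_problems "$1" "$2" | awk 'END { print NR }'
}

# The guide's set-ssl-prop calls plus ssl2/ssl3 off, then re-check and deploy.
harden_listener() {   # $1 = host (also the config name), $2 = cert nickname
    for kv in enabled=true "server-cert-nickname=$2" ssl2=false ssl3=false; do
        "$WADM" set-ssl-prop --user=admin --password-file="$PWFILE" \
            --config="$1" --http-listener="$LISTENER" "$kv"
    done
    now=$("$WADM" get-ssl-prop --user=admin --password-file="$PWFILE" \
        --config="$1" --http-listener="$LISTENER")
    listener_problems "$now" "$2" >&2
    [ "$(problem_count "$now" "$2")" -eq 0 ] || return 1
    "$WADM" deploy-config --user=admin --password-file="$PWFILE" \
        --host="$1" --port=8989 "$1"
}

# After the instance restart: a handshake check against ca.cer from outside,
# which is stricter than clicking through a browser warning.
verify_from_outside() {   # $1 = host, $2 = CA certificate file
    echo | openssl s_client -connect "$1:1443" -servername "$1" -CAfile "$2" 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# Usage: WS_HOST=da-1.example.com sh ws-listener.sh [ca.cer]
if [ -n "${WS_HOST:-}" ]; then
    harden_listener "$WS_HOST" "${WS_HOST%%.*}" || exit 1
    [ -z "${1:-}" ] || verify_from_outside "$WS_HOST" "$1"
fi
```

Against the guide's own output, the listing taken right after create-http-listener reports three problems (not enabled, no certificate, SSL 3.0 on) and the listing after the two set-ssl-prop calls still reports one (SSL 3.0 on), so the script does not deploy until ssl3=false has been applied as well.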


Procedure: To Import the Root Certificate to the Web Server 1 JDK Certificate Store

Before You Begin

Copy ca.cer, the same CA root certificate used in 4.3 Enabling Secure Communication for the Directory Server User Data Instances, to the /export/WS7 directory on the da-1 host machine. The following steps import it into cacerts, the JDK certificate store.

  1. As a root user, log into the da-1 host machine.

  2. Import ca.cer into cacerts, the certificate store. changeit is the default password of the JDK cacerts keystore; if it has been changed on this host, use the current password. Before you answer yes to the Trust this certificate? prompt, compare the fingerprints shown with those obtained from the CA through an independent channel.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import 
    -trustcacerts -alias OpenSSLTestCA -file /export/WS7/ca.cer 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
    -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, 
    OU=am, O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, 
    OU=am, O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2008 until: 
     Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
     MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
     SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:
      A3:20:8C:BA
    
    Trust this certificate? [no]: yes
    
    Certificate was added to keystore
  3. (Optional) Verify that the root certificate was successfully imported.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
    -storepass changeit | grep -i open
    
    openssltestca, Jul 1, 2008, trustedCertEntry
  4. Restart the Web Server instance.


    # su da80adm
    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv ; ./startserv
    
    server has been shutdown
    
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://da-1.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-1.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup
  5. Log out of the da-1 host machine.

Procedure: To Import the Root Certificate to the Web Server 2 JDK Certificate Store

Before You Begin

Copy ca.cer, the same CA root certificate used in 4.3 Enabling Secure Communication for the Directory Server User Data Instances, to the /export/WS7 directory on the da-2 host machine. The following steps import it into cacerts, the JDK certificate store.

  1. As a root user, log into the da-2 host machine.

  2. Import ca.cer into cacerts, the certificate store. changeit is the default password of the JDK cacerts keystore; if it has been changed on this host, use the current password. Before you answer yes to the Trust this certificate? prompt, compare the fingerprints shown with those obtained from the CA through an independent channel.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import 
    -trustcacerts -alias OpenSSLTestCA -file /export/WS7/ca.cer 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
    -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, 
    OU=am, O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, 
    OU=am, O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2008 until: 
     Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
     MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
     SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:
      A3:20:8C:BA
    
    Trust this certificate? [no]: yes
    
    Certificate was added to keystore
  3. (Optional) Verify that the root certificate was successfully imported.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
    -storepass changeit | grep -i open
    
    openssltestca, Jul 1, 2008, trustedCertEntry
  4. Restart the Web Server instance.


    # su da80adm
    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv ; ./startserv
    
    server has been shutdown
    
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://da-2.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-2.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup
  5. Log out of the da-2 host machine.
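
The import above trusts whatever certificate is in ca.cer once you type yes. The script below, added as an example and not part of the Sun guide, makes that trust decision explicit for both da-1 and da-2: it reads the SHA1 fingerprint keytool prints for the file, compares it with a value obtained from the CA through an independent channel, and only then imports non-interactively. Paths, the alias and the sample keytool output are the guide's; KEYTOOL, CACERTS, EXPECTED_SHA1 and the function names are assumptions of this script. changeit is the JDK's default cacerts password and is kept here only because the guide uses it.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: import ca.cer into the Web
# Server JDK's cacerts only after its SHA1 fingerprint matches a value
# obtained out of band, rather than answering keytool's "Trust this
# certificate?" by eye. Paths, the alias and the sample keytool output are
# the guide's (the same on da-1 and da-2); KEYTOOL, CACERTS, EXPECTED_SHA1
# and the function names are assumptions of this script. "changeit" is the
# JDK's default cacerts password, kept only because the guide uses it.

KEYTOOL=${KEYTOOL:-/opt/SUNWwbsvr/jdk/jre/bin/keytool}
CACERTS=${CACERTS:-/opt/SUNWwbsvr/jdk/jre/lib/security/cacerts}
STOREPASS=${CACERTS_PASSWORD:-changeit}
ALIAS=OpenSSLTestCA

# What the guide shows keytool printing for ca.cer (test input).
SAMPLE_KEYTOOL='Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:41:51 PDT 2008 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
 MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:
  A3:20:8C:BA

Trust this certificate? [no]:'

# Canonical form of a fingerprint: hex only, upper-case, no separators.
norm_fp() { printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'; }

# SHA1 fingerprint from keytool -printcert/-import text, in canonical form.
# Tolerates the value being wrapped onto a continuation line as above.
sha1_from_keytool() {   # $1 = keytool output
    printf '%s\n' "$1" | awk '
        /SHA1:/ { sub(/.*SHA1:/, ""); fp = $0; grab = 1; next }
        grab && /^[ \t]*[0-9A-Fa-f:]+[ \t]*$/ { fp = fp $0; next }
        { grab = 0 }
        END { gsub(/[ \t:]/, "", fp); print toupper(fp) }'
}

# 0 if the SHA1 shown in keytool text $1 equals the pinned value $2.
fingerprint_matches() {
    [ -n "$2" ] && [ "$(sha1_from_keytool "$1")" = "$(norm_fp "$2")" ]
}

# Pin check first, then a non-interactive import and a listing of the alias.
import_pinned_ca() {   # $1 = ca.cer, $2 = expected SHA1 from an out-of-band source
    shown=$("$KEYTOOL" -printcert -file "$1")
    if ! fingerprint_matches "$shown" "$2"; then
        echo "$1: SHA1 $(sha1_from_keytool "$shown") does not match the pinned value; not importing" >&2
        return 1
    fi
    "$KEYTOOL" -import -noprompt -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$ALIAS"
}

# Usage: EXPECTED_SHA1=a4:27:... sh jdk-ca.sh /export/WS7/ca.cer
# (then restart the instance as in step 4 of the procedure)
if [ -n "${1:-}" ] && [ -n "${EXPECTED_SHA1:-}" ]; then
    import_pinned_ca "$1" "$EXPECTED_SHA1"
fi
```

The comparison is made on a normalized form, so the pinned value can be pasted with or without colons and in either case. Because the import uses -noprompt only after the check has passed, the script never answers the trust prompt for you on a mismatch.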