Sun WebServer Installation Guide

Enabling SSL on a Web Site

Enabling SSL on a web site requires three procedures: ensuring that the SSL packages are installed, installing the credentials on the machine where Sun WebServer is running, and configuring SSL on a port that the web site can use.

Creating Site Credentials

To Install Site Credentials on a Sun WebServer Machine
  1. The directory where the site's credentials are stored needs to be copied to the Sun WebServer machine.

    If the Root CA machine and the Sun WebServer machine are the same, skip this step.

    You can move the directory to a floppy disk or other portable medium, or you can share the directory with the Sun WebServer machine over NFS.

    In either case, copy the directory you specified for the output of setup_creds and all of its subdirectories. The directory should contain:

    • certs/IP_Address.CERT

    • keypkgs/IP_Address.KEYPKG

    where IP_Address is the address used by the web site.

  2. As root on the Sun WebServer machine, run /usr/http/bin/install_certs.

    You will need to specify the path to the credentials, the IP address of the web site, and the user ID (uid) of the Sun WebServer process. For example:

    # /usr/http/bin/install_certs -p /floppy/cert_floppy -i \
    121.122.123.12 0

  3. Enter the key package password for this web site.

    This is the password specified in Step 8 in "Creating Credentials".

    /usr/bin/skilogin: Enter host key package password


    The credentials are now stored on the Sun WebServer machine. Follow the next procedure to configure the web site to use SSL.
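As an added example (not part of the Sun WebServer guide), a POSIX sh script that pre-checks a setup_creds output directory before it is copied and handed to install_certs: it confirms the two files listed in Step 1 are present and that the key package is not readable by group or others. The function names and the permission check are my own; the script does not parse the files themselves.

```sh
#!/bin/sh
# Added example, not from the Sun WebServer guide: pre-flight checks on a
# setup_creds output directory before it is copied (Step 1) and passed to
# install_certs (Step 2). Usage: sh check_creds.sh DIR IP_ADDRESS

# Return 0 when DIR/certs/IP.CERT and DIR/keypkgs/IP.KEYPKG both exist as
# non-empty regular files; report each missing file and return 1 otherwise.
check_creds_dir() {
    dir=$1 ip=$2 status=0
    for f in "certs/$ip.CERT" "keypkgs/$ip.KEYPKG"; do
        if [ ! -f "$dir/$f" ] || [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            status=1
        fi
    done
    return $status
}

# The key package holds the site's private key. Return 0 only if its mode
# grants nothing to group or others (columns 5-10 of 'ls -l' are '------').
# ls is used because it behaves the same on old Solaris and current systems.
check_keypkg_mode() {
    pkg="$1/keypkgs/$2.KEYPKG"
    bits=$(ls -ld "$pkg" 2>/dev/null | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "key package $pkg is group/world accessible (mode bits '$bits')" >&2
        return 1
    fi
    return 0
}

# Run both checks; exit status 0 means the directory is ready to copy to the
# Sun WebServer machine (hypothetical wrapper, not an install_certs option).
check_site_creds() {
    check_creds_dir "$1" "$2" && check_keypkg_mode "$1" "$2"
}

if [ $# -eq 2 ]; then
    check_site_creds "$1" "$2"
fi
```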

Configuring a Web Site for SSL

You must create a port on the web site's IP address that uses SSL. The default port used for SSL connections is 443.

These instructions assume you are using the Sun WebServer Administration Console. You can also configure the port by editing the configuration file for the web site's server instance (for example, /etc/http/sws_server.httpd.conf). Please refer to the man page for httpd.conf(4) if you choose to edit the configuration file.

To Configure A Web Site for SSL:
  1. Connect to the Sun WebServer Administration Console and log in.

    For information on connecting, see Chapter 2, Configuring the Administration Server.

  2. Find the server instance that hosts the web site in the Server List. Click on the + to expand the folder if the configuration pages are not listed.

  3. If you do not know the IP address of the web site, choose the Web Sites page.

    The IP address(es) used by the web site are shown in the list.


    Note - The IP address must not be used by multiple web sites. The SSL certificate is bound to a unique IP address and host name.


  4. Click the IP/Ports page to add a port to the web site's IP address.

    The Network Connections list is displayed on the right, showing all of the IP addresses and ports used by this server instance.

  5. Click on Add to create a Network Connection using the web site's IP address and port 443.

    The Network Connection Dialog opens.

  6. Fill in the IP Address and Port fields with the web site's IP address and the port on which you want SSL active (usually 443). Set the Timeout and whether you want to Allow HTTP 1.0 Keepalive.

    If you are unsure about Timeout and Allow HTTP 1.0 Keepalive, click on Help in the dialog. For adequate performance, set the Timeout to 300 seconds and allow HTTP 1.0 Keepalive.

  7. Click the Enable SSL box.

  8. If you want to accept connections only from clients that have valid personal certificates, click the Require Client Certificate box.

    For more information on this field click on Help in the dialog.

  9. Set the cipher suites you want to enable.

    The server will negotiate with the client to use a common cipher suite. If the client and server have more than one suite in common, the strongest suite will be used.

    If you have the US/Canada encryption software, you may choose 128-bit, 40-bit, or both. Select both, unless you explicitly want to require a certain set from clients.

    If you have global encryption software, you can only use the 40-bit cipher suite. Click the 40-bit box.

  10. Click on OK to save your changes, then choose Server->Save IP/Ports.

  11. If you are configuring SSL on the default site for the server instance, skip the remaining steps.

    The default site on a server listens to all connection endpoints defined for that server, so there is no need to add the new SSL connection to the web site.

  12. From the Server List, choose the Web Sites page and select the web site in the list. Choose Server->Edit Web Site.

    In the Edit Web Site dialog, find the SSL enabled network connection in the Connections list and choose it. The connections are listed as IP_Address:Port combinations.

  13. Click on > to move the connection into the Site Connections list.


    Note - This option is disabled for default sites because default sites automatically listen on all connection endpoints for the server. If you are configuring the default site for the server instance, skip steps 12 through 15.

  14. Click on Save to confirm the web site changes.

  15. Select Server->Save to save your changes.

    Continue with the next configuration procedure, "Requesting Signed Certificates".