Sun WebServer 2.1 Installation Guide

SSL Requirements Overview

This section explains each of the major components required at your site to use Secure Sockets Layer (SSL) with web sites. This is intended to give you an overview of what you must have in place and how the components interact. A list of the procedures to follow to configure SSL is in the "SSL Configuration Procedures".

Before a web site can use SSL, it must have public and private keys for encryption and a PKCS#7 certificate which it can present to clients. The certificate contains the web site's identity (distinguished name), the identity of the issuer, the web site's public key, and the digital signature of the issuer. Public web sites typically get certificates signed by a third-party certificate authority (CA) such as VeriSign; if a client also has the public key of the third-party CA, it can trust that the site's identity has been verified and is authentic.


Note -

"Credentials" in this document refers to a key package -- public and private -- and an associated certificate.


Sun WebServer includes software for running a CA. The CA can create SSL credentials for web sites. Other tools allow you to install the web site's credentials for use by Sun WebServer, to get credentials signed by a third-party, and to install third-party certificates.

The following must be completed at your site to run SSL:

Root Certificate Authority (Root CA)

You need to create a Root CA at your site to create credentials for web sites. A Root CA user will create credentials for itself, and then use the credentials to create key packages and sign certificates for web servers in your network. You may store the credentials in the Federated Naming Service (FNS) for easy accessibility from other machines, or you can store them only in files on the Root CA machine to limit access. By default, they are stored in /var/fn.

The Root CA host (where credentials are created) does not need to be the same machine as Sun WebServer, and for security reasons you may want to run the Root CA on a different machine or a machine with no network access at all.

Root CA User

You can use any user name except for root (UID 0) on the Root CA host to be the Root CA user. The Root CA user is the only user that can create credentials for web sites. The Root CA user will have its own, password-protected credentials, which are used to sign all of the certificates it creates.

The Root CA credentials are bound to a distinguished name (DN) entry. All credentials are bound to a DN. The Root CA distinguished name uses the following attributes:

 Attribute                 Type Abbreviation   Example
 Common name               cn                  cn=rootca
 Email address             em                  em=rootca@A.net
 Serial number             serial              serial=no12345
 Organizational unit name  ou                  ou=web
 Organization name         o                   o=A.net
 Locality name             l                   l=internet
 State or province name    st                  st=California
 Country name              c                   c=US

The order of the attributes matters in the DN. The DN must begin with the most specific attribute and continue to the least specific. The attributes are listed in the table from most specific (common name) to least specific (country).
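The following Go program is an added example, not part of the Sun WebServer documentation or its CA tools. It encodes the ordering rule from the table: ComposeDN emits only the attributes it is given, always in the table's order (most specific first), and DNInOrder checks an existing DN string for that order and rejects attribute types the table does not list. The comma-separated "type=value" syntax, and the assumption that values contain no commas or escape sequences, are simplifications made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute types from the guide's table, most specific (cn) first and
// least specific (c) last; a DN must list its attributes in this order.
var dnOrder = []string{"cn", "em", "serial", "ou", "o", "l", "st", "c"}

// dnRank maps each attribute type to its position in dnOrder.
var dnRank = func() map[string]int {
	m := make(map[string]int, len(dnOrder))
	for i, a := range dnOrder {
		m[a] = i
	}
	return m
}()

// ComposeDN builds a DN string from attribute values, emitting only the
// types that are present and always in the table's order, so the result
// is correctly ordered whatever order the caller supplied the values in.
func ComposeDN(attrs map[string]string) string {
	parts := []string{}
	for _, a := range dnOrder {
		if v, ok := attrs[a]; ok && v != "" {
			parts = append(parts, a+"="+v)
		}
	}
	return strings.Join(parts, ", ")
}

// DNInOrder parses a comma-separated DN such as "cn=rootca, o=A.net, c=US"
// (assumed syntax; values must not contain commas) and reports whether its
// attributes run from most to least specific. A malformed attribute or an
// unknown attribute type is an error rather than a false result.
func DNInOrder(dn string) (bool, error) {
	last := -1
	for _, part := range strings.Split(dn, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return false, fmt.Errorf("malformed attribute %q", part)
		}
		r, ok := dnRank[strings.ToLower(kv[0])]
		if !ok {
			return false, fmt.Errorf("unknown attribute type %q", kv[0])
		}
		if r <= last { // not more specific than the attribute before it
			return false, nil
		}
		last = r
	}
	return true, nil
}

func main() {
	// Values supplied in arbitrary order; ComposeDN puts them in table order.
	dn := ComposeDN(map[string]string{"c": "US", "o": "A.net", "cn": "rootca", "em": "rootca@A.net"})
	fmt.Println(dn) // cn=rootca, em=rootca@A.net, o=A.net, c=US
	for _, d := range []string{dn, "c=US, cn=rootca"} {
		ok, err := DNInOrder(d)
		fmt.Printf("%-45q in order: %v (err: %v)\n", d, ok, err)
	}
}
```

Rejecting unknown attribute types, rather than ignoring them, is deliberate: a DN with an unexpected type is more likely a typo than a new requirement, and the credentials are bound to the DN exactly as written.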

All credentials are stored in a directory owned by the Root CA user, which should not be publicly readable. The Root CA user's credentials (as well as each web site's credentials) will be available through the Federated Naming Service (FNS).

Root CA Host

All computers that use SSL or key packages will need to have the security tools packages installed. There must be at least one machine, the Root CA host, where

The Root CA will create and store credentials for web sites on this host.

Running Sun WebServer on the Root CA host is not necessary. A Sun WebServer machine can get access to the credentials for web sites it hosts by copying the files from the Root CA host.

SSL-Enabled Sun WebServer

To support SSL for web sites, you need an instance of Sun WebServer that has all of the SSL packages and libraries available and has SSL enabled on a port for each IP address where SSL will be used.

Once credentials are created by the Root CA, the credentials must be installed on the Sun WebServer machine where the site is hosted.

Unique IP for Web Site

The Root CA user creates credentials for a web site, using the web site's host name and IP address. The credentials must be bound to a unique host name and IP address, so there must be a unique IP address with an SSL port for each SSL-enabled site.

Certificate Signing

When a client connects to an SSL-enabled port on a web site, it requests the site's credentials. To verify the credentials, they must be signed by a CA for which the client has a public key and which the client trusts.

Since most clients will not have your local Root CA's public key certificate as a trusted party, you will want to get site credentials signed by a well-known CA, such as VeriSign.
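The following Go program is an added example, not part of the guide and not Sun's CA tooling; it uses the standard crypto/x509 package to act out the relationship just described. BuildSiteCredentials plays the Root CA user: it creates self-signed Root CA credentials with the DN from the table, then a key pair and certificate for a web site, so the site certificate carries the site's identity, the issuer's identity, the site's public key and the issuer's signature, as the overview lists. VerifySite plays the client: the same site certificate is accepted when the local Root CA is in the client's trust store and rejected when it is not, which is why the guide recommends getting site credentials signed by a well-known CA. The host name www.a.net, the key sizes and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS#9 emailAddress OID; pkix.Name has no field for the table's "em".
var oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// The Root CA DN from the guide's table, as a pkix.Name.
var rootCASubject = pkix.Name{
	CommonName: "rootca", SerialNumber: "no12345",
	OrganizationalUnit: []string{"web"}, Organization: []string{"A.net"},
	Locality: []string{"internet"}, Province: []string{"California"}, Country: []string{"US"},
	ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: "rootca@A.net"}},
}

// issue signs tmpl under parent with the signer's private key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSiteCredentials plays the Root CA user: it creates self-signed Root CA
// credentials, then a key pair and a certificate for the web site host that
// carries the site's public key and the Root CA's signature. It returns the
// Root CA certificate and the site certificate; the private keys stay local.
func BuildSiteCredentials(host string) (*x509.Certificate, *x509.Certificate, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil {
		return nil, nil, err
	}
	siteKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().Add(-time.Hour) // small backdate tolerates clock skew
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: rootCASubject,
		NotBefore: now, NotAfter: now.Add(3 * 365 * 24 * time.Hour), // assumed validity
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, nil, err
	}
	siteTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"A.net"}, Country: []string{"US"}},
		DNSNames:     []string{host}, // the host name the credentials are bound to
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	site, err := issue(siteTmpl, root, &siteKey.PublicKey, rootKey) // signed by the Root CA
	if err != nil {
		return nil, nil, err
	}
	return root, site, nil
}

// VerifySite plays the client: it accepts the site's certificate only if the
// issuer's signature chains to a CA in the client's trust store and the
// certificate is bound to host. With no trusted CAs given, the local Root CA
// is unknown to the client, the situation the guide describes for most clients.
func VerifySite(site *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool, not nil: a nil Roots means "use system roots"
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := site.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, site, err := BuildSiteCredentials("www.a.net") // hypothetical site host
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer:", site.Issuer.CommonName, "subject:", site.Subject.CommonName)
	fmt.Println("client trusting the local Root CA:", VerifySite(site, "www.a.net", root))
	fmt.Println("client without the local Root CA:", VerifySite(site, "www.a.net"))
}
```

The second VerifySite call fails with an unknown-authority error even though the signature itself is valid: the client has no public key for the Root CA that signed the site's certificate, so it cannot establish that the identity was verified by anyone it trusts.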