Sun WebServer 2.1 Installation Guide

Enabling SSL on a Web Site

Enabling SSL on a web site requires installing the credentials on the machine where Sun WebServer is running, and configuring SSL on a port that the web site can use.

Installing Site Credentials

To Install Site Credentials on a Sun WebServer Machine
  1. Copy the directories where the site's credentials are stored to the Sun WebServer machine.

    If the Root CA machine and the Sun WebServer machine are the same, skip this step.

    You can move the directory to a floppy disk or other portable medium, or you can share the directory with the Sun WebServer machine over NFS.

    In either case, copy the directory you specified for the output of sslgencrd and all of its subdirectories. The directory should contain:

    • certs/IP_Address.CERT

    • keypkgs/IP_Address.KEYPKG

    where IP_Address is the address used by the web site.


    Note -

    The SSL script setup_creds has been renamed to sslgencrd.


  2. As root on the Sun WebServer machine, run /usr/http/bin/sslstore.


    Note -

    The SSL script install_certs has been renamed to sslstore.


    You will need to specify the path to the credentials, the IP address of the web site, and the user ID (uid) of the Sun WebServer process. For example


    # /usr/http/bin/sslstore -p /floppy/cert_floppy -i \
    121.122.123.12 0
    

    Valid options are:

    -c

    Reinstalls the local certificate. This option replaces a third-party certificate with the original self-signed certificate created by sslgencrd, so that self-signed certificate must still be present in the credentials directory. Specify the same credentials directory again with the -p option.


    Note -

    It is recommended that you save third-party certificates received from a CA in a file, because they cannot be recovered after they have been removed with the -c option.


    -i IP_Address

    Specifies the IP address of the web site for which credentials are being installed.

    uid

    User ID under which the web server process runs. This is given as the last argument, after the options (see the example above). The default uid is 0.

    -p path

    Certificates directory.

  3. Enter the key package password for this web site.

    This is the password specified in Step 8 of "Creating Credentials".


    /usr/bin/skilogin: Enter host key package password
    

    The credentials are now stored on the Sun WebServer machine. Follow the next procedure to configure the web site to use SSL.
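    The following pre-flight check, added here as an example and not part of the guide or of the Sun WebServer software, verifies that a credentials directory has the layout described in Step 1 (certs/IP_Address.CERT and keypkgs/IP_Address.KEYPKG) before sslstore is run, and assembles the sslstore command line from Step 2. The permission check on the key package file is an added hardening check that the guide does not require; the sample directory trees and the address 121.122.123.12 are constructed from the guide's example.

```python
"""Pre-flight check for a sslgencrd credentials directory (added example)."""
import os
import shlex
import shutil
import stat
import tempfile

SSLSTORE = "/usr/http/bin/sslstore"


def check_credentials_dir(base, ip_address):
    """Return a list of problems; an empty list means the layout is usable by sslstore."""
    problems = []
    cert = os.path.join(base, "certs", f"{ip_address}.CERT")
    keypkg = os.path.join(base, "keypkgs", f"{ip_address}.KEYPKG")
    for path in (cert, keypkg):
        if not os.path.isfile(path):
            problems.append(f"missing {os.path.relpath(path, base)}")
        elif os.path.getsize(path) == 0:
            problems.append(f"empty {os.path.relpath(path, base)}")
    # Added hardening check (not from the guide): the key package holds the
    # site's private key material, so it should be readable by its owner only.
    if os.path.isfile(keypkg):
        mode = stat.S_IMODE(os.stat(keypkg).st_mode)
        if mode & 0o077:
            problems.append(
                f"keypkgs/{ip_address}.KEYPKG is group/world accessible (mode {mode:o})"
            )
    return problems


def sslstore_command(path, ip_address, uid=0):
    """Build the sslstore argv as shown in the guide: -p path -i IP_Address uid."""
    return [SSLSTORE, "-p", path, "-i", ip_address, str(uid)]


def _write(path, data, mode):
    """Create a constructed sample file with the given permission bits."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def run_demo():
    """Build constructed credential trees in a temp dir, check them, and return the findings."""
    root = tempfile.mkdtemp(prefix="sws_creds_")
    ip = "121.122.123.12"  # constructed, taken from the guide's sslstore example
    cert_bytes = b"constructed certificate bytes"
    key_bytes = b"constructed key package bytes"
    good = os.path.join(root, "good")  # correct layout, key package owner-only
    _write(os.path.join(good, "certs", f"{ip}.CERT"), cert_bytes, 0o644)
    _write(os.path.join(good, "keypkgs", f"{ip}.KEYPKG"), key_bytes, 0o600)
    loose = os.path.join(root, "loose")  # correct layout, key package world-readable
    _write(os.path.join(loose, "certs", f"{ip}.CERT"), cert_bytes, 0o644)
    _write(os.path.join(loose, "keypkgs", f"{ip}.KEYPKG"), key_bytes, 0o644)
    missing = os.path.join(root, "missing")  # directory never populated
    results = {
        "good": check_credentials_dir(good, ip),
        "loose": check_credentials_dir(loose, ip),
        "missing": check_credentials_dir(missing, ip),
        "command": " ".join(shlex.quote(a) for a in sslstore_command(good, ip, 0)),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Run the check against the copied directory before invoking sslstore; an empty problem list for the directory you pass with -p means the files sslstore expects are in place.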

Configuring a Web Site for SSL

You must create a port on the web site's IP address that uses SSL. The default port used for SSL connections is 443.

These instructions assume you are using the Sun WebServer GUI. You can also configure the port by editing the configuration file for the web site's server instance (for example, /etc/http/sws_server.httpd.conf). Please refer to the man page for httpd.conf(4) if you choose to edit the configuration file.

To Configure a Web Site for SSL
  1. Connect to the Sun WebServer GUI and log in.

    For information on connecting, see Chapter 2, Configuring Sun WebServer.

  2. Find the server instance that hosts the web site in the Server List. Click the + to expand the folder if the configuration pages are not listed.

  3. If you do not know the IP address of the web site, choose the Web Sites page.

    The IP address(es) used by the web site are shown in the list.


    Note -

    The IP address must not be used by multiple web sites. The SSL certificate is bound to a unique IP address and host name.


  4. Click the IP/Ports page to add a port to the web site's IP address.

    The Network Connections list is displayed on the right, showing all of the IP addresses and ports used by this server instance.

  5. Click Add to create a Network Connection using the web site's IP address and port 443.

    The Network Connection Dialog opens.

  6. Fill in the IP Address and Port fields with the web site's IP address and the port on which you want SSL active (usually 443). Set the Timeout and whether you want to allow HTTP 1.0 Keepalive.

    If you are unsure about Timeout and Allow HTTP 1.0 Keepalive, click Help in the dialog. For best performance, set the Timeout to 300 seconds and allow HTTP 1.0 Keepalive.

  7. Select the Enable SSL check box.

  8. If you want to accept connections only from clients that have valid personal certificates, select the Require Client Certificate check box.

    For more information on this field, click Help.

  9. Set the cipher suites you want to enable.

    The server will negotiate with the client to use a common cipher suite. If the client and server have more than one suite in common, the strongest suite will be used.

    If you have the US/Canada encryption software, you may choose 128-bit, 40-bit, or both. Select both, unless you explicitly want to require a certain set from clients.

    If you have global encryption software, you can only use the 40-bit cipher suite. Select the 40-bit check box.


    Note -

    For domestic software, to ensure successful operation with various browsers, always include the strongest available cipher choice (SSL_RSA_WITH_RC4_128_MD5) in the ssl_ciphers attribute when you enable SSL on a port.


  10. Click OK to confirm your changes, then choose Save from the Web Server menu.

  11. If you are configuring SSL on the default site for the server instance, skip the remaining steps.

    The default site on a server listens to all connection endpoints defined for that server, so there is no need to add the new SSL connection to the web site.

  12. From the Server List, choose the Web Sites page and select the web site in the list. Choose Edit Web Site from the Edit menu.

    In the Edit Web Site dialog, find the SSL enabled network connection in the Available IP/Ports list of the IP/Ports section, and choose it. The connections are listed as IP_Address:Port combinations.

  13. Click < to move the connection into the Site Connections list.


    Note -

    This option is disabled for default sites because default sites automatically listen on all connection endpoints for the server. If you are configuring the default site for the server instance, skip steps 12 through 15.


  14. Click Save to save the web site changes.

  15. If you want the web site to be available only through SSL connections, remove all other ports from its Site Connections list.

    Continue with the next configuration procedure, "Requesting Signed Certificates".
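The cipher suite selection described in Step 9, worked through as an added example that is not part of the guide or of Sun WebServer: the server and client intersect their enabled suites and the strongest common suite wins, so a server that enables only the 128-bit suite turns away a client with global (40-bit only) encryption software. Of the suite names used here, only SSL_RSA_WITH_RC4_128_MD5 appears in the guide; SSL_RSA_EXPORT_WITH_RC4_40_MD5 is the standard SSLv3 name for a 40-bit RC4 export suite and is assumed to be the guide's "40-bit" choice. The audit function encodes the guide's note that domestic installations should always include the strongest suite. All client lists are constructed.

```python
"""Strongest-common-suite negotiation and an ssl_ciphers audit (added example)."""

# Effective key length per suite. The 128-bit name is from the guide; the
# export suite name is the standard SSLv3 identifier (assumed 40-bit choice).
KEY_BITS = {
    "SSL_RSA_WITH_RC4_128_MD5": 128,
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": 40,
}
STRONGEST = "SSL_RSA_WITH_RC4_128_MD5"


def negotiate(server_suites, client_suites):
    """Return the strongest suite both sides enable, or None if there is no common suite."""
    common = [s for s in client_suites if s in server_suites]
    if not common:
        return None  # handshake fails: no shared cipher suite
    # The guide: when more than one suite is shared, the strongest one is used,
    # regardless of the order in which the client listed them.
    return max(common, key=lambda s: KEY_BITS.get(s, 0))


def audit_ssl_ciphers(enabled, domestic=True):
    """Return a list of configuration problems for a port's enabled suite set."""
    problems = []
    if not enabled:
        problems.append("no cipher suites enabled; SSL clients cannot connect")
    unknown = sorted(set(enabled) - set(KEY_BITS))
    if unknown:
        problems.append(f"unrecognised suite names: {', '.join(unknown)}")
    if domestic and STRONGEST not in enabled:
        problems.append(f"domestic software should always enable {STRONGEST}")
    if not domestic and STRONGEST in enabled:
        problems.append(f"global software cannot use {STRONGEST}; only the 40-bit suite is available")
    return problems


def run_scenarios():
    """Constructed client/server combinations illustrating Step 9's guidance."""
    both = ["SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
    only_128 = ["SSL_RSA_WITH_RC4_128_MD5"]
    only_40 = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
    # Constructed clients: a domestic browser listing the weak suite first, and a global browser.
    domestic_client = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_RC4_128_MD5"]
    global_client = only_40
    return {
        "both/domestic": negotiate(both, domestic_client),   # strongest wins: 128-bit
        "both/global": negotiate(both, global_client),       # falls back to 40-bit
        "only_128/global": negotiate(only_128, global_client),  # None: client rejected
        "only_40/domestic": negotiate(only_40, domestic_client),  # 40-bit, weaker than needed
        "audit_only_40_domestic": audit_ssl_ciphers(only_40, domestic=True),
        "audit_both_domestic": audit_ssl_ciphers(both, domestic=True),
        "audit_empty": audit_ssl_ciphers([], domestic=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Selecting both suites on a domestic server, as Step 9 recommends, lets 128-bit-capable clients get the stronger suite while global clients still connect; enabling only the 128-bit suite is the configuration to choose when you deliberately want to refuse 40-bit clients.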