Copying and Creating Package Repositories in Oracle® Solaris 11.2


Updated: September 2014

Configuring HTTPS Repository Access

Any client can download packages from a repository that is configured to serve packages over HTTP. In some cases, you need to restrict access. One way to restrict access to the repository is to run the depot server behind an SSL-enabled Apache instance that supports client certificates.

Using SSL provides the following benefits:

  • Ensures encrypted transfer of package data between the client and the server

  • Enables you to grant access to repositories based on the certificate the client presents to the server

To set up a secure repository server, you must create a custom certificate chain:

  1. Create a certificate authority (CA), which is the head of the certificate chain.

  2. Issue certificates from this CA to the clients that are allowed to access the repository.

One copy of the CA is stored on the repository server. Whenever a client presents a certificate to the server, that client certificate is verified against the CA on the server to determine whether to grant access.
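The check described above can be reproduced offline. The following is an added example, not part of the original Oracle documentation. It assumes the `openssl` command-line tool, which this page does not name, and the names `repo-ca`, `client1`, `other-ca` and `outsider` are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, all inside a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate, the head of a certificate chain.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA NAME: client key and signing request, then a certificate
# for that request signed with the CA's private key.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# server_accepts CA CLIENT: succeeds only if the client certificate chains to
# the CA copy held by the server.
server_accepts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

report() {
    if server_accepts "$1" "$2"; then echo "$2: access granted"
    else echo "$2: access denied"; fi
}

make_ca repo-ca                 # CA whose certificate is stored on the server
issue_client repo-ca client1    # client authorized by the repository CA
make_ca other-ca                # unrelated CA the server does not trust
issue_client other-ca outsider  # valid certificate, but from the wrong CA

report repo-ca client1
report repo-ca outsider
```

The second certificate is well formed and correctly signed, yet it is rejected because its issuer is not the CA held by the server.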

This section describes the following steps to create the certificate chain and configure the Apache front end to verify client certificates:

  • Create a keystore

  • Create a certificate authority for client certificates

  • Add SSL configuration to the Apache configuration file

  • Create a self-signed server certificate authority

  • Create a PKCS12 keystore

For information about Apache web server privileges in Oracle Solaris, see "Locking Down Resources by Using Extended Privileges" in Securing Users and Processes in Oracle Solaris 11.2.