Securing the Network in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

How to Configure an Apache 2.2 Web Server to Use the SSL Kernel Proxy

The SSL kernel proxy can improve the speed of SSL packet processing on an Apache 2.2 web server. This procedure implements the simple scenario that is illustrated in Figure 3–1.

Before You Begin

You have configured an Apache 2.2 web server. This web server is included in Oracle Solaris.

You must assume the root role.

  1. Stop the web server.
    # svcadm disable svc:/network/http:apache22
  2. Place the server private key and the server certificate in one file.

    If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for the SSL kernel proxy.

    If the SSLCertificateKeyFile parameter is also specified, then you must combine the certificate file and the private key file. Run a command similar to the following to combine the files:

    # cat cert.pem key.pem > cert-and-key.pem
  3. Determine which parameters to use with the ksslcfg command.

      See the ksslcfg(1M) man page for the full list of options. The parameters that you must supply follow:

    • key-format – Used with the –f option to define the certificate and key format. For the SSL kernel proxy, the supported formats are pkcs11, pem, and pkcs12.

    • key-and-certificate-file – Used with the –i option to set the location of the file that stores the server key and the certificate for the pem and pkcs12 key-format options.

    • password-file – Used with the –p option to obtain the password used to encrypt the private key for the pem or pkcs12 key-format options. For pkcs11, the password is used to authenticate to the PKCS #11 token. You must protect the password file with 0400 permissions. This file is required for unattended reboots.

    • token-label – Used with the –T option to specify the PKCS #11 token.

    • certificate-label – Used with the –C option to select the label in the certificate object in the PKCS #11 token.

    • proxy-port – Used with the –x option to set the SSL proxy port. You must specify a different port from the standard port 80. The web server listens on the SSL proxy port for unencrypted plaintext traffic. Typically, the value is 8443.

    • ssl-port – Specifies the listening port for the SSL kernel proxy. Typically, the value is 443.

  4. Create the service instance for the SSL kernel proxy.

    Specify the SSL proxy port and associated parameters by using one of the following formats:

    • Specify PEM or PKCS #12 as the key format.
      # ksslcfg create -f key-format -i key-and-certificate-file \
      -p password-file -x proxy-port ssl-port
    • Specify PKCS #11 as the key format.
      # ksslcfg create -f pkcs11 -T PKCS11-token -C certificate-label \ 
      -p password-file -x proxy-port ssl-port
  5. Verify that the service instance is online.
    # svcs svc:/network/ssl/proxy
    STATE          STIME    FMRI
    online         02:22:22 svc:/network/ssl/proxy:default

    The following output indicates that the service instance was not created:

    svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances
    STATE          STIME    FMRI
  6. Configure the web server to listen on the SSL proxy port.

    Edit the /etc/apache2/2.2/http.conf file and add a line to define the SSL proxy port. If you use the server's IP address, then the web server listens on that interface only. The line is similar to the following:

    Listen proxy-port
  7. Set an SMF dependency for the web server.

    The web server service can start only after the SSL kernel proxy instance is started. The following commands establish that dependency:

    # svccfg -s svc:/network/http:apache22
    svc:/network/http:apache22> addpg kssl dependency
    ...apache22> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
    ...apache22> setprop kssl/grouping = astring: require_all
    ...apache22> setprop kssl/restart_on = astring: refresh
    ...apache22> setprop kssl/type = astring: service
    ...apache22> end
  8. Enable the web server service.
    # svcadm enable svc:/network/http:apache22