
Creating Package Repositories in Oracle® Solaris 11.4


Updated: May 2020

Adding SSL Configuration to the Apache Configuration File

To use client-certificate-based authentication for your repository, first set up a generic depot server Apache configuration as described in "Depot Server Apache Configuration". Then add the following SSL configuration at the end of your httpd.conf file:

# Let Apache listen on the standard HTTPS port
Listen 443

# VirtualHost configuration for requests on port 443
<VirtualHost *:443>
        # DNS domain name of the server, needs to match your server certificate
        ServerName pkg-sec.example.com
        # enable SSL
        SSLEngine On

        # enable all available TLSv1 flavors, but not SSLv2 or SSLv3
        SSLProtocol all -SSLv2 -SSLv3

        # Location of the server certificate and key.
        # You either have to get one from a certificate signing authority like
        # VeriSign or create your own CA for testing purposes (see "Creating a
        # Self-Signed CA for Testing Purposes")
        SSLCertificateFile /path/to/server.crt
        SSLCertificateKeyFile /path/to/server.key

        # Intermediate CA certificate file. Required if your server certificate
        # is not signed by a top-level CA directly but an intermediate authority
        # Comment out this section if you are using a test certificate or your
        # server certificate doesn't require it.
        # For more info:
        # http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
        SSLCertificateChainFile /path/to/ca_intermediate.pem

        # CA certs for client verification.
        # This is where the CA certificate created in step 3 needs to go.
        # If you have multiple CAs for multiple repos, just concatenate the
        # CA certificate files
        SSLCACertificateFile /path/to/ca_cert.pem

        # If the client presents a certificate, verify it here. If it doesn't,
        # ignore.
        # This is required to be able to use client-certificate based and
        # anonymous SSL traffic on the same VirtualHost.
        # This statement could also go into the <Location> tags but putting it
        # here avoids re-negotiation which can cause security issues with older
        # servers/clients:
        # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
        SSLVerifyClient optional

        <Location /repo>
                SSLVerifyDepth 1
                # This is the SSL requirement for this location.
                # Requirements can be made based on various information encoded
                # in the certificate. Two variants are the most useful for use
                # with IPS repositories:
                # a) SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ )
                #    only allow access if the issuer CN in the client certificate
                #    matches "reponame", useful for different certificates for
                #    different repos
                # b) SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
                #    grant access if the client's certificate is signed by one of
                #    the CAs specified in SSLCACertificateFile
                SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )

                # proxy request to depot running at internal.example.com:12345
                ProxyPass http://internal.example.com:12345 nocanon max=500
        </Location>
</VirtualHost>
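
Because SSLVerifyClient optional lets the TLS handshake complete without a certificate, the SSLRequire line inside each <Location> is the only thing that denies anonymous clients. The following Python check is an added example, not part of the Oracle documentation; the /repo2 location, its port 12346 and the audit function are constructed for illustration.

```python
import re

# Constructed sample: /repo follows the page, /repo2 forgot its SSLRequire line.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine On
    SSLVerifyClient optional
    <Location /repo>
        SSLVerifyDepth 1
        SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
        ProxyPass http://internal.example.com:12345 nocanon max=500
    </Location>
    <Location /repo2>
        ProxyPass http://internal.example.com:12346 nocanon max=500
    </Location>
</VirtualHost>
"""

def audit(conf):
    """Return findings about client-certificate enforcement in httpd.conf text."""
    findings, blocks, location, seen, vhost_verify = [], [], None, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>\s]+)>", line, re.I)
        if opened:
            location, seen = opened.group(1), {}
        elif line.lower() == "</location>":
            blocks.append((location, seen))
            location = None
        elif not line.startswith("<"):
            name, args = (line.split(None, 1) + [""])[:2]
            if location is not None:
                seen[name.lower()] = args          # directive inside <Location>
            elif name.lower() == "sslverifyclient":
                vhost_verify = args.strip().lower()  # directive at VirtualHost level
    if vhost_verify not in ("optional", "require"):
        findings.append("VirtualHost: no client certificate is requested in the handshake")
    for path, seen in blocks:
        local = seen.get("sslverifyclient", "").strip().lower()
        gated = "SSL_CLIENT_" in seen.get("sslrequire", "") + seen.get("require", "")
        if "proxypass" in seen and not gated and "require" not in (vhost_verify, local):
            findings.append(f"{path}: proxied without a certificate requirement")
        if local:
            findings.append(f"{path}: SSLVerifyClient here can trigger renegotiation")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
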