Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

How to Configure the SSL Kernel Proxy to Fall Back to the Apache 2.2 SSL

In this procedure, you configure an Apache 2.2 web server from scratch and configure the SSL kernel proxy as the primary SSL session-handling mechanism. When the set of SSL ciphers that the client offers does not include a cipher that the SSL kernel proxy offers, the Apache 2.2 web server serves as a fallback mechanism. This procedure implements the complex scenario that is illustrated in Kernel-Encrypted Web Server Communications With User-Level Fallback Option.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. On the Apache 2.2 web server, create a key certificate to be used by the server's SSL kernel proxy.
    1. Generate a Certificate Signing Request (CSR).

      The following command generates a CSR and associated private key for the SSL kernel proxy:

      # cd /root
      # openssl req \
      > -x509 -new \
      > -subj "/C=CZ/ST=Prague region/L=Prague/CN=`hostname`" \
      > -newkey rsa:2048 -keyout webkey.pem \
      > -out webcert.pem
      Generating a 2048 bit RSA private key
      .+++
      ........+++
      writing new private key to 'webkey.pem'
      Enter PEM pass phrase: JohnnyCashIsCool
      Verifying - Enter PEM pass phrase:  JohnnyCashIsCool
      #
      # chmod 440 /root/webcert.pem ; chown root:webservd /root/webcert.pem

      Note -  For FIPS 140-2 compliance, the minimum length RSA key is 2048. For more information, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.

      For more information, see the openssl(5) man page.

    2. Send the CSR to your certificate authority (CA).
    3. Replace the webcert.pem file with the signed certificate from your CA.
  2. Configure the SSL kernel proxy with a passphrase and the public/private key certificate.
    1. Create, save, and protect the passphrase.
      # echo "RefrigeratorsAreCool" > /root/kssl.pass
      # chmod 440 /root/kssl.pass; chown root:webservd /root/kssl.pass

      Note - The passphrase cannot contain any space characters.
    2. Combine the private key and the public key certificate into one file.
      # cat /root/webcert.pem /root/webkey.pem > /root/webcombo.pem
    3. Configure the SSL kernel proxy with the public/private key certificate and passphrase.
      # ksslcfg create -f pem -i /root/webcombo.pem -x 8443 -p /root/kssl.pass 443
  3. Configure the web server to listen on port 8443 for unencrypted communications.

    Edit the Listen line in the /etc/apache2/2.2/httpd.conf file.

    # pfedit /etc/apache2/2.2/httpd.conf
    ...
    ## Listen 80
    Listen 8443
  4. Add the SSL module template, ssl.conf, to the Apache configuration directory.
    # cp /etc/apache2/2.2/samples-conf.d/ssl.conf /etc/apache2/2.2/ssl.conf

    This module adds listening on port 443 for encrypted connections.

  5. Enable the web server to decrypt the passphrase in the /root/kssl.pass file.
    1. Create a shell script that reads the kssl.pass file.
      # pfedit /root/put-passphrase.sh
      #!/usr/bin/ksh -p
      ## Reads SSL kernel proxy passphrase
      /usr/bin/cat /root/kssl.pass
    2. Make the script executable and protect the file.
      # chmod 500 /root/put-passphrase.sh
      # chown webservd:webservd /root/put-passphrase.sh
    3. Modify the SSLPassPhraseDialog parameter in the ssl.conf file to call this shell script.
      # pfedit /etc/apache2/2.2/ssl.conf
      ...
      ## SSLPassPhraseDialog  builtin
      SSLPassPhraseDialog exec:/root/put-passphrase.sh
  6. Place the web server's public and private key certificates in the correct location.

    The values of the SSLCertificateFile and SSLCertificateKeyFile parameters in the ssl.conf file contain the expected placement and names. You can copy or link the certificates to the correct location.

    # ln -s  /root/webcert.pem /etc/apache2/2.2/server.crtSSLCertificateFile default location
    # ln -s /root/webkey.pem /etc/apache2/2.2/server.keySSLCertificateKeyFile default location
  7. Enable the Apache service.
    # svcadm enable apache22
  8. (Optional)Verify that the two ports are working.

    Use the openssl s_client and kstat commands to view the packets.

    1. Use a cipher that is available to the SSL kernel proxy.
      # openssl s_client -cipher RC4-SHA -connect web-server:443

      An increase of 1 to the kstat counter kssl_full_handshakes verifies that the SSL session was handled by the SSL kernel proxy.

      # kstat -m kssl -s kssl_full_handshakes
    2. Use a cipher that is not available to the SSL kernel proxy.
      # openssl s_client -cipher CAMELLIA256-SHA -connect web-server:443

      An increase of 1 to the kstat counter kssl_fallback_connections verifies that the packet arrived, but the SSL session was handled by the Apache web server.

      # kstat -m kssl -s kssl_fallback_connections
Example 1  Configuring an Apache 2.2 Web Server to Use the SSL Kernel Proxy

The following command creates a service instance for the SSL kernel proxy that uses the pem key format:

# ksslcfg create -f pem -i cert-and-key.pem -p kssl.pass -x 8443 443