The SSL kernel proxy works in zones with the following limitations:
All of the kernel SSL administration must be done in the global zone. The global zone administrator needs access to the local zone certificate and key files. You can start the web server in the non-global zone after you configure the service instance with the ksslcfg command in the global zone.
A specific host name or IP address must be specified with the ksslcfg command when you configure the instance. In particular, the instance cannot specify INADDR_ANY for the IP address.
Before You Begin
The web server service is configured and enabled in the non-global zone.
You must become an administrator who is assigned the Network Security and Zone Management rights profiles. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
For example, to stop an Apache web server in the apache-zone zone, run the following command:
apache-zone # svcadm disable svc:/network/http:apache22
To create a service instance for the apache-zone zone, use a command similar to the following:
# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem \
-p /zone/apache-zone/root/skppass -x 8443 apache-zone 443
For example, to enable the web service in the apache-zone zone, run the following command:
apache-zone # svcadm enable svc:/network/http:apache22
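The following pre-flight check for the ksslcfg create step is an added example, not part of the Oracle documentation. It enforces the two zone limitations listed above (a specific host instead of INADDR_ANY, and key and password files that the global zone administrator can read) and prints the command only when they hold. The function names, the world-readable check and the distinct-port check are assumptions of this example, not ksslcfg requirements.

```shell
#!/bin/sh
# Added example: validate arguments before running ksslcfg in the global zone.
# Usage: kssl_zone_cmd HOST KEYFILE PASSFILE PROXY_PORT SSL_PORT
# Prints the ksslcfg command on success; returns non-zero on any failed check.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

kssl_zone_cmd() {
    host=$1 key=$2 pass=$3 proxy=$4 ssl=$5

    # A zone instance cannot use INADDR_ANY; "::" is the IPv6 equivalent
    # and is rejected here as an addition of this example.
    case "$host" in
        ''|0.0.0.0|INADDR_ANY|::)
            echo "error: a specific host name or IP address is required" >&2
            return 1 ;;
    esac

    # The global zone administrator must be able to read both files.
    for f in "$key" "$pass"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "error: cannot read $f" >&2
            return 1
        fi
        # Hygiene check added by this example: the key pair and its
        # password file should not be readable by "other".
        if [ -n "$(find "$f" -perm -004 -print)" ]; then
            echo "error: $f is world-readable" >&2
            return 1
        fi
    done

    # The proxy port (web server) and the SSL port (kernel proxy) must differ.
    if ! valid_port "$proxy" || ! valid_port "$ssl" || [ "$proxy" -eq "$ssl" ]; then
        echo "error: need two distinct ports in the range 1-65535" >&2
        return 1
    fi

    echo "ksslcfg create -f pem -i $key -p $pass -x $proxy $host $ssl"
}
```

With the paths from the procedure above, a successful call would be kssl_zone_cmd apache-zone /zone/apache-zone/root/keypair.pem /zone/apache-zone/root/skppass 8443 443.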