Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

How to Use the SSL Kernel Proxy in Zones

    The SSL kernel proxy works in zones with the following limitations:

  • All of the kernel SSL administration must be done in the global zone. The global zone administrator needs access to the local zone certificate and key files. You can start the web server in the non-global zone after you configure the service instance with the ksslcfg command in the global zone.

  • A specific host name or IP address must be specified with the ksslcfg command when you configure the instance. In particular, the instance cannot specify INADDR_ANY for the IP address.

Before You Begin

The web server service is configured and enabled in the non-global zone.

You must become an administrator who is assigned the Network Security and Zone Management rights profiles. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. In the non-global zone, stop the web server.

    For example, to stop an Apache web server in the apache-zone zone, run the following command:

    apache-zone # svcadm disable svc:/network/http:apache22
  2. In the global zone, create the service instance for the SSL kernel proxy in the zone.

    To create a service instance for the apache-zone, use a command similar to the following:

    # ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem \
    -p /zone/apache-zone/root/skppass -x 8443 apache-zone 443
  3. In the non-global zone, enable the web service instance.

    For example, enable the web service in apache-zone.

    apache-zone # svcadm enable svc:/network/http:apache22