Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: March 2018
 
 

How to Configure an Oracle iPlanet Web Server to Use the SSL Kernel Proxy

The SSL kernel proxy can improve the speed of SSL packet processing on an Oracle iPlanet Web Server. This procedure implements the simple scenario that is illustrated in Kernel-Encrypted Web Server Communications.

Before You Begin

You have installed and configured an Oracle iPlanet Web Server. The server can be downloaded from Oracle iPlanet Web Server (http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html?ssSourceSiteId=ocomen). For instructions, see Oracle iPLANET WEB SERVER 7.0.15 (http://docs.oracle.com/cd/E18958_01/index.htm).

You must become an administrator who is assigned the Network Security rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Stop the web server.

    Use the administrator web interface to stop the server. For instructions, see Oracle iPLANET WEB SERVER 7.0.15 (http://docs.oracle.com/cd/E18958_01/index.htm).

  2. Determine which parameters to use with the ksslcfg command.

    See the ksslcfg(1M) man page for the full list of options. For the list of parameters that you must supply, see Step 3 in How to Configure an Apache 2.2 Web Server to Use the SSL Kernel Proxy.

  3. Create the service instance for the SSL kernel proxy.

    Specify the SSL proxy port and associated parameters by using one of the following formats:

    • Specify PEM or PKCS #12 as the key format.
      # ksslcfg create -f key-format -i key-and-certificate-file \
      -p password-file -x proxy-port ssl-port
    • Specify PKCS #11 as the key format.
      # ksslcfg create -f pkcs11 -T PKCS11-token -C certificate-label \ 
      -p password-file -x proxy-port ssl-port
  4. Verify that the instance is online.
    # svcs svc:/network/ssl/proxy
    STATE          STIME    FMRI
    online         02:22:22 svc:/network/ssl/proxy:default
  5. Configure the web server to listen on the SSL proxy port.

    For instructions, see Oracle iPLANET WEB SERVER 7.0.15 (http://docs.oracle.com/cd/E18958_01/index.htm).

  6. Set an SMF dependency for the web server.

    The web server service can start only after the SSL kernel proxy instance is started. The following commands establish that dependency, assuming the FMRI of the web server service is svc:/network/http:webserver7:

    # svccfg -s svc:/network/http:webserver7
    svc:/network/http:webserver7> addpg kssl dependency
    ...webserver7> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
    ...webserver7> setprop kssl/grouping = astring: require_all
    ...webserver7> setprop kssl/restart_on = astring: refresh
    ...webserver7> setprop kssl/type = astring: service
    ...webserver7> end
  7. Enable the web server service.
    # svcadm enable svc:/network/http:webserver7