CHAPTER 5

Installing and Configuring iPlanet Web Server 6.0

This chapter explains how to enable the Sun Crypto Accelerator 1000 board for use with iPlanet 6.0 Web Servers. This chapter includes the following sections:

  • Installing iPlanet Web Server 6.0
  • Configuring iPlanet Web Server 6.0


Installing iPlanet Web Server 6.0

You must perform these procedures in order. Refer to the iPlanet Web Server documentation for more information about using iPlanet Web Servers.


To Install iPlanet Web Server 6.0

1. Download the iPlanet Web Server 6.0 software.

You can find the web server software at the following URL:

http://www.iplanet.com

2. Install the web server.

These instructions cover one example configuration; you may decide to configure your web server differently. The default path name for the server is: /usr/iplanet/servers

Accept the default path during the iPlanet Web Server installation. This book refers to these default paths. If you decide to install it in a different location, be sure to note where you installed it.

3. Run the setup program.

4. Answer the prompts in the installation script.

Except for the following prompts, you can accept the defaults for ease of use:

a. Agree to accept the license terms by typing yes.

b. Enter a fully qualified hostname.domain.

c. Enter the iWS administration server password twice.

d. Press Return when prompted.


To Create a Trust Database

1. Start the administration server.

To start an iPlanet Web Server, use the following command (instead of running startconsole as setup requests):

# /usr/iplanet/servers/https-admserv/start
iPlanet-WebServer-Enterprise/6.0SP1 B08/20/2001 00:58
warning: daemon is running as super-user
[LS ls1] http://hostname.domain/port 8888 ready to accept requests
startup: server started successfully

The response provides the URL for connecting to your servers.

2. Start the iPlanet administration server by opening up a web browser and entering:

http://hostname.domain:admin_port

In the pop-up window, enter the iWS administration server username and password you selected while running setup.



Note - If you used the default settings during iPlanet Web Server setup, enter the word admin for the User ID or the iWS administration server username.



3. Click OK.

4. Create the trust database for the web server instance.

You might want to enable security on more than one web server instance. If so, repeat this process for each web server instance.



Note - If you want to run SSL on the administration server as well, the process of setting up a trust database is similar. Refer to the iPlanet documentation for more information.



a. Click the Servers tab in the administration server.

b. Select a server and click the Manage button.

c. Click the Security tab near the top of the page and select the Create Database link.

d. Enter a password (web server trust database) in the two dialog boxes and click OK.

Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the iPlanet Web Server runs in secure mode.

5. Execute the following script to enable the Sun Crypto Accelerator 1000 board:

# /opt/SUNWconn/crypto/bin/sslconfig

This script prompts you to choose a web server. It installs the Sun Crypto Accelerator 1000 cryptographic modules for the iPlanet Web Server or Apache Web Server. The script then updates the configuration files to enable the Sun Crypto Accelerator 1000 board.

6. Type 1 to configure your iPlanet Web Server to use SSL and press Enter.

Sun Crypto Accelerator Installation
---------------------------------------------------------
This script will install the Sun Crypto Accelerator
cryptographic modules for iPlanet Web Server
or Apache.
 
Please select the type of web server you wish to configure
to use the Sun Crypto Accelerator:
---------------------------------------------------------
1. Configure iPlanet Web Server for SSL
2. Configure Apache for SSL
3. Work with iPlanet and Apache keys
Your selection (0 to quit): 1

7. Enter the path of the web server root directory when prompted and press Enter.

Please enter the full path of the web server
root directory [/usr/iplanet/servers]: /usr/iplanet/servers

8. Type y and press Enter when prompted, if you want to proceed.

This script will update your iPlanet Web Server installation
in /usr/iplanet/servers to use the Sun Crypto Accelerator
You will need to restart your admin server after this has completed.
Ok to proceed? [Y/N]: y
 
Using database directory /usr/iplanet/servers/alias...
Module "Sun Crypto Accelerator" added to database.
/usr/iplanet/servers has been configured to use
the Sun Crypto Accelerator.
 
 
<Press ENTER to continue>

9. Type 0 to quit.


To Generate a Server Certificate

1. Restart the administration server by typing the following commands:

# /usr/iplanet/servers/https-admserv/stop
# /usr/iplanet/servers/https-admserv/start

2. To request the server certificate, click the Security tab near the top of this page.

The Create Trust Database window is displayed.

3. Select the Request a Certificate link on the left frame.

 

[Screenshot of the Create Trust Database window of the Netscape Web Server Enterprise Edition graphical user interface.]

4. Fill out the form to generate a certificate request, using the following information:

a. Select a New Certificate.

If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, choose CA Email Address and enter the email address to which you would like the certificate request to be sent.

b. Select the Cryptographic Module you want to use.

Each realm has its own entry in this pull-down menu. Be sure that you select the correct realm. To use the Sun Crypto Accelerator 1000, you must select a module in the form of user@realm-name.

c. In the Key Pair File Password dialog box, provide the password for the user@realm-name that will own the key.

d. Provide the appropriate information for the following fields:

    • Requestor Name: Contact information for the requestor
    • Telephone Number: Contact information for the requestor
    • Common Name: The website domain that a visitor types in a browser (hostname.domain)
    • Email Address: Contact information for requestor
    • Organization: A value for the Organization to be asserted on the certificate
    • Organizational Unit: (Optional) A value for the Organizational Unit that will be asserted on the certificate
    • Locality: (Optional) City, county, principality, or country, which is also asserted on the certificate if provided
    • State: (Optional) The full name of the state
    • Country: The two-letter ISO code for the country (for example, the United States is US)

e. Click the OK button to submit the information.

5. Use a certificate authority to generate the certificate.

  • If you choose to post your certificate request to a CA URL, the certificate request is automatically posted there.
  • If you choose the CA Email Address, copy the certificate request that was mailed to you with the headers and hand it off to your certificate authority.

6. Once the certificate is generated, copy it, along with the headers, to the clipboard.

Note that the certificate is different from the certificate request and is usually presented to you in text form.
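
The distinction drawn in Step 6, as an added example that is not part of the original Sun documentation: a Python check to run on the copied text before pasting it into the Install Certificate form. The names classify_paste, wrap, and SAMPLE_B64 are assumptions made for illustration, and the sample body is a constructed 5-byte placeholder, not a real certificate.

```python
import base64
import re

# Matches one PEM block, including the BEGIN/END header lines.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)

# Labels commonly seen on certificates and requests (hypothetical helper table).
KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "request",
    "NEW CERTIFICATE REQUEST": "request",
}


def classify_paste(text):
    """Return (kind, problems) for text copied from a CA reply or e-mail."""
    match = PEM_RE.search(text)
    if match is None:
        return "unknown", ["no BEGIN/END header lines found; copy them too"]
    begin, body, end = match.groups()
    problems = []
    if begin != end:
        problems.append(f"BEGIN {begin!r} does not match END {end!r}")
    kind = KINDS.get(begin, "unknown")
    if kind == "request":
        problems.append("this is the certificate request, not the certificate")
    elif kind == "unknown":
        problems.append(f"unexpected label {begin!r}")
    try:
        # Mail clients re-wrap lines, so drop all whitespace before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        problems.append("body is not valid base64 (truncated or altered)")
    else:
        if not der.startswith(b"\x30"):  # DER certificates start with SEQUENCE
            problems.append("decoded body is not an ASN.1 SEQUENCE")
    return kind, problems


# Constructed sample: a 5-byte DER placeholder, not a real certificate.
SAMPLE_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()


def wrap(label, b64=SAMPLE_B64):
    """Wrap a base64 body in BEGIN/END header lines for the given label."""
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    for sample in (wrap("CERTIFICATE"), wrap("NEW CERTIFICATE REQUEST"),
                   SAMPLE_B64, wrap("CERTIFICATE", SAMPLE_B64[:-3])):
        print(classify_paste(sample))
```

An empty problem list with kind "certificate" means the text has matching headers and a decodable body; it does not validate the certificate's contents or issuer.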


To Install the Server Certificate

1. Select the Install Certificate link on the left side of the page.

Once your request has been approved by a certificate authority and a certificate has been issued, you must install it in the iPlanet Web Server.

2. Select the Security tab.

3. On the left frame, choose the Install Certificate link.

 

[Screenshot of the Install Certificate window of the Netscape Web Server Enterprise Edition graphical user interface.]

4. Fill out the form to install your certificate:

  • Certificate For: This Server
  • Cryptographic Module: Select the appropriate user@realm-name.
  • Key Pair File Password: Provide the password for the user@realm-name that owns the key that was generated earlier.
  • Certificate Name: In most cases, you can leave this blank. If you choose to provide a name, it will alter the name the web server uses to access the certificate and key when running with SSL support.

5. Choose Message text (with headers) and paste the certificate you copied earlier.

6. Click the OK button at the bottom of the page.

7. Paste the certificate you copied from the certificate authority into the Message box.

You are shown some basic information about the certificate.

8. If everything looks correct, click the Add Server Certificate button.

On-screen messages tell you to restart the server. This is not necessary as the web server instance has been shut down the entire time. You are also notified that in order for the web server to use SSL the web server must be configured to do so. Use the following procedure to configure the web server.


Configuring iPlanet Web Server 6.0

Now that your web server and the Server Certificate are installed, you must configure the web server for SSL.


To Configure the iPlanet Web Server 6.0

1. Click the Preferences tab near the top of the page.

2. Select the Edit Listen Sockets link on the left frame.

The main frame lists all the listen sockets set for the web server instance.

a. Alter the following fields:

    • Port: Set to the port on which you will be running your SSL-enabled web server (usually this is port 443).
    • Security: Set to On.

b. Click the OK button to apply these changes.

In the security field of the Edit Listen Sockets page, there should now be an Attributes link.

3. Click the Attributes link.

4. Enter the user@realm-name password to authenticate to the user@realm-name on the system.

5. Select SSL settings from the pop-up window.

You can choose Cipher Default settings, SSL2, or SSL3/TLS. The default choice does not show the default settings. The other two choices require you to select the algorithms you want to enable.

6. Select the certificate for the user@realm-name followed by: Server-Cert (or the name you chose if it is different).

Only keys that the appropriate user@realm-name owns appear in the Certificate Name field.

7. When you have chosen a certificate and confirmed all the security settings, click the OK button.

8. Click the Apply link in the far upper right corner to apply these changes before you start your server.

9. Click the Load Configuration Files link to apply the changes.

You are redirected to a page that allows you to start your web server instance.

If you click the Apply Changes button when the server is off, a pop-up window prompts you for a password. This window is not resizable, and you might have problems submitting the change.

There are two workarounds for the problem noted above:

  • Click the Load Configuration Files link instead.
  • Start up the web server first, and then click the Apply Changes button.

10. Provide the requested passwords in the dialog boxes to start the server.

You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.

11. At the Module user@realm-name prompt, enter the password you set when you created the user in the realm-name using secadm.

12. Verify the new SSL-enabled web server at the following URL:

https://hostname.domain:server_port/

Note that the default server_port is 443.