CHAPTER 6

Enabling Apache Web Servers

This chapter explains how to enable the Sun Crypto Accelerator 1000 board for use with Apache Web Servers. This chapter includes the following sections:

  • Enabling Apache Web Servers
  • Creating a Certificate

Enabling Apache Web Servers

Apache Web Server 1.3.12 is provided with the Solaris 8 7/01 operating environment. Apache Web Server 1.3.22 is provided with the Solaris 9 operating environment. The following instructions are for these specific releases of Apache Web Server. Refer to the Apache Web Server documentation for more information about using Apache Web Servers.


To Enable the Apache Web Server

1. Create an httpd configuration file.

For Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:

# cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf

2. Replace ServerName with your server name in the httpd.conf file.

3. Start sslconfig.

# /opt/SUNWconn/crypto/bin/sslconfig

4. Select 2 to configure your Apache Web Server to use SSL:

Sun Crypto Accelerator Installation
---------------------------------------------------------
This script will install the Sun Crypto Accelerator
cryptographic modules for iPlanet Web Server
or Apache.
 
Please select the type of web server you wish to configure
to use the Sun Crypto Accelerator:
---------------------------------------------------------
1. Configure iPlanet Web Server for SSL
2. Configure Apache for SSL
3. Work with iPlanet and Apache keys
 
Your selection (0 to quit): 2

5. Provide the directory where the Apache binaries exist.

On Solaris systems, this is usually /usr/apache.

Please enter the directory where the Apache
binaries and libraries exist [/usr/apache]: /usr/apache

6. Provide the location of the configuration files for Apache.

On Solaris systems, this is usually /etc/apache.

Please enter the directory where the Apache
configuration files exist [/etc/apache]: /etc/apache

7. Create an RSA keypair for your system.

If you choose not to create a keypair, you must go back later and use sslconfig to generate keys.

Do you wish to create a new RSA keypair and certificate request? [Y/N]:

If you answer No to this question, skip to To Create a Certificate.

8. Provide the directory for storing the keys.

If this directory does not exist, it is created.

Where would you like the keys stored? [/etc/apache/keys]: /etc/apache/keys

9. Choose a base name for the key material.

This name is appended with different suffixes to distinguish key files, certificate request files and later on, certificate files from one another.

Please choose a base name for the key and request file:

10. Provide a key length between 512 and 2048 bits.

sslconfig accepts key sizes from 512 to 2048 bits. When this chapter was written, 1024 bits was considered sufficiently strong for most web server applications; it no longer is. Publicly trusted certificate authorities have required a minimum of 2048 bits since 2014, and NIST guidance has not accepted 1024-bit RSA for new signatures since 2013, so choose 2048, the largest size the tool offers. A certificate authority may refuse a request made with a shorter key.

What size would you like the RSA key to be [1024]? 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
......++++++
e is 65537 (0x10001)

11. Create your PEM pass phrase.

This pass phrase protects the key material. Be sure to select a strong pass phrase, but one that you can remember. If you forget the pass phrase, you will be unable to access your keys.

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:




Caution - You must remember the pass phrase you enter. Without the pass phrase, you cannot access your keys. There is no way to retrieve a lost pass phrase.




Creating a Certificate

The following procedure describes how to create the certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 1000 board.


To Create a Certificate

1. Create a certificate request using the keys you just created.

You must first enter the password to access your keys. Then provide the appropriate information for the following fields:

  • Country Name: The two-letter ISO country code, asserted on the certificate; this field is required (for example, US for the United States)
  • State or Province Name: (Optional) The full name of the state or province (or type "." and press Return to leave it blank)
  • Locality: (Optional) City, county, principality, or country, asserted on the certificate if provided
  • Organization Name: The Organization to be asserted on the certificate
  • Organizational Unit Name: (Optional) The Organizational Unit to be asserted on the certificate
  • SSL Server Name: The fully qualified host name that visitors type into their browsers (www.fictional-company.com in the example below); it becomes the Common Name of the certificate, and browsers compare it with the host name in the URL, so it must match exactly
  • Email Address: Contact information for the requestor

The following is an example of how the certificate fields are entered:

Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:Fictional Company, Inc.
Organizational Unit Name (eg, section) []:Online Sales Division
SSL Server Name (eg, www.company.com) []:www.fictional-company.com
Email Address []:admin@fictional-company.com

2. Modify the /etc/apache/httpd.conf file as directed.

You are shown information concerning your key and certificate files. You are also instructed on how to modify the /etc/apache/httpd.conf file for use with the Sun Crypto Accelerator 1000 software.

The keyfile is stored in /etc/apache/keys/base_name-key.pem.
The certificate request is in /etc/apache/keys/base_name-certreq.pem.
 
You will need to edit /etc/apache/httpd.conf for the following items:
 
You must specify the ports that Apache will listen to for
SSL connections, as well as for non-SSL connections.  One
way to accomplish this is to add the following lines in
the Listen section:
 
Listen 80
Listen 443
 
In the LoadModule section, add the following:
 
LoadModule ssl_module /usr/apache/libexec/mod_ssl.so.version-number
 
In the AddModule section, add the following:
 
AddModule mod_ssl.c



Note - The correct version-number will be displayed for your configuration.



3. If you chose not to set up a VirtualHost, the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives must be placed in the httpd.conf file, just above the SSLPassPhraseDialog directive.

You may need a virtual host directive similar to
what is shown below:
 
<VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /etc/apache/keys/base_name-cert.pem
        SSLCertificateKeyFile /etc/apache/keys/base_name-key.pem
</VirtualHost>
 
You must add the following line after all of your VirtualHost definitions:
 
SSLPassPhraseDialog exec:/opt/SUNWconn/crypto/bin/sslpassword
 
Other SSL-related directives and their explanations
can be found in the Sun Crypto Accelerator documentation.
 
Other Apache-related directives may need to be configured
in order to start your Apache Web Server.  Please refer
to your Apache documentation.
 
<Press ENTER to continue>

If you answered no to the question in Step 7 of To Enable the Apache Web Server, you will also be given additional information on how to generate key material later:

Since you did not create keys, you will need to
make sure that you have a key file and a certificate
file in place before enabling SSL for Apache.
 
You can create a new key file and certificate request
by selecting the "Generate a keypair and request a
certificate for Apache" option after choosing
"Work with iPlanet and Apache keys" from the
sslconfig main menu.

4. Select 0 to quit when you finish with sslconfig.

5. Copy your certificate request, including its BEGIN and END header lines, from /etc/apache/keys/base_name-certreq.pem (where base_name was set in Step 9 of To Enable the Apache Web Server) and hand it off to your certificate authority.

6. Once the certificate is generated, create the certificate file /etc/apache/keys/base_name-cert.pem and paste your certificate into it.

7. Start the Apache Web Server.

This assumes your Apache binary directory is /usr/apache/bin. If this is not your binary directory, type in the correct directory.

# /usr/apache/bin/apachectl start

8. Enter your PEM pass phrase when prompted for it.

9. Verify the new SSL-enabled web server with a browser by going to the following URL:

https://server_name:server_port/

Note that the default server_port is 443.
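As an added example, not part of the Sun documentation or of the sslconfig tool, the following POSIX shell script checks the result of the two procedures above before the server is started in Step 7 and then performs the Step 9 verification without a browser. It assumes the chapter's default paths; the base name www, the environment variable names, the function names and the script name sslcheck.sh are hypothetical. sample_conf prints a constructed minimal httpd.conf in the layout the sslconfig output describes; check_conf tests a real httpd.conf for the same directives, uncommented and in the required order; check_key confirms the key file is readable by root only and still carries the PEM encryption header that a pass-phrase-protected key has (a key written without a pass phrase lacks it); check_pair and check_tls need openssl, and check_tls needs the server to be running.

```shell
#!/bin/sh
# Added example, not part of the Sun Crypto Accelerator documentation:
# checks to run after finishing both procedures in this chapter.
# Paths are the chapter's defaults; BASE is the base name chosen in
# Step 9 ("www" is a hypothetical value). On Solaris 8/9 put
# /usr/xpg4/bin first in PATH so that grep understands -q.
CONF=${CONF:-/etc/apache/httpd.conf}
KEYDIR=${KEYDIR:-/etc/apache/keys}
BASE=${BASE:-www}
APACHE_BIN=${APACHE_BIN:-/usr/apache/bin}

# sample_conf: constructed minimal httpd.conf showing every SSL directive
# the sslconfig output asks for, in the required order. sslconfig prints
# the real mod_ssl version-number for your system; it is left as a
# placeholder here.
sample_conf() {
cat <<EOF
ServerName www.fictional-company.com
Listen 80
Listen 443
LoadModule ssl_module /usr/apache/libexec/mod_ssl.so.version-number
AddModule mod_ssl.c
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile $KEYDIR/$BASE-cert.pem
    SSLCertificateKeyFile $KEYDIR/$BASE-key.pem
</VirtualHost>
SSLPassPhraseDialog exec:/opt/SUNWconn/crypto/bin/sslpassword
EOF
}

# check_conf FILE: every required directive present and not commented
# out, and SSLPassPhraseDialog placed after the last VirtualHost block,
# as the sslconfig output requires. Returns 0 when all checks pass.
check_conf() {
    f=$1; rc=0
    for d in 'Listen 443' 'LoadModule ssl_module' 'AddModule mod_ssl.c' \
             'SSLEngine on' 'SSLCertificateFile' 'SSLCertificateKeyFile' \
             'SSLPassPhraseDialog exec:'; do
        grep -q "^[^#]*$d" "$f" || { echo "missing directive: $d"; rc=1; }
    done
    vh=$(grep -n '^[^#]*</VirtualHost>' "$f" | tail -1 | cut -d: -f1)
    pp=$(grep -n '^[^#]*SSLPassPhraseDialog' "$f" | tail -1 | cut -d: -f1)
    if [ -n "$vh" ] && [ -n "$pp" ] && [ "$pp" -lt "$vh" ]; then
        echo "SSLPassPhraseDialog must follow the last VirtualHost"; rc=1
    fi
    return $rc
}

# check_key FILE: the private key must exist, be readable only by its
# owner (mode rw-------), and carry the PEM header that an encrypted,
# pass-phrase-protected key has. ls -l is used because stat(1) differs
# between Solaris and other systems.
check_key() {
    f=$1
    [ -f "$f" ] || { echo "no key file: $f"; return 1; }
    mode=$(ls -l "$f" | cut -c2-10)
    case $mode in
        rw-------) ;;
        *) echo "$f is mode $mode, expected rw-------"; return 1 ;;
    esac
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" ||
        { echo "$f is not pass-phrase protected"; return 1; }
}

# check_pair KEY CERT: the certificate pasted in Step 6 must belong to
# the key from Step 10; compare the RSA moduli (prompts for the pass
# phrase). Requires openssl.
check_pair() {
    km=$(openssl rsa -noout -modulus -in "$1") || return 1
    cm=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$km" = "$cm" ] || { echo "key and certificate do not match"; return 1; }
}

# check_tls HOST PORT: Step 9 without a browser; prints the certificate
# the running server actually serves. Requires openssl.
check_tls() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

case ${1:-} in
  check)
    check_conf "$CONF" &&
    check_key "$KEYDIR/$BASE-key.pem" &&
    check_pair "$KEYDIR/$BASE-key.pem" "$KEYDIR/$BASE-cert.pem" &&
    "$APACHE_BIN/apachectl" configtest &&
    check_tls "${2:-localhost}" "${3:-443}" ;;
  sample) sample_conf ;;
  *) echo "usage: $0 check [host [port]] | sample" ;;
esac
```

Run `sh sslcheck.sh check www.fictional-company.com 443` as root after Step 8; the chain stops at the first failing check, and `apachectl configtest` catches syntax errors in httpd.conf before the TLS probe runs. To check only the configuration before starting the server, source the script and call check_conf and check_key directly. `sh sslcheck.sh sample` prints the constructed configuration so it can be compared with your own.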