CHAPTER 6
Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board
This chapter explains how to configure the Sun Crypto Accelerator 4000 board for use with Apache Web Servers. This chapter includes the following sections:
If you plan to use the Apache Web Server, you must also install Patch 109234-09. Once the SUNWkcl2a package is added, the system will be configured with Apache Web Server mod_ssl 1.3.26.
Note - The bulk encryption feature for Apache Web Server software is enabled by default and cannot be disabled.
This section provides an overview of how to enable the Sun Crypto Accelerator 4000 board for use with Apache Web Servers.
Apache Web Server 1.3.26 or later is required for use with the Sun Crypto Accelerator 4000 board. The following instructions are for the 1.3.26 release of Apache Web Server. Refer to the Apache Web Server documentation for more information about using Apache Web Servers.
1. Create an httpd configuration file.
For Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:
# cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf
2. Replace ServerName with your server name in the httpd.conf file.
3. Start the apsslcfg utility.
# /opt/SUNWconn/cryptov2/bin/apsslcfg
4. Select 1 to configure your Apache Web Server to use SSL:
5. Provide the directory where the Apache binaries exist.
On Solaris systems, this is usually /usr/apache.
Please enter the directory where the Apache binaries and libraries exist [/usr/apache]: /usr/apache
6. Provide the location of the configuration files for Apache.
On Solaris systems, this is usually /etc/apache.
Please enter the directory where the Apache configuration files exist [/etc/apache]: /etc/apache
7. Create an RSA keypair for your system.
If you choose not to create a keypair, you must go back later and use apsslcfg to generate keys.
Do you wish to create a new RSA keypair and certificate request? [Y/N]:
If you answer No to this question, skip to To Create a Certificate.
8. Provide the directory for storing the keys.
If this directory does not exist, it is created.
Where would you like the keys stored? [/etc/apache/keys]: /etc/apache/keys
9. Choose a base name for the key material.
Different suffixes are appended to this name to distinguish key files, certificate request files, and, later on, certificate files from one another.
Please choose a base name for the key and request file: base_name
10. Provide a key length between 512 and 2048 bits.
For most web server applications, 1024 bits is sufficiently strong, but you can choose stronger keys if preferred.
11. Create your PEM pass phrase.
This pass phrase protects the key material. Be sure to select a strong pass phrase, but one that you can remember. If you forget the pass phrase, you will be unable to access your keys.
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Caution - You must remember the pass phrase you enter. Without the pass phrase, you cannot access your keys. There is no way to retrieve a lost pass phrase.
The following procedure describes how to create the certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 4000 board.
1. Create a certificate request using the keys you created in To Enable the Apache Web Server.
You must first enter the password to access your keys. Then provide the appropriate information for the following fields:
The following is an example of how the certificate fields are entered:
2. Modify the /etc/apache/httpd.conf file as directed.
You are shown information concerning your key and certificate files. You are also instructed on how to modify the /etc/apache/httpd.conf file for use with the Sun Crypto Accelerator 4000 software.
Note - The correct version-number will be displayed for your configuration.
3. If you chose not to set up a VirtualHost, you must place the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives in the httpd.conf file, just above the SSLPassPhraseDialog directive.
If you answered no to the question in Step 7 of To Enable the Apache Web Server, you will also be given additional information on how to generate key material later:
4. Select 0 to quit when you finish with apsslcfg.
5. Copy your certificate request with the headers from /etc/apache/keys/base_name-certreq.pem (where base_name was set in Step 9 of To Enable the Apache Web Server) and hand it off to your certificate authority.
6. Once the certificate is generated, create the certificate file /etc/apache/keys/base_name-cert.pem and paste your certificate into it.
7. Start the Apache Web Server.
This assumes your Apache binary directory is /usr/apache/bin. If this is not your binary directory, type in the correct directory.
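The following script is an added example, not part of the Sun documentation or the apsslcfg tooling. It checks the layout that Step 3 of this procedure requires when no VirtualHost is used: SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile must be present, uncommented, and above SSLPassPhraseDialog. The function names, the key file name base_name-key.pem, and the SSLPassPhraseDialog value in the sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Sun's tooling. Checks the Step 3 layout in a
# non-VirtualHost httpd.conf: SSLEngine, SSLCertificateFile and
# SSLCertificateKeyFile must be uncommented and above SSLPassPhraseDialog.
# Returns 0 when the layout is correct, 1 when not, 2 if the file is unreadable.
check_ssl_directives() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {   # directive names are case-insensitive; keep the first occurrence
            name = tolower($1)
            if (!(name in seen)) seen[name] = NR
        }
        END {
            rc = 0
            dialog = ("sslpassphrasedialog" in seen) ? seen["sslpassphrasedialog"] : 0
            if (!dialog) { print "missing: SSLPassPhraseDialog"; rc = 1 }
            n = split("SSLEngine SSLCertificateFile SSLCertificateKeyFile", want, " ")
            for (i = 1; i <= n; i++) {
                key = tolower(want[i])
                if (!(key in seen)) { print "missing: " want[i]; rc = 1 }
                else if (dialog && seen[key] > dialog) {
                    print "misplaced: " want[i] " on line " seen[key] ", below SSLPassPhraseDialog on line " dialog
                    rc = 1
                }
            }
            exit rc
        }
    ' "$1"
}

# Constructed sample (hypothetical key file name and dialog value) in which
# SSLCertificateKeyFile was pasted below SSLPassPhraseDialog by mistake.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/apache/keys/base_name-cert.pem
# SSLCertificateKeyFile /etc/apache/keys/base_name-key.pem
SSLPassPhraseDialog builtin
SSLCertificateKeyFile /etc/apache/keys/base_name-key.pem
EOF
}

# Check the file given as the first argument, or the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
if check_ssl_directives "${1:-$sample}"; then echo "layout OK"; else echo "layout needs fixing"; fi
rm -f "$sample"
```

Run it with /etc/apache/httpd.conf as the argument before starting the server. A commented-out directive does not count as present.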
Copyright © 2003, Sun Microsystems, Inc. All rights reserved.