CHAPTER 6

Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board

This chapter explains how to configure the Sun Crypto Accelerator 4000 board for use with Apache Web Servers. This chapter includes the following sections:

  • Enabling the Board for Apache Web Servers
  • Creating a Certificate




Caution - Do not configure Apache Web Server for use with the Sun Crypto Accelerator 1000 board and the Sun Crypto Accelerator 4000 at the same time. If both boards are configured to use the Apache Web Server at the same time, Apache will not work correctly.



If you plan to use the Apache Web Server, you must also install Patch 109234-09. Once the SUNWkcl2a package is added, the system is configured with mod_ssl for Apache Web Server 1.3.26.



Note - The bulk encryption feature for Apache Web Server software is enabled by default and cannot be disabled.




Enabling the Board for Apache Web Servers

This section provides an overview of how to enable the Sun Crypto Accelerator 4000 board for use with Apache Web Servers.

Enabling Apache Web Servers

Apache Web Server 1.3.26 or later is required for use with the Sun Crypto Accelerator 4000 board. The following instructions are for the 1.3.26 release of Apache Web Server. Refer to the Apache Web Server documentation for more information about using Apache Web Servers.


To Enable the Apache Web Server

1. Create an httpd configuration file.

For Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:

# cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf

2. Replace ServerName with your server name in the httpd.conf file.

3. Start apsslcfg.

# /opt/SUNWconn/cryptov2/bin/apsslcfg

4. Select 1 to configure your Apache Web Server to use SSL:

Sun Crypto Accelerator Apache Installation
---------------------------------------------------------
This script will install the Sun Crypto Accelerator
cryptographic modules for Apache.
 
Please select what you wish to do:
---------------------------------------------------------
1. Configure Apache for SSL
2. Work with Apache keys
 
Your selection (0 to quit): 1

5. Provide the directory where the Apache binaries exist.

On Solaris systems, this is usually /usr/apache.

Please enter the directory where the Apache
binaries and libraries exist [/usr/apache]: /usr/apache

6. Provide the location of the configuration files for Apache.

On Solaris systems, this is usually /etc/apache.

Please enter the directory where the Apache configuration files exist [/etc/apache]: /etc/apache

7. Create an RSA keypair for your system.

If you choose not to create a keypair, you must go back later and use apsslcfg to generate keys.

Do you wish to create a new RSA keypair and certificate request? [Y/N]:

If you answer No to this question, skip to To Create a Certificate.

8. Provide the directory for storing the keys.

If this directory does not exist, it is created.

Where would you like the keys stored? [/etc/apache/keys]: /etc/apache/keys

9. Choose a base name for the key material.

This name is appended with different suffixes to distinguish key files, certificate request files and later on, certificate files from one another.

Please choose a base name for the key and request file: base_name

10. Provide a key length between 512 and 2048 bits.

When this chapter was written, 1024 bits was considered sufficiently strong for most web server applications. Current practice is to use 2048 bits, the largest size apsslcfg accepts; choose the larger key unless you have a measured reason not to.

What size would you like the RSA key to be [1024]? 1024
Using configuration from /opt/SUNWconn/cryptov2/ssl/openssl.cnf
Generating a 1024 bit RSA private key
........++++++
...................................................++++++
writing new private key to /etc/apache/keys/base_name

11. Create your PEM pass phrase.

This pass phrase protects the key material. Be sure to select a strong pass phrase, but one that you can remember. If you forget the pass phrase, you will be unable to access your keys.

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:




Caution - You must remember the pass phrase you enter. Without the pass phrase, you cannot access your keys. There is no way to retrieve a lost pass phrase.



Creating a Certificate

The following procedure describes how to create the certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 4000 board.


To Create a Certificate

1. Create a certificate request using the keys you created in To Enable the Apache Web Server.

You must first enter the pass phrase to access your keys. Then provide the appropriate information for the following fields:

  • Country Name: (Required) The two-letter ISO 3166 code for the country, which is asserted on the certificate (for example, US for the United States)
  • State or Province Name: (Optional) The full name of the state or province; to leave it blank, type a dot character (.) and press Return
  • Locality: (Optional) City, county, principality, or country, which is also asserted on the certificate if provided
  • Organization Name: The organization name to be asserted on the certificate
  • Organizational Unit Name: (Optional) The organizational unit to be asserted on the certificate
  • SSL Server Name: The fully qualified host name that visitors type in their browser; it must match the name clients use to reach the server, or browsers will warn of a name mismatch
  • Email Address: Contact information for the requestor

The following is an example of how the certificate fields are entered:

Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []: Fictional Company, Inc.
Organizational Unit Name (eg, section) []: Online Sales Division
SSL Server Name (eg, www.company.com) []:www.fictional-company.com
Email Address []:admin@fictional-company.com

2. Modify the /etc/apache/httpd.conf file as directed.

You are shown information concerning your key and certificate files. You are also instructed on how to modify the /etc/apache/httpd.conf file for use with the Sun Crypto Accelerator 4000 software.

The keyfile is stored in /etc/apache/keys/base_name-key.pem.
The certificate request is in /etc/apache/keys/base_name-certreq.pem.
 
You will need to edit /etc/apache/httpd.conf for the following items:
 
You must specify the ports that Apache will listen to for
SSL connections, as well as for non-SSL connections.  One
way to accomplish this is to add the following lines in
the Listen section:
 
Listen 80
Listen 443
 
In the LoadModule section, add the following:
 
LoadModule ssl_module /usr/apache/libexec/mod_ssl.so.version-number
 
In the AddModule section, add the following:
 
AddModule mod_ssl.c



Note - The correct version-number will be displayed for your configuration.



3. If you chose not to set up a VirtualHost, you must place the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives in the httpd.conf file, just above the SSLPassPhraseDialog directive.

You may need a virtual host directive similar to
what is shown below:
 
<VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /etc/apache/keys/base_name-cert.pem
        SSLCertificateKeyFile /etc/apache/keys/base_name-key.pem
</VirtualHost>
 
You must add the following line after all of your VirtualHost definitions:
 
SSLPassPhraseDialog exec:/opt/SUNWconn/cryptov2/bin/apgetpass
 
Other SSL-related directives and their explanations
can be found in the Sun Crypto Accelerator documentation.
 
Other Apache-related directives may need to be configured
in order to start your Apache Web Server.  Please refer
to your Apache documentation.
 
<Press ENTER to continue>

If you answered no to the question in Step 7 of To Enable the Apache Web Server, you will also be given additional information on how to generate key material later:

Since you did not create keys, you will need to
make sure that you have a key file and a certificate
file in place before enabling SSL for Apache.
 
You can create a new key file and certificate request
by selecting the "Generate a keypair and request a
certificate for Apache" option after choosing
"Work with Sun ONE and Apache keys" from the
apsslcfg main menu.

4. Select 0 to quit when you finish with apsslcfg.

5. Copy your certificate request, including the BEGIN and END header lines, from /etc/apache/keys/base_name-certreq.pem (where base_name was set in Step 9 of To Enable the Apache Web Server) and hand it off to your certificate authority.

6. Once the certificate is generated, create the certificate file /etc/apache/keys/base_name-cert.pem and paste the PEM-encoded certificate into it, again including the BEGIN and END lines.

7. Start the Apache Web Server.

This assumes your Apache binary directory is /usr/apache/bin. If this is not your binary directory, type in the correct directory.

# /usr/apache/bin/apachectl start

8. Enter your PEM pass phrase when prompted for it.

9. Verify the new SSL-enabled web server with a browser by going to the following URL:

https://server_name:server_port/

Note that the default server_port is 443.
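The procedure above leaves several things to get right by hand before apachectl start: the directives apsslcfg asks you to add, SSLPassPhraseDialog placed after the last VirtualHost, a key file that only root can read, and a certificate that actually belongs to the key you generated. The following shell script is an added example (not code from the Sun documentation or from the apsslcfg tool) that checks all of these. It assumes the layout used in this chapter, /etc/apache/httpd.conf with key material under /etc/apache/keys/base_name-*.pem, and a standard openssl binary for the certificate check; the script and function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for the mod_ssl setup described in this chapter.
# Added example: not code from the Sun documentation or from apsslcfg.
# Assumed layout, taken from the procedure above:
#   CONFDIR/httpd.conf, CONFDIR/keys/BASE-key.pem, CONFDIR/keys/BASE-cert.pem
# Run as:  sh ssl_preflight.sh check /etc/apache base_name

# Every directive apsslcfg tells you to add must be present in httpd.conf.
# Prints each missing directive to stderr; returns 1 if any is absent.
check_ssl_directives() {
    conf=$1
    rc=0
    for pat in '^Listen[[:space:]]*443' \
               '^LoadModule[[:space:]]*ssl_module' \
               '^AddModule[[:space:]]*mod_ssl\.c' \
               '^[[:space:]]*SSLEngine[[:space:]]*on' \
               '^[[:space:]]*SSLCertificateFile' \
               '^[[:space:]]*SSLCertificateKeyFile' \
               '^SSLPassPhraseDialog[[:space:]]*exec:'; do
        grep -q "$pat" "$conf" || { echo "missing directive: $pat" >&2; rc=1; }
    done
    return $rc
}

# apsslcfg requires SSLPassPhraseDialog to come after all VirtualHost
# definitions; compare the line number of the dialog directive with the
# line number of the last closing VirtualHost tag.
check_passphrase_dialog_last() {
    conf=$1
    last_vh=$(grep -n '</VirtualHost>' "$conf" | tail -n 1 | cut -d: -f1)
    dialog=$(grep -n '^SSLPassPhraseDialog' "$conf" | head -n 1 | cut -d: -f1)
    [ -n "$dialog" ] || return 1
    [ -z "$last_vh" ] || [ "$dialog" -gt "$last_vh" ]
}

# The private key is pass-phrase protected, but it still must not be readable
# by group or others: characters 5-10 of ls -l (group and other bits) must be
# all dashes, i.e. mode 0600 or stricter.
check_key_perms() {
    key=$1
    [ -f "$key" ] || { echo "no key file: $key" >&2; return 1; }
    go=$(ls -l "$key" | cut -c5-10)
    [ "$go" = "------" ] || { echo "key $key is $(ls -l "$key" | cut -c1-10), expected -rw-------" >&2; return 1; }
}

# After pasting the CA-issued certificate into BASE-cert.pem, confirm it was
# issued for the key you generated: the RSA modulus must be identical in both.
# openssl prompts for the PEM pass phrase to read the key.
cert_matches_key() {
    cert=$1; key=$2
    cmod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    kmod=$(openssl rsa -noout -modulus -in "$key") || return 1
    [ "$cmod" = "$kmod" ]
}

# Run the offline checks against CONFDIR and key base name BASE.
# Returns 0 when everything apachectl start depends on is in place.
preflight() {
    confdir=$1; base=$2
    conf=$confdir/httpd.conf
    ok=0
    check_ssl_directives "$conf" || ok=1
    check_passphrase_dialog_last "$conf" \
        || { echo "SSLPassPhraseDialog missing or placed before a VirtualHost" >&2; ok=1; }
    check_key_perms "$confdir/keys/$base-key.pem" || ok=1
    [ -s "$confdir/keys/$base-cert.pem" ] \
        || { echo "certificate file $confdir/keys/$base-cert.pem missing or empty" >&2; ok=1; }
    return $ok
}

case "${1-}" in
    check) preflight "$2" "$3" ;;
esac
```

Run it as sh ssl_preflight.sh check /etc/apache base_name before Step 7, and call cert_matches_key /etc/apache/keys/base_name-cert.pem /etc/apache/keys/base_name-key.pem once the CA has returned your certificate. The modulus comparison catches the common mistake of pasting a certificate issued for a different request; a server started with a mismatched pair fails the handshake for every client.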