Solaris 10 is almost ready to run an SSL-secured Apache instance out of the box. What you really need is just the server certificate. The certificate, basically, contains the public key your clients will use to verify the server's identity and set up the encrypted communication with your SSL-secured server. If you're setting up a production site, chances are you already have a certificate from a trusted Certificate Authority. If you don't, go and get one. If instead you're running a non-critical, internal or testing site, you can build a self-signed certificate and use it for your site.
Stop Apache
Stop Apache! ;)
# svcadm disable svc:/network/http:apache2
Enabling SSL
Solaris 10 uses SMF to manage its services and the bundled Apache is no exception. To enable SSL for the bundled Apache instance, you've got to modify the service configuration:
# svccfg -s apache2 setprop httpd/ssl = boolean: 'true'
Creating a certificate
Safe harbor statement: This step, as explained in the introduction, will not generate a certificate suitable for production use.
Solaris 10 provides a bundled OpenSSL package which is just what you need to produce a self-signed certificate. The openssl binary is installed by default at /usr/sfw/bin/openssl.
To create the certificate, issue the following command:
$ openssl req -new -x509 -out server.crt -keyout server.key
When answering the questions openssl asks, please note that the Common Name field must contain the name of the server you're creating the certificate for, that is, the host name clients will use to connect.
The server.key file produced in the previous step is just a plain-text, unencrypted file. If you want (I do) to protect your key with a passphrase, then launch openssl once more:
$ openssl rsa -des3 -in server.key -out server.key.crypt
You can now safely delete server.key and store server.key.crypt in a secure place. However, Apache won't start unless you type the pass phrase, which can be a pain. I usually store the key with a very restrictive permission mask (400) and install it unencrypted. Another option, if you don't like leaving the key unencrypted, is to use the SSLPassPhraseDialog directive in ssl.conf and build a script that outputs the pass phrase. Please note, however, that this method is not inherently more secure than leaving the key unencrypted: anyone who can read the script can recover the pass phrase.
Tell Apache where the certificate and the key are
To tell Apache where the certificate and the key are you have to use the SSLCertificateFile and SSLCertificateKeyFile directives. Solaris 10 ships with a functional /etc/apache2/ssl.conf file: edit the file and make sure the SSLCertificate* directives point to your certificate and its key.
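The certificate steps above (generate key and certificate, encrypt a copy of the key, install the working key with mode 400) and the ssl.conf step (point SSLCertificateFile and SSLCertificateKeyFile at them) as one scripted, non-interactive walk-through. This is an added example, not code from the original post: it assumes openssl is on PATH, and every path and name it uses (a mktemp directory, www.example.test, the ssl.conf fragment it writes) is a constructed placeholder rather than the real /etc/apache2/ssl.conf. It goes one step beyond the text by checking that the key named in ssl.conf actually matches the certificate, which is the mismatch Apache refuses to start on when the two directives point at files from different runs of openssl req.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumes: openssl on PATH
# (on Solaris 10 it is /usr/sfw/bin/openssl); every directory and file name
# below is a constructed placeholder, not a path from the post.

# Create an unencrypted RSA key and a self-signed certificate in one step.
# -subj answers the questions openssl would otherwise ask; the CN must be the
# name clients will use to reach the server. -nodes leaves the key unencrypted.
make_self_signed() {            # usage: make_self_signed <dir> <server-name> [days]
    dir=$1; cn=$2; days=${3:-365}
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=XX/O=Example Test Site/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 400 "$dir/server.key"         # the restrictive mask the post recommends
    chmod 444 "$dir/server.crt"         # the certificate itself is public
}

# The post's "openssl rsa -des3" step made non-interactive: the passphrase is
# handed over through an environment variable instead of a terminal prompt.
encrypt_key_copy() {            # usage: encrypt_key_copy <key> <out> <passphrase>
    KEY_PASS=$3 openssl rsa -des3 -in "$1" -out "$2" -passout env:KEY_PASS 2>/dev/null
}

# Print the Common Name a certificate was issued for (handles both the
# "subject=/.../CN=x" and the "subject=..., CN = x" output formats).
cert_cn() {                     # usage: cert_cn <cert>
    openssl x509 -noout -subject -in "$1" 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Check that a certificate and a private key belong together by comparing the
# RSA modulus each one carries.
key_matches_cert() {            # usage: key_matches_cert <cert> <key>
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    case $c in
        Modulus=*) [ "$c" = "$k" ] ;;
        *)         return 1 ;;
    esac
}

# First uncommented value of a directive in an ssl.conf (surrounding quotes stripped).
conf_value() {                  # usage: conf_value <ssl.conf> <Directive>
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Review an ssl.conf: both directives present, both files readable, the key
# not readable by group or others, and key and certificate matching each other.
check_ssl_conf() {              # usage: check_ssl_conf <ssl.conf>
    crt=$(conf_value "$1" SSLCertificateFile)
    key=$(conf_value "$1" SSLCertificateKeyFile)
    [ -n "$crt" ] && [ -r "$crt" ] || { echo "SSLCertificateFile missing or unreadable: $crt"; return 1; }
    [ -n "$key" ] && [ -r "$key" ] || { echo "SSLCertificateKeyFile missing or unreadable: $key"; return 1; }
    case $(ls -l "$key" | cut -c5-10) in      # the group and other permission bits
        ------) ;;
        *) echo "key $key is readable by group or others (expected mode 400)"; return 1 ;;
    esac
    key_matches_cert "$crt" "$key" || { echo "key $key does not match $crt"; return 1; }
    echo "ssl.conf OK: $crt with $key"
}

# Walk-through on a throwaway directory; on a real Solaris 10 box the file to
# edit is /etc/apache2/ssl.conf and the key lives wherever you keep it, mode 400.
demo() {
    d=$(mktemp -d) || return 1
    make_self_signed "$d" www.example.test 365 || { rm -rf "$d"; return 1; }
    encrypt_key_copy "$d/server.key" "$d/server.key.crypt" 'change-me'
    cat > "$d/ssl.conf" <<EOF
# constructed fragment of ssl.conf; only the directives the post talks about
SSLEngine on
SSLCertificateFile    "$d/server.crt"
SSLCertificateKeyFile "$d/server.key"
EOF
    echo "certificate issued to CN=$(cert_cn "$d/server.crt")"
    check_ssl_conf "$d/ssl.conf"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

check_ssl_conf is the part worth keeping around: run it against /etc/apache2/ssl.conf after every certificate renewal and it catches the two mistakes that stop the service from coming up, a key left group- or world-readable and a key that belongs to a different certificate. The encrypted copy is only for off-box storage; an exec: helper for SSLPassPhraseDialog that merely prints the passphrase would protect nothing the mode-400 unencrypted key does not already protect, which is the post's point.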
Reviewing your configuration
You're probably going to spend some minutes reviewing your ssl.conf file and learning about the mod_ssl directives you'll find in there, in case you need further customization.
Start Apache
Start the Apache service by issuing:
# svcadm enable svc:/network/http:apache2
and test your site with openssl:
$ openssl s_client -connect localhost:443 -state -debug
This is a really good article. I am in the middle of a project which requires me to FTP over SSL files to a mainframe. I can't figure out how to set this up. What commands are used to FTPS files? Below is my setup:
SunOS libfrdzta07 5.10 Generic_141444-09 sun4v sparc SUNW,T5240
system SUNWopenssl-commands OpenSSL Commands (Usr)
system SUNWopenssl-include OpenSSL Header Files
system SUNWopenssl-libraries OpenSSL Libraries (Usr)
system SUNWopenssl-man OpenSSL Manual Pages
system SUNWopensslr OpenSSL (Root)
Any help you could give me would be GREATLY appreciated.
Thanks
Michael
Hi Michael.
Thank you. Well, to tell the truth I usually use scp between Solaris boxes, I'm using FTPS almost never.
By the way, if FTPS is what you're looking for, have you tried cURL? You can get it from several Solaris package repositories such as Sunfreeware (http://www.sunfreeware.com/), Blastwave (http://www.blastwave.org/) or OpenCSW (http://www.opencsw.org/).
Hope this helps,
Grey.