

Chapter 4: SSL Certificate Configuration




This chapter describes a basic procedure to configure a secure socket layer (SSL) certificate for the Sun Ray web server. By configuring the SSL certificate, access to the Administration application from a remote client can be made more secure.

Complete information about setting up and administering SSL certificates is available in Chapter 3 of the Sun WebServer 2.1 Installation Guide. This guide is provided on the Sun Ray enterprise server software 1.1 CD-ROM as the /cdrom/cdrom0/Sun_WebServer_2.1/Solaris_2.6+/Docs/SWS_Installation.ps file.

Topics in this chapter include:

  Secure Socket Layer Certificate
  Required Information
  Configuring SSL
  Troubleshooting SSL Configuration

After successfully configuring the SSL certificate, continue on to Chapter 5.


Secure Socket Layer Certificate

For the Sun WebServer to use secure socket layer (SSL) encryption, it must have public and private keys, and a PKCS#7 certificate to present to clients. The certificate contains information including the web server's identity and public key, and the issuer's identity and digital signature. The SSL library uses the Federated Naming Service (FNS) to store this information. Certificates are typically signed by third-party certificate authorities (CA), such as VeriSign.


Local Root Certificate Authority

A certificate authority (CA) creates and maintains credentials for a web server. For the Sun Ray web server, the root certificate authority (RootCA) creates and maintains the credentials locally. The RootCA user creates credentials for itself, and then uses these credentials to create key packages and sign certificates for any additional web servers. The RootCA user is any user name other than root.


Distinguished Name

A distinguished name (DN) is a globally unique identifier for each user or host that is issued key packages and certificates. The DN is also used in the key package and certificate. The DN is composed of attributes delimited by commas, ordered from most to least significant.

The DN and its attributes are provided by the user in this form:

  cn=commonname,ou=organizationunit,o=organization,l=locality,st=state,c=country

Attributes may contain text, numbers, and spaces. The following table explains these attributes in detail:

TABLE 4-1   Distinguished Name Attributes

Attribute            Example                  Comment
---------            -------                  -------
cn=commonname        cn=sunray.eng.fun.com    The common name must be unique, such as a host
                                              name. In this example, a fully-qualified domain
                                              name is preferred.
ou=organizationunit  ou=engineering           In a hierarchy, the group in which the common
                                              name belongs.
o=organization       o=funmicrosystems        The greater group of all organization units,
                                              such as a company.
l=locality           l=laffland               The location of the organization, such as a
                                              city or district.
st=state             st=bliss                 The state or province where the locality is
                                              found. Must be fully spelled out, no
                                              abbreviations.
c=country            c=we                     The country in which the state or province
                                              exists. May be a two-letter abbreviation.

This is an example of a complete DN:

  cn=sunray.eng.fun.com,ou=engineering,o=funmicrosystems,l=laffland,st=bliss,c=we
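As an added example (not part of the Sun guide), the following POSIX shell functions build a DN from its six attributes in the order required above and check an existing DN for that order. check_dn accepts DNs that omit some attributes, as the simplified DNs in TABLE 4-2 do, and assumes attribute values contain no commas.

```shell
#!/bin/sh
# Added example, not from the Sun Ray guide: DN assembly and ordering check.
# Assumption: attribute values contain no commas (comma is the delimiter).

# make_dn CN OU O L ST C -> prints the DN, most to least significant
make_dn() {
    printf 'cn=%s,ou=%s,o=%s,l=%s,st=%s,c=%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# check_dn DN -> exit 0 when every attribute is a known key=value with a
# non-empty value and the keys appear in cn, ou, o, l, st, c order (any
# subset, no repeats); exit 1 otherwise.
check_dn() {
    printf '%s\n' "$1" | awk -F',' '
        BEGIN {
            order["cn"] = 1; order["ou"] = 2; order["o"] = 3
            order["l"]  = 4; order["st"] = 5; order["c"] = 6
        }
        {
            if (NF == 0) exit 1                      # empty DN
            last = 0
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) exit 1                   # not of the form key=value
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                if (!(key in order) || val == "") exit 1   # unknown key or empty value
                if (order[key] <= last) exit 1       # out of order or repeated key
                last = order[key]
            }
            exit 0
        }'
}
```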


Required Information

Before you configure the Sun WebServer for SSL, you will need the following information:

TABLE 4-2   Required Information

Information                        Example                     Comment
-----------                        -------                     -------
RootCA user                        rcauser                     Existing user, or new one.
RootCA directory                   /var/certs
RootCA Distinguished Name          cn=rcauser,o=fun,c=we       Simplified for table.
RootCA password                    rcapass                     Requested when the RootCA is used
                                                               to sign credentials.
Sun Ray server root password       rootpass                    Root password of Sun Ray server.
Web server domain name             eng.fun.com
*Web server IP address             192.144.31.118
*Web server Distinguished Name     ou=eng,o=fun,l=laffland,    Every attribute except the common
                                   st=bliss,c=we               name. Simplified for table.
*Web server certificate directory  /var/certs/192.144.31.118   Directory is the IP address of the
                                                               web server.
*Web server certificate password   webpass                     Requested when configuring the web
                                                               server's credentials.

* Additional values must be provided for each failover Sun Ray server.


Configuring SSL


Note - The following procedures use the example values listed in TABLE 4-1 and TABLE 4-2. These values are for example only. You must provide real values to properly configure SSL.


To Configure SSL on the Primary Sun Ray Server

  1. Log in or use the rlogin command to become superuser on the Sun Ray server.
  2. Verify the skiserv and cryptorand processes are running. If not, restart them using the following commands:

# /etc/init.d/cryptorand stop
# /etc/init.d/skiserv stop
# /etc/init.d/cryptorand start
# /etc/init.d/skiserv start

  3. Create the local RootCA user:

# useradd -c "Root CA user" -m -k /etc/skel -d /var/certs rcauser
# passwd rcauser
New password: rcapass
Re-enter new passwd: rcapass
# chmod 700 /var/certs
# chown rcauser /var/certs

  4. Become the RootCA user and run the crca script to create the RootCA credentials:

# su rcauser
$ /usr/bin/crca

  a. The crca script asks for the following:
  b. The crca script asks to store the credentials in the name server, type y (yes).
  c. Type the root password for the Sun Ray server:

Password: rootpass

  5. Create the web server certificate directory and set permissions and ownership:

$ mkdir /var/certs/192.144.31.118
$ chmod 700 /var/certs/192.144.31.118
$ chown rcauser /var/certs/192.144.31.118

  6. Run the sslgencrd script to generate the web server certificate:

$ /usr/http/bin/sslgencrd -r rcauser -d /var/certs/192.144.31.118 -i 192.144.31.118

  a. When asked to enter the host name of the httpd server, press the Return key.
  b. The sslgencrd script asks for the following:
  c. The sslgencrd script asks for the RootCA password:

skilogin: Enter your own key package password: rcapass

  7. Install the web server certificate as superuser:

$ exit
# /usr/http/bin/sslstore -i 192.144.31.118 -p /var/certs/192.144.31.118 0

  a. The sslstore script asks for the web server certificate password:

/usr/bin/skilogin; Enter host key package password: webpass

  8. Configure the web server to use SSL:

Note - This step is automatically performed by the utconfig script when the user is asked whether to enable SSL.

  a. Open the /etc/http/utadmin.httpd.conf file in a text editor.
  b. Find the text ssl_enable "no" and change it to ssl_enable "yes".
  c. Save the file.
  9. Start or restart the web server to use SSL:

# /usr/bin/htserver start

or, if the web server is already running:

# /usr/bin/htserver restart

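Added example (not part of the Sun guide): POSIX shell functions that verify the two outcomes of this procedure that protect the web server's key package, the directory permissions set in Step 5 and the ssl_enable setting edited in Step 8. It assumes the configuration line has exactly the form ssl_enable "no" or ssl_enable "yes" as shown above; the file and directory names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the Sun Ray guide: post-configuration checks.
# Assumption: the config file carries a line containing  ssl_enable "no"
# or  ssl_enable "yes"  exactly as written in Step 8.

# cert_dir_ok DIR USER -> 0 when DIR exists, is mode 700 and owned by USER.
# Parses `ls -ld`, which is available on Solaris, Linux and BSD alike.
cert_dir_ok() {
    [ -d "$1" ] || return 1
    ls -ld "$1" | awk -v owner="$2" '
        { exit (substr($1, 1, 10) == "drwx------" && $3 == owner) ? 0 : 1 }'
}

# enable_ssl CONF -> change ssl_enable "no" to ssl_enable "yes" in place,
# keeping CONF.bak. Fails when the key is absent, so a wrong path or a
# typo cannot silently leave SSL disabled.
enable_ssl() {
    grep -q 'ssl_enable "' "$1" || return 1
    cp "$1" "$1.bak" || return 1
    sed 's/ssl_enable "no"/ssl_enable "yes"/' "$1.bak" > "$1"
}

# ssl_enabled CONF -> 0 when ssl_enable "yes" is present and no "no" remains
ssl_enabled() {
    grep -q 'ssl_enable "yes"' "$1" && ! grep -q 'ssl_enable "no"' "$1"
}
```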

 

To Configure Certificates on Failover Servers


Note - The Sun Ray server software must be installed on the failover server before performing this procedure.

  1. Log in or use the rlogin command to become the RootCA user of the RootCA Sun Ray server.
  2. Create a second web server certificate directory for the failover server. For example:

$ mkdir /var/certs/192.144.31.119
$ chmod 700 /var/certs/192.144.31.119
$ chown rcauser /var/certs/192.144.31.119

  3. Perform Step 6 and its sub-steps in the previous procedure using values for the failover server, then return here.
  4. Copy the /var/certs/192.144.31.119 directory and its contents to the failover server.
  5. Log in or use the rlogin command to become the superuser of the failover Sun Ray server.
  6. Perform Step 7 through Step 9 as described in the previous procedure using values for the failover server, then return here.
  7. When the failover server is operating satisfactorily, remove the /var/certs/192.144.31.119 directory from the failover server.


Troubleshooting SSL Configuration

The SSL configuration must be free of errors. Any problem caused by the SSL configuration is best corrected by reconfiguring SSL altogether, as this is the fastest and most reliable way to correct it. Before reconfiguring SSL, you must completely remove all existing configuration information.


 

To Remove All SSL Information


Note - The following procedure will remove all SSL information, including RootCA information.

  1. Log in or use the rlogin command to become superuser on the Sun Ray server.
  2. Stop the skiserv server:

# /etc/init.d/skiserv stop

  3. Remove the Federated Naming Service directory:

# /usr/bin/rm -rf /var/fn

  4. Start the skiserv server:

# /etc/init.d/skiserv start

  5. Reconfigure SSL according to the procedure "To Configure SSL on the Primary Sun Ray Server" above.




Copyright © 2000 Sun Microsystems, Inc. All Rights Reserved.