Sun Microsystems 4000 SSL Configuration Directives for Apache Web Servers

143

APPENDIX B

SSL Configuration Directives forApache Web Servers

This appendix lists directives for using Sun Crypto Accelerator 4000 software to

configure SSL support for Apache WebServers. Configure directives in your

http.conf file. Refer to the Apache WebServer documentation for more

information.

1. SSLPassPhraseDialog exec:program

Context: Global

This directive informs the Apache WebServer that the specified program should

be executed to collect the passwordfor key file. program should print the collected

password to standard output.

If multiple key files are present, and have common passwords,then program will

only be executed once (each collected password is tried before running program

again.)

program is executed with two arguments, the firstis the name of the server, in the

form servername:port, for example, www.fictional-company.com:443. (Port

443 is the typical port for SSL based web servers.) The second argument is the

type of key in the key file (keytype). keytype can be either RSA or DSA.

Note – Because this program can be executed during system startup, be sure to

design it to cope with the situation where the console is not a tty device (that is, a

tty(3c) returns false).

The supplied program /opt/SUNWconn/cryptov2/bin/apgetpass can be

used for the program executable. This program automatically prompts for the

password, suppressing the display of the password as it is entered.

The supplied sslpassword program also automatically searches for passwords

in files, which can be used to avoid user interaction when the web server starts

up. Passwords for key files are searchedfor in files named

Contents

Main Please Recycle Declaration of Conformity (Fiber MMF) EMC European Union Safety Supplementary Information Declaration of Conformity (Copper UTP) EMC European Union EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Safety Supplementary Information EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Page Regulatory Compliance Statements FCCClass A Notice Note: ShieldedCables: Modifications: Page Page Page Contents Page Page Page Page Page Page Page Tables Page Page Page Preface How This Book Is Organized Using UNIX Commands Typographic Conventions Shell Prompts AaBbCc123 Page Product Overview Product Features Key Protocols and Interfaces Key Features Supported Applications Supported Cryptographic Protocols Diagnostic Support Cryptographic Algorithm Acceleration Supported Cryptographic Algorithms SSL Acceleration Bulk Encryption Hardware Overview IPsec Hardware Acceleration Note Sun Crypto Accelerator 4000 MMF Adapter LED Displays See TABLE1-4. Sun Crypto Accelerator 4000 UTP Adapter LED Displays See TABLE1-5. Server 4.1 or 6.0 is mentioned. Note Dynamic Reconfiguration and High Availability Load Sharing Hardware and Software Requirements Required Patches Apache Web Server Patch Page Page Installing the Sun Crypto Accelerator 4000 Board Handling the Board Caution Installing the Board To Install the Hardware Page Installing the Sun Crypto Accelerator 4000 Software To Install the Software Note Installing the Optional Packages Directories and Files Note / / Removing the Software Caution To Remove the Software Caution Page Configuring Driver Parameters Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters Caution Driver Parameter Values and Definitions Advertised Link Parameters Note Page Flow Control Parameters Gigabit Forced Mode Parameter Interpacket Gap Parameters Page Interrupt Parameters Random Early Drop Parameters Page PCI Bus Interface Parameters Setting vca Driver Parameters Setting Parameters Using the ndd Utility To Specify Device Instances for the ndd Utility Note Noninteractive and Interactive Modes Using the ndd Utility in Noninteractive Mode Using the ndd Utility in Interactive Mode (See TABLE3-1 through TABLE 3-9 for parameter descriptions.) Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: To Disable Autonegotiation Mode Note Setting Parameters Using the vca.conf File Caution To Set Driver Parameters Using a vca.conf File Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File Example vca.conf File Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM Caution Note Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics Cryptographic Driver Statistics Ethernet Driver Statistics Page Page Page Reporting the Link Partner Capabilities Page Page To Check Link Partner Settings Note number should reflect the instance number of the board for which you arerunning the kstat command. Network Configuration Configuring the Network Host Files Note Page Page Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities Using vcaadm Note Modes of Operation Note Single-Command Mode Note File Mode Interactive Mode Logging In and Out With vcaadm Logging In to a Board With vcaadm Logging In to a New Board Note Logging In to a Board With a Changed Remote Access Key vcaadm Prompt Logging Out of a Board With vcaadm Example: Entering Commands With vcaadm Getting Help for Commands Quitting the vcaadm Program in Interactive Mode Initializing the Sun Crypto Accelerator 4000 Board With vcaadm To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore Note Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore Managing Keystores With vcaadm Note Naming Requirements Password Requirements Setting the Password Requirements Populating a Keystore With Security Officers Populating a Keystore With Users Caution Note Listing Users and Security Officers Changing Passwords Enabling or Disabling Users Note Deleting Users Deleting Security Officers Backing Up the Master Key Caution Locking the Keystore to Prevent Backups Caution Managing Boards With vcaadm Setting the Auto-Logout Time Displaying Board Status Determining if the Board is Operating in FIPS 140-2 Mode Loading New Firmware Resetting a Sun Crypto Accelerator 4000 Board Rekeying a Sun Crypto Accelerator 4000 Board Zeroizing a Sun Crypto Accelerator 4000 Board Note Using the vcaadm diagnostics Command Using vcadiag Note Page The following is an example of the -K option: The following is an example of the -Q option: The following is an example of the -Z option: The following is an example of the -R option: Page Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board Note Administering Security for Sun ONE Web Servers Note Concepts and Terminology Note Tokens and Token Files Example Token Files Note Enabling and Disabling Bulk Encryption Configuring Sun ONE WebServers Passwords Populating a Keystore Note To Populate a Keystore Caution Overview for Enabling Sun ONE Web Servers Caution Installing and Configuring Sun ONE Web Server 4.1 Installing Sun ONE Web Server 4.1 To Install Sun ONE WebServer 4.1 To Create a Trust Database Note To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 4.1 for SSL To Configure the Sun ONE Web Server 4.1 Page Note Installing and Configuring Sun ONE Web Server 6.0 Installing Sun ONE Web Server 6.0 To Install Sun ONE WebServer 6.0 To Create a Trust Database Note Page To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 6.0 for SSL To Configure the Sun ONE Web Server 6.0 Page Page Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board Caution Note Enabling the Board for Apache Web Servers Enabling Apache Web Servers To Enable the Apache WebServer Page Caution Creating a Certificate To Create a Certificate Note Page Page Diagnostics and Troubleshooting SunVTS Diagnostic Software Installing SunVTS netlbtest and nettest Support for the vca Driver Note Using SunVTS Software to Perform vcatest, nettest, and netlbtest Note To Perform vcatest Note Test Parameter Options for vcatest vcatest Command-Line Syntax To Perform netlbtest Note To Perform nettest Page Note Using kstat to Determine Cryptographic Activity Note Using the OpenBoot PROM FCode Self- Test Performing the Ethernet FCode Self-Test Diagnostic Page Note Troubleshooting the Sun Crypto Accelerator 4000 Board show-devs .properties watch-net Specifications Sun Crypto Accelerator 4000 MMF Adapter Connectors 136 Sun Crypto Accelerator 4000 Board Installation and Users Guide May 2003 TABLEA-1 lists the characteristics of the SC connector (850 nm). Operating range Up to 260 meters Up to 550 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Sun Crypto Accelerator 4000 UTP Adapter Connectors Appendix A Specifications 139 TABLEA-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter. Operating range Up to 100 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Page SSL Configuration Directives for Apache Web Servers Note Page Page Page Page Page Page Building Applications for Use With the Sun Crypto Accelerator 4000 Board Note Page Software Licenses Note Sun Microsystems, Inc. Binary Code License Agreement Page Sun Microsystems, Inc. Supplemental Termsfor Sun Crypto Accelerator 4000 Third Party License Terms OPENSSL LICENSE ISSUES OpenSSL License Original SSLeay License MOD_SSL LICENSE Page Page Manual Pages man -M /opt/SUNWconn/man page Page Zeroizing the Hardware Caution Note Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State Note Board With the Hardware Jumper Note Caution Page Frequently Asked Questions How Do I Configure the WebServer to Startup Without User Interaction on Reboot? To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? Page How Do I Self-Sign a Certificate for Testing? Index SYMBOLS NUMERICS A B C D E F G H I K L M N O P Q R S T U V