ksslcfg(1M)             System Administration Commands             ksslcfg(1M)


NAME

       ksslcfg - enable and configure SMF instance of Kernel SSL


SYNOPSIS

       ksslcfg create -f pkcs11 -T token_label -C certificate_label
            [-d softtoken_directory]
            [-p password_file [-u username]]
            [-h ca_certchain_file] [-c ciphersuites]
            [-t ssl_session_cache_timeout]
            [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


       ksslcfg create -f pkcs12 -i cert_and_key_pk12file
            [-p password_file [-u username]]
            [-c ciphersuites] [-t ssl_session_cache_timeout]
            [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


       ksslcfg create -f pem -i cert_and_key_pemfile
            [-p password_file [-u username]]
            [-c ciphersuites] [-t ssl_session_cache_timeout]
            [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


       ksslcfg delete [-v] [host] ssl_port


       ksslcfg -V


       ksslcfg -?


DESCRIPTION

       ksslcfg manages smf(5) instances for the Kernel SSL proxy module. An
       SSL-enabled web server can use the services of its Kernel SSL proxy to
       improve the performance of HTTPS packet processing. It does so by
       creating an instance of the Kernel SSL service, specifying the SSL
       proxy port and parameters, and by listening on the proxy port.


       The create subcommand creates an instance and enables the service for
       the given address and SSL port.


       The delete subcommand disables the service for the given address and
       port, if it is enabled, and deletes the instance from the SMF
       repository.


       ksslcfg can be run as root or by other users assigned to the Network
       Security profile. See rbac(5) and user_attr(4). You must run ksslcfg to
       configure your Kernel SSL proxy before you start your application.


       ksslcfg allows you to specify an ssl_port operand, described under
       OPERANDS, and, with the -x option, a proxy_port value. When specified
       for use with the Kernel SSL proxy, these values cannot also be
       configured for the Solaris Network Cache and Acceleration (NCA)
       feature. See nca(1) for a description of the NCA feature.


       The Fault Managed Resource Identifier (FMRI) for the kernel SSL proxy
       instances is svc://network/ssl/proxy. ksslcfg creates an instance of
       that service unique to the combination of host and SSL port. Instance
       FMRIs for particular proxy entries can be found with svcs(1) and used
       for dependencies of other services.


OPTIONS

       The following options are supported:

       -c ciphersuites

           Set of ciphers a client is allowed to negotiate, in sorted
           (preference) order. The supported SSL version 3 and TLS ciphers
           are listed below. Note that the names are case-insensitive.

             rsa_rc4_128_sha
             rsa_rc4_128_md5
             rsa_aes_256_cbc_sha
             rsa_aes_128_cbc_sha
             rsa_3des_ede_cbc_sha
             rsa_des_cbc_sha


       -f key_format

           Uses the certificate/key format specified in key_format. The
           supported options are pkcs11, pkcs12, and pem.


       -i key_and_certificate_file

           When pkcs12 or pem is specified with the -f option, reads a key and
           a certificate of the web server from key_and_certificate_file. This
           file can also contain any intermediate CA certificates that form
           the certificate chain to the root CA for the server certificate.
           These certificates must follow the server certificate in the file
           and the order must be bottom up: lowest level CA certificate
           followed by the next higher level CA certificate, and so on.


       -C certificate_label

           PKCS#11 can store multiple certificates in a single token. This
           option enables you to specify a single certificate, identified by
           certificate_label. This label must match the CKA_LABEL on the
           certificate object in the token specified by -T. This option is to
           be used only with -f pkcs11.


       -d softtoken_directory

           This option is applicable only with the pkcs11 key format, when the
           token label is the Sun Software PKCS#11 softtoken. Use this option
           to override the default location of the PKCS#11 softtoken directory
           ($HOME/.sunw). See pkcs11_softtoken(5).


       -h ca_certchain_file

           When pkcs11 is specified with the -f option, reads a set of
           intermediate CA certificates that form the certificate chain to the
           root CA for the server certificate (specified with the -C option),
           from ca_certchain_file. The file must be in PEM format.


       -p password_file

           Obtains the password used to encrypt the private key from
           password_file. When using the pkcs11 option (see -f, above), the
           password is used to authenticate the user to the PKCS #11 token.


       -t ssl_session_cache_timeout

           The timeout value, in seconds, for an SSL session. It corresponds
           to SSL3SessionTimeout of the Sun ONE web server configuration or
           SSLSessionCacheTimeout of mod_ssl.


       -T token_label

           When pkcs11 is specified with -f, uses the PKCS#11 token specified
           in token_label. Use cryptoadm list -v to display all PKCS#11 tokens
           available.


       -u username

           The username of the user who owns the password file. If omitted,
           the system will try to read the password file as root.


       -v

           Verbose mode.


       -V

           Displays the version.


       -x proxy_port

           The SSL proxy port. The port number is designated exclusively for
           clear-text HTTP communication between the web server and the kernel
           SSL proxy module. No external HTTP packets are delivered to this
           port.


       -z ssl_session_cache_size

           The maximum number of SSL sessions that can be cached. It
           corresponds to SSLCacheEntries of the Sun ONE web server
           configuration. When this option is not specified, the default is
           5000 entries.


       -?

           Displays the usage of the command.


OPERANDS

       [host] [ssl_port]    The address and the port of the web server for
                            which the kernel SSL entry is created. If host is
                            omitted, the entry will be used for all requests
                            that arrive at the ssl_port, regardless of the
                            destination address. Both a host name and an IP
                            address are acceptable forms for host. ssl_port is
                            required. Typically, this has a value of 443.


EXAMPLES

       Example 1 Create and Enable a Kernel SSL Instance


       The following command creates and enables a Kernel SSL instance using a
       certificate and a key in PKCS#11 format.


         # ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken"  \
         -C "Server-Cert" -p /some/directory/password -u webservd \
         -x 8080 www.mysite.com 443

         % svcs svc:/network/ssl/proxy
         STATE          STIME    FMRI
         online         Sep_27   svc:/network/ssl/proxy:kssl-www-mysite-com-443


       Example 2 Create and Enable a Default Instance for All Addresses


       The following command creates and enables a default instance for all
       addresses from a certificate and key in a PKCS#12 file.


         # ksslcfg create -x 8888 -f pkcs12 -i /some/directory/keypair.p12 \
             -p /some/directory/password -u webservd 443


       Example 3 Create and Enable an Instance with Specific Cipher Suites


       The following command creates and enables an instance with specific
       cipher suites.


         # ksslcfg create -x 8080 -f pem \
         -i /some/directory/keypair.pem -p /some/directory/password \
         -c "rsa_rc4_128_md5,rsa_rc4_128_sha" \
         209.249.116.195 443


       Example 4 Disable and Delete an Instance


       The following command disables and deletes an instance.


         # ksslcfg delete www.mysite.com 443

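A pre-flight check for the -c and -p arguments described above, written as an added example that is not part of ksslcfg or this man page. The supported cipher names come from the OPTIONS section; write_password_file is a hypothetical helper, and the weak-cipher set reflects current practice (single DES, RC4, MD5 MACs), not anything ksslcfg itself enforces.

```python
import os
import stat
from typing import List

# Cipher suites ksslcfg accepts for -c, per the man page (names are case-insensitive).
SUPPORTED_CIPHERS = {
    "rsa_rc4_128_sha", "rsa_rc4_128_md5", "rsa_aes_256_cbc_sha",
    "rsa_aes_128_cbc_sha", "rsa_3des_ede_cbc_sha", "rsa_des_cbc_sha",
}
# Suites a defender would leave disabled today (assumption, not a ksslcfg rule).
WEAK_CIPHERS = {"rsa_des_cbc_sha", "rsa_rc4_128_sha", "rsa_rc4_128_md5"}


def check_ciphersuites(spec: str) -> List[str]:
    """Validate a -c argument; an empty result means the list is acceptable.
    Order is kept as given, since ksslcfg treats the list as sorted."""
    names = [n.strip().lower() for n in spec.split(",") if n.strip()]
    findings = [] if names else ["empty cipher list"]
    for n in names:
        if n not in SUPPORTED_CIPHERS:
            findings.append(f"unsupported cipher: {n}")
        elif n in WEAK_CIPHERS:
            findings.append(f"weak cipher enabled: {n}")
    if len(set(names)) != len(names):
        findings.append("duplicate cipher names")
    return findings


def write_password_file(path: str, password: str) -> str:
    """Hypothetical helper: create the -p file with mode 0600 from the start,
    so the key password is never exposed through a permissive umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)          # enforce even if the file already existed
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return path


def check_password_file(path: str) -> List[str]:
    """The -p file must be a regular file that group and others cannot access."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"password file unreadable: {e.strerror}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("password file is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password file is accessible by group/others")
    return findings
```

Run the checks against the arguments of Example 3 above and the RC4 suites it enables are reported as weak; ownership by the -u user is still left to chown, which this helper does not attempt.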

EXIT STATUS

       0     Successful completion.


       >0    An error occurred.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWksslu                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘


       Command line options are Evolving; command output is Unstable. The FMRI
       service name (svc://network/ssl/proxy) is Unstable, as is the FMRI
       instance's name format. The utility name is Stable.


SEE ALSO

       nca(1), svcprop(1), svcs(1), cryptoadm(1M), svcadm(1M), svccfg(1M),
       user_attr(4), attributes(5), pkcs11_softtoken(5), rbac(5), smf(5)


NOTES

       ksslcfg create without a host argument creates an INADDR_ANY smf
       instance. ksslcfg delete without a host argument deletes only the
       INADDR_ANY instance. ksslcfg delete needs a host argument to delete any
       non-INADDR_ANY instance.


       On a system with zones(5) installed, the ksslcfg command can be used
       only in the global zone at this time.



SunOS 5.11                        27 May 2008                      ksslcfg(1M)