ksslcfg(1M)             System Administration Commands            ksslcfg(1M)



NAME
     ksslcfg - enable and configure SMF instance of Kernel SSL

SYNOPSIS
     ksslcfg create -f pkcs11 -T token_label -C certificate_label
          [-d softtoken_directory]
          [-p password_file [-u username]]
          [-h ca_certchain_file] [-c ciphersuites]
          [-t ssl_session_cache_timeout]
          [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


     ksslcfg create -f pkcs12 -i cert_and_key_pk12file
          [-p password_file [-u username]]
          [-c ciphersuites] [-t ssl_session_cache_timeout]
          [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


     ksslcfg create -f pem -i cert_and_key_pemfile
          [-p password_file [-u username]]
          [-c ciphersuites] [-t ssl_session_cache_timeout]
          [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port


     ksslcfg delete [-v] [host] ssl_port


     ksslcfg -V


     ksslcfg -?


DESCRIPTION
     ksslcfg manages smf(5) instances for the Kernel SSL proxy module. An
     SSL-enabled web server can use the services of its Kernel SSL proxy to
     improve the performance of HTTPS packet processing. It does so by
     creating an instance of the Kernel SSL service, specifying the SSL
     proxy port and parameters, and by listening on the proxy port.


     The create subcommand creates an instance and enables the service for
     the given address and SSL port.


     The delete subcommand disables the service for the given address and
     port, if it is enabled, and deletes the instance from the SMF
     repository.


     ksslcfg can be run as root or by other users assigned to the Network
     Security profile. See rbac(5) and user_attr(4). You must run ksslcfg to
     configure your Kernel SSL proxy before you start your application.


     ksslcfg allows you to specify an ssl_port operand, described under
     OPERANDS, and, with the -x option, a proxy_port value. When specified
     for use with the Kernel SSL proxy, these values cannot also be
     configured for the Solaris Network Cache and Acceleration (NCA)
     feature. See nca(1) for a description of the NCA feature.


     The Fault Managed Resource Identifier (FMRI) for the kernel SSL proxy
     instances is svc://network/ssl/proxy. ksslcfg creates an instance of
     that service unique to the combination of host and SSL port. Instance
     FMRIs for particular proxy entries can be found with svcs(1) and used
     for dependencies of other services.

OPTIONS
     The following options are supported:

     -c ciphersuites

          Set of ciphers a client is allowed to negotiate, listed in order
          of preference. The supported SSL version 3 and TLS ciphers are
          listed below. Note that the names are case-insensitive.

              rsa_rc4_128_sha
              rsa_rc4_128_md5
              rsa_aes_256_cbc_sha
              rsa_aes_128_cbc_sha
              rsa_3des_ede_cbc_sha
              rsa_des_cbc_sha

          The RC4 suites, the MD5-based suite and single DES
          (rsa_des_cbc_sha, 56-bit key) are deprecated, and 3DES is a legacy
          algorithm. Unless a legacy client requires one of them, restrict
          the list to the AES suites, for example
          -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha.


     -f key_format

          Uses the certificate/key format specified in key_format. The
          supported options are pkcs11, pkcs12, and pem.


     -i key_and_certificate_file

          When pkcs12 or pem is specified with the -f option, reads a key
          and a certificate of the web server from key_and_certificate_file.
          This file can also contain any intermediate CA certificates that
          form the certificate chain to the root CA for the server
          certificate. These certificates must follow the server certificate
          in the file and the order must be bottom up: lowest level CA
          certificate followed by the next higher level CA certificate, and
          so on.


     -C certificate_label

          PKCS#11 can store multiple certificates in a single token. This
          option enables you to specify a single certificate, identified by
          certificate_label. This label must match the CKA_LABEL on the
          certificate object in the token specified by -T. This option is to
          be used only with -f pkcs11.


     -d softtoken_directory

          This option is applicable only with the pkcs11 key format, when
          the token label is the Sun Software PKCS#11 softtoken. Use this
          option to override the default location of the PKCS#11 softtoken
          directory ($HOME/.sunw). See pkcs11_softtoken(5).


     -h ca_certchain_file

          When pkcs11 is specified with the -f option, reads a set of
          intermediate CA certificates that form the certificate chain to
          the root CA for the server certificate (specified with the -C
          option), from ca_certchain_file. The file must be in PEM format.


     -p password_file

          Obtains the password used to encrypt the private key from
          password_file. When using the pkcs11 option (see -f, above), the
          password is used to authenticate the user to the PKCS #11 token.
          The file holds the password in clear text, so keep it readable
          only by its owner (see -u), for example with mode 0400.


     -t ssl_session_cache_timeout

          The timeout value, in seconds, for an SSL session. It corresponds
          to SSL3SessionTimeout of the Sun ONE web server configuration or
          SSLSessionCacheTimeout of mod_ssl.


     -T token_label

          When pkcs11 is specified with -f, uses the PKCS#11 token specified
          in token_label. Use cryptoadm list -v to display all PKCS#11
          tokens available.


     -u username

          The username of the user who owns the password file. If omitted,
          the system will try to read the password file as root.


     -v

          Verbose mode.


     -V

          Displays the version.


     -x proxy_port

          The SSL proxy port. The port number is designated exclusively for
          clear-text HTTP communication between the web server and the
          kernel SSL proxy module. No external HTTP packets are delivered to
          this port.


     -z ssl_session_cache_size

          The maximum number of SSL sessions that can be cached. It
          corresponds to SSLCacheEntries of the Sun ONE web server
          configuration. When this option is not specified, the default is
          5000 entries.


     -?

          Displays the usage of the command.


189
191 [host] [ssl_port] The address and the port of the web server for
192 which the kernel SSL entry is created. If host is
193 omitted, the entry will be used for all requests
194 that arrived at the ssl_port, regardless of the
195 destination address. Both a host name and an IP
196 address are acceptable forms for host. ssl_port is
197 required. Typically, this has a value of 443.
198
EXAMPLES
     Example 1 Create and Enable a Kernel SSL Instance


     The following command creates and enables a Kernel SSL instance using a
     certificate and a key in PKCS#11 format.


     # ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken" \
          -C "Server-Cert" -p /some/directory/password -u webservd \
          -x 8080 www.mysite.com 443

     % svcs svc:/network/ssl/proxy
     STATE          STIME    FMRI
     online         Sep_27   svc:/network/ssl/proxy:kssl-www-mysite-com-443



     Example 2 Create and Enable a Default Instance for All Addresses


     The following command creates and enables a default instance for all
     addresses from a certificate and key in a PKCS#12 file.


     # ksslcfg create -x 8888 -f pkcs12 -i /some/directory/keypair.p12 \
          -p /some/directory/password -u webservd 443



     Example 3 Create and Enable an Instance with Specific Cipher Suites


     The following command creates and enables an instance with specific
     cipher suites.


     # ksslcfg create -x 8080 -f pem \
          -i /some/directory/keypair.pem -p /some/directory/password \
          -c "rsa_rc4_128_md5,rsa_rc4_128_sha" \
          209.249.116.195 443



     Example 4 Disable and Delete an Instance


     The following command disables and deletes an instance.


     # ksslcfg delete www.mysite.com 443



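     The examples above run ksslcfg directly. The following script is an
     added example, not part of this man page or of the ksslcfg tool, that
     wraps the same procedure with the checks a practitioner would want
     first: it validates a -c list against the documented suite names
     (case-insensitively) and rejects the RC4, DES, 3DES and MD5 suites,
     creates the -p password file with restrictive permissions for the -u
     user, runs ksslcfg create, and confirms with svcs(1) that the new
     instance is online. Assumptions: webservd is the web server user, as
     in the examples; the instance name in kssl_fmri is inferred from the
     Example 1 output only (the ATTRIBUTES section marks that format
     Unstable, so confirm with svcs svc:/network/ssl/proxy); the paths in
     the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the ksslcfg man page or the tool itself: stages a
# Kernel SSL proxy instance the way the OPTIONS and EXAMPLES sections describe,
# with the checks done before ksslcfg is run.
# Assumptions: webservd is the web server user (as in the page's examples);
# kssl_fmri derives the instance name from Example 1's output only (the page
# marks that format Unstable); paths passed to kssl_setup are placeholders.

# Cipher suites ksslcfg -c accepts, from the OPTIONS section, one per line.
KSSL_SUITES="rsa_rc4_128_sha
rsa_rc4_128_md5
rsa_aes_256_cbc_sha
rsa_aes_128_cbc_sha
rsa_3des_ede_cbc_sha
rsa_des_cbc_sha"

# check_ciphers LIST
#   LIST is the comma-separated value for -c. Returns 0 when every name is a
#   documented suite (matched case-insensitively, as ksslcfg does) and none of
#   them uses RC4, DES/3DES or MD5; returns 1 with a message on stderr otherwise.
check_ciphers() {
    _list=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$_list" ] || { echo "empty cipher list" >&2; return 1; }
    _old_ifs=$IFS
    IFS=,
    set -- $_list
    IFS=$_old_ifs
    for _s in "$@"; do
        printf '%s\n' "$KSSL_SUITES" | grep -qx "$_s" \
            || { echo "not a ksslcfg suite: $_s" >&2; return 1; }
        case $_s in
            *rc4*|*des*|*md5*) echo "weak suite, drop it: $_s" >&2; return 1 ;;
        esac
    done
    return 0
}

# kssl_fmri HOST SSL_PORT
#   Prints the instance FMRI to expect from svcs(1), following Example 1
#   (www.mysite.com 443 -> kssl-www-mysite-com-443). This pattern is an
#   assumption; the INADDR_ANY instance is not named on the page, so a host
#   argument is required here.
kssl_fmri() {
    [ $# -eq 2 ] || { echo "usage: kssl_fmri HOST SSL_PORT" >&2; return 1; }
    printf 'svc:/network/ssl/proxy:kssl-%s-%s\n' \
        "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# write_password_file PATH USER
#   Reads the key or token password from stdin and stores it for -p. The file
#   holds the password in clear text, so it is created under umask 077, then
#   chowned to USER (the account given with -u) and set to mode 0400.
#   Must run as root.
write_password_file() {
    ( umask 077; cat > "$1" ) && chown "$2" "$1" && chmod 0400 "$1"
}

# kssl_setup HOST SSL_PORT PROXY_PORT PEM_FILE PW_FILE CIPHERS
#   Validates CIPHERS, creates and enables the instance with -f pem, then
#   confirms that the SMF instance is online.
kssl_setup() {
    check_ciphers "$6" || return 1
    ksslcfg create -f pem -i "$4" -p "$5" -u webservd -c "$6" \
        -x "$3" "$1" "$2" || return 1
    svcs -H -o state "$(kssl_fmri "$1" "$2")" | grep -qx online
}

# Example invocation, as root (placeholder paths):
#   printf '%s\n' "$KEY_PASSWORD" | write_password_file /etc/kssl/password webservd
#   sh kssl_setup.sh www.mysite.com 443 8080 /etc/kssl/keypair.pem \
#       /etc/kssl/password rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha
if [ $# -eq 6 ]; then
    kssl_setup "$@"
fi
```

     check_ciphers fails closed: one unknown or weak name rejects the whole
     list, so a typo cannot silently shrink the negotiable set to whatever
     ksslcfg accepts.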
EXIT STATUS
     0       Successful completion.


     >0      An error occurred.


ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:




     ┌─────────────────────────────┬─────────────────────────────┐
     │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWksslu                    │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │See below.                   │
     └─────────────────────────────┴─────────────────────────────┘


     Command line options are Evolving; command output is Unstable. The FMRI
     service name (svc://network/ssl/proxy) is Unstable, as is the FMRI
     instance's name format. The utility name is Stable.

SEE ALSO
     nca(1), svcprop(1), svcs(1), cryptoadm(1M), svcadm(1M), svccfg(1M),
     user_attr(4), attributes(5), pkcs11_softtoken(5), rbac(5), smf(5)

NOTES
     ksslcfg create without a host argument creates an INADDR_ANY smf
     instance. ksslcfg delete without a host argument deletes only the
     INADDR_ANY instance. ksslcfg delete needs a host argument to delete any
     non-INADDR_ANY instance.


     On a system with zones(5) installed, the ksslcfg command can be used
     only in the global zone at this time.



SunOS 5.11                      27 May 2008                      ksslcfg(1M)