KSSL problems

From: mark_round@ipcmedia.com
Date: Fri Jan 12 2007 - 06:29:20 EST


Hi All,

I have a huge problem trying to get KSSL* up and running. I already
posted this on c.u.s, but got no response. I have included my exact
steps below if anyone feels up for some cut'n'paste fun and games.

I have tried this on Solaris 06/06 and 11/06, on a creaking old
Ultra 5 and a brand new T1000, same results each time. Has
anyone got this working? I would greatly appreciate any advice or
pointers, and if someone could repeat my steps and let me know what
result they get, that would be fantastic.

I will of course summarise!

Thanks,

-Mark

*=Trumpeted as part of Solaris 06/06.
URL : http://blogs.sun.com/enigma/entry/sun_fire_t2000_and_secure
Man page : http://docs.sun.com/app/docs/doc/816-5166/6mbb1kq63?a=view.

There is also a BluePrints document that covers it at
http://www.sun.com/blueprints/0306/819-5782.html.

Steps below :

First, I log in and enable stock Apache 2 so I have something to test
against :

# PATH=$PATH:/usr/sfw/bin; export PATH
# cd /etc/apache2
# cp httpd-std.conf httpd.conf
# svcadm enable apache2

Next, I need to create an SSL certificate, so I just generate a
bog-standard self-signed PEM certificate. When prompted, I just used
the defaults apart from specifying "localhost" as the hostname for the
certificate. I then concatenate the server key and certificate into a
single PEM file :

# openssl genrsa 1024 > kssl.key
# openssl req -new -key kssl.key -out kssl.csr
# openssl req -x509 -key kssl.key -in kssl.csr -out kssl.crt
# cat kssl.key kssl.crt > kssl.pem

Right, now let's try enabling KSSL - I want it to run on port 443 and
forward traffic to port 80, the stock Apache webserver.

# ksslcfg create -f pem -i /etc/apache2/kssl.pem -x 80 localhost 443
Warning: localhost does not appear to have a registered DNS name.

According to the documents, that should work. Let's see what SMF says :

# svcs -a | grep kssl
online 12:25:08 svc:/network/ssl/proxy:kssl-localhost-443
# svcs -x svc:/network/ssl/proxy:kssl-localhost-443
svc:/network/ssl/proxy:kssl-localhost-443 (kernel ssl proxy
configuration)
 State: online since Wed 10 Jan 2007 12:25:08 PM GMT
   See: ksslcfg(1M)
   See: /var/svc/log/network-ssl-proxy:kssl-localhost-443.log
Impact: None.

So we should be in business. However, there is nothing listening on
port 443 (confirmed via netstat), it says it's running but there's no
hint as to what went wrong. There is a log file shown in the output
from svcs -x, so I had a look at that :

# cat /var/svc/log/network-ssl-proxy:kssl-localhost-443.log
[ Jan 10 12:25:08 Enabled. ]
[ Jan 10 12:25:08 Executing start method ("/usr/lib/kssladm create -f pem -i /etc/apache2/kssl.pem -x 80 localhost 443") ]
[ Jan 10 12:25:08 Method "start" exited with status 0 ]

So that's no use. It just says it exited with status 0, which I assume
means everything is fine. So I next re-created it with the "-v" flag,
and again checked the log :

# ksslcfg create -v -f pem -i /etc/apache2/kssl.pem -x 80 localhost 443
# cat /var/svc/log/network-ssl-proxy:kssl-localhost-443.log

[ Jan 10 12:26:52 Stopping because service disabled. ]
[ Jan 10 12:26:52 Executing stop method ("/usr/lib/kssladm delete localhost 443") ]
[ Jan 10 12:26:52 Method "stop" exited with status 0 ]
[ Jan 10 12:26:53 Enabled. ]
[ Jan 10 12:26:53 Executing start method ("/usr/lib/kssladm create -v -f pem -i /etc/apache2/kssl.pem -x 80 localhost 443") ]
addr=127.0.0.1, port = 443
In PEM_get_x509_info_stack: /etc/apache2/kssl.pem opened
/* subject: /C=US/ST=Some-State/O=Unconfigured OpenSSL Installation/CN=localhost */
In PEM_get_key: /etc/apache2/kssl.pem opened
1 certificates read successfully
Successfully loaded cert and key
[ Jan 10 12:26:53 Method "start" exited with status 0 ]

Great. So now all it tells me is that it managed to successfully read the
certificate and loaded it along with the key. So, why on earth is this
not working ??!!
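One thing worth ruling out before blaming the kernel proxy is the bundle itself: `ksslcfg -f pem` is handed a single file that must carry the private key and the certificate, and a concatenation step is an easy place to end up with a truncated or duplicated block. The script below is an added example, not part of Mark's post or of Solaris; it uses only the Python standard library to list the PEM blocks in a bundle in file order, confirm each one decodes to a single well-formed DER SEQUENCE, report the RSA modulus size from the PKCS#1 key block, and check the "exactly one key, at least one certificate" shape. The sample bundle embedded at the bottom is constructed in-line (a placeholder modulus and a stand-in certificate body, not real credentials) so the script runs offline; point it at a real `kssl.pem` by passing the path as the first argument.

```python
"""Sanity-check a concatenated PEM bundle (key + cert) of the kind passed to
`ksslcfg create -f pem -i bundle.pem`.  Added example; standard library only."""
import base64
import re
import sys

# One PEM block: label in the BEGIN/END armour, base64 body between them.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_len(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value bytes, next position)."""
    tag = buf[pos]
    length, start = der_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[start:end], end


def rsa_private_key_bits(der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }.
    Return the modulus size in bits; raise if the outer layout does not match."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    tag, _version, pos = der_read(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, modulus, _ = der_read(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def inspect_bundle(text):
    """Return [(label, detail), ...] for every PEM block, in file order."""
    report = []
    for m in PEM_BLOCK.finditer(text):
        label, b64 = m.group(1), m.group(2)
        der = base64.b64decode("".join(b64.split()), validate=True)
        tag, _, end = der_read(der, 0)
        if tag != 0x30 or end != len(der):
            raise ValueError(f"{label}: body is not a single DER SEQUENCE")
        if label == "RSA PRIVATE KEY":
            report.append((label, f"{rsa_private_key_bits(der)}-bit modulus"))
        else:
            report.append((label, f"{len(der)} bytes DER"))
    return report


def bundle_ok(text):
    """Shape a key+cert bundle should have: one private key, one or more certs."""
    labels = [label for label, _ in inspect_bundle(text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    return len(keys) == 1 and len(certs) >= 1


# --- constructed sample input (not real key material) ---------------------
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value):
    # extra byte keeps a leading 0x00 when the high bit is set (DER positive INTEGER)
    return der_encode(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


SAMPLE_KEY_DER = der_encode(0x30, b"".join(
    [der_int(0),                  # version
     der_int((1 << 1023) | 1),    # placeholder 1024-bit modulus, NOT a real key
     der_int(65537)]              # public exponent
    + [der_int(3)] * 6))          # d, p, q, dP, dQ, qInv: dummy values
SAMPLE_CERT_DER = der_encode(0x30, der_int(1))   # stand-in, not a real X.509 cert
SAMPLE_BUNDLE = pem("RSA PRIVATE KEY", SAMPLE_KEY_DER) + pem("CERTIFICATE", SAMPLE_CERT_DER)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for label, detail in inspect_bundle(text):
        print(f"{label:20s} {detail}")
    print("bundle shape OK" if bundle_ok(text) else "bundle shape WRONG")
```

The checker deliberately stops at the outer DER structure: it confirms the blocks are intact and in a sensible order, which is what a copy-and-paste concatenation can break, and leaves full X.509 parsing to openssl. A bundle that passes here but still yields no listener on 443 points the investigation at the proxy service rather than at the file it was given.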
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:41:27 EDT