Proxy & Web Servers


Wednesday May 24, 2006


Enabling SSL on WS7.0* using CLI




Sun Java System Web Server 7.0 provides an easy to use command line tool, wadm, which allows installation and management of certificates. Enabling SSL on the server involves the use of the following CLIs:

set-token-pin
create-selfsigned-cert
list-certs
create-cert-request
install-cert
delete-cert
set-ssl-prop


All the CLIs explained below are executed from the wadm prompt.
To enter the wadm prompt, execute the following from <server-root>/bin (e.g. if user=admin, port=8888, and the admin password is saved in <server-root>/bin/admin.pwd):
./wadm --user=admin --port=8888 --password-file=admin.pwd
wadm>

To see the usage of any CLI, enter the command name at the wadm prompt.


Prerequisites:
1) SJSWS7.0 Technology Preview-1 installed
2) Config and instance exists


Setting the token password for the internal token (optional):
wadm> set-token-pin --save-pin=true --token=internal --config=config1
Please enter token-pin> {Enter token pin if set already}
Please enter new-token-pin> {Enter new pin, say 88888888}
Please enter new-token-pin again> {88888888}
CLI201 Command 'set-token-pin' ran successfully

The pin can also be set in a password file as follows:
vi <server-root>/bin/certdb.pwd

wadm_token_pin=12345678
wadm_new_token_pin=88888888

=========================

wadm> set-token-pin --save-pin=true --password-file=certdb.pwd --token=internal --config=config1

Note: For the execution of the remaining CLIs, if wadm_token_pin is set in the password file, the user will not be prompted for the pin each time.


Creating self signed certificates:

Key type: RSA (there is an option to specify the key size)
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=rsa --config=config1 --server-name=server1 --nickname=cert1
CLI201 Command 'create-selfsigned-cert' ran successfully

Key type: ECC (there is an option to specify the curve name)
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=ecc --config=config1 --server-name=server2 --nickname=cert2
CLI201 Command 'create-selfsigned-cert' ran successfully


Listing the installed certificates:

The same CLI can be used with different values of cert-type to list server and CA certificates.

wadm> list-certs --token=internal --cert-type=server --config=config1
cert1
cert2

wadm> list-certs --token=internal --cert-type=ca --config=config1
Builtin Object Token:Verisign/RSA Secure Server CA
Builtin Object Token:GTE CyberTrust Root CA
Builtin Object Token:GTE CyberTrust Global Root
Builtin Object Token:Thawte Personal Basic CA
...

Generating certificate request:

wadm> create-cert-request --org=SUN --config=config1 --token=internal --server-name=server3

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

Copy the above request to a file and get it signed by a certificate signing authority.


Installing CA signed server certificates, CA certificates, certificate chain:

The same CLI can be used with different values of cert-type to install a server certificate, a CA certificate or a certificate chain.

To install a CA signed server certificate, first generate the request using the CLI create-cert-request and get it signed by the CA. Then use the following CLI, giving the file path to the CA signed certificate, which can be in ASCII or binary format.

wadm> install-cert --config=config1 --token=internal --cert-type=server --nickname=cert3 /space/certreq/server.cert
CLI201 Command 'install-cert' ran successfully

For a CA certificate or a certificate chain, provide the certificate file.
wadm> install-cert --config=config1 --token=internal --nickname="Cert Manager" --cert-type=ca /space/certreq/ca.cert
CLI201 Command 'install-cert' ran successfully

Use the CLI list-certs with --cert-type=server or --cert-type=ca to verify the installation of these certificates.


Deletion of certificates:

wadm> delete-cert --token=internal --config=config1 cert1
CLI201 Command 'delete-cert' ran successfully


Enabling SSL:

To enable SSL on the default listener using certificate cert2:

wadm> set-ssl-prop --config=config1 --http-listener=http-listener-1 server-cert-nickname=cert2
CLI201 Command 'set-ssl-prop' ran successfully


wadm> get-ssl-prop --config=config1 --http-listener=http-listener-1
tls=true
server-cert-nickname=[cert2]
client-auth-timeout=60
client-auth=false
enabled=false
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true

The other properties listed above, such as the enabled flag, the SSL/TLS version settings and client authentication, can be edited with the same CLI set-ssl-prop.

Deploy the config and start the instance.

wadm> deploy-config config1
CLI201 Command 'deploy-config' ran successfully

wadm> start-instance --config=config1 server1
CLI204 Successfully started the server instance.

Now you have an SSL enabled instance running.
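The same procedure as one shell script, added here as an example and not part of the original post: it drives wadm non-interactively and gates deployment on a check of the get-ssl-prop output, so a listener that still reports enabled=false is never deployed as "SSL enabled". It assumes wadm accepts the connection options on each command (standalone mode), that the token pin was saved earlier with set-token-pin --save-pin=true, and that the enabled property shown by get-ssl-prop can be set with set-ssl-prop; the paths and names are placeholders taken from the post.

```sh
# Added example, not from the original post. Drives the post's wadm steps
# non-interactively and refuses to deploy unless get-ssl-prop confirms the
# listener is switched on with the certificate bound. Assumptions: wadm takes
# the connection options on each command; the token pin is already saved;
# paths and names below are placeholders copied from the post.
WADM="${WADM:-./wadm}"                                      # <server-root>/bin/wadm
CONN="--user=admin --port=8888 --password-file=admin.pwd"   # unquoted on purpose
CONFIG=config1
LISTENER=http-listener-1
NICK=cert2

# check_ssl_props: reads the key=value lines printed by get-ssl-prop on stdin.
# Returns 0 only when enabled=true, a server-cert-nickname is bound and
# ssl2=false (SSLv2 must stay off); prints every failing property otherwise.
check_ssl_props() {
    enabled=""; nick=""; ssl2=""
    while IFS='=' read -r key val; do
        case "$key" in
            enabled) enabled=$val ;;
            server-cert-nickname) nick=$val ;;
            ssl2) ssl2=$val ;;
        esac
    done
    rc=0
    [ "$enabled" = "true" ] || { echo "enabled=$enabled: listener is not SSL enabled"; rc=1; }
    case "$nick" in ""|"[]") echo "no server-cert-nickname bound"; rc=1 ;; esac
    [ "$ssl2" = "false" ] || { echo "ssl2=$ssl2: SSLv2 must be disabled"; rc=1; }
    return $rc
}

provision_cert() {
    # Same create-selfsigned-cert call as the post, then confirm the nickname
    # shows up in list-certs before the listener references it.
    "$WADM" create-selfsigned-cert $CONN --token=internal --validity=12 --org=SUN \
        --country=IN --key-type=rsa --config="$CONFIG" --server-name=server1 \
        --nickname="$NICK" || return 1
    "$WADM" list-certs $CONN --token=internal --cert-type=server --config="$CONFIG" \
        | grep -qx "$NICK"
}

enable_ssl() {
    # Bind the certificate and set enabled=true (a property get-ssl-prop
    # reports) in one set-ssl-prop call, verify, and only then deploy.
    "$WADM" set-ssl-prop $CONN --config="$CONFIG" --http-listener="$LISTENER" \
        enabled=true server-cert-nickname="$NICK" || return 1
    "$WADM" get-ssl-prop $CONN --config="$CONFIG" --http-listener="$LISTENER" \
        | check_ssl_props || return 1
    "$WADM" deploy-config $CONN "$CONFIG"
}
```

Run provision_cert and then enable_ssl from <server-root>/bin; a non-zero exit from either means the printed property must be fixed before start-instance.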

========================================

Installing certificates and enabling SSL through the administration GUI, and installing binary certificates, shall be discussed in the next couple of posts...


*Sun Java System Web Server 7.0-Technology-Preview-1


Comments:

I'm certainly and completely upset because of your issuing any kind of certificates without asking if the person is entitled to. Somebody, perhaps a sick-minded, has asked for the installation of your certificates (a lot of them) in my pc, without my knowing or authorizing it. On bottom of each certificate appears two coded signatures: SHA 1 51:A8:39:A3:E4:4A:84:32:65:CB37:IC:BB:C7:CO: 19:70:EF:97:34 MD5 CE:F5:CD:EA:17:4F:C4:36:17:67:F6:94:50:EF:59:EF I have lost the FREEDOM of using my own pc, because of the intruding into my privacy, to which I'm entitled under any law around the world. So, I demand you to DISABLE those certificates IMMEDIATELY (WITHIN 24 HOURS), otherwise, I will go to authorities.

Posted by GLADYS ELENA OCAMPO RIOS on January 06, 2007 at 05:19 AM IST #

Dear Sirs: This is not a comment, this is a request for your disabling all the certificates that are running on my pc, WITHOUT MY REQUESTING OR AUTHORIZATION. I have had a lot of patience regarding this issue. I'm not a cyber expert, but as I'm having a lot of troubles I tried to learn from the information on the net and finally found the reason of my problems: YOUR CERTIFICATES. We have 3 pcs at home and in any one of them, neither my 28-year-old son, 18-year-old daughter, or me, are able to change passwords on the hotmail (just one of the problems). Please, be nice and remove those certificates. I am talking as what I am, a decent person. I wouldn't like to go to any court of law. I would appreciate having the pcs free of certificates by tomorrow morning. Gladys Elena Ocampo Ríos

Posted by GLADYS ELENA OCAMPO RIOS on January 08, 2007 at 05:16 AM IST #

I am sure you have the wrong blog. Our product DOES NOT install any certificates of any nature on any pc without explicit commands given by the administrator of the pc. Even so our product installs certificates only in a folder private to our product. We are also not a certificate issuing authority. First of all could you clarify if you have downloaded and installed our web server product. If not then it is confirmed that the problem that you are facing has nothing to do with our product. NOTE: As a helpful tip I suggest you clear your browser cache, close all your browser instances and reopen your browser. It should clear your problem.

Posted by Isvaran Krishnamurthy on January 24, 2007 at 06:35 PM IST #
