Enable SSL - GUI
Enabling SSL on WS7.0 through Administration GUI
Prerequisites:
- Sun Java System Web Server 7.0 installed
- Administration server is started (from <server-root>/admin-server/bin/startserv)
- A configuration and an instance exist, e.g. config1 on the server host
- Certificate server for creating CA-signed server certificates
Access the Administration user interface in a browser through the SSL port:
https://<server-host>:<server-ssl-port>
Log in with the correct username and password.
What is covered in this blog?
- Setting token
- Requesting certificates
- Installing server certificates
- Installing CA certificates
- Setting trust flags for CA
- CRL management
- Deleting certificates
- Enabling SSL on default listener
- Edit listener - security properties
The steps below are described starting from the start page of the admin console. Deploy the config after each set of steps.
Setting token pin
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> PKCS11 tokens
Steps:
- Select the default token 'internal' from the tokens table.
- In the edit token properties wizard, select the 'Set Password' checkbox.
- Enter the token pin, e.g. 88888888
- Click OK and close the wizard.
- If a token pin is set, then the password has to be entered in the Server Certificates and Certificate Authorities pages using the 'Set password' button for that session. Only then will the contents of the table be displayed.
Requesting certificates
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates
Note: Requesting certificates can also be done from the following screens:
- Common Tasks -> Request Server Certificate -> Select config
- Server Certificates -> Request Button -> Select config
- Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> select listener (http-listener-1) -> Security -> Request link
Steps:
- Click the Request button in the Server Certificates page.
- Enter the token pin (if set). Next
- Enter the Server name (e.g. server-host), Organization, Organizational unit, Locality, State and Country. Next
- There are two key types for certificate creation:
  - Key type RSA: Select the RSA radio button and then select the key size from the drop-down menu. Next
  - Key type ECC: Select the ECC radio button and then select the curve name from the drop-down menu. Next
- Two types of certificate can be created:
  - Self-signed certificate: Select the radio button for self-signed certificate. Enter a nickname and validity. An HTTP listener can be selected to enable SSL. Next
  - CA-signed certificate: Select the radio button for CA-signed certificate. Next
- Review Settings. Finish
- For a self-signed certificate, a message shows successful creation of the certificate and the table lists the newly created certificate.
- To view certificate details, click the certificate name link in the server certificates table.
- For a CA-signed certificate, a Certificate Signing Request is displayed. This CSR (including the BEGIN/END NEW CERTIFICATE REQUEST lines) has to be sent to the certificate signing authority to get the requested certificate. See the steps in 'Installing server certificates' to install the CA-signed server certificate.
[Get the CSR signed by the CA (Certificate Server) and generate the certificate in DER format.]
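An added example, not part of the original post: before the CSR from the Request wizard is sent to the CA, it can be checked offline with the openssl command-line tool (assumed to be installed) to confirm it was copied intact and carries the server name and key type chosen in the wizard. The helper names check_csr and make_sample_csr, the host name, and the minimum key sizes are assumptions made for this example.

```sh
#!/bin/sh
# Added example. Thresholds (RSA >= 2048 bits, EC >= 256 bits) are assumptions.

# check_csr FILE EXPECTED_CN [MIN_RSA_BITS]: prints a verdict, returns 0 on pass.
check_csr() {
    csr=$1; want_cn=$2; min_rsa=${3:-2048}

    # A CSR is signed with its own private key, so a failed check means the text
    # was truncated or altered when copied out of the browser. Match the message
    # text: some openssl builds exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify"; return 1; }

    # RFC2253 form is stable across openssl versions: subject=CN=...,O=...,C=...
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN '$cn' is not '$want_cn'"; return 1; }

    # Confirm the key type and size chosen in the wizard are what got requested.
    text=$(openssl req -in "$csr" -noout -text)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $alg in
        rsaEncryption)  min=$min_rsa ;;
        id-ecPublicKey) min=256 ;;
        *) echo "FAIL: unexpected key algorithm '$alg'"; return 1 ;;
    esac
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "FAIL: $alg key is ${bits:-?} bits, need $min"; return 1; }
    echo "OK: CN=$cn, $alg, $bits bits"
}

# Constructed sample: a throwaway RSA-2048 request for a hypothetical host,
# relabelled with the NEW CERTIFICATE REQUEST header the wizard displays.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/C=US/O=Example/CN=server-host.example.test" 2>/dev/null |
        sed 's/ CERTIFICATE REQUEST-----/ NEW CERTIFICATE REQUEST-----/' > "$1"
}

demo=$(mktemp -d)
make_sample_csr "$demo/req.pem"
check_csr "$demo/req.pem" server-host.example.test
rm -rf "$demo"
```

For a real request, save the text shown by the wizard to a file and pass that file and the server name entered in the wizard to check_csr.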
Installing server certificates
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates
Note: Installing server certificates can also be done from the following screens:
- Common Tasks -> Install Server Certificate -> Select config
- Server Certificates -> Install Button -> Select config
Steps:
- Click the Install button in the Server Certificates page.
- Enter the token pin (if set). Next
- The CSR obtained from the Request certificate wizard should be signed by a valid CA, and the resulting certificate can be provided as data to the Install Server Certificate wizard. There are two ways to provide the certificate data:
  - Certificate data in DER format can be provided directly: Select the Certificate radio button and enter the data in the text area. Next
  - Certificate data can be provided in DER/binary format in a file(*) accessible by the server: Select the Certificate file radio button and provide the path to the file on the server. Next
- Enter a nickname for the certificate. An HTTP listener can be selected to enable SSL. Next
- Review Settings. Finish
- A message shows successful installation of the certificate and the table lists the newly installed certificate.
- To view certificate details, click the certificate name link in the server certificates table.
Installing CA certificates
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Certificate Authorities
Steps:
- Click the Install button in the Certificate Authorities page.
- Enter the token pin (if set). Next
- There are two ways to provide the certificate data for the CA:
  - Certificate data in DER format can be provided directly: Select the Certificate radio button and enter the data in the text area. Next
  - Certificate data can be provided in DER/binary format in a file(*) accessible by the server: Select the Certificate file radio button and provide the path to the file on the server. Next
- There are two certificate types:
  - CA Certificate: Select the radio button to install a CA certificate. Next
  - Certificate Chain: Select the radio button to install a certificate chain. Next
- Review Settings. Finish
- A message shows successful installation of the CA certificate/certificate chain and the table lists the newly installed certificate.
- Use the filter to hide built-in certificates so that the newly installed CA certificate is displayed.
- To view certificate details, click the certificate name link in the Certificate Authorities table.
Setting trust flags for CA
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Certificate Authorities
Steps:
- Click the CA certificate name link to edit trust flags.
- In the trust flags section, edit the checkboxes for 'Trusted to sign client certificates' or 'Trusted to sign server certificates'.
- Apply and close.
CRL management
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Certificate Authorities
Steps:
- Click the Install CRL button in the Certificate Authorities page.
- In the Install CRL wizard, enter the path to the CRL file on the local system/server.
- CRL installation can be verified in the CA certificates table, under the CRL column, against the corresponding CA, e.g. for the CA Verisign Class 1 Public Primary Certification Authority, the CRL installed will be pca1.1.1.crl
- To view CRL details, click the CA name link. In the Certificate Authority properties page, the CRLs will be displayed.
- To uninstall a CRL, click the Uninstall CRL button seen in the Certificate Authority properties page in step 4.
- A message shows successful uninstallation of the CRL. Close.
Deleting certificates
Server certificates:
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Server Certificates
Note: Deleting certificates can also be done from the following screen:
Steps:
- Select the checkbox against the certificate to be deleted.
- Click the Delete button. A message shows the certificate is successfully deleted.
CA certificates:
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> Certificates -> Certificate Authorities
Note: Built-in CA certificates cannot be deleted.
Steps:
- Select the checkbox against the CA certificate to be deleted.
- Click the Delete button. A message shows the certificate is successfully deleted.
Enabling SSL
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> Select listener (http-listener-1) -> Security tab
Note: At least one certificate of type RSA or ECC must exist to enable SSL.
Steps:
- Enable the 'Security' checkbox.
- Select the certificate(s) to be used to enable security from the drop-down menus for the RSA certificate, the ECC certificate, or both.
- If ECC certificates are used to enable SSL, at least one ECC cipher from the SSL3/TLS list should be selected (the browser should also support ECC and should have the respective cipher enabled).
- Apply and close.
- The HTTP listeners table shows 'Security' as enabled against the listener.
Edit listener - Security properties
Navigation path: Common Tasks -> Select config (config1) -> Edit configuration -> HTTP Listeners -> Select listener (http-listener-1) -> Security tab
Steps:
- Select different certificate(s) to be used to enable security from the drop-down menus of RSA/ECC certificates for the same listener.
- Edit Client authentication (required/optional), Authentication timeout, and Maximum Authentication data.
- It is also possible to select or remove the SSL3/TLS and SSL2 ciphers.
- Apply changes and close.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Deploy the config from the 'Deployment Pending' link and start the instance from the Instances tab. Now you have an SSL-enabled instance.
Access it from a browser as https://<server-host>:<instance-port>/
(*) Not available in Sun Java System Web Server 7.0-Technology-Preview-1
Posted at 07:56PM Jun 08, 2006 by Devika Gopinathan in Sun
This blog is very informative, I am really pleased to post my comment on this blog. It helped me with ocean of knowledge so I really believe you will do much better in the future. Good job web master.
Posted by Jeff Paul on December 23, 2008 at 10:43 AM IST