System Administration Commands                             ksslcfg(1M)

NAME
     ksslcfg - enable and configure SMF instance of Kernel SSL

SYNOPSIS
     ksslcfg create -f pkcs11 -T tokenlabel -C certificate_label
          [-d softtoken_directory] [-p password_file [-u username]]
          [-h ca_certchain_file] [-c ciphersuites]
          [-t ssl_session_cache_timeout]
          [-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port

     ksslcfg create -f pkcs12 -i cert_and_key_pk12file
          [-p password_file [-u username]] [-c ciphersuites]
          [-t ssl_session_cache_timeout] [-z ssl_session_cache_size]
          [-v] -x proxy_port [host] ssl_port

     ksslcfg create -f pem -i cert_and_key_pemfile
          [-p password_file [-u username]] [-c ciphersuites]
          [-t ssl_session_cache_timeout] [-z ssl_session_cache_size]
          [-v] -x proxy_port [host] ssl_port

     ksslcfg delete [-v] [host] ssl_port

     ksslcfg -V

     ksslcfg -?
DESCRIPTION
     ksslcfg manages smf(5) instances for the Kernel SSL proxy
     module. An SSL-enabled web server can use the services of
     its Kernel SSL proxy to improve the performance of its HTTPS
     packet processing. It does so by creating an instance of the
     Kernel SSL service, specifying the SSL proxy port and
     parameters, and by listening on the proxy port.

     The create subcommand creates an instance and enables the
     service for the given address and SSL port.

     The delete subcommand disables the service for the given
     address and port, if it is enabled, and deletes the instance
     from the SMF repository.
SunOS 5.11 Last change: 27 May 2008 1
     ksslcfg can be run as root or by other users assigned to the
     Network Security profile. See rbac(5) and user_attr(4). You
     must run ksslcfg to configure your Kernel SSL proxy before
     you start your application.

     ksslcfg allows you to specify an ssl_port operand, described
     under OPERANDS, and, with the -x option, a proxy_port value.
     When specified for use with the Kernel SSL proxy, these
     values cannot also be configured for the Solaris Network
     Cache and Acceleration (NCA) feature. See nca(1) for a
     description of the NCA feature.

     The Fault Managed Resource Identifier (FMRI) for the kernel
     SSL proxy instances is svc:/network/ssl/proxy. ksslcfg
     creates an instance of that service unique to the
     combination of host and SSL port. Instance FMRIs for
     particular proxy entries can be found with svcs(1) and used
     for dependencies of other services.
OPTIONS
     The following options are supported:

     -c ciphersuites

         Set of cipher suites a client is allowed to negotiate,
         in sorted order. The supported SSL version 3 and TLS
         cipher suites are listed below. Note that the names are
         case-insensitive.

             rsa_rc4_128_sha
             rsa_rc4_128_md5
             rsa_aes_256_cbc_sha
             rsa_aes_128_cbc_sha
             rsa_3des_ede_cbc_sha
             rsa_des_cbc_sha
     -f key_format

         Uses the certificate/key format specified in key_format.
         The supported options are pkcs11, pkcs12, and pem.

     -i key_and_certificate_file

         When pkcs12 or pem is specified with the -f option,
         reads a key and a certificate of the web server from
         key_and_certificate_file. This file can also contain any
         intermediate CA certificates that form the certificate
         chain to the root CA for the server certificate. These
         certificates must follow the server certificate in the
         file and the order must be bottom up: lowest level CA
         certificate followed by the next higher level CA
         certificate, and so on.
     -C certificate_label

         PKCS#11 can store multiple certificates in a single
         token. This option enables you to specify a single
         certificate, identified by certificate_label. This label
         must match the CKA_LABEL on the certificate object in the
         token specified by -T. This option is to be used only
         with -f pkcs11.

     -d softtoken_directory

         This option is applicable only with the pkcs11 key
         format, when the token label is the Sun Software PKCS#11
         softtoken. Use this option to override the default
         location of the PKCS#11 softtoken directory
         ($HOME/.sunw). See pkcs11_softtoken(5).

     -h ca_certchain_file

         When pkcs11 is specified with the -f option, reads a set
         of intermediate CA certificates that form the
         certificate chain to the root CA for the server
         certificate (specified with the -C option), from
         ca_certchain_file. The file must be in PEM format.

     -p password_file

         Obtains the password used to encrypt the private key
         from password_file. When using the pkcs11 option (see
         -f, above), the password is used to authenticate the
         user to the PKCS#11 token.

     -t ssl_session_cache_timeout

         The timeout value, in seconds, for an SSL session. It
         corresponds to SSL3SessionTimeout of the Sun ONE web
         server configuration or SSLSessionCacheTimeout of
         mod_ssl.
     -T tokenlabel

         When pkcs11 is specified with -f, uses the PKCS#11 token
         specified in tokenlabel. Use cryptoadm list -v to
         display all PKCS#11 tokens available.

     -u username

         The username of the user who owns the password file. If
         omitted, the system will try to read the password file
         as root.

     -v

         Verbose mode.

     -V

         Displays the version.

     -x proxy_port

         The SSL proxy port. The port number is designated
         exclusively for clear-text HTTP communication between
         the web server and the kernel SSL proxy module. No
         external HTTP packets are delivered to this port.

     -z ssl_session_cache_size

         The maximum number of SSL sessions that can be cached.
         It corresponds to SSLCacheEntries of the Sun ONE web
         server configuration. When this option is not specified,
         the default is 5000 entries.

     -?

         Displays the usage of the command.
OPERANDS
     [host] [ssl_port]

         The address and the port of the web server for which
         the kernel SSL entry is created. If host is omitted, the
         entry will be used for all requests that arrive at the
         ssl_port, regardless of the destination address. Both a
         host name and an IP address are acceptable forms for
         host. ssl_port is required. Typically, this has a value
         of 443.
EXAMPLES
     Example 1 Create and Enable a Kernel SSL Instance

     The following command creates and enables a Kernel SSL
     instance using a certificate and a key in PKCS#11 format.

       # ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken" \
         -C "Server-Cert" -p /some/directory/password -u webservd \
         -x 8080 www.mysite.com 443

       % svcs svc:/network/ssl/proxy
       STATE          STIME    FMRI
       online         Sep_27   svc:/network/ssl/proxy:kssl-www-mysite-com-443

     Example 2 Create and Enable a Default Instance for All
     Addresses

     The following command creates and enables a default instance
     for all addresses from a certificate and key in a PKCS#12
     file.

       # ksslcfg create -x 8888 -f pkcs12 -i /some/directory/keypair.p12 \
         -p /some/directory/password -u webservd 443

     Example 3 Create and Enable an Instance with Specific Cipher
     Suites

     The following command creates and enables an instance with
     specific cipher suites.

       # ksslcfg create -x 8080 -f pem \
         -i /some/directory/keypair.pem -p /some/directory/password \
         -c "rsa_rc4_128_md5,rsa_rc4_128_sha" \
         209.249.116.195 443

     Example 4 Disable and Delete an Instance

     The following command disables and deletes an instance.

       # ksslcfg delete www.mysite.com 443
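     The following POSIX sh script is an added example and is not
     part of the ksslcfg(1M) man page or of the ksslcfg utility. It
     performs the pre-flight checks an administrator would want
     before running ksslcfg create: it normalises the -c list
     against the cipher suites listed under OPTIONS (case-
     insensitively, as the page states), refuses a -p password
     file that group or other can read, predicts the instance FMRI
     that svcs(1) should show, and prints the assembled pkcs12
     create command without executing it. The 0600-style
     permission rule, the flagging of RC4 and single-DES suites,
     and the INADDR_ANY instance name are this script's own
     assumptions, not statements of the man page.

```shell
#!/bin/sh
# Added example, not part of the ksslcfg(1M) man page: pre-flight checks
# for a ksslcfg create invocation. Nothing here runs ksslcfg itself.

# Cipher suite names listed under -c in OPTIONS; -c accepts them
# case-insensitively, so everything is compared in lower case.
KSSL_CIPHERS="rsa_rc4_128_sha rsa_rc4_128_md5 rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha rsa_3des_ede_cbc_sha rsa_des_cbc_sha"

# Lower-case a comma-separated -c list, reject unknown names (return 1)
# and print the normalised list. Suites built on RC4 or single DES are
# accepted (the proxy supports them) but reported on stderr, since they
# are no longer considered adequate; that policy is this script's own.
kssl_normalize_ciphers() {
    out=""
    for c in $(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ',' ' '); do
        case " $KSSL_CIPHERS " in
            *" $c "*) ;;
            *) echo "unknown cipher suite: $c" >&2; return 1 ;;
        esac
        case $c in
            *rc4*|rsa_des_cbc_sha) echo "note: $c uses a legacy cipher" >&2 ;;
        esac
        out="${out:+$out,}$c"
    done
    [ -n "$out" ] || { echo "empty cipher suite list" >&2; return 1; }
    printf '%s\n' "$out"
}

# The -p file is read as the -u user (or root). Refuse one that group or
# other can read, so the key password is not exposed to every local
# account; this 0600-style requirement is the script's own policy.
kssl_check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "password file $f missing" >&2; return 1; }
    # columns 5-10 of ls -ld are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    case $bits in
        ------) return 0 ;;
        *) echo "password file $f is group/other accessible ($bits)" >&2
           return 1 ;;
    esac
}

# Instance FMRI to expect in svcs(1) output, modelled on Example 1
# (kssl-www-mysite-com-443). The man page marks the instance name
# format Unstable, and the INADDR_ANY name used for a create without a
# host operand is an assumption, so treat the result as a hint only.
kssl_instance_fmri() {
    host=${1:-INADDR_ANY}
    printf 'svc:/network/ssl/proxy:kssl-%s-%s\n' \
        "$(printf '%s' "$host" | tr '.' '-')" "$2"
}

# Assemble the pkcs12 form of ksslcfg create from checked inputs and
# print it. Executing it as root or a Network Security profile user is
# left to the operator.
kssl_create_cmd() {
    host=$1 sslport=$2 proxyport=$3 p12=$4 pwfile=$5 owner=$6
    suites=$(kssl_normalize_ciphers "$7") || return 1
    kssl_check_password_file "$pwfile" || return 1
    printf 'ksslcfg create -f pkcs12 -i %s -p %s -u %s -c "%s" -x %s %s%s\n' \
        "$p12" "$pwfile" "$owner" "$suites" "$proxyport" \
        "${host:+$host }" "$sslport"
}

# Demonstration on constructed input: a temporary password file with
# the right mode, then the same file opened up to group/other.
kssl_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-password\n' > "$d/pw" && chmod 600 "$d/pw"
    kssl_create_cmd www.mysite.com 443 8080 /some/directory/keypair.p12 \
        "$d/pw" webservd "RSA_AES_256_CBC_SHA,rsa_aes_128_cbc_sha"
    kssl_instance_fmri www.mysite.com 443
    chmod 644 "$d/pw"
    kssl_check_password_file "$d/pw" || echo "create refused, as intended"
    rm -rf "$d"
}

kssl_demo
```

     Run it with sh before the real create; the printed command
     is the one to execute, and the printed FMRI is what to look
     for in svcs(1) afterwards.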
EXIT STATUS
     0      Successful completion.

     >0     An error occurred.
ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWksslu                   |
    |_____________________________|_____________________________|
    | Interface Stability         | See below.                  |
    |_____________________________|_____________________________|

     Command line options are Evolving; command output is
     Unstable. The FMRI service name (svc:/network/ssl/proxy) is
     Unstable, as is the FMRI instance's name format. The utility
     name is Stable.
SEE ALSO
     nca(1), svcprop(1), svcs(1), cryptoadm(1M), svcadm(1M),
     svccfg(1M), user_attr(4), attributes(5),
     pkcs11_softtoken(5), rbac(5), smf(5)
NOTES
     ksslcfg create without a host argument creates an
     INADDR_ANY smf instance. ksslcfg delete without a host
     argument deletes only the INADDR_ANY instance. ksslcfg
     delete needs a host argument to delete any non-INADDR_ANY
     instance.

     On a system with zones(5) installed, the ksslcfg command can
     be used only in the global zone at this time.