System Administration Commands ksslcfg(1M)
NAME
ksslcfg - enable and configure SMF instance of Kernel SSL
SYNOPSIS
ksslcfg create -f pkcs11 -T token_label -C certificate_label
[-d softtoken_directory]
[-p password_file [-u username]]
[-h ca_certchain_file] [-c ciphersuites]
[-t ssl_session_cache_timeout]
[-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port
ksslcfg create -f pkcs12 -i cert_and_key_pk12file
[-p password_file [-u username]]
[-c ciphersuites] [-t ssl_session_cache_timeout]
[-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port
ksslcfg create -f pem -i cert_and_key_pemfile
[-p password_file [-u username]]
[-c ciphersuites] [-t ssl_session_cache_timeout]
[-z ssl_session_cache_size] [-v] -x proxy_port [host] ssl_port
ksslcfg delete [-v] [host] ssl_port
ksslcfg -V
ksslcfg -?
DESCRIPTION
ksslcfg manages smf(5) instances for the Kernel SSL proxy
module. An SSL-enabled web server can use the services of
its Kernel SSL proxy to improve the performance of the HTTPS packets processing. It does so by creating an instance of the Kernel SSL service, specifying the SSL proxy port and parameters, and by listening on the proxy port. The create subcommand creates an instance and enables the service for the given address and SSL port. The delete subcommand disables the service for the given address and port, if it is enabled, and deletes the instance from the SMF repository.SunOS 5.11 Last change: 27 May 2008 1
System Administration Commands ksslcfg(1M)
ksslcfg can be run as root or by other users assigned to the
Network Security profile. See rbac(5) and user_attr(4). You
must run ksslcfg to configure your Kernel SSL proxy before
you start your application.ksslcfg allows you to specify an ssl_port operand, described
under OPERANDS, and, with the -x option, a proxy_port value.
When specified for use with the Kernel SSL proxy, these values cannot also be configured for the Solaris Network Cache and Acceleration (NCA) feature. See nca(1) for a description of the NCA feature. The Fault Managed Resource Identifier (FMRI) for the kernelSSL proxy instances is svc://network/ssl/proxy. ksslcfg
creates an instance of that service unique to the combina-
tion of host and SSL port. Instance FMRIs for particularproxy entries can be found with svcs(1) and used for depen-
dencies of other services. OPTIONS The following options are supported:-c ciphersuites
Set of ciphers a client is allowed to negotiate in a sorted order. The supported SSL version3 and TLS ciphersare listed below. Note that the names are case-
insensitive.rsa_rc4_128_sha
rsa_rc4_128_md5
rsa_aes_256_cbc_sha
rsa_aes_128_cbc_sha
rsa_3des_ede_cbc_sha
rsa_des_cbc_sha
-f key_format
Uses the certificate/key format specified in key_format.
The supported options are pkcs11, pkcs12, and pem.-i key_and_certificate_file
When pkcs12 or pem is specified with the -f option,
reads a key and a certificate of the web server fromkey_and_certificate_file. This file can also contain any
intermediate CA certificates that form the certificateSunOS 5.11 Last change: 27 May 2008 2
System Administration Commands ksslcfg(1M)
chain to the root CA for the server certificate. These certificates must follow the server certificate in the file and the order must be bottom up: lowest level CAcertificate followed by the next higher level CA certi-
ficate, and so on.-C certificate_label
PKCS#11 can store multiple certificates in single token.
This option enables you to specify a single certificate,identified by certificate_label. This label must match
the CKA_LABEL on the certificate object in the token
specified by -T. This option is to be used only with -f
pkcs11.-d softtoken_directory
This option is applicable only with the pkcs11 key for-
mat, when the token label is the Sun Software PKCS#11
softtoken. Use this option to override the default loca-
tion of the PKCS#11 softtoken directory ($HOME/.sunw).
See pkcs11_softtoken(5).
-h ca_certchain_file
When pkcs11 is specified with the -f option, reads a set
of intermediate CA certificates that form the certifi-
cate chain to the root CA for the server certificate(specified with the -C option), from ca_certchain_file.
The file must be in PEM format.-p password_file
Obtains the password used to encrypt the private keyfrom password_file. When using the pkcs11 option (see
-f, above), the password is used to authenticate the
user to the PKCS #11 token.
-t ssl_session_cache_timeout
The timeout value, in seconds, for an SSL session. It corresponds to SSL3SessionTimeout of the Sun ONE web server configuration or SSLSessionCacheTimeout ofmod_ssl.
SunOS 5.11 Last change: 27 May 2008 3
System Administration Commands ksslcfg(1M)
-T token_label
When pkcs11 is specified with -f, uses the PKCS#11 token
specified in token_label. Use cryptoadm list -v to
display all PKCS#11 tokens available.
-u username
The username of the user who owns the password file. If omitted, the system will try to read the password file as root.-v
Verbose mode.-V
Displays the version.-x proxy_port
The SSL proxy port. The port number is designatedexclusively for clear-text HTTP communication between
the web server and the kernel SSL proxy module. No external HTTP packets are delivered to this port.-z ssl_session_cache_size
The maximum number of SSL sessions that can be cached. It corresponds to SSLCacheEntries of the Sun ONE web server configuration. When this option is not specified, the default is 5000 entries.-?
Displays the usage of the command. OPERANDS[host] [ssl_port] The address and the port of the web
server for which the kernel SSL entry is created. If host is omitted, the entry will be used for all requeststhat arrived at the ssl_port, regard-
less of the destination address. Both aSunOS 5.11 Last change: 27 May 2008 4
System Administration Commands ksslcfg(1M)
host name and an IP address are accept-
able forms for host. ssl_port is
required. Typically, this has a value of 443.EXAMPLES
Example 1 Create and Enable a Kernel SSL Instance The following command creates and enables a Kernel SSLinstance using a certificate and a key in PKCS#11 format.
# ksslcfg create -f pkcs11 -T "Sun Software PKCS#11 softtoken" \
-C "Server-Cert" -p /some/directory/password -u webservd \
-x 8080 www.mysite.com 443
% svcs svc:/network/ssl/proxy
STATE STIME FMRIonline Sep_27 svc:/network/ssl/proxy:kssl-www-mysite-com-443
Example 2 Create and Enable a Default Instance for All Addresses The following command creates and enables a default instancefor all addresses from a certicate and key in a pkcs#12
file.# ksslcfg create -x 8888 -f pkcs12 -i /some/directory/keypair.p12 \
-p /some/directory/password -u webservd 443
Example 3 Create and Enable an Instance with Specific Cipher Suites The following command creates and enables an instance with specific cipher suites.# ksslcfg create -x 8080 -f pem \
-i /some/directory/keypair.pem -p /some/directory/password \
-c "rsa_rc4_128_md5,rsa_rc4_128_sha" \
209.249.116.195 443SunOS 5.11 Last change: 27 May 2008 5
System Administration Commands ksslcfg(1M)
Example 4 Disable and Delete an Instance The following command disables and deletes an instance.# ksslcfg delete www.mysite.com 443
EXIT STATUS 0 Successful completion. >0 An error occurred.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWksslu ||_____________________________|_____________________________|
| Interface Stability | See below. ||_____________________________|_____________________________|
Command line options and the utility name are Committed. The command output, the FMRI service name(svc://network/ssl/proxy), and the FMRI instance's name for-
mat are UncommittedSEE ALSO
nca(1), svcprop(1), svcs(1), cryptoadm(1M), svcadm(1M),svccfg(1M), user_attr(4), attributes(5),
pkcs11_softtoken(5), rbac(5), smf(5)
NOTESksslcfg create without an host argument creates an
INADDR_ANY smf instance. ksslcfg delete without an host
argument deletes only the INADDR_ANY instance. ksslcfg
delete needs a host argument to delete any non-INADDR_ANY
instance.SunOS 5.11 Last change: 27 May 2008 6
System Administration Commands ksslcfg(1M)
On a system with zones(5) installed, the ksslcfg command can
be used only in the global zone at this time.SunOS 5.11 Last change: 27 May 2008 7