Howto setup SSL on Sun Java System Web Server 6.1 on Solaris

This HowTo assumes the following:
* You have an instance of Sun Java System Web Server 6.1 on Solaris OS (SPARC/x64)
* The machine has a static IP
* You have root access to install and configure the software.
* All steps are presented in the form of examples with the assumption that you will replace environment specific parameters such as “myserver”, “mydomain.com”, “password”, and any other fields with the appropriate values for your environment.

1. Create a cert database for Web Server
Log in to the Web Server console at http://myserver.mydomain.com:8888
Click Manage for the target instance
Click the Security tab
Click the Create Database link
Enter a password for the database

2. Method 1: import a certificate created by a third party
If you prefer to generate your own certificate, see section 3. Before importing a certificate, you should create a certificate request for your server.

2.1. Request a Certificate
Click on the Request a Certificate link under the Security tab within the instance administration console for Web Server.
Enter a CA Email address. The server will send your request to this email address.
Enter the password you used to create the cert database above for the Key Pair File Password
Fill in the rest of the form with your personal information
For the Common name field, enter the host name of the server
For State, make sure you spell out the full state name. Do not use an abbreviation.

2.2. Import a Certificate
After you receive the certificate, follow these steps to install it:
Login to Web Server’s admin console
Choose to manage the correct instance that the cert was created for and click manage
Click Security tab
Click Install Certificate
Enter password for the cert database for Key Pair File Password field
Choose Message text (with headers)
Copy and paste the first of the two certs (the one with fewer lines) into the text box. Make sure you include the text that says -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Click OK
Click Add Server Certificate button
You will see a pop-up warning window telling you the change will require a server restart. Click OK.
You should see a pop-up success window. Click OK.
You should be back on the Install a Server Certificate page. Now, install the second part of the certificate (root cert) by choosing the Trusted Certificate Authority (CA) option under the “Certificate For” section.
Enter the correct certificate database password for the Key Pair File Password field
Choose the Message text (with headers) option and paste in the second certificate text that you received. Make sure you include the text that says -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Click Add Server Certificate.
Click Ok on the warning pop-up window.
Click Ok on the success pop-up window.

2.3. (Optional) Install trusted partner’s cert
Use the same instructions as above to install a partner’s cert as Trusted Certificate Authority.

2.4. (Optional) View installed cert
Click Manage Certificate link under Security tab within the instance console.
The new cert should be at the bottom of the list. Press the “End” key to scroll to the end of the page and look for your cert. You can click on it and see its properties.

3. Method 2: Create your own certificate
This method does not require waiting for a third party to generate a certificate, and therefore could be faster. Here are the notes on how it can be done:

3.1. Create a certificate in the certificate database
Instead of generating a request for the third party to create a certificate, this single step will create a certificate and store it in the certificate database. Before you run the command below, create a password file that contains the password for accessing the certificate database. This is a plain-text file containing one password. For more information on this command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -S -s "CN=My Demo, O=My Company., L=My City, ST=CA, C=US" -n Sun -x -t "CT,CT,CT" -1 -2 -5 -f /opt/SUNWwbsvr/alias/pass -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-
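
Because the -f file holds the certificate database password in plain text, it should be readable by its owner only. The following is an added example, not part of the original HowTo: the helper names are hypothetical, and it assumes a POSIX shell (on Solaris, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```sh
# Added example: create and check the certutil password file (-f) safely.
# PWFILE defaults to the path used on this page; override it for your setup.
PWFILE="${PWFILE:-/opt/SUNWwbsvr/alias/pass}"

# Write the password read from stdin to file $1, readable by the owner only.
create_pwfile() {
    (
        umask 077                       # a newly created file gets mode 0600
        rm -f "$1"                      # do not inherit an old file's mode
        IFS= read -r pw || [ -n "$pw" ] || exit 1   # reject empty input
        printf '%s\n' "$pw" > "$1"
    )
}

# Succeed only if $1 is a regular file with no group/other permission bits.
pwfile_mode_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other rwx columns
    [ "$perms" = "------" ]
}

# Run certutil with the password file only after the permission check passes.
# Example: run_certutil -L -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-
run_certutil() {
    if ! pwfile_mode_ok "$PWFILE"; then
        echo "refusing: $PWFILE is missing or readable by group/other" >&2
        return 1
    fi
    /opt/SUNWwbsvr/bin/https/admin/bin/certutil "$@" -f "$PWFILE"
}
```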

3.2. (Optional) List certificate(s)
You can use the following command to list the certificate you just created. Removing the -n option will display a list of certificates installed.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

3.3. (Optional) Delete a certificate
If you ever need to recreate the certificate, you can delete the old one with the following command:

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -D -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

3.4. (Optional) Export Certificate in DER format for partners
The following command will export the certificate with the name “Sun” to a file “mycert.der” in DER format. Some partners require this file type.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver- -r > mycert.der

3.5. (Optional) Import a partner’s certificate
The following command will import a certificate (160ca.der for this example) into the certificate database under the name “partner”.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -A -i 160ca.der -n partner -t "CT,CT,CT" -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-
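
The -t "CT,CT,CT" argument used in 3.1 and 3.5 has three comma-separated fields (SSL, e-mail, object signing); C marks a trusted CA for issuing server certificates and T a trusted CA for issuing client certificates, so "CT,CT,CT" grants CA trust in all three. The following added example (not from the original HowTo; function names are hypothetical and the sample listing is constructed) reads a `certutil -L` listing and reports entries trusted as a CA beyond SSL, so the trust string can be reviewed and narrowed where only SSL is needed.

```sh
# Added example: audit CA trust in a `certutil -L` listing (POSIX shell).

# Print the scopes in which trust string $1 (e.g. "CT,CT,CT") grants CA trust.
ca_trust_scopes() {
    printf '%s\n' "$1" | awk -F, '{
        n = split("ssl email objsign", name, " "); out = ""
        for (i = 1; i <= n; i++)
            if ($i ~ /[CT]/) out = out (out == "" ? "" : " ") name[i]
        print out
    }'
}

# Read a listing on stdin; print "nickname: scopes" for every entry that is
# trusted as a CA for e-mail or object signing, not just SSL.
broad_ca_trust() {
    while IFS= read -r line; do
        flags=${line##* }                         # last space-separated field
        case $flags in *[!A-Za-z,]*) continue ;; esac   # skip header lines
        case $flags in *,*,*) ;; *) continue ;; esac    # need three fields
        nick=$(printf '%s\n' "${line% *}" | sed 's/[[:space:]]*$//')
        scopes=$(ca_trust_scopes "$flags")
        case $scopes in
            *email*|*objsign*) printf '%s: %s\n' "$nick" "$scopes" ;;
        esac
    done
}

# Constructed sample listing (not output captured from a real server).
SAMPLE_LISTING='Sun                          CTu,Cu,Cu
partner                      CT,CT,CT
Some Server Cert             u,u,u
ssl only ca                  C,,'

# Usage against the real database from this page (assumed paths):
#   /opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -d /opt/SUNWwbsvr/alias \
#       -P https-myserver.mydomain.com-myserver- | broad_ca_trust
```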

4. Restart Web Server
Restart the server using Web Server’s administration console or use the start/stop scripts.

5. Add a Listening Socket
Click Add Listen Socket under the Preference tab in the instance administration console.
Enter 443 for the “Port” field.
Change the Security field to “Enabled”.
Click OK
You should see a pop-up window telling you to apply changes.
Click the Apply link in the upper right corner.
Click Apply Changes.
Type the cert db password into the Module internal field before clicking the “Server On” button.

16 thoughts on “Howto setup SSL on Sun Java System Web Server 6.1 on Solaris”

  1. In case of an existing Verisign cert, how to generate the CSR?
    As the installed cert is expiring.
    Thnx and regds.

  2. Thanks for the update. Few doubts:
    1. If I use the Manage Server > Security > Request a Certificate option and choose Certificate Renewal to generate a csr, will the existing cert still be available? Because the CA takes 3-4 days to email the cert after getting the csr.
    2. After receiving the cert and installing the same, how can I configure the new cert to be used for ssl instead of the old one? Say, the old cert expires on T and the renewal cert is installed on T-5.
    3. How to transfer the new cert to the other webserver (load balanced)?
    Kindly help. Thanks and regards.

  3. Hi BKaushik,

    For your question #1, I am not 100% certain if the existing cert will still be available. I expect that a CSR is not a cert and is a different action/command than installing a cert, so it should not impact your existing cert. Then again, your mileage may vary.

    In your web application, you may already have a reference to the certificate’s name. If so, make sure you either keep the same cert name or update the reference to point to the new cert’s name. This was true for the web app that I worked with, so that’s how I worked with certs.

    The cert will come in plain text for a particular server. So, I assume it isn’t transferable. Since it is in plain text, you can always try to import it into a second machine and see what happens. 😉

    Hope this helps.

  4. Hi, I was wondering if you know how to specify https to https url forwarding in Sun One web server 6.1.

    I know how to set up http to https url forwarding using content management -> URL forwarding but there’s no obvious way to specify https to https.

    Any advice will be appreciated. Thanks

  5. This is really good information specially with SJS 6.1.
    I need to renew SSL certificate in my environment. I got the certificate file as well in txt format.
    Is it ok (enough) to complete the 2.2. Import a Certificate section or do I need to perform any other steps?
    Thanks,
    Ravi.

  6. Hi,

    I need to upgrade Sun One 6.1 to SP17. Does it come with its own SSL? Can you tell me the patch number I need to download for this SP (Solaris sparc 64 bit)? How is the patch added? How is it backed out?

  8. Hi, I try to install a certificate and get this error: “Incorrect Usage: no private key, the server could not find the private key associated with this certificate”
    How can I install a private key? I have the file -----BEGIN RSA PRIVATE KEY-----
