faq_security

Frequently asked questions about security

1. I am interested in the crypto acceleration on Niagara 2 (and Niagara 1). How can Sun Java System Web Server 7.0 make use of this hardware? How do I configure the Solaris Cryptographic Framework? How do I use the built-in hardware accelerators of Niagara 1 (T2000) or Niagara 2 with Web Server 7.0?

Here are some pointers:

2. How do I create self-signed SSL certificates? How do I create a self-signed SSL certificate for testing purposes with Web Server 7.0?

Please refer to Jyri's blog on Self Signed Certificates in Web Server 6.1.

In Web Server 7.0, you can use wadm as given in Self Signed Certificates in Web Server 7.0 using Administration CLI.

3. How do I import SSL certificates from OpenSSL into Web Server 6.1?

You can get this done in two steps. Using OpenSSL, you first need to export the certificate to PKCS#12 format as shown below.

You can then import the PKCS#12 file into Web Server using pk12util. In Web Server 6.1, pk12util is located in the <ws-install-dir>/bin/https/admin/bin/ directory; in Web Server 7.0 it is located in <ws-install-dir>/bin. The command should be:

For example,

For customers using Web Server 7 in a Java Enterprise System 5 (JES5) environment, the Web Server 7 instance root will be /var/opt/SUNWwbsvr7.

4. How do I list the currently configured SSL certificates?

In Web Server 6.1, use certutil located in the <ws-install-dir>/bin/https/admin/bin/ directory. In Web Server 7.0, certutil is located in the <ws-install-dir>/bin/ directory.

For example,

In Web Server 7.0 you can also use wadm.

For example, to list the certificates in the config named test:

5. How do I export currently configured SSL certificates and/or keys from the NSS database?

If you want to export only the certificate, you can use certutil (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html). certutil -L with the -a option returns the certificate in ASCII (PEM) format:

To export the certificate in binary DER encoding:

To export/print the certificate in "pretty print" format (it may contain UTF-8 characters, which are not pure ASCII):

To export keys and certificates from the NSS database into PEM format, first use pk12util to export the keys and certs into a .p12 file (see http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html). In Web Server 6.1, pk12util is located in the <ws-install-dir>/bin/https/admin/bin/ directory; in Web Server 7.0 it is located in <ws-install-dir>/bin.

Then use "openssl pkcs12" to convert the .p12 file to PEM format. More information is at http://www.openssl.org/docs/apps/pkcs12.html.

Some more links from Google on how to convert certificates from one format to another:

6. I am unable to import the certificate into Web Server 6.1; pk12util fails with the error "pk12util: PKCS12 decode validate bags failed: The user pressed cancel."

This unfortunate error message occurs in all NSS releases before 3.12.0 when all the following conditions are true:

1) there is no certificate already in the PKCS#11 crypto device with the same subject name as the subject name of the cert you're trying to import,

2) the PKCS#12 file has no "nickname" (also known as the "friendly name") for one or more of the certs you're trying to import.

NSS requires that every cert imported from a PKCS#12 file have a nickname. If you had generated the key and the PKCS#12 file with a Mozilla browser, the PKCS#12 file would have had a nickname.

The solution is probably to go back to whatever tool you used to generate the PKCS#12 file, and generate another PKCS#12 file with the same key and same certificates, but this time with a nickname. If you did that with Windows' Certificate Export Wizard, you need to go back into the Windows Certificate Manager, assign a friendly name to the certificate, and then re-export it with Windows' Certificate Export Wizard.

See also http://www.mail-archive.com/mozilla-crypto@mozilla.org/msg02672.html
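As an added example (not part of the original FAQ), the following script ties question 3 and question 6 together: it exports an OpenSSL key and certificate to PKCS#12 and, before the file is handed to pk12util, checks that the certificate bag carries a friendlyName, the NSS nickname whose absence produces the "user pressed cancel" error. The subject, nickname and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the FAQ: export an OpenSSL key/cert pair to PKCS#12
# (question 3) and verify that the certificate bag carries a friendlyName, the
# NSS "nickname" whose absence causes the question 6 "user pressed cancel" error.
# Subject, nickname and password below are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS=demo-export-pass

# Throwaway key pair and self-signed certificate (test material only).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Export key + cert to PKCS#12: $1 = output file, $2 = nickname (may be empty).
# OpenSSL stores the -name value as the friendlyName bag attribute; with no
# -name, the bags carry only a localKeyID, which is exactly the question 6 case.
# (On OpenSSL 3, add -legacy if the target NSS is too old for the default
# AES-256/PBES2 encryption.)
export_p12() {
    if [ -n "$2" ]; then
        openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
            -name "$2" -out "$1" -passout "pass:$P12_PASS"
    else
        openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
            -out "$1" -passout "pass:$P12_PASS"
    fi
}

# Return 0 if the certificate bags in $1 carry a friendlyName, 1 otherwise.
# (openssl prints a "Bag Attributes" header above each object it extracts.)
p12_has_nickname() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null |
        grep -q '^ *friendlyName:'
}

make_test_cert
export_p12 "$WORK/with-nick.p12" "Server-Cert"
export_p12 "$WORK/no-nick.p12" ""

for f in "$WORK/with-nick.p12" "$WORK/no-nick.p12"; do
    if p12_has_nickname "$f"; then
        echo "$(basename "$f"): has a nickname, safe for: pk12util -i $f -d <config-dir>"
    else
        echo "$(basename "$f"): no friendlyName, re-export with -name before pk12util -i"
    fi
done
```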

7. Is it possible to provide HTTP and HTTPS from the same server?

Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use the virtual hosts facility to create two virtual servers, both served by the same instance: one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443.

8. Which port does HTTPS use?

You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL. For example, if your server is set up to serve pages over HTTPS on port 8080, you can access them at https://test.sun.com:8080/

9. How do I speak HTTPS manually for testing purposes?

While you usually just use

$ telnet localhost 80
GET / HTTP/1.0

for simple testing of a Web server via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL's s_client command, however, you can do a similar check via HTTPS:

$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0

Before the actual HTTP response you will receive detailed information about the SSL handshake. For a more general command line client which directly understands both HTTP and HTTPS, can perform GET and POST operations, can use a proxy, supports byte ranges, etc., you should have a look at the cURL tool. Using this, you can check that Web Server is responding correctly to requests via HTTP and HTTPS as follows:

$ curl http://localhost/
$ curl https://localhost/

See Jyri's blog Issuing test requests to an SSL-enabled web server.

10. How do I troubleshoot SSL requests?

Observing SSL Requests: http://blogs.sun.com/jyrivirkki/entry/observing_ssl_requests
More on Observing SSL Requests: http://blogs.sun.com/jyrivirkki/entry/more_on_observing_ssl_requests
Using ssldump: http://blogs.sun.com/jyrivirkki/entry/using_ssldump

11. Do you have any information about PKCS#11 and SSL performance, and the PKCS#11 bypass?

PKCS#11 and SSL Performance: http://blogs.sun.com/jyrivirkki/entry/pkcs_11_and_ssl_performance

12. Do you have any information about ECC vs RSA performance with Web Server 7?

Web Server 7 ECC Performance Notes: http://blogs.sun.com/jyrivirkki/entry/web_server_7_ecc_performance
More On Web Server ECC Performance: http://blogs.sun.com/jyrivirkki/entry/more_on_web_server_ecc

13. Do we have FIPS 140 Certification for Web Server 7?

FIPS 140 Certification

14. What are RSA Private Keys, CSRs and Certificates?

An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component, which you distribute (via your Certificate file), that allows people to encrypt those messages to you.

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

See the Overview of an SSL Application chapter for a general description of the SSL protocol.

15. How do I create a real SSL Certificate?

You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Web Server. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it. Commercial CAs usually ask you to post the CSR into a web form, pay for the signing, and then send a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:

See
Requesting a Certificate
Installing a Certificate

16. How can I get rid of the pass-phrase dialog at Web Server startup time?

The reason this dialog pops up at startup and on every restart is that the RSA private key inside your server.key file is stored in encrypted form for security reasons. The pass-phrase is needed to decrypt this file so it can be read and parsed. You can store the PIN in your instance's server.xml:

<pkcs11>
  <token>
    <name>internal</name>
    <pin>...</pin>
  </token>
</pkcs11>

16. How can I migrate a certificate from a JKS keystore to the NSS database?

Use the migrate-jks-keycert CLI command.

17. Why does my web server have a higher load, now that it serves SSL encrypted traffic?

SSL uses strong cryptographic encryption, which requires a lot of number crunching. When you request a web page via HTTPS, everything (even the images) is encrypted before it is transferred, so increased HTTPS traffic leads to increased load.

18. How do I improve SSL performance?

You can offload SSL operations to hardware by configuring a crypto card or the Niagara 2 on-chip accelerator.

19. What SSL Ciphers are supported and enabled in Web Server 7.0?

Admin CLIs:
list-ciphers(1) - lists ciphers
enable-ciphers(1) - enables SSL ciphers

20. Do we support ECC in Web Server 7.0?

Yes. Refer to http://docs.sun.com/app/docs/doc/820-2210/gduwa?l=en&a=view

21. How do I migrate an OpenSSL-based configuration to Web Server 7.0?

Refer to http://wikis.sun.com/display/WebServer/Migration from Apache HTTP Server

22. How do I save/store the SSL passphrase within Web Server 6.1?

If you would like the ability to start your SSL-based Sun Web Server without being prompted for a password at startup, please refer to the Sun documentation linked here, which describes the process involved.

References:

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html

23. What is one-way SSL authentication and how do I configure it within Web Server 7?

One-way SSL authentication, also known as server authentication, enables the application operating as the SSL client (such as Internet Explorer or Firefox) to verify the identity of the SSL-enabled web server. The SSL-enabled web server does not have to authenticate the identity of the SSL client.

When both the SSL client (such as Internet Explorer or Mozilla Firefox) and the server use standard 'root' CA certificates, the SSL-enabled web server does not have to authenticate the identity of the SSL client. However, the SSL client still has to verify the identity of the SSL server. In this case, authentication works something like this:

SSL client                              SSL web server with CA certificate
=====================                   ==================================
initial HELLO request from browser  ->
                                    <-  responds with its root CA certificate
verifies server CA with its
built-in database

To configure one-way SSL authentication, you will need to perform the following steps:

  1. Use the Web Server 7 Administration GUI to create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key, and places the private key in the open keystore. For more information on how to do this, please refer to Requesting Certificates and Installing a Certificate under Certificates and Keys within the Web Server 7 documentation.
  2. Submit the CSR to the certificate authority (CA) using the instructions supplied by the CA. When you submit the CSR, specify that you want the root CA certificate returned with the server certificate.
  3. Configure an HTTP listener to run on port 443 and then SSL-enable this listener. For more information, refer to Enabling Security for HTTP listener within the Web Server 7 documentation.
  4. Start the server instance.
  5. Most common browsers are bundled with the root certificate of the CA in their keystore. If your SSL client is not a browser, you will need to ensure that the application has stored the root certificate of the CA (CA certificate) in its keystore. If it does not contain the CA certificate, add it to the keystore of the SSL client application.
  6. Test the SSL connection. You can also monitor the SSL transaction using a utility like 'ssldump'.

24. What is two-way SSL authentication and how do I configure it within Web Server 7?

In two-way SSL authentication, also known as client authentication, the SSL client (a browser such as Internet Explorer or Firefox) verifies the identity of the SSL-enabled web server and, in turn, the SSL-enabled web server verifies the identity of the SSL client. Here the SSL client presents its certificate to the SSL server after the SSL server has authenticated itself to the SSL client. Two-way SSL authentication or client authentication typically involves using self-signed certificates. For more information on how to configure self-signed certificates, please refer to the link

SSL client                              SSL web server with CA certificate
=====================                   ==================================
initial HELLO request from browser  ->
                                    <-  presents its self-signed certificate
verifies the identity of the
certificate and presents its
corresponding certificate to
the server                          ->
                                    <-  SSL server verifies the authentication
                                        of the client and proceeds with the
                                        SSL transaction

To configure two-way authentication within Web Server 7, you will need to do the following:

  1. Use the Web Server 7 Administration GUI to create a self-signed certificate. This step creates the certificate with an embedded public key and a separate private key, and places the private key in the open keystore. For more information on how to do this, please refer to Creating self signed certificate under Certificates and Keys within the Web Server 7 documentation.
  2. Configure an HTTP listener to run on port 443 and then SSL-enable this listener. For more information, refer to Configuring SSL in the Web Server 7 documentation.
  3. Start the server instance.
  4. Test the SSL connection. You can also monitor the SSL transaction using a utility like 'ssldump'.

25. Do we support the Microsoft Active Directory Server authentication database in Sun Java System Web Server 7.0?

Yes. Refer to Jyri's blog Using Web Server 7 with Microsoft Active Directory: http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
In Web Server 6.1 the attributes and search patterns are hard-coded, which does not provide the necessary flexibility for some customers. In Web Server 7.0 the search expressions and match attributes are configurable. This configurability is generic in nature; customers can use it to tune the LDAP searches as they wish. One use of it is to tune the LDAP auth-db so that it handles user authentication and static group lookups against MSAD (Microsoft Active Directory). The following additional options are supported in Web Server 7.0:

A sample configuration:

A sample configuration targeting MSAD (key difference is value of search-filter):

26. I am unable to see newly added keyfile/digestfile authentication databases, or new users added to the keyfile/digestfile database, in Sun Java System Web Server 7.0.

Your changes will be picked up only after restarting the server.

27. How do I delete a certificate and/or key from NSS database using certutil?

The following steps initialize the NSS database, create a certificate and delete the certificate (but not the key):

This creates a certificate and then deletes the certificate as well as the key:


28. Why is the NSS database password necessary when the server is running in FIPS mode?

From Web Server 7.0 onwards the NSS database password can be blank. But when you are running in FIPS mode, you need to set an NSS database password. It is a FIPS requirement that must be enforced by any FIPS-compliant module when FIPS is enabled.

In FIPS-compliant mode your password must also satisfy the following:

  • The password must be at least 7 characters long.
  • The password must consist of characters from three or more character classes. We define five character classes: digits (0-9), ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters (such as space and punctuation marks), and non-ASCII characters. If an ASCII uppercase letter is the first character of the password, the uppercase letter is not counted toward its character class. Similarly, if a digit is the last character of the password, the digit is not counted toward its character class.
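As an added example (not NSS code and not part of the original FAQ), the following POSIX shell script reimplements the password rules listed above, including the two exceptions for a leading uppercase letter and a trailing digit, so a password can be checked before FIPS mode is enabled. The sample passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the FAQ: a checker for the FIPS-mode NSS password
# rules quoted in question 28. It is not NSS code; it reimplements the stated
# rules: length >= 7, characters from >= 3 of the 5 classes, with a leading
# ASCII uppercase letter and a trailing digit not counted toward their classes.
LC_ALL=C; export LC_ALL   # byte-wise classes, so "non-ASCII" means bytes >= 0x80

# Count how many characters of $1 fall into the tr(1) set $2.
count_in_set() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# Print the number of character classes present in password $1, after
# applying the two exceptions from the policy.
count_classes() {
    pw=$1
    case $pw in [A-Z]*) pw=${pw#?} ;; esac    # leading uppercase letter ignored
    case $pw in *[0-9]) pw=${pw%?} ;; esac    # trailing digit ignored
    n=0
    [ "$(count_in_set "$pw" '0-9')" -gt 0 ] && n=$((n + 1))        # digits
    [ "$(count_in_set "$pw" 'a-z')" -gt 0 ] && n=$((n + 1))        # lowercase
    [ "$(count_in_set "$pw" 'A-Z')" -gt 0 ] && n=$((n + 1))        # uppercase
    [ "$(count_in_set "$pw" '[:punct:] ')" -gt 0 ] && n=$((n + 1)) # punctuation/space
    # non-ASCII: anything left after deleting every byte in 0x00-0x7F
    [ "$(printf '%s' "$pw" | tr -d '\000-\177' | wc -c | tr -d ' ')" -gt 0 ] && n=$((n + 1))
    echo "$n"
}

# Return 0 if $1 satisfies the FIPS password rules, 1 otherwise.
fips_password_ok() {
    [ "${#1}" -ge 7 ] || return 1
    [ "$(count_classes "$1")" -ge 3 ]
}

# Constructed demo passwords. "Password1" looks like three classes but the
# leading P and trailing 1 are discounted, leaving only lowercase letters.
for pw in 'Password1' 'pa55w0rd!' 'Pa55w0rd!' 'aB3!' 'abcdefgh'; do
    if fips_password_ok "$pw"; then verdict=accepted; else verdict=rejected; fi
    echo "$pw: $(count_classes "$pw") class(es) counted, $verdict"
done
```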

If you and your customer are interested in FIPS compliance please review the security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

29. Where are root certificates located? Root certificates are missing in Web Server.

Look for <ws7.0-install-dir>/lib/libnssckbi.so. You can go to the <ws7.0-install-dir>/https-<instance>/config directory and run this modutil command:

See also:
* http://www.mozilla.org/projects/security/pki/nss/intro.html#names
* http://forums.sun.com/thread.jspa?threadID=5045860
* http://forums.sun.com/thread.jspa?threadID=5331383

30. Can we use PEM (base64 encoded) CRLs in Sun Java System Web Server 7.0?

You cannot use a PEM (base64 encoded) CRL directly. You need to convert it into binary DER format first, because the NSS function Sun Java System Web Server uses for importing CRLs (CERT_CacheCRL) expects them in binary DER format. You can use the openssl crl command for the conversion. A PEM-format CRL file has BEGIN and END tags as shown below:

Save the PEM-format (base64 encoded) CRL file as mycrl.PEM. Now convert it into binary DER encoding using the "openssl crl" command and then put it into the <instancename>/config/crl directory.

More information about the "openssl crl" command is at http://www.openssl.org/docs/apps/crl.html

31. What happens if a role-name (in web.xml and sun-web.xml) is an LDAP group in Sun Java System Web Server 7.0?

In SJS Web Server 7.0, if you have a role-name called ldap-def and the same name exists as a group in LDAP (ldap-def), then all the users in this LDAP group are allowed to access the defined resources, independently of the security constraints you have defined.

There is a long-standing convention that if the group and role names are the same, the role mapping element can be omitted as a shortcut.

There is an undocumented property which can be used to disable this convention and which might still work (it is undocumented, therefore of course unsupported and never tested), called com.sun.enterprise.security.acl.roleIsNotAGroup.
It was tested in a lab environment and it works once you add the following JVM option:
<jvm-options>-Dcom.sun.enterprise.security.acl.roleIsNotAGroup</jvm-options>

Then users from the LDAP group (ldap-def) can NOT access the resources.


32. All about certutil and trust flags we need to know: notes from Nelson Bolyard's brown bag

http://blogs.sun.com/meena/entry/notes_about_trust_flags


33. I am having trouble with certificate renewal in SJS Web Server 7.0.

Make sure you are using SJS Web Server 7.0 update 6 or above. Please look at the new certificate and the old one. Examine

  • the subject names
  • the issuer names
  • the serial numbers and
  • the Subject Public Keys in both of the certificates.

Also check who the issuer of the new certificate is. Is it a professional CA, or did this client play CA and do it themselves with (say) OpenSSL?

If the old certificate and the new certificate have the same serial number, you have NO CHOICE but to get a new certificate with a unique serial number.

NSS keeps certificates in the cert DB, unencrypted, and private keys in the key DB, encrypted. When you generate a CSR, typically a new private key is generated and put into the key DB. If the key DB is removed, that key is lost forever.

When you get the certificate back from the CA, if you install it into the cert DB that is paired with the key DB where the private key lives, then NSS will show "u,u,u", meaning that it found the private key. If you install the certificate in a cert DB that is not paired with the key DB where the private key lives, then you will NOT get the "u,u,u" and the UI tool will complain that the private key is missing.

The index for each of the private keys stored in the key DB is the corresponding public key. When NSS gets a certificate, it takes the public key from the certificate and looks it up in the private key DB. If it finds a matching record with that public key in the private key DB, then it shows the u,u,u; otherwise it doesn't.
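As an added example (not part of the original FAQ), the following script performs the comparison described above with openssl x509: it compares subject, issuer, serial number and Subject Public Key of the old and new certificates, flags a renewal that reuses the old serial number, and reports whether the new certificate pairs with the key already in the key DB. The certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the FAQ: the question 33 renewal checks as a script.
# It compares subject, issuer, serial number and Subject Public Key of the old
# and the new certificate, and flags a renewal that reuses the old serial.
# The certificates below are constructed for the demo (one key, self-signed).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print one field of a PEM certificate: subject, issuer, serial, or a SHA-256
# of the Subject Public Key Info (enough to tell "same key" from "new key").
cert_field() {
    case $2 in
        subject) openssl x509 -in "$1" -noout -subject ;;
        issuer)  openssl x509 -in "$1" -noout -issuer ;;
        serial)  openssl x509 -in "$1" -noout -serial ;;
        spki)    openssl x509 -in "$1" -noout -pubkey | openssl sha256 ;;
    esac
}

# Compare old ($1) with new ($2). Prints one line per field; returns 1 if the
# new certificate must be re-issued (serial number reused), 0 otherwise.
renewal_check() {
    status=0
    for field in subject issuer serial spki; do
        old=$(cert_field "$1" "$field")
        new=$(cert_field "$2" "$field")
        if [ "$old" = "$new" ]; then
            echo "$field: same"
            if [ "$field" = serial ]; then
                echo "  serial reused: NO CHOICE but to get a certificate with a unique serial"
                status=1
            elif [ "$field" = spki ]; then
                echo "  same public key: pairs with the key already in the key DB (expect u,u,u)"
            fi
        else
            echo "$field: differs"
        fi
    done
    return $status
}

# Constructed demo material: one key, an "old" cert and two candidate renewals.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
mk_cert() {   # $1 = output file, $2 = serial number
    openssl req -x509 -new -key "$WORK/server.key" -days 1 -set_serial "$2" \
        -subj "/CN=www.example.test" -out "$1" 2>/dev/null
}
mk_cert "$WORK/old.crt" 1000
mk_cert "$WORK/bad-renewal.crt" 1000    # issuer reused the serial number
mk_cert "$WORK/good-renewal.crt" 1001   # new serial, same key

echo "--- old vs bad renewal";  renewal_check "$WORK/old.crt" "$WORK/bad-renewal.crt"
echo "--- old vs good renewal"; renewal_check "$WORK/old.crt" "$WORK/good-renewal.crt"
```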

  1. Jul 10, 2008

    For compatibility issues, you can export certificates into .der format.

    /sun/webserver7/bin/certutil -L -n nickname -d /sun/webserver7/https-mywebinstance/config -r > /save_path/certname.der
