The USENIX Special Interest Group for Sysadmins

Netscape Web Server SSL Configuration

Basic SSL Overview

SSL (Secure Sockets Layer) provides privacy and reliability by encrypting the link between two SSL-enabled applications. The server in an SSL link determines the encryption strength and the cryptographic algorithms used in setting up the SSL link.

SSL is based on a combination of public (asymmetric) and private (symmetric) key cryptography. During the SSL handshake, the server's public key is used to establish a symmetric session key, and that session key is then used to encrypt the session data. This combination gives the performance of symmetric encryption while keeping the ease of key distribution that public key cryptography provides. The SSL handshake is the first step in setting up an SSL link, so the link is encrypted before any application data is transmitted.

SSL uses digital certificates as a means to authenticate servers (and, optionally, clients). A digital certificate binds information about a server or a person to a public key. The digital certificates used must be issued by a certificate authority (CA). The CA is responsible for verifying the identity and key ownership of an individual or server before issuing a certificate. Both the client and the server must trust the CA that issues the other's certificate.

To use SSL you must have access to a certificate authority (CA). Several commercial vendors offer certificate issuing services. As an alternative, you can set up your own CA, but you will need a certificate server.


Generate a Public/Private Key Pair

From a command line on the Enterprise Server, issue the following commands:

# cd /Server-Root/bin/admin/admin/bin
# ./sec-key

Enter the appropriate information or take appropriate action when prompted:

Alias: Accept the server name.
Password: This password will have to be entered each time you start the SSL-enabled server.

Once the key pair has been generated, you must change the ownership of the key pair file to that of the unprivileged user that the Enterprise Server runs as:

# chown httpd /opt/ns-home/alias/servername-key.db
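The chown above is the page's only requirement on the key-pair file. As an added check (example code, not part of the page or of sec-key), the following verifies that the file is owned by the unprivileged server user and also that it is not readable by group or others; the user name httpd and the file name servername-key.db are taken from the page's example, and demo() runs the check on a placeholder file in a temporary directory rather than on a real key database.

```python
"""Verify ownership and mode of the key-pair database after the chown step.

Added example (not part of the page or of sec-key).  key_file_check()
confirms the file is owned by the unprivileged server user, as the chown
step requires, and adds one check the page does not spell out: the file
must not be accessible to group or others.  demo() exercises it on a
placeholder file in a temporary directory.
"""
import os
import pwd
import stat
import tempfile


def _user_name(uid):
    """Map a uid to a name, falling back to the number if no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def key_file_check(path, server_user):
    """Return a list of problems; an empty list means the file is acceptable."""
    st = os.stat(path)
    problems = []
    owner = _user_name(st.st_uid)
    if owner != server_user:
        problems.append(f"owned by {owner}, expected {server_user}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(st.st_mode)} grants "
                        "group/others access to the key database")
    return problems


def demo():
    """Check a constructed placeholder file before and after tightening its mode."""
    me = _user_name(os.getuid())
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "servername-key.db")
        with open(path, "wb") as f:
            f.write(b"placeholder, not a real key database")
        os.chmod(path, 0o644)          # a typical default: world-readable
        before = key_file_check(path, me)
        os.chmod(path, 0o600)          # owner-only
        after = key_file_check(path, me)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "ok")
    print("after:", after or "ok")
```

Run the check as root against the real file path after the chown, passing the user the server actually runs as; if it reports a mode problem, a chmod 600 on the key database fixes it.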

Request a Server Certificate

A server certificate for the Enterprise Server can be requested via the Admin server interface. From the browser, go to http://servername:<admin port number>/, using the admin port defined during the server installation.

Under the General Administration heading, select Keys & Certificates and complete the steps outlined below. Note: Those items marked with an asterisk (*) are required fields.

Main Menu (along the top): Keys & Certificates
Subheading (within left frame): Request Certificate
Prompts (within right frame) and the response to each:

*New or Renewal: Select New Certificate.
*Submit to Certificate Authority via: Select CA URL, then enter the URL of the CA in the form https://<servername>[:<port number>]/.

*Key Pair File Password: Enter the password you assigned during the key-pair-generation steps.
*Requestor: Enter your full name.
*Telephone Number: Enter it.
*Common Name: This is the name of your server as you want it to appear in your certificate.
*Email address: Email is not expected to be enabled on the server itself; this address serves as an out-of-band channel between the CA administrator and yourself.
*Organization: This is the top-level organization designation for your server.
Organizational Unit: This is the lower-level organization designation for your server.
Locality: This is not a required field.
State or Province: This is not a required field.
*Country: US

Once the form is completed, select the OK button at the bottom of the form. You are then presented with a preview form of the certificate request. This form contains a field for any requestor comments, in which you may enter any additional information you feel may be pertinent to the request. To submit the request, select the OK button at the bottom of this form.


Install the Server Certificate

The server certificate is installed via the Enterprise Server Admin interface. It is extracted from a text file, either mailed to you or saved from a browser view of the certificate server.

From the browser, go to http://servername:<admin port number>/, using the admin port defined during the server installation.

Under the General Administration heading, select Keys & Certificates and complete the steps outlined below.

Main Menu (along the top): Keys & Certificates
Subheading (within left frame): Install Certificate
Prompts (within right frame) and the response to each:

Certificate for: Select This Server.
Certificate Name: Leave blank.
Message Text with Headers: Select it, then copy the portion of the certificate text or mail file shown here (the markers are the standard PEM delimiters, five dashes on each side):

-----BEGIN CERTIFICATE-----
kdjfkljdgjskldjfglksjdfjgl
jfdglkdfdhfhaskdfkahskdka
............
-----END CERTIFICATE-----

Paste this information into the field.

Your server certificate will then be presented to you. Select the Add Certificate button.


Install the CA Certificate

The CA certificate is also installed via the Enterprise Server Admin interface. It is extracted from a text file, either mailed to you or saved from a browser view of the certificate server.

From the browser, go to http://servername:<admin port number>/, using the admin port defined during the server installation.

Under the General Administration heading, select Keys & Certificates and complete the steps outlined below.

Main Menu (along the top): Keys & Certificates
Subheading (within left frame): Install Certificate
Prompts (within right frame) and the response to each:

Certificate for: Select Trusted Certificate Authority (CA).
Certificate Name: Enter a name by which you wish to identify the CA.
Message Text with Headers: Select it, then copy the portion of the certificate text or mail file shown here (the markers are the standard PEM delimiters, five dashes on each side):

-----BEGIN CERTIFICATE-----
kdjfkljdgjskldjfglksjdfjgl
jfdglkdfdhfhaskdfkahskdka
............
-----END CERTIFICATE-----

Paste this information into the field.

The CA certificate will then be presented to you. Select the Add Certificate button.
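Both the server certificate and the CA certificate arrive as text (a mail message or a saved browser page) from which the administrator copies the block between the BEGIN and END markers. The following added example, which is not part of the page or of the Netscape server, does that step mechanically so a truncated or corrupted paste is caught before the Add Certificate button is pressed: it finds each PEM certificate block in the pasted text, ignores the mail headers and signature around it, checks that the block is complete and its body is valid base64, and returns the decoded bytes. The sample mail and its payload are constructed here; the payload is filler, not a real certificate.

```python
"""Pull the certificate out of a pasted mail message before installing it.

Added example (not part of the original page or of the Netscape server).
The sample mail below is constructed; its base64 payload is filler, not a
real DER certificate, so the example runs offline.
"""
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_pem_certificates(text):
    """Return the DER bytes of each complete PEM certificate block in text.

    Mail headers, greetings and signatures around the block are ignored.
    A BEGIN without END (a truncated paste), a body line that is not
    base64, or an undecodable body raises ValueError rather than
    returning a mangled certificate.
    """
    certs = []
    body = None  # None outside a block; list of base64 lines inside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # tolerate CRLF and mail-client indentation
        if line == PEM_BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == PEM_END:
            if body is None:
                raise ValueError(f"line {lineno}: END without a BEGIN")
            certs.append(_decode_body(body))
            body = None
        elif body is not None:
            if not BASE64_LINE.fullmatch(line):
                raise ValueError(f"line {lineno}: not a base64 line: {line!r}")
            body.append(line)
    if body is not None:
        raise ValueError("BEGIN without END: the pasted text is truncated")
    if not certs:
        raise ValueError("no certificate block found in the pasted text")
    return certs


def _decode_body(lines):
    """Decode the concatenated base64 body strictly (no stray characters)."""
    try:
        return base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from None


def check_paste(text):
    """(ok, message) summary suitable for showing the administrator."""
    try:
        certs = extract_pem_certificates(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(certs)} certificate(s), {sum(map(len, certs))} DER bytes"


# Constructed sample: the kind of mail a CA administrator sends back.
FAKE_DER = bytes(range(120))  # placeholder payload, not a real certificate
_b64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_MAIL = "\n".join([
    "From: ca-admin@example.test",
    "To: webmaster@example.test",
    "Subject: Your server certificate",
    "",
    "Here is the certificate you requested.",
    "",
    PEM_BEGIN,
    *(_b64[i:i + 64] for i in range(0, len(_b64), 64)),  # 64-char PEM lines
    PEM_END,
    "",
    "-- ",
    "CA administrator",
])

if __name__ == "__main__":
    print(check_paste(SAMPLE_MAIL))
    print(check_paste(SAMPLE_MAIL[:SAMPLE_MAIL.index(PEM_END)]))
```

The strict base64 check matters because a mail client that wraps or indents lines, or a copy that misses the last line, produces text the Admin interface may accept but the server cannot load; refusing the paste up front is cheaper than debugging a server that will not start.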


Configure Your Server to Use SSL

Once the server and CA certificates have been installed, SSL must be enabled for the server.

From the browser, go to http://servername:<admin port number>/, using the admin port defined during the server installation.

Select the button associated with your Web server and complete the steps outlined below.

Main Menu (along the top): Server Preferences
Subheading (within left frame): Encryption On/Off
Prompts (within right frame) and the response to each:

Encryption: Select On.
Port Number: Verify that the port identified is the one you defined during installation. Then select OK.

Subheading (within left frame): Encryption Preferences
Prompts (within right frame) and the response to each:

Allow: Only allow SSL 3.

With SSL version 2 deselected, the values in the SSL 2.0 Ciphers section further down the form can be ignored.

Require client certificates...: Select Yes.
SSL 3.0 Ciphers: Enable only
    RC4 w/ 128 bit encryption
    Triple DES w/ 168 bit encryption
    DES w/ 56 bit encryption
Stronger Ciphers: Select Require 128 bit secret key size for access.
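The Encryption Preferences form combines three settings (allowed protocol versions, enabled SSL 3.0 ciphers, and the Stronger Ciphers key-size requirement) whose interaction is easy to misread. The following added example, which is not the server's code, models the form as filled in above and works out which ciphers a client can actually negotiate once the 128-bit requirement is applied, then lists the findings an auditor would raise. The form dictionaries are constructed here; the cipher names and key sizes are the ones shown on the form.

```python
"""Check a saved Encryption Preferences form against its own key-size rule.

Added example (not the server's code).  The form dictionaries are
constructed; cipher names and key sizes are those shown on the form.
"""

# SSL 3.0 ciphers as labelled on the form, with their secret key sizes.
SSL3_CIPHER_KEY_BITS = {
    "RC4 w/ 128 bit encryption": 128,
    "Triple DES w/ 168 bit encryption": 168,
    "DES w/ 56 bit encryption": 56,
}

# Constructed: the settings this page tells the administrator to choose.
RECOMMENDED_FORM = {
    "encryption_on": True,
    "allow_ssl2": False,
    "allow_ssl3": True,
    "require_client_certs": True,
    "ssl3_ciphers": list(SSL3_CIPHER_KEY_BITS),   # all three enabled
    "min_secret_key_bits": 128,                    # Stronger Ciphers setting
}

# Constructed: a weaker form for comparison.
WEAK_FORM = {
    **RECOMMENDED_FORM,
    "allow_ssl2": True,
    "require_client_certs": False,
    "min_secret_key_bits": 40,
}


def effective_ciphers(form):
    """Ciphers a client can negotiate: enabled AND meeting the key-size rule."""
    return [name for name in form["ssl3_ciphers"]
            if SSL3_CIPHER_KEY_BITS[name] >= form["min_secret_key_bits"]]


def audit_form(form):
    """Return human-readable findings for one saved form."""
    findings = []
    minimum = form["min_secret_key_bits"]
    if not form["encryption_on"]:
        findings.append("Encryption is Off: the server only speaks cleartext.")
    if form["allow_ssl2"]:
        findings.append("SSL 2.0 is allowed, so the SSL 2.0 Ciphers section "
                        "is in effect and must be reviewed too.")
    if not form["require_client_certs"]:
        findings.append("Client certificates are not required.")
    for name in form["ssl3_ciphers"]:
        bits = SSL3_CIPHER_KEY_BITS[name]
        if bits < minimum:
            findings.append(f"{name} is enabled but {bits} < {minimum} bits: "
                            "a client offering it is refused access, so "
                            "enabling it only adds a dead setting.")
    if form["allow_ssl3"] and not effective_ciphers(form):
        findings.append("No enabled SSL 3.0 cipher meets the key-size rule: "
                        "every SSL handshake will fail.")
    return findings


if __name__ == "__main__":
    for label, form in ("recommended", RECOMMENDED_FORM), ("weak", WEAK_FORM):
        print(label, "->", effective_ciphers(form))
        for finding in audit_form(form):
            print("  -", finding)
```

For the form as filled in above, the only finding is that the 56-bit DES cipher is enabled yet can never be used under the 128-bit requirement; the check exists to catch the reverse mistake, a key-size requirement that no enabled cipher satisfies, which leaves the server unable to complete any handshake. Every protocol and cipher this form offers (SSL 2.0, SSL 3.0, RC4, DES and Triple DES) has since been deprecated, so the model reflects the form's own policy, not current guidance.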

Once encryption is enabled, the Web server must be started manually from the command line in order to supply the key-pair password.

To enable encryption on the Admin server, perform the steps outlined above. Go to Admin Preferences under General Administration from the Admin server main page.