Administering the Caching of Web Pages (Tasks)
The following sections cover the procedures to enable or disable parts of the
service.
How to Enable Caching of Web Pages
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Register the interfaces.
Type the names of each of the physical interfaces in the /etc/nca/nca.if file.
See the nca.if(4) man page for more information.
# cat /etc/nca/nca.if
hme0
hme1
Each interface must have an accompanying hostname.interface-name file and an entry in
/etc/hosts file for the contents of hostname.interface-name. To start the NCA feature on
all interfaces, place an asterisk, *, in the nca.if file.
- Enable the ncakmod kernel module.
Change the status entry in /etc/nca/ncakmod.conf to enabled.
# cat /etc/nca/ncakmod.conf
#
# NCA Kernel Module Configuration File
#
status=enabled
httpd_door_path=/var/run/nca_httpd_1.door
nca_active=disabled
See the ncakmod.conf(4) man page for more information.
- (Optional) Enable NCA logging.
Change the status entry in /etc/nca/ncalogd.conf to enabled.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/var/nca/log"
logd_file_size=1000000
You can change the location of the log file by changing the path
that is indicated by the logd_path_name entry. The log file can be a
raw device or a file. See the following examples for samples of NCA
log file paths. See the ncalogd.conf(4) man page for more information about the
configuration file.
- (Optional) Define ports for multiple instance support.
Add the port numbers in the /etc/nca/ncaport.conf file. This entry causes NCA to monitor
port 80 on all configured IP addresses.
# cat /etc/nca/ncaport.conf
#
# NCA Kernel Module Port Configuration File
#
.
.
ncaport=*/80
- For x86 only: Increase the virtual memory size.
Use the eeprom command to set the kernelbase of the system.
# eeprom kernelbase=0x90000000
# eeprom kernelbase
kernelbase=0x90000000
The second command verifies that the parameter has been set.
Note - By setting the kernelbase, you reduce the amount of virtual memory that user
processes can use to less than 3 Gbytes. This restriction means that the
system is not ABI compliant. When the system boots, the console displays a
message that warns you about noncompliance. Most programs do not actually need the full
3–Gbyte virtual address space. If you have a program that needs more than
3 Gbytes, you need to run the program on a system that does
not have NCA enabled.
- Reboot the server.
Example 2-1 Using a Raw Device as the NCA Log File
The logd_path_name string in ncalogd.conf can define a raw device as the
place to store the NCA log file. The advantage to using a raw
device is that the service can run faster because the overhead in accessing
a raw device is less.
The NCA service tests any raw device that is listed in the file
to ensure that no file system is in place. This test ensures that
no active file systems are accidentally written over.
To prevent this test from finding a file system, run the following command.
This command destroys part of the file system on any disk partition that
had been configured as a file system. In this example, /dev/rdsk/c0t0d0s7 is
the raw device that has an old file system in place.
# dd if=/dev/zero of=/dev/rdsk/c0t0d0s7 bs=1024 count=1
After running dd, you can then add the raw device to the ncalogd.conf
file.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/dev/rdsk/c0t0d0s7"
logd_file_size=1000000
Example 2-2 Using Multiple Files for NCA Logging
The logd_path_name string in ncalogd.conf can define multiple targets as the place
to store the NCA log file. The second file is used when the
first file is full. The following example shows how to select to write
to the /var/nca/log file first and then use a raw partition.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/var/nca/log /dev/rdsk/c0t0d0s7"
logd_file_size=1000000
How to Disable Caching of Web Pages
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Disable the ncakmod kernel module.
Change the status entry in /etc/nca/ncakmod.conf to disabled.
# cat /etc/nca/ncakmod.conf
# NCA Kernel Module Configuration File
#
status=disabled
httpd_door_path=/var/run/nca_httpd_1.door
nca_active=disabled
See the ncakmod.conf(4) man page for more information.
- Disable NCA logging.
Change the status entry in /etc/nca/ncalogd.conf to disabled.
# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=disabled
logd_path_name="/var/nca/log"
logd_file_size=1000000
See the ncalogd.conf(4) man page for more information.
- Reboot the server.
How to Enable or Disable NCA Logging
NCA logging can be turned on or turned off, as needed, after NCA
has been enabled. See How to Enable Caching of Web Pages for more information.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Change NCA logging.
To permanently disable logging, you need to change the status in /etc/nca/ncalogd.conf to
disabled and reboot the system. See the ncalogd.conf(4) man page for more information.
- Stop logging.
# /etc/init.d/ncalogd stop
- Start logging.
# /etc/init.d/ncalogd start
How to Load the Socket Utility Library for NCA
Follow this process only if your web server does not provide native support
of the AF_NCA socket.
In the startup script for the web server, add a line that causes
the library to be preloaded. The line should resemble the following:
LD_PRELOAD=/usr/lib/ncad_addr.so /usr/bin/httpd
How to Add a New Port to the NCA Service
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Add a new port.
Add a new port entry to /etc/nca/ncaport.conf. This example adds port 8888 on IP
address 192.168.84.71. See ncaport.conf(4) for more information.
# cat /etc/nca/ncaport.conf
#
# NCA Kernel Module Port Configuration File
#
.
.
ncaport=*/80
ncaport=192.168.84.71/8888
- Start a new web instance.
An address needs to be in the file that contains the NCA port
configurations before a web server can use the address for NCA. If the
web server is running, it must be restarted after the new address is
defined.
How to Configure an Apache 2.0 Web Server to Use the SSL Kernel Proxy
This procedure should be used to improve the performance of SSL packet process
on an Apache 2.0 web server.
Before You Begin
The following procedure requires that an Apache 2.0 web server has been installed
and configured. The Apache 2.0 web server is included in the Solaris 10
release.
To use the SSL kernel proxy, the server private key and the server
certificate need to exist in a single file. If only the SSLCertificateFile
parameter is specified in the ssl.conf file, then the specified file can
be used directly for kernel SSL. If the SSLCertificateKeyFile parameter is also specified, then
the certificate file and the private key file need to be combined. One
way to combine the certificate and the key file is to run the
following command:
# cat cert.pem key.pem >cert-and-key.pem
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration The ksslcfg
command is included in the Network Security profile.
- Stop the web server.
This command will stop the web server on a system in which the
server is configured to run using SMF.
# svcadm disable svc:/network/http:apache2
If the service has not be converted yet, stop the service with this
command syntax: /usr/apache2/bin/apachectl stop
- Determine what parameters to use with the ksslcfg command.
All of the options are listed in the ksslcfg(1M) man page. The
parameters that you must have information for are:
key-format – Used with the -f option to define the certificate and key format. For the SSL kernel proxy the value should be either pem or pkcs12.
key-and-certificate-file – Used with the -i option to set the location of the file that stores to server key and the certificate.
password-file – Used with the -p option to select the location of the file that includes the password used to encrypt the private key. This password is used to allow unattended reboots. The permissions on the file should be 0400.
proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80.
ssl-port – Selects the port of the server application. Normally this is set to 443.
Note - The ssl-port and the proxy-port values can not be configured for NCA
since these ports are used exclusively by the SSL kernel proxy. Usually, port
80 is used for NCA, port 8080 for the proxy-port and 443 for the
ssl-port
- Create the service instance.
The ksslcfg command to specify the SSL proxy port and associated parameters.
ksslcfg create -f key-format -i key-and-certificate-file -p password-file -x proxy-port ssl-port
- Verify that the instance was created properly.
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
- Configure the web server to listen on the SSL proxy port.
Edit the /etc/apache2/http.conf file and add a line to define the SSL proxy
port. If you use the servers IP address, then the web server will
only listen on that interface. The line should look like:
Listen 0.0.0.0:proxy-port
- Set an SMF dependency for the web server.
The web server should only be started after the SSL kernel proxy instance. The
following commands establish that dependency.
# svccfg -s svc:/network/http:apache2
svc:/network/http:apache2> addpg kssl dependency
svc:/network/http:apache2> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
svc:/network/http:apache2> setprop kssl/grouping = astring: require_all
svc:/network/http:apache2> setprop kssl/restart_on = astring: refresh
svc:/network/http:apache2> setprop kssl/type = astring: service
svc:/network/http:apache2> end
- Enable the web server.
# svcadm enable svc:/network/http:apache2
If the service is not started using SMF, use the following command: /usr/apache2/bin/apachectl startssl
Example 2-3 Configuring an Apache 2.0 Web Server to Use the SSL Kernel Proxy
The following command creates an instance using the pem key format.
# ksslcfg create -f pem -i cert-and-key.pem -p file -x 8080 443
How to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy
This procedure should be used to improve the performance of SSL packet process
on a Sun Java System Web Server. See the Sun Java System Web Server 6.1 SP4 Administrator’s Guide for information about
this web server.
Before You Begin
The following procedure requires that a Sun Java System Web Server has been
installed and configured.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration The ksslcfg
command is included in the Network Security profile.
- Stop the web server.
Use the administrator web interface to stop the server. See Starting and Stopping the Server in the
Sun Java System Web Server 6.1 SP4 Administrator’s Guidefor more information.
- Determine what parameters to use with the ksslcfg command.
All of the options are listed in the ksslcfg(1M) man page. The
parameters that you must have information for are:
key-format – Used with the -f option to define the certificate and key format.
token-label – Used with the -T option to specify the PKCS#11 token.
certificate-label – Used with the -C option to select the label in the certificate object in the PKCS#11 token
password-file – Used with the -p option to select the location of the file that includes the password used to login the user to the PKCS#11 token used by the web server.. This password is used to allow unattended reboots. The permissions on the file should be 0400.
proxy-port– Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80.
ssl-port – Defines the port of the server application. This value is set in the server.xml file. Normally this value is set to 443.
Note - The ssl-port and the proxy-port values can not be configured for NCA
since these ports are used exclusively by the SSL kernel proxy. Usually, port
80 is used for NCA, port 8080 for the proxy-port and 443 for the
ssl-port
- Create the service instance.
The ksslcfg command to specify the SSL proxy port and associated parameters.
ksslcfg create -f key-format -T PKCS#11-token -C certificate-label -p password-file -x proxy-port ssl-port
- Verify that the instance was created properly.
The service state reported by the following command should be “online”.
# svcs svc:/network/ssl/proxy
- Configure the web server to listen on the SSL proxy port.
See Adding and Editing Listen Sockets in the Sun Java System Web Server 6.1 SP4 Administrator’s Guide for more information.
- Start the web server.
Example 2-4 Configuring a Sun Java System Web Server to Use the SSL Kernel Proxy
The following command creates an instance using the pkcs11 key format.
# ksslcfg create -f pkcs11 -T "NSS Internal PKCS #11 Module" -C "Server-Cert" -p file -x 8080 443
Using the SSL Kernel Proxy in Zones
The SSL Kernel Proxy works in zones with the following limitations:
All of the kernel SSL administration must be done from the global zone. The global zone administrator needs access to the local zone certificate and key files. The local zone web server can be started once the service instance is configured using the ksslcfg command in the global zone.
A specific host name or IP address must be specified when running the ksslcfg command to configure the instance. In particular, the instance can not use INADDR_ANY.
Example 2-5 Configuring an Apache Web Server in a Local Zone to Use the SSL Kernel Proxy
In the local zone, first stop the web server. In the global zone
do all of the steps to configure the service. To create a
instance for a local zone called apache-zone, use the following command:
# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem -p /zone/apache-zone/root/pass \ -x 8080 apache-zone 443
In the local zone, run the following command to enable the service instance:
# svcadm enable svc:/network/http:apache2