SSL Configuration for FIPS COMPAT and MIGRATE Modes

The procedure for enabling SSL on the SPS varies slightly depending on the FIPS mode. For a new installation with FIPS in COMPAT or MIGRATE mode, configure SSL using the following steps. A new installation in FIPS ONLY mode, or a migration to it, requires additional steps.

To configure SSL in FIPS COMPAT or FIPS MIGRATE mode

  1. Generate a private RSA key (also referred to as the server key):
    openssl genrsa -des3 -out server.key
    
  2. Remove the encryption from the private key. First, make a copy of the encrypted key as a backup, for example:
    copy server.key server.key.org
    
  3. Enter this command to remove the encryption:
    openssl rsa -in server.key.org -out server.key
    
  4. Generate a Certificate Signing Request (CSR):
    openssl req -config openssl.cnf -new -key server.key -out server.csr
    
  5. Have the certificate signed by a Certificate Authority (CA).
  6. Install the signed certificate.
  7. Verify that the directives in the httpd-ssl.conf file point to the correct paths of the server key and certificates.
  8. Enable SSL on the SPS:

    On UNIX:

    sps_home/secure-proxy/proxy-engine/sps-ctl startssl
    

    On Windows:

    sps_home\httpd\bin\configssl.bat -enable
    
  9. Restart the Secure Proxy Service.

    The SPS is configured for SSL.

To run without SSL at a later time, enter this command:

sps_home\httpd\bin\configssl.bat -disable
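
The following UNIX shell pre-flight check for step 7 is an added example, not part of the vendor documentation. It reads the key and certificate paths from `httpd-ssl.conf`, confirms that the key no longer carries a passphrase (step 3), and flags a decrypted key that group or other users can read. It assumes the file uses the standard mod_ssl directives `SSLCertificateFile` and `SSLCertificateKeyFile`; the function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for steps 3 and 7.
# Assumes httpd-ssl.conf names the files with the standard mod_ssl directives
# SSLCertificateFile / SSLCertificateKeyFile and that paths contain no spaces.

# Print the path given to an active (not commented-out) directive.
conf_path() {  # $1 = directive, $2 = config file
    awk -v d="$1" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$2"
}

check_ssl_conf() {  # $1 = path to httpd-ssl.conf; returns 0 if all checks pass
    rc=0
    cert=$(conf_path SSLCertificateFile "$1")
    key=$(conf_path SSLCertificateKeyFile "$1")
    if [ -z "$cert" ] || [ ! -s "$cert" ]; then
        echo "FAIL: certificate not found: ${cert:-directive missing}"; rc=1
    fi
    if [ -z "$key" ] || [ ! -s "$key" ]; then
        echo "FAIL: server key not found: ${key:-directive missing}"; return 1
    fi
    # A key that still has its passphrase carries one of these PEM headers.
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key"; then
        echo "FAIL: $key is still passphrase-protected"; rc=1
    fi
    # After step 3 the key is plaintext on disk: allow owner access only.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        ?00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are ready for startssl"
    return "$rc"
}

# Constructed sample: placeholder PEM files in a temp dir, key left world-readable.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    chmod 644 "$d/server.key"
    printf 'SSLCertificateFile "%s"\nSSLCertificateKeyFile "%s"\n' "$d/server.crt" "$d/server.key" > "$d/httpd-ssl.conf"
    check_ssl_conf "$d/httpd-ssl.conf"; status=$?
    rm -rf "$d"
    return "$status"
}

# With an argument, check that config; without one, run the constructed demo.
if [ $# -gt 0 ]; then check_ssl_conf "$1"; else demo || true; fi
```

The check inspects only file headers and permissions; it does not confirm that the key and the installed certificate belong together.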