
SSL Configuration for FIPS COMPAT and FIPS MIGRATE Modes

When you install SPS with FIPS in COMPAT or MIGRATE mode, configure SSL for that FIPS mode. You can protect the server key with the default passphrase handling (the key is stored unencrypted and no passphrase is needed at startup) or with a customized passphrase (the key stays encrypted and SPS supplies the passphrase from an encrypted properties file).

To use the default passphrase, perform the following steps:

  1. Generate a server key.

    Example:

    openssl genrsa -des3 -out server.key 2048
    
    Specify the key size explicitly; OpenSSL releases before 1.1.0 default to 1024 bits.
  2. Back up the encrypted key as server.key.org, the file name the next step reads from.
  3. Execute the following command to write an unencrypted copy of the server key over server.key:
    openssl rsa -in server.key.org -out server.key
    
    Note: From this point the private key is protected only by file permissions. Make server.key readable by the account that runs the Secure Proxy Service only, and keep the encrypted backup.
  4. Execute the following command to generate a Certificate Signing Request (CSR):
    openssl req -config openssl.cnf -new -key server.key -out server.csr
    
  5. Have the CSR signed by a Certificate Authority (CA).
  6. Install the signed certificate.
  7. Verify that the SSLCertificateFile and SSLCertificateKeyFile directives in httpd-ssl.conf point to the installed certificate and to the server key.
  8. Enable SSL on SPS:

    On UNIX:

    sps_home/secure-proxy/proxy-engine/sps-ctl startssl
    

    On Windows:

    sps_home\httpd\bin\configssl.bat -enable
    
  9. Restart the Secure Proxy Service.

    SSL is enabled and configured.

To use a customized passphrase, perform the following steps:

  1. Generate a server key.

    Example:

    openssl genrsa -des3 -out server.key 2048
    
    Specify the key size explicitly; OpenSSL releases before 1.1.0 default to 1024 bits. Remember the passphrase you enter: SPS must be given the same value in step 9.
  2. Execute the following command to generate a Certificate Signing Request (CSR). You are prompted for the key passphrase, because in this flow the key stays encrypted:
    openssl req -config openssl.cnf -new -key server.key -out server.csr
    
  3. Have the CSR signed by a Certificate Authority (CA).
  4. Install the signed certificate.
  5. Verify that the SSLCertificateFile and SSLCertificateKeyFile directives in httpd-ssl.conf point to the installed certificate and to the server key.
  6. In httpd-ssl.conf, set the value of SSLPassPhraseDialog to custom.
  7. Uncomment the following line in httpd-ssl.conf:
    SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
    
  8. Change the value of SSLCustomPropertiesFile to <sps_home>\httpd\conf\spsapachessl.properties, the file in which the configssl command stores the encrypted passphrase.
  9. Perform one of the following steps:
    1. If you are configuring FIPS mode on Windows, perform the following steps:
      1. Execute the following command from the command prompt, where passphrase is the passphrase of the server key:
           sps_home\httpd\bin\configssl.bat -enable passphrase
        

      Note: The passphrase value must match the passphrase of the server key; otherwise the key cannot be decrypted and SSL does not start.

      The passphrase is encrypted and is stored in the spsapachessl.properties file.

      2. Restart the Secure Proxy Service.
    2. If you are configuring FIPS mode on UNIX, perform the following steps:
      1. Execute the following command, where passphrase is the passphrase of the server key:
           sps_home/secure-proxy/proxy-engine/configssl.sh passphrase
        

      Note: The passphrase value must match the passphrase of the server key; otherwise the key cannot be decrypted and SSL does not start.

      The passphrase is encrypted and is stored in the spsapachessl.properties file.

      2. Execute the following command:
           sps_home/secure-proxy/proxy-engine/sps-ctl startssl
        

    SSL is enabled and configured.

Note: If you want to run SPS without SSL, you can execute the sps_home\httpd\bin\configssl.bat -disable command to disable SSL.
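The following script is an added example and is not part of the SPS documentation or product. It walks the openssl side of both procedures above (the default-passphrase flow, in which the working key is decrypted on disk, and the customized-passphrase flow, in which it stays encrypted) and then runs the two checks a practitioner wants before pointing httpd-ssl.conf at the files: that the key file is readable by its owner only, and that the key and the certificate carry the same public key. It assumes openssl on PATH and a scratch directory; the passphrase, the CSR subject and the self-signed stand-in for the CA-issued certificate are constructed for the demo, and it uses -aes256 where the documentation shows -des3 (the SPS-side configssl and sps-ctl steps are not covered here).

```shell
#!/bin/sh
# Added example, not SPS code. Assumptions: openssl on PATH, WORK is a scratch
# directory, PASS and the CSR subject are demo values constructed for this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-example-passphrase}"

# Step 1: encrypted RSA server key. The docs show -des3; -aes256 is the stronger
# choice. -passout replaces the interactive prompt so the script runs unattended.
gen_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null \
    && chmod 600 "$WORK/server.key"
}

# Step 2: back up the encrypted key under the name step 3 reads from.
backup_key() { cp -p "$WORK/server.key" "$WORK/server.key.org"; }

# Step 3 (default-passphrase flow only): write an unencrypted working key.
strip_passphrase() {
    openssl rsa -in "$WORK/server.key.org" -passin "pass:$PASS" \
        -out "$WORK/server.key" 2>/dev/null \
    && chmod 600 "$WORK/server.key"
}

# Step 4: CSR from whichever key is in place. -passin is unused for an
# unencrypted key, so the same call serves both flows.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -subj "/CN=sps.example.test/O=Example Org" -out "$WORK/server.csr" 2>/dev/null
}

# Stand-in for steps 5-6: self-sign the CSR so the checks below have a
# certificate to work on. In the real procedure server.crt is what the CA returns.
self_sign_for_demo() {
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -passin "pass:$PASS" -days 1 -out "$WORK/server.crt" 2>/dev/null
}

# True when the key on disk is still passphrase-protected (PEM header says so).
key_is_encrypted() { grep -q ENCRYPTED "$WORK/server.key"; }

# True when the key file is readable by its owner only (group/other bits clear).
key_perms_ok() {
    [ "$(ls -l "$WORK/server.key" | cut -c5-10)" = "------" ]
}

# Step 7 check: the key and the certificate must carry the same public key;
# a mismatch means httpd cannot prove possession of the certificate it serves.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs one flow end to end: "default" decrypts the working key, "custom" keeps
# it encrypted. Returns 0 only if every step and both checks succeed.
run_flow() {
    gen_encrypted_key && backup_key \
    && { [ "$1" = "custom" ] || strip_passphrase; } \
    && gen_csr && self_sign_for_demo \
    && key_perms_ok && key_matches_cert
}

# Stand-alone usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    for mode in default custom; do
        if run_flow "$mode"; then
            printf '%s flow: key encrypted=%s, permissions ok, key/cert match\n' \
                "$mode" "$(key_is_encrypted && echo yes || echo no)"
        else
            printf '%s flow: FAILED\n' "$mode"
        fi
    done
fi
```

In the default flow the script leaves server.key unencrypted, which is why key_perms_ok is run as part of the flow and not as an afterthought; in the custom flow the same file still carries the passphrase that step 9 hands to configssl, and the key/cert check works on it without decrypting it to disk.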