enable SSL, how to enter the passphrase
Johnny
TS 6.5 Solaris.
So we set up SSL for iw-webd. Now when we start TeamSite, there is a prompt asking for a passphrase. So when TeamSite tries to automatically start, say when the machine was rebooted, there's no way of entering the passphrase as there's no prompt.
Is this normal?... do we need to use a passphrase on the commandline?
The only thing I can think of now is to modify iw-home/private/bin/iwuiboot and pass in a file containing the passphrase to iw-webd. Is this the best approach? I want to avoid touching files like that if it's possible.
Thanks
John Cuiuli
Comments
kailash1
Hi Johnny,
I don't think there is a way, as you have to type the pass phrase manually. The Apache site has a way to remove the pass phrase from your certificate.
Check
http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#removepassphrase
Regards
Kailash
kailash1
Johnny,
Also check
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog
where you can change "SSLPassPhraseDialog builtin" to "SSLPassPhraseDialog exec:/path/to/program "
exec:/path/to/program :
Here an external program is configured which is called at startup for each encrypted Private Key file. It is called with two arguments (the first is of the form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which indicate for which server and algorithm it has to print the corresponding Pass Phrase to stdout. The intent is that this external program first runs security checks to make sure that the system is not compromised by an attacker, and only when these checks were passed successfully it provides the Pass Phrase.
Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Mod_ssl just defines the interface: an executable program which provides the Pass Phrase on stdout. Nothing more or less! So, if you're really paranoid about security, here is your interface. Anything else has to be left as an exercise to the administrator, because local security requirements are so different.
The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase.
Example:
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
Hope this helps you.
Regards
Kailash
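A sketch of the kind of program the quoted documentation describes, added here as an example (it is not from the thread, from Apache, or from TeamSite): it takes the two arguments mod_ssl passes, checks them and the protection of the pass-phrase file, and only then prints the pass phrase to stdout. PP_FILE, PP_OWNER_UID and PP_SERVER are hypothetical settings with placeholder defaults.

```shell
#!/bin/sh
# Added example: a pass-phrase program for "SSLPassPhraseDialog exec:...".
# PP_FILE, PP_OWNER_UID and PP_SERVER are hypothetical names and placeholder
# values, not mod_ssl or TeamSite settings.
PP_FILE=${PP_FILE:-/path/to/passphrase-file}
PP_OWNER_UID=${PP_OWNER_UID:-0}
PP_SERVER=${PP_SERVER:-www.example.com:443}

# check_pp_file FILE UID
# Succeeds only if FILE is a regular file (not a symlink), owned by UID,
# readable by its owner and with no permission bits for group or other.
check_pp_file() {
    f=$1
    want_uid=$2
    [ -f "$f" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn "$f")
    case $1 in
        -r??------*) ;;      # leading "-" = regular file; group/other empty
        *) return 1 ;;
    esac
    [ "$3" = "$want_uid" ]
}

# emit_passphrase SERVER:PORT ALGORITHM
# The two arguments are the ones mod_ssl passes to the program.
emit_passphrase() {
    [ "$1" = "$PP_SERVER" ] || return 2          # unexpected virtual host
    case $2 in
        RSA|DSA) ;;
        *) return 2 ;;                           # unexpected algorithm
    esac
    check_pp_file "$PP_FILE" "$PP_OWNER_UID" || return 3
    sed -n '1p' "$PP_FILE"                       # pass phrase = first line
}

# Run as the dialog program only when called with mod_ssl's two arguments.
if [ "$#" -eq 2 ]; then
    emit_passphrase "$1" "$2" || {
        echo "pp-filter: checks failed, not printing pass phrase" >&2
        exit 1
    }
fi
```

The pass phrase still sits on disk in clear text, so the private key is only as protected as the file permissions on PP_FILE and on the script itself.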
skip11
Hi,
A simple matter to remove the passphrase:
openssl rsa -in yourcert.key -out yourcert_wo_pass.key
regards,
R.Barger
Credit Suisse Group
Zurich, Switzerland
Johnny
Hey, these all sound like good ideas. Thanks for the tips with Apache.
Unfortunately no-one here has worked with Apache before.
One thing I would like to make clear, I think there are parts of the documentation that are lacking in detail and hint on the assumption that you should know certain open source packages. I don't think that's right at all. All of this stuff should be part of the TeamSite documentation. We shouldn't care whether it's Apache or something else.
Thanks for the help again.
John Cuiuli