Tuesday, April 18, 2017

HTTPS IPS repository using pkg.depotd

Say we have a company rule stating that all network traffic has to be encrypted, so let's create a new IPS package repository that is reachable over HTTPS only.

We'll do that in an LDOM (an NGZ or KZ works too) backed by a separate LUN.

# zpool create tank c1d1
# zfs create -o mountpoint=/install tank/install
# zfs create -o atime=off tank/install/pkgrepo
# zfs create tank/install/pkgrepo/solaris

Now download the repository image from the Oracle Solaris 11.3 Repository page and unpack it with the supplied script:

# LC_ALL=C ./install-repo.ksh -c -d /install/pkgrepo/solaris
Using sol-11_3-repo download.

Comparing checksums of downloaded files...done. Checksums match.

Uncompressing sol-11_3-repo_1of5.zip...done.
Uncompressing sol-11_3-repo_2of5.zip...done.
Uncompressing sol-11_3-repo_3of5.zip...done.
Uncompressing sol-11_3-repo_4of5.zip...done.
Uncompressing sol-11_3-repo_5of5.zip...done.

Repository can be found in /install/pkgrepo/solaris.

# zfs snapshot tank/install/pkgrepo/solaris@ga

# pkgrepo -s /install/pkgrepo/solaris list entire
PUBLISHER NAME                                          O VERSION
solaris   entire                                          0.5.11-0.175.3.1.0.5.0:20151006T140051Z

Now create a new pkg/server SMF instance for the solaris repository. With pkg/standalone set to false the instance only holds the configuration and the repository is served by the Apache-based pkg/depot service we set up next; pkg/readonly = true makes sure nothing can be published into the repository over the network.

# svccfg -s pkg/server add solaris
# svccfg -s pkg/server:solaris
svc:/application/pkg/server:solaris> setprop pkg/inst_root = /install/pkgrepo/solaris
svc:/application/pkg/server:solaris> setprop pkg/standalone = boolean: false
svc:/application/pkg/server:solaris> setprop pkg/readonly = boolean: true
svc:/application/pkg/server:solaris> refresh
svc:/application/pkg/server:solaris> ^D

Time to install pkg.depotd (package/pkg/depot, the Apache-based depot):

# pkg install --no-backup-be package/pkg/depot

See How to create a SSL CA/certificate/key with pktool for creating a CA and a server certificate/key pair; the next steps depend on it.

# cp CA.crt /etc/pkg/depot/server-ca.crt
# cp server.crt /etc/pkg/depot/server.crt
# cp server.key /etc/pkg/depot/server.key
# chown pkg5srv:pkg5srv /etc/pkg/depot/server*

Good, we have a CA certificate and a key/certificate pair for our web server. Make sure server.key is readable by the pkg5srv user only (cp does not tighten the mode of the copy). Now we can make pkg.depotd https aware.

# cat << 'EOF' > /etc/pkg/depot/conf.d/pkcs11.conf
SSLCryptoDevice pkcs11
SSLProtocol TLSv1.2
SSLCipherSuite AESGCM:AES
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
EOF

# chgrp bin /etc/pkg/depot/conf.d/pkcs11.conf

Now set up pkg/depot so that Apache listens on port 443 only and uses our certificate:

# svccfg -s application/pkg/depot:default
svc:/application/pkg/depot:default> setprop config/host = pkg.mycompany.com
svc:/application/pkg/depot:default> setprop config/port = 443
svc:/application/pkg/depot:default> setprop config/https = boolean: true
svc:/application/pkg/depot:default> setprop config/ssl_ca_cert_file = "/etc/pkg/depot/server-ca.crt"
svc:/application/pkg/depot:default> setprop config/ssl_cert_file = "/etc/pkg/depot/server.crt"
svc:/application/pkg/depot:default> setprop config/ssl_key_file = "/etc/pkg/depot/server.key"
svc:/application/pkg/depot:default> refresh
svc:/application/pkg/depot:default> ^D

Sadly, the SMF start method of pkg/depot does not cope with an https-only repository: when you dig into /lib/svc/method/svc-pkg-depot you'll see that it uses curl on a http:// URL to check whether the depot is up, which never succeeds when port 443 is the only listener. We have to fix that before starting pkg/depot. Note that this edits a file delivered by package/pkg/depot, so re-check it after updating that package:

# perl -w -pi -e 's/(url="http):/$1s:/' /lib/svc/method/svc-pkg-depot

# svcadm enable svc:/application/pkg/server:solaris
# svcadm enable svc:/application/pkg/depot:default

You should have an https-only pkg repository running at https://pkg.mycompany.com now. If not, check /var/log/pkg/depot/error_log for errors.

$ openssl s_client -connect pkg.mycompany.com:443 < /dev/null
...
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
...
    Verify return code: 0 (ok)
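A quick acceptance test for the new depot, as an added example that is not part of the original post: it reads an openssl s_client transcript and checks for the properties the conf.d fragment promises (TLS 1.2 negotiated, an AES-GCM cipher, which is what a modern client ends up with because AESGCM is listed first and the cipher order is honored, no compression, chain verified against our CA), checks the HSTS header, and in live mode also confirms that a TLS 1.0 handshake is refused. Note that the "New, TLSv1/SSLv3" line in the s_client output above is just a generic label; the negotiated version is on the "Protocol" line of the SSL-Session block, which is what the script looks at. Host name, port and CA path follow the text and can be overridden from the environment; the embedded transcripts are constructed for the offline self-test, not captured output.

```shell
#!/bin/sh
# verify-https-repo.sh: acceptance checks for an https-only pkg.depotd.
# Added example, not part of the original post. Host, port and CA path
# follow the text and can be overridden from the environment.
REPO_HOST=${REPO_HOST:-pkg.mycompany.com}
REPO_PORT=${REPO_PORT:-443}
CA_FILE=${CA_FILE:-/etc/certs/CA/UNIX_Dep_CA.pem}

# Read an "openssl s_client" transcript from stdin and return 0 only if
# every property the conf.d fragment promises is visible in it. The
# "Protocol" line of the SSL-Session block carries the negotiated version;
# the "New, TLSv1/SSLv3" banner is only s_client's generic label.
check_s_client_output() {
    _out=$(cat)
    _rc=0
    printf '%s\n' "$_out" | grep -q 'Protocol *: TLSv1\.2$' \
        || { echo "FAIL: negotiated protocol is not TLSv1.2"; _rc=1; }
    printf '%s\n' "$_out" | grep -q 'Cipher is [A-Z0-9-]*-GCM-' \
        || { echo "FAIL: negotiated cipher is not AES-GCM"; _rc=1; }
    printf '%s\n' "$_out" | grep -q '^Compression: NONE' \
        || { echo "FAIL: TLS compression is enabled"; _rc=1; }
    printf '%s\n' "$_out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "FAIL: certificate chain did not verify"; _rc=1; }
    return $_rc
}

# Read "curl -sI" response headers from stdin; the fragment sets HSTS with
# "Header always set", so it has to show up on every response.
check_hsts_header() {
    grep -qi '^Strict-Transport-Security:.*max-age=[0-9]'
}

# Live checks against the running depot: a verified TLS 1.2 session, a
# refused TLS 1.0 handshake (SSLProtocol TLSv1.2) and the HSTS header.
check_live_repo() {
    openssl s_client -connect "$REPO_HOST:$REPO_PORT" -servername "$REPO_HOST" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null | check_s_client_output || return 1
    if openssl s_client -connect "$REPO_HOST:$REPO_PORT" -tls1 \
        </dev/null >/dev/null 2>&1; then
        echo "FAIL: depot still accepts TLSv1.0"; return 1
    fi
    curl -sI --cacert "$CA_FILE" "https://$REPO_HOST:$REPO_PORT/" \
        | check_hsts_header || { echo "FAIL: no HSTS header"; return 1; }
    echo "OK: $REPO_HOST serves TLSv1.2 only, AES-GCM, HSTS set"
}

# Constructed transcripts for the offline self-test (modelled on s_client
# output, not captured from a real depot).
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'
SAMPLE_BAD='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)'

# Offline self-test: the good transcript passes, the downgraded one fails.
selftest() {
    printf '%s\n' "$SAMPLE_OK" | check_s_client_output || return 1
    if printf '%s\n' "$SAMPLE_BAD" | check_s_client_output >/dev/null; then
        return 1
    fi
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\n\r\n' \
        | check_hsts_header || return 1
    echo "selftest OK"
}

case "${1:-}" in
    --live) check_live_repo ;;
    *) selftest ;;
esac
```

Run it without arguments for the offline self-test, or with --live from a client that already has the CA installed to check the real depot; a non-zero exit with a FAIL line tells you which of the settings from pkcs11.conf did not take effect.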

The Apache log files in /var/log/pkg/depot/ are not rotated by default, so let's add logadm rules for them. The -a action refreshes the depot service after each rotation so that Apache re-opens its log files.

# cat << 'EOF' > /etc/logadm.d/pkg-depot.logadm.conf
/var/log/pkg/depot/access_log -C 4 -N -a '/usr/sbin/svccfg -s svc:/application/pkg/depot:default refresh'
/var/log/pkg/depot/error_log -C 4 -N -a '/usr/sbin/svccfg -s svc:/application/pkg/depot:default refresh'
/var/log/pkg/depot/rewrite.log -C 4 -N -a '/usr/sbin/svccfg -s svc:/application/pkg/depot:default refresh'
EOF
# chgrp sys /etc/logadm.d/pkg-depot.logadm.conf
# chmod 444 /etc/logadm.d/pkg-depot.logadm.conf
# svcadm refresh logadm-upgrade

What's next? Distribute CA.crt to all our Solaris 11 clients (put it in /etc/certs/CA/UNIX_Dep_CA.pem and run svcadm refresh svc:/system/ca-certificates:default) and add the new repo with pkg set-publisher -G '*' -g https://pkg.mycompany.com solaris. The -G '*' drops every existing origin of the solaris publisher, so the clients can only reach the https one afterwards.

Keep in mind that pkg/depot has to be restarted (svcadm restart pkg/depot) after adding new SRUs to the repository so that it picks up the updated catalog.

Read on at How to add a SRU to a local IPS repository, or see Veritas InfoScale 7.3.1 IPS repo for how to add another repository.
