HP OpenVMS Systems

Secure Web Server (based on Apache™)

Setup and release notes for using SSL

Topics

» Documentation

» SSL files

» After installing

» Configuration options

» Verifying an SSL connection

» Disabling SSL

» Release notes

Documentation

Comprehensive usage information for working with SSL is available in this Compaq Secure Web Server SSL User Guide.

These notes are intended to supplement the general Installation and Configuration Guide for CSWS.

SSL files

Compaq Secure Web Server includes two modules for its SSL functionality. These are OpenSSL and mod_ssl.

Mod_ssl integrates OpenSSL with a set of source patches for Apache called the Extended API (EAPI). These components are included and automatically installed in CSWS: the OpenVMS implementation of Apache with mod_ssl.

After installing

After installing Compaq Secure Web Server, run the configuration utility, which performs the additional steps automatically for you.

$ @SYS$MANAGER:APACHE$CONFIG.COM

This includes creating a self-signed server certificate and installing it. CSWS will not run without a server certificate that is valid for your system. You may want to view the contents of this file using the OpenSSL Certificate Tool before starting the server.

Configuration Options

During the configuration procedure, you have the option to enable or disable SSL (see Disabling SSL) and to add optional command-line arguments to the server.

The optional command-line arguments enable you to make settings in the main configuration file (HTTPD.CONF) that can be turned on and off for individual systems.

Choose "Yes" in response to the following question if you want to enter new command-line arguments:

You can specify optional command-line arguments for the server below (e.g. "-D<name>" to define a name for the <IfDefine> directives or "-d<path>" to specify the ServerRoot directory). Note that the optional arguments are case-sensitive.

There are currently no optional command-line arguments.

Change this value (YES or NO)(default NO): Yes

Then enter the command-line argument(s) when prompted, as in the following example:

Setting a command-line argument:

New command-line arguments: -DSample

Removing the argument by leaving the optional argument blank (a null string):

Current arguments: "-DSample"

Change this value (YES or NO)(default NO): yes

New command-line arguments:

Verifying an SSL connection

The server now has a self-signed server certificate, meaning that clients can establish secure (encrypted) connections with your server.

Note: For purposes of a production environment, your server certificate should normally be signed by a third-party commercial certificate authority.

To verify that your SSL-aware server is working:

  1. Start your server in the normal way:

$ @SYS$STARTUP:APACHE$STARTUP.COM

  2. Connect to it from a client browser by appending "s" to "http" in the URL:

https://<my_server>

In Netscape Navigator you should see the New Site Certificate wizard, and in Internet Explorer you should see the Security Alert dialog. As a client, you can choose between not proceeding or proceeding with or without permanently installing the server certificate as a "trusted root certificate authority."

Disabling SSL

You can disable SSL on CSWS by running the configuration utility. Customizations you have made to your mod_ssl directives and certificates you have generated with the OpenSSL Certificate Tool are preserved.

  1. Run the configuration utility:

$ @SYS$MANAGER:APACHE$CONFIG.COM

Choose "No" in response to the question:

Do you want to enable the security features provided by MOD_SSL?
If so, the server will support the HTTPS (HTTP over the Secure Socket
Layer) protocol.

Enable MOD_SSL? [YES] No

  2. Restart the server (confirming the APACHE$WWW processes have stopped):

$ @SYS$STARTUP:APACHE$STARTUP.COM

$ SHOW SYSTEM/PROC=APACHE*

$ @SYS$STARTUP:APACHE$SHUTDOWN.COM

Release Notes

These notes are intended to supplement the general Release Notes for CSWS. Comprehensive usage information for working with SSL is available in this Compaq Secure Web Server SSL User Guide.

Do not install Java or Perl modules

Compaq Secure Web Server T1.0 Beta 1 is not designed for use with the JServ/JSSI beta kit or the Mod_Perl beta kit. Do not install these kits after installing CSWS. We strongly recommend that you use these modules only with Apache Web Server Version 1.3.12 for OpenVMS Alpha.

Child processes stuck in KEEPALIVE state

In SSL mode, child processes (APACHE$WWW_n) get stuck in the KEEPALIVE state. Once in this state, they never time out, so the server eventually reaches its maximum process limit.

Recovery requires restarting the server. Use the normal shutdown command:

$ @SYS$STARTUP:APACHE$SHUTDOWN

If the server does not shut down, use STOP PROC with the parent process PID. For example:

STOP PROC/ID=<PID>

where PID is obtained by: SHOW SYSTEM/PROC=APACHE$WWW

Do not use the <Location> statement

The <Location> statement (which provides for access control by URL) does not work with mod_ssl directives. Although its use in other contexts is permitted in HTTPD.CONF, mod_ssl directives should be enclosed in the <Directory> or <VirtualHost> section commands.
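
The following HTTPD.CONF fragment is an added example, not taken from the CSWS kit or its documentation. It combines the -DSample argument from the configuration options above with the placement rule in this release note: mod_ssl directives sit in <VirtualHost> and <Directory>, not <Location>. All paths are placeholders, and the port and the choice of SSLRequireSSL are assumptions made for illustration.

```apache
# Added example. Paths below are placeholders, not CSWS defaults.
#
# This whole block is active only when the server is started with the
# optional command-line argument -DSample. The name is case-sensitive,
# so -Dsample or -DSAMPLE would leave the block disabled.
<IfDefine Sample>

# Placement this release note says does not work with mod_ssl
# directives (kept commented out for comparison):
#
# <Location /private>
#     SSLRequireSSL
# </Location>

<VirtualHost _default_:443>
    # Server-wide mod_ssl settings go in the <VirtualHost> section.
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/path/to/server.crt
    SSLCertificateKeyFile /PLACEHOLDER/path/to/server.key

    # Per-resource mod_ssl settings go in <Directory>, which matches
    # on the file-system path rather than on the URL.
    <Directory "/PLACEHOLDER/docroot/private">
        # Refuse any request for this directory that did not arrive
        # over SSL.
        SSLRequireSSL
    </Directory>
</VirtualHost>

</IfDefine>
```

Removing the argument through the configuration utility (leaving the new command-line arguments blank) turns the block off again without editing HTTPD.CONF.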