Chapter 1: SSL Setup Information
Topics
- Documentation
- SSL files
- After installing
- Configuration options
- Verifying an SSL connection
- Disabling SSL
Documentation
This document, the SSL User Guide, contains information for working with the Secure Sockets Layer protocol in HP Secure Web Server.

The setup information in this chapter is intended to supplement the general Installation and Configuration Guide for CSWS. Release notes that are SSL-specific are contained in the Release Notes for CSWS.
SSL files
HP Secure Web Server includes two modules for its Secure Sockets Layer (SSL) functionality. These are OpenSSL and mod_ssl. Mod_ssl integrates OpenSSL with a set of source patches for Apache called the Extended API (EAPI). HP Secure Web Server implements OpenSSL using RSA Security's Crypto-C (BSAFE) library. These components are included and automatically installed in CSWS.
After installing CSWS
After installing HP Secure Web Server, additional steps are performed automatically for you by running the configuration utility.

$ @SYS$MANAGER:APACHE$CONFIG.COM

This includes creating a self-signed server certificate, good for 30 days, and installing it. CSWS will not run without a server certificate that is valid for your system. You may want to view the contents of this file using the OpenSSL Certificate Tool before starting the server.
Note:
Following expiration of your self-signed certificate in 30 days, your SSL-enabled server will not run. If you wish to continue running in SSL mode, you must replace it.
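One way to keep track of the 30-day expiry described in the note above, as an added example that is not part of the original guide or of CSWS: a Python script that reads the text printed by the standard command openssl x509 -noout -subject -issuer -enddate and reports the days remaining and whether the certificate is self-issued. The sample certificate text, the 7-day warning threshold and the function names are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: text in the shape printed by
#   openssl x509 -noout -subject -issuer -enddate -in <certificate file>
# The host name and the date are made up for illustration.
SAMPLE = """\
subject= /C=US/O=Example/CN=www.example.test
issuer= /C=US/O=Example/CN=www.example.test
notAfter=Mar 31 12:00:00 2024 GMT
"""

def parse_fields(text):
    """Split 'name=value' lines into a dict, trimming padding around values."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_certificate(text, now=None, warn_days=7):
    """Return (status, days_left, self_issued) for one certificate summary."""
    fields = parse_fields(text)
    for required in ("subject", "issuer", "notAfter"):
        if required not in fields:
            raise ValueError("missing field: " + required)
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format.
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(fields["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    # Identical subject and issuer names indicate a self-issued certificate,
    # such as the one the configuration utility creates (name check only).
    self_issued = fields["subject"] == fields["issuer"]
    if expires <= now:
        status = "EXPIRED"        # the SSL-enabled server will not run
    elif days_left < warn_days:
        status = "RENEW NOW"      # warn_days is an assumed threshold
    else:
        status = "OK"
    return status, days_left, self_issued

if __name__ == "__main__":
    status, days_left, self_issued = check_certificate(SAMPLE)
    print(status, days_left, "self-issued" if self_issued else "issued by another name")
```

A certificate reported as self-issued is the case the production note in "Verifying an SSL Connection" says should normally be replaced with one signed by a third-party commercial certificate authority.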
Configuration options
During the configuration procedure, you have the option to enable or disable SSL (see Disabling SSL) and to add optional command-line arguments to the server.

To enable SSL, choose the default response of "Yes":

Do you want to enable the security features provided by MOD_SSL? If so, the server will support the HTTPS (HTTP over the Secure Socket Layer) protocol.
Enable MOD_SSL? [YES]

The optional command-line arguments enable you to make settings in the main configuration file (HTTPD.CONF) that can be turned on and off for individual systems.

Choose "Yes" in response to the following question if you want to enter new command-line arguments:

You can specify optional command-line arguments for the server below. (For example, specify "-D<name>" to define a name for the <IfDefine> directives or specify "-d<path>" to specify the ServerRoot directory.) Note that the optional arguments are case-sensitive.
There are currently no optional command-line arguments.
Change this value? [NO] Yes

Then enter the command-line argument(s) when prompted, as shown in the following example:

Setting a command-line argument:

New command-line arguments: -DSample

Removing the argument by leaving the optional argument blank (a null string):

Current arguments: "-DSample"
Change this value [NO] Yes
New command-line arguments: [carriage return]
Verifying an SSL Connection
The server now has a self-signed server certificate, meaning that clients can establish secure (encrypted) connections with your server.

Note:
For purposes of a production environment, your server certificate should normally be signed by a third-party commercial certificate authority.

To verify that your SSL-aware server is working:

- Start your server in the normal way:

$ @SYS$STARTUP:APACHE$STARTUP.COM

- Connect to it from a client browser by appending "s" to "http" in the URL:

https://<my_server>

In Netscape Navigator you should see the New Site Certificate wizard, and in Internet Explorer you should see the Security Alert dialog. As a client, you can choose between not proceeding or proceeding with or without permanently installing the server certificate as a "trusted root certificate authority."
Disabling SSL
You can disable SSL on CSWS by running the configuration utility. Customizations you have made to your mod_ssl directives and certificates you have generated with the OpenSSL Certificate Tool are preserved.

- Run the configuration utility:

$ @SYS$MANAGER:APACHE$CONFIG.COM

Choose "No" in response to the question:

Do you want to enable the security features provided by MOD_SSL? If so, the server will support the HTTPS (HTTP over the Secure Socket Layer) protocol.
Enable MOD_SSL? [YES] No

- Restart the server (confirming first that the APACHE$WWW processes have stopped):

$ @SYS$STARTUP:APACHE$SHUTDOWN.COM
$ SHOW SYSTEM/PROC=APACHE*
$ @SYS$STARTUP:APACHE$STARTUP.COM