HP-UX Web Server Suite

Admin Guide for SSL transactions

TABLE OF CONTENTS

Overview
Setup
  - Starting and Stopping the HP-UX Apache-based Web Server in Secure mode
  - Updating the CRL without restarting the Web Server
Configuration
  - Changes from Previous Releases
  - Available SSL Crypto algorithms
  - How to create new certificates?
  - How to add a PEM Pass Phrase to your server key?
  - How to remove a PEM Pass Phrase from your server key?
  - How to create ca-bundle.crt?
Troubleshooting
Known Bugs
Tuning
  - SSL Cipher Suite
  - Shared memory support
  - Custom Log format
Legal Notices

OVERVIEW

The HP-UX Apache-based Web Server solution delivers value to our customers by providing state-of-the-art security capabilities. A combination of open source and HP components is used to deliver an integrated security solution:

- SSL (Secure Sockets Layer) plug-in for the Apache web server (Apache/mod_ssl)
- SSL/TLS implementation toolkit (OpenSSL) {open source}

A plug-in called mod_ssl is required to enable HTTPS (HTTP over SSL/TLS) connections through the HP-UX Apache-based Web Server. For the 1.3.x series of the Apache web server this module was developed under the open source initiative at www.modssl.org; for the 2.x series it is developed as part of the core web server. Several SSL/TLS protocol implementations are available today, some commercial and others open source. HP has chosen OpenSSL, an open source toolkit, because it is the most widely used and actively maintained implementation.

SETUP

Starting and Stopping the HP-UX Apache-based Web Server in Secure mode

When the HP-UX Apache-based Web Server is running under SSL, it must be completely stopped and then started again; do not use /opt/hpws/apache/bin/apachectl restart. Note: You must be root to start or stop the HP-UX Apache-based Web Server.

To start the HP-UX Apache-based Web Server with SSL capability (logged in as root):

  $ /opt/hpws/apache/bin/apachectl startssl

If you have installed a new server key whose PEM file is encrypted with a pass phrase, you are prompted for it here.

To stop the HP-UX Apache-based Web Server with SSL capability (logged in as root):

  $ /opt/hpws/apache/bin/apachectl stop

Updating the CRL without restarting the Web Server

The HP-UX Apache-based Web Server supports an apachectl option (updatecrl) that reloads the Certificate Revocation List (CRL) without restarting the entire Web Server. To update the CRL, run:

  $ /opt/hpws/apache/bin/apachectl updatecrl

NOTE: This feature is available in HP-UX Apache-based Web Server version 2.0.50 onwards.

CONFIGURATION

The SSL related configuration information for the HP-UX Apache-based Web Server can be found in /opt/hpws/apache/conf/ssl.conf.

Changes from Previous Releases

The following new directive has been added:

- SSLMaxIOBuffer: configures the SSL I/O buffer size.
  Usage:   SSLMaxIOBuffer <size in bytes>
  Example: SSLMaxIOBuffer 524288
  Default: 256 KB. A value of "0" sets the buffer to the default size. The maximum value that can be configured is 2 GB.
  NOTE: The value must always be given in bytes.

The following has changed between this release and earlier releases of Apache 2.x:

- v.2.0.0 to v.2.0.39: SSLLog and SSLLogLevel have been removed. Use the Apache directives ErrorLog and LogLevel instead.

Available SSL Crypto algorithms

The HP-UX Apache-based Web Server supports all the crypto algorithms available in OpenSSL, with the exception of the IDEA algorithm. As a result, the following ciphers are not available: IDEA-CBC-SHA, IDEA-CBC-MD5.

How to create new certificates?

You can create new dummy (test) certificates with the SSL Certificate Generation Utility (mkcert.sh). This script generates private keys, certificate signing requests and certificates for the CA, the server and the client. More information is available by running:

  /opt/hpws/apache/util/mkcert.sh --help

By default there is no PEM pass phrase on the dummy server key distributed by HP. A PEM pass phrase can be added to or removed from a server key by following the instructions below.

How to add a PEM Pass Phrase to your server key?

To put back a pass phrase that has been removed from a private key, or to add a pass phrase for the first time, change to /opt/hpws/apache/conf/ssl.key and, as root, run:

  /opt/hpws/apache/bin/openssl rsa -des3 -in server.key -out server1.key

If server.key is already encrypted you are first asked for its existing pass phrase; you are then asked twice for the new one. server1.key is written encrypted with Triple DES (the -des3 option), and apachectl startssl will prompt for the pass phrase on every start. If necessary, update /opt/hpws/apache/conf/ssl.conf:

  Replace: SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server.key
  With:    SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server1.key

How to remove a PEM Pass Phrase from your server key?

To remove the pass phrase from the private key stored in /opt/hpws/apache/conf/ssl.key/server.key, change to that directory and, as root, run:

  /opt/hpws/apache/bin/openssl rsa -in server.key -out server1.key

You are prompted once for the existing pass phrase. The resulting server1.key is unencrypted, so anyone who can read the file can impersonate the server: keep it owned by root with mode 600, and never place it under a directory the Web Server serves. In /opt/hpws/apache/conf/ssl.conf:

  Replace: SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server.key
  With:    SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/server1.key

NOTE FOR WEBMIN:
Webmin can also generate keys, certificates and certificate requests for the Certificate Authority (CA) and the server using the OpenSSL toolkit. Click on "Generate Certificates" on Webmin's main HP-UX Apache-based Web Server screen.
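The two openssl rsa steps above leave the file permissions of the new key to chance. The following shell functions are an added example, not part of the HP-UX Web Server Suite documentation or of the openssl tool: they wrap the same two commands so that a key written without a pass phrase is created mode 0600 from the start, is verified with "openssl rsa -check" before it replaces anything, and does not linger in a temporary file after a failed decrypt. The OPENSSL variable and the throwaway key generated in demo are assumptions for the example; on HP-UX the binary is /opt/hpws/apache/bin/openssl and the keys live in /opt/hpws/apache/conf/ssl.key.

```sh
#!/bin/sh
# Added example (not from the HP-UX Web Server Suite docs): safe wrappers
# around "openssl rsa" for adding and removing a PEM pass phrase.
# OPENSSL is an assumption; on HP-UX use /opt/hpws/apache/bin/openssl.
OPENSSL=${OPENSSL:-openssl}

# key_is_encrypted FILE: succeed if the PEM file still carries a pass
# phrase. Both the traditional "Proc-Type: 4,ENCRYPTED" header and the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" armour contain the word.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# perm_string FILE: the ls-style mode, e.g. "-rw-------" for 0600.
perm_string() {
    ls -l "$1" | cut -c1-10
}

# strip_passphrase IN OUT PASS: "openssl rsa -in IN -out OUT" as in the
# text above, with the pass phrase supplied on the command line. The key
# is written into a temp file under umask 077, checked, then moved.
strip_passphrase() {
    src=$1; dst=$2; pass=$3
    tmp="$dst.tmp.$$"
    ( umask 077 && "$OPENSSL" rsa -in "$src" -passin "pass:$pass" -out "$tmp" 2>/dev/null ) \
        || { rm -f "$tmp"; return 1; }
    if ! "$OPENSSL" rsa -in "$tmp" -check -noout >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$dst"
}

# add_passphrase IN OUT PASS: "openssl rsa -des3" as in the text above.
# -des3 is kept to match the page; -aes256 is the stronger choice on a
# current OpenSSL.
add_passphrase() {
    src=$1; dst=$2; pass=$3
    tmp="$dst.tmp.$$"
    ( umask 077 && "$OPENSSL" rsa -in "$src" -des3 -passout "pass:$pass" -out "$tmp" 2>/dev/null ) \
        || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$dst"
}

# Demonstration on a throwaway key generated here (not a real server key).
demo() {
    d=$(mktemp -d) || return 1
    "$OPENSSL" genrsa -out "$d/server.key" 2048 2>/dev/null
    add_passphrase   "$d/server.key"  "$d/server1.key" 'demo pass phrase'
    strip_passphrase "$d/server1.key" "$d/server2.key" 'demo pass phrase'
    echo "server1.key encrypted: $(key_is_encrypted "$d/server1.key" && echo yes || echo no)"
    echo "server2.key mode:      $(perm_string "$d/server2.key")"
    rm -rf "$d"
}
demo
```

The umask inside the subshell matters more than the final chmod: it guarantees the unencrypted key never exists on disk with a mode wider than 0600, even for the instant between openssl writing it and chmod running.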

How to create ca-bundle.crt?

The ca-bundle.crt is required *only* if you are using the Client Authentication feature of mod_ssl and the client certificates are issued by one or more CAs. There are two ways to obtain the ca-bundle.crt:

- Get the CA certificate(s) from your Certificate Authority.
-- OR --
- Generate the ca-bundle.crt yourself.

The steps to generate the ca-bundle.crt yourself are as follows:

Requirement: A Netscape browser (version 4.7 or higher) on HP-UX.

Steps:
1. Create a Netscape certificate database by invoking the Netscape browser (version 4.7 or higher) on your HP-UX box. A certificate database is created in your home directory ($HOME/.netscape).
2. Invoke /opt/hpws/apache/bin/certmig to extract the certificates from the Netscape certificate database. At the command prompt, type:
     /opt/hpws/apache/bin/certmig -E -d $HOME/.netscape
3. You are then asked: "Enter Filename where the certificates are to be extracted :" Enter a temporary filename, e.g. /tmp/ca-certs.
4. Next you are asked which certificates to extract. Select all of them.
5. Cut and paste the following perl program into /tmp/parse.pl. It parses the certmig output for the certificates and generates the ca-bundle.crt file.

-----------------------START OF PARSE.PL---------------------------------
#!/opt/perl/bin/perl
# Split the certmig output into individual certificates and append each
# one, with its decoded text, to the ca-bundle file.
$|++;
$openssl    = "/opt/hpws/apache/bin/openssl";
$inputfile  = shift;
$outputfile = shift;
if ( !$inputfile || !$outputfile ) {
    print "Usage: parse.pl <certmig_output_filename> <ca-bundle_filename>\n";
    exit 1;
}
$tmpfile = "${inputfile}.tmp";
open (INPUT, "<$inputfile") || die "Cannot open $inputfile";
# Truncate (or create) the bundle so the certificates are appended to an empty file.
open (OUTPUT, ">$outputfile") || die "Cannot open $outputfile";
close (OUTPUT);
$inside_certificate = 0;
while ( <INPUT> ) {
    if ( !$inside_certificate && /-----BEGIN CERTIFICATE-----/ ) {
        $inside_certificate = 1;
        open (OUTPUT, ">$tmpfile") || die "Cannot open $tmpfile";
    }
    if ( $inside_certificate ) {
        print OUTPUT $_;
        if ( /-----END CERTIFICATE-----/ ) {
            $inside_certificate = 0;
            close (OUTPUT);
            # "x509 -text" writes the human-readable dump followed by the PEM
            # certificate itself; mod_ssl skips the text and reads the PEM.
            system ("$openssl x509 -text -in $tmpfile >> $outputfile") == 0
                || die "openssl x509 failed on $tmpfile";
        }
    }
}
close (INPUT);
unlink ($tmpfile);
-----------------------END OF PARSE.PL---------------------------------

6. chmod a+x /tmp/parse.pl
7. Run parse.pl to generate the ca-bundle.crt file. [MAKE SURE TO SAVE ANY EXISTING ca-bundle.crt FILE FIRST: the script truncates the output file.] At the command prompt, type:
     /tmp/parse.pl /tmp/ca-certs /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt
8. You now have a ca-bundle.crt that you can use with the HP-UX Apache-based Web Server.

TROUBLESHOOTING

- Need to replace a digitalbadge server certificate
  SOLUTION: https://digitalbadge.hp.com/client/revoke.htm

- Need to make HP a trusted Certificate Authority (CA)
  SOLUTION: https://digitalbadge.hp.com/DBEC/Server_req/server_apache_SSL.html

- Digitalbadge doesn't accept my *.csr file, or server certificate requests fail at http://digitalbadge.hp.com/
  SOLUTION: Add "NEW" to the header and footer lines of the request. The lines
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
  should be:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
  Only the armour lines change; the base64 body between them is the same PKCS#10 request and must stay exactly as openssl wrote it.
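The header fix above is easy to get wrong by hand (a missing dash, a doubled "NEW", a mangled base64 line). The following shell functions are an added example, not part of the HP-UX Web Server Suite documentation: they apply the rewrite with sed, anchored so that running it twice cannot produce "NEW NEW", and then confirm with openssl that the request is still intact, since OpenSSL accepts both header forms and verifies the self-signature on the request. The OPENSSL variable and the throwaway key and CSR generated in demo are assumptions for the example; on HP-UX the binary is /opt/hpws/apache/bin/openssl.

```sh
#!/bin/sh
# Added example (not from the HP-UX Web Server Suite docs): rewrite the
# PEM armour of a certificate request to the "NEW" form and check it.
# OPENSSL is an assumption; on HP-UX use /opt/hpws/apache/bin/openssl.
OPENSSL=${OPENSSL:-openssl}

# csr_add_new_header IN OUT: change only the armour lines. The patterns
# are anchored to the whole line, so a request that already has the
# "NEW" form passes through unchanged.
csr_add_new_header() {
    sed -e 's/^-----BEGIN CERTIFICATE REQUEST-----$/-----BEGIN NEW CERTIFICATE REQUEST-----/' \
        -e 's/^-----END CERTIFICATE REQUEST-----$/-----END NEW CERTIFICATE REQUEST-----/' \
        "$1" > "$2"
}

# csr_header FILE: the BEGIN armour line, to see which form a file has.
csr_header() {
    grep '^-----BEGIN' "$1" | head -1
}

# csr_verify FILE: succeed only if openssl can parse the request and the
# self-signature checks out, i.e. the base64 body was not damaged. The
# message is matched rather than the exit status because older openssl
# versions exit 0 even on "verify failure".
csr_verify() {
    "$OPENSSL" req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_subject FILE: the subject DN the CA will put into the certificate.
csr_subject() {
    "$OPENSSL" req -in "$1" -noout -subject
}

# Demonstration on a throwaway key and request generated here.
demo() {
    d=$(mktemp -d) || return 1
    "$OPENSSL" genrsa -out "$d/server.key" 2048 2>/dev/null
    "$OPENSSL" req -new -key "$d/server.key" -subj '/CN=www.example.com' \
        -out "$d/server.csr" 2>/dev/null
    csr_add_new_header "$d/server.csr" "$d/server-new.csr"
    echo "before: $(csr_header "$d/server.csr")"
    echo "after:  $(csr_header "$d/server-new.csr")"
    csr_verify "$d/server-new.csr" && echo "request still verifies"
    csr_subject "$d/server-new.csr"
    rm -rf "$d"
}
demo
```

Run csr_verify on the file you are about to upload, not on the one you started from; it is the edited copy whose integrity matters to the CA.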

KNOWN BUGS

- When the HP-UX Apache-based Web Server is running under SSL, it must be completely stopped and then started again; do not use /opt/hpws/apache/bin/apachectl restart.
- It is recommended to use SHMCB session caching. The other caching mechanisms (DBM and SHMHT) are under development.

TUNING

The following tuning recommendations have already been implemented in the default configuration of HP-UX Apache-based Web Server in the /opt/hpws/apache/conf/ssl.conf file.

SSL Cipher Suite

The SSLCipherSuite directive in ssl.conf lists the cipher suites offered for the SSL handshake. Although the 3DES algorithm provides strong security, it can slow down SSL transactions because it is computationally expensive compared with RC4-128, whereas RC4 is tuned for best performance on HP-UX platforms. To take advantage of the RC4 performance, the shipped ssl.conf lists RC4 ahead of 3DES, because with the default ordering 3DES would otherwise be negotiated first:

  #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Note that when *ALL* is present in SSLCipherSuite, some browsers negotiate 3DES. Since most browsers today support RC4-128, the *ALL* keyword is removed from the directive so that RC4 comes first and 3DES is only added further down the list by +HIGH. This tuning reflects the browsers of the time: RC4 has since been prohibited in TLS (RFC 7465) and SSLv2 has been deprecated (RFC 6176), so on a current deployment the RC4, +SSLv2, +EXP and +eNULL entries should be dropped rather than kept for speed.

Shared memory support

The SSL session cache uses APR shared memory (apr_shm) to share SSL session data between the server processes, similar to the shmem cache in the previous release of the HP-UX Apache-based Web Server. A client that returns with a cached session ID can resume the session instead of running a full handshake, which avoids the expensive public-key operation; for clients that reconnect repeatedly this improves SSL performance by more than 50-100%. To take advantage of this feature, the following directive is enabled by default in ssl.conf:

  SSLSessionCache shmcb:logs/ssl_scache(512000)

Custom Log format

When mod_ssl is used in the HP-UX Apache-based Web Server, it provides additional extensions for the CustomLog feature of mod_log_config. These CustomLog extensions, e.g. ``%{varname}x'', expand variables provided by the module, which helps in debugging and in learning more about the connections. Example:

  CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Although this offers extended traceability, this type of logging adds noticeable overhead to SSL performance, so the directive is commented out by default in ssl.conf. Enable it only with a full understanding of the performance implications for SSL transactions.
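Once the CustomLog line above is enabled, the log answers the question behind the SSL Cipher Suite tuning section: what clients actually negotiate. The following shell functions are an added example, not part of the HP-UX Web Server Suite documentation: an awk pass over ssl_request_log in that exact format that tallies the protocol/cipher combinations seen and lists the requests that arrived over SSLv2 or with export, NULL, anonymous or RC4 ciphers, which the shipped SSLCipherSuite still allows. The log lines in SAMPLE_LOG are constructed for the example; the field positions follow from "%t" producing two space-separated tokens.

```sh
#!/bin/sh
# Added example (not from the HP-UX Web Server Suite docs): analyse an
# ssl_request_log written as  %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# Fields: $1 $2 = timestamp, $3 = client, $4 = protocol, $5 = cipher.

# Constructed sample lines in that format (not real traffic).
SAMPLE_LOG='[12/Mar/2004:10:15:01 -0700] 10.1.2.3 TLSv1 RC4-SHA "GET /index.html HTTP/1.1" 2326
[12/Mar/2004:10:15:07 -0700] 10.1.2.4 SSLv2 EXP-RC4-MD5 "GET /login HTTP/1.0" 512
[12/Mar/2004:10:15:09 -0700] 10.1.2.5 SSLv3 DES-CBC3-SHA "POST /checkout HTTP/1.1" 1024
[12/Mar/2004:10:15:12 -0700] 10.1.2.6 TLSv1 AES256-SHA "GET /img/logo.gif HTTP/1.1" 4096
[12/Mar/2004:10:15:15 -0700] 10.1.2.6 TLSv1 AES256-SHA "GET /style.css HTTP/1.1" 801'

# weak_lines FILE: print each request negotiated with a protocol or
# cipher that should not be accepted, tagged with the reason(s).
weak_lines() {
    awk '{
        proto = $4; cipher = $5; reason = ""
        if (proto == "SSLv2")         reason = reason "SSLv2,"
        if (cipher ~ /^EXP-/)         reason = reason "export-grade,"
        if (cipher ~ /NULL/)          reason = reason "no-encryption,"
        if (cipher ~ /^A(DH|ECDH)-/)  reason = reason "anonymous,"
        if (cipher ~ /RC4/)           reason = reason "RC4,"
        if (reason != "") print reason "\t" $0
    }' "$1"
}

# weak_count FILE: number of such requests.
weak_count() {
    weak_lines "$1" | wc -l | tr -d ' '
}

# cipher_histogram FILE: "count protocol cipher", most frequent first.
# This is the evidence for whether clients really pick 3DES over RC4.
cipher_histogram() {
    awk '{ n[$4 " " $5]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Demonstration on the constructed sample above.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "Negotiated protocol/cipher:"; cipher_histogram "$f"
    echo "Requests to worry about:";    weak_lines "$f"
    rm -f "$f"
}
demo
```

Point the functions at the real logs/ssl_request_log to see the same two tables for your own clients; a cipher that never appears in the histogram can be removed from SSLCipherSuite without affecting anyone.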