
8/26/15 SSL Directives: IBM HTTP Server

SSL Directives

Keyfile
LogLevel
SSLAcceleratorDisable
SSLCacheDisable
SSLCacheEnable
SSLCacheErrorLog
SSLCachePath
SSLCachePortFilename
SSLCacheTraceLog
SSLCipherBan
SSLCipherRequire
SSLCipherSpec
SSLClientAuth
SSLClientAuthGroup
SSLClientAuthRequire
SSLCRLHostname
SSLCRLPort
SSLCRLUserID
SSLDisable
SSLEnable
SSLFakeBasicAuth
SSLPKCSDriver
SSLServerCert
SSLStashfile
SSLV2Timeout
SSLV3Timeout
SSLVersion
Related Information

Keyfile
Description - Set the keyfile to be used.
Scope - Global base and virtual host
Usage - Keyfile /path to keyfile/keyfile.kdb
Values - Filename of the keyfile

LogLevel
Description - Adjusts the verbosity of the messages recorded in the error logs. When a particular level is specified,
messages from all other levels of higher significance are also reported. For example, when LogLevel info is specified,
messages with log levels of notice and warn are also reported. We recommend specifying level crit, at least.
Multiple instances in the config file - Allowed.
Scope - Server configuration, virtual host
Usage - LogLevel level
Values - The following levels are available, in order of decreasing significance:

Level    Description                         Example
emerg    Emergencies - system is unusable.   "Child cannot open lock file. Exiting"
alert    Action must be taken immediately.   "getpwuid: could not determine user name from uid"
crit     Critical conditions.                "socket: Failed to get a socket, exiting child"
error    Error conditions.                   "Premature end of script headers"
warn     Warning conditions.                 "child process 1234 did not exit, sending another SIGHUP"
notice   Normal but significant condition.   "httpd: caught SIGBUS, attempting to dump core in ..."
info     Informational.                      "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
debug    Debug-level messages.               "Opening config file ..."

www-01.ibm.com/software/webservers/httpservers/doc/v1319/9acdssl.htm

Notes - If nothing is specified, LogLevel error is the default.

SSLAcceleratorDisable
Place this directive anywhere in the configuration file (including inside a virtual host). During initialization, if an
accelerator device is found to be installed on the machine, that accelerator is used to perform secure transactions. Use
SSLAcceleratorDisable if you want to disable the accelerator device.

SSLCacheDisable (Not valid on Windows NT)
Description - Disables the external SSL session ID cache
Multiple instances in the config file - Not allowed
Scope - One per physical Apache server instance (allowed only outside of virtual host stanzas)
Usage - SSLCacheDisable
Values - None
Notes - Valid only on UNIX

SSLCacheEnable (Not valid on Windows NT)
Description - Enables the external SSL session ID cache
Multiple instances in the config file - Not allowed
Scope - One per physical Apache server instance (allowed only outside of virtual host stanzas)
Usage - SSLCacheEnable
Values - None
Notes - Valid only on UNIX

SSLCacheErrorLog (Not valid on Windows NT)
Description - Sets the filename for session ID cache error logging
Scope - One per physical server instance (allowed only outside of virtual host stanzas)
Usage - SSLCacheErrorLog /usr/HTTPServer/log/sidd_log
Values - Valid filename
Notes - Not valid on Windows NT

SSLCachePath (Not valid on Windows NT)
Description - Specifies the path to the session ID caching daemon executable.
Example - SSLCachePath /usr/HTTPServer/bin/sidd
Scope - One per physical IBM HTTP Server
Values - Valid path name.
Notes - Not valid on Windows NT

SSLCachePortFilename (Not valid on Windows NT)
Description - Sets the filename for the UNIX domain socket used for communication between the server instances and the
session ID cache daemon.
Scope - One per physical Apache server instance (allowed only outside of virtual host stanzas).
Values - Valid filename. Note: The Web server deletes this file during startup; do not use an existing filename.
Usage - SSLCachePortFilename /usr/HTTPServer/logs/siddport
Notes
For AIX: the default is /usr/HTTPServer/logs/siddport
For Solaris: the default is /opt/IBMHTTPD/logs/siddport

SSLCacheTraceLog (Not valid on Windows NT)
Description - Specifies the trace log to which session ID trace messages are logged.
Example - SSLCacheTraceLog /usr/HTTPServer/log/sidd-trace.log
Scope - One per physical IBM HTTP Server
Values - Valid path name.
Notes - Not valid on Windows NT

SSLCipherBan
Description - Denies access to an object if the client attempts the specified cipher
Scope - Multiple instances per directory stanza
Usage - SSLCipherBan <cipher specification>
Values - See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications

SSLCipherRequire
Description - Allows for access to objects to be limited to specified ciphers.
Scope - Multiple instances per directory stanza
Usage - SSLCipherRequire <cipher specification>
Values - See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications

SSLCipherSpec
Description - Specifies a cipher specification that can be used in a secure transaction
Multiple instances in the config file - Allowed. Order of preference is top to bottom, first to last. If none of the listed
cipher specs is supported by the client, the connection closes.
Scope - virtual host
Usage - SSLCipherSpec shortname or
SSLCipherSpec longname
Values - See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications
Notes - If nothing is specified, the server uses all cipher specs available from the installed GSK library, which includes
the NULL and export-grade specs in the tables below; list the acceptable specs explicitly.

SSL Version 2 Cipher Specifications

Shortname  Longname                                Description
27         SSL_DES_192_EDE3_CBC_WITH_MD5           Triple-DES (168 bit)
21         SSL_RC4_128_WITH_MD5                    RC4 (128 bit)
23         SSL_RC2_CBC_128_CBC_WITH_MD5            RC2 (128 bit)
26         SSL_DES_64_CBC_WITH_MD5                 DES (56 bit)
22         SSL_RC4_128_EXPORT40_WITH_MD5           RC4 (40 bit)
24         SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5   RC2 (40 bit)

SSL Version 3 and TLS Version 1 Cipher Specifications

Shortname         Longname                               Description
3A                SSL_RSA_WITH_3DES_EDE_CBC_SHA          Triple-DES SHA (168 bit)
33                SSL_RSA_EXPORT_WITH_RC4_40_MD5         RC4 MD5 (40 bit)
34                SSL_RSA_WITH_RC4_128_MD5               RC4 MD5 (128 bit)
39                SSL_RSA_WITH_DES_CBC_SHA               DES SHA (56 bit)
35                SSL_RSA_WITH_RC4_128_SHA               RC4 SHA (128 bit)
36 (See Note 1.)  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5     RC2 MD5 (40 bit)
32                SSL_RSA_WITH_NULL_SHA                  No encryption, SHA MAC only
31                SSL_RSA_WITH_NULL_MD5                  No encryption, MD5 MAC only
30                SSL_NULL_WITH_NULL_NULL                No encryption and no MAC
62                TLS_RSA_EXPORT1024_WITH_RC4_56_SHA     RC4 SHA Export 1024 (56 bit)
64                TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA    DES SHA Export 1024 (56 bit)

Note 1: Cipher spec 36 requires Netscape Navigator 4.07; it does not work on earlier versions of Netscape browsers.

Note 2: Specs 30, 31 and 32 give the session no confidentiality at all, and the 40-bit and 56-bit specs (22, 24, 26, 33, 36,
39, 62, 64) use keys short enough to be recovered by brute force. Unless one of them is deliberately needed for a particular
object, leave these out of SSLCipherSpec or deny them with SSLCipherBan.
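As an added illustration of the three cipher directives (not IBM code), the following Python models the rules stated above: the SSLCipherSpec order of preference, with the connection closing when the client supports none of the listed specs, and SSLCipherBan / SSLCipherRequire applied per object to the cipher the session uses. Two points are assumptions rather than statements from the page: that Ban/Require are evaluated against the cipher the session negotiated, and that the "all specs from the GSK library" default follows the order of the two tables.

```python
"""Model of SSLCipherSpec, SSLCipherBan and SSLCipherRequire behaviour."""

# Shortname -> longname, copied from the page's two cipher tables.
CIPHER_SPECS = {
    "27": "SSL_DES_192_EDE3_CBC_WITH_MD5",
    "21": "SSL_RC4_128_WITH_MD5",
    "23": "SSL_RC2_CBC_128_CBC_WITH_MD5",
    "26": "SSL_DES_64_CBC_WITH_MD5",
    "22": "SSL_RC4_128_EXPORT40_WITH_MD5",
    "24": "SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5",
    "3A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "33": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "34": "SSL_RSA_WITH_RC4_128_MD5",
    "39": "SSL_RSA_WITH_DES_CBC_SHA",
    "35": "SSL_RSA_WITH_RC4_128_SHA",
    "36": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "32": "SSL_RSA_WITH_NULL_SHA",
    "31": "SSL_RSA_WITH_NULL_MD5",
    "30": "SSL_NULL_WITH_NULL_NULL",
    "62": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "64": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
}
LONG_TO_SHORT = {long: short for short, long in CIPHER_SPECS.items()}


def to_short(spec):
    """Normalise a directive argument: the directives accept shortname or longname."""
    s = spec.strip().upper()
    if s in CIPHER_SPECS:
        return s
    if s in LONG_TO_SHORT:
        return LONG_TO_SHORT[s]
    raise ValueError(f"unknown cipher spec {spec!r}")


def negotiate(ssl_cipher_specs, client_offered):
    """SSLCipherSpec rule: server preference is top to bottom, first to last; if the
    client supports none of the listed specs the connection closes (None).
    An empty list stands for 'all specs from the GSK library'; iterating them in
    table order is an assumption, the page does not state an order for that case."""
    preference = [to_short(s) for s in ssl_cipher_specs] or list(CIPHER_SPECS)
    offered = {to_short(c) for c in client_offered}
    for spec in preference:
        if spec in offered:
            return spec
    return None


def directory_allows(negotiated, cipher_ban=(), cipher_require=()):
    """Per-object policy applied to the session's cipher (assumed to be the
    negotiated one): SSLCipherBan denies the object when that cipher is listed,
    SSLCipherRequire limits the object to the listed ciphers. Several directives
    of one kind are simply more entries in the respective list."""
    spec = to_short(negotiated)
    if spec in {to_short(b) for b in cipher_ban}:
        return False
    required = {to_short(r) for r in cipher_require}
    return not required or spec in required


def request_outcome(ssl_cipher_specs, client_offered, cipher_ban=(), cipher_require=()):
    """Both stages for one request: 'closed' (handshake), 'forbidden' or 'served'."""
    spec = negotiate(ssl_cipher_specs, client_offered)
    if spec is None:
        return "closed"
    return "served" if directory_allows(spec, cipher_ban, cipher_require) else "forbidden"


if __name__ == "__main__":
    # Constructed scenario: the server prefers Triple-DES, then RC4-SHA, then RC4-MD5;
    # the object additionally requires Triple-DES.
    server = ["3A", "35", "SSL_RSA_WITH_RC4_128_MD5"]
    print(negotiate(server, ["34", "35"]))                          # 35
    print(request_outcome(server, ["34"], cipher_require=["3A"]))   # forbidden
    print(request_outcome(server, ["30", "31"]))                    # closed
```

The point the model makes visible is that a weak spec left in SSLCipherSpec is still negotiable for every object not covered by an SSLCipherBan or SSLCipherRequire, so the per-directory directives narrow access but do not remove the spec from the handshake.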

SSLClientAuth
Description - Sets the mode of client authentication to be used: none (0), optional (1), or required (2).
Scope - Virtual host
Usage - SSLClientAuth <level required> [crl]
Values
0/None: No client certificate is requested
1/Optional: Client certificate is requested, but not required
2/Required: Valid client certificate is required
crl: Turns CRL checking on inside an SSL virtual host. If you use a certificate revocation list (CRL), specify "crl" as
the second argument of SSLClientAuth, for example: SSLClientAuth 2 crl. If you do not specify "crl", no CRL check is
performed in that virtual host, so a revoked client certificate is still accepted.
Notes -
If nothing is specified, SSLClientAuth none is the default.
If the value 0/None is specified, you cannot use the crl option.

SSLClientAuthGroup
Description - Allows a set of client certificate attribute checks to be named as a group, for use in the
SSLClientAuthRequire directive.
Scope - Virtual host
Usage - SSLClientAuthGroup <group name> <logic string>

Description of valid logical expressions

For example (the group name IBMstaff is illustrative):
SSLClientAuthGroup IBMstaff (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM
defines a group that matches only when the client certificate contains a common name of either Fred Smith or John Deere
and the organization is IBM. For the attribute checks, the only valid comparisons are equal and not equal (= and !=). Each
attribute check can be linked with AND, OR, or NOT (also &&, ||, and !). Parentheses can be used to group comparisons. If
the value of the attribute contains a non-alphanumeric character, the value must be delimited with quotes.
Valid attributes are:
CommonName
Country
Email
Group
IssuerCommonName
IssuerCountry
IssuerEmail
IssuerLocality
IssuerOrg
IssuerOrgUnit
IssuerStateOrProvince
Locality
Org
OrgUnit
StateOrProvince
Also valid are the short names:
CN, C, E, G, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST

SSLClientAuthRequire
Description - Allows extensive validation of client certificate information before serving an object
Scope - Directory
Usage - SSLClientAuthRequire CommonName = Richard
Values - Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses.

Description of valid logical expressions

For example:
SSLClientAuthRequire (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM
means that the object will not be served unless the client certificate contains a common name of either Fred Smith or John Deere
and the organization is IBM. For the attribute checks, the only valid comparisons are equal and not equal (= and !=). Each attribute
check can be linked with AND, OR, or NOT (also &&, ||, and !). Parentheses can be used to group comparisons. If the value of the
attribute contains a non-alphanumeric character, the value must be delimited with quotes.
Valid attributes are:
CommonName
Country
Email
IssuerCommonName
IssuerCountry
IssuerEmail
IssuerLocality
IssuerOrg
IssuerOrgUnit
IssuerStateOrProvince
Locality
Org
OrgUnit
StateOrProvince
Also valid are the short names:
CN, C, E, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST
Note that multiple SSLClientAuthRequire directives are allowed per object; the net effect is that these directives are joined by
"AND".
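The expression language shared by SSLClientAuthGroup and SSLClientAuthRequire, implemented in Python as an added example (not IBM code) so the precedence and quoting rules above can be tried against a constructed certificate: quoted and unquoted values, = and !=, AND/OR/NOT in both spellings, parentheses, the short attribute names, named groups, and the rule that several SSLClientAuthRequire lines on one object are joined by AND. Two assumptions go beyond the page: keywords and attribute names are matched case-insensitively, and a group is referenced as Group = <name> (the page lists Group among the attributes but shows no example of its use).

```python
"""Evaluate SSLClientAuthRequire / SSLClientAuthGroup logic strings against the
attributes of a client certificate."""
import re

# Attribute names from the page: short form -> long form.
SHORT_NAMES = {
    "CN": "CommonName", "C": "Country", "E": "Email", "G": "Group",
    "ICN": "IssuerCommonName", "IC": "IssuerCountry", "IE": "IssuerEmail",
    "IL": "IssuerLocality", "IO": "IssuerOrg", "IOU": "IssuerOrgUnit",
    "IST": "IssuerStateOrProvince", "L": "Locality", "O": "Org",
    "OU": "OrgUnit", "ST": "StateOrProvince",
}
# Either spelling, matched case-insensitively (an assumption; the page is silent on case).
ATTRIBUTES = {**{n.upper(): n for n in SHORT_NAMES.values()}, **SHORT_NAMES}
KEYWORDS = {"AND": "&&", "OR": "||", "NOT": "!"}  # word forms of the operators
_TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(\(|\)|!=|=|&&|\|\||!)|([^\s()=!&|"]+))')

def tokenize(text):
    """-> list of ('VAL'|'OP'|'WORD', str); a quoted value may hold any character."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 10]!r}")
        quoted, op, word = m.groups()
        if quoted is not None:
            tokens.append(("VAL", quoted[1:-1]))
        elif op is not None:
            tokens.append(("OP", op))
        else:
            tokens.append(("OP", KEYWORDS[word.upper()]) if word.upper() in KEYWORDS else ("WORD", word))
        pos = m.end()
    return tokens

def _parse(tokens, groups):
    """Recursive descent over the token list (consumed left to right): precedence
    NOT > AND > OR, parentheses group; every rule returns a predicate over a dict."""
    def peek():
        return tokens[0] if tokens else (None, None)
    def take(expect=None):
        if not tokens or (expect and tokens[0] != expect):
            raise ValueError(f"unexpected {peek()}, wanted {expect or 'more input'}")
        return tokens.pop(0)
    def chain(sub, op, combine):
        node = sub()
        while peek() == ("OP", op):
            take()
            node = combine(node, sub())
        return node
    def expr_or():
        return chain(expr_and, "||", lambda l, r: lambda c: l(c) or r(c))
    def expr_and():
        return chain(expr_not, "&&", lambda l, r: lambda c: l(c) and r(c))
    def expr_not():
        if peek() == ("OP", "!"):
            take()
            inner = expr_not()
            return lambda c: not inner(c)
        if peek() == ("OP", "("):
            take()
            inner = expr_or()
            take(("OP", ")"))
            return inner
        return comparison()
    def comparison():
        # attribute (= | !=) value.  "Group = <name>" tests a defined group; that
        # spelling is an assumption, the page only lists Group among the attributes.
        attr = ATTRIBUTES.get(take()[1].upper())
        op = take()[1]
        kind, value = take()
        if attr is None or op not in ("=", "!=") or kind not in ("WORD", "VAL"):
            raise ValueError(f"malformed comparison before {peek()}")
        if attr == "Group":
            if value not in groups:
                raise ValueError(f"undefined group {value!r}")
            test = groups[value]
        else:
            test = lambda c: c.get(attr) == value
        return test if op == "=" else (lambda c: not test(c))
    node = expr_or()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return node

def compile_expr(text, groups=None):
    """Compile one logic string into a predicate: certificate attribute dict -> bool."""
    return _parse(tokenize(text), groups or {})

def define_group(groups, name, text):
    """SSLClientAuthGroup <name> <logic string>: store the compiled group by name."""
    groups[name] = compile_expr(text, groups)

def object_allows(require_directives, cert, groups=None):
    """Multiple SSLClientAuthRequire directives on one object are joined by AND."""
    return all(compile_expr(d, groups)(cert) for d in require_directives)

# Constructed sample certificate attributes (not from the page).
FRED = {"CommonName": "Fred Smith", "Org": "IBM", "OrgUnit": "Web Servers",
        "Country": "US", "IssuerCommonName": "Example Corporate CA"}
```

Usage: compile_expr('(CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM')(FRED) returns True, and object_allows(["Org = IBM", "Country = CA"], FRED) returns False because the two directives are ANDed. A malformed string (unknown attribute, missing value, dangling operator, undefined group) raises ValueError rather than silently evaluating to a permissive result, which is the failure mode to avoid in an access-control expression.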

SSLCRLHostname
Description - TCP/IP name or address of the LDAP server where the CRL database resides.
Scope - Global server or virtual host
Usage - SSLCRLHostname <TCP/IP name or address>
Values - TCP/IP name or address of the LDAP server
Notes - CRL checking is performed only in virtual hosts whose SSLClientAuth directive includes the crl option.

SSLCRLPort
Description - Port of the LDAP server where the CRL database resides.
Scope - Global server or virtual host
Usage - SSLCRLPort <port number>
Values - Port of the LDAP server; default=389
Notes - 389 is the standard port for LDAP without TLS.

SSLCRLUserID
Description - User ID to send to the LDAP server where the CRL database resides.
Scope - Global server or virtual host
Usage - SSLCRLUserID <userid>
Values - User ID used to bind to the LDAP server
Notes - Defaults to anonymous if no bind user ID is specified. The stash file described under SSLStashfile holds a
separate password for the crl function.

SSLDisable
Description - Disable SSL for this virtual host.
Scope - Global server or virtual host
Usage - SSLDisable
Values - None
Notes - SSL is disabled by default.

SSLEnable
Description - Enable SSL for this virtual host.
Scope - Global server or virtual host
Usage - SSLEnable
Values - None
Notes - SSL is disabled by default.

SSLFakeBasicAuth
Description - Enables the fake basic authentication support. This allows the client certificate distinguished name to become
the user portion of the user/password basic authentication pair. The password is "password".
Scope - Within a directory stanza, used along with the AuthName, AuthType, and require directives.
Usage - SSLFakeBasicAuth
Values - None
Notes - Because the password is fixed and publicly known, the user file that holds the fake basic authentication entries
must not also protect a location that accepts ordinary basic authentication; there a client could supply "password"
directly without presenting a certificate.

SSLPKCSDriver
Description - Identifies the fully qualified path to the module used to access the PKCS11 device.
Scope - Global server or virtual host
Usage - SSLPKCSDriver <path to module used to access PKCS11 device>; if the module is in the user's path, specify just the
name of the module.
Values - The default locations of the modules for each PKCS11 device are:
Ncipher
  AIX: /opt/nfast/xlc_r/lib/libcknfast.so
  HPUX: /opt/nfast/ansic/lib/libcknfast.sl
  SUN: /opt/nfast/swspro/lib/libcknfast.so
  Windows NT: c:\nfast\bin\cknfast.dll
IBM4758
  AIX: /usr/lib/pkcs11/PKCS11_API.so
  Windows NT: c:\pkcs\bin\nt\cryptoki.dll

SSLServerCert
Description - Sets the server certificate to use for this virtual host
Scope - IP-based virtual hosts
Usage - SSLServerCert my_certificate_label; on PKCS11 device - SSLServerCert mytokenlabel:mykeylabel
Values - Certificate label
Notes - Use no delimiters around the certificate label.
Ensure that the label is contained on one line.
Leading and trailing whitespace is ignored.

SSLStashfile
Description - Path and filename of the file containing the stashed password for opening the PKCS11 device.
Scope - Virtual host
Usage - SSLStashfile "c:/usr/HTTPServer/IBM HTTP Server/conf/pkcs11.passwd"
Values - Path with filename
Notes - An sslstash command is located in the bin directory of IHS. This command stores the password for the PKCS11
device. The stash file created with sslstash can hold two different passwords for two different functions: crl and
cryptography.
The syntax for sslstash is: sslstash [-c] <file> <function> <password>, where:
-c = Create a new stash file. If not specified, an existing stash file is updated
File = Fully qualified name of the file to be created or updated
Function = Function for which the password is used. Valid values are crl or crypto
Password = The password to stash
Usage - sslstash -c conf\pkcs11.passwd crypto pkcs11
Because the server must read the stashed password unattended, the stash file is only as secret as its file permissions:
make it readable by the user that starts IHS and by no one else. The password is also given on the sslstash command line,
where it can end up in shell history and be visible to other users while the command runs.

SSLVersion
Description - Rejects access to an object if the client connected with an SSL protocol version other than the one specified.
Scope - One per directory stanza
Usage - SSLVersion ALL
Values - SSLV2|SSLV3|TLSV1|ALL
Notes - ALL accepts connections made with any of the three versions. SSL 2.0 and SSL 3.0 have since been prohibited
(RFC 6176 and RFC 7568); for an object that must not be reachable over them, specify TLSV1.

SSLV2Timeout
Description - Sets the timeout for SSL Version 2 session IDs
Scope - Global base and virtual host
Usage - SSLV2Timeout 60
Values - 0 to 100 seconds
Notes - 40 is the default value

SSLV3Timeout
Description - Sets the timeout for SSL version 3 session IDs
Scope - Global base and virtual host
Usage - SSLV3Timeout 1000
Values - 0 to 86400 seconds
Notes - 120 is the default
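A checker for the scope and value rules stated throughout this page, as an added example (not IBM code). It parses only the container-and-directive subset of httpd.conf syntax, matches directive names as spelled on the page, and runs over a constructed sample configuration whose first virtual host collects the mistakes and whose second is the corrected form. Two checks go beyond what the page states and are flagged as such in the code: NULL and export-grade SSLCipherSpec values and SSLVersion values that admit SSL 2.0 are reported as weak, and a virtual host that asks for crl without an SSLCRLHostname in reach is reported, since the CRL lookup needs an LDAP server.

```python
"""Check IBM HTTP Server SSL directives against the scope and value rules stated
on this page.  Added example, not IBM code: it parses only the container and
directive subset of httpd.conf syntax and matches directive names as spelled here."""
import re

OUTSIDE_VHOST_ONLY = {"SSLCacheEnable", "SSLCacheDisable", "SSLCacheErrorLog",
                      "SSLCachePortFilename", "SSLCachePath", "SSLCacheTraceLog"}
WEAK_SPECS = {"30", "31", "32", "22", "24", "33", "36", "62", "64"}  # NULL and export specs
SSL_VERSIONS = {"SSLV2", "SSLV3", "TLSV1", "ALL"}
TIMEOUTS = {"SSLV2Timeout": (0, 100), "SSLV3Timeout": (0, 86400)}
_OPEN, _CLOSE = re.compile(r"<(\w+)\b[^>]*>$"), re.compile(r"</(\w+)>$")

def parse_conf(text):
    """(line_no, directive, args, vhost_id) per directive; vhost_id is 0 at global
    scope, otherwise a counter identifying the enclosing <VirtualHost>."""
    stack, vhosts, out = [], 0, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parent = stack[-1][1] if stack else 0
        if (m := _CLOSE.match(line)):
            if not stack or stack[-1][0] != m.group(1):
                raise ValueError(f"line {no}: unbalanced </{m.group(1)}>")
            stack.pop()
        elif (m := _OPEN.match(line)):
            if m.group(1) == "VirtualHost":
                vhosts += 1
            stack.append((m.group(1), vhosts if m.group(1) == "VirtualHost" else parent))
        else:
            name, *args = line.split()
            out.append((no, name, args, parent))
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return out

def check_conf(text):
    """Sorted (line_no, message) findings."""
    findings, crl_users, crl_hosts = [], [], set()
    for no, name, args, vh in parse_conf(text):
        arg0 = args[0].upper() if args else ""
        if name in OUTSIDE_VHOST_ONLY and vh:
            findings.append((no, f"{name} is allowed only outside virtual host stanzas"))
        elif name == "SSLClientAuth":
            crl = len(args) > 1 and args[1].lower() == "crl"
            if crl and arg0 in ("0", "NONE"):
                findings.append((no, "SSLClientAuth 0/None cannot take the crl option"))
            if crl:
                crl_users.append((no, vh))
        elif name == "SSLCRLHostname":
            crl_hosts.add(vh)
        elif name == "SSLCipherSpec" and arg0 in WEAK_SPECS:  # beyond the page: weakness check
            findings.append((no, f"SSLCipherSpec {arg0} is a NULL or export-grade cipher"))
        elif name == "SSLVersion":
            if arg0 not in SSL_VERSIONS:
                findings.append((no, f"SSLVersion {arg0!r} is not SSLV2, SSLV3, TLSV1 or ALL"))
            elif arg0 in ("SSLV2", "ALL"):  # beyond the page: SSL 2.0 is prohibited by RFC 6176
                findings.append((no, f"SSLVersion {arg0} admits SSL 2.0"))
        elif name in TIMEOUTS:
            lo, hi = TIMEOUTS[name]
            if not (arg0.isdigit() and lo <= int(arg0) <= hi):
                findings.append((no, f"{name} must be an integer from {lo} to {hi} seconds"))
    for no, vh in crl_users:  # assumption: a CRL lookup needs this vhost's or the global LDAP server
        if vh not in crl_hosts and 0 not in crl_hosts:
            findings.append((no, "crl requested but no SSLCRLHostname applies to this virtual host"))
    return sorted(findings)

# Constructed sample (not from the page): first vhost wrong, second corrected.
SAMPLE_CONF = """\
Keyfile /usr/HTTPServer/ssl/keyfile.kdb
SSLCacheEnable
<VirtualHost 192.0.2.10:443>
    SSLEnable
    SSLClientAuth 0 crl
    SSLCipherSpec 30
    SSLCipherSpec 3A
    SSLV2Timeout 500
    SSLCacheEnable
    <Directory /usr/HTTPServer/htdocs/secure>
        SSLVersion ALL
    </Directory>
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEnable
    SSLClientAuth 2 crl
    SSLCRLHostname ldap.example.com
    SSLCipherSpec 3A
    SSLCipherSpec 35
    SSLV3Timeout 600
    <Directory /usr/HTTPServer/htdocs/secure>
        SSLVersion TLSV1
    </Directory>
</VirtualHost>
"""
```

Running check_conf(SAMPLE_CONF) reports lines 5 (0/None with crl, and crl without any SSLCRLHostname), 6 (NULL cipher), 8 (SSLV2Timeout out of range), 9 (SSLCacheEnable inside a virtual host) and 11 (SSLVersion ALL), and nothing for the second virtual host.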

Related information...
Caching session IDs
Client authentication
Enable client authentication
Enable session ID caching
