C O N T E N T S

Secure Web Server Documentation
SSL User Guide

SSL Setup Information
Introduction to SSL
An SSL Primer
Using mod_ssl Directives
Understanding Certificates
Using the Certificate Tool
Using Certificates
Glossary

Chapter 1:
SSL Setup Information

__Topics_____________________________________

Documentation

SSL files

After installing

Configuration options

Verifying an SSL connection

Disabling SSL

Documentation

This document, the SSL User Guide , contains information for working with the Secure Sockets Layer protocol in Secure Web Server .

The setup information in this chapter is intended to supplement the general Installation and Configuration Guide for CSWS . Release notes that are SSL_specific are contained in the Release Notes for CSWS .

SSL files

Secure Web Server includes two modules for its Secure Sockets Layer (SSL) functionality. These are OpenSSL and mod_ssl .

Mod_ssl integrates OpenSSL with a set of source patches for Apache called the Extended API (EAPI) . Secure Web Server implements OpenSSL using RSA Security's Crypto_C (BSAFE ) library. These components are included and automatically installed in CSWS .

After installing CSWS

After installing Secure Web Server , additional steps are performed automatically for you by running the configuration utility.

$ @SYS$MANAGER:APACHE$CONFIG.COM

This include s creating a self_signed server certificate, good for 30 days, and installing it. CSWS will not run without a server certificate that is valid for your system. You may want to view the contents of this file using the OpenSSL Certificate Tool before starting the server.

Note: Following expiration of your self_signed certificate in 30 days, your SSL_enabled server will not run. If you wish to continue running in SSL mode, you must replace it.

Configuration options

During the configuration procedure, you have the option to enable or disable SSL (see Disabling SSL ) and to add optional command_line arguments to the server.

To enable SSL, choose the default response of "Yes":

Do you want to enable the security features provided by MOD_SSL? If so, the server will support the HTTPS (HTTP over the Secure Socket Layer) protocol.

Enable MOD_SSL? [YES]

The optional command_line arguments enable you to make settings in the main configuration file (HTTPD.CONF) that can be turned on and off for individual systems.

Choose "Yes" in response to the following question if you want to enter new command_line arguments:

You can specify optional command_line arguments for the server below. (For example, specify "_D<name>" to define a name for the <IfDefine> directives or specify "_d<path>" to specify the ServerRoot directory.) Note that the optional arguments are case_sensitive.

There are currently no optional command_line arguments.

Change this value? [NO] Yes

Then enter the command_line argument(s) when prompted, as shown in the following example:

Setting a command_line argument:

New command_line arguments: _DSample

Removing the argument by leaving the optional argument blank (a null string):

Current arguments: "_DSample"

Change this value [NO] Yes

New command_line arguments: [carriage return]

Verifying an SSL Connection

The server now has a self_signed server certificate, meaning that clients can establish secure (encrypted) connections with your server.

Note: For purposes of a production environment, your server certificate should normally be signed by a third_party commercial certificate authority.

To verify that your SSL_aware server is working:

Start your server in the normal way:

$ @SYS$STARTUP:APACHE$STARTUP.COM

Connect to it from a client browser by appending "s" to "http" in the URL:

http s ://<my_server>

In Netscape Navigator you should see the New Site Certificate wizard, and in Internet Explorer you should see the Security Alert dialog. As a client, you can choose between not proceeding or proceeding with or without permanently installing the server certificate as a "trusted root certificate authority."

Disabling SSL

You can disable SSL on CSWS by running the configuration utility. Customizations you have made to your mod_ssl directives and certificates you have generated with the OpenSSL Certificate Tool are preserved.

Run the configuration utility:

$ @SYS$MANAGER:APACHE$CONFIG.COM

Choose "No" in response to the question:

Do you want to enable the security features provided by MOD_SSL?

If so, the server will support the HTTPS (HTTP over the Secure Socket

Layer) protocol.

Enable MOD_SSL? [YES] No

Restart the server (confirming first that the APACHE$WWW processes have stopped):

$ @SYS$STARTUP:APACHE$SHUTDOWN.COM

$ SHOW SYSTEM/PROC=APACHE*

$ @SYS$STARTUP:APACHE$STARTUP.COM

C O N T E N T S
Secure Web Server Documentation SSL User Guide SSL Setup Information Introduction to SSL An SSL Primer Using mod_ssl Directives Understanding Certificates Using the Certificate Tool Using Certificates Glossary		Chapter 1: SSL Setup Information __Topics_____________________________________ Documentation SSL files After installing Configuration options Verifying an SSL connection Disabling SSL Documentation This document, the SSL User Guide , contains information for working with the Secure Sockets Layer protocol in Secure Web Server . The setup information in this chapter is intended to supplement the general Installation and Configuration Guide for CSWS . Release notes that are SSL_specific are contained in the Release Notes for CSWS . SSL files Secure Web Server includes two modules for its Secure Sockets Layer (SSL) functionality. These are OpenSSL and mod_ssl . Mod_ssl integrates OpenSSL with a set of source patches for Apache called the Extended API (EAPI) . Secure Web Server implements OpenSSL using RSA Security's Crypto_C (BSAFE ) library. These components are included and automatically installed in CSWS . After installing CSWS After installing Secure Web Server , additional steps are performed automatically for you by running the configuration utility. `$ @SYS$MANAGER:APACHE$CONFIG.COM` This include s creating a self_signed server certificate, good for 30 days, and installing it. CSWS will not run without a server certificate that is valid for your system. You may want to view the contents of this file using the OpenSSL Certificate Tool before starting the server. Note: Following expiration of your self_signed certificate in 30 days, your SSL_enabled server will not run. If you wish to continue running in SSL mode, you must replace it. Configuration options During the configuration procedure, you have the option to enable or disable SSL (see Disabling SSL ) and to add optional command_line arguments to the server. To enable SSL, choose the default response of "Yes": Do you want to enable the security features provided by MOD_SSL? If so, the server will support the HTTPS (HTTP over the Secure Socket Layer) protocol. Enable MOD_SSL? [YES] The optional command_line arguments enable you to make settings in the main configuration file (HTTPD.CONF) that can be turned on and off for individual systems. Choose "Yes" in response to the following question if you want to enter new command_line arguments: You can specify optional command_line arguments for the server below. (For example, specify "_D<name>" to define a name for the <IfDefine> directives or specify "_d<path>" to specify the ServerRoot directory.) Note that the optional arguments are case_sensitive. There are currently no optional command_line arguments. Change this value? [NO] Yes Then enter the command_line argument(s) when prompted, as shown in the following example: Setting a command_line argument: New command_line arguments: _DSample Removing the argument by leaving the optional argument blank (a null string): Current arguments: "_DSample" Change this value [NO] Yes New command_line arguments: [carriage return] Verifying an SSL Connection The server now has a self_signed server certificate, meaning that clients can establish secure (encrypted) connections with your server. Note: For purposes of a production environment, your server certificate should normally be signed by a third_party commercial certificate authority. To verify that your SSL_aware server is working: Start your server in the normal way: `$ @SYS$STARTUP:APACHE$STARTUP.COM` Connect to it from a client browser by appending "s" to "http" in the URL: `http` `s ://<my_server>` `In Netscape Navigator` you should see the New Site Certificate wizard, and in Internet Explorer you should see the Security Alert dialog. As a client, you can choose between not proceeding or proceeding with or without permanently installing the server certificate as a "trusted root certificate authority." Disabling SSL You can disable SSL on CSWS by running the configuration utility. Customizations you have made to your mod_ssl directives and certificates you have generated with the OpenSSL Certificate Tool are preserved. Run the configuration utility: `$ @SYS$MANAGER:APACHE$CONFIG.COM` Choose "No" in response to the question: Do you want to enable the security features provided by MOD_SSL? If so, the server will support the HTTPS (HTTP over the Secure Socket Layer) protocol. Enable MOD_SSL? [YES] No Restart the server (confirming first that the APACHE$WWW processes have stopped): $ @SYS$STARTUP:APACHE$SHUTDOWN.COM $ SHOW SYSTEM/PROC=APACHE* $ @SYS$STARTUP:APACHE$STARTUP.COM

SSL Setup Information

Documentation

SSL files

After installing CSWS

Configuration options

Verifying an SSL Connection

Disabling SSL