iTP Secure WebServer System Administrators Guide (Version 7.5+)

4 Configuring for Secure Transport
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide security enhancements
for the Web. The security enhancements include encryption to ensure privacy and authentication
(using key certificates) to verify the identity of servers and, optionally, clients.
This section provides an overview of the configuration process, explains how to configure the server
for TLS and SSL, and includes these topics:
“Using the Administration Server Securely” (page 53)
“Overview of Server Configuration” (page 54)
“Managing Certificates” (page 55)
“Managing Client Authentication” (page 72)
“Updating TLS and SSL Configuration” (page 74)
“Controlling Access and Privacy” (page 74)
“Controlling Encryption and Integrity Checking” (page 75)
“Migrating the key database from iTP Secure WebServer 7.0 to 7.2 and later” (page 76)
“Configuring Trusted Client Root Certificate Database” (page 79)
“Configuring Support For Certificates with Non-English Characters” (page 79)
This section explains how to prepare the iTP Secure WebServer to use encryption provided by
TLS, SSL, or both. Use the procedures in this section after installing the iTP Secure WebServer (see
“Installing and Configuring the iTP Secure WebServer” (page 38)) and configuring the PATHMON
environment (see “Configuring the PATHMON Environment” (page 49)).
NOTE: The nonsecure version of the iTP WebServer does not support TLS or SSL.
The iTP Secure WebServer can handle TLS and SSL requests simultaneously with Hypertext Transfer
Protocol (HTTP) and HTTPS (secure HTTP) requests.
If you are unfamiliar with security concepts such as encryption, authentication, public and private
keys, and Certificate Authorities (CAs), see “Security Concepts” (page 269) before proceeding
further in this section.
Using the Administration Server Securely
HP recommends that you access the iTP Secure WebServer Administration Server only over secure
transport connections. In some cases, you must provide the password with which the server's key
database file is encrypted. This password must never be transmitted over an unsecured connection.
To specify that the iTP Secure Administration server must accept requests from secure connections
only, modify the httpd.adm.config file to add a RequireSecureTransport command to
the Region directive for the /admin/* region, as shown in this example:
Region /admin/* {
    RequireSecureTransport
    AllowHost *.company.com
    RequirePassword {WebServer Administration User}\
        -userfile /conf/adm.passwd
    IndexFile index.html
}
For even greater security, choose the -auth option of the RequireSecureTransport directive
to require that a Web client certificate be presented when accessing the administration area.
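The following audit script is an added example, not part of this guide or the iTP Secure WebServer product: it parses Region blocks written in the syntax shown above (including the backslash-continued RequirePassword line) and reports whether each /admin region carries RequireSecureTransport, and whether the -auth option is present. The two configuration fragments are constructed from the guide's example; the host name and file path are the guide's placeholders.

```python
import re

# Constructed httpd.adm.config fragments in the Region syntax the guide shows (not a real deployment).
WEAK_CONFIG = """
Region /admin/* {
    AllowHost *.company.com
    RequirePassword {WebServer Administration User}\\
        -userfile /conf/adm.passwd
    IndexFile index.html
}
"""

HARDENED_CONFIG = WEAK_CONFIG.replace(
    "Region /admin/* {\n", "Region /admin/* {\n    RequireSecureTransport -auth\n")

MISSING = "insecure: no RequireSecureTransport in region"
TLS_ONLY = "secure: TLS/SSL required, no client certificate"
TLS_AND_CERT = "secure: TLS/SSL and client certificate (-auth) required"

def region_blocks(text):
    """Yield (url_pattern, body) for each Region directive, honouring nested {...} groups."""
    for m in re.finditer(r"^\s*Region\s+(\S+)\s*\{", text, re.M):
        depth, pos = 1, m.end()
        while depth and pos < len(text):
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        yield m.group(1), text[m.end():pos - 1]

def directives(body):
    """Return [(name, args)] for a region body, joining backslash-continued lines first."""
    lines = re.sub(r"\\\n\s*", " ", body).splitlines()
    return [(t[0], t[1:]) for t in (line.split() for line in lines) if t]

def audit_admin_regions(config_text):
    """Map each /admin region to its transport status: missing, TLS only, or TLS plus -auth."""
    report = {}
    for pattern, body in region_blocks(config_text):
        if not pattern.startswith("/admin"):
            continue
        rst = [args for name, args in directives(body) if name == "RequireSecureTransport"]
        if not rst:
            report[pattern] = MISSING
        elif any("-auth" in args for args in rst):
            report[pattern] = TLS_AND_CERT
        else:
            report[pattern] = TLS_ONLY
    return report
```

Run the audit against the live httpd.adm.config after any change to the /admin/* region; a MISSING result means the key database password could be sent in the clear.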
Using the Administration Server Securely 53