iTP Secure WebServer System Administrators Guide (Version 7.5+)
Using Server Certificate Chains With the iTP Secure WebServer
The TLS and SSL 3.0 protocols allow the iTP Secure WebServer to send and receive certificate chains.
You can use the certificate chain option to establish a certificate hierarchy that is more than two
certificates deep (for example, leaf, intermediate CA, and root CA).
For more information about certificates and certificate chains, see “Using Certificates” (page 272).
No configuration changes to the iTP Secure WebServer are required for this feature.
To create a server certificate chain, follow these steps:
1. Obtain leaf and intermediate certificates from the appropriate CA.
2. Store the leaf and the CA certificates:
• Store the root certificate, including the lines labeled -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----, in a certificate file (a plain text file).
Add this certificate to the designated key database file using the keyadmin utility.
NOTE: When adding the root certificate to the key database file using the keyadmin utility,
the -root option of keyadmin must be used.
• Store the intermediate certificate, including the lines labeled -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----, in a certificate file (a plain text file).
Add this certificate to the designated key database file using the keyadmin utility.
NOTE: When adding the intermediate certificate to the key database file using the keyadmin
utility, the -root option of keyadmin must be used.
• Store the leaf certificate, including the lines labeled -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----, in a certificate file (a plain text file).
Add this certificate to the designated key database file using the keyadmin utility.
For details about adding certificates using keyadmin, see “Adding a Certificate to the Key
Database File” (page 59).
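The steps above expect each certificate in its own plain-text file with intact PEM markers, and they apply -root to the CA certificates but not to the leaf. CAs usually deliver the chain as one PEM bundle, and markers are easily damaged when copied (stray spaces around BEGIN/END are a common cause of keyadmin rejecting a file). The following script is an added example, not code from the iTP Secure WebServer guide or from HP: it splits a bundle into one file per certificate, normalizes the markers, checks that each body is valid base64 holding a DER SEQUENCE, and prints the keyadmin invocation for each file with -root on the CA certificates only. It assumes the bundle is ordered leaf first, then intermediates, then root; the sample bundle is constructed (its bodies are minimal DER sequences, not real certificates), and the keyadmin spelling `-keyfile KEYFILE -addcert FILE` is an assumption to be confirmed against "Adding a Certificate to the Key Database File".

```python
"""Split a PEM chain bundle into per-certificate files for keyadmin.

Added example; not part of the iTP Secure WebServer guide. Assumptions:
  * the bundle is ordered leaf, intermediate(s), root;
  * keyadmin is invoked as: keyadmin -keyfile KEYFILE -addcert FILE [-root]
    (only the -root flag is confirmed by the guide; check the rest).
"""
import base64
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Tolerant pattern: also matches damaged markers such as
# "----- BEGIN CERTIFICATE -----" so they can be normalized.
_BLOCK = re.compile(
    r"-{5}\s*BEGIN\s+CERTIFICATE\s*-{5}(.*?)-{5}\s*END\s+CERTIFICATE\s*-{5}",
    re.S,
)


def split_pem_bundle(text):
    """Return a list of normalized PEM certificates found in text.

    Raises ValueError on a body that is not valid base64 or does not start
    with a DER SEQUENCE tag (0x30), which is what every X.509 cert starts with.
    """
    certs = []
    for match in _BLOCK.finditer(text):
        body = "".join(match.group(1).split())            # strip all whitespace
        der = base64.b64decode(body, validate=True)       # binascii.Error is a ValueError
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not a DER SEQUENCE")
        wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("\n".join([BEGIN, *wrapped, END]) + "\n")
    if not certs:
        raise ValueError("no certificates found in bundle")
    return certs


def plan_keyadmin(certs, keyfile, outdir):
    """Assign roles (leaf-first order assumed) and build one keyadmin
    command per certificate. Per the guide, root and intermediate
    certificates are added with -root; the leaf is added without it."""
    if len(certs) < 2:
        raise ValueError("a chain needs at least a leaf and a root certificate")
    roles = ["leaf"] + ["intermediate"] * (len(certs) - 2) + ["root"]
    plan = []
    for index, (role, pem) in enumerate(zip(roles, certs)):
        path = Path(outdir) / f"{index}-{role}.pem"
        cmd = ["keyadmin", "-keyfile", keyfile, "-addcert", str(path)]  # assumed syntax
        if role != "leaf":
            cmd.append("-root")
        plan.append({"role": role, "path": path, "pem": pem, "cmd": cmd})
    return plan


def write_chain(plan):
    """Write each certificate to its own plain-text file; return the paths."""
    paths = []
    for entry in plan:
        entry["path"].parent.mkdir(parents=True, exist_ok=True)
        entry["path"].write_text(entry["pem"])
        paths.append(entry["path"])
    return paths


# Constructed sample bundle: bodies are tiny DER SEQUENCEs (30 03 02 01 0x),
# NOT real certificates. The first block deliberately has damaged markers.
SAMPLE_BUNDLE = """\
----- BEGIN CERTIFICATE -----
MAMCAQE=
----- END CERTIFICATE -----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQM=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    chain = split_pem_bundle(SAMPLE_BUNDLE)
    for entry in plan_keyadmin(chain, "KEYFILE", "chain-out"):
        print(entry["role"].ljust(12), " ".join(entry["cmd"]))
```

The leaf-first ordering is the usual delivery order but is not verified here; to confirm it, compare each file's issuer with the next file's subject (for example with `openssl x509 -noout -subject -issuer -in FILE`) before running the keyadmin commands the script prints.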
Managing Client Authentication
With TLS and SSL 3.0, the server always authenticates itself to its clients. However, you can
configure the server to request or require the Web client to authenticate itself to the server.
The AcceptSecureTransport configuration directive accepts two options for specifying how
the server controls client authentication:
-requestauth  The server requests that the Web client present a certificate,
              and the Web client can choose to do so.
-requireauth  The server requires that the Web client present its certificate
              and terminates communication if the Web client declines.
Unless you specify either the -requestauth or -requireauth option, client authentication
does not occur. Specifying one of these options enables you to use the Web client's authentication
information in Region configuration directives to restrict access to the iTP Secure WebServer. Client
authentication can be set by using the RequireSecureTransport -auth command or by accessing
specific Region variables and restricting access based on these variables.
After the iTP Secure WebServer requests and receives the Web client certificate from the Web
client as either an individual certificate or as a certificate chain, it performs these steps for client
authentication: