Configuring and Managing MPE/iX Internet Services (August 2002)
Chapter 9
HP WebWise MPE/iX Secure Web Server
Product Overview and Feature Set
HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and
server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via
X.509 digital certificates. HP WebWise MPE/iX Secure Web Server is version A.03.00 and is composed of:
• Apache 1.3.22
• mod_ssl 2.8.5 SSL security add-ons for Apache
• MM 1.1.3 shared memory library
• OpenSSL 0.9.6b cryptographic/SSL library
• RSA BSAFE Crypto-C 5.2 cryptographic library (for the RC2, RC4, RC5, and RSA algorithms)
HP WebWise MPE/iX Secure Web Server is NOT:
• NOT a substitute for a firewall (explicitly allow acceptable connections, etc.)
• NOT a substitute for good host security practices (change default passwords, keep the OS up-to-date, etc.)
• NOT a substitute for good application security practices (use appropriate file and user security, carefully
validate all input data, etc.)
• NOT a substitute for good human security practices (communicate the importance of protecting sensitive
or proprietary data, no password sharing, etc.)
WebWise is just one component in a secure environment and by itself does nothing to prevent the number one
cause of web server break-in events — poorly written CGI applications. Well-written CGI applications
must rigorously validate every byte of data sent by a browser, and must refuse to process any input data
containing unexpected characters.
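The following sketch shows one way to apply that rule to a CGI query string. It is an added example, not code from the WebWise product or this manual, and the field names `account` and `qty`, their formats, and the length limit are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_QUERY_LEN = 256  # assumed limit for this example
# On the wire: only unreserved bytes, pair separators and well-formed %XX escapes.
WIRE_OK = re.compile(rb"(?:[A-Za-z0-9._~&=+-]|%[0-9A-Fa-f]{2})*")
# Hypothetical form fields, each with the exact bytes and length allowed after decoding.
FIELD_RULES = {
    b"account": re.compile(rb"[A-Z][A-Z0-9]{0,7}"),
    b"qty": re.compile(rb"[0-9]{1,4}"),
}


class RejectedInput(ValueError):
    """Raised for any input the allowlist does not explicitly accept."""


def parse_query(raw: bytes) -> dict:
    """Return {field: value} only if every byte of raw passes the allowlist."""
    if len(raw) > MAX_QUERY_LEN:
        raise RejectedInput("query too long")
    if not WIRE_OK.fullmatch(raw):
        raise RejectedInput("unexpected byte or malformed escape")
    fields = {}
    for pair in raw.split(b"&"):
        name, sep, value = pair.partition(b"=")
        name = unquote_to_bytes(name.replace(b"+", b" "))
        value = unquote_to_bytes(value.replace(b"+", b" "))
        rule = FIELD_RULES.get(name)
        if not sep or rule is None:
            raise RejectedInput("unknown or malformed field")
        if name.decode("ascii") in fields:
            raise RejectedInput("duplicate field")
        # Checked after decoding, so an encoded ';' (%3B) or NUL (%00) cannot slip through.
        if not rule.fullmatch(value):
            raise RejectedInput("unexpected characters in field")
        fields[name.decode("ascii")] = value.decode("ascii")
    if len(fields) != len(FIELD_RULES):
        raise RejectedInput("missing field")
    return fields


def handle(raw: bytes) -> str:
    """Build the CGI response: refuse outright rather than try to clean up bad input."""
    try:
        fields = parse_query(raw)
    except RejectedInput:
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nrequest refused\n"
    return ("Content-Type: text/plain\r\n\r\n"
            f"account={fields['account']} qty={fields['qty']}\n")
```

In a CGI program the raw bytes would come from the QUERY_STRING environment variable, and the string returned by `handle` would be written to standard output.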
New Apache Functionality since 1.3.14
Most of the Apache Software Foundation development work since 1.3.14 consists of portability enhancements
and bug fixes for various problems including security issues. Some minor new functionality has also been
added, as partially listed below:
• A new LogFormat directive of %c to display the connection status when each request is completed.
• mod_auth has been enhanced to allow access to a document to be controlled based on the owner of the file
being served. Require file-owner will only allow files to be served where the authenticated username
matches the user that owns the document. Require file-group works in a similar way, checking that the
group matches.
SSLv2.0, SSLv3.0, and TLSv1.0 Protocols
These protocols lie between the HTTP and TCP/IP protocol layers and provide secure, authenticated,
encrypted communications between the HP WebWise MPE/iX Secure Web Server and browser clients.
X.509 Digital Certificates
Signed by external trusted Certificate Authorities, X.509 certificates provide authentication for both the HP
WebWise MPE/iX Secure Web Server and browser clients.