Configuring and Managing MPE/iX Internet Services (MPE/iX 6.5)

Chapter 10
HP WebWise MPE/iX Secure Web Server
Server Keys and Certificates
This is a fairly large and complicated topic. You are STRONGLY ENCOURAGED to read
about it in detail in the mod_ssl manual (Chapter 2, Introduction, and Chapter 6, FAQ List),
either at http://www.modssl.org/docs/2.4/ or in the copy that comes with your HP
WebWise MPE/iX Secure Web Server
(/APACHE/SECURE/htdocs/manual/mod/mod_ssl/ssl_intro.html and ssl_faq.html),
which is accessible from the default home page.
Secure web servers require a unique private key and a unique server certificate in order to
establish secure encrypted communication sessions. This software includes a default
private key and server certificate so that you can immediately start the server and begin
testing. But because the supplied private key and server certificate are not unique, they
are NOT SECURE AND MUST NOT BE USED FOR PRODUCTION PURPOSES!
You must generate your own private key and either obtain or create your own server
certificate in order to be secure. Keys and certificates contain extremely sensitive data and
must be tightly controlled to prevent unauthorized access.
Log on as MGR.APACHE
Before starting any key or certificate management you should first log on as MGR.APACHE
and make sure that all configuration files and directories are owned by MGR.APACHE:
1. :HELLO MGR.APACHE,SECURE
2. :XEQ SH.HPBIN.SYS -L
3. $ export PATH=/APACHE/SECURE/bin:$PATH
4. $ chown -R MGR.APACHE conf
If you wish to start testing with the default non-secure key and certificate, perform the
following steps, and then skip ahead to “Starting the Web Server”:
1. $ cp conf/ssl.crt/server.crt.sample conf/ssl.crt/server.crt
2. $ cp conf/ssl.key/server.key.sample conf/ssl.key/server.key
Create Your Private Server Key
Your private key is an EXTREMELY sensitive and confidential piece of information.
Anybody who obtains your private key will be able to impersonate you. If you should ever
lose your private key or have it stolen, your only recourse is to create a new private key
and do a better job of protecting it.
Appropriate filesystem security is essential for the file which contains your private key.
MGR.APACHE should be the owner of the key file, and the owner is the only user that should
have any kind of access. MGR.APACHE should also be the owner of the directory in which the
key file resides, and nobody besides the owner should have access to the directory.
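
The default-key warning and the ownership and access rules above can be checked mechanically; the following is an added example, not part of the HP manual or the product. The function name `audit_server_key` is hypothetical, and it assumes the standard `ls`, `cmp` and `cut` utilities are available in the shell.

```sh
# Added example (not from the HP manual). Key paths follow this page; the
# function name and the findings-count return value are this example's own.
# Assumes the POSIX utilities ls, cmp and cut are available in the shell.
#
# Usage: audit_server_key CONF_DIR EXPECTED_OWNER
# Prints one line per finding and returns the number of findings (0 = clean).
audit_server_key() {
    conf=$1 owner=$2 findings=0
    keydir=$conf/ssl.key
    key=$keydir/server.key
    sample=$keydir/server.key.sample

    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 1
    fi

    # The shipped sample key is the same on every installation, so a
    # byte-identical server.key means the default key is still in use.
    if [ -f "$sample" ] && cmp -s "$key" "$sample"; then
        echo "DEFAULT-KEY: $key is identical to $sample"
        findings=$((findings + 1))
    fi

    for path in "$keydir" "$key"; do
        # ls -ld fields: 1 = mode string, 3 = owner.
        set -- $(ls -ld "$path")
        mode=$1 actual=$3
        if [ "$actual" != "$owner" ]; then
            echo "OWNER: $path is owned by $actual, expected $owner"
            findings=$((findings + 1))
        fi
        # Characters 5-10 of the mode string are the group and other bits;
        # the page requires that only the owner has any access.
        case $(printf '%s' "$mode" | cut -c5-10) in
            ------) ;;
            *)  echo "ACCESS: $path grants group/other access ($mode)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Run as a script: sh audit_key.sh conf MGR.APACHE
if [ "$#" -eq 2 ]; then
    audit_server_key "$1" "$2"
fi
```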
For added security, it is recommended that you encrypt your server key with a pass
phrase that is stored separately from the key. If you use a pass phrase, this will need to be