hp e3000 hp webwise mpe/ix secure web server webwise secure web server HPWorld 2000 Tutorial Session Presented by Mark Bixby mark_bixby@hp.
prerequisite knowledge
• General Apache knowledge
• Mostly upward compatible
• POSIX shell basics
• Hierarchical File System basics
September 14, 2000

webwise product overview
• NOT bundled with FOS
• Customers must purchase product AND support
• Customers on support will receive updates
• Push vs.

webwise cpl details
• B9074AA - HP WebWise MPE/iX Secure Web Server
• B9074AAE - electronic download from Software Depot (future)
• Option 310/330/340 - Tier I/II/III
• Option AAF/AAH - CDROM/DDS media

webwise is built from…
• Apache
• Mod_ssl SSL/TLS encryption module
• MM shared memory library
• OpenSSL general purpose SSL/TLS and crypto toolkit
• RSA BSAFE Crypto-C crypto toolkit
  • RC2, RC4, and RSA algorithms

webwise vs. apache
• WebWise is built from Apache 1.3.9 vs. Apache 1.3.4 in 6.0 & 6.5 FOS
• Includes many ASF fixes & enhancements since 1.3.

new modules in webwise not in apache 1.3.

new modules in webwise not in apache 1.3.4 (cont.)
• mod_so
  • Benefits: customers can build add-on DSO modules to extend the product’s functionality (mod_php, etc)
• mod_ssl
  • Benefits: authentication and encrypted communications for e-commerce
• mod_vhost_alias
  • Benefits: easier to manage large numbers of virtual servers (smaller httpd.

mod_digest
• Implements an MD5 digest-based user authentication scheme that can be used instead of insecure Basic Authentication
• Described in RFC2617
• Not currently supported by either MSIE5 or Netscape Communicator 4.

mod_proxy
• Implements a proxy/cache for ftp and http protocols
• Proxying is better suited for firewalls

mod_rewrite
``The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail.''
-- Brian Behlendorf
   Apache Group
``Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.''
-- Brian Moore
   bem@news.cmc.

mod_rewrite (cont.)
• For further information:
  • ASF documentation: http://www.apache.org/docs/mod/mod_rewrite.html
  • URL Rewriting Guide: http://www.engelschall.

mod_vhost_alias
• Special directives for configuring DocumentRoot and ScriptAlias directories
• Directory names contain variables that are expanded to include the virtual host name/addr
• Useful for managing content of multiple virtual servers in separate directory trees

mod_so
• Supports Dynamic Shared Objects (DSO)
• Apache modules loaded from external NMXLs
• Allows customers to add-on extra functionality like mod_perl, mod_php, mod_jserv, etc.
• Requires patch MPELX44A for 6.0 and MPELX44B for 6.

mod_ssl is...
• The heart of WebWise
  • encrypted TCP connections
  • client and server X.509 authentication
• Consists of:
  • Patches to extend the Apache API (EAPI)
  • the mod_ssl module
  • bin/sign.

mod_ssl is NOT…
• a substitute for a firewall
• a substitute for good host security practices
• a substitute for good application security practices
• a substitute for good human security practices

definitions: secure sockets layer (ssl)
• A protocol layer between any application stream protocol (such as HTTP) and TCP that allows secure communications via encryption, digests, signatures, and authentication
• SSLv2.0 - vendor standard from Netscape
• SSLv3.

definitions: transport layer security (tls)
• An evolution of SSLv3.0
• Defined in RFC2246
• Supported by MSIE5
• NOT supported by Netscape 4.

definitions: key
• A really big random number (1024 bits)
  • 40 bits? 56 bits? 128 bits? 1024 bits? SAY WHAT???
• Split into two mathematically related components:
  • private key
  • public key
• A key establishes your identity -- protect it! (chmod 400 and pass phrase)
• Both servers and clients have keys
• RSA keys/algorithm defined by RFC 2437

definitions: private key
• Uniquely identifies you
• Protect it with your life!
• You use it to:
  • create digital signatures
  • create digital certificates
  • decrypt data sent to you that was encrypted with your public key

definitions: public key
• Allows the public to send you encrypted data which only you can decrypt with your private key
• Your public key is also included in your certificate

definitions: message digest
• Short, fixed-length representation of longer, variable-length messages (hash)
• Can’t determine original msg from digest
• No two messages have the same digest
• Digest algorithms:
  • MD5 (128-bit hash)
  • SHA1 (160-bit hash)

definitions: digital signature
• Message digest (plus sequence number) encrypted with sender’s private key
• Alter the message and the digest won’t match
• Alter the digest and the public key decryption won’t work

definitions: certificate
• Validates your identity to others
• Format defined by X.

definitions: certificate authority (ca)
• A trusted agency that issues certificates
• Validates the identity of a person requesting a certificate
• The CA signs the certificate request with their own CA certificate, thus creating a certificate for the requestor
• CA certificate may be self-signed (root-level), or signed by a higher CA
• You can be your own CA!

msie5 ca window

netscape 4.

definitions: certificate signing request (csr)
• What you send to a CA in order to request a certificate
• Contains:
  • your identity (name, company, locality, etc)
  • your public key
• The CA signs your CSR with the CA certificate, resulting in your certificate

definitions: certificate chain
• Every certificate is signed by a CA
• CA certificates are signed by other CAs
• A chain of valid CA signatures (assumes trust is inherited)

definitions: certificate revocation list (crl)
• A list of certificates that a CA has revoked (i.e.

sslengine (required)
• Specifies whether SSL/TLS is enabled; typically used inside
  • on: SSL/TLS is enabled
  • off: SSL/TLS is disabled

sslmutex (required)
• Specifies the method of synchronization used between WebWise children
  • none - use at your own risk!
  • File:/path/to/mutex - uses fcntl() locking on the specified filename with the parent PID appended for uniqueness
  • sem - not implemented for MPE!

sslrandomseed (required)
• SSLRandomSeed context source [bytes]
• Seeds the Pseudo Random Number Generator (PRNG)
• Context is either “startup” or “connect”
• Sources:
  • builtin - current time, process id, and 1KB of random scoreboard data
  • file:/path/to/source - reads from a file
  • exec:/path/to/program - reads from program stdout

sslsessioncache (recommended)
• Specifies the SSL session cache method used to avoid repeated (slow) SSL handshaking
  • none - no cache; terrible performance
  • dbm:/path/to/datafile - disk file cache
  • shm:/path/to/datafile(size) - shared memory cache (file not created on MPE); best performance!

sslsessioncachetimeout (optional)
• Specifies the session cache timeout in seconds
• Default is 300

sslprotocol (optional)
• Specifies accepted SSL protocols
• + or - syntax like Options
• Default is all
  • SSLv2
  • SSLv3
  • TLSv1
  • All
• SSLProtocol All -SSLv2

sslciphersuite (optional)
• Specifies the ordered list of ciphers to be negotiated during the SSL handshake
• Default: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  • 128-bit RC4 will be chosen first
• /APACHE/SECURE/bin/openssl ciphers -v will list all available ciphers

sslcertificatekeyfile (required)
• Specifies the server key file
• /APACHE/SECURE/conf/ssl.key/server.

sslpassphrasedialog (recommended)
• How to obtain the pass phrase for encrypted private keys
  • builtin - read the pass phrase from $STDIN after !RUN HTTPDS
  • exec:/path/to/program - program prints pass phrase to $STDLIST; two parms:
    • servername:portname
    • RSA or DSA
• Protect the pass phrase!
  • Whoever knows the pass phrase can get your key!

sslcertificatefile (required)
• Specifies the web server certificate file
• /APACHE/SECURE/conf/ssl.crt/server.

sslcertificatechainfile (optional)
• Specifies the all-in-one file containing the concatenated CA certificates of all CA signers between the server certificate and the CA root
• Makes it easier for browsers to validate your server certificate

sslcacertificatefile (optional)
• Specifies the all-in-one file containing the concatenated CA certificates that might have been used to sign the certificates of your clients
• This directive and/or SSLCACertificatePath is required for client authentication

sslcacertificatepath (optional)
• Specifies the directory containing all of the individual CA certificates that might have been used to sign the certificates of your clients
• Hash symlinks must be present in this directory
• /APACHE/SECURE/conf/ssl.

sslcarevocationfile (optional)
• Specifies the all-in-one file containing the concatenated CRLs of all of the CAs that might have signed the certificates of your clients
• This directive or SSLCARevocationPath is recommended for client authentication

sslcarevocationpath (optional)
• Specifies the directory containing all of the individual CRLs of all of the CAs that might have signed the certificates of your clients
• Hash symlinks must be present in this directory
• /APACHE/SECURE/conf/ssl.

sslverifyclient (optional)
• Specifies the type of client certificate authentication desired
  • none: no client certificate is required
  • optional: the client may present a valid certificate
  • require: the client must present a valid certificate
  • optional_no_ca: the client may present a certificate, but it doesn’t have to be valid
• “optional” doesn’t work with all browsers, and “optional_no_ca” is really for testing

sslverifydepth (optional)
• Specifies the maximum number of CA certificates to be used when validating the client certificate
  • 0 means that self-signed client certificates are accepted only
  • 1 (default) means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server, etc, etc

ssllog (required)
• Specifies the mod_ssl log file
• Serious errors are duplicated to the ErrorLog
• |/path/to/program or /path/to/file

sslloglevel (optional)
• Specifies the logfile verbosity fence
  • none - no dedicated logging, but “error” messages still written to ErrorLog
  • error - fatal messages
  • warn - non-fatal messages
  • info - major processing steps
  • trace - minor processing steps
  • debug - very VERY verbose!

sslrequiressl (optional)
• Forbids access unless SSL is being used for this connection
• Useful for protecting against exposing sensitive data over non-SSL connections

sslrequire (optional)
• Allow access only if an arbitrarily complex boolean expression is true
• SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20) or %{REMOTE_ADDR} =~ m/^192\.76\.162\.

ssloptions (optional)
• Specifies various SSL-related runtime options
• Similar to Options directive
• StdEnvVars - creates SSL-related environment variables for CGI/SSI applications; expensive!
• CompatEnvVars - creates extra environment variables for compatibility with other Apache-based SSL servers

ssloptions (cont.)
• ExportCertData - creates environment variables containing applicable X.

ssloptions (cont.)
• OptRenegotiate - by default, every per-directory SSL parameter reconfiguration causes a full SSL renegotiation handshake (slow!). This option tries to be more granular, but may cause unexpected results.

custom log formats
• Extra format function for use by the mod_log_custom module
• %{varname}x - inserts the value of the varname env variable into the message
• CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

installation prerequisite patches
• 6.0
  • MPEKXT3B/MPEKX86I/MPEKXU3F (EINTR)
    – sporadic “access forbidden” errors
  • MPELX51A (SM&AM enhanced kill)
    – WebWise restart/shutdown unable to kill children
  • MPELX44A (HPGETPROCPLABEL for data items)
    – DSOs cannot be loaded
• 6.

obtain the installation files
• via DDS - :RESTORE @.@.@ (restores /tmp/webwise-VUUFF.tar.Z)
• via CDROM from desktop - ftp upload L:\WEBWISE.TZ as /tmp/webwise-VUUFF.tar.Z
• via Software Depot from desktop - ftp upload the electronic download file as /tmp/webwise-VUUFF.tar.

ftp in bytestream mode!!!
• Also known as “tenex” or “local 8”
• Binary mode is NOT the same thing!
• Set bytestream mode in command-line clients via Quote Type L 8

unpack and :stream JINSTALL
• :HELLO MANAGER.SYS
• :XEQ SH.HPBIN.SYS -L
• $ tar xvfopz /tmp/webwise-VUUFF.tar.

accounting structure
• Same as Apache (all have PM capability):
  • APACHE account
  • PUB group
  • MGR user
• New for WebWise:
  • SECURE group (PM capability)
  • SECURE user

directory & file structure
• Same as Apache for MPE/iX, but under /APACHE/SECURE instead of /APACHE/PUB
• All files owned & managed by MGR.

new files and directories
• HTTPDS - server daemon NMPRG
• JHTTPDS - server daemon job
• bin/apxs - Perl script for building DSOs
  • Perl not included or supported
• bin/openssl - general crypto utility
  • supported for key/cert management only
  • add /APACHE/SECURE/bin to PATH
• bin/sign.

new files and directories (cont.)
• conf/ssl.crl/ - CRL directory
• conf/ssl.crt/ - certificate directory
  • protect directory with chmod 700
  • server.crt - server certificate (chmod 400)
  • Sensitive data! Protect it!
• conf/ssl.csr/ - CSR directory
• conf/ssl.key/ - key directory
  • protect directory with chmod 700
  • server.

new files and directories (cont.)
• include/ - C header files for DSOs
• libexec/ - DSO NMXLs (mod_example.so)
• logs/ssl_engine_log - the SSL error_log
• logs/ssl_request_log - the SSL access_log
  • includes protocol and cipher used
• logs/ssl_mutex.

version information
• HTTPDS -v (same as Apache)
    Server version: Apache/1.3.9 (HP MPE/iX WebWise A.00.02)
    Server built: Apr 10 2000 13:44:59
• bin/openssl version
    OpenSSL 0.9.4 09 Aug 1999 [HP MPE/iX WebWise A.00.

server configuration
• Copy sample files to normal names
• /APACHE/SECURE/JHTTPDS.sample
• conf/access.conf.sample, httpd.conf.sample, magic.sample, mime.types.sample, srm.conf.sample
• Edit httpd.conf to specify real hostname instead of “www.zaicorp.com”
• conf/ssl.crt/server.crt.sample (test only)
• conf/ssl.key/server.key.

browser configuration
• MSIE5 allows you to enable/disable SSLv2.0, SSLv3.0, and TLSv1.0; no cipher choice
• Netscape 4.72 allows you to enable/disable SSLv2.0, SSLv3.

browser configuration - msie5

browser configuration - netscape

runtime differences compared to apache
• umask 007 specified in JHTTPDS
  • better default security (no world read/write)
  • existing Apache CGIs may be expecting umask 000
• different parent/child userids (MPELX51)
  • JHTTPDS parent runs under MGR.APACHE
    – Specified on !JOB statement
  • spawned children run under SECURE.APACHE
    – Specified by User directive in httpd.conf
    – Helps prevent CGIs from being malicious
  • Apache for MPE/iX runs everything under WWW.

creating the server key
• conf/ssl.key/server.key.

creating the server key (cont.)
• $ cd conf/ssl.key
• $ openssl genrsa -rand /SYS/PUB/HPSWINFO -des3 -out server.key 1024
    unable to load 'random state’
    28199 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ................+++++
    .................

creating the server key (cont.)
• $ openssl rsa -noout -text -in server.key
  • displays details about the newly created key
• $ chmod 400 server.

server key pass phrase
• SSLPassPhraseDialog builtin
• HTTPDS reads pass phrase from stdin (i.e.

creating the server csr
• Identifies the company and the server
• Visible to browser users, so choose carefully

creating the server csr (cont.)
• $ cd conf/ssl.csr
• $ openssl req -new -key ../ssl.key/server.key -out server.csr
    Country Name (2 letter code) [AU]:US
    State or Prov Name (full name) []:My State
    Locality Name (eg, city) []:My City
    Organization Name (eg, company) []:My Company
    Organizational Unit Name []:My Org
    Common Name []:www.mycompany.com
    Email Address []:webmaster@www.mycompany.

creating the server csr (cont.)
• $ openssl req -noout -text -in server.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org, CN=www.mycompany.com/Email=webmaster@www.mycompany.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
• $ chmod 400 server.

get signed by a trusted ca...
• Browsers configured with trusted CAs
  • www.verisign.com
  • www.equifax.com
  • many others
  • can add additional trusted CAs
• Paste your CSR into a CA web form
• Receive certificate by e-mail, save as conf/ssl.crt/server.

...or become your own ca
• $ cd conf/ssl.key
• $ openssl genrsa -des3 -out ca.key 1024
• $ chmod 400 ca.

...or become your own ca (cont.)
• $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    Country Name (2 letter code) [AU]:US
    State or Province Name [Some-State]:My State
    Locality Name (eg, city) []:My City
    Organization Name (eg, company) []:My Company
    Organizational Unit Name []:My Company CA
    Common Name []:Certificate Authority
    Email Address []:ca@mycompany.

...or become your own ca (cont.)
• $ openssl x509 -noout -text -in ca.crt
    Certificate:
        Data:
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
            Validity
                Not Before: Apr 7 23:19:40 2000 GMT
                Not After : Apr 7 23:19:40 2001 GMT
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
• $ chmod 400 ca.

...or become your own ca (cont.)
$ sign.sh ../ssl.csr/server.csr
    CA signing: ../ssl.csr/server.csr -> ../ssl.csr/server.crt:
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'My State'
    localityName          :PRINTABLE:'My City'
    organizationName      :PRINTABLE:'My Company'
    organizationalUnitName:PRINTABLE:'My Org'
    commonName            :PRINTABLE:'www.mycompany.com'
    emailAddress          :IA5STRING:'webmaster@www.mycompany.

...or become your own ca (cont.)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: ../ssl.csr/server.crt <-> CA cert
    ../ssl.csr/server.

...or become your own ca (cont.)
• $ rm -fR ca.db.*
  • remove temporary files from conf/ssl.key
• $ cd ..
• $ mv ssl.csr/server.crt ssl.crt/server.crt
  • move newly created server certificate into the correct location
• $ mv ssl.key/ca.crt ssl.crt/ca.

installing the server certificate
• $ openssl x509 -noout -text -in ssl.crt/server.crt
    Certificate:
        Data:
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
            Validity
                Not Before: Apr 7 23:54:01 2000 GMT
                Not After : Apr 7 23:54:01 2001 GMT
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org, CN=www.mycompany.com/Email=webmaster@www.mycompany.

installing the server certificate (cont.)
• Rebuild the symlink hash
• $ cd conf/ssl.crt
• $ make
    ca-bundle.crt ... Skipped
    ca.crt ... dc91dd8e.0
    server.crt ... 2f66b362.0
    snakeoil-ca-dsa.crt ... 0cf14d7d.0
    snakeoil-ca-rsa.crt ... e52d41d0.0
    snakeoil-dsa.crt ... 5d8360e1.0
    snakeoil-rsa.crt ... 82ab5372.0
    zzyzx-ca-rsa.crt ... f28a2a0f.0
• $ chmod 400 server.

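
The own-CA steps above, run unattended and followed by the two checks that confirm the result: the server key matches the certificate, and the certificate chains to the CA. This is an added example, not part of the original slides or the WebWise product. It assumes 2048-bit keys without a pass phrase in a scratch directory, -subj in place of the interactive prompts, and openssl x509 -req in place of the product's sign.sh; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides). Assumptions: scratch directory,
# 2048-bit keys with no pass phrase so the run is unattended, -subj instead
# of prompts, and "openssl x509 -req" standing in for sign.sh.

# make_ca DIR: CA key plus self-signed CA certificate (genrsa, req -new -x509).
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    chmod 400 "$dir/ca.key" &&
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=US/ST=My State/L=My City/O=My Company/OU=My Company CA/CN=Certificate Authority"
}

# make_server DIR CN: server key, CSR, and a certificate signed by DIR/ca.key.
make_server() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    chmod 400 "$dir/server.key" &&
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=My State/L=My City/O=My Company/OU=My Org/CN=$cn" &&
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: true when the private key and the certificate
# carry the same RSA modulus, i.e. the certificate was issued for this key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok CAFILE CRT: true when CRT verifies against the CA certificate(s)
# in CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh own_ca.sh /path/to/scratch-dir [common-name]
if [ -n "${1:-}" ]; then
    make_ca "$1" &&
    make_server "$1" "${2:-www.mycompany.com}" &&
    key_matches_cert "$1/server.key" "$1/server.crt" &&
    chain_ok "$1/ca.crt" "$1/server.crt" &&
    echo "server.key matches server.crt; server.crt verifies against ca.crt"
fi
```
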
starting the web server
• :STREAM JHTTPDS.SECURE.

using the web server
• conf/httpd.conf.sample uses ports 8080 and 8443
  • http://your3000.host.name:8080
  • https://your3000.host.name:8443
• Standard ports are 80 and 443
  • http://your3000.host.name
  • https://your3000.host.

restarting the web server
• Why? To reread config files.
• Log on as SM user (MPELX51 on 6.0) or MGR.APACHE
• Normal restart
  • $ kill -HUP `cat /APACHE/SECURE/logs/httpd.pid`
• Graceful restart
  • $ kill -USR1 `cat /APACHE/SECURE/logs/httpd.

stopping the web server
• Log on as SM user (MPELX51 on 6.0) or MGR.APACHE
• $ kill `cat /APACHE/SECURE/logs/httpd.pid`
• Only use :ABORTJOB as a last resort!
  • Will leak SVIPC semaphores
  • Use IPCS.HPBIN.SYS to display
  • Use IPCRM.HPBIN.

performance
• First 5 minutes in tight CPU loop
• Brief CPU burst for new SSL sessions
• Bytestream instead of MPE for content
• Content-length: header problem
• Symptom: browser hangs at end of content
• Make sure RESLVCNF.NET.

security tips
• WebWise only protects the TCP/IP connection between browser and server!
• Protect the key and certificate files!
• Protect the key pass phrase!

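
One way to check the "protect the key and certificate files" advice against the chmod 700 / chmod 400 settings given on the "new files and directories" slide. This is an added example, not part of the original presentation or the WebWise product; the function names and the *.key / *.crt file patterns are assumptions, and modes are read from ls -ld output.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WebWise-style conf/ tree
# against the slide guidance: ssl.key and ssl.crt directories chmod 700,
# key and certificate files chmod 400.
# Function names and the *.key / *.crt patterns are assumptions.

# mode_of PATH: print the nine permission characters shown by ls,
# e.g. "r--------" for chmod 400.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# audit_one PATH WANT: print one finding line for PATH.
# Returns 0 when the mode equals WANT, 1 when PATH is missing or differs.
audit_one() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have=$(mode_of "$path")
    if [ "$have" != "$want" ]; then
        echo "WEAK $path mode=$have expected=$want"
        return 1
    fi
    echo "OK $path"
    return 0
}

# audit_conf CONFDIR: check both directories and every key/certificate file.
# The return status is the number of findings (0 = clean).
audit_conf() {
    conf=$1
    findings=0
    for d in ssl.key ssl.crt; do
        audit_one "$conf/$d" "rwx------" || findings=$((findings + 1))
    done
    for f in "$conf"/ssl.key/*.key "$conf"/ssl.crt/*.crt; do
        [ -e "$f" ] || continue      # pattern matched nothing
        audit_one "$f" "r--------" || findings=$((findings + 1))
    done
    return "$findings"
}

# Stand-alone use: sh audit_conf.sh /APACHE/SECURE/conf
if [ -n "${1:-}" ]; then
    audit_conf "$1"
fi
```
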
security tips (cont.)
• Most security problems BY FAR are the result of sloppy CGI programming
• Explicitly validate every byte of data sent by browser
• A CGI hole can give the whole world the same access as a :HELLO SECURE.

troubleshooting server problems
• All Apache troubleshooting methods apply
• Check the log files first!
• If JHTTPDS terminates at startup, investigate Pass Phrase
• Is SSLEngine On?
• Does SSLProtocol match the browser?
• Does SSLCipherSuite match the browser?

troubleshooting server problems (cont.)
• echo “HEAD / HTTP/1.

troubleshooting server problems (cont.)
• Are the configuration file permissions correct?
  • Parent process running as the JHTTPDS !JOB user (MGR.APACHE) must be able to read everything
  • Child processes running as the conf/httpd.conf User user (SECURE.APACHE) must be able to read CA & CRL files if doing X.

troubleshooting server problems (cont.)
• If getting inappropriate “forbidden access” errors on 6.

troubleshooting server problems (cont.)
• Check the mod_ssl bug database
  • http://www.modssl.org/support/bugdb/
• No OpenSSL bug database :-(
  • Search the mailing list archives at http://www.openssl.org/support/
• Check the Apache bug database
  • http://bugs.apache.

troubleshooting browser problems
• No response to browser
  • Check httpd.conf or SOCKINFO to verify the ports being listened to
• “The page cannot be displayed” (MSIE)
  • Speaking https to the http server port
  • Speaking the wrong security protocol (i.e. SSLv2 when the server requires SSLv3)
• “A network error occurred while Netscape was receiving data”
  • Speaking https to the http server port
  • Speaking the wrong security protocol (i.e.

further documentation
• Complete product documentation
  • http://your.host.name/
• Mod_ssl documentation
  • http://www.modssl.org/docs/2.4/
• OpenSSL documentation
  • http://www.openssl.org/docs/apps/openssl.html
• Apache documentation
  • http://www.apache.

join the hp3000-l community
• Available as a mailing list and as the Usenet newsgroup comp.sys.hp.mpe
• In-depth discussions of all things HP e3000
• Talk with other WebWise & Apache users
  • seek advice, exchange tips & techniques
• Keep up with the latest HP e3000 news
• Interact with CSY
• http://jazz.external.hp.com/papers/hp3000-info.