iX 6.5)

ManualsBrandsHP ManualsSoftwareMPE/iX 6.0 Operating System

161

162

163

164

165

166

167

168

169

170

170 Chapter10

HP WebWise MPE/iX Secure Web Server

Server Keys and Certiﬁcates

This is a fairly large and complicated topic. You are STRONGLY ENCOURAGED to read

about it in detail in the Mod_ssl manual, Chapter 2 Introduction and Chapter 6 FAQ List

either at http://www.modssl.org/docs/2.4/ or the copy that comes with your HP

WebWise MPE/iX Secure Web Server

(/APACHE/SECURE/htdocs/manual/mod/mod_ssl/ssl_intro.html and ssl_faq.html)

and is accessible from the default home page.

Secure web servers require a unique private key and a unique server certiﬁcate in order to

establish secure encrypted communication sessions. This software includes a default

private key and server certiﬁcate so that you can immediately start the server and begin

testing. But because the supplied private key and server certiﬁcate are not unique, they

are NOT SECURE AND MUST NOT BE USED FOR PRODUCTION PURPOSES!

You must generate your own private key and either obtain or create your own server

certiﬁcate in order to be secure. Keys and certiﬁcates contain extremely sensitive data and

must be tightly controlled to prevent unauthorized access.

Log on as MGR.APACHE

Before starting any key or certiﬁcate management you should ﬁrst log on as MGR.APACHE

and make sure that all conﬁguration ﬁles and directories are owned by MGR.APACHE:

1. :HELLO MGR.APACHE,SECURE

2. :XEQ SH.HPBIN.SYS -L

3. $ export PATH=/APACHE/SECURE/bin:$PATH

4. $ chown -R MGR.APACHE conf

If you wish to start testing with the default non-secure key and certiﬁcate, perform the

following steps below, and then skip ahead to “Starting the Web Server”:

1. $ cp conf/ssl.crt/server.crt.sample conf/ssl.crt/server.crt

2. $ cp conf/ssl.key/server.key.sample conf/ssl.key/server.key

Create Your Private Server Key

Your private key is an EXTREMELY sensitive and conﬁdential piece of information.

Anybody who obtains your private key will be able to impersonate you. If you should ever

lose your private key or have it stolen, your only recourse is to create a new private key

and do a better job of protecting it.

Appropriate ﬁlesystem security is essential for the ﬁle which contains your private key.

MGR.APACHE should be the owner of the key ﬁle, and the owner is the only user that should

have any kind of access. MGR.APACHE should also be the owner of the directory in which the

key ﬁle resides, and nobody besides the owner should have access to the directory.

For extra added security, it is recommended that you encrypt your server key with a pass

phrase that is stored separately from the key. If you use a pass phrase, this will need to be