iTP Secure WebServer System Administrators Guide (Version 7.5+)
INVALID_CERTIFICATE    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but the certificate cannot be trusted.
VALID                  The server requested and received a client certificate or client certificate chain, and all previous checks have passed.
NOTE: If the iTP Secure WebServer finds one or more errors when validating a certificate, it reports the first error only.
Updating TLS and SSL Configuration
After you have generated the public/private key pair, installed the certificate, and changed the key database file password, you must update the configuration file httpd.stl.config with this new information and the DN you used when running the keyadmin utility. This file is located in the /usr/tandem/webserver/conf directory.
The contents of httpd.stl.config are shown in “Sample Secure Transport httpd.stl.config File” (page 74). Brief descriptions of the directives follow the example. For a complete description of the directives, see “Configuration Directives” (page 198).
Table 5 Sample Secure Transport httpd.stl.config File
# httpd.stl.config
# Configure the required Secure Transport information
#
KeyDatabase $root/conf/test_key.db
ServerPassword WebServer
AcceptSecureTransport -transport /G/ZTC0 -port 4571 -address 172.31.24.12 -cert {CN=Secure Transport Bootstrap Certificate, OU=Testing Only - Do Not Trust for Secure Transactions, OU=No Assurance - Self-Signed, OU=Generated Mon Dec 22 09:1421 UTC+ 2003, O=HP-NED}
The KeyDatabase directive specifies the file to be used for storing keys and public-key certificates.
The ServerPassword directive specifies the password used to encrypt the key database file.
This password must agree with the one you specified when running the keyadmin utility. For
details, see “Changing the Key Database File Password” (page 62).
The AcceptSecureTransport directive specifies the TCP/IP process, DN, and port to use for
TLS and SSL connections.
NOTE: The standard port for TLS and SSL is 443. If you use this port, the server must be started
using the super ID, as described in “Installing the iTP Secure WebServer” (page 34).
The DN you enter must match the one specified in the keyadmin command when the certificate
request was generated.
The Region directive enables you to control how clients access your secure server and its contents. (These commands are entered between the curly braces.) The directive in the example restricts access to /ssl-sample-dir to clients that use a TLS or an SSL connection.
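The following is an added example, not part of this guide or of the iTP Secure WebServer product: a small Python checker that reads a configuration laid out like the sample above, joins the brace-continued AcceptSecureTransport directive, and verifies that its -cert DN matches the DN given to keyadmin (ignoring line wrapping and attribute case) and whether the configured port is 443, which requires the server to be started under the super ID. The configuration text and the expected DN are constructed for the example; the hypothetical parsing is a simplification of the real configuration syntax.

```python
import re

# Constructed sample laid out like this page's httpd.stl.config (not a real deployment's file).
SAMPLE_CONFIG = """\
# httpd.stl.config
# Configure the required Secure Transport information
KeyDatabase $root/conf/test_key.db
ServerPassword WebServer
AcceptSecureTransport -transport /G/ZTC0 -port 4571 -address 172.31.24.12 -cert {
  CN=Secure Transport Bootstrap Certificate, OU=Testing Only - Do
  Not Trust for Secure Transactions, OU=No Assurance - Self-Signed,
  OU=Generated Mon Dec 22 09:1421 UTC+ 2003, O=HP-NED}
"""

# The DN as it was typed into keyadmin (constructed to match the sample above).
EXPECTED_DN = ("CN=Secure Transport Bootstrap Certificate, OU=Testing Only - Do Not Trust for "
               "Secure Transactions, OU=No Assurance - Self-Signed, "
               "OU=Generated Mon Dec 22 09:1421 UTC+ 2003, O=HP-NED")

def parse_directives(text):
    """Return [(name, argument_string)], joining lines while curly braces are unbalanced."""
    directives, buf, depth = [], [], 0
    for line in text.splitlines():
        if depth == 0 and (not line.strip() or line.lstrip().startswith("#")):
            continue  # skip blank and comment lines between directives
        buf.append(line.strip())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            name, _, args = " ".join(buf).partition(" ")
            directives.append((name, args.strip()))
            buf = []
    return directives

def normalize_dn(dn):
    """Split a DN into (ATTR, value) pairs; whitespace runs and attribute case are not significant."""
    parts = re.split(r",\s*(?=[A-Za-z]+=)", dn.strip().strip("{}"))
    return [(a.strip().upper(), " ".join(v.split())) for a, _, v in (p.partition("=") for p in parts)]

def check_secure_transport(config_text, expected_dn):
    """Compare the -cert DN with the keyadmin DN and report the port and whether super ID is needed."""
    result = {"dn_matches": False, "port": None, "needs_super_id": False, "password_set": False}
    for name, args in parse_directives(config_text):
        if name == "ServerPassword":
            result["password_set"] = bool(args)
        elif name == "AcceptSecureTransport":
            port = re.search(r"-port\s+(\d+)", args)
            cert = re.search(r"-cert\s+(\{.*\})", args, re.S)
            if port:
                result["port"] = int(port.group(1))
                result["needs_super_id"] = result["port"] == 443  # standard TLS/SSL port
            if cert:
                result["dn_matches"] = normalize_dn(cert.group(1)) == normalize_dn(expected_dn)
    return result

if __name__ == "__main__":
    print(check_secure_transport(SAMPLE_CONFIG, EXPECTED_DN))
```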
Controlling Access and Privacy
With TLS and SSL, all connections between a Web client and the server are encrypted. A Web
client can verify the server's identity by using the server's public-key certificate. As described
previously, you also can request or require a Web client to authenticate itself to the server.
74 Configuring for Secure Transport