HP NonStop SSL Reference Manual
HP Part Number: 628203-009
Published: January 2014
Edition: HP NonStop SSL Reference Manual 1.8, H06.07 and subsequent H-series RVUs, J06.
© Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Preface

Who Should Read This Guide
This document is for system administrators who are responsible for configuring HP NonStop SSL to secure Telnet, FTP or middleware communication for ODBC, RSC and other protocols used by HP products.

Document History

Version 1.8
This version documents the changes and enhancements introduced with HP NonStop SSL AAI:
• New ODBC/MX IPv6 capabilities.
• Enhanced auditing, especially for FTPS and FTPC; see AUDITFILELAYOUT.
Version 1.3
This version documents the support for configuring all available CIPHERSUITES. This feature is implemented starting with HP NonStop SSL version AAD.
• The new parameter HASHALGORITHMS has been documented.
• The changes in the TRUST parameter have been documented.

Version 1.2
• The section about SSL Certificate Generation with OpenSSL was updated.
• The ODBC/MX install section was updated.

Version 1.1
This version documents the change in the CIPHERSUITES parameter.
Introduction

What is the Purpose of HP NonStop SSL?
HP NonStop SSL provides encryption of data that is sent or received over TCP/IP by programs on HP NonStop servers. It adds transport-layer security to TCP/IP protocols that have no built-in SSL/TLS support on HP NonStop, such as Telnet, FTP or ODBC.
Run Mode   Usage
FTPC       FTP client proxy
FTPS       FTP server proxy
PROXYC     Generic SSL client proxy
PROXYS     Generic SSL server proxy
TELNETS    Secure Telnet proxy
EXPANDS    Secure EXPAND proxy
ODBCMXS    Secure ODBC/MX proxy

HP NonStop SSL Features

Support of SSL and TLS Protocol Standards
HP NonStop SSL uses SSL (Secure Socket Layer) in the TLS (Transport Layer Security) variant as standardized by the IETF in RFC 2246 to secure an application on the transport layer. SSL 2.0, SSL 3.0 and TLS 1.0 (SSL 3.
HP NonStop SSL proxy front-ending the NonStop TELSERV process
The HP NonStop SSL proxy accepts SSL connections from the network and "tunnels" them to a plain TCP server. Encrypted data received from the SSL client is decrypted and forwarded to the server. Plain data received from the plain TCP server is encrypted and sent to the SSL client.
HP NonStop SSL securing Remote Server Call (RSC) communication

Secure FTP Proxy
HP NonStop SSL can be run as a proxy process to front-end the NonStop FTPSERV or FTP process. With its SSL support, HP NonStop SSL enables secure communication with FTP clients or servers that support FTP over SSL/TLS according to RFC 2228. SSL-capable FTP clients are, for example, MR-Win6530 or WS_FTP Pro from http://www.ipswitch.com/.
Secure Proxy for EXPAND-over-IP
HP NonStop SSL running in EXPANDS mode encrypts EXPAND-over-IP traffic between two NonStop systems.
• The configuration of both the HP NonStop SSL ODBCMXS process and the RemoteProxy is independent of the number of ports used by ODBC/MX.
Note: The ODBC/MX protocol supports IPv6 starting with release H06.26/J06.15, but running HP NonStop SSL in ODBCMXS mode is currently only valid with IPMODE IPv4.

Limiting Remote IP Addresses
HP NonStop SSL can be configured to allow only certain remote IP addresses.
Installation

General Considerations
HP NonStop SSL is made available by HP with the purchase of the NonStop Operating System kernel for H-series and J-series NonStop platforms. HP NonStop SSL was introduced as SPR T0910 in H06.21/J06.10 and is not available on S-series. The files of the package are located on $SYSTEM.ZNSSSL. HP NonStop SSL is not pre-installed or pre-configured; you have to install it according to your requirements. A license file is not required.
IPv6 Considerations
With HP NonStop SSL AAE, IPv6 support was introduced. The new parameter IPMODE was introduced for this purpose:
IPMODE {IPv4|IPv6|DUAL}
If not specified, the IPMODE parameter defaults to IPv4. When IPMODE DUAL is specified, SSLOBJ listens on both IPv4 and IPv6 with a single dual-mode socket. In IPMODE DUAL, IPv4 addresses are shown as mapped IPv6 addresses with the prefix "::ffff:", e.g. "::ffff:10.10.10.110".
Starting an HP NonStop SSL Process
You can start an HP NonStop SSL process by issuing a TACL RUN command using the following syntax:
RUN SSLOBJ / runoptions / mode [ ; paramname paramvalue; ...
5. Install the TELNETS proxy persistent process, e.g.
> SCF /IN TLNSIN0/
6. Start the TELNETS proxy persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-TELNETS-0
7. Check the log file (configured in the configuration file) to verify that the TELNETS proxy has started correctly, e.g.
> SHOWLOG TLNSLOG *
Verify that the log contains a message of the following pattern:
$TLNS0|06Jun10 21:42:15.82|20|secure-to-plain proxy started on target host 127.0.0.
Verify that the log contains a message of the following pattern:
$FTPS0|18May10 20:22:51.63|20|FTP server proxy started on target host 127.0.0.1, target port 21, source port 8421
When logging with the default log level 50, the last message of the log should then be similar to the following:
$FTPS0|27Jul12 16:14:55.41|30|-- FTPS setup completed, starting to listen... --

To create a secure connection with an FTP-TLS enabled FTP client
1.
$FTPC0|29Jul12 16:38:40.45|30|-- FTPC setup completed, starting to listen... --

To create a secure FTP connection to a remote FTP-TLS server
1. Issue the following command at the command prompt:
> FTP localhost 8021
where
• the first parameter denotes the local loopback address
• the second parameter specifies the port number the HP NonStop SSL FTPC proxy is listening on
The HP NonStop SSL FTP client mode welcome message will now be displayed.
Installing a Secure Tunnel for RSC
To install an SSL tunnel for Remote Server Call (RSC) communication, you need to perform the following steps:
1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target TDP server process.
2. On the workstation, install the HP NonStop SSL RemoteProxy and configure it to route plain connections to the PROXYS process on the NonStop server.
3. Re-configure RSC to connect to the local RemoteProxy.
To install and configure RemoteProxy for RSC
1. Download $SYSTEM.ZNSSSL.PROXYEXE in binary format to your RSC workstation, renaming it to PROXY.EXE.
2. On the RSC workstation, run PROXY.EXE to start the RemoteProxy installation program and follow the installation instructions.
3. Double-click the HP NonStop SSL RemoteProxy icon; the configuration window will be displayed.
4. Select "New" from the "Session" menu. The "Session Properties" dialog will be displayed.
5.
To connect securely with your RSC client
1. After you have correctly configured the RSC.INI file and started the RemoteProxy session for RSC, use your RSC client as you did before to connect to the NonStop system.
2. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of RemoteProxy.
$PXYS0|29Jul12 16:31:29.37|30|-- PROXYS setup completed, starting to listen... --

To install and configure RemoteProxy for ODBC/MP
1. Download $SYSTEM.ZNSSSL.PROXYEXE in binary format to your ODBC/MP client workstation, renaming it to PROXY.EXE.
2. On the ODBC/MP client workstation, run PROXY.EXE to start the RemoteProxy installation program and follow the installation instructions.
3. Double-click the HP NonStop SSL RemoteProxy icon; the configuration window will be displayed.
4.
Confirm the changes by clicking "OK".
5. You may use the NonStop Connectivity Tool to test the secure ODBC connection to the NonStop system.
6. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.

To connect securely with your ODBC/MP client
1. After you have correctly configured your ODBC driver, use your ODBC client as you did before to connect to the NonStop system.
2.
Installing a Secure Tunnel for ODBC/MX
Note 1: The configuration for ODBC/MX differs from the configuration for ODBC/MP. This section describes the configuration for ODBC/MX; please see the prior section for the configuration for ODBC/MP.
Note 2: NonStop ODBC/MX uses multiple port numbers to create connections between the ODBC/MX clients and the NonStop server. HP NonStop SSL is aware of that and "multiplexes" many connections over a single IP connection between the clients and the NonStop server.
> SCF START PROCESS $ZZKRN.#SSL-ODBCMXS-0
8. Check the log file (configured in the configuration file) to verify that the ODBCMXS process has started correctly, e.g.
> SHOWLOG ODBSLOG *
Verify that the log contains a message of the following pattern:
$ODBS0|01Sep11 09:48:04.64|20|ODBC/MX server proxy started on target host 127.0.0.1, source port 28888, target port will be passed dynamically within client request.
Confirm the changes by clicking "OK".
6. You may use the NonStop Connectivity Tool to test the secure ODBC connection to the NonStop system.
7. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.

To connect securely with your ODBC/MX client
1. After you have correctly configured your ODBC/MX driver, use your ODBC client as you did before to connect to the NonStop system.
2.
Installing an SSL Tunnel for EXPAND-over-IP Lines
Creating an SSL tunnel for an EXPAND-over-IP line requires running an HP NonStop SSL process in EXPANDS mode for the line handler on both sides of the connection. The configuration of the HP NonStop SSL processes can easily be derived from the existing line handler configuration of the EXPAND-over-IP line. To enable the tunneling, only a single line handler attribute needs to be changed.
Note: Again, that change in the SCF configuration has to be done on both systems.
Configuration

Configuration Overview
HP NonStop SSL processes can be flexibly configured by a set of configuration parameters which can be specified by the following means:
• A configuration file
• PARAM commands
• Startup command line parameters
• SSLCOM commands
The different options to specify a configuration for HP NonStop SSL allow system administrators to easily manage installations with multiple HP NonStop SSL processes running on multiple TCP/IP processes and ports as well as in different m
The Configuration File
The configuration file is an edit-type file which can be created and modified with a standard NonStop editor such as TEDIT. The name of the file that an HP NonStop SSL process should use as its configuration source is passed to the program during startup. The file contains entries of the form
parameter-name parameter-value
As in the standard TCP/IP configuration files, any line starting with a "#" character is interpreted as a comment.
Startup Line Parameters
HP NonStop SSL configuration parameters can be passed on the startup line as follows (for a complete description of the RUN SSLOBJ command see section "Starting an HP NonStop SSL Process"):
; ; ...
Parameter                      Meaning
CONNECTIONINFOFORMATDETAILED   Specifies the default format for the output of the SSLCOM command "connections, detail".
CONTENTFILTER                  Activates content filtering in run modes TELNETS, PROXYS and PROXYC.
DENYIP                         Limits allowed remote IP addresses.
DESTIPADDR, DESTIPPORT         Sets the destination IP address and port for an EXPANDS tunnel.
DNSRESOLVERTCPIPPROCESSNAME    Can be used to explicitly set a TCP/IP process name for DNS resolution.
Parameter             Meaning
MAXSESSIONS           Limits the number of parallel connections in run modes PROXYS, PROXYC, TELNETS.
MAXVERSION            Maximum admissible SSL/TLS protocol version.
MINVERSION            Minimum admissible SSL/TLS protocol version.
PASSIVE               Sets the direction of the data socket connections in FTPC mode.
PEERCERTCOMMONNAME    For verification of remote certificates.
PEERCERTFINGERPRINT   For verification of remote certificates.
PORT                  The port the HP NonStop SSL server listens on for incoming connections.
comma-separated list of certificate errors which HP NonStop SSL should ignore. The error numbers are defined in the OpenSSL sources used for HP NonStop SSL (see Considerations).
Considerations
• Warning: The usage of this parameter may compromise the security of your configuration. Use it only as a workaround and with care.
• The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details.
Error Name                                    Error number
X509_V_ERR_KEYUSAGE_NO_CRL_SIGN               35
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION   36
X509_V_ERR_APPLICATION_VERIFICATION           50
Default
If omitted, HP NonStop SSL will work normally (all certificate validation errors are treated as such and connection attempts will fail).
Example
ALLOWCERTERRORS 10
This will temporarily allow expired certificates.

ALLOWIP
Use this parameter to specify which remote IP addresses are to be allowed to establish sessions ("white list").
• Backwards compatibility to the former syntax is preserved; however, in the mid-term ALLOWIP and DENYIP should be changed to use CIDR format.
Default
If omitted, HP NonStop SSL will use * to allow all remote IP addresses.
Example
ALLOWIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
ALLOWIP [abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]

ALLOWRENEGOTIATION
This parameter can be used to allow or disallow SSL/TLS session renegotiation.
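The configuration-file layout from section "The Configuration File" and the ALLOWIP/DENYIP CIDR syntax above, worked through as an added example. This is not HP NonStop SSL code: the evaluation order (a DENYIP match wins over ALLOWIP), the treatment of IPv4-mapped addresses as shown under IPMODE DUAL, and the sample configuration are my own assumptions for illustration, not documented product behaviour.

```python
import ipaddress

# Constructed sample configuration file in the manual's
# "parameter-name parameter-value" layout (not a file shipped with the product).
SAMPLE_CONFIG = """\
# TELNETS proxy - constructed example; '#' lines are comments
SUBNET     $ZTC0
PORT       11011
TARGETHOST 127.0.0.1
TARGETPORT 23
ALLOWIP    10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
ALLOWIP    [abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]
DENYIP     10.0.1.99
"""


def parse_config(text):
    """Return {PARAMETER: [value, ...]}, keeping repeated parameters in order."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params.setdefault(name.upper(), []).append(value.strip())
    return params


def parse_ip_list(values):
    """Convert ALLOWIP/DENYIP values to networks. IPv6 entries are written in
    square brackets, IPv4 entries bare; an entry without a prefix length is a
    single host (/32 or /128); '*' stands for all addresses."""
    nets = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if item == "*":
                nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
                continue
            nets.append(ipaddress.ip_network(item.strip("[]"), strict=False))
    return nets


def _candidates(addr):
    """The address itself plus, for an IPv4-mapped IPv6 address as shown in
    IPMODE DUAL (::ffff:10.10.10.110), its plain IPv4 form (my assumption)."""
    ip = ipaddress.ip_address(addr)
    cands = [ip]
    if ip.version == 6 and ip.ipv4_mapped is not None:
        cands.append(ip.ipv4_mapped)
    return cands


def _matches(cands, nets):
    return any(ip in net for ip in cands for net in nets if ip.version == net.version)


def is_remote_allowed(params, addr):
    """DENYIP entries win over ALLOWIP (assumption); ALLOWIP defaults to '*'."""
    allow = parse_ip_list(params.get("ALLOWIP", ["*"]))
    deny = parse_ip_list(params.get("DENYIP", []))
    cands = _candidates(addr)
    if _matches(cands, deny):
        return False
    return _matches(cands, allow)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for remote in ("10.0.1.5", "10.0.1.99", "::ffff:10.0.2.7", "abcd::ef05", "9.9.9.9"):
        verdict = "allowed" if is_remote_allowed(cfg, remote) else "rejected"
        print(f"{remote:>18}: {verdict}")
```

Running the script prints one verdict per sample address; the useful check for an operator is that an address written in its IPv4-mapped form (as the log shows it in IPMODE DUAL) is matched by the same IPv4 entries as its plain form.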
FALSE
Data will be dumped as a full hex dump. This consumes a lot of resources but provides the most complete view.
Default
By default, a value of TRUE is used.
Considerations
• Audit messages depend on the run mode; see parameter AUDITLEVEL for details.
• See also parameters AUDITASCIIDUMPLENIN and AUDITASCIIDUMPLENOUT to control how much data is dumped.
AUDITASCIIONLY

AUDITCONSOLE
Use this parameter to define if and to what console device HP NonStop SSL audit messages are written.
Parameter Syntax
AUDITCONSOLE * | % | $0 | auditdevice
Arguments
*            no audit messages are written to a console
%            audit messages are written to the home terminal of the HP NonStop SSL process
$0           audit messages are written to $0
auditdevice  audit messages are written to the given device
• Audit messages depend on the run mode; see parameter AUDITLEVEL for details.
See also AUDITCONSOLE, AUDITLEVEL, AUDITFORMAT

AUDITFILELAYOUT
Use this parameter to control the layout format of the audit file. In particular, this parameter can be used to write the audit file in CSV (comma-separated values) format for easy subsequent processing in other tools such as Excel, SQL, etc.
AUDITFORMAT format
Arguments
format  a number representing a bit mask controlling the format options. Please see parameter LOGFORMAT for the bit mask.
Audit Level (run modes TELNETS, PROXYS, PROXYC, ODBCMXS)
90  Data flowing through HP NonStop SSL: full byte dump (see parameter AUDITASCIIONLY for details)
Run Mode FTPS
For PROXYS, PROXYC and ODBCMXS, we recommend 50 for basic auditing and 99 for extended auditing including a full traffic log.
Note: If set to 99, all data flowing through the network is dumped to the audit log. This could include confidential data or passwords, so make sure to properly secure the audit log files.
the designated files are DER-encoded X.509 CA certificates.
Default
If omitted, HP NonStop SSL will search for a single "CACERT" file on the default subvolume.
Example
CACERTS $DATA1.SSL.MYCA, $DATA1.SSL.MYROOTCA
Considerations
• The first file on the list must contain a certificate signing the given server certificate. Subsequent files must contain certificates that sign the previous certificate in the list.
Specifier  RFC Algo Name                          OpenSSL Name             KEX             Enc           Mac
0.10       TLS_RSA_WITH_3DES_EDE_CBC_SHA          DES-CBC3-SHA             RSA             3DES_EDE_CBC  SHA
0.17       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  EXP-EDH-DSS-DES-CBC-SHA  DHE_DSS_EXPORT  DES40_CBC     SHA
0.18       TLS_DHE_DSS_WITH_DES_CBC_SHA           EDH-DSS-DES-CBC-SHA      DHE_DSS         DES_CBC       SHA
0.19       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA      EDH-DSS-DES-CBC3-SHA     DHE_DSS         3DES_EDE_CBC  SHA
0.20       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  EXP-EDH-RSA-DES-CBC-SHA  DHE_RSA_EXPORT  DES40_CBC     SHA
0.
Specifier  RFC Algo Name                          OpenSSL Name             KEX      Enc               Mac
0.132      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      CAMELLIA256-SHA          RSA      CAMELLIA_256_CBC  SHA
0.135      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  DHE-DSS-CAMELLIA256-SHA  DHE_DSS  CAMELLIA_256_CBC  SHA
0.136      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA  DHE_RSA  CAMELLIA_256_CBC  SHA
0.137      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH-CAMELLIA256-SHA      DH_anon  CAMELLIA_256_CBC  SHA
0.
Specifier  RFC Algo Name                          OpenSSL Name              KEX          Enc           Mac
192.8      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA  ECDHE-ECDSA-DES-CBC3-SHA  ECDHE_ECDSA  3DES_EDE_CBC  SHA
192.9      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA   ECDHE-ECDSA-AES128-SHA    ECDHE_ECDSA  AES_128_CBC   SHA
192.10     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   ECDHE-ECDSA-AES256-SHA    ECDHE_ECDSA  AES_256_CBC   SHA
192.11     TLS_ECDH_RSA_WITH_NULL_SHA             ECDH-RSA-NULL-SHA         ECDH_RSA     NULL          SHA
192.
Example
CIPHERSUITES 0.53,0.47
Considerations
• Please note that the default CIPHERSUITES are subject to change in order to make sure that only the most secure ciphers are used by default.
• When running as an SSL client, CIPHERSUITES specifies the cipher suites that should be allowed, in order of preference (favorite choice first). During the SSL handshake, HP NonStop SSL will present the list of cipher suites to the SSL server.
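The CIPHERSUITES specifier form ("hi.lo", the two bytes of the TLS cipher suite identifier) and the table above, worked through as an added example that is not HP NonStop SSL code. The table rows are copied from this manual; the entries for 0.47 and 0.53 come from RFC 5246 (they are not in the excerpt above); the list of "weak" markers is my own review rule for a defender auditing a configuration, not anything the product enforces.

```python
# Specifier -> (RFC name, OpenSSL name). Rows marked "manual" are taken from the
# cipher suite table in this manual; the two RFC 5246 rows are added by me.
SUITES = {
    (0, 10):   ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"),                  # manual
    (0, 17):   ("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA"),  # manual
    (0, 18):   ("TLS_DHE_DSS_WITH_DES_CBC_SHA", "EDH-DSS-DES-CBC-SHA"),           # manual
    (0, 19):   ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "EDH-DSS-DES-CBC3-SHA"),     # manual
    (0, 20):   ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA"),  # manual
    (0, 47):   ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"),                    # RFC 5246
    (0, 53):   ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"),                    # RFC 5246
    (0, 132):  ("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "CAMELLIA256-SHA"),          # manual
    (0, 137):  ("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "ADH-CAMELLIA256-SHA"),  # manual
    (192, 8):  ("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-ECDSA-DES-CBC3-SHA"),  # manual
    (192, 9):  ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA"),  # manual
    (192, 10): ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE-ECDSA-AES256-SHA"),  # manual
    (192, 11): ("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA"),               # manual
}

# Substrings of an RFC name that a defender would not want in an allowed list
# (export-grade, anonymous key exchange, no encryption, single DES, RC4, 3DES).
_WEAK_MARKERS = ("_EXPORT_", "_anon_", "_NULL_", "_DES40_", "_WITH_DES_", "_RC4_", "_3DES_")


def parse_specifier(spec):
    """'192.10' -> (192, 10); both parts must be byte values."""
    hi, lo = spec.strip().split(".")
    hi, lo = int(hi), int(lo)
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"bad cipher suite specifier {spec!r}")
    return hi, lo


def suite_id(spec):
    """The 16-bit identifier as seen on the wire: 0.53 -> 0x0035, 192.10 -> 0xC00A."""
    hi, lo = parse_specifier(spec)
    return (hi << 8) | lo


def review_ciphersuites(value):
    """Return (ordered RFC names, findings) for a CIPHERSUITES parameter value.
    Unknown specifiers are reported by hex identifier so they can be looked up."""
    names, findings = [], []
    for spec in value.split(","):
        spec = spec.strip()
        if not spec:
            continue
        entry = SUITES.get(parse_specifier(spec))
        if entry is None:
            names.append(f"0x{suite_id(spec):04X}")
            findings.append(f"{spec}: not in local table, verify manually")
            continue
        rfc_name, _openssl_name = entry
        names.append(rfc_name)
        for marker in _WEAK_MARKERS:
            if marker in rfc_name:
                findings.append(f"{spec}: {rfc_name} is weak ({marker.strip('_')})")
                break
    return names, findings


if __name__ == "__main__":
    for value in ("0.53,0.47", "0.17, 192.11, 0.10, 192.9"):
        names, findings = review_ciphersuites(value)
        print(f"CIPHERSUITES {value}")
        print("  order:", ", ".join(names))
        for f in findings:
            print("  finding:", f)
```

The manual's own example, CIPHERSUITES 0.53,0.47, produces no findings; a list mixing export, NULL-cipher and 3DES suites produces one finding per weak entry while preserving the configured preference order.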
CLIENTCERT
Use this parameter to specify the client certificate that HP NonStop SSL should use to authenticate itself to an SSL server.
Parameter Syntax
CLIENTCERT * | file
Arguments
*     SSL client authentication is deactivated.
file  Guardian file name of a DER-encoded X.509 client certificate.
Default
If omitted or set to *, HP NonStop SSL will not authenticate itself to the SSL server.
Example
CLIENTCERT $DATA1.SSL.
Considerations
• This parameter only applies to the run modes PROXYC and FTPC; it is ignored in other run modes.
• The private key data in the file is password encrypted. For HP NonStop SSL to be able to decrypt the file, the correct password must be specified by the CLIENTKEYPASS parameter.
• A private key file for testing purposes is delivered as the "CLNTKEY" file on the HP NonStop SSL installation subvolume to enable a quick start installation.
If omitted, HP NonStop SSL will not use a configuration file.
Example
CONFIG $DATA1.SSL.SSLCONF
Considerations
• This parameter can only be specified as a PARAM or on the startup line. It is not valid within a configuration file.
• Parameters specified in the configuration file can be overwritten by PARAM or startup line settings.

CONFIG2
Use this parameter to specify a second configuration file for an HP NonStop SSL process.
o CSV: designates output as comma-separated values, primarily targeted to simplify automated parsing of the output.
Default
Starting with HP NonStop SSL AAE, the default format is EXTENDED. Prior to that it was ORIGINAL and not configurable.
Example
CONNECTIONINFOFORMAT ORIGINAL
Considerations
• Both the ORIGINAL and the EXTENDED format are primarily targeted at human readers and are subject to change.
CONTENTFILTER * | file
Arguments
*     no filtering.
file  The file name of the rule set file.
Default
If omitted, HP NonStop SSL will use a value of * (no filtering).
Example
CONTENTFILTER CFILTER
Considerations
• The value of the parameter can be changed without stopping HP NonStop SSL using the SSLCOM command SET CONTENTFILTER file.
• The following example shows the syntax of the filter rules. This example will only allow messages starting with "" to pass the filter.
# allow any message starting with "
DESTIPADDR, DESTIPPORT
Use these parameters for the configuration of an HP NonStop SSL EXPANDS process.
Parameter Syntax
DESTIPADDR ip-address
DESTIPPORT port
Arguments
ip-address  specifies the IP address of the remote end of the EXPAND line.
port        specifies the port number of the remote end of the EXPAND line.
Example
DESTIPADDR 10.0.0.
DONOTWARNONERROR
Use this parameter to log selected errors with LOGLEVEL 20 rather than as a WARNING. By default, all errors on sockets result in a WARNING being displayed in the HP NonStop SSL log. Using this parameter, a log message with LOGLEVEL 20 is issued instead for the configured error numbers.
Parameter Syntax
DONOTWARNONERROR ErrorList
Arguments
ErrorList  specifies a comma-separated list of error numbers
Default
If omitted, HP NonStop SSL will use an empty list.
Example
EXPANDCOMPRESSION TRUE
Considerations
• For compression to work, both SSLOBJ processes across an EXPAND connection must be version AAI or later. It is possible to have only one side of the connection use compression.
• Compression can be enabled or disabled while the SSLOBJ process is running by using the corresponding SSLCOM command SET EXPANDCOMPRESSION {ON|OFF}.

EXPANDENCRYPTION
This parameter controls whether encryption is used for EXPAND connections.
FTPCALLOW200REPLY
Use this parameter to specify whether HP NonStop SSL will allow an illegal "200" response to the AUTH TLS command sent to the remote FTP/TLS server.
Parameter Syntax
FTPCALLOW200REPLY boolean
Arguments
boolean  if set to TRUE or 1 or Yes, HP NonStop SSL will allow the illegal response.
Default
If omitted, HP NonStop SSL will *not* allow the illegal 200 response.
Example
FTPCALLOW200REPLY TRUE
Considerations
• This parameter is relevant only if HP NonStop SSL is running in FTPC mode.
FTPMAXPORT number
Arguments
number  The maximum port number HP NonStop SSL will use for FTP data connections.
Default
If omitted, HP NonStop SSL will use a value of 41000.
Example
FTPMAXPORT 22000
Considerations
• This parameter is relevant only if HP NonStop SSL is running in FTPS or FTPC mode.
• Together with the parameter FTPMINPORT it controls the values HP NonStop SSL assigns for the FTP data sockets.
The value of the maximum heap to be used, in bytes.
Default
The default heap size limit is 367001600 bytes (= 350 MiB). See Considerations for further explanation.
Considerations
SSLOBJ regularly checks its heap usage. When the heap usage reaches 85% of HEAPSIZELIMIT, newly incoming connections are rejected until the heap usage has decreased again below 85% of HEAPSIZELIMIT. In theory the heap could grow as large as the available main memory; however, there are various limiting factors.
HASHALGORITHMS
Use this parameter to define which hash algorithms are used when verifying the SSL server side based on its fingerprint.
Parameter Syntax
HASHALGORITHMS hashAlgorithm [, hashAlgorithm , ...]
Arguments
hashAlgorithm  Name of the hash algorithm that should be used. If the parameter is explicitly set, at least one hash algorithm has to be given.
• 1 (on): keep-alive messages are sent
• 0 (off): no messages are sent
Default
By default, keep-alive messages are sent (1).

LOGCONSOLE
Use this parameter to define if and to what console device HP NonStop SSL log messages are written.
By default, no log messages are written to EMS ("*").
Example
LOGEMS $0
Considerations
• The LOGLEVELEMS parameter controls what messages are produced by HP NonStop SSL.
• The LOGFORMATEMS parameter controls the log message format.
• The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details.
• If the EMS collector cannot be opened during startup, HP NonStop SSL will terminate.
LOGFILERETENTION n
Arguments
n  number of log files to keep
Default
By default, 10 files are kept.
Considerations
• A minimum of 10 is enforced for this parameter.
• See section "Logfile/Auditfile Rollover" in chapter "Monitoring" for details on logfile rollover.
See also LOGMAXFILELENGTH, LOGFILE

LOGFORMAT
Use this parameter to control the default format of the log messages.
Parameter Syntax
LOGFORMATCONSOLE format
Arguments
format  a number representing a bit mask controlling the following format options:
bit 1 (decimal 1)   Date
bit 2 (decimal 2)   Header (log messages are prefixed with "[log]")
bit 3 (decimal 4)   Time
bit 4 (decimal 8)   Milliseconds
bit 5 (decimal 16)  Process ID (name or PIN)
bit 7 (decimal 64)  Log level of message
Default
If omitted, the console log format is derived from LOGFORMAT.
Display date, time, and milliseconds only:
LOGFORMATEMS 13
Display date and time only:
LOGFORMATEMS 5
See also LOGFORMAT, LOGFORMATCONSOLE, LOGFORMATFILE

LOGFORMATFILE
Use this parameter to control the format of the log messages that are written to the log file.
Default
If omitted, a level of 50 is used.
Considerations
• If no value is set for the parameters LOGLEVELCONSOLE, LOGLEVELEMS, or LOGLEVELFILE, they inherit their value from the parameter LOGLEVEL.
• If LOGLEVELCONSOLE, LOGLEVELEMS, and LOGLEVELFILE are all set, the parameter LOGLEVEL has no effect.
See also LOGLEVELCONSOLE, LOGLEVELEMS, LOGLEVELFILE

LOGLEVELCONSOLE
Use this parameter to control what messages are written to the log console.
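The LOGFORMAT bit mask (LOGFORMATCONSOLE / LOGFORMATEMS above) and the LOGLEVEL threshold, worked through together with a parser for the log lines quoted in the installation sections, as an added example that is not HP NonStop SSL code. Two log lines are copied from this manual's FTPS start-up check; the third line and the decoding rule "a message is emitted when its level is <= LOGLEVEL" (consistent with the manual showing a level-30 message at the default level 50) are my assumptions.

```python
from datetime import datetime

# LOGFORMAT bit mask as documented under LOGFORMATCONSOLE. Bit 6 (decimal 32)
# is not listed in the manual, so it is treated as unsupported here.
FORMAT_BITS = {1: "Date", 2: "Header", 4: "Time", 8: "Milliseconds",
               16: "Process ID", 64: "Log Level"}
_KNOWN_MASK = sum(FORMAT_BITS)  # 95


def decode_logformat(mask):
    """LOGFORMATEMS 13 -> ['Date', 'Time', 'Milliseconds']."""
    if mask < 0 or mask & ~_KNOWN_MASK:
        raise ValueError(f"unsupported LOGFORMAT value {mask}")
    return [name for bit, name in FORMAT_BITS.items() if mask & bit]


def encode_logformat(fields):
    """Inverse of decode_logformat: ['Date', 'Time'] -> 5."""
    by_name = {name: bit for bit, name in FORMAT_BITS.items()}
    return sum(by_name[f] for f in fields)


# Lines 1 and 2 are quoted from this manual; line 3 is constructed to stand in
# for a level-90 data dump that only a high LOGLEVEL would show.
SAMPLE_LOG = """\
$FTPS0|18May10 20:22:51.63|20|FTP server proxy started on target host 127.0.0.1, target port 21, source port 8421
$FTPS0|27Jul12 16:14:55.41|30|-- FTPS setup completed, starting to listen... --
$FTPS0|27Jul12 16:15:02.11|90|constructed: data dump line, not emitted at the default level
"""


def parse_log_line(line):
    """Split 'process|ddMonyy HH:MM:SS.cc|level|message', the layout of the
    manual's samples (assumption: exactly four '|'-separated fields)."""
    process, stamp, level, message = line.split("|", 3)
    return {"process": process,
            "time": datetime.strptime(stamp, "%d%b%y %H:%M:%S.%f"),
            "level": int(level),
            "message": message}


def _entries(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def visible_at(text, loglevel=50):
    """Entries a reader sees at the given LOGLEVEL (assumption: level <= LOGLEVEL)."""
    return [e for e in _entries(text) if e["level"] <= loglevel]


def startup_complete(text, run_mode):
    """Automate the manual's post-install check: both the 'proxy started'
    message and the '<run mode> setup completed' message must be present."""
    entries = _entries(text)
    started = any(e["level"] == 20 and "proxy started" in e["message"] for e in entries)
    listening = any(f"{run_mode} setup completed" in e["message"] for e in entries)
    return started and listening


if __name__ == "__main__":
    print("LOGFORMATEMS 13 ->", decode_logformat(13))
    for e in visible_at(SAMPLE_LOG, 50):
        print(e["time"].isoformat(), e["process"], e["level"], e["message"])
    print("FTPS startup complete:", startup_complete(SAMPLE_LOG, "FTPS"))
```

The same startup_complete check applies to the TELNETS, PROXYS and ODBCMXS log excerpts in the installation sections, since they share the "proxy started" / "setup completed" wording.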
• Different log levels can be used for the outputs to LOGCONSOLE, LOGEMS, and LOGFILE.
• The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details.
See also LOGEMS, LOGLEVEL, LOGFORMATEMS

LOGLEVELFILE
Use this parameter to control what messages are written to the log file.
Parameter Syntax
LOGLEVELFILE detail
Arguments
detail  a number representing the detail level
Default
If omitted, the file log level is derived from LOGLEVEL.
Arguments
length  a number representing the maximum log file length in kilobytes, in the range 100 to 40000 (~40 MB).
Default
The default length is 20000.
Considerations
• After the current file reaches the maximum size, a log rollover occurs. Please see section "Logfile/Auditfile Rollover" in chapter "Monitoring" for details on logfile rollover.
See also LOGFILE, LOGFILERETENTION

LOGMEMORY
Use this parameter to have HP NonStop SSL log memory usage information at regular intervals.
Example
MAXSESSIONS 100
Considerations
• If the number of allowed sessions is reached, any further connection request is rejected and a warning is written to the log file.
• The current number of connections is displayed in the STATUS command of SSLCOM.

MAXVERSION
Use this parameter to define the maximum admissible SSL/TLS protocol version.
Parameter Syntax
MAXVERSION version
Arguments
version  an SSL/TLS version number. Currently, the supported values are:
• 2.0: SSL 2.0
• 3.0: SSL 3.
• For security reasons, it is recommended to use the latest version of the TLS protocol as standardized by the IETF (3.1). This requires setting MINVERSION to "3.1".
See also MAXVERSION

PASSIVE
Use this parameter to define the direction of the data socket connection in FTPC mode.
Parameter Syntax
PASSIVE mode
Arguments
mode  1 for passive mode, 0 for active mode.
Default
The default for this parameter is 1 (passive mode enabled).
• If the actual value of the common name in the remote certificate is part of the value configured in the parameter, it will be accepted. This allows configuring a list of common names.
• If the matching fails, the connection will be rejected.

PEERCERTFINGERPRINT
Use this parameter to enforce verification of the leaf certificate of the remote peer.
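The PEERCERTCOMMONNAME acceptance rule above, modelled as an added example that is not HP NonStop SSL code. I read "is part of the value configured" as a substring test over the configured string; cn_matches_exact is my own stricter alternative (not a product option) that compares the remote common name against each comma-separated entry in full, and cn_check_report puts the two verdicts side by side so an operator can see for which names they differ.

```python
def cn_matches_substring(configured, remote_cn):
    """The manual's rule as I read it: accept when the remote CN is 'part of'
    the configured value (a plain substring test over the whole string)."""
    remote_cn = remote_cn.strip()
    return bool(remote_cn) and remote_cn in configured


def cn_matches_exact(configured, remote_cn):
    """Stricter alternative (mine, not a documented option): the remote CN must
    equal one of the comma-separated configured entries, case-insensitively."""
    entries = {e.strip().lower() for e in configured.split(",") if e.strip()}
    return remote_cn.strip().lower() in entries


def cn_check_report(configured, remote_cn):
    """Both verdicts for one remote CN. Where 'substring' is True and 'exact'
    is False, the remote name is only a fragment of a configured entry."""
    return {"remote_cn": remote_cn,
            "substring": cn_matches_substring(configured, remote_cn),
            "exact": cn_matches_exact(configured, remote_cn)}


if __name__ == "__main__":
    # Constructed configured value with two common names, as the manual allows.
    configured = "ftp1.example.com, ftp2.example.com"
    for cn in ("ftp2.example.com", "example.com", "ftp3.example.com"):
        print(cn_check_report(configured, cn))
```

Running the demo shows that a full entry such as ftp2.example.com passes both checks, a name that is merely a fragment of an entry (example.com) passes only the substring check, and a name absent from the list fails both; when reviewing a PEERCERTCOMMONNAME value, look for entries whose fragments are themselves plausible common names.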
the decimal number of a TCP/IP port.
Default
The default for this parameter depends on the HP NonStop SSL run mode:
TELNETS  11011 (*)
PROXYS   11011 (*)
PROXYC   11012 (*)
FTPS     11013 (*)
FTPC     11014 (*)
Considerations
• If operating as a secure server, HP NonStop SSL will only accept SSL connections on the specified port.
• Starting HP NonStop SSL to listen on a port number <= 1024 requires SUPER group access.
ROUTINGMODE
The ROUTINGMODE parameter can be used in run modes PROXYC and PROXYS and defines in what way incoming connections are forwarded. By default this happens statically (value "S", for static), i.e. you have to specify the target to which connections are forwarded when HP NonStop SSL is started. The second possible value for ROUTINGMODE is "D", which stands for dynamic routing.
Example
SERVCERT $DATA1.SSL.MYCERT
Considerations
• A server certificate for testing purposes is delivered as the SERVCERT file on the HP NonStop SSL installation subvolume to enable a quick start installation.
• The server certificate must match the private key file specified by SERVKEY.
See also SERVCERT, SERVKEY, SSLCOM SSLINFO, SSLCOM RELOAD CERTIFICATES

SERVKEY
Use this parameter to specify the private key file for an HP NonStop SSL server.
Default
If omitted, HP NonStop SSL will try "test" as the password.
Example
SERVKEYPASS my private passphrase
Considerations
• The default password ("test") enables a quick start installation with the "SERVKEY" key file delivered with HP NonStop SSL.
See also SERVCERT, SERVKEYPASS, SSLCOM SSLINFO, SSLCOM RELOAD CERTIFICATES

SLOWDOWN
Use this parameter to make HP NonStop SSL use fewer CPU cycles for encryption. This will result in a decrease of the possible throughput.
Parameter Syntax
SOCKSHOST sockshost
SOCKSPORT socksport
SOCKSUSER socksuser
Arguments
sockshost  the hostname or IP address of the host running the SOCKS version 4 enabled firewall. A value of * indicates that the SOCKS protocol will not be used.
socksport  the listening port of the host running the SOCKS version 4 enabled firewall.
socksuser  the SOCKS user name to be used to authenticate against the SOCKS server.
• The parameters should be set exactly to the original equivalent parameter values of the EXPAND line handler, as shown by the SCF INFO LINE DETAIL command.
• The parameters are ignored with any run mode other than EXPANDS.
See also DESTIPADDR, DESTIPPORT

SUBNET
Use this parameter to specify the TCP/IP process HP NonStop SSL should listen on for incoming connections.
Parameter Syntax
SUBNET tcpip-process-name
Arguments
tcpip-process-name  the name of an existing TCP/IP process on your system.
Example
SSLCOMSECURITY TRUE
Considerations
• The following commands are considered sensitive:
o all SET commands
o LOGMESSAGE, ROLLOVER LOGFILE and RELOAD CERTIFICATES
TARGETINTERFACE
Use this parameter to specify the IP address HP NonStop SSL should use for local binding of outgoing connections.
Parameter Syntax
TARGETINTERFACE ip-address
Arguments
ip-address the IP address to bind to, or "*" for none.
the IP address of the target host.
Default
If omitted, the HP NonStop SSL proxy routes connections to the "local loopback address" ("127.0.0.1").
Example
TARGETHOST 192.45.23.3
Considerations
• If the target server process runs on the same TCP/IP process (SUBNET), you should use the "local loopback address" ("127.0.0.1"). This is recommended for proxy servers, as it avoids unencrypted data traversing the network.
If omitted, the HP NonStop SSL proxy will route connections to the well-known telnet port (23).
Example
TARGETPORT 1023
Considerations
• Starting with HP NonStop SSL AAE, this parameter is no longer ignored in run mode FTPC; it can be used to specify the default port number in case none is given in the FTPC user command.
• You can specify a comma-separated list of multiple target ports; see section "Multiple SSL Tunnels in a Single Process" for details.
• If you added a DEFINE =TCPIP^PROCESS^NAME to the TACL environment you use to start SSLOBJ, this setting will override the TARGETSUBNET parameter.
• If running in IPMODE DUAL, the TARGETSUBNET must support both IPv4 and IPv6 (even for IPv4 connections).
TCPIPHOSTFILE
Use this parameter to specify the value of the DEFINE =TCPIP^HOST^FILE.
Parameter Syntax
TCPIPHOSTFILE hostfile | *
Arguments
hostfile a host file to be used for DNS name resolution.
TCPIPRESOLVERNAME
Use this parameter to specify the value of the DEFINE =TCPIP^RESOLVER^NAME.
Parameter Syntax
TCPIPRESOLVERNAME resolver | *
Arguments
resolver a resolver to be used for DNS name resolution. The resolver will override the value of the DEFINE =TCPIP^RESOLVER^NAME which may have been passed to HP NonStop SSL at startup.
* No resolver will be set. However, any DEFINE =TCPIP^RESOLVER^NAME passed to HP NonStop SSL at startup will remain in effect.
TRUST certificate [, certificate, ...]
Arguments
hashalgorithm:fingerprint the trusted CA certificate's fingerprint generated with the hash algorithm 'hashalgorithm'.
certificate the trusted CA certificate in PKCS-8 DER encoded format.
Default
If omitted, HP NonStop SSL will not check the TLS/SSL partner's certificate chain.
See also
HASHALGORITHMS
Advanced Configuration Topics
Multiple SSL Tunnels in a Single Process
A single HP NonStop SSL process can listen on multiple ports at once and forward each of them to a different IP address/port number.
EXPAND Multi-Line versus Multi-CPU Paths
The choice between Multi-Line and Multi-CPU paths (SUPERPATH) is influenced by the nature of the traffic between the systems, as well as by the load-balancing and fault-tolerance goals to be achieved.
• Systems have 8 CPUs each
• TCPIPv6 Configuration:
The following figure shows a complete setup:
The following steps have been performed for the above setup:
1.
2. An Expand Multi-Line path was created on each system.
• 2 CPUs were selected for the LH primary and backup.
• To distribute the SSL CPU load over the remaining CPUs, 6 lines were created for the path.
• A unique port number was selected for each line (SRCIPPORT and DESTIPPORT can be identical).
• The SSL tunnel was associated with the line using the same SRCIPPORT and DESTIPPORT parameters as in the line configuration.
• The DESTIPADDR parameter of the HP NonStop SSL EXPANDS processes was set to the remote system's IP address.
Monitoring
Overview
HP NonStop SSL writes log and audit messages to a terminal, to a file, or to EMS. This is controlled by the parameters LOGCONSOLE, LOGFILE and LOGEMS for log messages and AUDITCONSOLE, AUDITFILE and AUDITEMS for audit messages. Messages can be written to any combination of those three "targets" (i.e. a single one, two of them, all of them, or none of them). By default, log and audit messages are written neither to EMS nor to a log file.
Log and Audit Level Recommendations
The log level can be chosen individually for each log device through the parameters LOGLEVELFILE, LOGLEVELEMS and LOGCONSOLE. Depending on the device, it may be desirable to see different kinds of log messages. The following table gives an indication of what "severity" the individual log levels relate to:
Log Level | Meaning
Level 0 | fatal errors.
Up to level 10 | only warnings.
Up to level 30 | On startup, HP NonStop SSL issues a whole set of log messages.
SHOWLOG logfile * "30Jan07 20:00" "30Jan07 21:00"   messages in timeframe to home terminal
4>
If SHOWLOG is run with only the name of the log file as the first runtime argument, it will dump the complete log file to the home terminal. The byte offset within the log file is displayed regularly; this allows you to limit the output of SHOWLOG to certain sections of the log file, as shown below.
----- EOF reached, done ---
The second runtime argument can be used to create a new EDIT file containing the log file contents.
Viewing File Contents from OSS
The log or audit files created by SSH2 are unstructured files and can be viewed from OSS with standard OSS tools such as more or tail. Standard OSS filter tools such as grep, awk, or wc can also be applied. This lets users make use of the powerful Unix syntax for text processing.
Logfile/Auditfile Rollover
When logging to a file, HP NonStop SSL uses round-robin to switch to a new file.
• Monitoring HP NonStop SSL Reference Manual
SSLCOM Command Interface
Using SSLCOM, you can:
• get an overview of the status of an HP NonStop SSL process
• list sessions which are currently open and obtain detailed information about single sessions (limited to certain run modes)
• view and change the following parameters (please refer to the "Parameter Reference" for the meaning of the parameters):
o ALLOWCERTERRORS
o ALLOWIP
o CONNECTIONINFOFORMAT[DETAILED]
o CONTENTFILTER
o DENYIP
o EXPANDCOMPRESSION
o LOGCONSOLE
o LOGEMS
o SSLINFO
Usage of SSLCOM: a Sample Session
The usage of SSLCOM is similar to the HP PATHCOM program. You connect to an existing HP NonStop SSL instance using the OPEN command, then you issue commands against that instance of HP NonStop SSL. The HELP command gives a brief overview of the supported commands. The following example session illustrates how to:
1. Start SSLCOM and connect to an HP NonStop SSL instance running with the process name "$TELS"
2.
----------------------------------------------------------
% show
show
LOGLEVEL 50
LOGFILE lproxysl
LOGCONSOLE *
LOGMEMORY 0
% set loglevel 30
set loglevel 30
log level was set to 30
% exit
exit
16>
Supported Commands
The following commands are supported:
• OPEN : connects to a running instance of HP NonStop SSL. The process name may also be supplied as a runtime parameter, as shown in the example above.
• HELP: lists supported commands.
• STATUS: shows current status.
• PROCESSINFO: displays some details about CPU and memory usage.
• STATISTICS [,RESET]: displays status and additional statistics for some run modes. When used with the RESET option, resets all statistics counters.
Multiple commands can be concatenated with semicolons in between.
The CONNECTION Commands
In the run modes TELNETS, PROXYS, PROXYC, FTPS and FTPC, HP NonStop SSL has a set of TCP/IP connections open during normal operation.
Port,Local Conn. Local IP, Local Conn. Local Port,Direction,Local Conn. Remote IP, Local Conn. Remote Port, Direction, Remote Conn. Local IP, Remote Conn. Local Port, Remote Conn. Remote IP, Remote Conn. Remote Port
6837,10.0.0.194,11011,<--,192.168.113.4,37814,127.0.0.1,6837,-->,127.0.0.1,23
6838,10.0.0.194,11011,<--,192.168.113.4,37815,127.0.0.1,6838,-->,127.0.0.1,23
6839,10.0.0.194,11011,<--,192.168.113.4,37817,127.0.0.1,6839,-->,127.0.0.
CONNECTIONINFOFORMATDETAILED CSV:
% connections, detail
connections, detail
Port,Local Conn. Local IP, Local Conn. Local Port,Direction,Local Conn. Remote IP, Local Conn. Remote Port, Direction, Remote Conn. Local IP, Remote Conn. Local Port, Remote Conn. Remote IP, Remote Conn. Remote Port,Handshake(s),First Handshake,Last Handshake
6840,10.0.0.194,11011,<--,192.168.113.4,37950,127.0.0.1,6840,-->,127.0.0.1,23,1,30Jul12-11:36:15,30Jul12-11:36:15
6841,10.0.0.194,11011,<--,192.168.113.4,37951,127.0.0.
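The CSV form of the connection listing is meant to be processed outside SSLCOM, for example by a monitoring job that checks which SSL client addresses currently hold sessions and whether any session has never completed a handshake. The following Python script is an added example and not part of the manual or of HP NonStop SSL; its column names and the 30Jul12-11:36:15 timestamp format follow the sample output above, the rows in SAMPLE_CSV are constructed, and the allowed client range 192.168.113.0/24 is an assumption standing in for whatever ALLOWIP/DENYIP policy applies at a site.

```python
"""Parse the CSV produced by SSLCOM "connections, detail"
(CONNECTIONINFOFORMATDETAILED CSV) and summarise it for monitoring.

Added example, not part of the HP NonStop SSL manual or product.
Column names and the 30Jul12-11:36:15 timestamp format follow the
sample output in the manual; the rows in SAMPLE_CSV are constructed.
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the manual's output (not a real capture).
# The third row simulates a session from a peer outside the expected
# client range that has not completed a single SSL handshake.
SAMPLE_CSV = """\
Port,Local Conn. Local IP, Local Conn. Local Port,Direction,Local Conn. Remote IP, Local Conn. Remote Port, Direction, Remote Conn. Local IP, Remote Conn. Local Port, Remote Conn. Remote IP, Remote Conn. Remote Port,Handshake(s),First Handshake,Last Handshake
6840,10.0.0.194,11011,<--,192.168.113.4,37950,127.0.0.1,6840,-->,127.0.0.1,23,1,30Jul12-11:36:15,30Jul12-11:36:15
6841,10.0.0.194,11011,<--,192.168.113.4,37951,127.0.0.1,6841,-->,127.0.0.1,23,1,30Jul12-11:36:20,30Jul12-11:36:20
6842,10.0.0.194,11011,<--,198.51.100.7,40211,127.0.0.1,6842,-->,127.0.0.1,23,0,,
"""

TIMESTAMP_FORMAT = "%d%b%y-%H:%M:%S"  # e.g. 30Jul12-11:36:15


def parse_timestamp(text):
    """Return a datetime for a handshake timestamp, or None when empty."""
    text = text.strip()
    return datetime.strptime(text, TIMESTAMP_FORMAT) if text else None


def parse_connections(text):
    """Return one dict per session row of the 'connections, detail' CSV."""
    reader = csv.reader(io.StringIO(text))
    header = [name.strip() for name in next(reader)]
    rows = []
    for fields in reader:
        if not fields:
            continue
        rec = dict(zip(header, (f.strip() for f in fields)))
        rows.append({
            "port": int(rec["Port"]),                     # proxy-side session port
            "listen_ip": rec["Local Conn. Local IP"],
            "listen_port": int(rec["Local Conn. Local Port"]),
            "remote_ip": rec["Local Conn. Remote IP"],    # SSL client address
            "remote_port": int(rec["Local Conn. Remote Port"]),
            "target_ip": rec["Remote Conn. Remote IP"],   # plaintext target
            "target_port": int(rec["Remote Conn. Remote Port"]),
            "handshakes": int(rec["Handshake(s)"]),
            "first_handshake": parse_timestamp(rec["First Handshake"]),
            "last_handshake": parse_timestamp(rec["Last Handshake"]),
        })
    return rows


def remote_peer_counts(rows):
    """Number of open sessions per SSL client address."""
    return Counter(row["remote_ip"] for row in rows)


def unexpected_peers(rows, allowed_networks):
    """Client addresses outside the given CIDR ranges (assumed ranges;
    compare with the ALLOWIP/DENYIP settings in effect)."""
    networks = [ipaddress.ip_network(net) for net in allowed_networks]
    peers = set()
    for row in rows:
        address = ipaddress.ip_address(row["remote_ip"])
        if not any(address in net for net in networks):
            peers.add(row["remote_ip"])
    return sorted(peers)


def sessions_without_handshake(rows):
    """Session ports where no SSL handshake has completed; a growing
    number of these points to clients that connect but never finish TLS."""
    return [row["port"] for row in rows if row["handshakes"] == 0]


if __name__ == "__main__":
    sessions = parse_connections(SAMPLE_CSV)
    print("sessions per client:", dict(remote_peer_counts(sessions)))
    print("peers outside 192.168.113.0/24:",
          unexpected_peers(sessions, ["192.168.113.0/24"]))
    print("no handshake yet on ports:", sessions_without_handshake(sessions))
```

The parser keys on the header names rather than on column positions, so the same code reads both the plain and the DETAILED layout as long as the handshake columns are present; the two "Direction" columns collapse in the dict but are not needed for the checks.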
%info connection 3625
info connection 3625
accepting socket:
=================
[TLS_SERVER](0/1): 10.0.0.198:8989<--10.0.1.24:2000
connecting socket:
==================
: 127.0.0.1:3625-->127.0.0.1:23
peer certificate information:
=============================
issuer=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
subject=/O=VeriSign, Inc.
SSL Reference
Secure Sockets Layer
The SSL (Secure Sockets Layer) protocol is an open, non-proprietary protocol originally designed by Netscape. It has been standardized by the IETF as the Transport Layer Security (TLS) protocol. SSL has been universally accepted on the Internet for authenticated and encrypted communication between clients and servers and is used in millions of browsers around the world. HP NonStop SSL implements SSL using OpenSSL (© acknowledged).
Implementation Overview
Cipher Suites
HP NonStop SSL uses the SSL protocol, as used in standard browsers and servers, for session security. It supports SSL 2.0, SSL 3.0 and the latest version SSL 3.1, which has been standardized by the IETF as the Transport Layer Security (TLS) protocol.
For SSL, certificates are used to provide mutual authenticity. Before establishing a session, a client can authenticate a server to ensure it is connecting to a trusted site (SSL server authentication). In this case the server presents its "server certificate" along with the "certificate chain" to the client.
If your server is accessed by external internet users (e.g. customers) that do not know your organization yet, you would probably purchase a server certificate. Remember that certificates are used to establish trust: the users trust the CA you purchased your server certificate from, while the CA vouches for your certificate's correctness. If you want to secure access to an application for internal users only, you would probably prefer using your own root CA to issue the server certificate.
Example: How to Generate SSL Certificates Using OpenSSL
This example shows how to create a self-signed CA certificate and a server certificate signed by the CA certificate, how to convert the certificates into the format used by HP NonStop SSL, and how to set the appropriate configuration parameters. The example also shows how to create a signing request to be submitted to a Certification Authority (CA). Many customers require server certificates to be signed by a trusted CA (e.g.
3. Convert the PEM format certificate to DER format. The file "cacert.der" will contain the CA certificate in DER format.
openssl x509 -inform PEM -outform DER -in ca\cacert.pem -out ca\cacert.der
The "ca" directory should now contain three files: cacert.pem, cakey.pem, and the root certificate cacert.der.
To Generate the Server Certificate
1. First, generate the private key for the server certificate and assign a pass phrase to be used later as the value of the SERVKEYPASS parameter.
NonStop SSH is installed by default on NonStop servers for maintenance LANs, and can be accessed from the system console via an SFTP client such as the one available in Win6530 or OpenSSH in a DOS window.
sftp ..
cd $SYSTEM.SSLCERTS
put server\servcert.der SERVCERT
put server\servkey.der SERVKEY
put ca\cacert.der CACERT
Note: the NonStop SSL installation subvolume $system.znsssl contains a set of test certificates that should not be used in production systems.
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Requesting the SSL Client to Present a Client Certificate
HP NonStop SSL supports client authentication when running in SSL server mode (PROXYS, FTPS, TELNETS, ODBCMXS, EXPANDS). The behavior is controlled by the TRUST parameter (please note: the parameter has different meanings depending on whether HP NonStop SSL runs in server or client mode). TRUST set to "*" (default) disables the checking, so no client certificate will be required.
3. If CACERTS contains the signing certificate(s), HP NonStop SSL will send the whole certificate chain to the server.
CACERTS $SYSTEM.MYCERT.CACERT
CLIENTKEY $SYSTEM.MYCERT.CLNTKEY
CLIENTKEYPASS mysecret
CLIENTCERT $SYSTEM.MYCERT.CLNTCERT
Security Considerations
While SSL is a very powerful and flexible protocol for encrypting TCP/IP traffic, it has to be used properly to protect against some common attacks.
Note: If you authenticate the HP NonStop SSL server in your clients, you should consider basing trust on the Root CA certificate (e.g. check the Root CA fingerprint). If the server certificate is compromised, you can then simply replace it without having to update your client configuration.
TLS Alerts
If a TLS alert occurs on an SSL-encrypted session, the TLS alert number will be logged.
Remote SSL Proxy
The RemoteProxy Component
The RemoteProxy component included with HP NonStop SSL is used to enable SSL encryption for HP client components running on Microsoft Windows systems. Usage of the RemoteProxy component is supported for selected HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL-enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform.
RemoteProxy Configuration
General Configuration Considerations
You will need at least one session entry for one of the available protocols (Generic TCP/IP, which allows TELNET, LPD Server and ODBC/MX Client) as shown in the illustrations below. You can name the sessions as desired.
The Main Configuration Screen
After you have installed RemoteProxy, you will have the icon of the Proxy Manager in your system tray. Clicking the icon will bring up the main configuration screen:
• "New" to add a session
• "Delete" to delete a session
• "Properties" to configure a session
Right-clicking on a session will bring up a context menu, which also allows you to start or stop a session.
Authentication at the SSL protocol level is performed with the help of SSL certificates. When configuring a RemoteProxy session for LPDS Server mode, configuration of corresponding server certificates per session is always required. In the client run modes, certificates only have to be configured when client authentication is to be performed.
Accordingly, the pass phrase of the private key file (as opposed to its public RSA key) must be configured in the "Pass-Phrase" field in the following cases:
a) The session is configured as an LPDS server (SSL server proxy for LPD)
b) The session is configured to run as a client and SSL client authentication is to be used.
Appendix
Log Messages and Warnings
This section lists log and warning messages issued by HP NonStop SSL.
Startup messages
This section contains messages which are displayed during startup and which are of an informational nature only.
HP NonStop SSL version version_info
Appears right after startup and notifies about the version number of HP NonStop SSL.
using openssl version 0.9.7 - see http://www.openssl.
Notification that the value of the SUBNET parameter will be overridden by the DEFINE =TCPIP^PROCESS^NAME.
TCP/IP process is
Notification about the TCP/IP process used for the communication in the current context of this message.
ProcessInfo follows: ProcessInfo --END
This message is issued at startup and is an informational message about the current process state, including current stack and heap usage.
Warning messages
The following messages are displayed under conditions where HP NonStop SSL can recover from an error and will continue to run.
Firewall: connection rejected from:
Warning about a connection from a remote host, identified by its IP address, being rejected.
F|<-- reply to STOR/RETR/LIST command from FTP server has error:
Warning that the reply from the remote FTP server to one of the mentioned requests is erroneous. If this happens frequently, contact your support representative.
F|<-- reply to PORT command from FTP server has error:
Warning about the receipt of an erroneous reply from an FTP server upon requesting active mode FTP. Check whether the remote FTP server supports active mode FTP.
This warning indicates that the parameter PREVENT_TLS_1_0_CBC_VULNERABILITY was set to FALSE by the user, which means that a certain vulnerability of CBC algorithms, known as the BEAST attack, is no longer prevented. The default value TRUE of the parameter should only be changed if advised to by support.
Invalid value ("") given for parameter TARGETHOST. Override will not be enabled ()
This warning indicates that an invalid value for TARGETHOST was specified in FTPC mode.
This warning indicates an incorrect sequence in the communication with the HP NonStop SSL process. It happens, for example, when SSLCOM is run against a certain HP NonStop SSL process and that process is then restarted with the same process name without restarting SSLCOM. In this case, any command in SSLCOM will result in an empty response. To resolve the error condition, restart SSLCOM.
fingerprint trusted.
is a cryptographically broken hash algorithm! DO NOT USE FINGERPRINTS ANYMORE! It is strongly recommended to specify fingerprints calculated with a secure hash algorithm ()!
This warning message indicates that the named hash algorithm has been cryptographically broken. It is recommended to use a more secure hash algorithm instead; please see section HASHALGORITHMS for details.
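Both the TRUST parameter (hashalgorithm:fingerprint form) and the warning above turn on the same operation: hashing the DER encoding of a CA certificate and comparing the result against a configured value. The following Python script is an added example and not code from the manual or from HP NonStop SSL; it shows the PEM-to-DER conversion from the certificate example, the fingerprint calculation, and a trust check that refuses broken algorithms rather than quietly accepting them. Assumptions: the exact fingerprint spelling HP NonStop SSL expects (upper-case hex, colon separated, algorithm name in front), the set of algorithms treated as broken, and SAMPLE_DER, which is constructed bytes and not a real certificate.

```python
"""Compute certificate fingerprints in a hashalgorithm:fingerprint form
and refuse hash algorithms that are cryptographically broken.

Added example, not code from the HP NonStop SSL manual or product.
A certificate fingerprint is the hash of the certificate's DER
encoding, so pem_to_der mirrors the
'openssl x509 -inform PEM -outform DER' step of the certificate example.
Assumptions: the fingerprint spelling (upper-case hex, colon separated,
algorithm name in front), the algorithms treated as broken, and
SAMPLE_DER, which is constructed bytes and not a real certificate.
"""
import base64
import hashlib
import hmac

# Assumption: algorithms that must never be used for trust decisions.
BROKEN_ALGORITHMS = {"md5", "sha1"}

# Constructed stand-in for a DER-encoded CA certificate (not real ASN.1).
SAMPLE_DER = b"constructed-not-a-real-certificate-" + bytes(range(64))


def der_to_pem(der_bytes, label="CERTIFICATE"):
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def pem_to_der(pem_text):
    """Decode the base64 body between the BEGIN and END lines."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER encoding."""
    name = algorithm.lower()
    if name in BROKEN_ALGORITHMS:
        raise ValueError("%s is cryptographically broken; "
                         "use a secure hash algorithm" % algorithm)
    digest = hashlib.new(name, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_value(der_bytes, algorithm="sha256"):
    """Value in the assumed TRUST syntax, e.g. SHA256:AB:CD:..."""
    return "%s:%s" % (algorithm.upper(), fingerprint(der_bytes, algorithm))


def verify_peer(der_bytes, trusted_values):
    """True if the peer certificate matches one trusted fingerprint.
    A trusted entry that names a broken algorithm raises instead of
    silently weakening the check; the comparison is constant-time."""
    for value in trusted_values:
        algorithm, _, expected = value.partition(":")
        if hmac.compare_digest(fingerprint(der_bytes, algorithm),
                               expected.upper()):
            return True
    return False


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    der = pem_to_der(pem)
    print(trust_value(der))
    print("peer accepted:", verify_peer(der, [trust_value(der)]))
```

To use this against a real CA certificate, replace SAMPLE_DER with the bytes of a file produced by the openssl conversion step (or feed the PEM file to pem_to_der); the SHA-256 value printed is the same one `openssl x509 -noout -fingerprint -sha256` reports for that certificate.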
Fatal Errors
The following messages are displayed in situations where a fatal error occurred. HP NonStop SSL will abend because it cannot recover from that error.
Fatal Error: could not listen on port , error
Error condition caused either by another application listening on the same port, or by configuring HP NonStop SSL with a PORT parameter less than 1024 while not starting HP NonStop SSL under the SUPER user logon. HP NonStop SSL terminates.
This error indicates a failure to set up an FTPC proxy with the shown parameter values. Check that these values are correct, and that no other process is already listening on port . Watch for other messages which come along with this one for additional hints on why the FTPC setup failed.
Error when processing cipher suite list, empty list. At least one cipher suite has to be given.
This error indicates that an empty value has been given for the CIPHERSUITES parameter.
Invalid IPMODE specified, run mode EXPANDS does not support IPMODE DUAL
This error occurs when IPMODE DUAL was specified in run mode EXPANDS; this is not supported in run mode EXPANDS by design. Set up one EXPANDS process for each of IPMODE IPv4 and IPMODE IPv6 to resolve the error condition.
Invalid address
If the message "Invalid address..." appears, please check whether the PARAMs TARGETHOST and TARGETPORT describe a valid host:port address in your network.
Security violation (error 4013)
If HP NonStop SSL fails with a security violation, you may have attempted to start HP NonStop SSL to listen on a PORT smaller than 1024 without having a SUPER group user id. Excerpt from the "Tandem TCP/IP programming manual": EACCES (4013) Cause.