iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)

Configuring for Secure Transport
iTP Secure WebServer System Administrator's Guide, 522659-001, page 4-24
2. Note that when a certificate chain is sent from VeriSign, the leaf certificate is the certificate that follows the text SERVER SUBSCRIBER CERTIFICATE, and the intermediate certificate is the certificate that follows the text INTERMEDIATE CA CERTIFICATE.

3. Store the leaf and intermediate certificates as follows:

   - Store the leaf certificate, including the lines labeled -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, in the designated certificate file (cert.txt in the example) using the keyadmin command as shown in the following example:

         keyadmin -addcert cert.txt

   - Store the intermediate certificate, including the lines labeled -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, in the designated intermediate certificate file (intermediate.txt in the example) using the keyadmin command as shown in the following example:

         keyadmin -addcert intermediate.txt

   For details about adding certificates using keyadmin, see Adding a Certificate to the Key Database File on page 4-11.
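As an added example (not code from the guide or from the keyadmin tool), the following Python script splits a VeriSign-style chain mailing into cert.txt and intermediate.txt using the label text described in step 2, and checks that each block is intact PEM before it is handed to keyadmin -addcert. The label names and file names come from the guide; the sample mailing and its base64 bodies are constructed placeholders.

```python
"""Split a VeriSign-style certificate chain mailing into cert.txt and
intermediate.txt for 'keyadmin -addcert'. Added example, not part of the
iTP Secure WebServer guide or its tools; it assumes the first PEM block
after each label text belongs to that label, as the guide describes."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Label text (as described in the guide) -> file name used in its keyadmin examples.
LABELS = {
    "SERVER SUBSCRIBER CERTIFICATE": "cert.txt",
    "INTERMEDIATE CA CERTIFICATE": "intermediate.txt",
}
_PEM = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def pem_block_after(text, label):
    """Return the first PEM block after `label`, BEGIN/END lines included."""
    start = text.find(label)
    if start < 0:
        raise ValueError(f"label not found: {label}")
    match = _PEM.search(text, start)
    if match is None:
        raise ValueError(f"no PEM block follows {label}")
    # Reject a truncated or mangled block before it reaches the key database.
    base64.b64decode("".join(match.group(1).split()), validate=True)
    return match.group(0) + "\n"

def split_chain(text):
    """Map destination file name -> PEM text for each labelled certificate."""
    blocks = {fname: pem_block_after(text, label) for label, fname in LABELS.items()}
    if blocks["cert.txt"] == blocks["intermediate.txt"]:
        raise ValueError("leaf and intermediate labels point at the same block")
    return blocks

# Constructed sample mailing; the base64 bodies are placeholders, not real certificates.
LEAF_B64 = base64.b64encode(b"constructed leaf certificate placeholder").decode()
INTER_B64 = base64.b64encode(b"constructed intermediate CA placeholder").decode()
SAMPLE_CHAIN = (
    "Your certificate chain follows.\n\nSERVER SUBSCRIBER CERTIFICATE\n\n"
    f"{BEGIN}\n{LEAF_B64}\n{END}\n\nINTERMEDIATE CA CERTIFICATE\n\n"
    f"{BEGIN}\n{INTER_B64}\n{END}\n"
)

if __name__ == "__main__":
    for fname, pem in split_chain(SAMPLE_CHAIN).items():
        with open(fname, "w") as fh:
            fh.write(pem)
        print(f"keyadmin -addcert {fname}")  # run this on the NonStop system
```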
Managing Client Authentication
For SSL 3.0 the server always authenticates itself to its clients. However, you can configure the server to request or require the web client to authenticate itself to the server.

The AcceptSecureTransport configuration directive accepts two options for specifying how the server controls client authentication:

   -requestauth   The server requests that the web client present a certificate, and the web client can choose to do so.

   -requireauth   The server requires that the web client present its certificate and terminates communication if the web client declines.

Client authentication does not occur unless you specify either the -requestauth or -requireauth option. Specifying one of these options allows you to use the web client's authentication information in Region configuration directives to restrict access to the iTP Secure WebServer. Client authentication can be set by using the RequireSecureTransport -auth command or by accessing specific Region variables and restricting access based on these variables.

After the iTP Secure WebServer requests and receives the web client certificate from the web client as either an individual certificate or as a certificate chain, it performs the following steps for client authentication:

1. Builds an internal certificate chain using what the web client has returned (a certificate for SSL 2.0 or PCT, or a certificate chain for SSL 3.0).