iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)

Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide 522659-001
2. Attempts to back-build the internal certificate chain by retrieving issuer certificates from the certificate database and adding them to the internal certificate chain. The chain is built until the server either retrieves a certificate that is marked as root from the database or it cannot find an issuer of a certificate on the chain in the database.
3. Verifies each certificate in the chain, starting with the leaf, to ensure that the chain is well-formatted, is in its validity period, follows the Basic Constraints and Key Usage extensions rules, and has a valid signature that was issued by its successor in the chain.
4. Stores the results of this verification in the various Tool Command Language/Common Gateway Interface (Tcl/CGI) variables.
5. Appends the appropriate log messages to the Extended Log File (ELF) entry.
From this point, the server’s action depends on its specific configuration, as shown in the list of variable settings in Using the -requestauth Option below.
Using the -requireauth Option
When you set the -requireauth option, and the web client supplies an invalid certificate (for example, if the certificate does not exist, contains an error, is forged or expired, or is issued by a CA that is unknown to the server), the server always refuses the connection request from the web client, then logs error messages to the error and extended log files.
When the web client supplies a valid certificate, the server allows the connection and sets the HTTPS_CLIENT_STATUS variable to valid. The server also sets all the other HTTPS_CLIENT Tcl/CGI variables at the same time. For information about these Tcl/CGI variables, see Passing CGI Environment Variables on page 8-11.
Using the -requestauth Option
When you set the -requestauth option, the server always allows the web client connection, regardless of the state of the client certificate. In addition, the server sets the HTTPS_CLIENT_STATUS variable to reflect the status of the client certificate (if the certificate is valid or invalid). The server sets the variable to one of the following values:
No certificate        The certificate does not exist.
Error in certificate  The certificate contains an error.
Not verified          The certificate is issued by a CA that is unknown to the server.
Forged                The certificate is forged.
Not valid yet         The server requested and received the client certificate or a certificate chain, but the begin date of the certificate is a future date.
Expired               The certificate is expired.
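The following is an added illustration, not code from the iTP Secure WebServer, of how steps 2 through 4 above relate to the HTTPS_CLIENT_STATUS values listed under -requestauth: the chain is back-built from the client certificate through the database until a root is reached or an issuer is missing, then verified leaf-first. The certificate record, the database shape, the key labels and the hash-based stand-in for signature checking are all assumptions made for the example, and the order in which the individual checks are applied is not taken from the manual.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed certificate model, not the server's own record format. is_ca = Basic Constraints cA flag,
# key_cert_sign = Key Usage keyCertSign bit, is_root = "marked as root" in the database, pubkey = key label.
Cert = namedtuple("Cert", "subject issuer not_before not_after pubkey is_ca key_cert_sign is_root signature", defaults=(False, False, False, ""))
def _sig(c, issuer):
    # Stand-in for a real signature: a hash binding the to-be-signed fields to the issuer's key label.
    tbs = f"{c.subject}|{c.issuer}|{c.not_before}|{c.not_after}|{c.pubkey}|{c.is_ca}|{c.key_cert_sign}"
    return hashlib.sha256(f"{tbs}#{issuer.pubkey}".encode()).hexdigest()
def issue(c, issuer): return c._replace(signature=_sig(c, issuer))
def build_chain(leaf, db):
    # Step 2: follow issuer links until a root is retrieved or the issuer is not in the database.
    chain = [leaf]
    while not chain[-1].is_root:
        issuer = db.get(chain[-1].issuer)
        if issuer is None or issuer.subject == chain[-1].subject:  # unknown, or self-signed non-root
            break
        chain.append(issuer)
    return chain

def client_status(leaf, db, now):
    # Steps 3-4, leaf first, mapped to the HTTPS_CLIENT_STATUS values; the check order is an assumption.
    if leaf is None:
        return "No certificate"
    chain = build_chain(leaf, db)
    if not chain[-1].is_root:
        return "Not verified"              # chain does not reach a CA the server knows
    for i, c in enumerate(chain):
        if i > 0 and not (c.is_ca and c.key_cert_sign):
            return "Error in certificate"  # issuer violates the Basic Constraints / Key Usage rules
        if now < c.not_before:
            return "Not valid yet"
        if now > c.not_after:
            return "Expired"
        if i + 1 < len(chain) and c.signature != _sig(c, chain[i + 1]):
            return "Forged"                # not signed by its successor in the chain
    return "valid"

def demo():
    # Constructed sample chain Root CA -> Sub CA -> client leaf, plus failure variants.
    t0, y = datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=365)
    root = Cert("Root CA", "Root CA", t0, t0 + 10 * y, "k-root", True, True, True)
    ica = issue(Cert("Sub CA", "Root CA", t0, t0 + 5 * y, "k-sub", True, True), root)
    leaf = issue(Cert("client-1", "Sub CA", t0, t0 + y, "k-cli"), ica)
    db, now = {root.subject: root, ica.subject: ica}, t0 + timedelta(days=30)
    return {"ok": client_status(leaf, db, now), "none": client_status(None, db, now),
            "expired": client_status(leaf, db, t0 + 2 * y), "future": client_status(leaf, db, t0 - y),
            "forged": client_status(leaf._replace(subject="client-2"), db, now),
            "unknown_ca": client_status(leaf, {root.subject: root}, now)}
```

Under -requireauth only the "valid" outcome ever reaches a CGI script; under -requestauth the script receives every outcome and must decide for itself.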