iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-002
Updating SSL and PCT Configuration
Once you have generated the public/private key pair, installed the certificate, and
changed the key database file password, you must update the configuration file
httpd.stl.config with this new information and with the DN you used when running the
keyadmin utility. This file is located in the /usr/tandem/webserver/conf directory.
The contents of httpd.stl.config are shown in Example 4-3. Brief descriptions of
its directives follow the example. Refer to Appendix A, Configuration Directives, for a
complete description of the directives.
Valid certificate but root certificates don't match:
The server requested client authentication and received a client certificate chain
that contains X.509 version 3 certificates. The public key contained within the root
certificate of the chain provided by the web client matches the public key from the
root certificate in the key database file, but one or more other fields within the two
certificates do not match. This condition usually happens when the root certificate
has been renewed, but either the web client or the key database file has not been
updated with the new certificate.

Valid certificate:
The server requested and received a client certificate or client certificate chain,
and all previous checks have passed.
Note. If the iTP Secure WebServer finds one or more errors when validating a certificate, it
reports the first error only.
Example 4-3. Sample Secure Transport httpd.stl.config File
# httpd.stl.config
# Configure the required Secure Transport information
#
# Disable transmission of SSLv3 close_notify alert messages to
# Microsoft browsers.
#
Region /* {
    if {[info exists HEADER(user-agent)]
        && [string match "*MSIE*" $HEADER(user-agent)]} {
        DisableCloseNotify
    }
}

KeyDatabase $root/conf/test_key.db
ServerPassword WebServer
AcceptSecureTransport -transport /G/ZTC0 -port 443 -cert
    {CN=Test Key, OU=Testing Only, O="Tandem Computers,Inc.",
     ST=California,C=US}

Region /*/ssl-sample-dir {
    RequireSecureTransport
}
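The text above says the KeyDatabase, ServerPassword and AcceptSecureTransport directives must carry the new key database, its password and the exact DN given to keyadmin. The following Python script is an added example, not part of the iTP Secure WebServer product or this guide: it reads a copy of the Example 4-3 directives (embedded below as constructed sample input), handles the brace-enclosed DN that wraps onto a second line, and reports the checks an administrator would want before restarting the server, including whether the -cert DN matches the DN used with keyadmin. The Tcl-style directive syntax it assumes (name followed by arguments, {...} groups that may span lines, Region bodies in braces) is inferred from Example 4-3 alone.

```python
"""Parse an httpd.stl.config fragment and audit its Secure Transport settings.

Added example, not iTP Secure WebServer code.  The directive syntax it accepts
is an assumption drawn from Example 4-3 of the guide."""

# Constructed sample input: the directives of Example 4-3.
SAMPLE_CONFIG = """\
# httpd.stl.config (constructed copy of the guide's Example 4-3 directives)
Region /* {
    if {[info exists HEADER(user-agent)]
        && [string match "*MSIE*" $HEADER(user-agent)]} {
        DisableCloseNotify
    }
}
KeyDatabase $root/conf/test_key.db
ServerPassword WebServer
AcceptSecureTransport -transport /G/ZTC0 -port 443 -cert
{CN=Test Key, OU=Testing Only, O="Tandem Computers,Inc.",
ST=California,C=US}
Region /*/ssl-sample-dir {
    RequireSecureTransport
}
"""


def logical_lines(text):
    """Split config text into directive lines.  A newline ends a directive only at
    brace depth 0 and outside quotes; if the next non-blank line starts with '{'
    (the wrapped -cert DN in Example 4-3) it is joined to the current directive.
    Lines starting with '#' are comments and are dropped first."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    lines, buf, depth, in_quote = [], [], 0, False
    for i, ch in enumerate(text):
        if in_quote:
            buf.append(ch)
            in_quote = ch != '"'
        elif ch == '"' and depth == 0:
            in_quote = True
            buf.append(ch)
        elif ch == "{":
            depth += 1
            buf.append(ch)
        elif ch == "}":
            depth -= 1
            buf.append(ch)
        elif ch == "\n" and depth == 0:
            if text[i + 1:].lstrip(" \t").startswith("{"):
                buf.append(" ")          # brace group continues this directive
            else:
                line = "".join(buf).strip()
                if line:
                    lines.append(line)
                buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        lines.append(tail)
    return lines


def tokenize(line):
    """Split a directive line into words; a {...} group becomes one word with its
    outer braces removed, and a "..." string stays inside its word."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "{":
            depth, j = 0, i
            while j < n:
                depth += {"{": 1, "}": -1}.get(line[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced braces in: " + line)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j, in_quote = i, False
            while j < n and (in_quote or not line[j].isspace()):
                in_quote ^= line[j] == '"'
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_config(text):
    """Return directives as (name, args, body); body is the recursively parsed
    content of a Region block and None for every other directive."""
    directives = []
    for line in logical_lines(text):
        words = tokenize(line)
        name, args, body = words[0], words[1:], None
        if name == "Region" and args:
            body, args = parse_config(args[-1]), args[:-1]
        directives.append((name, args, body))
    return directives


def parse_dn(dn):
    """Split 'CN=a, O="x,y", C=US' into [(ATTR, value), ...], keeping commas that
    sit inside double-quoted values, so two DNs compare attribute by attribute."""
    parts, buf, in_quote = [], [], False
    for ch in dn:
        in_quote ^= ch == '"'
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().strip('"')))
    return rdns


def secure_transport_settings(directives):
    """Collect KeyDatabase, ServerPassword and each AcceptSecureTransport listener
    (its -transport/-port/-cert options, the DN already parsed)."""
    s = {"key_database": None, "server_password": None, "listeners": []}
    for name, args, _ in directives:
        if name == "KeyDatabase" and args:
            s["key_database"] = args[0]
        elif name == "ServerPassword" and args:
            s["server_password"] = args[0]
        elif name == "AcceptSecureTransport":
            opts, it = {}, iter(args)
            for a in it:
                if a.startswith("-"):
                    opts[a[1:]] = next(it, None)
            if "cert" in opts:
                opts["cert"] = parse_dn(opts["cert"])
            s["listeners"].append(opts)
    return s


def audit(text, expected_dn=None):
    """Return findings: missing directives, listeners without -cert, and a -cert DN
    that differs from the DN used with keyadmin (expected_dn, when given)."""
    s = secure_transport_settings(parse_config(text))
    findings = []
    if not s["key_database"]:
        findings.append("KeyDatabase directive missing")
    if not s["server_password"]:
        findings.append("ServerPassword directive missing")
    if not s["listeners"]:
        findings.append("no AcceptSecureTransport directive")
    for lst in s["listeners"]:
        if "cert" not in lst:
            findings.append("AcceptSecureTransport without -cert")
        elif expected_dn is not None and lst["cert"] != parse_dn(expected_dn):
            findings.append("-cert DN does not match the keyadmin DN")
    return findings


if __name__ == "__main__":
    keyadmin_dn = 'CN=Test Key, OU=Testing Only, O="Tandem Computers,Inc.", ST=California, C=US'
    print(audit(SAMPLE_CONFIG, expected_dn=keyadmin_dn) or "no findings")
```

Because ServerPassword is stored in the file in clear text, as the sample shows, the same review should confirm that httpd.stl.config is readable only by the account that runs the server.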