iTP Secure WebServer System Administrator's Guide (Version 7.0)

Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide 523346-012, page 4-34
Controlling Access and Privacy
With SSL and PCT, all connections between a Web client and the server are
encrypted. A Web client can verify the server’s identity by using the server’s public-key
certificate. As described previously, you also can request or require a Web client to
authenticate itself to the server.
To control server access and privacy, you can:
Specify Region commands to control server responses
Use SSL and PCT variables to access information within CGI programs
Specifying Content Access Using the Region Command
You use the Region directive’s RequireSecureTransport command to mandate
that only SSL or PCT connections can access particular regions of content. For
example, if you need to protect all your secret recipes from eavesdropping, you could
use the RequireSecureTransport command:
Region /recipes/* {
RequireSecureTransport
}
In this example, all requests for objects in the /recipes region on the server must be
made using SSL or PCT.
You can further restrict access by using the -auth option of the
RequireSecureTransport command to require that client authentication occurs, as
in this example:
Region /recipes/* {
RequireSecureTransport -auth
}
In this example, only clients that have been authenticated using SSL or PCT are
allowed access to objects in the /recipes/top-secret region on the server. (For a full
description of the Region command, see Region on page A-49.)
You also can use CGI environment variables in Region commands; all security-related
CGI variables are available there. For example, the following command allows access
only to clients whose session keys are exactly 128 bits long:
Region /* {
if {$HTTPS_KEYSIZE != 128} {Deny}
}
Following is another example, using the Web client’s DN:
set goodusers {CN=User 1, OU=Persona Certificate, O="RSA Data Security, Inc.", C=US}
lappend goodusers {CN=User 2, OU=Persona Certificate, O="RSA Data Security, Inc.", C=US}
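The following Python script is an added illustration of how the Region rules shown in this section combine on a single request; it is not iTP Secure WebServer code and it does not parse the Tcl-style configuration. It models the four checks the text describes (RequireSecureTransport, RequireSecureTransport -auth, a test on HTTPS_KEYSIZE, and a DN allowlist built with set and lappend) and evaluates them against constructed requests. Glob matching of Region patterns, the first-Deny-wins ordering, and field names such as client_dn are assumptions of this model, not documented iTP behaviour.

```python
"""Constructed model of Region access rules (added example, not iTP product code).

Each Region carries the checks named in this section; evaluate() applies every
Region whose pattern matches the request path and reports the first Deny with
a reason that can be written to an audit log.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    path: str                   # requested object, e.g. /recipes/soup
    secure: bool                # True if the connection is SSL or PCT
    client_authenticated: bool  # True if the client presented a valid certificate
    keysize: int                # value of HTTPS_KEYSIZE (0 on a plaintext connection)
    client_dn: str = ""         # subject DN of the client certificate (assumed field name)


@dataclass
class Region:
    pattern: str                               # as in "Region /recipes/*" (glob matching is assumed)
    require_secure: bool = False               # RequireSecureTransport
    require_auth: bool = False                 # RequireSecureTransport -auth
    required_keysize: Optional[int] = None     # if {$HTTPS_KEYSIZE != N} {Deny}
    allowed_dns: List[str] = field(default_factory=list)  # goodusers list; empty = no DN check


def evaluate(regions: List[Region], req: Request) -> Tuple[bool, str]:
    """Apply every matching Region in order; the first Deny wins (assumed ordering)."""
    for region in regions:
        if not fnmatch.fnmatchcase(req.path, region.pattern):
            continue
        if region.require_secure and not req.secure:
            return False, f"{region.pattern}: RequireSecureTransport"
        if region.require_auth and not req.client_authenticated:
            return False, f"{region.pattern}: RequireSecureTransport -auth"
        if region.required_keysize is not None and req.keysize != region.required_keysize:
            return False, f"{region.pattern}: HTTPS_KEYSIZE != {region.required_keysize}"
        if region.allowed_dns and req.client_dn not in region.allowed_dns:
            return False, f"{region.pattern}: client DN not in goodusers"
    return True, "allowed"


# Constructed equivalents of the section's examples.
GOODUSERS = [
    'CN=User 1, OU=Persona Certificate, O="RSA Data Security, Inc.", C=US',
    'CN=User 2, OU=Persona Certificate, O="RSA Data Security, Inc.", C=US',
]

REGIONS = [
    # Region /recipes/* { RequireSecureTransport -auth } plus the goodusers DN check
    Region("/recipes/*", require_secure=True, require_auth=True, allowed_dns=GOODUSERS),
    # Region /* { if {$HTTPS_KEYSIZE != 128} {Deny} }
    Region("/*", required_keysize=128),
]


def check(path: str, secure: bool, authenticated: bool, keysize: int, dn: str = "") -> Tuple[bool, str]:
    """Evaluate one constructed request against REGIONS."""
    return evaluate(REGIONS, Request(path, secure, authenticated, keysize, dn))


if __name__ == "__main__":
    # Constructed requests: a plaintext and an SSL visit to a public page, then
    # the /recipes region with and without client authentication and a listed DN.
    cases = [
        ("/index.html", True, False, 128, ""),
        ("/index.html", False, False, 0, ""),
        ("/recipes/soup", False, False, 0, ""),
        ("/recipes/soup", True, False, 128, ""),
        ("/recipes/soup", True, True, 128, 'CN=User 3, OU=Persona Certificate, O="RSA Data Security, Inc.", C=US'),
        ("/recipes/soup", True, True, 128, GOODUSERS[0]),
    ]
    for path, secure, auth, keysize, dn in cases:
        allowed, reason = check(path, secure, auth, keysize, dn)
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{path:14} secure={secure!s:5} auth={auth!s:5} keysize={keysize:3} -> {verdict} ({reason})")
```

Note that the site-wide key-size rule on /* also rejects plaintext requests to public pages, because a plaintext connection has no 128-bit session key; in this model that denial is reported before any region-specific rule, which is the kind of interaction worth confirming in the server's access log when rules are layered.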