hp e3000 hp webwise mpe/ix secure web server webwise secure web server Presented by Mark Bixby mark_bixby@hp.

prerequisite knowledge
• General Apache knowledge
• POSIX shell basics
• Hierarchical File System basics
Solution Symposium April 4, 2002 Page 2

webwise A.03.00 product overview
• A.01.00 released as a separately purchasable product for 6.5
• A.03.00 now bundled into 7.5 FOS as a drop-in replacement for Apache A.02.00
• adds SSL encryption and X.

webwise A.03.00 is built from…
• Apache 1.3.22
• Mod_ssl 2.8.5 SSL/TLS encryption module
• MM 1.1.3 shared memory library
• OpenSSL 0.9.6b general purpose SSL/TLS and crypto toolkit
• RSA BSAFE Crypto-C 5.

new apache functionality since 1.3.14
• mostly bug fixes & portability enhancements
• LogFormat %c for logging connection status at request completion
• mod_auth file-owner and file-group authentication enforcement
• rotatelogs utility supports date/timestamp references in logfile names
• Apache manual pages moved outside of the htdocs DocumentRoot; i.e.

webwise changes since A.01.00
• Apache 1.3.9 updated to 1.3.22
• child processes run as WWW.APACHE instead of SECURE.APACHE; may have file ownership and permissions implications!
• uses the same V.UU.FF-based file layout scheme as Apache A.02.00 (the old SECURE.APACHE group is not modified or referenced by A.03.

migrating from previous versions of apache or webwise
• Create new JHTTPD from JHTTPD.sample
• Create new config files from corresponding *.sample files
• Copy existing WebWise A.01.00 server key and certificate to new A.03.00 locations
• Copy existing WebWise A.01.00 htdocs content and cgi-bin scripts from /APACHE/SECURE to the new A.03.00 /APACHE/PUB locations, or modify the new A.03.00 config files to refer to the old A.01.

migrating to hpux
• WebWise on MPE shares the same core architecture as the Apache bundle on HPUX
• 100% upward compatible
• a few additional standard Apache modules on HPUX
• extra HP modules on HPUX for integration with other HPUX products

mod_ssl is...
• The heart of WebWise
• encrypted TCP connections
• client and server X.509 authentication
• Consists of:
  • Patches to extend the Apache API (EAPI)
  • the mod_ssl module
  • bin/sign.

mod_ssl is NOT…
• a substitute for a firewall
• a substitute for good host security practices
• a substitute for good application security practices
• a substitute for good human security practices

definitions: secure sockets layer (ssl)
• A protocol layer between any application stream protocol (such as HTTP) and TCP that allows secure communications via encryption, digests, signatures, and authentication
• SSLv2.0 - vendor standard from Netscape
• SSLv3.

definitions: secure sockets layer (cont.

definitions: transport layer security (tls)
• An evolution of SSLv3.

definitions: key
• A really big random number (1024 bits)
• 40 bits? 56 bits? 128 bits? 1024 bits? SAY WHAT???
• Split into two mathematically related components:
  • private key
  • public key
• A key establishes your identity -- protect it! (chmod 400 and pass phrase)
• Both servers and clients have keys
• RSA keys/algorithm defined by RFC 2437

definitions: private key
• Uniquely identifies you
• Protect it with your life!
• You use it to:
  • create digital signatures
  • create digital certificates
  • decrypt data sent to you that was encrypted with your public key

definitions: public key
• Allows the public to send you encrypted data which only you can decrypt with your private key
• Your public key is also included in your certificate

definitions: message digest
• Short, fixed-length representation of longer, variable-length messages (hash)
• Can’t determine original msg from digest
• No two messages have the same digest
• Digest algorithms:
  • MD5 (128-bit hash)
  • SHA1 (160-bit hash)

definitions: digital signature
• Message digest (plus sequence number) encrypted with sender’s private key
• Alter the message and the digest won’t match
• Alter the digest and the public key decryption won’t work

definitions: certificate
• Validates your identity to others
• Format defined by X.

definitions: certificate authority (ca)
• A trusted agency that issues certificates
• Validates the identity of a person requesting a certificate
• The CA signs the certificate request with their own CA certificate, thus creating a certificate for the requestor
• CA certificate may be self-signed (root-level), or signed by a higher CA
• You can be your own CA!

definitions: certificate authority (cont.

msie5.

netscape 6.2.

definitions: certificate signing request (csr)
• What you send to a CA in order to request a certificate
• Contains:
  • your identity (name, company, locality, etc)
  • your public key
• The CA signs your CSR with the CA certificate, resulting in your certificate

definitions: certificate chain
• Every certificate is signed by a CA
• CA certificates are signed by other CAs
• A chain of valid CA signatures (assumes trust is inherited)

definitions: certificate revocation list (crl)
• A list of certificates that a CA has revoked (i.e.

mod_ssl configuration directives
sslengine (required)
• Specifies whether SSL/TLS is enabled; typically used inside
• on: SSL/TLS is enabled
• off: SSL/TLS is disabled

sslmutex (required)
• Specifies the method of synchronization used between WebWise children
• none - use at your own risk!
• File:/path/to/mutex - uses fcntl() locking on the specified filename with the parent PID appended for uniqueness
• sem - not implemented for MPE!

sslrandomseed (required)
• SSLRandomSeed context source [bytes]
• Seeds the Pseudo Random Number Generator (PRNG)
• Context is either “startup” or “connect”
• Sources:
  • builtin - current time, process id, and 1KB of random scoreboard data
  • file:/path/to/source - reads from a file
  • exec:/path/to/program - reads from program stdout

sslsessioncache (recommended)
• Specifies the SSL session cache method used to avoid repeated (slow) SSL handshaking
• none - no cache; terrible performance
• dbm:/path/to/datafile - disk file cache
• shmht:/path/to/datafile(size) - shared memory cache hash table (file not created on MPE)
• shmcb:/path/to/datafile(size) - shared memory cache cyclic buffers (file not created on MPE); best performance!

sslsessioncachetimeout (optional)
• Specifies the session cache timeout in seconds
• Default is 300

sslprotocol (optional)
• Specifies accepted SSL protocols
• + or - syntax like Options
• Default is all
• SSLv2
• SSLv3
• TLSv1
• All
• SSLProtocol All -SSLv2

sslciphersuite (optional)
• Specifies the ordered list of ciphers to be negotiated during the SSL handshake
• Default: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
• 128-bit RC4 will be chosen first
• /APACHE/CURRENT/bin/openssl ciphers -v will list all available ciphers

sslcertificatekeyfile (required)
• Specifies the server key file
• /APACHE/PUB/conf/ssl.key/server.

sslpassphrasedialog (recommended)
• How to obtain the pass phrase for encrypted private keys
• builtin - read the pass phrase from $STDIN after !RUN HTTPD
• exec:/path/to/program - program prints pass phrase to $STDLIST; two parms:
  • servername:portname
  • RSA or DSA
• Protect the pass phrase!
• Whoever knows the pass phrase can get your key!

sslcertificatefile (required)
• Specifies the web server certificate file
• /APACHE/PUB/conf/ssl.crt/server.

sslcertificatechainfile (optional)
• Specifies the all-in-one file containing the concatenated CA certificates of all CA signers between the server certificate and the CA root
• Makes it easier for browsers to validate your server certificate

sslcacertificatefile (optional)
• Specifies the all-in-one file containing the concatenated CA certificates that might have been used to sign the certificates of your clients
• This directive and/or SSLCACertificatePath is required for client authentication

sslcacertificatepath (optional)
• Specifies the directory containing all of the individual CA certificates that might have been used to sign the certificates of your clients
• Hash symlinks must be present in this directory
• /APACHE/PUB/conf/ssl.

sslcarevocationfile (optional)
• Specifies the all-in-one file containing the concatenated CRLs of all of the CAs that might have signed the certificates of your clients
• This directive or SSLCARevocationPath is recommended for client authentication

sslcarevocationpath (optional)
• Specifies the directory containing all of the individual CRLs of all of the CAs that might have signed the certificates of your clients
• Hash symlinks must be present in this directory
• /APACHE/PUB/conf/ssl.

sslverifyclient (optional)
• Specifies the type of client certificate authentication desired
• none: no client certificate is required
• optional: the client may present a valid certificate
• require: the client must present a valid certificate
• optional_no_ca: the client may present a certificate, but it doesn’t have to be valid
• “optional” doesn’t work with all browsers, and “optional_no_ca” is really for testing

sslverifydepth (optional)
• Specifies the maximum number of CA certificates to be used when validating the client certificate
• 0 means that only self-signed client certificates are accepted
• 1 (default) means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server, etc, etc

ssllog (required)
• Specifies the mod_ssl log file
• Serious errors are duplicated to the ErrorLog
• |/path/to/program or /path/to/file

sslloglevel (optional)
• Specifies the logfile verbosity fence
• none - no dedicated logging, but “error” messages still written to ErrorLog
• error - fatal messages
• warn - non-fatal messages
• info - major processing steps
• trace - minor processing steps
• debug - very VERY verbose!

sslrequiressl (optional)
• Forbids access unless SSL is being used for this connection
• Useful for protecting against exposing sensitive data over non-SSL connections

sslrequire (optional)
• Allow access only if an arbitrarily complex boolean expression is true
• SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
      and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
      and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
      and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5
      and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20)
      or %{REMOTE_ADDR} =~ m/^192\.76\.162\.

ssloptions (optional)
• Specifies various SSL-related runtime options
• Similar to Options directive
• StdEnvVars - creates SSL-related environment variables for CGI/SSI applications; expensive!
• CompatEnvVars - creates extra environment variables for compatibility with other Apache-based SSL servers

ssloptions (cont.)
• ExportCertData - creates environment variables containing applicable X.

ssloptions (cont.)
• OptRenegotiate - by default, every per-directory SSL parameter reconfiguration causes a full SSL renegotiation handshake (slow!). This option tries to be more granular, but may cause unexpected results.
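
An added example, not part of the original slides or the WebWise product: a shell/awk lint that reads an httpd.conf and reports the mod_ssl settings the directive slides single out (SSLv2 left enabled, the LOW/SSLv2/EXP entries of the default cipher list, SSLMutex none, SSLVerifyClient optional_no_ca). The function name audit_modssl and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example (not WebWise code). It treats the file as flat: <VirtualHost>
# nesting and Include are ignored. The cipher check is a string heuristic that
# only counts a "!" entry as an exclusion; "openssl ciphers -v" on the real
# list is the authoritative answer.

audit_modssl() {    # audit_modssl [FILE]: reads stdin when FILE is omitted
    awk '
    function warn(msg) { print "line " NR ": " msg; bad++ }
    /^[ \t]*#/ || NF == 0 { next }
    { d = tolower($1); v = tolower($2) }
    d == "sslengine" && v == "on" { engine = 1 }
    d == "sslprotocol" {
        # Tokens apply left to right: +X adds, -X removes, a bare X replaces.
        seen_proto = 1; v2 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i); op = substr(t, 1, 1)
            if (op == "+" || op == "-") t = substr(t, 2); else op = "="
            hit = (t == "all" || t == "sslv2")
            if (op == "=") v2 = hit
            else if (hit) v2 = (op == "+")
        }
        if (v2) warn("SSLProtocol leaves SSLv2 enabled")
    }
    d == "sslciphersuite" {
        seen_cipher = 1; spec = ""; gaps = ""
        for (i = 2; i <= NF; i++) spec = spec $i
        gsub(/"/, "", spec); gsub(/!EXPORT/, "!EXP", spec)
        spec = ":" spec ":"
        n = split("EXP LOW SSLv2 ADH", weak, " ")
        for (i = 1; i <= n; i++)
            if (!index(spec, ":!" weak[i] ":") &&
                (index(spec, ":ALL:") || index(spec, weak[i])))
                gaps = gaps " " weak[i]
        if (gaps != "") warn("SSLCipherSuite lacks a ! exclusion for:" gaps)
    }
    d == "sslmutex" && v == "none" { warn("SSLMutex none: no locking between children") }
    d == "sslverifyclient" && v == "optional_no_ca" {
        warn("SSLVerifyClient optional_no_ca accepts certificates it cannot validate")
    }
    END {
        if (engine && !seen_proto)  { print "default: SSLProtocol unset, SSLv2 accepted"; bad++ }
        if (engine && !seen_cipher) { print "default: SSLCipherSuite unset, LOW/SSLv2/EXP offered"; bad++ }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample input: settings the slides warn about or list as defaults.
sample_weak_conf() {
    cat <<'EOF'
SSLEngine on
SSLMutex none
SSLProtocol All
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLVerifyClient optional_no_ca
EOF
}

# Constructed sample input: the same directives tightened (2002-era cipher names).
sample_tight_conf() {
    cat <<'EOF'
SSLEngine on
SSLMutex file:/path/to/mutex
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLVerifyClient require
EOF
}

# Usage: sample_weak_conf | audit_modssl    or    audit_modssl conf/httpd.conf
```

The function exits non-zero when it reports anything, so it can gate a configuration change before the server is restarted.
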

custom log formats
• Extra format function for use by the mod_log_custom module
• %{varname}x - inserts the value of the varname env variable into the message
• CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

accounting structure
• Same scheme as Apache 1.3.14 A.02.00:
  • APACHE account (PM)
  • PUB group (PM)
  • V.UU.

directory & file structure
• Same scheme as Apache 1.3.14 A.02.00
• All files owned & managed by MGR.

new files and directories compared to apache
• bin/openssl - general crypto utility
  • supported for key/cert management only
  • add /APACHE/CURRENT/bin to PATH
• bin/sign.

new files and directories compared to apache (cont.)
• conf/ssl.crl/ - CRL directory
• conf/ssl.crt/ - certificate directory
  • protect directory with chmod 700
  • server.crt - server certificate (chmod 400)
  • Sensitive data! Protect it!
• conf/ssl.csr/ - CSR directory
• conf/ssl.key/ - key directory
  • protect directory with chmod 700
  • server.

new files and directories compared to apache (cont.)
• logs/ssl_engine_log - the SSL error_log
• logs/ssl_request_log - the SSL access_log
  • includes protocol and cipher used
• logs/ssl_mutex.

version information
• HTTPD -v (same as Apache)
    Server version: Apache/1.3.22 (HP MPE/iX WebWise A.03.00)
    Server built: Jan 15 2002 15:47:50
• bin/openssl version
    OpenSSL 0.9.

server configuration
• Copy sample files to normal names
  • /APACHE/PUB/JHTTPD.sample
  • conf/access.conf.sample, httpd.conf.sample, magic.sample, mime.types.sample, srm.conf.sample
  • conf/ssl.crt/server.crt.sample (test only!)
  • conf/ssl.key/server.key.

browser configuration
• MSIE allows you to enable/disable SSLv2.0, SSLv3.0, and TLSv1.0; no cipher choice
• Netscape allows you to enable/disable SSLv2.0, SSLv3.0, TLSv1.

browser configuration - msie5.

browser configuration – netscape 6.2.

browser configuration – netscape 6.2.1 (cont.

creating the server key
• conf/ssl.key/server.key.

creating the server key (cont.)
• $ cd conf/ssl.key
• $ openssl genrsa -rand /SYS/PUB/HPSWINFO \
      -des3 -out server.key 1024
    unable to load 'random state'
    28199 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ................+++++
    .................

creating the server key (cont.

creating the server key (cont.)
• $ openssl rsa -noout -text -in server.key
  • displays details about the newly created key
• $ chmod 400 server.

server key pass phrase
• SSLPassPhraseDialog builtin
• HTTPD reads pass phrase from stdin (i.e.

creating the server csr
• Identifies the company and the server
• Attributes chosen here are visible to browser users, so choose carefully

creating the server csr (cont.)
• $ cd conf/ssl.csr
• $ openssl req -new -key ../ssl.key/server.key \
      -out server.csr
    Country Name (2 letter code) [AU]:US
    State or Prov Name (full name) []:My State
    Locality Name (eg, city) []:My City
    Organization Name (eg, company) []:My Company
    Organizational Unit Name []:My Org
    Common Name []:www.mycompany.com
    Email Address []:webmaster@www.mycompany.

creating the server csr (cont.

creating the server csr (cont.)
• $ openssl req -noout -text -in server.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org, CN=www.mycompany.com/Email=webmaster@www.mycompany.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
• $ chmod 400 server.

get signed by a trusted ca...
• Browsers configured with trusted CAs
  • I.e. www.verisign.com and many others
  • can add additional trusted CAs
• Paste your CSR into a CA web form
• Receive certificate by e-mail, save as conf/ssl.crt/server.

...or become your own ca
• $ cd conf/ssl.key
• $ openssl genrsa -des3 -out ca.key 1024
• $ chmod 400 ca.

...or become your own ca (cont.)
• $ openssl req -new -x509 -days 365 \
      -key ca.key -out ca.crt
    Country Name (2 letter code) [AU]:US
    State or Province Name [Some-State]:My State
    Locality Name (eg, city) []:My City
    Organization Name (eg, company) []:My Company
    Organizational Unit Name []:My Company CA
    Common Name []:Certificate Authority
    Email Address []:ca@mycompany.

...or become your own ca (cont.

...or become your own ca (cont.)
• $ openssl x509 -noout -text -in ca.crt
    Certificate:
        Data:
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
            Validity
                Not Before: Apr 7 23:19:40 2000 GMT
                Not After : Apr 7 23:19:40 2001 GMT
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
• $ chmod 400 ca.

...or become your own ca (cont.)
$ sign.sh ../ssl.csr/server.csr
CA signing: ../ssl.csr/server.csr -> ../ssl.csr/server.crt:
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'My State'
localityName :PRINTABLE:'My City'
organizationName :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
commonName :PRINTABLE:'www.mycompany.com'
emailAddress :IA5STRING:'webmaster@www.mycompany.

...or become your own ca (cont.)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: ../ssl.csr/server.crt <-> CA cert
../ssl.csr/server.

...or become your own ca (cont.)
• $ rm -fR ca.db.*
  • remove temporary files from conf/ssl.key
• $ cd ..
• $ mv ssl.csr/server.crt ssl.crt/server.crt
  • move newly created server certificate into the correct location
• $ mv ssl.key/ca.crt ssl.crt/ca.

installing the server certificate
• $ openssl x509 -noout -text -in ssl.crt/server.crt
    Certificate:
        Data:
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=My State, L=My City, O=My Company, OU=My Company CA, CN=Certificate Authority/Email=ca@mycompany.com
            Validity
                Not Before: Apr 7 23:54:01 2000 GMT
                Not After : Apr 7 23:54:01 2001 GMT
            Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org, CN=www.mycompany.com/Email=webmaster@www.mycompany.

installing the server certificate (cont.)
• Rebuild the symlink hash
• $ cd conf/ssl.crt
• $ make
    ca-bundle.crt ... Skipped
    ca.crt ... dc91dd8e.0
    server.crt ... 2f66b362.0
    snakeoil-ca-dsa.crt ... 0cf14d7d.0
    snakeoil-ca-rsa.crt ... e52d41d0.0
    snakeoil-dsa.crt ... 5d8360e1.0
    snakeoil-rsa.crt ... 82ab5372.0
    zzyzx-ca-rsa.crt ... f28a2a0f.0
• $ chmod 400 server.
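
The key, CSR, own-CA and signing steps from the preceding slides, gathered into one non-interactive script as an added example (not from the original presentation). It assumes a current OpenSSL, so it uses 2048-bit keys, AES-256 key encryption, SHA-256 signatures, a subjectAltName and openssl x509 -req where the slides use 1024-bit keys, -des3, MD5 signatures and sign.sh; make_test_chain and check_chain are hypothetical names.

```sh
#!/bin/sh
# Added example, not taken from the slides. Assumptions that differ from them:
# 2048-bit keys, AES-256 key encryption, SHA-256 signatures, a subjectAltName,
# and "openssl x509 -req" doing the signing in place of the bundled sign.sh.

# make_test_chain DIR CN PASSFILE
#   DIR must not already hold keys; PASSFILE is an absolute path to a file
#   whose first line is the pass phrase (a constructed one for a test run).
make_test_chain() {
    dir=$1 cn=$2 pass="file:$3"
    (
        umask 077        # nothing written below is group- or world-readable
        mkdir -p "$dir" && cd "$dir" || exit 1
        # Private request config: no prompts, no dependency on openssl.cnf.
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = US
O = My Company
OU = My Company CA
CN = Certificate Authority
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # 1. CA key and self-signed CA certificate.
        openssl genrsa -aes256 -passout "$pass" -out ca.key 2048 2>/dev/null &&
        openssl req -new -x509 -sha256 -days 365 -config req.cnf \
            -key ca.key -passin "$pass" -out ca.crt &&
        # 2. Server key and CSR, using the slides' sample subject fields.
        openssl genrsa -aes256 -passout "$pass" -out server.key 2048 2>/dev/null &&
        openssl req -new -sha256 -config req.cnf -key server.key -passin "$pass" \
            -subj "/C=US/ST=My State/L=My City/O=My Company/OU=My Org/CN=$cn" \
            -out server.csr &&
        # 3. CA signs the CSR; the SAN carries the host name clients check.
        printf 'subjectAltName = DNS:%s\n' "$cn" > san.ext &&
        openssl x509 -req -sha256 -days 365 -in server.csr -extfile san.ext \
            -CA ca.crt -CAkey ca.key -passin "$pass" -CAcreateserial \
            -out server.crt 2>/dev/null &&
        # 4. Lock the files down as the slides do.
        chmod 400 ca.key ca.crt server.key server.csr server.crt
    )
}

# check_chain DIR PASSFILE: succeed only if server.crt chains to ca.crt and
# carries the public key that belongs to server.key.
check_chain() {
    dir=$1 pass="file:$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    from_key=$(openssl rsa -in "$dir/server.key" -passin "$pass" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$dir/server.crt" -noout -pubkey) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}
```

Running check_chain before copying files into conf/ssl.key and conf/ssl.crt catches a certificate paired with the wrong key or signed by the wrong CA.
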

starting the web server
• :STREAM JHTTPD.PUB.

using the web server
• conf/httpd.conf.sample uses ports 80 and 443
• Default browser ports are 80 and 443
  • http://your3000.host.name (port 80)
  • https://your3000.host.name (port 443)
• Non-default port numbers can also be used:
  • http://your3000.host.name:nnn (http port nnn)
  • https://your3000.host.

restarting the web server
• Why? To reread config files.
• Log on as SM user or MGR.APACHE
• Normal restart
  • $ kill -HUP $(cat /APACHE/PUB/logs/httpd.pid)
• Graceful restart
  • $ kill -USR1 $(cat /APACHE/PUB/logs/httpd.

stopping the web server
• Log on as SM user or MGR.APACHE
• $ kill $(cat /APACHE/PUB/logs/httpd.pid)
• Only use :ABORTJOB as a last resort!
  • Will leak SVIPC semaphores
  • Use IPCS.HPBIN.SYS to display
  • Use IPCRM.HPBIN.

performance
• First few minutes in tight CPU loop
• Brief CPU burst for new SSL sessions
• Use bytestream instead of MPE record format for content
• Content-length: header problem
• Symptom: browser hangs at end of content
• Make sure RESLVCNF.NET.

security tips
• WebWise only protects the TCP/IP connection between browser and server!
• Protect the key and certificate files!
• Protect the key pass phrase!

security tips (cont.)
• Most security problems BY FAR are the result of sloppy CGI programming
• Explicitly validate every byte of data sent by browser
• A CGI hole can give the whole world the same access as a :HELLO WWW.

security tips (cont.

troubleshooting server problems
• All Apache troubleshooting methods apply
• Check the log files first!
• If JHTTPD terminates at startup, investigate Pass Phrase
• Is SSLEngine On?
• Does SSLProtocol match the browser?
• Does SSLCipherSuite match the browser?

troubleshooting server problems (cont.)
• echo "HEAD / HTTP/1.

troubleshooting server problems (cont.

troubleshooting server problems (cont.)
• Are the configuration file permissions correct?
  • Parent process running as the JHTTPD !JOB user (MGR.APACHE) must be able to read everything
  • Child processes running as the conf/httpd.conf User user (WWW.APACHE) must be able to read CA & CRL files if doing X.

troubleshooting server problems (cont.)
• Check the mod_ssl bug database
  • http://www.modssl.org/support/bugdb/
• No OpenSSL bug database :-(
  • Search the mailing list archives at http://www.openssl.org/support/
• Check the Apache bug database
  • http://bugs.apache.

troubleshooting browser problems
• No response to browser
  • Check httpd.conf or SOCKINFO.NET.SYS to verify the correct ports (80, 443) are being listened to
• “The page cannot be displayed” (MSIE)
  • Speaking https to the http server port
  • Speaking the wrong security protocol (i.e. SSLv2 when the server requires SSLv3)
• “A network error occurred while Netscape was receiving data”
  • Speaking https to the http server port
  • Speaking the wrong security protocol (i.e.

troubleshooting browser problems (cont.

further documentation
• Complete product documentation
  • http://your.host.name/manual/
• Mod_ssl documentation
  • http://www.modssl.org/docs/2.8/
• OpenSSL documentation
  • http://www.openssl.org/docs/apps/openssl.html
• Apache documentation
  • http://www.apache.org/docs/
• 7.5 Communicator
• 7.

join the hp3000-l community
• Available as a mailing list and as the Usenet newsgroup comp.sys.hp.mpe
• In-depth discussions of all things HP e3000
• Talk with other WebWise & Apache users
  • seek advice, exchange tips & techniques
• Keep up with the latest HP e3000 news
• Interact with CSY
• http://jazz.external.hp.com/papers/hp3000-info.