System Administration IBM HTTP Server documentation

Using Secure Sockets Layer directives

This section provides information on using SSL directives. This information includes the specific syntax, description, scope, and associated notes for each directive. Links to related topics appear at the end of this section.

  The directives described in this section:

  • Keyfile
  • LogLevel
  • SSLAcceleratorDisable
  • SSLCacheDisable
  • SSLCacheEnable
  • SSLCacheErrorLog
  • SSLCachePath
  • SSLCachePortFilename
  • SSLCacheTraceLog
  • SSLCipherBan
  • SSLCipherRequire
  • SSLCipherSpec
  • SSLClientAuth
  • SSLClientAuthGroup
  • SSLClientAuthRequire
  • SSLCRLHostname
  • SSLCRLPort
  • SSLCRLUserID
  • SSLDisable
  • SSLEnable
  • SSLFakeBasicAuth
  • SSLFIPSDisable
  • SSLFIPSEnable
  • SSLPKCSDriver
  • SSLServerCert
  • SSLStashfile
  • SSLV2Timeout
  • SSLV3Timeout
  • SSLVersion
  • Finding related information

    Keyfile

    • Description: Sets the key file to use.
    • Default: No default
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global base and virtual host
    • Syntax: Keyfile [prompt]/fully qualified path to key file/keyfile.kdb
    • Values: File name of the key file. Use the prompt option to enable the HTTP server to prompt you for the Key file password during start up. See Using SSL Password Prompting.

    LogLevel

    • Description: Adjusts the verbosity of the messages recorded in the error logs. When you specify a particular level, the server reports messages from all other levels of higher significance. For example, when you specify LogLevel info, the server reports messages with log levels of notice and warn. Specifying at least level crit is recommended.
    • Default: LogLevel error
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Allowed. Order of preference is top to bottom, first to last. If the client does not support cipher specifications, the connection closes.
    • Scope: Server configuration, virtual host
    • Syntax: LogLevel level
    • Values: The following available levels appear in order of decreasing significance:

      Level    Description                              Example
      emerg    Emergencies: system rendered unusable.   "Child cannot open lock file. Exiting"
      alert    Take immediate action.                   "getpwuid: could not determine user name from uid"
      crit     Critical conditions.                     "socket: Failed to get a socket, exiting child"
      error    Error conditions.                        "Premature end of script headers"
      warn     Warning conditions.                      "child process 1234 did not exit, sending another SIGHUP"
      notice   Normal, but significant condition.       "httpd: caught SIGBUS, attempting to dump core in ..."
      info     Informational.                           "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
      debug    Debug-level messages.                    "Opening configuration file ..."

    SSLAcceleratorDisable

    • Description: Disables the accelerator device.
    • Default: Accelerator device is enabled
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: Virtual and global
    • Syntax: SSLAcceleratorDisable
    • Values: None
    • Tips: Place this directive anywhere inside the configuration file, including inside a virtual host. During initialization, if the system determines that an accelerator device is installed on the machine, the system uses that accelerator to increase the number of secure transactions. This directive does not take arguments.


    SSLCacheDisable

    • Description: Disables the external SSL session ID cache
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas
    • Syntax: SSLCacheDisable
    • Values: None
    • Note: Valid only in UNIX environments.


    SSLCacheEnable

    • Description: Enables the external SSL session ID cache
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas
    • Syntax: SSLCacheEnable
    • Values: None
    • Note: Valid only in UNIX environments.


    SSLCacheErrorLog

    • Description: Sets the file name for session ID cache error logging
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical server instance, allowed only outside of virtual host stanzas.
    • Syntax: SSLCacheErrorLog /usr/HTTPServer/log/sidd_log
    • Values: Valid file name
    • Note: Not valid on Windows operating system.


    SSLCachePath

    • Description: Specifies the path to the session ID caching daemon executable.
    • Default: <server-root>/bin/sidd
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical IBM HTTP Server
    • Syntax: SSLCachePath /usr/HTTPServer/bin/sidd
    • Values: Valid path name.
    • Note: Not valid on Windows operating system.


    SSLCachePortFilename

    • Description: Sets the file name for the UNIX domain socket used for communication between the server instances and the session ID cache daemon.
    • Default: If this directive is not specified and the cache is enabled, then the server attempts to use the file: <server-root>/logs/siddport
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas.
    • Syntax: SSLCachePortFilename /usr/HTTPServer/logs/siddport
    • Values: Valid file name. Tip: The Web server deletes this file during startup; do not use an existing file name.
    • Tip: Valid only on the UNIX platform.


    SSLCacheTraceLog

    • Description: Specifies the trace log to which session ID trace messages log.
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Not allowed
    • Scope: One per physical IBM HTTP Server
    • Syntax: SSLCacheTraceLog /usr/IBMIHS/log/sidd-trace.log
    • Values: Valid path name.
    • Note to Windows users: Not valid on Windows operating systems.

    SSLCipherBan

    SSLCipherRequire

     

    SSLCipherSpec

    • Description: Specifies a cipher specification that you can use in a secure transaction.
    • Default: If nothing is specified, the server uses all cipher specifications available from the installed GSK library.
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Allowed. Order of preference is top to bottom, first to last. If the client does not support the cipher specifications, the connection closes.
    • Scope: Virtual host
    • Syntax: SSLCipherSpec shortname or
      SSLCipherSpec longname
    • Values: See the SSL Version 2 and SSL Version 3/TLS Version 1 cipher specification tables that follow.

    SSL Version 2 Cipher Specifications

    Short name     Long name                                  Description
    27             SSL_DES_192_EDE3_CBC_WITH_MD5              Triple-DES (168-bit)
    21             SSL_RC4_128_WITH_MD5                       RC4 (128-bit)
    23             SSL_RC2_CBC_128_CBC_WITH_MD5               RC2 (128-bit)
    26             SSL_DES_64_CBC_WITH_MD5                    DES (56-bit)
    22             SSL_RC4_128_EXPORT40_WITH_MD5              RC4 (40-bit)
    24             SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5      RC2 (40-bit)

    SSL Version 3 and TLS Version 1 Cipher Specifications

    Short name     Long name                                  Description
    3A             SSL_RSA_WITH_3DES_EDE_CBC_SHA              Triple-DES SHA (168-bit)
    33             SSL_RSA_EXPORT_WITH_RC4_40_MD5             RC4 SHA (40-bit)
    34             SSL_RSA_WITH_RC4_128_MD5                   RC4 MD5 (128-bit)
    39             SSL_RSA_WITH_DES_CBC_SHA                   DES SHA (56-bit)
    35             SSL_RSA_WITH_RC4_128_SHA                   RC4 SHA (128-bit)
    36 (see Tip)   SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5         RC2 MD5 (40-bit)
    32             SSL_RSA_WITH_NULL_SHA
    31             SSL_RSA_WITH_NULL_MD5
    30             SSL_NULL_WITH_NULL_NULL
    62             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA         RC4 SHA Export 1024 (56-bit)
    64             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA        DES SHA Export 1024 (56-bit)

    Tip: Cipher specification 36 requires Netscape Navigator V4.07; it does not work on earlier versions of Netscape browsers.

     

    SSLClientAuth

    • Description: Sets the mode of client authentication to use (none (0), optional (1), or required (2)).
    • Default: SSLClientAuth none
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host
    • Scope: Virtual host
    • Syntax: SSLClientAuth <level required> [crl]
    • Values:
      • 0/None: No client certificate requested.
      • 1/Optional: Client certificate requested, but not required.
      • 2/Required: Valid client certificate required.
      • CRL: Turns CRL checking on and off inside an SSL virtual host. If you use a certificate revocation list (CRL), specify crl as the second argument of SSLClientAuth, for example: SSLClientAuth 2 crl. If you do not specify crl, no CRL checking is performed in that SSL virtual host.

      Tip: If you specify the value 0/None, you cannot use the CRL option.

    SSLClientAuthGroup

    • Description: Enables you to group client certificate attributes together for use in the SSLClientAuthRequire directive.
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: Allowed. The function joins these directives by "AND".
    • Scope: Multiple instances per directory stanza
    • Syntax: SSLClientAuthGroup <group name> <logic string>
    • Values: Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses.

    Description of valid logical expressions

    The following example shows a valid logical expression:

    SSLClientAuthGroup (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM

    means that the object is not served unless the client certificate contains a common name of either Fred Smith or John Deere, and the organization is IBM. The only valid comparisons for the attribute checks are equal and not equal (= and !=). You can link each attribute check with AND, OR, or NOT (also &&, ||, and !). Use parentheses to group comparisons. If the value of the attribute contains a nonalphanumeric character, you must delimit the value with quotes.

    A listing of valid attributes follows:

    • CommonName
    • Country
    • Email
    • Group
    • IssuerCommonName
    • IssuerCountry
    • IssuerEmail
    • IssuerLocality
    • IssuerOrg
    • IssuerOrgUnit
    • IssuerStateOrProvince
    • Locality
    • Org
    • OrgUnit
    • StateOrProvince

    A listing of valid short names follows:

         CN, C, E, G, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST 
    

    SSLClientAuthRequire

    • Description: Enables extensive validation of client certificate information before serving an object
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in a configuration file: Allowed. The function joins these directives by "AND".
    • Scope: Directory
    • Syntax: SSLClientAuthRequire CommonName = Richard
    • Values: Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses.

    Description of valid logical expressions

    For example:

    SSLClientAuthRequire (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM
    
    means that the object is not served unless the client certificate contains a common name of either Fred Smith, or John Deere, and the organization is IBM. The only valid comparisons for the attribute checks are equal, and not equal (= and !=). You can link each attribute check with AND, OR, or NOT (also &&, ||, and !). Use parentheses to group comparisons. If the value of the attribute contains a nonalphanumeric character, you must delimit the value with quotes.

    A listing of valid attributes follows:

    • CommonName
    • Country
    • Email
    • IssuerCommonName
    • IssuerCountry
    • IssuerEmail
    • IssuerLocality
    • IssuerOrg
    • IssuerOrgUnit
    • IssuerStateOrProvince
    • Locality
    • Org
    • OrgUnit
    • StateOrProvince

    A listing of valid short names follows:

         CN, C, E, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST 
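    The expression language shared by SSLClientAuthGroup and SSLClientAuthRequire (attribute = value, attribute != value, AND/OR/NOT with their &&/||/! forms, parentheses, quoted values, and the short attribute names listed above) is small enough to implement and test offline. The evaluator below is an added example, not IBM HTTP Server code: it parses a directive's logic string, evaluates it against the subject attributes of a client certificate, resolves "Group = name" against SSLClientAuthGroup definitions, and joins several SSLClientAuthRequire directives with AND as the page states. The certificate attributes and group names are constructed for the example; exact, case-sensitive value comparison is an assumption of this code.

```python
"""Evaluator for the logical expressions of SSLClientAuthRequire and SSLClientAuthGroup.
Added example, not IBM HTTP Server code; grammar as the page describes it."""
import re

# Short attribute names and their long forms, as listed on the page.
SHORT_NAMES = {"CN": "CommonName", "C": "Country", "E": "Email", "G": "Group",
               "ICN": "IssuerCommonName", "IC": "IssuerCountry", "IE": "IssuerEmail",
               "IL": "IssuerLocality", "IO": "IssuerOrg", "IOU": "IssuerOrgUnit",
               "IST": "IssuerStateOrProvince", "L": "Locality", "O": "Org",
               "OU": "OrgUnit", "ST": "StateOrProvince"}
# Accepts either the short or the long form, in any case.
ATTR_LOOKUP = {**{k.upper(): v for k, v in SHORT_NAMES.items()}, **{v.upper(): v for v in SHORT_NAMES.values()}}
WORD_OPS = {"AND": "AND", "OR": "OR", "NOT": "NOT", "&&": "AND", "||": "OR", "!": "NOT"}
# quoted value | operator | bare word | anything else (an error)
TOKEN_RE = re.compile(r'"([^"]*)"|(!=|&&|\|\||[()=!])|([A-Za-z0-9_.@-]+)|(\S)')


def tokenize(text):
    tokens = []
    for quoted, op, word, bad in TOKEN_RE.findall(text):
        if bad:
            raise ValueError(f"unexpected character {bad!r}")
        if op:
            tokens.append(("OP", WORD_OPS.get(op, op)))
        elif word:
            tokens.append(("OP", word.upper()) if word.upper() in WORD_OPS else ("WORD", word))
        else:
            tokens.append(("VALUE", quoted))
    return tokens + [("END", None)]


class Parser:
    # expr := term (OR term)*; term := factor (AND factor)*; factor := NOT factor | (expr) | cmp
    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0

    def take(self):
        tok = self.tokens[self.i]
        self.i += tok[0] != "END"  # stay on the END sentinel once reached
        return tok

    def parse(self):
        node = self.expr()
        if self.tokens[self.i][0] != "END":
            raise ValueError(f"unexpected token {self.tokens[self.i][1]!r}")
        return node

    def chain(self, op, tag, sub):  # left-associative run of one operator
        node = sub()
        while self.tokens[self.i] == ("OP", op):
            self.take()
            node = (tag, node, sub())
        return node

    def expr(self):
        return self.chain("OR", "or", lambda: self.chain("AND", "and", self.factor))

    def factor(self):
        if self.tokens[self.i] == ("OP", "NOT"):
            self.take()
            return ("not", self.factor())
        if self.tokens[self.i] == ("OP", "("):
            self.take()
            node = self.expr()
            if self.take() != ("OP", ")"):
                raise ValueError("missing ')'")
            return node
        (kind, name), (kind2, op), (kind3, value) = self.take(), self.take(), self.take()
        attr = ATTR_LOOKUP.get(name.upper()) if kind == "WORD" else None
        if attr is None or (kind2, op) not in (("OP", "="), ("OP", "!=")) or kind3 not in ("WORD", "VALUE"):
            raise ValueError(f"malformed comparison near {name!r}")
        return ("cmp", attr, op, value)


def evaluate(node, cert, groups):
    """cert: long attribute name -> value from the client certificate; groups: group name ->
    parsed SSLClientAuthGroup expression ('Group = name' refers to it). Exact string compare."""
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], cert, groups)
    if kind in ("or", "and"):
        results = [evaluate(child, cert, groups) for child in node[1:]]
        return any(results) if kind == "or" else all(results)
    _, attr, op, value = node
    if attr == "Group" and value not in groups:
        raise ValueError(f"undefined group {value!r}")
    matched = evaluate(groups[value], cert, groups) if attr == "Group" else cert.get(attr) == value
    return matched if op == "=" else not matched


def client_allowed(require_exprs, cert, group_defs=None):
    """Several SSLClientAuthRequire directives are joined by AND, as the page states."""
    groups = {n: Parser(e).parse() for n, e in (group_defs or {}).items()}
    exprs = [require_exprs] if isinstance(require_exprs, str) else require_exprs
    return all(evaluate(Parser(e).parse(), cert, groups) for e in exprs)


# Constructed sample certificate: subject attributes as the server would see them.
FRED = {"CommonName": "Fred Smith", "Org": "IBM", "Country": "US"}
REQUIRE = '(CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM'
```

    Calling client_allowed(REQUIRE, FRED) returns True, and a certificate with the same common name but Org = Acme is refused, which is the behaviour the page describes for the example expression. Malformed strings (an unknown attribute such as Foo, a missing parenthesis, trailing text) raise ValueError rather than silently evaluating, which is the failure mode you want from an access-control expression.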
    

    SSLCRLHostname

    • Description: TCP/IP name or address of the LDAP server where the CRL database resides.
    • Default: SSLCRLHostname is disabled by default.
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server or virtual host
    • Syntax: SSLCRLHostname <TCP/IP name or address>
    • Values: TCP/IP name or address of LDAP server

    SSLCRLPort

    • Description: Port of the LDAP server where the CRL database resides.
    • Default: SSLCRLPort is disabled by default.
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server or virtual host
    • Syntax: SSLCRLPort <port number>
    • Values: Port of LDAP server; default=389

    SSLCRLUserID

    • Description: User ID to send to the LDAP server where the CRL database resides.
    • Default: Defaults to anonymous, if you do not specify a user ID
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server or virtual host
    • Syntax: SSLCRLUserID <[prompt]userid>
    • Values: User ID of LDAP server. Use the prompt option to enable the HTTP server to prompt you for the password needed to access the LDAP server during start up. See Using SSL Password Prompting.

    SSLDisable

    • Description: Disables SSL for this virtual host.
    • Default: SSL is disabled by default.
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server or virtual host
    • Syntax: SSLDisable
    • Values: None

    SSLEnable

    • Description: Enables SSL for this virtual host.
    • Default: SSL is disabled by default.
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server or virtual host
    • Syntax: SSLEnable
    • Values: None
     

    SSLFakeBasicAuth

    • Description: Enables the fake basic authentication support. This support enables the client certificate distinguished name to become the user portion of the user and password basic authentication pair. The password is the fixed string "password".
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Within a directory stanza, used along with AuthName, AuthType, and require directives.
    • Syntax: SSLFakeBasicAuth
    • Values: None

    SSLFIPSDisable

    • Description: Disables Federal Information Processing Standards (FIPS).
    • Default: FIPS is disabled by default.
    • Scope: Virtual and global.
    • Syntax: SSLFIPSDisable

    SSLFIPSEnable

    • Description: Enables Federal Information Processing Standards (FIPS).
    • Default: FIPS is disabled by default.
    • Scope: Virtual and global.
    • Syntax: SSLFIPSEnable

    SSLPKCSDriver

    • Description: Identifies the fully qualified name of the module or driver used to access the PKCS11 device.
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global server, or virtual host
    • Syntax: SSLPKCSDriver <fully qualified name of the module used to access the PKCS11 device>. If the module exists in the user's path, specify just the name of the module.
    • Values: Path and name of PKCS11 module, or driver.

    The default locations of the modules for each PKCS11 device follow, by platform:

    nCipher

    • AIX: /opt/nfast/toolkits/pkcs11/libcknfast.so
    • HP: /opt/nfast/toolkits/pkcs11/libcknfast.sl
    • Solaris: /opt/nfast/toolkits/pkcs11/libcknfast.so
    • Windows: c:\nfast\toolkits\pkcs11\cknfast.dll

    IBM 4758

    • AIX: /usr/lib/pkcs11/PKCS11_API.so
    • Windows: $PKCS11_HOME\bin\nt\cryptoki.dll


    IBM e-business Cryptographic Accelerator

    • AIX: /usr/lib/pkcs11/PKCS11_API.so

    SSLServerCert

    • Description: Sets the server certificate to use for this virtual host
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host
    • Scope: IP-based virtual hosts
    • Syntax: SSLServerCert [prompt]my_certificate_label
      On a PKCS11 device: SSLServerCert mytokenlabel:mykeylabel
    • Values: Certificate label. Use the prompt option to enable the HTTP server to prompt you for the crypto token password during start up. See Using SSL Password Prompting.
    • Tip: Use no delimiters around the certificate label. Ensure that the label is contained on one line; leading and trailing white space is ignored.

     

    SSLStashfile

    • Description: Indicates the path and file name of the stash file that contains the encrypted password for opening the PKCS11 device.
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Virtual host and global server
    • Syntax: The stash file is created with the sslstash command: sslstash [-c] <file> <function> <password>, where:
      • -c = Create a new stash file. If not specified, the server updates an existing stash file.
      • File = Fully qualified name of the file to create or update.
      • Function = Function with which to use the password. Valid values include crl or crypto.
      • Password = The password to stash.
      • Usage: sslstash -c conf\pkcs11.passwd crypto pkcs11
    • Values: Path with file name
    • Tip: The sslstash command is located in the bin directory of the IBM HTTP Server on UNIX, and in the server installation root on Windows. Use this command to store the password for the PKCS11 device. The stash file created with the sslstash command can hold two different passwords for two different functions: crl and cryptography.

     

    SSLV2Timeout

    • Description: Sets the timeout for SSL Version 2 session IDs
    • Default: 40
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global base and virtual host
    • Syntax: SSLV2Timeout 60
    • Values: 0 to 100 seconds
     

    SSLV3Timeout

    • Description: Sets the timeout for SSL Version 3 session IDs
    • Default: 120
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: Global base and virtual host
    • Syntax: SSLV3Timeout 1000
    • Values: 0 to 86400 seconds

    SSLVersion

    • Description: Rejects access to the object if the client attempts to connect with an SSL protocol version other than the one specified.
    • Default: None
    • Module: mod_ibm_ssl
    • Multiple instances in the configuration file: One instance per virtual host and global server
    • Scope: One per directory stanza
    • Syntax: SSLVersion ALL
    • Values: SSLV2|SSLV3|TLSV1|ALL
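    Several of the directive descriptions above state rules a configuration can violate silently: SSLClientAuth 0/None cannot be combined with crl, a crl argument needs an SSLCRLHostname to consult, Keyfile has no default, SSLCipherSpec accepts only the short and long names from the two cipher tables, SSLV2Timeout and SSLV3Timeout are bounded at 100 and 86400 seconds, and SSLVersion takes only SSLV2, SSLV3, TLSV1 or ALL. The script below is an added example, not IBM HTTP Server code: it parses an httpd.conf-style file into the global scope and its <VirtualHost> stanzas and reports violations of those rules, plus cipher choices that provide no encryption or a 40-bit export key (that classification is this example's own, not the page's). The two embedded configurations, their host names and key file paths are constructed for the example, and the parser deliberately tracks only VirtualHost containers.

```python
"""Static checks over mod_ibm_ssl directives in an httpd.conf-style file. Added example,
not IBM HTTP Server code: value ranges, cipher names and the '0/None cannot use crl' rule
come from the page; treating NULL and 40-bit export ciphers as weak is this example's call."""

# Short name -> long name, from the page's SSL V2 and SSL V3/TLS V1 cipher tables.
CIPHERS = {
    "27": "SSL_DES_192_EDE3_CBC_WITH_MD5", "21": "SSL_RC4_128_WITH_MD5",
    "23": "SSL_RC2_CBC_128_CBC_WITH_MD5", "26": "SSL_DES_64_CBC_WITH_MD5",
    "22": "SSL_RC4_128_EXPORT40_WITH_MD5", "24": "SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5",
    "3A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "33": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "34": "SSL_RSA_WITH_RC4_128_MD5", "39": "SSL_RSA_WITH_DES_CBC_SHA",
    "35": "SSL_RSA_WITH_RC4_128_SHA", "36": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "32": "SSL_RSA_WITH_NULL_SHA", "31": "SSL_RSA_WITH_NULL_MD5",
    "30": "SSL_NULL_WITH_NULL_NULL", "62": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "64": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
}
LONG_TO_SHORT = {long_name: short for short, long_name in CIPHERS.items()}
WEAK = {**dict.fromkeys(("30", "31", "32"), "no encryption"),
        **dict.fromkeys(("22", "24", "33", "36"), "a 40-bit export key")}


def parse_scopes(text):
    """Split the file into the global scope and each <VirtualHost> stanza; a scope is a list
    of (directive, args) with the name lower-cased. Other containers are not tracked."""
    scopes = [("global", [])]
    current = scopes[0][1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("<virtualhost"):
            current = []
            scopes.append((line.strip("<>"), current))
        elif line.lower().startswith("</virtualhost"):
            current = scopes[0][1]
        elif not line.startswith("<"):
            parts = line.split(None, 1)
            current.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return scopes


def lint(text):
    """Return a list of findings, one string each; an empty list means nothing was flagged."""
    scopes = parse_scopes(text)
    global_names = {name for name, _ in scopes[0][1]}
    findings = []
    for scope, entries in scopes:
        by_name = {}
        for name, args in entries:
            by_name.setdefault(name, []).append(args)
        present = set(by_name) | global_names  # virtual hosts inherit global directives
        if "sslenable" in by_name and "keyfile" not in present:
            findings.append(f"{scope}: SSLEnable but no Keyfile in this stanza or globally")
        for args in by_name.get("sslclientauth", []):
            level, _, rest = args.lower().partition(" ")
            wants_crl = rest.strip() == "crl"
            if level not in ("0", "none", "1", "optional", "2", "required"):
                findings.append(f"{scope}: SSLClientAuth level {level!r} is not 0/1/2 or none/optional/required")
            if level in ("0", "none") and wants_crl:
                findings.append(f"{scope}: SSLClientAuth 0/None cannot be combined with crl")
            if wants_crl and "sslcrlhostname" not in present:
                findings.append(f"{scope}: crl requested but no SSLCRLHostname is configured")
        for args in by_name.get("sslcipherspec", []):
            short = LONG_TO_SHORT.get(args.upper(), args.upper())
            if short not in CIPHERS:
                findings.append(f"{scope}: unknown SSLCipherSpec {args!r}")
            elif short in WEAK:
                findings.append(f"{scope}: SSLCipherSpec {args} ({CIPHERS[short]}) allows {WEAK[short]}")
        for name, limit in (("sslv2timeout", 100), ("sslv3timeout", 86400)):
            for args in by_name.get(name, []):
                if not args.isdigit() or int(args) > limit:
                    findings.append(f"{scope}: {name} {args!r} is outside 0 to {limit} seconds")
        for args in by_name.get("sslversion", []):
            if args.upper() not in ("SSLV2", "SSLV3", "TLSV1", "ALL"):
                findings.append(f"{scope}: SSLVersion {args!r} is not SSLV2|SSLV3|TLSV1|ALL")
    return findings


# Constructed sample configurations (host name and key file path are placeholders).
WEAK_CONF = """\
Keyfile /usr/HTTPServer/ssl/keyfile.kdb
<VirtualHost 192.0.2.10:443>
    SSLEnable
    SSLCipherSpec 30
    SSLClientAuth 0 crl
    SSLV3Timeout 100000
</VirtualHost>
"""
HARDENED_CONF = """\
Keyfile /usr/HTTPServer/ssl/keyfile.kdb
SSLCRLHostname ldap.example.test
<VirtualHost 192.0.2.10:443>
    SSLEnable
    SSLCipherSpec 3A
    SSLClientAuth 2 crl
    SSLV3Timeout 3600
</VirtualHost>
"""
```

    Running lint(WEAK_CONF) yields four findings (the NULL cipher, SSLClientAuth 0 with crl, crl without an SSLCRLHostname, and an SSLV3Timeout above 86400), while lint(HARDENED_CONF) returns an empty list. Because virtual hosts inherit global directives, a Keyfile or SSLCRLHostname set at the top of the file satisfies the check for every stanza below it.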
     
    Finding related information
