HP NonStop SSL Reference Manual SSL Reference • 107
Requesting the SSL Client to Present a Client Certificate
HP NonStop SSL supports client authentication when running in SSL server mode (PROXYS, FTPS, TELNETS,
ODBCMXS, EXPANDS). The behavior is controlled by the TRUST parameter (please note: the parameter has different
meanings for HP NonStop SSL running in server or client mode).
TRUST set to "*" (default) will disable the checking, thus no client cert will be required.
When TRUST names a certificate file, that certificate becomes the trust anchor for client authentication: it is presented to the client as the accepted issuer, and the client is expected to answer with a certificate signed by it. If the client sends no certificate, or one that does not verify against that certificate, the connection is rejected.
Configuring SSL for Production as SSL Client
In run modes PROXYC and FTPC, HP NonStop SSL acts as an SSL client. This section is only relevant to those run
modes.
The default installation of HP NonStop SSL is streamlined to enable an easy setup and immediate testing and will not
verify the remote certificate for authenticity, nor will it send an SSL client certificate to the server for client
authentication.
For a secure production installation, it is recommended to configure HP NonStop SSL to verify the remote certificates
using the TRUST parameter. Without verification the proxy accepts whatever certificate the remote side presents, including one supplied by a man-in-the-middle, so the encryption alone does not guarantee that you are talking to the intended server.
To Configure HP NonStop SSL to verify the remote certificate
1. Obtain the root CA certificate that signed the server certificate of the target SSL server.
2. If required, convert the root CA certificate into the DER format (e.g. with OpenSSL)
3. Upload the DER-encoded root CA certificate file to your NonStop server in binary mode.
4. Configure the TRUST parameter to point to DER-encoded root CA certificate file, e.g.
TRUST ROOTCA
5. If desired, configure the PEERCERTCOMMONNAME parameter to validate the common name of the server
certificate.
6. Restart your HP NonStop SSL client proxy process and check these initialization log messages for any errors.
Note: If you have multiple target systems with different root CA certificates, you can enter a list of comma-separated file
names for the TRUST parameter.
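As an added example of steps 1 to 5 above (this script is not from the manual or from HP), the following POSIX shell script uses the openssl command-line tool to convert a PEM root CA certificate to DER, to confirm that the target server's certificate actually chains to that root before you configure it as TRUST, and to extract the subject common name you would put into PEERCERTCOMMONNAME. The root CA, a second unrelated CA and the server certificate it creates are constructed stand-ins so that the script runs offline; the file names, the CA name "Example Root CA" and the host name target.example.com are assumptions. Uploading the resulting DER file in binary mode and setting the NonStop parameters is done exactly as in the steps.

```shell
#!/bin/sh
# Added example (not part of the HP NonStop SSL manual). Requires the openssl
# command-line tool. All certificates below are constructed locally; in practice
# the root CA comes from the operator of the target SSL server.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: a root CA (the one you will trust), an unrelated root CA,
# and a server certificate issued by the first root. Assumed names throughout.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/otherca.key" -out "$WORK/otherca.pem" \
        -subj "/CN=Other Root CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=target.example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/rootca.pem" -CAkey "$WORK/rootca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Step 2: convert the PEM root CA ($1) to DER ($2). A DER certificate is one
# ASN.1 SEQUENCE, so the first byte must be 0x30; a file that still starts
# with "-----BEGIN" was not converted (and would also be corrupted by an
# ASCII-mode upload, hence the binary-mode requirement in step 3).
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
    first=$(od -An -tx1 -N1 "$2" | tr -d ' ')
    [ "$first" = "30" ]
}

# Before trusting a root ($1), check that the target server's certificate ($2)
# really chains to it. Returns non-zero if it does not.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 5: PEERCERTCOMMONNAME must match the subject CN of the server certificate.
server_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

make_test_pki
pem_to_der "$WORK/rootca.pem" "$WORK/rootca.der"
verify_chain "$WORK/rootca.pem" "$WORK/server.pem"
echo "TRUST              -> upload $WORK/rootca.der to the NonStop system in binary mode"
echo "PEERCERTCOMMONNAME -> $(server_cn "$WORK/server.pem")"
```

If verify_chain fails, the file you were given is not the root that signed the server certificate (or only an intermediate), and configuring it as TRUST would make every connection fail at the initialization log messages of step 6 rather than silently succeed; the negative check against the unrelated CA shows that behaviour.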
Presenting a Client Certificate to the SSL server
If Client Authentication is required, HP NonStop SSL can send a client certificate or a client certificate chain to the
server.
HP NonStop SSL can be configured to cover 3 scenarios:
1. If CACERTS and CLIENTCERT are set to ‘*’, HP NonStop SSL will send no certificate to the server (this is
the default setting).
CACERTS *
CLIENTCERT *
2. To send a self-signed certificate to the server, CACERTS must be set to ‘*’ and
CLIENTCERT/CLIENTKEY/CLIENTKEYPASS must point to a valid self-signed certificate.
CACERTS *
CLIENTKEY $SYSTEM.MYCERT.CLNTKEY
CLIENTKEYPASS mysecret
CLIENTCERT $SYSTEM.MYCERT.CLNTCERT