HP NonStop SSL User Manual

108 SSL Reference HP NonStop SSL Reference Manual
3. If CACERTS contains the signing certificate(s), HP NonStop SSL will send the whole certificate chain to the
server.
CACERTS $SYSTEM.MYCERT.CACERT
CLIENTKEY $SYSTEM.MYCERT.CLNTKEY
CLIENTKEYPASS mysecret
CLIENTCERT $SYSTEM.MYCERT.CLNTCERT
Security Considerations
While SSL is a very powerful and flexible protocol for encrypting TCP/IP traffic, it has to be used properly to protect
against some common attacks. The two most important factors in making an SSL installation fully secure are:
protecting against the man-in-the-middle attack through proper usage of certificates
protecting the private key file
Note: Ignoring those two factors will result in a system open to well-known attacks. Please read this section and follow
the recommendations to make sure you are deploying SSL properly.
Protecting Against the Man-in-the-Middle Attack
The man-in-the-middle attack is based on a weakness of the TCP/IP protocol which allows adding an "intermediary"
between two systems communicating via TCP/IP.
To protect against that kind of attack, SSL uses certificates. See the following sections of the chapter "SSL Reference",
for more information:
"X.509 Certificates".
"Configuring SSL for Production as SSL Server".
"Configuring SSL for Production as SSL Client".
Make sure to generate your own certificates for production and to configure all your SSL clients to verify the certificates
used by the SSL server.
Protecting the Private Key File
If an attacker gets access to the private key file, he can attack the SSL protocol in various ways. Therefore it is important
that you protect the private key file residing on your NonStop system.
The private key file is created during the generation of your certificates and is a file in your Guardian file system. The
location of the file is configured using the parameter SERVKEY. Standard procedures (such as SAFEGUARD ACLs)
should be employed so that only the HP NonStop SSL process can open that file.
The private key file is encrypted using a so-called pass phrase. An attacker needs both the private key file and the pass
phrase for a successful attack. The pass phrase is configured through the SERVKEYPASS parameter, which is typically
present in a startup file or macro. That startup file must also be protected properly.
Note: Never send the private key file and/or the pass phrase to anybody via e-mail. Make sure the file resides only on
your NonStop system and is properly protected via SAFEGUARD.
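The following is an added illustration, not part of the HP NonStop SSL manual, of the two recommendations above (clients verify the server certificate against a CA they trust; the private key stays pass-phrase encrypted and readable only by its owner). It uses OpenSSL on a POSIX host rather than NonStop's Guardian files and SAFEGUARD; all file names, subject names and the pass phrase are constructed.

```shell
#!/bin/sh
# Added example (not from the HP NonStop SSL manual): OpenSSL on a POSIX host stands in
# for the NonStop tooling. Names and the pass phrase below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="example-pass-phrase"          # stands in for the SERVKEYPASS value

new_ca() {  # $1 = output basename, $2 = subject CN; CA key left unencrypted for brevity
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.crt" -subj "/CN=$2" -days 365 >/dev/null 2>&1
}

# 1. Generate our own CA; production must not rely on vendor-supplied test certificates.
new_ca ca "Example Internal CA"
# A second CA the client does NOT trust, standing in for an intermediary's issuer.
new_ca other-ca "Untrusted CA"

# 2. Server key encrypted with the pass phrase (SERVKEY / SERVKEYPASS analogue),
#    readable only by the owning account.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 >/dev/null 2>&1
chmod 600 "$WORK/server.key"

# 3. Certificate for the server, signed by our own CA.
openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
    -subj "/CN=ssl.example.internal" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 365 >/dev/null 2>&1

# What a verifying client does: accept the chain only if it ends at a trusted CA.
verify_against() {  # $1 = trusted CA file, $2 = server certificate -> ok | fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The key file alone is useless without the pass phrase.
key_loads_with() {  # $1 = key file, $2 = pass phrase -> yes | no
    if openssl pkey -in "$1" -passin "pass:$2" -noout </dev/null >/dev/null 2>&1; then
        echo yes; else echo no; fi
}

key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, then BSD

echo "trusted CA:  $(verify_against "$WORK/ca.crt" "$WORK/server.crt")"        # ok
echo "unknown CA:  $(verify_against "$WORK/other-ca.crt" "$WORK/server.crt")"  # fail
echo "right pass:  $(key_loads_with "$WORK/server.key" "$PASS")"               # yes
echo "wrong pass:  $(key_loads_with "$WORK/server.key" not-the-pass-phrase)"   # no
echo "key mode:    $(key_mode "$WORK/server.key")"                             # 600
```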
If the Private Key is Compromised
If you have reason to believe that your server private key file has been compromised, you should immediately install a
new server certificate along with a private key file encrypted with a different pass phrase.