HP NonStop SSL
Reference Manual
Edition: HP NonStop SSL Reference Manual 1.6
H06.07 and subsequent H-series RVUs
J06.01 and subsequent J-series RVUs
HP Part Number: 628203-007
Published: February 2013
Hewlett Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
© 2013 HP
All rights reserved

Summary of Contents for HP NonStop SSL

  • Page 1 HP NonStop SSL Reference Manual HP Part Number: 628203-007 Published: February 2013 Edition: HP NonStop SSL Reference Manual 1.6 H06.07 and subsequent H-series RVUs J06.01 and subsequent J-series RVUs Hewlett Packard Company 3000 Hanover Street Palo Alto, CA 94304-1185 © 2013 HP...
  • Page 2 Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
  • Page 3: Table Of Contents

    Who Should Read This Guide ....................7 Document History ........................7 Introduction What is the Purpose of HP NonStop SSL? ................9 HP NonStop SSL Features ....................... 10 Support of SSL and TLS Protocol Standards ............10 Fault-Tolerance ......................10 SSL-enabling for HP Client Components Running on Microsoft Windows Systems ...........................
  • Page 4 PASSIVE ........................68 PEERCERTCOMMONNAME ................. 68 PEERCERTFINGERPRINT ..................69 PORT ......................... 69 PTCPIPFILTERKEY ....................70 ROUTINGMODE ..................... 70 SERVCERT....................... 71 SERVKEY ........................ 72 SERVKEYPASS ....................... 72 SLOWDOWN ......................73 SOCKSHOST, SOCKSPORT, SOCKSUSER ............73 iv • Contents HP NonStop SSL Reference Manual...
  • Page 5 Obtaining a Certificate from a Third Party CA ............102 Acting As Your Own CA ..................102 Example: How to Generate SSL Certificates Using OpenSSL........ 103 Requesting the SSL Client to Present a Client Certificate ........107
  • Page 6 Troubleshooting of Typical Errors ..................126 Address already in use ..................... 126 Could not open xxx file ................... 126 Decode Error ......................126 Handshake Error ...................... 126 Invalid address ......................127 Security violation (error 4013) ................127
  • Page 7: Preface

    Preface Who Should Read This Guide This document is for system administrators who are responsible for configuring HP NonStop SSL to secure Telnet, FTP or middleware communication for ODBC, RSC and other protocols used by HP products. Document History Version 1.6 •...
  • Page 8 • This is the initial version of this manual.
  • Page 9: Introduction

    To support the above functions, HP NonStop SSL proxy processes can be started in different modes. These so-called "run modes" of a HP NonStop SSL proxy are listed in square brackets in the list above. Multiple HP NonStop SSL proxy processes can co-exist on a single NonStop system to support concurrent proxy services, as well as multiple TCP/IP processes.
  • Page 10: HP NonStop SSL Features

    HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform. Usage of the LPDS server mode is supported in combination with the Microsoft Windows platform only.
  • Page 11: Secure Proxy For Generic TCP/IP Client/Server Protocols

    Typically, a HP NonStop SSL proxy will reside on the same IP process on the same system as the TCP server it tunnels the session to, which allows creating a "local loopback" session (a connection to "127.0.0.1" for IPv4, respectively "::1"...
  • Page 12: Secure FTP Proxy

    HP NonStop SSL secure FTP proxies front-ending standard FTP and FTPSERV Acting as a proxy server, HP NonStop SSL will use secure FTP connections with the FTP partner and "tunnel" them to a plain FTP client or server. The HP NonStop SSL FTPS proxy will intercept the communication on the FTP command socket to add encryption for both the command and data sockets.
  • Page 13: Secure Proxy For EXPAND-over-IP

    SSL FTP partner the HP NonStop SSL proxy acts as a RFC-2228 compliant secure FTP server or client. Secure Proxy for EXPAND-over-IP HP NonStop SSL running in EXPANDS mode encrypts EXPAND over IP traffic between two NonStop systems. It does...
  • Page 14: Limiting Remote IP Addresses

    ODBCMXS mode is currently only valid with IPMODE IPv4. Limiting Remote IP Addresses HP NonStop SSL can be configured to allow only certain remote IP addresses. By default, HP NonStop SSL will allow connections from any IP address; this behavior can be changed by 1.
  • Page 15: Installation

    Installation General Considerations HP NonStop SSL is made available by HP with the purchase of the NonStop Operating System kernel for H Series and J Series NonStop platforms. The files of the package are located on $SYSTEM.ZNSSSL. HP NonStop SSL is not pre-installed or pre-configured. You have to install it depending on your requirements.
  • Page 16: IPv6 Considerations

    IPv6 Considerations With HP NonStop AAE, IPv6 support was introduced. The new parameter IPMODE was introduced for this purpose: IPMODE {IPv4|IPv6|DUAL} If not specified, the IPMODE parameter will default to IPv4. When IPMODE DUAL is specified, SSLOBJ will listen to both IPv4 and IPv6 with one single dual mode socket.
  • Page 17: Starting An HP NonStop SSL Process

    HP NonStop SSL configuration parameter settings as described in the "Parameter Reference". Note: When you start a HP NonStop SSL process in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set the parameter LOGCONSOLE to *. Installing a Secure Telnet Server Proxy...
  • Page 18: Installing A Secure FTP Server Proxy

    To create a secure connection with a secure Telnet client 1. Configure your SSL Telnet client to connect to the address and port number on which the HP NonStop SSL secure Telnet proxy listens for incoming connections. Make sure that the client has the SSL protocol enabled for the session.
  • Page 19: Installing A Secure FTP Client Proxy

    To create a secure connection with an FTP-TLS enabled FTP client 1. Configure your FTP client to connect to the address and port number on which the HP NonStop SSL secure FTPS proxy listens for incoming connections. Make sure that the client has the FTP-TLS protocol enabled for the session.
  • Page 20 TARGETHOST and TARGETPORT. The respective parameter values will be taken into account if the user does not specify the corresponding value - or - if HP NonStop SSL was configured to always use the values of TARGETHOST respectively TARGETPORT due to the additional parameter TARGETHOSTFORCE or TARGETPORTFORCE.
  • Page 21: Installing A Secure Tunnel For RSC

    To install an SSL tunnel for Remote Server Call (RSC) communication, you will need to perform the following steps: 1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target TDP server process.
  • Page 22 To configure RSC to connect via the RemoteProxy 1. On the RSC workstation, locate the PIPE.INI file that is used by HP Piccolo. 2. In the PIPE.INI file, add an entry for your relevant RemoteProxy session in the [Resolver] section. The entry itself assigns an alias host name (1st argument) for a connection over a specified protocol (2nd argument) to a given peer.
  • Page 23: Installing A Secure Tunnel For ODBC/MP

    To implement HP NonStop SSL to encrypt an Open Database Connectivity ODBC/MP connection, you will need to perform the following steps: 1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target ODBC server process.
  • Page 24 PROXY.EXE. 2. On the ODBC/MP client workstation, run PROXY.EXE to start the RemoteProxy installation program and follow the installation instructions. 3. Double-click on the HP NonStop SSL RemoteProxy icon in your system tray. The "RemoteProxy" configuration window will be displayed.
  • Page 25 NonStop system. 2. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.
  • Page 26: Installing A Secure Tunnel For ODBC/MX

    Note 2: NonStop ODBC/MX uses multiple port numbers to create connections between the ODBC/MX clients and the NonStop server. HP NonStop SSL is aware of that and "multiplexes" many connections over a single IP connection between the clients and the NonStop server. That has two benefits: - only a single port needs to be open at the firewall.
  • Page 27 When logging with default log level 50, the last message of the log should then be similar to the following: $ODBS0|29Jul12 16:31:29.37|30|-- ODBCMXS setup completed, starting to listen... -- Note: Earlier versions of HP NonStop SSL might write out a "target port" with the above log message though it is not relevant for the setup.
  • Page 28 NonStop system. 2. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.
  • Page 29: Installing An SSL Tunnel For EXPAND-over-IP Lines

    Creating an SSL tunnel for an EXPAND-over-IP line requires running a HP NonStop SSL process in EXPANDS mode for the line handler on both sides of the connection. The configuration of the HP NonStop SSL processes can be easily derived from the existing line handler configuration of EXPAND-over-IP line. To enable the tunneling, only a single line handler attribute needs to be changed.
  • Page 31: Configuration

    On startup, HP NonStop SSL parses the given configuration parameters sources. A single parameter may be specified in multiple sources, e.g. in the configuration file and on the startup command line. In this case, HP NonStop SSL will process parameters with the following precedence (highest to lowest): 1.
  • Page 32: The Configuration File

    The configuration file is an edit type file which can be created and modified with a standard NonStop editor such as TEDIT. The name of the file that a HP NonStop SSL process should use as configuration source is passed to the program during startup.
  • Page 33: Startup Line Parameters

    Startup Line Parameters HP NonStop SSL configuration parameters can be passed on the startup line as follows (for a complete description of the RUN SSLOBJ see section "Starting an HP NonStop SSL Process"): <parameter name> <parameter value>; <parameter name> <parameter value>; ...
  • Page 34 FTPMINPORT The minimum port number HP NonStop SSL will use for FTP data connections. INTERFACE Controls the IP address HP NonStop SSL will bind to for connections made to HP NonStop SSL. IPMODE Specifies the TCP/IP mode (IPv4/IPv6/Dual) HP NonStop SSL will run in.
  • Page 35: ALLOWCERTERRORS

    Parameter Syntax ALLOWCERTERRORS number1 [, number2, ...] Arguments number comma-separated list of certificate errors which HP NonStop SSL should ignore. The error numbers are defined in the OpenSSL sources used for HP NonStop SSL (see Considerations). Considerations • Warning: The usage of this parameter may compromise the security of your configuration. Use only as workaround and with care.
  • Page 36 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION X509_V_ERR_KEYUSAGE_NO_CRL_SIGN X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION X509_V_ERR_APPLICATION_VERIFICATION Default If omitted, HP NonStop SSL will work normally (all certificate validation errors are treated as such and connection attempts will fail) Example ALLOWCERTERRORS 10 This will temporarily allow expired certificates.
  • Page 37: ALLOWIP

    Use this parameter to specify which remote IP addresses are to be allowed to establish sessions ("white list"). Note: With HP NonStop SSL AAE, the parameter syntax for specifying subnets has been changed to using Classless Interdomain Routing (CIDR) format in order to prevent ambiguous subnet specification and simplify usage, especially with IPv6 entries.
  • Page 38: AUDITASCIIONLY

    AUDITASCIIONLY Use this parameter to define how HP NonStop SSL writes raw data to the audit log. Parameter Syntax AUDITASCIIONLY TRUE | FALSE Arguments TRUE Data will be dumped in ASCII format; binary values with coded character will be represented as <hh> where hh is the hexadecimal representation of the binary value.
  • Page 39: AUDITCONSOLE

    By default, a value of -1 will be used See also AUDITASCIIONLY AUDITCONSOLE Use this parameter to define if and to what console device HP NonStop SSL audit messages are written to. Parameter Syntax AUDITCONSOLE * | % | $0 | auditdevice Arguments...
  • Page 40: AUDITFILERETENTION

    Audit messages will depend on the run mode – see parameter AUDITLEVEL for details See also AUDITCONSOLE, AUDITLEVEL, AUDITFORMAT AUDITFILERETENTION Use this parameter to control how many audit files HP NonStop SSL keeps when audit file rollover occurs. Parameter Syntax AUDITFILERETENTION n Arguments...
  • Page 41: AUDITLEVEL

    Logon of user Network events (connect, disconnect) FTP operations Network events (connect, disconnect) Data flowing through HP NonStop SSL: byte count only Data flowing through HP NonStop SSL: full byte dump (see parameter AUDITASCIIONLY for details) • For PROXYS, PROXYC and ODBCMXS, we recommend 50 for basic auditing and 99 for extended auditing including full traffic log.
  • Page 42: AUDITMAXFILELENGTH

    CACERTS file1 [, file2, ...] Arguments file1, file2, ... the designated files are DER encoded X.509 CA certificates. Default If omitted, HP NonStop SSL will search for a single "CACERT" file on the default subvolume. Example CACERTS $DATA1.SSL.MYCA, $DATA1.SSL.MYROOTCA Considerations
  • Page 43: CIPHERSUITES

    If a value of * is used for CACERTS, it will be assumed that the client or server certificate is self-signed. • A CA certificate for testing purposes is delivered as CACERT file on the HP NonStop SSL installation subvolume to enable quick start installation. This test CA certificate signs the test server certificate contained in SERVCERT or CLIENTCERT.
  • Page 44 Cipher suite table, continued (ID / IANA name / OpenSSL name / key exchange / cipher):
    0.135 / TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA / DHE-DSS-CAMELLIA256-SHA / DHE_DSS / CAMELLIA_256_CBC
    0.136 / TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA / DHE-RSA-CAMELLIA256-SHA / DHE_RSA / CAMELLIA_256_CBC
    0.137 / TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA / ADH-CAMELLIA256-SHA / DH_anon / CAMELLIA_256_CBC
    0.98 / TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA / EXP1024-DES-CBC-SHA / RSA_EXPORT1024 / DES_CBC
  • Page 45 Cipher suite table, continued (ID / IANA name / OpenSSL name / key exchange / cipher):
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA / ECDHE-ECDSA-DES-CBC3-SHA / ECDHE_ECDSA / 3DES_EDE_CBC
    192.9 / TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA / ECDHE-ECDSA-AES128-SHA / ECDHE_ECDSA / AES_128_CBC
    192.10 / TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA / ECDHE-ECDSA-AES256-SHA / ECDHE_ECDSA / AES_256_CBC
    192.11 / TLS_ECDH_RSA_WITH_NULL_SHA / ECDH-RSA-NULL-SHA / ECDH_RSA / NULL
    192.12 / TLS_ECDH_RSA_WITH_RC4_128_SHA / ECDH-RSA-RC4-SHA / ECDH_RSA / RC4_128
  • Page 46 • When running as an SSL client, CIPHERSUITES specifies the cipher suites that should be allowed in order of preference (favorite choice first). During the SSL handshake, HP NonStop SSL will present the list of cipher...
  • Page 47: CLIENTAUTH

    No certificate request will be sent to the client file1, file2, ... DER encoded X.509 CA certificate(s) which sign the certificate to be sent by the SSL client to HP NonStop SSL. If the SSL client cannot send such a certificate, the connection setup will fail.
  • Page 48: CLIENTKEY

    This parameter only applies to the run modes PROXYC and FTPC; it will be ignored in other run modes. • The private key data in the file is password encrypted. For HP NonStop SSL to be able to decrypt the file, the correct password must be specified by the CLIENTKEYPASS parameter.
  • Page 49: CLIENTKEYPASS

    The default password ("test") enables quick start installation with the "CLIENTKEY" public key file delivered with HP NonStop SSL. See also CLIENTCERT, CLIENTKEY CONFIG Use this parameter to specify a configuration file for a HP NonStop SSL process. Parameter Syntax CONFIG file Arguments file the name of the configuration file.
  • Page 50: CONFIG2

    CSV : designates output as comma-separated values, primarily targeted to simplify automated parsing of the output. Default Starting with HP NonStop SSL AAE, the default format will be EXTENDED. Prior to that it was ORIGINAL, but not configurable. EXAMPLE CONNECTIONINFOFORMAT ORIGINAL Considerations
  • Page 51: CONNECTIONINFOFORMATDETAILED

    CSV : designates output as comma-separated values, primarily targeted to simplify automated parsing of the output. Default Starting with HP NonStop SSL AAE, the default format will be EXTENDED. Prior to that it was ORIGINAL, but not configurable. EXAMPLE CONNECTIONINFOFORMAT ORIGINAL Considerations •...
  • Page 52 CONTENTFILTER CFILTER Considerations • The value of the parameter can be changed without stopping HP NonStop SSL using the SSLCOM command SET CONTENTFILTER file. • The following example shows the syntax of the filter rules. This example will only allow messages starting with "<A"...
  • Page 53: DENYIP

    Backwards compatibility to the former syntax is preserved, however in the mid-term ALLOWIP and DENYIP should be changed to using CIDR format. Default If omitted, HP NonStop SSL will use an empty entry, respectively *DEFAULT* to not forbid any remote IP addresses. Example DENYIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42 DENYIP A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]...
  • Page 54: DESTIPADDR, DESTIPPORT

    Use this parameter to log selected errors with LOGLEVEL 20 rather than as WARNING. By default, all errors on sockets result in a WARNING being displayed in the HP NonStop SSL log. Using this parameter, a log message with LOGLEVEL 20 will be issued instead for the configured error numbers.
  • Page 55: DYNAMICROUTINGENABLEIPV6

    This parameter is relevant only if HP NonStop SSL is running in the FTPS mode. FTPCALLOW200REPLY Use this parameter to specify whether HP NonStop SSL will allow an illegal "200" response to the AUTH TLS command sent to the remote FTP/TLS server.
  • Page 56: FTPLOCALDATAPORT

    FTP/TLS server with HP NonStop SSL in FTPC mode. FTPLOCALDATAPORT Use this parameter to specify how HP NonStop SSL will pick the local data port for the data connection in FTPC mode with PASSIVE set to true.
  • Page 57: FTPMINPORT

    You can change this value to make sure that the FTP data connections will not interfere with other TCP/IP services on your system. INTERFACE Use this parameter to specify the IP address HP NonStop SSL should use for local binding on incoming connections. Parameter Syntax INTERFACE ip-address...
  • Page 58: HASHALGORITHMS

    NonStop FTP client) • Use this parameter to control which IP address HP NonStop SSL binds to for incoming connections. • If a host name rather than an IP address is used to configure INTERFACE, name resolution will take place only once during startup.
  • Page 59: KEEPALIVE

    Default By default, keep alive messages are sent (1). LOGCONSOLE Use this parameter to define if and to what console device HP NonStop SSL log messages are written to. Parameter Syntax LOGCONSOLE * | % | $0 | logdevice Arguments...
  • Page 60: LOGEMS

    Interface" for details. • If the EMS collector cannot be opened during startup, HP NonStop SSL will terminate. If the EMS collector cannot be opened after changing it through SSLCOM, the old collector will stay active. See also LOGLEVELEMS, LOGFORMATEMS, LOGMAXFILELENGTH, LOGFILERETENTION LOGFILE Use this parameter to define if and to what file HP NonStop SSL log messages are written.
  • Page 61: LOGFILERETENTION

    Rollover" in chapter "Monitoring" for details on logfile rollover. See also LOGLEVELFILE, LOGFORMATFILE, LOGMAXFILELENGTH, LOGFILERETENTION LOGFILERETENTION Use this parameter to control how many log files HP NonStop SSL keeps when logfile rollover occurs. Parameter Syntax LOGFILERETENTION n Arguments n number of log files to keep Default By default, 10 files are kept.
  • Page 62: LOGFORMATCONSOLE

    Display date, time only: LOGFORMATCONSOLE 5 See also LOGFORMAT, LOGFORMATEMS, LOGFORMATFILE LOGFORMATEMS Use this parameter to control the format of the log messages that are written to EMS. Parameter Syntax LOGFORMATEMS format Arguments format
  • Page 63: LOGFORMATFILE

    7 (decimal 64) Log Level of Message Default If omitted, the file log format is derived from LOGFORMAT. Example Display date, time, and milliseconds only: LOGFORMATFILE 13 Display date, time only: LOGFORMATFILE 5
  • Page 64: LOGLEVEL

    Different log levels can be used for the outputs to LOGCONSOLE, LOGLEVELEMS, and LOGFILE. • The parameter can be changed at run time using SSLCOM, please see chapter "SSLCOM Command Interface" for details. See also LOGCONSOLE, LOGLEVEL, LOGFORMATCONSOLE
  • Page 65: LOGLEVELEMS

    The parameter can be changed at run time using SSLCOM, please see chapter "SSLCOM Command Interface" for details. See also LOGFILE, LOGLEVEL, LOGMAXFILELENGTH, LOGFORMATFILE, LOGFILERETENTION LOGMAXFILELENGTH Use this parameter to control the maximum size of a log file. Parameter Syntax LOGMAXFILELENGTH length
  • Page 66: LOGMEMORY

    Parameter Syntax LOGMEMORY number_of_io’s Arguments number_of_io’s a number representing after how many I/O operations HP NonStop SSL will send its memory usage to the log output Default The default is 0 meaning that memory usage will not be logged Considerations •...
  • Page 67: MAXVERSION

    The default for this parameter is "3.1" Considerations • For security reasons, it is recommended to use the latest version of the TLS protocol as standardized by the IETF (3.1). This requires setting MINVERSION to "3.1".
  • Page 68: PASSIVE

    • HP NonStop SSL in FTPS mode currently only supports passive mode, therefore to interact with HP NonStop SSL in FTPS mode, make sure to set the PASSIVE parameter to 1 for HP NonStop SSL running in FTPC mode. PEERCERTCOMMONNAME Use this parameter to enforce verification of the content of remote certificates presented to HP NonStop SSL.
  • Page 69: PEERCERTFINGERPRINT

    Fingerprints will be compared both as MD5 and SHA1 hashes, however for security reasons you should not use MD5 anymore. • If the matching fails, the session will be rejected. PORT Use this parameter to specify the port number on which a HP NonStop SSL server should listen for incoming connections. Parameter Syntax PORT number Arguments number the decimal number of a TCP/IP port.
  • Page 70: PTCPIPFILTERKEY

    Arguments password a password serving as a key to enable round robin filtering for multiple instances of HP NonStop SSL servers listening on the same port. The password will override the value of the DEFINE =PTCPIP^FILTER^KEY, which may have been passed to HP NonStop SSL at startup.
  • Page 71: SERVCERT

    The second possible value for ROUTINGMODE is "D" which stands for dynamic routing. In that case the first network packet sent to HP NonStop SSL needs to contain the destination IP address and port on the NonStop system in dotted decimal notation, preceded by a "D"...
  • Page 72: SERVKEY

    SERVKEY $DATA1.SSL.MYKEY Considerations • The private key data in the file is password encrypted. For HP NonStop SSL to be able to decrypt the file, the correct password must be specified by the SERVKEYPASS parameter. • A private key file for testing purposes is delivered as "SERVKEY" file on the HP NonStop SSL installation subvolume to enable quick start installation.
  • Page 73: SLOWDOWN

    The impact of HP NonStop SSL high volume data encryption/decryption can also be influenced by the priority of the HP NonStop SSL process. However, if it is desirable to run HP NonStop SSL at a higher priority than the target plain servers/clients, the SLOWDOWN can be used to limit the impact of the cryptographic operations.
  • Page 74: SRCIPADDR, SRCIPPORT

    SOCKS user name to be used to authenticate against the SOCKS server. Default If omitted, HP NonStop SSL will use a value of * for SOCKSHOST meaning the SOCKS protocol will not be used. Example SOCKSHOST 172.3.5.99 SOCKSPORT 1911...
  • Page 75: SUBNET

    • If you use TCPIPV6 and want to share identical ports across multiple HP NonStop SSL processes, you need to add an identical DEFINE to all instances sharing that port as in the following example (please refer to the HP NonStop manual "...
  • Page 76: TARGETINTERFACE

    The following commands are considered sensitive: all SET commands LOGMESSAGE, ROLLOVER LOGFILE and RELOAD CERTIFICATES TARGETINTERFACE Use this parameter to specify the IP address HP NonStop SSL should use for local binding of outgoing connections. Parameter Syntax TARGETINTERFACE ip-address Arguments ip-address the IP address to bind to or “*”...
  • Page 77: TARGETHOSTFORCE

    This FTPC only parameter can be used in combination with TARGETHOST to force the override of the targethost in the FTPC user command. HP NonStop SSL will use the TARGETHOST (if set) in FTPC to default to a certain host if none is given in the actual user command.
  • Page 78: TARGETPORTFORCE

    This FTPC only parameter can be used in combination with TARGETPORT to force the override of the target port in the FTPC user command. HP NonStop SSL will use the TARGETPORT (if set) in FTPC to default to a certain port if none is given in the actual user command.
  • Page 79: TCPIPHOSTFILE

    DNS name resolution. The node file will override the value of the DEFINE =TCPIP^NODE^FILE, which may have been passed to HP NonStop SSL at startup. No node file will be set. However, any DEFINE =TCPIP^NODE^FILE passed to HP NonStop SSL at startup will remain in effect.
  • Page 80: TCPNODELAY

    Considerations • See the HP NonStop manual for details of the usage of the DEFINE =TCPIP^RESOLVER^NAME. TCPNODELAY Use this parameter to specify whether RFC1323 will be activated on all sockets which HP NonStop SSL controls. Parameter Syntax TCPNODELAY boolean Arguments boolean If set to TRUE or 1 or Yes, HP NonStop SSL will activate RFC1323.
  • Page 81 CA certificate in PKCS-8 DER encoded format Default If omitted, HP NonStop SSL will not check the TLS/SSL partner's certificate chain. Examples TRUST WHIRLPOOL:85A8DAF0D76139154335C46E5E53C5A175CC1BDB8B7D80716CF19A93EDB75046F4BDD9BCDC005DAA5433D2DBCE47AF0D4A2C9EB6DDBD1F94EF166308EA47FE73, SHA256:1F4F7E0A6E1E92DDD6D5411C371C100B74DD7D32EAE7F447486AA4DAC5F43056 TRUST rootcert Considerations • The TRUST parameter can be specified in two ways: either by specifying the fingerprints of the CA certificates or by specifying a filename containing the full certificate in DER encoding.
  • Page 82: Advanced Configuration Topics

    Multiple SSL Tunnels in a Single Process A single HP NonStop SSL process can listen on multiple ports at once and forward them to different IP addresses/port numbers. The following parameters are global to a single HP NonStop SSL instance: •...
  • Page 83 EXPAND. Load will also be re-distributed dynamically and transparently, if a CPU of a HP NonStop SSL EXPANDS process is heavily loaded by processes with a higher priority. Hence, bandwidth can be preserved, even if the HP NonStop SSL processes run at a low priority to avoid impact on critical application processes.
  • Page 84 The SSL tunnel was associated to the line using the same SRCIPPORT and DESTIPPORT parameters as in the line configuration. • The DESTIPADDR parameter of the HP NonStop SSL EXPANDS processes was set to the remote system's IP address.
  • Page 85: Monitoring

    Monitoring Overview HP NonStop SSL writes log and audit messages to a terminal, to a file, or to EMS. This is controlled by the parameters LOGCONSOLE, LOGFILE and LOGEMS for log messages and AUDITCONSOLE, AUDITFILE and AUDITEMS for audit messages. Messages can be written to any combination of those three “targets” (i.e. a single one, two of them, all of them, none of them).
  • Page 86: Log And Audit Level Recommendations

    Customizing the Log and Audit Format HP NonStop SSL allows customizing the appearance of the log or audit messages to a certain extent. For example, you may add the current date to the log message header. Please refer to the AUDITFORMATEMS, AUDITFORMATCONSOLE, AUDITFORMATFILE, LOGFORMATCONSOLE, LOGFORMATEMS, and LOGFORMATFILE parameter descriptions for details.
  • Page 87 3> SHOWLOG FTPCLOG comForte SHOWLOG log file converter Version T9999A05_16Apr2009_comForte_SHOWLOG_0022 starting at binary offset 0 ---processing in-file 'ftpclog' $FCMH |23Jun10 12:43:09.91| 5|HP SSLOBJ version T0910H01_15Jun2010_HP_1059 $FCMH |23Jun10 12:43:09.92|10|using OpenSSL 1.0.0 29 Mar 2010 - see http://www.openssl.org $FCMH |23Jun10 12:43:09.92|10|config file: '$DATA1.T0910.FCMHCF'...
  • Page 88 Note: By using '*' as the second runtime argument the output is written to the home terminal. When using the byte offset parameter or the byte offset parameter and length parameter, the out file parameter must be entered as well.
  • Page 89: Viewing File Contents From OSS

    Logfile/Auditfile Rollover When logging to a file, HP NonStop SSL uses round-robin to switch to a new file. Logfile rollover applies both to auditing (to the file configured with the AUDITFILE parameter) and to logging (to the file configured with the LOGFILE parameter).
  • Page 91: SSLCOM Command Interface

    SSLCOM Command Interface Using SSLCOM, you can: • get an overview of the status of a HP NonStop SSL process • list sessions which are currently open and obtain detailed information about single sessions (limited to certain run modes) •...
  • Page 92: Usage Of SSLCOM: A Sample Session

    Usage of SSLCOM: a Sample Session The usage of SSLCOM is similar to the HP PATHCOM program. You connect to an existing HP NonStop SSL instance using the OPEN command, then you issue commands against that instance of HP NonStop SSL. The HELP command will give you a brief overview of the supported commands.
  • Page 93: Supported Commands

    SET commands have been used from within SSLCOM to change values. In run modes ending with an "S", the fingerprint of the root certificate will be displayed. The number of sockets as well as the CPU ms used by HP NonStop SSL will be displayed. •...
  • Page 94: The CONNECTION Commands

    The CONNECTION Commands In the run modes TELNETS, PROXYS, PROXYC, FTPS and FTPC, HP NonStop SSL will have a set of TCP/IP connections open during normal operation. The number of open connections can vary between zero and several hundred. With the commands described in the following sections, HP NonStop SSL can display information about the connections.
  • Page 95: Connections, Detail

    Note: The first column contains the local port of the connection. This number is used to access an individual session with the INFO CONNECTION or RENEGOTIATE CONNECTION commands. CONNECTIONS, DETAIL The CONNECTIONS, DETAIL command displays the list of connections with some additional information on each line. CONNECTIONINFOFORMATDETAILED EXTENDED (default since HP NonStop SSL AAE): % connections, detail connections, detail +-----+-----------------------------------------------------------------------+...
  • Page 96: Info Connection

    The SSL protocol allows both parties to initiate a new SSL handshake to refresh the session keys. The RENEGOTIATE CONNECTION command lets HP NonStop SSL do that from the server side. The following two log messages show that a renegotiation has been successful.
  • Page 97: Sslinfo Command

    • HP NonStop SSL does some limited tests on the new certificate chain. However, some errors in the certificate chain cannot be detected by merely loading the certificates. It is thus recommended to immediately check the new certificate chain with the SSLINFO command as well as with creating a new client connection.
  • Page 99: Ssl Reference

    IETF as Transport Layer Security (TLS) protocol. SSL has been universally accepted on the Internet for authenticated and encrypted communication between clients and servers and is used in millions of browsers around the world. HP NonStop SSL implements SSL using OpenSSL (© acknowledged). SSL Features The SSL protocol has the following basic properties: •...
  • Page 100: Implementation Overview

    Cipher Suites HP NonStop SSL uses the SSL protocol - as used in standard browsers and servers - for session security. It supports SSL 2.0, SSL 3.0 and the latest version SSL 3.1, which has been standardized by the IETF as Transport Layer Security (TLS) protocol.
  • Page 101: Configuring Ssl For Production As Ssl Server

    If HP NonStop SSL is running as SSL server (run modes FTPS, TELNETS, PROXYS, EXPANDS) HP NonStop SSL will send the configured server certificates to the client. It is up to the client to check for the proper server certificates. The certificates are configured using the parameters SERVKEY, SERVKEYPASS, SERVCERT and CACERTS;...
  • Page 102: The Public/Private Key Pair

    CA certificate to HP NonStop SSL with the CACERTS parameter, the root CA certificate file needs to be uploaded to the system on which HP NonStop SSL is installed. If you received the root CA certificate in BASE64-encoded format, you may convert it for HP NonStop SSL usage just like the BASE64-encoded server certificate.
  • Page 103: Example: How To Generate Ssl Certificates Using Openssl

    This example shows how to create a self-signed CA certificate and a server certificate signed by the CA certificate, and how to convert the certificates into the format used by HP NonStop SSL, as well as setting the appropriate configuration parameters.
  • Page 104 Note that the private key file SERVKEY must NOT be transferred over a plain connection such as FTP. If NonStop SSL is not already installed, it is recommended to use SFTP for certificate/key transfers. ...
  • Page 105 SERVKEY put ca\cacert.der CACERT Note: the NonStop SSL installation subvolume $system.znsssl contains a set of test certificates that should not be used in production systems. Unless the configuration file contains parameter settings pointing to a different set of certificates, the default certificates in znsssl will be used.
  • Page 106 Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated C:\Comforte\OpenSSL_certificates>openssl x509 -inform PEM -outform DER -in server\servcert.pem -out server\servcert.der C:\Comforte\OpenSSL_certificates> ...
  • Page 107: Requesting The Ssl Client To Present A Client Certificate

    If the client sends no certificate or an invalid one, the connection will be rejected. Configuring SSL for Production as SSL Client In run modes PROXYC and FTPC, HP NonStop SSL will be an SSL client. This section is only relevant for those run modes.
  • Page 108: Security Considerations

    3. If CACERTS contains the signing certificate(s), HP NonStop SSL will send the whole certificate chain to the server. CACERTS $SYSTEM.MYCERT.CACERT CLIENTKEY $SYSTEM.MYCERT.CLNTKEY CLIENTKEYPASS mysecret CLIENTCERT $SYSTEM.MYCERT.CLNTCERT Security Considerations While SSL is a very powerful and flexible protocol to encrypt TCP/IP traffic, it has to be used properly to be protected against some common attacks.
  • Page 109: Tls Alerts

    Note: If you authenticate the HP NonStop SSL server in your clients, you should consider basing trust on the Root CA certificate (e.g. check the Root CA fingerprint). In case the server certificate is compromised you can simply replace it without having to update your client configuration.
  • Page 111: Remote Ssl Proxy

    HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform. Usage of the LPDS server mode is supported in combination with the Microsoft Windows platform only.
  • Page 112: Remoteproxy Configuration

    The "HP NonStop SSL RemoteProxy" window will list all configured "proxy" sessions. After the installation the list will be empty. The example pictured above shows 2 configured "proxy" sessions (for ODBC/MX and RSC), with the following information: •...
  • Page 113: The Session Properties Window

    RemoteProxy connects for this session) must be entered into the field "Certificate Fingerprint". The fingerprint must be derived from the Root Certificate separately and calculated using the MD5 algorithm. ...
  • Page 114: Session Parameter List

    Session is configured for running as a client and SSL Client Authentication is to be used. Note: We strongly recommend not to rely on the default test certificates, which are delivered with HP NonStop SSL for testing purposes only! The "Advanced Tab"...
  • Page 115: Copying A Configuration To Other Workstations

    Options parameters for the proxy. You should only enter values when advised to do so by HP or comForte Support. Copying a Configuration to Other Workstations The RemoteProxy configuration is stored in the registry. Identical configuration of multiple target PCs can be achieved as follows: 1.
  • Page 117: Appendix

    Displays the name of the configuration file HP NonStop SSL has been started with runtime args: '<list of runtime args>' If HP NonStop SSL has been started with runtime arguments instead of, or in addition to, a configuration file or TACL PARAMs, those arguments are displayed.
  • Page 118 FTP server proxy started on target host <hostname or ip address>, target port <port number>, source port <port number> Notification about the HP NonStop SSL being started in FTPS mode and connecting to target host, on target port while accepting connections on source port.
  • Page 119: Warning Messages

    HP NonStop SSL, see parameters ALLOWIP and DENYIP for details certificate not yet valid Warning that the certificate currently being processed by HP NonStop SSL is not yet valid, i.e. it has a "from date" starting in the future. certificate expired Warning that the certificate currently being processed by HP NonStop SSL has expired, i.e.
  • Page 120 "EPSV ALL" command and later tries to open up an FTP data connection with a command other than EPSV, this error message will be generated. If you see this error, please contact HP support or the FTP client vendor.
  • Page 121 AUTH SSL reply: '<reply>' This warning indicates that the FTP server sent an unexpected reply to the AUTH SSL command. Please contact HP support. reply to EPRT command from FTP server has error: '<detailed reason>' This warning indicates that the FTP server sent an unexpected reply to the EPRT command.
  • Page 122 This message occurs when a DNS host entry was specified, e.g. for TARGETHOST but the DNS resolution fails. HP NonStop SSL will resolve the hostname every time it connects and - to make sure that the DNS entry is valid initially - during startup.
  • Page 123: Informational Messages

    The process ran out of heap space and could not allocate further memory. Could not set cipher string "ALL" on dummySSLCtx in internal_set_cipher_list This message might indicate a bug, please contact HP support. Could not set cipherstring "HIGH:!ADH:!PSK:RC4" to main openssl_high context, using default ciphers <default_ciphers>...
  • Page 124: Fatal Errors

    Error condition which is caused either by another application listening on the same port or by configuring HP NonStop SSL with a PORT param less than 1024 while not starting HP NonStop SSL under the SUPER user logon. HP NonStop SSL terminates.
  • Page 125 Invalid IPMODE specified, ODBC/MX does only support IPv4 This error occurs when an IPMODE other than IPv4 was specified in run mode ODBC/MX. Although ODBC/MX supports IPv6 starting with release H06.26/J06.15, NonStop SSL currently only supports ODBCMXS mode for IPv4.
  • Page 126: Troubleshooting Of Typical Errors

    Decode Error If a message with a "Decode Error" occurs in the HP NonStop SSL log, a client may have tried to create a non-secure connection to a secure HP NonStop SSL server (FTPS, TELNETS, etc.).
  • Page 127: Invalid Address

    Security violation (error 4013) If HP NonStop SSL fails with a security violation, you may have attempted to start HP NonStop SSL to listen on a PORT smaller than 1024 without having a SUPER group user id.