Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
Who Should Read This Guide ... 7
Document History ... 7
Introduction
What is the Purpose of HP NonStop SSL? ... 9
HP NonStop SSL Features ... 10
Support of SSL and TLS Protocol Standards ... 10
Fault-Tolerance ... 10
SSL-enabling for HP Client Components Running on Microsoft Windows Systems ...
Obtaining a Certificate from a Third Party CA ... 102
Acting As Your Own CA ... 102
Example: How to Generate SSL Certificates Using OpenSSL ... 103
Requesting the SSL Client to Present a Client Certificate ... 107
Contents • v HP NonStop SSL Reference Manual
Troubleshooting of Typical Errors ... 126
Address already in use ... 126
Could not open xxx file ... 126
Decode Error ... 126
Handshake Error ... 126
Invalid address ... 127
Security violation (error 4013) ... 127
Preface
Who Should Read This Guide
This document is for system administrators who are responsible for configuring HP NonStop SSL to secure Telnet, FTP or middleware communication for ODBC, RSC and other protocols used by HP products.
Document History
Version 1.6 •...
• This is the initial version of this manual.
To support the above functions, HP NonStop SSL proxy processes can be started in different modes. These so-called "run modes" of an HP NonStop SSL proxy are listed in square brackets in the list above. Multiple HP NonStop SSL proxy processes can co-exist on a single NonStop system to support concurrent proxy services, as well as multiple TCP/IP processes.
HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform. Usage of the LPDS server mode is supported in combination with the Microsoft Windows platform only.
Typically, an HP NonStop SSL proxy will reside on the same IP process on the same system as the TCP server it tunnels the session to, which allows creating a "local loopback" session (a connection to "127.0.0.1" for IPv4, or "::1"...
HP NonStop SSL secure FTP proxies front-ending standard FTP and FTPSERV
Acting as a proxy server, HP NonStop SSL will use secure FTP connections with the FTP partner and "tunnel" them to a plain FTP client or server. The HP NonStop SSL FTPS proxy intercepts the communication on the FTP command socket to add encryption for both the command and data sockets.
SSL FTP partner the HP NonStop SSL proxy acts as an RFC 2228 compliant secure FTP server or client.
Secure Proxy for EXPAND-over-IP
HP NonStop SSL running in EXPANDS mode encrypts EXPAND-over-IP traffic between two NonStop systems. It does...
ODBCMXS mode is currently only valid with IPMODE IPv4.
Limiting Remote IP Addresses
HP NonStop SSL can be configured to allow only certain remote IP addresses. By default, HP NonStop SSL will allow connections from any IP address; this behavior can be changed by 1.
Installation General Considerations HP NonStop SSL is made available by HP with the purchase of the NonStop Operating System kernel for H Series and J Series NonStop platforms. The files of the package are located on $SYSTEM.ZNSSSL. HP NonStop SSL is not pre-installed or pre-configured. You have to install it depending on your requirements.
IPv6 Considerations
With HP NonStop SSL AAE, IPv6 support was introduced. The new parameter IPMODE was introduced for this purpose:
IPMODE {IPv4|IPv6|DUAL}
If not specified, the IPMODE parameter will default to IPv4. When IPMODE DUAL is specified, SSLOBJ will listen on both IPv4 and IPv6 with one single dual-mode socket.
HP NonStop SSL configuration parameter settings as described in the "Parameter Reference". Note: When you start a HP NonStop SSL process in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set the parameter LOGCONSOLE to *. Installing a Secure Telnet Server Proxy...
To create a secure connection with a secure Telnet client 1. Configure your SSL Telnet client to connect to the address and port number the HP NonStop SSL secure telnet proxy listens for incoming connections. Make sure that the client has the SSL protocol enabled for the session.
To create a secure connection with an FTP-TLS enabled FTP client 1. Configure your FTP client to connect to the address and port number the HP NonStop SSL secure FTPS proxy listens for incoming connections. Make sure that the client has the FTP-TLS protocol enabled for the session.
TARGETHOST and TARGETPORT. The respective parameter values will be taken into account if the user does not specify the corresponding value, or if HP NonStop SSL was configured to always use the values of TARGETHOST or TARGETPORT by means of the additional parameter TARGETHOSTFORCE or TARGETPORTFORCE.
To install an SSL tunnel for Remote Server Call (RSC) communication, you will need to perform the following steps: 1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target TDP server process.
To configure RSC to connect via the RemoteProxy 1. On the RSC workstation, locate the PIPE.INI file that is used by HP Piccolo. 2. In the PIPE.INI file, add an entry for your relevant RemoteProxy session in the [Resolver] section. The entry itself assigns an alias host name (1st argument) for a connection over a specified protocol (2nd argument) to a given peer.
To implement HP NonStop SSL to encrypt an Open Database Connectivity ODBC/MP connection, you will need to perform the following steps: 1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target ODBC server process.
PROXY.EXE. 2. On the ODBC/MP client workstation, run PROXY.EXE to start the RemoteProxy installation program and follow the installation instructions. 3. Double-click on the HP NonStop SSL RemoteProxy icon in your system tray. The "RemoteProxy" configuration window will be displayed.
NonStop system. 2. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.
Note 2: NonStop ODBC/MX uses multiple port numbers to create connections between the ODBC/MX clients and the NonStop server. HP NonStop SSL is aware of that and "multiplexes" many connections over a single IP connection between the clients and the NonStop server. That has two benefits: - only a single port needs to be open at the firewall.
When logging with default log level 50, the last message of the log should then be similar to the following:
$ODBS0|29Jul12 16:31:29.37|30|-- ODBCMXS setup completed, starting to listen... --
Note: Earlier versions of HP NonStop SSL might write out a "target port" with the above log message, though it is not relevant for the setup.
NonStop system. 2. You may check the successful creation of the session through the proxy by examining the messages with the "View Log" command in the "Session Properties" screen of the RemoteProxy.
Creating an SSL tunnel for an EXPAND-over-IP line requires running an HP NonStop SSL process in EXPANDS mode for the line handler on both sides of the connection. The configuration of the HP NonStop SSL processes can be easily derived from the existing line handler configuration of the EXPAND-over-IP line. To enable the tunneling, only a single line handler attribute needs to be changed.
On startup, HP NonStop SSL parses the given configuration parameters sources. A single parameter may be specified in multiple sources, e.g. in the configuration file and on the startup command line. In this case, HP NonStop SSL will process parameters with the following precedence (highest to lowest): 1.
The configuration file is an edit type file which can be created and modified with a standard NonStop editor such as TEDIT. The name of the file that a HP NonStop SSL process should use as configuration source is passed to the program during startup.
Startup Line Parameters HP NonStop SSL configuration parameters can be passed on the startup line as follows (for a complete description of the RUN SSLOBJ see section "Starting an HP NonStop SSL Process"): <parameter name> <parameter value>; <parameter name> <parameter value>; ...
FTPMINPORT The minimum port number HP NonStop SSL will use for FTP data connections. INTERFACE Controls the IP address HP NonStop SSL will bind to for connections made to HP NonStop SSL. IPMODE Specifies the TCP/IP mode (IPv4/IPv6/Dual) HP NonStop SSL will run in.
Parameter Syntax ALLOWCERTERRORS number1 [, number2, ...] Arguments number comma-separated list of certificate errors which HP NonStop SSL should ignore. The error numbers are defined in the OpenSSL sources used for HP NonStop SSL (see Considerations). Considerations • Warning: The usage of this parameter may compromise the security of your configuration. Use only as workaround and with care.
X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION X509_V_ERR_KEYUSAGE_NO_CRL_SIGN X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION X509_V_ERR_APPLICATION_VERIFICATION
Default If omitted, HP NonStop SSL will work normally (all certificate validation errors are treated as such and connection attempts will fail)
Example ALLOWCERTERRORS 10
This will temporarily allow expired certificates (error number 10 is X509_V_ERR_CERT_HAS_EXPIRED in OpenSSL). Remove the setting again as soon as the certificate has been renewed.
Use this parameter to specify which remote IP addresses are to be allowed to establish sessions ("white list"). Note: With HP NonStop SSL AAE, the parameter syntax for specifying subnets has been changed to using Classless Interdomain Routing (CIDR) format in order to prevent ambiguous subnet specification and simplify usage, especially with IPv6 entries.
AUDITASCIIONLY Use this parameter to define how HP NonStop SSL writes raw data to the audit log. Parameter Syntax AUDITASCIIONLY TRUE | FALSE Arguments TRUE Data will be dumped in ASCII format; binary values with coded character will be represented as <hh> where hh is the hexadecimal representation of the binary value.
By default, a value of -1 will be used.
See also AUDITASCIIONLY
AUDITCONSOLE
Use this parameter to define if and to what console device HP NonStop SSL audit messages are written.
Parameter Syntax AUDITCONSOLE * | % | $0 | auditdevice
Arguments...
Audit messages will depend on the run mode; see parameter AUDITLEVEL for details.
See also AUDITCONSOLE, AUDITLEVEL, AUDITFORMAT
AUDITFILERETENTION
Use this parameter to control how many audit files HP NonStop SSL keeps when audit file rollover occurs.
Parameter Syntax AUDITFILERETENTION n
Arguments...
Logon of user Network events (connect, disconnect) FTP operations Network events (connect, disconnect) Data flowing through HP NonStop SSL: byte count only Data flowing through HP NonStop SSL: full byte dump (see parameter AUDITASCIIONLY for details) • For PROXYS, PROXYC and ODBCMXS, we recommend 50 for basic auditing and 99 for extended auditing including full traffic log.
CACERTS file1 [, file2, ...]
Arguments file1, file2, ... the designated files are DER encoded X.509 CA certificates.
Default If omitted, HP NonStop SSL will search for a single "CACERT" file on the default subvolume.
Example CACERTS $DATA1.SSL.MYCA, $DATA1.SSL.MYROOTCA
Considerations
If a value of * is used for CACERTS, it will be assumed that the client or server certificate is self-signed. • A CA certificate for testing purposes is delivered as CACERT file on the HP NonStop SSL installation subvolume to enable quick start installation. This test CA certificate signs the test server certificate contained in SERVCERT or CLIENTCERT.
• When running as an SSL client, CIPHERSUITES specifies the cipher suites that should be allowed in order of preference (favorite choice first). During the SSL handshake, HP NonStop SSL will present the list of cipher...
No certificate request will be sent to the client file1, file2, ... DER encoded X.509 CA certificate(s) which sign the certificate to be sent by the SSL client to HP NonStop SSL. If the SSL client cannot send such a certificate, the connection setup will fail.
This parameter only applies to the run modes PROXYC and FTPC; it will be ignored in other run modes. • The private key data in the file is password encrypted. For HP NonStop SSL to be able to decrypt the file, the correct password must be specified by the CLIENTKEYPASS parameter.
The default password ("test") enables quick start installation with the "CLIENTKEY" private key file delivered with HP NonStop SSL. See also CLIENTCERT, CLIENTKEY
CONFIG
Use this parameter to specify a configuration file for an HP NonStop SSL process. Parameter Syntax CONFIG file Arguments file the name of the configuration file.
CSV : designates output as comma-separated values, primarily targeted to simplify automated parsing of the output. Default Starting with HP NonStop SSL AAE, the default format will be EXTENDED. Prior to that it was ORIGINAL, but not configurable. EXAMPLE CONNECTIONINFOFORMAT ORIGINAL Considerations •...
CONTENTFILTER CFILTER Considerations • The value of the parameter can be changed without stopping HP NonStop SSL using the SSLCOM command SET CONTENTFILTER file. • The following example shows the syntax of the filter rules. This example will only allow messages starting with "<A"...
Backwards compatibility to the former syntax is preserved; however, in the mid-term ALLOWIP and DENYIP entries should be changed to CIDR format.
Default If omitted, HP NonStop SSL will use an empty entry, respectively *DEFAULT*, to not forbid any remote IP addresses.
Example
DENYIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
DENYIP A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]...
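The following is an added example, not code from the HP NonStop SSL product or manual. It reproduces in Python the remote-address filtering that ALLOWIP and DENYIP describe: comma-separated entries in CIDR notation, IPv6 entries written in square brackets as in the DENYIP example above, single addresses without a prefix, the *DEFAULT* marker, and the IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) that an IPMODE DUAL listener sees for IPv4 clients. The precedence rule used here (a DENYIP match always wins over an ALLOWIP match) is an assumption for this example; the manual does not spell it out.

```python
"""CIDR white/black list check for the ALLOWIP and DENYIP parameters.

Added example (not HP NonStop SSL code). Assumption: a DENYIP match always
wins over an ALLOWIP match.
"""
import ipaddress

DEFAULT_MARK = "*DEFAULT*"   # manual: empty entry or *DEFAULT* means no restriction


def parse_entries(spec):
    """Parse 'a, b, [c]' into ip_network objects.

    Accepts single addresses (treated as /32 or /128), CIDR prefixes and the
    bracketed IPv6 form used in the manual's DENYIP example.
    """
    nets = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item or item == DEFAULT_MARK:
            continue
        if item.startswith("[") and item.endswith("]"):
            item = item[1:-1]
        # strict=False tolerates host bits, e.g. 172.22.22.42 without a prefix
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def address_forms(addr):
    """Return every form of the peer address that should be matched.

    With IPMODE DUAL an IPv4 client arrives as ::ffff:a.b.c.d; match that
    and the plain IPv4 address so an IPv4 DENYIP entry still applies.
    """
    ip = ipaddress.ip_address(addr)
    forms = [ip]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        forms.append(ip.ipv4_mapped)
    return forms


def matches(addr, nets):
    # ipaddress returns False (rather than raising) for a v4/v6 mismatch
    return any(form in net for form in address_forms(addr) for net in nets)


def connection_allowed(remote, allowip="", denyip=""):
    """Decide whether a remote address may establish a session."""
    if matches(remote, parse_entries(denyip)):
        return False
    allow = parse_entries(allowip)
    if allow and not matches(remote, allow):
        return False
    return True          # default: any address is allowed


if __name__ == "__main__":
    # constructed values, following the manual's DENYIP example
    deny = "10.0.1.0/24, 10.0.2.0/24, 172.22.22.42, [abcd::ef00/120]"
    for peer in ("10.0.1.7", "::ffff:10.0.2.200", "10.0.3.7", "abcd::ef42"):
        verdict = "allowed" if connection_allowed(peer, denyip=deny) else "rejected"
        print(peer, "->", verdict)
```

The mapped-address case is the one to test on a DUAL listener: a DENYIP entry written as 10.0.2.0/24 must still reject a client that the stack reports as ::ffff:10.0.2.200, which is why address_forms() checks both forms.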
Use this parameter to log selected errors with LOGLEVEL 20 rather than as WARNING. By default, all errors on sockets result in a WARNING being displayed in the HP NonStop SSL log. Using this parameter, a log message with LOGLEVEL 20 will be issued instead for the configured error numbers.
This parameter is relevant only if HP NonStop SSL is running in the FTPS mode. FTPCALLOW200REPLY Use this parameter to specify whether HP NonStop SSL will allow an illegal "200" response to the AUTH TLS command sent to the remote FTP/TLS server.
FTP/TLS server with HP NonStop SSL in FTPC mode. FTPLOCALDATAPORT Use this parameter to specify how HP NonStop SSL will pick the local data port for the data connection in FTPC mode with PASSIVE set to true.
You can change this value to make sure that the FTP data connections will not interfere with other TCP/IP services on your system. INTERFACE Use this parameter to specify the IP address HP NonStop SSL should use for local binding on incoming connections. Parameter Syntax INTERFACE ip-address...
NonStop FTP client) • Use this parameter to control which IP address HP NonStop SSL binds to for incoming connections. • If a host name rather than an IP address is used to configure INTERFACE, name resolution will take place only once during startup.
Default By default, keep alive messages are sent (1).
LOGCONSOLE
Use this parameter to define if and to what console device HP NonStop SSL log messages are written.
Parameter Syntax LOGCONSOLE * | % | $0 | logdevice
Arguments...
Interface" for details. • If the EMS collector cannot be opened during startup, HP NonStop SSL will terminate. If the EMS collector cannot be opened after changing it through SSLCOM, the old collector will stay active. See also LOGLEVELEMS, LOGFORMATEMS, LOGMAXFILELENGTH, LOGFILERETENTION
LOGFILE
Use this parameter to define if and to what file HP NonStop SSL log messages are written.
Rollover" in chapter "Monitoring" for details on logfile rollover. See also LOGLEVELFILE, LOGFORMATFILE, LOGMAXFILELENGTH, LOGFILERETENTION LOGFILERETENTION Use this parameter to control how many log files HP NonStop SSL keeps when logfile rollover occurs Parameter Syntax LOGFILERETENTION n Arguments number of log files to keep Default By default, 10 files are kept.
Display date, time only: LOGFORMATCONSOLE 5
See also LOGFORMAT, LOGFORMATEMS, LOGFORMATFILE
LOGFORMATEMS
Use this parameter to control the format of the log messages that are written to EMS.
Parameter Syntax LOGFORMATEMS format
Arguments format
7 (decimal 64) Log Level of Message
Default If omitted, the file log format is derived from LOGFORMAT.
Example Display date, time, and milliseconds only: LOGFORMATFILE 13
Display date, time only: LOGFORMATFILE 5
Different log levels can be used for the outputs to LOGCONSOLE, LOGEMS (see LOGLEVELEMS), and LOGFILE (see LOGLEVELFILE). • The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details. See also LOGCONSOLE, LOGLEVEL, LOGFORMATCONSOLE
The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details. See also LOGFILE, LOGLEVEL, LOGMAXFILELENGTH, LOGFORMATFILE, LOGFILERETENTION
LOGMAXFILELENGTH
Use this parameter to control the maximum size of a log file.
Parameter Syntax LOGMAXFILELENGTH length
Parameter Syntax LOGMEMORY number_of_io’s Arguments number_of_io’s a number representing after how many I/O operations HP NonStop SSL will send its memory usage to the log output Default The default is 0 meaning that memory usage will not be logged Considerations •...
The default for this parameter is "3.1"
Considerations • For security reasons, it is recommended to use the latest version of the TLS protocol as standardized by the IETF (3.1). This requires setting MINVERSION to "3.1". Note that "3.1" is the SSL-internal version number of TLS 1.0; later TLS versions have since been standardized and RFC 8996 deprecated TLS 1.0 and 1.1, so set MINVERSION to the highest value the installed HP NonStop SSL release accepts and verify that all clients can still connect.
• HP NonStop SSL in FTPS mode currently only supports passive mode, therefore to interact with HP NonStop SSL in FTPS mode, make sure to set the PASSIVE parameter to 1 for HP NonStop SSL running in FTPC mode. PEERCERTCOMMONNAME Use this parameter to enforce verification of the content of remote certificates presented to HP NonStop SSL.
Fingerprints will be compared both as MD5 and SHA1 hashes; however, for security reasons you should not use MD5 anymore, and since SHA-1 is no longer collision resistant either, prefer the TRUST parameter with a SHA256 fingerprint where the installed release supports it. • If the matching fails, the session will be rejected.
PORT
Use this parameter to specify the port number on which an HP NonStop SSL server should listen for incoming connections.
Parameter Syntax PORT number
Arguments number the decimal number of a TCP/IP port.
Arguments password a password serving as a key to enable round robin filtering for multiple instances of HP NonStop SSL servers listening on the same port. The password will override the value of the DEFINE =PTCPIP^FILTER^KEY, which may have been passed to HP NonStop SSL at startup.
The second possible value for ROUTINGMODE is "D" which stands for dynamic routing. In that case the first network packet sent to HP NonStop SSL needs to contain the destination IP address and port on the NonStop system in dotted decimal notation, preceded by a "D"...
SERVKEY $DATA1.SSL.MYKEY Considerations • The private key data in the file is password encrypted. For HP NonStop SSL to be able to decrypt the file, the correct password must be specified by the SERVKEYPASS parameter. • A private key file for testing purposes is delivered as "SERVKEY" file on the HP NonStop SSL installation subvolume to enable quick start installation.
The impact of HP NonStop SSL high volume data encryption/decryption can also be influenced by the priority of the HP NonStop SSL process. However, if it is desirable to run HP NonStop SSL at a higher priority than the target plain servers/clients, the SLOWDOWN parameter can be used to limit the impact of the cryptographic operations.
SOCKS user name to be used to authenticate against the SOCKS server. Default If omitted, HP NonStop SSL will use a value of * for SOCKSHOST meaning the SOCKS protocol will not be used. Example SOCKSHOST 172.3.5.99 SOCKSPORT 1911...
• If you use TCPIPV6 and want to share identical ports across multiple HP NonStop SSL processes, you need to add an identical DEFINE to all instances sharing that port as in the following example (please refer to the HP NonStop manual "...
The following commands are considered sensitive: all SET commands, LOGMESSAGE, ROLLOVER LOGFILE and RELOAD CERTIFICATES.
TARGETINTERFACE
Use this parameter to specify the IP address HP NonStop SSL should use for local binding of outgoing connections.
Parameter Syntax TARGETINTERFACE ip-address
Arguments ip-address the IP address to bind to or “*”...
This FTPC only parameter can be used in combination with TARGETHOST to force the override of the targethost in the FTPC user command. HP NonStop SSL will use the TARGETHOST (if set) in FTPC to default to a certain host if none is given in the actual user command.
This FTPC only parameter can be used in combination with TARGETPORT to force the override of the target port in the FTPC user command. HP NonStop SSL will use the TARGETPORT (if set) in FTPC to default to a certain port if none is given in the actual user command.
DNS name resolution. The node file will override the value of the DEFINE =TCPIP^NODE^FILE, which may have been passed to HP NonStop SSL at startup. No node file will be set. However, any DEFINE =TCPIP^NODE^FILE passed to HP NonStop SSL at startup will remain in effect.
Considerations • See the HP NonStop manual for details of the usage of the DEFINE =TCPIP^RESOLVER^NAME. TCPNODELAY Use this parameter to specify whether RFC1323 will be activated on all sockets which HP NonStop SSL controls. Parameter Syntax TCPNODELAY boolean Arguments boolean If set to TRUE or 1 or Yes, HP NonStop SSL will activate RFC1323.
CA certificate in PKCS-8 DER encoded format
Default If omitted, HP NonStop SSL will not check the TLS/SSL partner’s certificate chain.
Examples
TRUST WHIRLPOOL:85A8DAF0D76139154335C46E5E53C5A175CC1BDB8B7D80716CF19A93EDB75046F4BDD9BCDC005DAA5433D2DBCE47AF0D4A2C9EB6DDBD1F94EF166308EA47FE73, SHA256:1F4F7E0A6E1E92DDD6D5411C371C100B74DD7D32EAE7F447486AA4DAC5F43056
TRUST rootcert
Considerations • The TRUST parameter can be specified in two ways: either by specifying the fingerprints of the CA certificates or by specifying a filename containing the full certificate in DER encoding.
Multiple SSL Tunnels in a Single Process A single HP NonStop SSL process can listen on multiple ports at once and forward them to different IP addresses/port numbers. The following parameters are global to a single HP NonStop SSL instance: •...
EXPAND. Load will also be re-distributed dynamically and transparently, if a CPU of a HP NonStop SSL EXPANDS process is heavily loaded by processes with a higher priority. Hence, bandwidth can be preserved, even if the HP NonStop SSL processes run at a low priority to avoid impact on critical application processes.
The SSL tunnel was associated to the line using the same SRCIPPORT and DESTIPPORT parameters as in the line configuration. • The DESTIPADDR parameter of the HP NonStop SSL EXPANDS processes was set to the remote system's IP address.
Monitoring Overview HP NonStop SSL writes log and audit messages to a terminal, to a file, or to EMS. This is controlled by the parameters LOGCONSOLE, LOGFILE and LOGEMS for log messages and AUDITCONSOLE, AUDITFILE and AUDITEMS for audit messages. Messages can be written to any combination of those three “targets” (i.e. a single one, two of them, all of them, none of them).
Customizing the Log and Audit Format HP NonStop SSL allows customizing the appearance of the log or audit messages to a certain extent. For example, you may add the current date to the log message header. Please refer to the AUDITFORMATEMS, AUDITFORMATCONSOLE, AUDITFORMATFILE, LOGFORMATCONSOLE, LOGFORMATEMS, and LOGFORMATFILE parameter descriptions for details.
3> SHOWLOG FTPCLOG
comForte SHOWLOG log file converter Version T9999A05_16Apr2009_comForte_SHOWLOG_0022
starting at binary offset 0
---processing in-file 'ftpclog'
$FCMH |23Jun10 12:43:09.91| 5|HP SSLOBJ version T0910H01_15Jun2010_HP_1059
$FCMH |23Jun10 12:43:09.92|10|using OpenSSL 1.0.0 29 Mar 2010 - see http://www.openssl.org
$FCMH |23Jun10 12:43:09.92|10|config file: '$DATA1.T0910.FCMHCF'...
Note: By using '*' as the second runtime argument the output is written to the home terminal. When using the byte offset parameter, or the byte offset parameter and the length parameter, the out file parameter must be entered as well.
Logfile/Auditfile Rollover
When logging to a file, HP NonStop SSL uses round-robin to switch to a new file. Logfile rollover applies both to auditing (to the file configured with the AUDITFILE parameter) and to logging (to the file configured with the LOGFILE parameter).
SSLCOM Command Interface Using SSLCOM, you can: • get an overview of the status of a HP NonStop SSL process • list sessions which are currently open and obtain detailed information about single sessions (limited to certain run modes) •...
Usage of SSLCOM: a Sample Session The usage of SSLCOM is similar to the HP PATHCOM program. You connect to an existing HP NonStop SSL instance using the OPEN command, then you issue commands against that instance of HP NonStop SSL. The HELP command will give you a brief overview of the supported commands.
SET commands have been used from within SSLCOM to change values. In run modes ending with an "S", the fingerprint of the root certificate will be displayed. The number of sockets as well as the CPU ms used by HP NonStop SSL will be displayed. •...
The CONNECTION Commands In the run modes TELNETS, PROXYS, PROXYC, FTPS and FTPC, HP NonStop SSL will have a set of TCP/IP connections open during normal operation. The number of open connections can vary between zero and several hundred. With the commands described in the following sections, HP NonStop SSL can display information about the connections.
Note: The first column contains the local port of the connection. This number is used to access an individual session with the INFO CONNECTION or RENEGOTIATE CONNECTION commands.
CONNECTIONS, DETAIL
The CONNECTIONS, DETAIL command displays the list of connections with some additional information on each line. CONNECTIONINFOFORMATDETAILED EXTENDED (default since HP NonStop SSL AAE):
% connections, detail
+-----+-----------------------------------------------------------------------+...
The SSL protocol allows both parties to initiate a new SSL handshake to refresh the session keys. The RENEGOTIATE CONNECTION command lets HP NonStop SSL do that from the server side. The following two log messages show that a renegotiation has been successful.
• HP NonStop SSL does some limited tests on the new certificate chain. However, some errors in the certificate chain cannot be detected by merely loading the certificates. It is thus recommended to immediately check the new certificate chain with the SSLINFO command as well as with creating a new client connection.
Cipher Suites
HP NonStop SSL uses the SSL protocol, as used in standard browsers and servers, for session security. It supports SSL 2.0, SSL 3.0 and SSL 3.1, which has been standardized by the IETF as the Transport Layer Security (TLS) protocol (TLS 1.0). SSL 2.0 and SSL 3.0 have since been prohibited by RFC 6176 and RFC 7568 respectively; use the MINVERSION parameter to keep them from being negotiated.
If HP NonStop SSL is running as SSL server (run modes FTPS, TELNETS, PROXYS, EXPANDS) HP NonStop SSL will send the configured server certificates to the client. It is up to the client to check for the proper server certificates. The certificates are configured using the parameters SERVKEY, SERVKEYPASS, SERVCERT and CACERTS;...
CA certificate to HP NonStop SSL with the CACERTS parameter, the root CA certificate file needs to be uploaded to the system on which HP NonStop SSL is installed. If you received the root CA certificate in BASE64-encoded format, you may convert it for HP NonStop SSL usage just like the BASE64-encoded server certificate.
This example shows how to create a self-signed CA certificate and a server certificate signed by the CA certificate, and how to convert the certificates into the format used by HP NonStop SSL, as well as setting the appropriate configuration parameters.
Note that the private key file SERVKEY must NOT be transferred over a plain connection such as FTP. If NonStop SSL is not already installed, it is recommended to use SFTP for certificate/key transfers.
SERVKEY
put ca\cacert.der CACERT
Note: the NonStop SSL installation subvolume $system.znsssl contains a set of test certificates that should not be used in production systems. Unless the configuration file contains parameter settings pointing to a different set of certificates, the default certificates in znsssl will be used.
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Comforte\OpenSSL_certificates>openssl x509 -inform PEM -outform DER -in server\servcert.pem -out server\servcert.der
C:\Comforte\OpenSSL_certificates>
If the client sends no certificate or an invalid one, the connection will be rejected. Configuring SSL for Production as SSL Client In run modes PROXYC and FTPC, HP NonStop SSL will be an SSL client. This section only is relevant for those run modes.
3. If CACERTS contains the signing certificate(s), HP NonStop SSL will send the whole certificate chain to the server.
CACERTS $SYSTEM.MYCERT.CACERT
CLIENTKEY $SYSTEM.MYCERT.CLNTKEY
CLIENTKEYPASS mysecret
CLIENTCERT $SYSTEM.MYCERT.CLNTCERT
Note that CLIENTKEYPASS appears in clear text in the configuration file, so restrict read access to that file.
Security Considerations
While SSL is a very powerful and flexible protocol to encrypt TCP/IP traffic, it has to be used properly to be protected against some common attacks.
Note: If you authenticate the HP NonStop SSL server in your clients, you should consider basing trust on the Root CA certificate (e.g. check the Root CA fingerprint). In case the server certificate is compromised you can simply replace it without having to update your client configuration.
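The following is an added example, not code from the HP manual or product. It covers the certificate handling steps above in one place: the BASE64 (PEM) to DER conversion that the CACERTS, SERVCERT and CLIENTCERT files require, a sanity check that the decoded data really is a single DER SEQUENCE before it is uploaded (a PEM file uploaded by mistake starts with "-" and fails this check), and the root CA fingerprint in the two shapes the manual uses: colon-separated as printed by openssl x509 -fingerprint and entered into the RemoteProxy "Certificate Fingerprint" field, and the ALGO:HEX form of the TRUST parameter. The sample input is a constructed 7-byte DER SEQUENCE, not a real X.509 certificate, so the fingerprints it yields are meaningless apart from their format.

```python
"""Prepare a PEM certificate for HP NonStop SSL and compute its fingerprints.

Added example, not part of the HP manual or product. SAMPLE_DER is a
constructed DER SEQUENCE, not a certificate.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Decode exactly one PEM certificate block; refuse bundles or junk."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(blocks)}")
    body = "".join(blocks[0].split())      # drop line breaks inside the block
    return base64.b64decode(body, validate=True)


def der_to_pem(der):
    """Inverse of pem_to_der, wrapping base64 at 64 columns like openssl."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def is_der_sequence(data):
    """True if data is one complete DER SEQUENCE (tag 0x30) and nothing else."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form length
        length, header = first, 2
    else:                                  # long form: 0x8n + n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case fingerprint over the DER bytes.

    Use md5 only where a consumer still demands it (the RemoteProxy field);
    sha256 is what the TRUST parameter should be given.
    """
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def trust_value(der, algos=("sha256",)):
    """Value for the TRUST parameter: ALGO:HEX entries separated by commas."""
    return ", ".join(
        f"{a.upper()}:{hashlib.new(a, der).hexdigest().upper()}" for a in algos
    )


def convert_for_nonstop(pem_text):
    """PEM -> DER with the DER sanity check applied; returns the DER bytes."""
    der = pem_to_der(pem_text)
    if not is_der_sequence(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der


# Constructed sample: a 5-byte SEQUENCE holding one INTEGER. Not a certificate.
SAMPLE_DER = b"\x30\x05\x02\x03\x01\x02\x03"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    der = convert_for_nonstop(SAMPLE_PEM)
    print("DER bytes:", len(der))
    print("SHA256 fingerprint:", fingerprint(der))
    print("TRUST", trust_value(der, ("sha1", "sha256")))
```

Feed the real cacert.pem from the OpenSSL example to convert_for_nonstop() and write the returned bytes to the file that CACERTS points at; pin the value printed for TRUST (or the colon-separated SHA256 fingerprint) in the client configuration rather than the server certificate's fingerprint, so the server certificate can be replaced without touching clients, as the note above recommends.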
The "HP NonStop SSL RemoteProxy" window will list all configured "proxy" sessions. After the installation the list will be empty. The example pictured above shows 2 configured "proxy" sessions (for ODBC/MX and RSC), with the following information: •...
RemoteProxy connects for this session) must be entered into the field "Certificate Fingerprint". The fingerprint must be derived from the Root Certificate separately and calculated using the MD5 algorithm.
Session is configured for running as a client and SSL Client Authentication is to be used. Note: We strongly recommend not to rely on the default test certificates which are delivered with the HP NonStop SSL for testing purposes only! The "Advanced Tab"...
Options parameters for the proxy. You should only enter values when advised to do so by HP or comForte Support.
Copying a Configuration to Other Workstations
The RemoteProxy configuration is stored in the registry. Identical configuration of multiple target PCs can be achieved as follows: 1.
Displays the name of the configuration file HP NonStop SSL has been started with. runtime args: '<list of runtime args>' If HP NonStop SSL has been started with runtime arguments instead of, or in addition to, a configuration file or TACL PARAMs, those arguments are displayed.
FTP server proxy started on target host <hostname or ip address>, target port <port number>, source port <port number> Notification about the HP NonStop SSL being started in FTPS mode and connecting to target host, on target port while accepting connections on source port.
HP NonStop SSL, see parameters ALLOWIP and DENYIP for details certificate not yet valid Warning that the certificate being currently processed by the HP NonStop SSL is not yet valid, i.e. has a "from date" starting in the future. certificate expired Warning that the certificate being currently processed by the HP NonStop SSL has expired i.e.
"EPSV ALL" command and later tries to open up an FTP data connection with a command other than EPSV, this error message will be generated. If you see this error, please contact HP support or the FTP client vendor.
AUTH SSL reply: '<reply>' This warning indicates that the FTP server sent an unexpected reply to the AUTH SSL command. Please contact HP support. reply to EPRT command from FTP server has error: '<detailed reason>' This warning indicates that the FTP server sent an unexpected reply to the EPRT command.
This message occurs when a DNS host entry was specified, e.g. for TARGETHOST but the DNS resolution fails. HP NonStop SSL will resolve the hostname every time it connects and - to make sure that the DNS entry is valid initially - during startup.
The process ran out of heap space and could not allocate further memory. Could not set cipher string \"ALL\" on dummySSLCtx in internal_set_cipher_list This message might indicate a bug, please contact HP support. Could not set cipherstring "HIGH:!ADH:!PSK:RC4" to main openssl_high context, using default ciphers <default_ciphers>...
Error condition which is caused either by another application listening on same port or by configuring the HP NonStop SSL with a PORT param less than 1024 while not starting the HP NonStop SSL under the SUPER user logon. The HP NonStop SSL terminates.
Invalid IPMODE specified, ODBC/MX does only support IPv4 This error occurs when an IPMODE other than IPv4 was specified in run mode ODBC/MX. Although ODBC/MX supports IPv6 starting with release H06.26/J06.15, NonStop SSL currently only supports ODBCMXS mode for IPv4.
Decode Error If a message with a "Decode Error" occurs in the HP NonStop SSL log, a client may have tried to create a non-secure connection to a secure HP NonStop SSL server (FTPS, TELNETS, etc.).
Security violation (error 4013) If HP NonStop SSL fails with a security violation, you may have attempted to start HP NonStop SSL to listen on a PORT smaller than 1024 without having a SUPER group user id.
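The following is an added example, not code from the HP manual or product. It parses the log line layout shown by SHOWLOG in the Monitoring chapter ($process |ddMMMyy hh:mm:ss.cc|level|message) and maps the messages listed under "Troubleshooting of Typical Errors" and in the message list above onto the cause the manual gives for each, so a log file or EMS feed can be triaged automatically. The sample log is constructed for this example: the message texts are taken from the manual, but the process names, timestamps and log levels are made up, and the exact wording of real messages may carry additional detail.

```python
"""Parse HP NonStop SSL log lines and triage the errors the manual lists.

Added example (not HP NonStop SSL code). SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<proc>\$[A-Za-z0-9]+)\s*\|"
    r"(?P<ts>\d{2}[A-Za-z]{3}\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\|"
    r"\s*(?P<level>\d+)\|"
    r"(?P<msg>.*)$"
)

# (substring of the message, category, cause/action per the manual)
TRIAGE_RULES = [
    ("Address already in use", "port-conflict",
     "another process listens on PORT, or PORT < 1024 without the SUPER logon"),
    ("Security violation", "privilege",
     "PORT < 1024 attempted without a SUPER group user id"),
    ("Decode Error", "plaintext-client",
     "a client opened a non-SSL connection to a secure listener"),
    ("Handshake Error", "handshake",
     "SSL handshake failed; check certificates, CACERTS and cipher suites"),
    ("certificate expired", "cert-expired",
     "renew the certificate rather than suppressing error 10 via ALLOWCERTERRORS"),
    ("certificate not yet valid", "cert-not-yet-valid",
     "check the system clock against the certificate's 'from date'"),
    ("Invalid IPMODE", "config",
     "ODBCMXS mode supports IPMODE IPv4 only"),
]


def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "proc": m["proc"],
        "time": datetime.strptime(m["ts"], "%d%b%y %H:%M:%S.%f"),
        "level": int(m["level"]),
        "msg": m["msg"],
    }


def classify(msg):
    """Map a message to (category, hint), or None if it is not a known problem."""
    for needle, category, hint in TRIAGE_RULES:
        if needle in msg:
            return category, hint
    return None


def triage(lines):
    """Return findings for every parseable line that matches a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["msg"])
        if hit:
            rec["category"], rec["hint"] = hit
            findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per category, e.g. to feed an alert threshold."""
    return Counter(f["category"] for f in findings)


# constructed sample log (see module docstring)
SAMPLE_LOG = """\
$FCMH |23Jun10 12:43:09.91| 5|HP SSLOBJ version T0910H01_15Jun2010_HP_1059
$FCMH |23Jun10 12:43:09.92|10|using OpenSSL 1.0.0 29 Mar 2010 - see http://www.openssl.org
$ODBS0|23Jun10 12:43:10.05|30|-- ODBCMXS setup completed, starting to listen... --
$FCMH |23Jun10 12:44:02.11|30|Decode Error
$FCMH |23Jun10 12:45:17.40|10|certificate expired
$ODBS0|23Jun10 12:46:00.00|30|Address already in use
not a log line at all
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} {f['proc']} [{f['category']}] {f['hint']}")
    print(dict(summarize(found)))
```

Run it over the text output of SHOWLOG (or over EMS text with LOGFORMATEMS set to include the date and time) rather than over the binary log file itself; a burst of "plaintext-client" findings from one address is the pattern to watch for, since it is also what a scanner probing a secure port looks like.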