iPlanet Trustbase Transaction Manager 2.2.1 Installation and Configuration Guide



Chapter 6   SSL


The SSL configuration defines the parameters that protect messages while they are in transit over the network. The configuration options cover:

  • How to change the number of connections and port settings of the proxy

  • How to change the SSL protocol settings

  • How to change the certificate store used by the SSL proxy

  • How to redirect the SSL proxy to use a different Web server


Overview

The SSL proxy is configured by logging on as the security user.

Figure 6-1    SSL Main Menu


  • The SSL Proxy selection takes you to the SSL proxy configuration home page.

Figure 6-2    SSL Proxy Settings


The SSL proxy options are all contained on the SSL Proxy configuration main page. Selecting a link at the top of the page moves you to the corresponding section. The input required in each section is described below under the specific task headings.

Any number of modifications may be made before submitting the form with the button at the bottom of the page. If the update fails validation, the values that could not be changed are reported back; if all of the updates succeed, the operation is reported as successful.



Note At the end of this screen there is an expert settings section that enables iPlanet employees to diagnose problems with the SSL proxy. It should not be used during normal configuration of the SSL proxy. See also Chapter 2, Architectural Configuration, for information on installing the SSL proxy on a separate machine.




Changing incoming connection information



Incoming connection information is changed under the following options on the SSL proxy configuration page.

The SSL proxy listens for incoming connections on a particular TCP/IP port on the local machine. This is generally port 443, which is set as the default during installation. To modify the port the proxy listens on, change the value under the Proxy Settings option and restart the proxy.

  • SSL Listener port - The port on which the server waits for requests. If you are using HTTPS the default port should be 443.



    Note Port 443 is the designated SSL port, and any change to the port number requires clients to know the new setting. In the iPlanet Trustbase Transaction Manager the port number a client uses is encoded in the certificate's AIA (Authority Information Access) extension, so changing the SSL proxy port number will cause clients and other Transaction Coordinators to fail when contacting the Identrus Transaction Co-ordinator.



One of the main administration requirements for the SSL proxy is to ensure that load on the proxy machine does not cause incoming connections to be dropped. Each SSL connection requires significant CPU to negotiate the session parameters (the handshake), and allowing a large number of SSL negotiations at the same time may cause clients to time out. To avoid this, the SSL proxy can be configured to reject new connections when it is already loaded.


System wide settings

Figure 6-3    SSL Proxy System Wide Settings


The options provided under the configuration headings above are:

  • Maximum number of proxy connections - The maximum number of connections the proxy will allow. This is a combination of handshaking sessions and sessions in progress, and is generally up to 80 connections depending upon the configuration of the host machine.

  • Maximum number of proxy connectors - The maximum number of connections undergoing handshaking at a single point in time. This is generally up to 40 depending upon the configuration of the host machine.


Server Settings

  • HTTPS Connectors - This should be set to the same value as maximum number of proxy connections

  • Maximum number of connections - This should be set to maximum number of proxy connectors



    Note Multiple instances of the SSL proxy can be run in the same JVM for different purposes. The iPlanet Trustbase Transaction Manager does not run the SSL proxy in this mode, so the server settings must match the system-wide settings; otherwise, for each limit, the lower of the two values is the one used.
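The two limits described above act together as an admission check on every incoming TCP connection. The following Python is an added illustration, not code from iPlanet Trustbase Transaction Manager: it models a proxy that tracks handshaking and established sessions separately, refuses a new connection as soon as either cap is reached (so the client fails fast rather than timing out behind a queue of handshakes), and applies the rule from the note that the lower of the system-wide and server values for each limit is the one in force. The values 80 and 40 are the typical limits the page gives; the class and function names and the simulated connection bursts are the example's own.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProxyLimits:
    """The two system-wide caps from this page (80 and 40 are the page's typical values)."""
    max_connections: int = 80   # handshaking + established sessions
    max_handshakes: int = 40    # sessions negotiating at the same instant

    def effective(self, server_connections, server_handshakes):
        """Server settings that disagree with the system-wide ones: the lower
        value of each pair is the one in force (the rule stated in the note)."""
        return ProxyLimits(min(self.max_connections, server_connections),
                           min(self.max_handshakes, server_handshakes))


@dataclass
class Admission:
    """Tracks connection state and decides whether a new TCP connection is
    admitted into the handshake phase or refused at once (hypothetical class)."""
    limits: ProxyLimits
    handshaking: set = field(default_factory=set)
    established: set = field(default_factory=set)
    rejected: int = 0

    def total(self):
        return len(self.handshaking) + len(self.established)

    def accept(self, conn_id):
        """Admit or refuse a freshly accepted socket. Refusing early costs no
        CPU; queueing it behind 40 handshakes would likely make the client time out."""
        if (self.total() >= self.limits.max_connections
                or len(self.handshaking) >= self.limits.max_handshakes):
            self.rejected += 1
            return False
        self.handshaking.add(conn_id)
        return True

    def handshake_done(self, conn_id):
        """Negotiation finished: the session now counts only against the total cap."""
        self.handshaking.remove(conn_id)
        self.established.add(conn_id)

    def close(self, conn_id):
        """Session ended or handshake failed; free its slot."""
        self.handshaking.discard(conn_id)
        self.established.discard(conn_id)


def simulate_burst(limits, burst, established_before=0):
    """Offer `burst` connections at once to a proxy that already has
    `established_before` sessions past handshake; return (accepted, rejected).
    The connection ids are constructed for the simulation."""
    adm = Admission(limits)
    for i in range(established_before):
        adm.accept(("old", i))
        adm.handshake_done(("old", i))
    accepted = sum(adm.accept(("new", i)) for i in range(burst))
    return accepted, adm.rejected


if __name__ == "__main__":
    limits = ProxyLimits().effective(100, 40)     # system-wide 80/40 wins over 100/40
    print("idle proxy, 100 arrive:", simulate_burst(limits, 100))
    print("60 busy, 100 arrive:   ", simulate_burst(limits, 100, established_before=60))
```

With an idle proxy the handshake cap is the binding limit (40 admitted, 60 refused); with 60 sessions already established the total cap binds first, so only 20 more are admitted even though 40 handshake slots are free.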




SSL protocol & authentication settings

The SSL protocol has a large number of parameters that affect its performance and use. These parameters may be changed on the SSL settings page.

Figure 6-4    SSL Settings


The settings may be grouped into:


Protocol settings

  • Listener compression - Reserved for future use. Currently set to NULL

  • Listener accept V2 client - The SSL proxy implements SSL 3.0. Setting this value to True makes the proxy also accept SSL 2.0 client hello messages, which provides compatibility for certain older browsers. SSL 2.0 has known protocol weaknesses, so leave this False unless such clients must be supported.

  • Listener asymmetric provider - The asymmetric provider to use. By default this is NCIPHER for iPlanet Trustbase Transaction Manager installations using the nCipher HSM

  • Listener cipher suite - The cipher suite to use during SSL handshake negotiation. By default this is SSL_RSA_WITH_NULL_MD5 for iPlanet Trustbase Transaction Manager installations. Note that the NULL bulk cipher in this suite means the session is authenticated (RSA) and integrity-protected (MD5 MAC) but the payload is not encrypted; choose a suite with a real bulk cipher if the traffic needs confidentiality on the network between client and proxy.


Authentication settings

  • Listener require client certificate - Set to True for client-authenticated SSL sessions.

  • Listener abort on bad client certificate - By default set to True to terminate the SSL handshake if the client presents a certificate with an unknown root or an invalid certificate chain.

  • Listener abort on no client certificate - Set to True so that the SSL proxy aborts the handshake if the client does not provide a certificate for authentication.
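The following Python is an added example, not part of the iPlanet product, that audits a settings dictionary mirroring the listener options above together with the port note in the previous section. It parses the cipher suite name to show why SSL_RSA_WITH_NULL_MD5 gives authentication and integrity but no confidentiality, flags acceptance of SSL 2.0 hellos, derives the client-certificate policy that the three authentication switches express and maps it onto the Python ssl module's verify modes, and checks that the listener port matches the port a client would read from the certificate AIA URL (443 when an https URL carries no explicit port). The settings values, the AIA URL, the hardened suite choice and all function names are constructed for the example; only the default suite name comes from the page.

```python
import re
import ssl
from urllib.parse import urlsplit

# Constructed sample mirroring the option names on this page. The cipher suite
# is the page's stated default; the other values are chosen for the example.
DEFAULT_SETTINGS = {
    "listener_port": 443,
    "accept_v2_client": True,
    "cipher_suite": "SSL_RSA_WITH_NULL_MD5",
    "require_client_certificate": True,
    "abort_on_bad_client_certificate": True,
    "abort_on_no_client_certificate": True,
}
# Same listener with the two protocol settings tightened; the suite is a
# standard TLS 1.2 name picked for the example, not a product recommendation.
HARDENED_SETTINGS = {
    **DEFAULT_SETTINGS,
    "accept_v2_client": False,
    "cipher_suite": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}
SAMPLE_AIA_URL = "https://tc.example.com/identrus"  # constructed, no explicit port

# IANA-style suite names: <proto>_<key exchange>_WITH_<bulk cipher>_<MAC>.
# TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no WITH part and are rejected.
SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


def parse_suite(name):
    """Split a suite name into (key exchange, bulk cipher, MAC)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.group("kx"), m.group("cipher"), m.group("mac")


def aia_port(url):
    """Port a client derives from the AIA URL: explicit port, else the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"https": 443, "http": 80}[parts.scheme]


def verify_mode(settings):
    """Map the three authentication switches onto ssl.VerifyMode.

    Once verification is on, a certificate with an unknown root or a bad
    chain always aborts the handshake, which is what 'abort on bad client
    certificate' asks for; the remaining question is what happens when the
    client presents no certificate at all.
    """
    if not settings["require_client_certificate"]:
        return ssl.CERT_NONE
    if settings["abort_on_no_client_certificate"]:
        return ssl.CERT_REQUIRED      # no certificate -> handshake aborted
    return ssl.CERT_OPTIONAL          # certificate verified only if offered


def audit(settings, aia_url):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    kx, cipher, mac = parse_suite(settings["cipher_suite"])
    if cipher == "NULL":
        findings.append(
            f"{settings['cipher_suite']}: bulk cipher is NULL, so the session is "
            f"authenticated ({kx}) and integrity-protected ({mac}) but sent in clear"
        )
    if mac == "MD5":
        findings.append("MD5-based MAC: deprecated, prefer a SHA-2 suite")
    if settings["accept_v2_client"]:
        findings.append("SSL 2.0 client hellos accepted: SSL 2.0 has known protocol "
                        "weaknesses, enable only while legacy clients need it")
    if verify_mode(settings) != ssl.CERT_REQUIRED:
        findings.append("client certificate not mandatory: unauthenticated clients "
                        "can reach the Web server behind the proxy")
    expected = aia_port(aia_url)
    if settings["listener_port"] != expected:
        findings.append(f"listener port {settings['listener_port']} differs from port "
                        f"{expected} in the AIA URL; clients will fail to connect")
    return findings


def server_context(settings):
    """Server-side SSLContext reflecting the authentication switches.

    Loading the server certificate and key (load_cert_chain) and the trusted
    roots (load_verify_locations) is deployment specific and left to the caller.
    SSL 2.0/3.0 cannot be enabled on current TLS stacks, so the floor is TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = verify_mode(settings)
    return ctx


if __name__ == "__main__":
    for label, s in (("page defaults", DEFAULT_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit(s, SAMPLE_AIA_URL) or ["no findings"])
```

Run against the page's default suite the audit reports three findings (NULL cipher, MD5 MAC, SSL 2.0 hellos) and none against the hardened set; moving the listener off the port named in the AIA URL produces exactly the connectivity failure the note above warns about.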


Changing the Certificate Store location

The certificate store used by the SSL proxy is by default the same certificate store used by the iPlanet Trustbase Transaction Manager. During installation the path to the Oracle database is loaded from the proxy initialisation file into the configuration database; these values may be changed to allow a proxy to use a local Oracle certificate database rather than the shared certificate database.

In most installations there will be no requirement to use a local database, as this will require the management of certificates and keys in two different locations. In some situations, in particular when an organisation does not wish to open the secondary firewall, these settings may be changed to allow a local certificate database for the SSL proxy.

In order to use a Local certificate store the Oracle user must be known, and the SQL scripts for generating the certificate store tables must have been executed (See Installation guide). The following items may then be changed to point to the new certificate store:

  • Listener certstore password - The password to use to unlock the certstore.

  • Listener authenticated certificates purpose ID - The purpose ID of set of authenticated certificates.

  • Listener server certificates ID - The ID of the server certificate to use.

  • Listener certstore path - The path to the certstore. This is normally set to an Oracle database.

Figure 6-5    Certificate Store Settings



Re-directing the proxy to a web server



The SSL proxy forwards HTTP data to a Web server located behind the secondary firewall. In some situations (machine failure, for example) it may be necessary to change the location of the Web server. When this occurs, the SSL proxy must be redirected to the location of the new Web server.

This is achieved using the following settings:

  • Server address - The name of the machine to forward all received requests to. If the SSL proxy and Web server are located on the same machine, localhost may be used.

  • Server port - The port number of the socket used by the Web server.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 18, 2001