HP WebWise MPE/iX Secure Web Server offers secure encrypted
communications between browser and server via the SSL and TLS protocols,
as well as strong authentication of both the server and the browsers
via X.509 digital certificates. HP WebWise MPE/iX Secure Web Server is:
- NOT a substitute for a firewall (explicitly allow
acceptable connections, etc.)
- NOT a substitute for good host security practices (change
default passwords, keep the OS up-to-date, etc.)
- NOT a substitute for good application security practices
(use appropriate file and user security, carefully validate all input
data, etc.)
- NOT a substitute for good human security practices
(communicate the importance of protecting sensitive or proprietary
data, no password sharing, etc.)
WebWise is just one component in a secure environment and
by itself does nothing to prevent the number one cause of web server
break-in events — poorly written CGI applications.
Well-written CGI applications must rigorously
validate every byte of data sent by a browser, and must refuse to
process any input data containing unexpected characters.
The security features of HP WebWise MPE/iX Secure Web Server are based on
mod_ssl, which is not included in the Apache for MPE/iX distributed
with MPE/iX 6.0 and later. Mod_ssl provides the following features:
- These protocols lie between the HTTP and TCP/IP protocol layers
and provide secure, authenticated, encrypted communications between
the HP WebWise MPE/iX Secure Web Server and browser clients.
- Signed by external trusted Certificate Authorities, X.509
certificates provide authentication for both the HP WebWise MPE/iX
Secure Web Server and browser clients.
- HP WebWise MPE/iX Secure Web Server permits you to configure
a wide variety of encryption ciphers, ranging from high-grade domestic-only
algorithms to algorithms suitable for export.
- Two new log files, ssl_engine_log and ssl_request_log, allow
you to log various events associated with secure web requests.
- Your existing non-secure Apache content
can be migrated without change to HP WebWise MPE/iX Secure Web Server
and the SSL/TLS protocols. This includes CGI applications, which
will have access to a wide variety of new security-related environment
variables under HP WebWise MPE/iX Secure Web Server that will permit
granular, custom security checking.
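The following Python CGI script is an added example, not code from HP or from WebWise. It combines the two points made above: it refuses any query string containing an unexpected character, and it uses SSL environment variables for a custom check before doing any work. The variable names HTTPS, SSL_CIPHER_USEKEYSIZE and SSL_CLIENT_VERIFY are mod_ssl's documented names and are not listed on this page; the form fields (account, action), the 128-bit minimum and the client-certificate requirement are assumptions chosen for illustration.

```python
import os
import re

MIN_KEY_BITS = 128  # assumed site policy, not a value from the page
SAFE_QUERY = re.compile(r"[A-Za-z0-9=&_-]+")  # every character must be in this set
FIELDS = {  # hypothetical form fields: name -> pattern the whole value must match
    "account": re.compile(r"[0-9]{1,10}"),
    "action": re.compile(r"view|print"),
}

def check_transport(env):
    """Return None if the SSL session meets policy, else the reason it does not."""
    if env.get("HTTPS") != "on":
        return "not an SSL/TLS request"
    bits = env.get("SSL_CIPHER_USEKEYSIZE", "")
    if not re.fullmatch(r"[0-9]{1,5}", bits) or int(bits) < MIN_KEY_BITS:
        return "cipher below %d bits" % MIN_KEY_BITS
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return "no verified client certificate"
    return None

def parse_query(raw):
    """Return the validated fields or raise ValueError; input is never repaired."""
    # Reject before any decoding: '%', ';', quotes, spaces and newlines all fail here.
    if not SAFE_QUERY.fullmatch(raw):
        raise ValueError("unexpected character in query string")
    params = {}
    for pair in raw.split("&"):
        name, sep, value = pair.partition("=")
        rule = FIELDS.get(name)
        # Unknown names, repeated names and values off-pattern are all refused.
        if not sep or rule is None or name in params or not rule.fullmatch(value):
            raise ValueError("rejected field %r" % name)
        params[name] = value
    if set(params) != set(FIELDS):
        raise ValueError("missing field")
    return params

def handle(env):
    """Decide on one request from its CGI environment; returns (status, body)."""
    reason = check_transport(env)
    if reason:
        return "403 Forbidden", reason
    try:
        params = parse_query(env.get("QUERY_STRING", ""))
    except ValueError as exc:
        return "400 Bad Request", str(exc)
    return "200 OK", "%s account %s" % (params["action"], params["account"])

if __name__ == "__main__":
    print("Status: %s\nContent-Type: text/plain\n\n%s" % handle(os.environ))
```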
HP WebWise MPE/iX Secure Web Server is based on Apache 1.3.9
and introduces the following new Apache functionality that has either
been added to Apache since 1.3.4 or ported to MPE/iX for the first time:
- mod_digest
MD5 digest-based user authentication described in RFC 2617.
- mod_proxy
FTP and HTTP proxies and caching. Support for forwarding to remote
proxies, cache size, and cache expiration configuration.
- mod_rewrite
Powerful regexp-based matching rules for rewriting an incoming browser
URL request to a different server URL or server file. Useful in large,
dynamic environments where content structure changes frequently. For
advanced users only.
- mod_so
Dynamic Shared Objects (DSOs). Allows add-on Apache modules to be
built in external NMXLs and loaded at HP WebWise MPE/iX Secure Web Server
startup time.
- mod_vhost_alias
Allows specification of flexible configuration directory names that
simplify hosting large numbers of virtual web servers on the same
machine.
The following modules are statically linked into HP WebWise MPE/iX Secure Web
Server (this list can be viewed by running HTTPDS with the -l option:
/APACHE/SECURE/HTTPDS -l):
mod_access
mod_actions
mod_alias
mod_asis
mod_auth
mod_auth_anon
mod_autoindex
mod_cern_meta
mod_cgi
mod_digest
mod_dir
mod_env
mod_expires
mod_headers
mod_imap
mod_include
mod_info
mod_log_agent
mod_log_config
mod_log_referer
mod_mime
mod_mime_magic
mod_negotiation
mod_proxy
mod_rewrite
mod_setenvif
mod_so
mod_speling
mod_ssl
mod_status
mod_unique_id
mod_userdir
mod_usertrack
mod_vhost_alias
The following modules are supplied as external DSOs:
Please note that HP does not support the use of any modules
other than those previously listed.