HP WebWise MPE/iX secure web server


Last updated May 25, 2004

Check here for the latest news about the HP WebWise MPE/iX Secure Web Server! This product is based on our Apache for MPE/iX web server, and adds SSL/TLS encryption for reliable, secure communications between browsers and the server.

Announcing WebWise A.04.00

Version A.04.00 of the HP WebWise MPE/iX Secure Web Server is now available for MPE/iX 6.5, 7.0, and 7.5 via standard FOS patch processes. This version fixes various bugs and security problems in Apache and the underlying components. All customers running Apache on supported releases of MPE/iX are encouraged to update to this new version of WebWise.

HP WebWise MPE/iX Secure Web Server version A.04.00 is based on Apache 1.3.31 and adds mod_ssl 2.8.17 to provide Secure Sockets Layer (SSL) encryption and X.509 authentication using digital certificates.

System requirements and patches

  • For MPE/iX 6.5: patch WBWHD95A
  • For MPE/iX 7.0: patch WBWHD96A
  • For MPE/iX 7.5: patch WBWHD97A
  • HP also highly recommends installing the latest NSTxxxxx network transport patch.
Note that the installation of WebWise A.04.00 will consume approximately 129,000 sectors of disk space, of which 50,000 sectors can be reclaimed afterwards by optionally purging the bundled source code (see below).

Support

HP WebWise MPE/iX Secure Web Server A.04.00 is supported through the HP Response Center as part of MPE/iX FOS support.

Product overview and feature set

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. The current release of the HP WebWise MPE/iX Secure Web Server is A.04.00 and is composed of:
  • Apache 1.3.31
  • mod_ssl 2.8.17 SSL security add-ons for Apache
  • MM 1.3.0 shared memory library
  • OpenSSL 0.9.7d cryptographic/SSL library
HP WebWise MPE/iX Secure Web Server is NOT:
  • a substitute for a firewall (explicitly allow acceptable connections, etc.)
  • a substitute for good host security practices (change default passwords, keep the OS up-to-date, etc.)
  • a substitute for good application security practices (use appropriate file and user security, carefully validate all input data, etc.)
  • a substitute for good human security practices (communicate the importance of protecting sensitive or proprietary data, no password sharing, etc.)
WebWise is just one component in a secure environment and by itself does nothing to prevent the number one cause of web server break-in events -- poorly written CGI applications. Well-written CGI applications must rigorously validate every byte of data sent by a browser, and must refuse to process any input data containing unexpected characters.
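
An added example (not code from HP or the WebWise distribution) of the rule above for a CGI program written in C: URL-decode a form value first, then check every decoded byte against an allowlist and refuse the whole value if anything unexpected appears. The function name, the allowed character set, and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy: the field may contain only these bytes. */
static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* URL-decode `in` into `out`, checking each decoded byte against ALLOWED.
 * Returns the decoded length, or -1 to refuse the value outright. */
int decode_and_validate(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        int b = (unsigned char)*in;
        if (b == '%') {                       /* decode BEFORE validating */
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return -1;            /* malformed or cut-off escape */
            b = hi * 16 + lo;
            in += 2;
        }
        if (b == 0 || strchr(ALLOWED, b) == NULL) return -1;
        if (n + 1 >= outsz) return -1;        /* too long: refuse, never truncate */
        out[n++] = (char)b;
    }
    if (n == 0) return -1;                    /* empty value is also refused */
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Constructed sample values, as they might arrive in QUERY_STRING. */
    const char *samples[] = { "ACCT-1042", "ACCT%2D1042", "a%3Bb", "a%00b", "bad%2" };
    char buf[32];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = decode_and_validate(samples[i], buf, sizeof buf);
        printf("%-12s -> %s\n", samples[i], r < 0 ? "refused" : buf);
    }
    return 0;
}
```

Validating after decoding matters because an encoded byte such as %3B or %00 would pass a check made on the raw request string and only become a semicolon or NUL later.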

New functionality since WebWise A.03.00 / Apache 1.3.22

Most of the Apache Software Foundation development work since 1.3.22 consists of portability enhancements and bug fixes for various problems including security issues. Some minor new functionality has also been added, as partially listed below:
  • A new IgnoreCase keyword for the IndexOptions directive to control sort order for directory index listings.
  • A new ProtocolReqCheck directive to tell Apache to check for a valid protocol string in the request (e.g., HTTP/1.1) and return HTTP_BAD_REQUEST if it is not valid. Versions of Apache prior to 1.3.26 would silently ignore bad protocol strings, but 1.3.26 included a stricter check. The new directive makes that check runtime configurable. The default is On.
  • A new SERVER_ADDR special keyword for mod_setenvif to allow environment variables to be set according to the server IP address that received the request.

SSLv2.0, SSLv3.0, and TLSv1.0 protocols

These protocols lie between the HTTP and TCP/IP protocol layers and provide secure, authenticated, encrypted communications between the HP WebWise MPE/iX Secure Web Server and web browser clients.

X.509 Digital certificates

Signed by external trusted Certificate Authorities, X.509 certificates provide authentication for both the HP WebWise MPE/iX Secure Web Server and web browser clients.

Flexible encryption cipher configuration

HP WebWise MPE/iX Secure Web Server permits you to configure a wide variety of encryption ciphers, ranging from high-grade domestic-only algorithms to algorithms suitable for export.

Additional log files

Two SSL-specific log files, ssl_engine_log and ssl_request_log, allow you to log various events associated with secure web requests.

Source code and build documentation now included

You asked for it on the 2004 MPE System Improvement Ballot, you got it! The A.04.00 version of WebWise now includes all of the source code, build scripts, and documentation required to build this product yourself (gcc not included).

The addition of source code substantially increases the amount of disk space consumed by the installation of WebWise A.04.00 to a grand total of 129,000 sectors. If you have no plans to ever build this product yourself, you can reclaim 50,000 sectors by purging the source code with the following CI command:
:PURGEDIR /APACHE/A0400/src;TREE

Migrating from previous versions of Apache

The /APACHE/PUB/JHTTPD job stream file from previous versions of Apache is not compatible with HP WebWise MPE/iX Secure Web Server. You must manually create a new JHTTPD job stream file by using the WebWise /APACHE/PUB/JHTTPD.sample template.

The /APACHE/PUB/conf/httpd.conf configuration file from previous versions of Apache may or may not be compatible with WebWise depending on the previous Apache version:
  • 1.3.4 - NOT compatible; you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.
  • 1.3.9 - compatible, but SSL functionality will not be enabled. To enable SSL functionality, you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.
  • 1.3.14 - compatible, but SSL functionality will not be enabled. To enable SSL functionality, you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.
  • 1.3.22 - fully compatible, no changes required.
In addition to updating /APACHE/PUB/conf/httpd.conf, it is strongly recommended to update all of the other configuration files in the same directory by using the corresponding *.sample files.

Several new configuration subdirectories have been created to contain additional configuration files required by the SSL functionality. For complete details about configuring the SSL functionality, please see the Configuring & Managing MPE/iX Internet Services manual.

Migrating from WebWise A.01.00

HP WebWise MPE/iX Secure Web Server version A.04.00 was designed to be a drop-in replacement for Apache as well as the previous A.03.00 version of WebWise, and does not attempt to upgrade or migrate any files from the WebWise A.01.00 /APACHE/SECURE directory tree.

You must manually use the A.04.00 *.sample files in the /APACHE/PUB/conf directory tree to create new standard configuration files, and then propagate any local customizations that you made in the A.01.00 /APACHE/SECURE/conf directory tree.

You will need to copy your server key and certificate from the old A.01.00 locations of /APACHE/SECURE/conf/ssl.key/server.key and /APACHE/SECURE/conf/ssl.crt/server.crt to the new A.04.00 locations of /APACHE/PUB/conf/ssl.key/server.key and /APACHE/PUB/conf/ssl.crt/server.crt.

Any A.01.00 CGI applications in /APACHE/SECURE/cgi-bin or any data content in /APACHE/SECURE/htdocs can either be moved to the corresponding A.04.00 directories in /APACHE/PUB, or left in place after adjusting the new A.04.00 configuration files to refer to the old A.01.00 locations.

WebWise A.01.00 accessed web page content as the user SECURE.APACHE, but WebWise A.04.00 accesses web page content as the user WWW.APACHE. This is the same user as used by Apache A.02.00.

For further information

