HP NonStop SSL, Reference Manual

Page 1: ... 628203 007 Published February 2013 Edition HP NonStop SSL Reference Manual 1 6 H06 07 and subsequent H series RVUs J06 01 and subsequent J series RVUs Hewlett Packard Company 3000 Hanover Street Palo Alto CA 94304 1185 2013 HP All rights reserved ...

Page 2: ...trademarks of the Open Software Foundation Inc OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing performance or use of this material 1...

Page 3: ...ODBC Drivers 13 Limiting Remote IP Addresses 14 Installation 15 General Considerations 15 IPv6 Considerations 16 Starting an HP NonStop SSL Process 17 Installing a Secure Telnet Server Proxy 17 Installing a Secure FTP Server Proxy 18 Installing a Secure FTP Client Proxy 19 Installing a Secure Tunnel for RSC 21 Installing a Secure Tunnel for ODBC MP 23 Installing a Secure Tunnel for ODBC MX 26 Inst...

Page 4: ...ABLEIPV6 55 FTPALLOWPLAIN 55 FTPCALLOW200REPLY 55 FTPLOCALDATAPORT 56 FTPMAXPORT 56 FTPMINPORT 57 INTERFACE 57 HASHALGORITHMS 58 KEEPALIVE 59 LOGCONSOLE 59 LOGEMS 60 LOGFILE 60 LOGFILERETENTION 61 LOGFORMAT 61 LOGFORMATCONSOLE 62 LOGFORMATEMS 62 LOGFORMATFILE 63 LOGLEVEL 64 LOGLEVELCONSOLE 64 LOGLEVELEMS 65 LOGLEVELFILE 65 LOGMAXFILELENGTH 65 LOGMEMORY 66 MAXSESSIONS 66 MAXVERSION 67 MINVERSION 67...

Page 5: ...OSS 89 Logfile Auditfile Rollover 89 SSLCOM Command Interface 91 Usage of SSLCOM a Sample Session 92 Supported Commands 93 The CONNECTION Commands 94 CONNECTIONS 94 CONNECTIONS DETAIL 95 INFO CONNECTION 96 RENEGOTIATE CONNECTION 96 SSLINFO Command 97 RELOAD CERTIFICATES Command 97 SSL Reference 99 Secure Sockets Layer 99 SSL Features 99 Further References 99 Implementation Overview 100 Cipher Suit...

Page 6: ...tion 111 To install RemoteProxy on a Client Workstation 111 RemoteProxy Configuration 112 General Configuration Considerations 112 The Main Configuration Screen 112 The Session Properties Window 113 Session Parameter List 114 Copying a Configuration to Other Workstations 115 Appendix 117 Log Messages and Warnings 117 Startup messages 117 Warning messages 119 Informational messages 123 Fatal Errors...

Page 7: ...ing parameters Version 1 4 This version clarifies the role of the remote proxy RemoteProxy in NonStop SSL It is only supported for selected HP NonStop products Version 1 3 This version documents the support for configuring all available CIPHERSUITES This feature is implemented starting with HP NonStop SSL version AAD The new parameter HASHALGORITHMS has been documented The changes in the TRUST par...

Page 8: ...8 Preface HP NonStop SSL Reference Manual This is the initial version of this manual ...

Page 9: ...s only including HP NonStop Remote Server Call RSC MP and HP NonStop ODBC MX Further note that the NonStop RemoteProxy component does not support being run as a Microsoft Windows service PROXYC Acting as a client proxy for plain TCP IP client programs to secure the communication between the NonStop Server and remote SSL enabled server programs FTPS Acting as a secure proxy server for plain FTP ser...

Page 10: ... Systems The RemoteProxy component included with HP NonStop SSL is used to enable SSL encryption for HP client components running on Microsoft Windows systems Usage of the RemoteProxy component is supported for selected HP NonStop products only including HP NonStop Remote Server Call RSC MP and HP NonStop ODBC MX Additionally the RemoteProxy can act as an SSL enabling LPD server proxy in order to ...

Page 11: ... port number and tunnels them to a single target port If multiple plain ports need to be secured such as multiple Telnet Servers a HP NonStop SSL process can be started for each plain TCP port Secure Proxy for Generic TCP IP Client Server Protocols HP NonStop SSL adds encryption not only for Telnet but for any Client Server protocol facilitating TCP sockets communicating over a single IP port HP N...

Page 12: ...cording to RFC 2228 SSL capable FTP clients are for example MR Win6530 or WS_FTP Pro from http www ipswitch com HP NonStop SSL secure FTP proxies front ending standard FTP and FTPSERV Acting as a proxy server HP NonStop SSL will use secure FTP connections with the FTP partner and tunnel them to a plain FTP client or server The HP NonStop SSL FTPS proxy will intercept the communication on the FTP c...

Page 13: ...em the two HP NonStop SSL processes create an SSL TCP session between the two systems to forward the traffic Secure Proxy for ODBC Drivers HP NonStop SSL can encrypt traffic between an ODBC driver ODBC MP OBDC MX JDBC MP and JDBC MX on client workstations and NonStop systems Since ODBC MP only uses a single TCPIP session it can be enabled for SSL as described under Secure Proxy for Generic TCP IP ...

Page 14: ...in ODBCMXS mode is currently only valid with IPMODE IPv4 Limiting Remote IP Addresses HP NonStop SSL can be configured to allow only certain remote IP addresses By default HP NonStop SSL will allow connections from any IP address this behavior can be changed by 1 Setting a black list of forbidden IP addresses or subnets using the DENYIP parameter 2 Setting a white list of allowed IP addresses or s...

Page 15: ...tem znsssl with production certificates they may be overwritten by DSM SCM and restored to the original ones Therefore it is recommended to place the production certificates in a separate volume and point to those files in a CONFIG2 configuration file The installation subvolume znsssl also contains a Tacl macro named CFWSADDR This macro provides the real client IP address of a Visual Inspect sessi...

Page 16: ...he FOOBAR protocol LPSV LPRT is not supported IPMODE DUAL is not supported by design in runmode EXPANDS use either IPMODE IPv4 or IPMODE IPv6 instead By design when SSLOBJ is run in IPMODE DUAL the TCP IP stack must also support and be configured in DUAL mode Setting INTERFACE or TARGETINTERFACE is not valid in IPMODE DUAL since no bind address except the IPv6 ANY address can handle both IPv4 and ...

Page 17: ...dard NonStop TELSERV process and an SSL enabled Telnet client you will need to perform the following steps 1 On the NonStop server start a HP NonStop SSL telnet server TELNETS proxy for the target TELSERV process 2 On the workstation side re configure your telnet client to connect via SSL to the port number that the TELNETS proxy is listening on To install an HP NonStop SSL TELNETS proxy 1 Determi...

Page 18: ...port you will need to perform the following steps 1 On the NonStop server start an HP NonStop SSL ftp server FTPS proxy for the target FTP server 2 On the remote system configure your FTP client to connect via SSL to the port number that the FTPS proxy is listening on To install an HP NonStop SSL FTPS proxy 1 Determine the TCP IP process and port number the NonStop LISTNER process it is listening ...

Page 19: ...first connect to the HP NonStop SSL FTPC proxy Using an extended user id that includes information on the host address and port number of the remote FTP system you will instruct the FTPC proxy to connect securely to the remote FTP server From there on you may proceed as with normal plain FTP to list directories as well as to send or receive files To install an HP NonStop SSL FTPC proxy 1 Select a ...

Page 20: ...5 port is the port number the remote FTP server is listening on If omitted 21 is used as a default The connection should now be established allowing you to list directories and transfer files securely Name 127 0 0 1 user tb 172 24 91 233 331 original FTP server Welcome follows 331 220 NOTEBOOK_TB X2 WS_FTP Server 3 1 4 3995038631 331 original FTP server reply to USER command follows 331 Password r...

Page 21: ...rights reserved 1 open zrsc Current TDP is SUPPORT ZRSC T9711D430 05NOV96 2 status tcpipport Service Port Status Sessions Last Event RSCTEST1 2001 Started 0 TCPIPPORT started 6502 2 Select a port number that will be used for SSL RSC connections e g 7502 3 At your TACL prompt run the HP NonStop SSL SETUP macro VOLUME SYSTEM ZNSSSL RUN SETUP Select GENERIC SERVER as run mode and follow the installat...

Page 22: ...he View Log command To configure RSC to connect via the RemoteProxy 1 On the RSC workstation locate the PIPE INI file that is used by HP Piccolo 2 In the PIPE INI file add an entry for your relevant RemoteProxy session in the Resolver section The entry itself assigns an alias host name 1st argument for a connection over a specified protocol 2nd argument to a given peer To communicate with RemotePr...

Page 23: ...rocess for ODBC MP 1 Determine the ODBC MP server process you want to install the secure proxy for and find out the TCP IP process and port number it is listening on We assume 8889 as port number here 2 Select a port number that will be used for SSL ODBC MP connections e g 9889 3 At your TACL prompt run the HP NonStop SSL SETUP macro VOLUME SYSTEM ZNSSSL RUN SETUP Select GENERIC SERVER as run mode...

Page 24: ...s the listen port of your PROXYS process on the NonStop server 8 In the Local Accepting Port field enter the port number that RemoteProxy will use to listen for connections from your ODBC MP driver The port number must not be in use by any other program or service on your client PC For simplicity you may want to use the same port number that the ODBC MP server process is using on the NonStop serve...

Page 25: ...y by examining the messages with the View Log command in the Session Properties screen of the RemoteProxy To connect securely with your ODBC MP client 1 After you have correctly configured your ODBC driver use your ODBC client like you did before to connect to the NonStop system 2 You may check the successful creation of the session through the proxy by examining the messages with the View Log com...

Page 26: ...88 here 2 Select a port number that will be used for SSL ODBC MX connections e g 28888 3 At your TACL prompt run the HP NonStop SSL SETUP macro VOLUME SYSTEM ZNSSSL RUN SETUP 4 Select ODBC MX SERVER as run mode and follow the installation instructions Enter the TCPIP process name for the subnet the ODBC MX Association server runs on Note that the SUBNET and TARGETSUBNET parameters will be set to t...

Page 27: ...the Session menu The Session Properties dialog will be displayed 5 In the Protocol field select ODBC MX Client 6 In the Target Host field enter the IP address or host name where your ODBCMXS process is listening on your NonStop server 7 In the Target Port field enter the port number that you have specified as the listen port of your ODBCMXS process on the NonStop server e g 28888 8 In the Local Ac...

Page 28: ... by examining the messages with the View Log command in the Session Properties screen of the RemoteProxy To connect securely with your ODBC MX client 1 After you have correctly configured your ODBC MX driver use your ODBC client like you did before to connect to the NonStop system 2 You may check the successful creation of the session through the proxy by examining the messages with the View Log c...

Page 29: ...ure 2 At your TACL prompt run the HP NonStop SSL SETUP macro VOLUME SYSTEM ZNSSSL RUN SETUP Enter the name of the line handler when requested The SETUP macro will create a configuration file e g EXPSCF0 and an SCF IN file for the installation as persistent process e g EXPSIN0 3 Start the HP NonStop SSL EXPANDS persistent process e g SCF START PROCESS ZZKRN SSL EXPANDS 0 4 Check the log file config...

Page 30: ...30 Installation HP NonStop SSL Reference Manual ...

Page 31: ...process parameters with the following precedence highest to lowest 1 PARAM parameter 2 Configuration file parameter 3 Startup line parameter This means that a parameter given in the configuration file will override the value given for the same parameter on the startup line Likewise a parameter value given as PARAM command will override any value specified in the configuration file All parameters c...

Page 32: ... SSL emulator connections PORT 4023 TELSERV listening port the connections will be forwarded to TARGETPORT 23 log configuration set the level LOGLEVEL 50 enable console logging to 0 LOGCONSOLE 0 additionally log to file LOGFILE DATA1 SSL LOGTELS SSL configuration our server certificate and private key SERVCERT DATA1 SSL MYCERT SERVKEY DATA1 SSL PRIVKEY SERVKEYPASS myprivatepassword our server cert...

Page 33: ...MPLENIN AUDITASCIIDUMPLENOUT AUDITCONSOLE AUDITLEVEL AUDITFILE AUDITFILERETENTION AUDITFORMAT AUDITMAXFILELENGTH Control the creation of an audit file containing the remote FTP commands in run mode FTPS or the socket activities in run modes PROXYS PROXYC ODBCMXS CACERTS File names of a DER encoded X 509 CA certificates representing a certificate chain signing the certificate configured with the CL...

Page 34: ...e number of log files kept after rollover occurs LOGFORMAT Controls the format of the log messages that are written to the console or log file LOGFORMATCONSOLE Controls the format of the log messages that are written to the console LOGFORMATEMS Controls the format of the log messages that are written to EMS LOGFORMATFILE Controls the format of the log messages that are written to a log file LOGLEV...

Page 35: ...DEFINE TCPIP HOST FILE TCPIPNODEFILE Sets the DEFINE TCPIP NODE FILE TCPIPRESOLVERNAME Sets the DEFINE TCPIP RESOLVER NAME TCPNODELAY Activates RFC1323 on all sockets TRUST When running as SSL client list of trusted CA or server certificate files or fingerprints ALLOWCERTERRORS Use this parameter to allow selective overriding of certificate validation errors Parameter Syntax ALLOWCERTERRORS number...

Page 36: ...CERT_LOCALLY 20 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 X509_V_ERR_CERT_CHAIN_TOO_LONG 22 X509_V_ERR_CERT_REVOKED 23 X509_V_ERR_INVALID_CA 24 X509_V_ERR_PATH_LENGTH_EXCEEDED 25 X509_V_ERR_INVALID_PURPOSE 26 X509_V_ERR_CERT_UNTRUSTED 27 X509_V_ERR_CERT_REJECTED 28 X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 X509_V_ERR_AKID_SKID_MISMATCH 30 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 X509_V_ERR_KEYUSA...

Page 37: ... address Entries have to be separated by comma The network suffix can be left out for host entries 32 or 128 will be assumed then IPv6 DUAL entries have to be specified in square brackets Entry types and the corresponding CIDR format o IPv4 address 10 1 2 196 32 is assumed o IPv4 subnet 10 2 0 0 16 o IPv6 address abcd 1111 ab00 128 is assumed o IPv6 subnet abcd ef00 120 o DUAL address ffff 172 0 0...

Page 38: ...n the run mode see parameter AUDITLEVEL for details See also parameters AUDITASCIIDUMPLENIN and AUDITASCIIDUMPLENOUT to control how much data is dumped AUDITASCIIDUMPLENIN Use this parameter to define how many bytes of the incoming messages are written to the audit log when AUDITASCIIONLY is set to TRUE Parameter Syntax AUDITASCIIDUMPLENIN 1 n Arguments 1 means that each incoming message will be f...

Page 39: ...guments means that no audit messages are written to a console means that audit messages are written to the home terminal of the HP NonStop SSL process 0 audit messages are written to 0 auditdevice audit messages are written the given device Default By default audit messages will be not be written to a device Example AUDITCONSOLE DEV SUBDEV Considerations Audit messages will depend on the run mode ...

Page 40: ...TFILERETENTION Use this parameter to control how many audit files HP NonStop SSL keeps when audit file rollover occurs Parameter Syntax AUDITFILERETENTION n Arguments n number of audit files to keep Default By default 10 files are kept Considerations a minimum of 10 is enforced for that parameter See Logfile Auditfile Rollover in chapter Monitoring for details on logfile rollover See also AUDITMAX...

Page 41: ...esenting the detail level Default The default audit level is 50 Considerations Audit messages are written only for the following run modes PROXYS PROXYC ODBCMXS FTPS The following table describes how to set AUDITLEVEL for the various run modes Audit Level Run Modes TELNETS PROXYS PROXYC ODBCMXS Run Mode FTPS 10 Startup of HP NonStop SSL Startup of HP NonStop SSL 30 Logon of user 50 Network events ...

Page 42: ... kilobytes Max 40 000 40 MB Min 100 Default The default length is 20 000 KB Considerations After the current audit file reaches the maximum size a log rollover will occur Please see section Logfile Auditfile Rollover in chapter Monitoring for details on logfile rollover See also AUDITFILE AUDITLEVEL CACERTS Use this parameter to specify a certificate chain validating the server or client certifica...

Page 43: ...uite suite Arguments suite specifies a cipher suite Currently the following cipher suites can be explicitly configured Speci fier RFC Algo Name OpenSSL Name KEX Enc Mac 0 1 TLS_RSA_WITH_NULL_MD5 NULL MD5 RSA NULL MD5 0 2 TLS_RSA_WITH_NULL_SHA NULL SHA RSA NULL SHA 0 3 TLS_RSA_EXPORT_WITH_RC 4_40_MD5 EXP RC4 MD5 RSA_EXPORT RC4_40 MD5 0 4 TLS_RSA_WITH_RC4_128_M D5 RC4 MD5 RSA RC4_128 MD5 0 5 TLS_RSA...

Page 44: ...SHA DH_anon AES_128_CBC SHA 0 53 TLS_RSA_WITH_AES_256_CB C_SHA AES256 SHA RSA AES_256_CBC SHA 0 56 TLS_DHE_DSS_WITH_AES_25 6_CBC_SHA DHE DSS AES256 SHA DHE_DSS AES_256_CBC SHA 0 57 TLS_DHE_RSA_WITH_AES_2 56_CBC_SHA DHE RSA AES256 SHA DHE_RSA AES_256_CBC SHA 0 58 TLS_DH_anon_WITH_AES_256 _CBC_SHA ADH AES256 SHA DH_anon AES_256_CBC SHA 0 65 TLS_RSA_WITH_CAMELLIA_ 128_CBC_SHA CAMELLIA128 SHA RSA CAME...

Page 45: ...DHE_RSA_WITH_SEED_ CBC_SHA DHE RSA SEED SHA DHE_RSA SEED_CBC SHA 0 155 TLS_DH_anon_WITH_SEED_C BC_SHA ADH SEED SHA DH_anon SEED_CBC SHA 192 1 TLS_ECDH_ECDSA_WITH_N ULL_SHA ECDH ECDSA NULL SHA ECDH_ECDSA NULL SHA 192 2 TLS_ECDH_ECDSA_WITH_RC 4_128_SHA ECDH ECDSA RC4 SHA ECDH_ECDSA RC4_128 SHA 192 3 TLS_ECDH_ECDSA_WITH_3D ES_EDE_CBC_SHA ECDH ECDSA DES CBC3 SHA ECDH_ECDSA 3DES_EDE_CB C SHA 192 4 TLS_...

Page 46: ...TLS_ECDH_anon_WITH_AES_ 256_CBC_SHA AECDH AES256 SHA ECDH_anon AES_256_CBC SHA Default If omitted NonStop SSL will use the high security ciphers and the RC4 ciphers i e currently ECDHE RSA AES256 SHA ECDHE ECDSA AES256 SHA DHE RSA AES256 SHA DHE DSS AES256 SHA DHE RSA CAMELLIA256 SHA DHE DSS CAMELLIA256 SHA AECDH AES256 SHA ECDH RSA AES256 SHA ECDH ECDSA AES256 SHA AES256 SHA CAMELLIA256 SHA ECDHE...

Page 47: ... 0 2 will NOT encrypt the traffic they will only authenticate the partners and provide message integrity checking Please only use if encryption is not required CLIENTAUTH Use this parameter to enforce SSL client authentication when running as SSL server The CLIENTAUTH parameter specifies a file or a set of files containing certificates The certificate s will be sent to the client during connection...

Page 48: ...lient to Present a Client Certificate in chapter SSL Reference CLIENTKEY Use this parameter to specify the file containing the private key associated with the public key contained in the client certificate configured by CLIENTCERT Parameter Syntax CLIENTKEY file Arguments file file name of a DER encoded PKCS 8 encrypted private key file with PKCS 5 algorithm identifiers Default If omitted HP NonSt...

Page 49: ...rations This parameter only applies to the run modes PROXYC and FTPC it will be ignored in other run modes The default password test enables quick start installation with the CLIENTKEY public key file delivered with HP NonStop SSL See also CLIENTCERT CLIENTKEY CONFIG Use this parameter to specify a configuration file for a HP NonStop SSL process Parameter Syntax CONFIG file Arguments file the name...

Page 50: ...ation file can be overwritten by PARAM or startup line settings CONNECTIONINFOFORMAT Use this parameter to specify the output format for the SSLCOM command connections Parameter Syntax CONNECTIONINFOFORMAT format Arguments format specifies the format to be used Valid values are o EXTENDED designates the new default output format introduced with HP NonStop SSL AAE for connection info not exceeding ...

Page 51: ...exceeds the usually available window width o CSV designates output as comma separated values primarily targeted to simplify automated parsing of the output Default Starting with HP NonStop SSL AAE the default format will be EXTENDED Prior to that it was ORIGINAL but not configurable EXAMPLE CONNECTIONINFOFORMAT ORIGINAL Considerations Both the ORIGINAL and the EXTENDED format are primarily targete...

Page 52: ...ages CCC does not start with A or B text does not start with msg delimiters required used to define a message as part of the byte stream all bytes are ASCII values represented as decimal numbers start with sign 3C hex 60 dec msgstartbyte 60 end with sign 3E hex 62 dec msgendbyte 62 list of regular expressions in double quotes at least one required note that the engine implements traditional unix r...

Page 53: ...e to be specified in square brackets Entry types and the corresponding CIDR format o IPv4 address 10 1 2 196 32 is assumed o IPv4 subnet 10 2 0 0 16 o IPv6 address abcd 1111 ab00 128 is assumed o IPv6 subnet abcd ef00 120 o DUAL address ffff 172 0 0 28 128 is assumed o DUAL subnet ffff 172 1 1 0 104 Considerations See section Limiting Remote IP Addresses in chapter Introduction for the concept of ...

Page 54: ... by the SCF INFO LINE DETAIL command The parameters are ignored with any run mode other than EXPANDS See also SRCIPADDR SRCIPPORT DONOTWARNONERROR Use this parameter to log selected errors with LOGLEVEL 20 rather than as WARNING By default all errors on sockets result in a WARNING being displayed in the HP NonStop SSL log Using this parameter a log message with LOGLEVEL 20 will be issued instead f...

Page 55: ...N Use this parameter to specify whether HP NonStop SSL will allow unencrypted FTP sessions when running in FTPS mode Parameter Syntax FTPALLOWPLAIN boolean Arguments boolean If set to TRUE or 1 or Yes HP NonStop SSL will allow unencrypted traffic Default If omitted HP NonStop SSL will not allow unencrypted traffic Example FTPALLOWPLAIN TRUE Considerations This parameter is relevant only if HP NonS...

Page 56: ...ntax FTPLOCALDATAPORT number Arguments number 0 for pick a random port or any specific port number Default If omitted a value of 0 will be used Example FTPLOCALDATAPORT 20 Considerations This parameter is relevant only if HP NonStop SSL is running in the FTPC mode with PASSIVE set to TRUE Choosing a value other than zero will be firewall friendly However this can result in errors if the remote FTP...

Page 57: ...ns Default If omitted HP NonStop SSL will use a value of 40000 Example FTPMINPORT 20000 Considerations This parameter is relevant only if HP NonStop SSL is running in the FTPS or FTPC mode Together with the parameter FPTMAXPORT it controls the values HP NonStop SSL assigns for the FTP data sockets You can change this value to make sure that the FTP data connections will not interfere with other TC...

Page 58: ...d when verifying the SSL server side based on its fingerprint Parameter Syntax HASHALGORITHMS hashAlgorithm hashAlgorithm Arguments hashAlgorithm Name of hash algorithm that should be used If the parameter is explicitly set at least one hash algorithm has to be given Valid hash algorithms names are MD5 SHA1 RIPEMD160 SHA256 SHA384 SHA512 WHIRLPOOL You should not use this algorithm since it was cry...

Page 59: ...and to what console device HP NonStop SSL log messages are written to Parameter Syntax LOGCONSOLE 0 logdevice Arguments means that no log messages are written to a console means that log messages are written to the home terminal of the HP NonStop SSL process 0 log messages are written to 0 logdevice log messages are written the given device e g DEV SUBDEV Considerations The LOGLEVEL parameter cont...

Page 60: ...Command Interface for details If the EMS collector cannot be opened during startup HP NonStop SSL will terminate If the EMS collector cannot be opened after changing it through SSLCOM the old collector will stay active See also LOGLEVELEMS LOGFORMATEMS LOGMAXFILELENGTH LOGFILERETENTION LOGFILE Use this parameter to define if and to what file HP NonStop SSL log messages are written Parameter Syntax...

Page 61: ...number of log files to keep Default By default 10 files are kept Considerations a minimum of 10 is enforced for that parameter See section Logfile Auditfile Rollover in chapter Monitoring for details on logfile rollover See also LOGMAXFILELENGTH LOGFILE LOGFORMAT Use this parameter to control the default format the log messages Parameter Syntax LOGFORMAT format Arguments format a number representi...

Page 62: ...GFORMATCONSOLE format Arguments format a number representing a bit mask controlling the following format options bit 1 decimal 1 Date bit 2 decimal 2 header log messages a pre fixed with log bit 3 decimal 4 Time bit 4 decimal 8 Milliseconds bit 5 decimal 16 Process ID name or PIN bit 7 decimal 64 Log Level of Message Default If omitted the console log format is derived from LOGFORMAT Example Displ...

Page 63: ...ly LOGFORMATEMS 5 See also LOGFORMAT LOGFORMATCONSOLE LOGFORMATFILE LOGFORMATFILE Use this parameter to control the format of the log messages that are written to the log file Parameter Syntax LOGFORMATFILE format Arguments format a number representing a bit mask controlling the following format options bit 1 decimal 1 Date bit 2 decimal 2 header log messages a pre fixed with log bit 3 decimal 4 T...

Page 64: ...EVELCONSOLE LOFLEVELEMS and LOGLEVELFILE are all set with a value the parameter of LOGLEVEL becomes meaningless See also LOGLEVELCONSOLE LOGLEVELEMS LOGLEVELFILE LOGLEVELCONSOLE Use this parameter to control what messages are written to the log console Parameter Syntax LOGLEVELCONSOLE detail Arguments detail a number representing the detail level Default If omitted the console log level is derived...

Page 65: ...s See also LOGEMS LOGLEVEL LOGFORMATEMS LOGLEVELFILE Use this parameter to control what messages are written to the log file Parameter Syntax LOGLEVELFILE detail Arguments detail a number representing the detail level Default If omitted the console file level is derived from LOGLEVEL Considerations Different log levels can be used for the outputs to LOGCONSOLE LOGLEVELEMS and LOGFILE The parameter...

Page 66: ..._of_io s a number representing after how many I O operations HP NonStop SSL will send its memory usage to the log output Default The default is 0 meaning that memory usage will not be logged Considerations Use to have an easy correlation between memory usage of HP NonStop SSL and events in the log output Do not use if memory usage of HP NonStop SSL is not of interest for you The parameter can be c...

Page 67: ...L TLS version number Currently the supported values are 2 0 SSL 2 0 3 0 SSL 3 0 3 1 SSL 3 1 TLS 1 0 Default The default for this parameter is 3 1 i e SSL 3 1 TLS 1 0 See also MINVERSION MINVERSION Use this parameter to define the minimum admissible SSL TLS protocol version Parameter Syntax MINVERSION version Arguments version an SSL TLS version number Currently supported values are 2 0 SSL 2 0 3 0...

Page 68: ...ract with HP NonStop SSL in FTPS mode make sure to set the PASSIVE parameter to 1 for HP NonStop SSL running in FTPC mode PEERCERTCOMMONNAME Use this parameter to enforce verification of the content of remote certificates presented to HP NonStop SSL Parameter Syntax PEERCERTCOMMONNAME commonname Arguments commonname the expected common name of the remote certificate Default The default for this pa...

Page 69: ...3ee5e6b4b0d3255bfef95601890afd80709 Considerations This parameter does not adhere to the HASHALGORITHMS parameter yet instead fingerprints should be given in SHA1 format This parameter should not be used together with the parameter PEERCERTCOMMONNAME as behavior may be unpredictable then If other than the actual fingerprint of the remote server certificate will be compared against the value of the...

Page 70: ...s in a Single Process for details PTCPIPFILTERKEY Use this parameter to specify a filter key to enable round robin filtering with Parallel Library TCP IP or TCP IPV6 Parameter Syntax PTCPIPFILTERKEY password Arguments password a password serving as a key to enable round robin filtering for multiple instances of HP NonStop SSL servers listening on the same port The password will override the value ...

Page 71: ...TRUE D10 0 0 198 8888 binary zero respectively Dfe80 abcd 4711 8888 binary zero In this case the address will be taken as the target to which the connection shall be forwarded This dynamic routing feature is only needed in really rare cases so usually there is no need to touch this parameter Parameter Syntax ROUTINGMODE S D Arguments S Static routing is used D Dynamic routing is used Default If om...

Page 72: ...SL MYKEY Considerations The private key data in the file is password encrypted For HP NonStop SSL to be able to decrypt the file the correct password must be specified by the SERVKEYPASS parameter A private key file for testing purposes is delivered as SERVKEY file on the HP NonStop SSL installation subvolume to enable quick start installation This private key file matches the test server certific...

Page 73: ...th the FTPC or FTPS modes of HP NonStop SSL Setting SLOWDOWN to values between 1 and 5 will significantly reduce CPU usage but will also make the time a file transfer will take higher The impact of HP NonStop SSL high volume data encryption decryption can also be influenced by the priority of the HP NonStop SSL process However if it is desirable to run HP NonStop SSL at a higher priority than the ...

Page 74: ...f TARGETPORT will still be required to determine the final host to connect to In run modes FTPC the final host to connect to will be configured by adding it to the user name just as when not using SOCKS SRCIPADDR SRCIPPORT Use these parameters to for the configuration of an HP NonStop SSL EXPANDS process Parameter Syntax SRCIPADDR ip address SRCIPPORT port Arguments ip address specifies the IP add...

Page 75: ...ical ports across multiple HP NonStop SSL processes you need to add an identical DEFINE to all instances sharing that port as in the following example please refer to the HP NonStop manual TCP IPv6 Configuration and Management Manual section 3 subsection Monolithic Listening Model for more details ADD DEFINE PTCPIP FILTER KEY class map file A1234 If running in IPMODE DUAL the specified subnet must...

Page 76: ... following run modes PROXYS outgoing socket PROXYC outgoing socket FTPS control socket connecting to FTPSERV FTPC control socket connecting to remote FTP server Use this parameter to control which IP address HP NonStop SSL binds to for outgoing connections If a host name rather than an IP address is used to configure TARGETINTERFACE name resolution will take place only once during startup If name ...

Page 77: ...s See also TARGETHOSTFORCE TARGETHOSTFORCE This FTPC only parameter can be used in combination with TARGETHOST to force the override of the targethost in the FTPC user command HP NonStop SSL will use the TARGETHOST if set in FTPC to default to a certain host if none is given in the actual user command If TARGETHOSTFORCE is specified in addition the value of TARGETHOST will always be taken as host ...

Page 78: ...r command If TARGETPORTFORCE is specified in addition the value of TARGETPORT will always be taken as port to connect to no matter what the user actually specifies in the FTPC user command Parameter Syntax TARGETPORTFORCE TRUE FALSE Default FALSE Example TARGETPORTFORCE TRUE See also TARGETPORT TARGETHOSTFORCE TARGETSUBNET Use this parameter to specify the TCP IP process a HP NonStop SSL process s...

Page 79: ...or this parameter is Considerations See the HP NonStop manual for details of the usage of the DEFINE TCPIP HOST FILE TCPIPNODEFILE Use this parameter to specify the value of the DEFINE TCPIP NODE FILE value Parameter Syntax TCPIPNODEFILE nodefile Arguments nodefile a node file to be used for DNS name resolution The node file will override the value of the DEFINE TCPIP NODE FILE which may have been...

Page 80: ...vated on all sockets which HP NonStop SSL controls Parameter Syntax TCPNODELAY boolean Arguments boolean If set to TRUE or 1 or Yes HP NonStop SSL will activate RFC1323 Default If omitted HP NonStop SSL will not activate RFC1323 Example TCPNODELAY TRUE Considerations If this parameter is set to true HP NonStop SSL sets a socket option TCP_NODELAY when initializing sockets This can help speed up th...

Page 81: ...hain the two forms of specifying the trusted CAs do not differ in functionality Some SSL servers do not send the complete certificate chain during the handshake for those servers the missing signing certificate s should be specified with the certificate syntax of the parameter The parameter can be changed at run time using SSLCOM please see chapter SSLCOM Command Interface for details Due to the e...

Page 82: ...ecovery from failures such as CPU outages The SETUP macro included with the package will guide you through the process of creating a persistent process see chapter Installation for details Note HP NonStop SSL cannot be run as a non stop process However this is not required to achieve non stop availability Running as a non stop process would not add value as TCP sessions are reset upon CPU takeover...

Page 83: ... Throughput The highest maximum throughput can be achieved with Multi CPU paths Measurements showed a throughput of up to 1 5 MB s per CPU for FESA 100Mbit connected systems with a linear scalability for multiple requestor server pairs running in different CPUs e g 6MB s 1with 4 pairs Multi line paths have a lesser maximum throughput as all traffic is handled by a single LH process Measurements ha...

Page 84: ...ue port number was selected for each line SRCIPPORT and DESTIPPORT can be identical DESTIPADDR of all lines was set to the loopback address 127 0 0 1 2 Six HP NonStop SSL EXPANDS persistent processes were created on both systems A different CPU was selected for each SSL process The SSL tunnel was associated to the line using the same SRCIPPORT and DESTIPPORT parameters as in the line configuration...

Page 85: ... corrected automatically What is an audit message A audit message is issued by HP NonStop SSL for security relevant events such as network event connect disconnect or FTP operations Why are there three different target devices There are three different devices which to messages can be logged i e a terminal a file or EMS Operators may choose their favorite location for being alerted For productive ...

Page 86: ...it messages to a certain extent For example you may add the current date to the log message header Please refer to the AUDITFORMATEMS AUDITFORMATCONSOLE AUDITFORMATFILE LOGFORMATCONSOLE LOGFORMATEMS and LOGFORMATFILE parameter descriptions for details Using SHOWLOG to View a Log File HP NonStop SSL processes may be configured to write log files to disk see parameter LOGFILE For performance reasons...

Page 87: ...l for console is 50 FCMH 23Jun10 12 43 09 96 10 log level for logfile is 50 FCMH 23Jun10 12 43 09 96 10 log level for EMS is 10 FCMH 23Jun10 12 43 09 97 10 global log max level is 50 FCMH 23Jun10 12 43 09 97 10 global trace max level is 1 FCMH 23Jun10 12 43 09 98 30 starting collecting of random data FCMH 23Jun10 12 43 13 12 10 collection of 64 bytes random data finished FCMH 23Jun10 12 43 13 14 3...

Page 88: ...e which is converted This is helpful for the viewing large log files The following example shows dumping a large log file Only a limited number of log messages totaling 10000 bytes after a given offset 5000000 are shown 33 run showlog telslog 5000000 10000 comForte SHOWLOG log file converter Version T9999A05_16Apr2009_comForte_SHOWLOG_ 0022 dumping at most 10000 bytes processing in file telslog ou...

Page 89: ... parameter A logfile rollover occurs when the logfile is greater than the size configured in the parameter LOGMAXFILELENGTH or when the audit file is greater than the size configured in the parameter AUDITMAXFILELENGTH HP NonStop SSL will round robin over at least 10 files The number of files can be configured using the LOGFILERETENTION or AUDITFILERETENTION parameter Archive files created during ...

Page 90: ...90 Monitoring HP NonStop SSL Reference Manual ...

Page 91: ... change the following parameters please refer to the Parameter Reference for the meaning of the parameters o ALLOWCERTERRORS o ALLOWIP o CONTENTFILTER o DENYIP o LOGCONSOLE o LOGEMS o LOGFILE o LOGFORMATCONSOLE o LOGFORMATFILE o LOGFORMATEMS o LOGLEVELFILE o LOGLEVELCONSOLE o LOGLEVELEMS o LOGMEMORY o MAXSESSIONS only in applicable run modes o TRUST only in run modes ending with a C and in run mod...

Page 92: ...LEVEL parameter 15 SSLCOM TELS GFTCOM H16 06FEB03 OPEN TELS status status HP NonStop SSLOBJ version T9999G06_15Sep2003_comForte_SSLD_S40_1031 Startup configuration def ALLOWIP def CACERTS CACERT def CIPHERSUITES 0 4 0 10 0 5 def DELAYRECEIVE 0 def DENYIP def LICENSE LICENSE par LOGCONSOLE run LOGFILE lproxysl def LOGFORMAT 76 def LOGLEVEL 50 def LOGMAXDUMP 100 def LOGMAXFILELENGTH 20000 def LOGMEM...

Page 93: ... the CPU ms used by HP NonStop SSL will be displayed SHOW shows current values of parameters which can be altered using SSLCOM SET parameter value changes a parameter SSLINFO displays the local certificate chain when HP NonStop SSL is running as SSL server RELOAD CERTIFICATES changes the server certificate chain at run time CONNECTIONS DETAIL display on overview of the current open connections of ...

Page 94: ...tgoing peer 127 0 0 1 23 6829 Incoming peer 192 168 113 4 37640 Incoming local 10 0 0 194 11011 Outgoing local 127 0 0 1 6829 Outgoing peer 127 0 0 1 23 6830 Incoming peer 192 168 113 4 37641 Incoming local 10 0 0 194 11011 Outgoing local 127 0 0 1 6830 Outgoing peer 127 0 0 1 23 END CONNECTIONINFOFORMAT ORIGINAL default before HP NonStop SSL AAE connections connections Port remote connection loca...

Page 95: ... EXTENDED format can be viewed with the common width of 80 characters on the terminal emulator CONNECTIONINFOFORMATDETAILED ORIGINAL default before HP NonStop SSL AAE Note The output of the command is best viewed with a terminal emulator displaying 132 characters per line connections detail connections detail Port remote connection local connection HS First Handshake Last Handshake 6843 10 0 0 194...

Page 96: ...onnects to the target application In TELNETS mode that is the connection to TELSERV Peer certificate information if the accepting socket in TELNETS or PROXYS mode has sent a client certificate the contents are displayed here See section Requesting the SSL Client to Present a Client Certificate for details on enforcing client authentication SSL handshake information displays the number of SSL hands...

Page 97: ...been configured for startup the command will fail 2 If used with an additional parameter containing the filename of a configuration file in double quotes the new values will be loaded from that file Some considerations for the command The success or failure of the command will be returned to SSLCOM If the command fails the prior certificate chain will remain active HP NonStop SSL does some limited...

Page 98: ...98 SSLCOM Command Interface HP NonStop SSL Reference Manual ...

Page 99: ...ublic key cryptography and digital signatures the SSL protocol allows to authenticate the server or client before exchanging confidential data Session Integrity SSL ensures the integrity of the messages exchanged allowing client and server to verify if it has been modified by an attacker using a Message Authentication Code MAC Example MAC algorithms are MD5 or SHA Further References For more infor...

Page 100: ...r block chaining mode CBC in 3 DES guarantees the utmost security against replay insertion as well as brute force attacks At the current state of computer technology triple encryption is no longer a speed obstacle The authenticity of messages is granted by the 160 bit SHA hash algorithm HMAC SHA or by the 128 bit MD5 hash algorithm HMAC MD5 Modulus lengths of up to 8192 bits are supported for publ...

Page 101: ...n installation it is mandatory to configure HP NonStop SSL to use your own certificate and key files Using the default files and settings for a production installation may compromise the security of the system OpenSSL toolkits available as shareware can help you generate your own SSL certificate This section will describe how to generate your own certificates It also explains how HP NonStop SSL is...

Page 102: ...ivate key and a PKCS 10 CSR You will then submit the CSR to the CA typically by pasting it in BASE64 encoded format to the CA s web site or sending it via email The CA will then return the signed certificate to you typically also in BASE64 encoded format attached to an email The BASE64 encoded certificate can then be converted to binary certificate file which is passed to HP NonStop SSL with the S...

Page 103: ...ommands shown apply for Unix Linux systems as well 2 Create a directory OpenSSL_certificates and within it directories ca server and newcerts 3 All OpenSSL commands shown in this example except the genrsa command require a configuration file By default a file named openssl cfg is expected in the directory where the OpenSSL binary resides A different filename and location can be specified with the ...

Page 104: ...format openssl pkcs8 topk8 outform DER in server servkey pem out server servkey der If the signing request will be submitted to a CA authority skip to step 6 after having received the signed server certificate from the CA and placed it in directory server as servcert pem assuming it was returned in PEM format The CA root certificate received should be placed in directory ca as cacert pem and then ...

Page 105: ...cakey pem C Comforte OpenSSL_certificates openssl req out ca cacert pem new key ca cakey pem x509 days 365 Enter pass phrase for ca cakey pem Loading screen into random state done You are about to be asked to enter information that will be incorporated into your certificate request What you are about to enter is what is called a Distinguished Name or a DN There are quite a few fields but you can l...

Page 106: ...y_anything keyfile ca cakey pem cert ca cacert pem in server csr pem out server servcert pem Using configuration from C OpenSSL Win32 bin openssl cfg Loading screen into random state done Enter pass phrase for ca cakey pem Check that the request matches the signature Signature ok Certificate Details Serial Number 1 0x1 Validity Not Before Oct 13 20 03 52 2011 GMT Not After Oct 12 20 03 52 2012 GMT...

Page 107: ... may compromise the security of the system To Configure HP NonStop SSL to verify the remote certificate 1 Obtain the root CA certificate that signed the server certificate of the target SSL server 2 If required convert the root CA certificate into the DER format e g with OpenSSL 3 Upload the DER encoded root CA certificate file to your NonStop server in binary mode 4 Configure the TRUST parameter ...

Page 108: ...roduction as SSL Client Make sure to generate your own certificates for production and to configure all your SSL clients to verify the certificates used by the SSL server Protecting the Private Key File If an attacker gets access to the private key file he can attack the SSL protocol in various ways Therefore it is important that you protect the private key file residing on your NonStop system The...

Page 109: ...ket resulting in a TLS alert 50 DecodeError 13 37 18 53 30 TLS Alert 50 The following table contains the TLS alert numbers for TLS 1 0 For more information about the individual alerts please refer to the TLS specification RFC 2246 available under http www ietf org TLS Alert Number TLS Alert name 0 close_notify 10 unexpected_message 20 bad_record_mac 21 decryption_failed 22 record_overflow 30 decom...

Page 110: ...110 SSL Reference HP NonStop SSL Reference Manual ...

Page 111: ...ote that the HP NonStop SSL RemoteProxy does not support being installed as a Windows service RemoteProxy Installation HP NonStop SSL is shipped with a RemoteProxy InstallShield installation package PROXYEXE that can be downloaded and executed on the target Windows workstation The HP NonStop SSL RemoteProxy setup program does the following It moves the files to the target PC It installs shortcuts ...

Page 112: ...t all configured proxy sessions After the installation the list will be empty The example pictured above shows 2 configured proxy sessions for ODBC MX and RSC with the following information Target Information shows either the host name or the IP address of the host to which the RemoteProxy connects for the depicted session This could be a remote host see last session or the local host see first se...

Page 113: ...ped separately If this is required they need to be configured as separate sessions i e using the NEW button in the configuration main window for each separate session Note RemoteProxy uses a Java Virtual Machine JVM to execute proxy sessions Each proxy session is executed in a separate JVM instance whereas multiple proxy session instances configured for a single proxy session are all executed with...

Page 114: ... as with most protocols all data is transferred via a single TCP IP session Some protocols such as ODBC MX use multiple sessions and negotiate ports to be used Generic TCP IP Target Host General The address of the target computer to which RemoteProxy should connect for the session referenced by the current table entry None Target Port General The port under which the target application is listenin...

Page 115: ...ession secrets from previous sessions Turn SSL session resumption off only for testing purposes not checked Initialize secure random seeding on startup Advanced If you check this option the SSL proxy will generate random data at session startup time Otherwise it will generate the random data when required during the first connection request The random data generation process will take a few second...

Page 116: ...116 Remote SSL Proxy HP NonStop SSL Reference Manual ...

Page 117: ...ed with runtime args list of runtime args If HP NonStop SSL has been started with runtime arguments instead or in addition to the a configuration file or TACL PARAMs those arguments are being displayed log level is log level Informs about the log level the HP NonStop SSL has been started with your system number is system number The system number of the NonStop system on which the HP NonStop SSL ha...

Page 118: ...port while accepting connections on source port FTP client proxy started on source port port number Notification about the HP NonStop SSL being started in FTPC mode and accepting connections on source port dumping configuration config setting Displays the settings of the configuration params loading Server Certificate from file filename Notification that the server certificate is being loaded from...

Page 119: ...ed by ip address attempted an unsecured login on a secured port The login was rejected TLS Alert TLS alert number Warning about an TLS alert received within current session TLS Exception Warning about a TLS exception received in current TLS session Watch for message which come along with this and which give additional information remote fingerprint fingerprint rejected Warning that a certificate r...

Page 120: ...ither specify a mapped IPv4 address in the TARGETHOST e g ffff 127 0 0 1 or set up one process for each IPMODE IPv4 and IPMODE IPv6 AUTH command AUTH_command from client not understood This message indicates that a client sent an unsupported authentication command Please contact HP support Protection level indicated by command PROT_command not supported This message indicates that a request for a ...

Page 121: ... Watch for other message which come along with this one in order to determine the reason of the error condition unexpected AUTH SSL reply reply This warning indicates that the FTP server sent an unexpected reply to the AUTH SSL command Please contact HP support reply to EPRT command from FTP server has error detailed reason This warning indicates that the FTP server sent an unexpected reply to the...

Page 122: ...ease watch for messages that come along with this one to resolve the error condition As a result of this message the HP NonStop process will sleep for the value specified in LISTENRETRYINTERVAL default 10 sec accepting tunnel connection failed reinitializing This message indicates that the HP NonStop SSL process is currently in the handshake phase When the Expand lines and the HP NonStop SSL proce...

Page 123: ... bug please contact HP support adding client CA file filename failed This message is displayed when a client CA file configured via the CLIENTAUTH parameter could not be processed Please view the prior log messages for detailed error information server fingerprint invalid session rejected PEERCERTFINGERPRINT fingerprint MD5 actual_md5_fingerprint SHA1 actual_sha1_fingerprint This message is displa...

Page 124: ...r messages surrounding this one Fatal SSL error error number exiting A fatal error during SSL processing has occurred which causes SSLOBJ to terminate Watch for earlier message which give additional information illegal parameter param value for MINVERSION needs to be one of 2 0 3 0 3 1 Warning about an invalid setting of param MINVERSION The allowed settings are being displayed with the message Th...

Page 125: ...configuration not valid for EXPANDS mode This error occurs when you try to specify a multi tunnel configuration by passing multiple entries in at least one of PORT TARGETPORT TARGETHOST unused parameters for EXPANDS anyway Remove any of PORT TARGETPORT TARGETHOST to resolve the error condition Invalid Multi Proxy configuration given detailed reason This error indicates that one or more values give...

Page 126: ...information to resolve the error condition Also see parameter description for ALLOWIP DENYIP for further information Troubleshooting of Typical Errors Address already in use If the message Fatal error Could not listen on socket Address already in use appears please check whether the Source Port which you assigned as PORT parameter is not in use by any other process Could not open xxx file If the m...

Page 127: ...listen on a PORT smaller than 1024 without having a SUPER group user id Excerpt from the Tandem TCP IP programming manual EACCES 4013 Cause A call to bind or bind_nw specified an address or port number that cannot be assigned to a non privileged user Only applications whose process access ID is in the SUPER group user ID 255 n can bind a socket to a well known port Effect The bind or bind_nw call ...