[AIX HP-UX Linux Solaris Windows]This topic applies only on the z/OS operating system.

SSL directives

Secure Sockets Layer (SSL) directives are the configuration parameters that control SSL features in IBM® HTTP Server.

Most SSL directives in IBM HTTP Server have the same behavior. A directive specified for a given virtual host configuration overrides a directive specified in the base server configuration. Also, a directive specified for a child directory overrides a directive specified for its parent directory. However, there are exceptions.

For example, when no directive is specified for a virtual host, the directive specified in the base server configuration might be copied to the virtual host configuration. In this case, the directive in the base server configuration overrides the virtual host configuration.
Note: The SSLEnable directive should not be specified in the base server configuration if you do not want the directive automatically copied to a given virtual host configuration.

Also, a directive specified for a child directory might be appended to the directive specified for its parent directory. In this case, the directive for the parent directory does not override the directive for the child directory, but instead is appended to it and both directives are applied to the child directory.

The following list contains the SSL directives for IBM HTTP Server.

SSLOCSPResponderURL

Enables checking of client certificates through a statically configured online certificate status protocol (OCSP) responder.
Syntax

[AIX Solaris HP-UX Linux Windows] SSLOCSPResponderURL<URL>

Scope Virtual host
Default Disabled
Module mod_ibm_ssl
Multiple instances in the configuration file One per virtual host
Values A fully qualified URL that points to an OCSP responder, for example, http://hostname:2560/. The path portion of the URL is not used when submitting OCSP requests.

Even if CRL checking is configured, OCSP checking is performed before any CRL checking. CRL checking only occurs if the result of the CRL is unknown or inconclusive.

If SSLOCSPResponderURL is set, IHS uses the supplied URL to check for certificate revocation status when an SSL client certificate is provided.

If both SSLOCSPEnable and SSLOCSPResponderURL are configured, the responder defined by SSLOCSPResponderURL is checked first. If the revocation status is unknown or inconclusive, IHS checks OCSP responders as described above for SSLOCSPEnable.

Avoid trouble: In some cases IBM HTTP Server might not be able to determine the revocation status of a client certificate, because the backed server, which is the source of the revocation data, is not available. You should be aware that:
  • A static CRL repository (SSLCRLHost) must be configured to allow the checking of other URI forms in the CRLDistributionPoint fields.
  • If your certificates use the LDAP or HTTP URI forms of the CertificateDistributionPoint or AIA extensions, be sure that the IBM HTTP Server system can establish outgoing connections of this type; you might need to adjust the settings for your firewall.
  • [AIX Solaris HP-UX Linux Windows] The SSLUnknownRevocationStatus directive is provided for cases in which recoverable errors occur in IBM HTTP Server when it is communicating with the backend server, and the IBM HTTP Server cannot determine the revocation status of a certificate. The default behavior is to continue processing the handshake unless the backend server can successfully indicate that the certificate is revoked.
gotcha

SSLOCSPEnable

Enables checking of client certificates through OCSP responders defined in the Authority Information Access (AIA) extension of their certificate.
Syntax

[AIX Solaris HP-UX Linux Windows] SSLOCSPEnable

Scope Virtual host
Default Disabled
Module mod_ibm_ssl
Multiple instances in the configuration file One instance permitted for each virtual host
Values None
If SSLOCSPEnable is set, and an SSL client certificate chain contains an AIA extension, IHS contacts the OCSP responder indicated by the AIA extension to check revocation status of the client certificate. The path portion of the URL is ignored.

If both OCSP and CRL checking is configured, OCSP checking is performed before any CRL checking. CRL checking only occurs if the result of the OCSP checking is unknown or inconclusive.

If both SSLOCSPEnable and SSLOCSPResponderURL are configured, the responder defined by SSLOCSPResponderURL is checked first. If the revocation status is unknown or inconclusive, IHS checks OCSP responders as described above for SSLOCSPEnable.

Keyfile directive

The keyfile directive sets the key file to use.
Note: This directive might be overridden by the base server configuration.
Syntax
[AIX] [Solaris] [Linux] [Windows] Keyfile [/prompt] /fully qualified path to key file/keyfile.kdb
[z/OS] Note: The /prompt function is only supported when running from a USS shell, not from a JCL started job. If you attempt to use the /prompt function from a JCL started job, then a configuration error occurs.
[z/OS] You can use a keyring stored in the Hierarchical File System (HFS) or in the System Authorization Facility (SAF). To use a keyring stored in HFS:
  • Keyfile /fully qualified path to key file/keyfile.kdb
To use a keyring stored in SAF:
  • Keyfile /saf WASKeyring
    Note: With SAF keyrings:
    • There is no stash file when using SAF, and access is controlled by SAF rules. Therefore, if you attempt to use the Keyfile/prompt/saf argument, the argument is not supported. An attempt to use this argument results in a configuration error.
    • The ID that is used to start IBM HTTP Server must have access to the keyring named in this directive. If the ID does not have access, SSL initialization fails.
Scope Global base and virtual host
Default None
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server
Values File name of the key file.

[AIX Solaris HP-UX Linux Windows] Use the prompt option to enable the HTTP server to prompt you for the Key file password during start up.

[z/OS] File system protection can be used to limit access. Use the SAF (System Authorization Facility) keyrings for limiting access to SSL certificates.

[z/OS] Important: The z/OS® system does not support key database files created on other platforms. Key database files used for z/OS systems must be created on the z/OS platform.
[may2010] You can only use one of the following configurations for the key file type:
  • [AIX Solaris HP-UX Linux Windows] Certificate Management Services (CMS)
  • [z/OS] CMS or Resource Access Control Facility (RACF®)
[may2010]
may2010

SSLAcceleratorDisable directive

The SSLAcceleratorDisable directive disables the accelerator device.
Syntax SSLAcceleratorDisable
Scope Virtual and global
Default Accelerator device is enabled
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host.
Values None. Place this directive anywhere inside of the configuration file, including inside a virtual host. During initialization, if the system determines that an accelerator device is installed on the machine, the system uses that accelerator to increase number of secure transactions. This directive does not take arguments.

SSLAllowNonCriticalBasicConstraints directive [AIX Solaris HP-UX Linux Windows]

The SSLAllowNonCriticalBasicConstraints directive allows compatibility with one aspect of the GPKI specification from the government of Japan that conflicts with RFC3280.
Syntax SSLAllowNonCriticalBasicConstraints on|off
Scope Global server or virtual host
Default Off
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server
Values None. This directive changes the behavior of the certificate validation algorithm such that a non-critical Basic Constraints extension on an issuer Certificate Authority (CA) certificate will not cause a validation failure. This allows compatibility with one aspect of the GPKI specification from the government of Japan that conflicts with RFC3280.
Note: RFC3280 states that this extension must appear as a critical extension in all CA certificates that contain public keys used to validate digital signatures on certificates.

SSLCacheDisable directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCacheDisable directive disables the external SSL session ID cache.
Syntax SSLCacheDisable
Scope One per physical Apache server instance, allowed only outside of virtual host stanzas.
Default None
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values None.

SSLCacheEnable directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCacheEnable directive enables the external SSL session ID cache.
Syntax SSLCacheEnable
Scope One per physical Apache server instance, allowed only outside of virtual host stanzas.
Default None
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values None.

SSLCacheErrorLog directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCacheErrorLog directive sets the file name for session ID cache.
Syntax SSLCacheErrorLog /usr/HTTPServer/logs/sidd_logg
Scope Server configuration outside of virtual host.
Default None
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values Valid file name.

SSLCachePath directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCachePath directive specifies the path to the session ID caching daemon.
Syntax SSLCachePath /usr/HTTPServer/bin/sidd
Scope Server configuration outside of virtual host.
Default <server-root>/bin/sidd
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values Valid path name.

SSLCachePortFilename directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCachePortFilename directive sets the file name for the UNIX® domain socket that is used for communication between the server instances and the session ID cache daemon. You must set this directive if you run two instances of IBM HTTP Server from the same installation directory and both instances are configured for SSL. Otherwise, you do not need to set this directive.
Syntax SSLCachePath /usr/HTTPServer/logs/sidd
Scope Server configuration outside of virtual host.
Default If this directive is not specified and the cache is enabled, the server attempts to use the <server-root>/logs/siddport file.
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values Valid path name. The Web server deletes this file during startup; do not name.

SSLCacheTraceLog directive [AIX] [HP-UX] [Linux] [Solaris] [z/OS]

The SSLCacheTraceLog directive specifies the file to which the session ID trace messages are written. Without this directive, tracing is disabled.
Syntax SSLCacheTraceLog /usr/HTTPServer/logs/sidd-trace.log
Scope Server configuration outside of virtual host.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file Not permitted.
Values Valid path name.

SSLCipherBan directive

The SSLCipherBan directive denies access to an object if the client has connected using one of the specified ciphers. The request will fail with a 403 status code.
Note: This directive, when specified for a child directory, does not override the directive specified for the parent directory. Instead, both directories are applied to the child directory.
Syntax SSLCipherBan <cipher_specification>
Scope Multiple instances per directory stanza.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file Permitted per directory stanza. Order of preference is top to bottom.
Values See SSL Version 2 cipher specifications and SSL Version 3 and TLS Version 1.0 cipher specifications.

SSLCipherRequire directive

The SSLCipherRequire directive restricts access to objects to clients that have connected using one of the specified ciphers. If access is denied, the request will fail with a '403' status code.
Note: This directive, when specified for a child directory, does not override the directive specified for the parent directory. Instead, both directories are applied to the child directory.
Syntax SSLCipherRequire <cipher_specification>
Scope Multiple instances per directory stanza.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file Permitted per directory stanza.
Values See SSL Version 2 cipher specifications and SSL Version 3 and TLS Version 1.0 cipher specifications.

SSLCipherSpec directive

If you specify V3 or TLS ciphers and no SSL V2 ciphers SSL V2 support is disabled. Also, if you specify SSL V2 ciphers and no SSL V3 or TLS ciphers SSL V3 and TLS support is disabled.
Syntax SSLCipherSpec short name or SSLCipherSpec long name
Scope Virtual host.
Default If nothing is specified, the server uses all of the cipher specifications available from the installed GSK library.
Module mod_ibm_ssl
Multiple instances in the configuration file Permitted. Order of preference is top to bottom, first to last. If the client does not support the cipher specifications, the connection closes.
Values See SSL Version 2 cipher specifications and SSL Version 3 and TLS Version 1.0 cipher specifications.

SSLClientAuth directive

The SSLClientAuth directive sets the mode of client authentication to use (none (0), optional (1), or required (2)).
Syntax SSLClientAuth <level required> [crl]
Scope Virtual host.
Default SSLClientAuth none
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host.
Values
  • 0/None: No client certificate requested.
  • 1/Optional: Client certificate requested, but not required.
  • 2/Required: Valid client certificate required.
  • Required_reset: The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. This option requires GSKit version 7.0.4.19 or later, or z/OS V1R8 or later.
    Important: No numeric option is provided so it will not look like the existing options.
  • CRL: Turns crl on and off inside an SSL virtual host. If you use certificate revocation list (CRL), you need to specify crl as a second argument for SSLClientAuth. For example: SSLClientAuth 2 crl. If you do not specify crl, you cannot perform CRL in an SSL virtual host.

If you specify the value 0/None, you cannot use the CRL option.

Required_reset The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. This option requires GSKit version 7.0.4.19 or later, or z/OS V1R8 or later.
Avoid trouble: In some cases IBM HTTP Server might not be able to determine the revocation status of a client certificate, because the backed server, which is the source of the revocation data, is not available. You should be aware that:
  • A static CRL repository (SSLCRLHost) must be configured to allow the checking of other URI forms in the CRLDistributionPoint fields.
  • If your certificates use the LDAP or HTTP URI forms of the CertificateDistributionPoint or AIA extensions, be sure that the IBM HTTP Server system can establish outgoing connections of this type; you might need to adjust the settings for your firewall.
  • [AIX Solaris HP-UX Linux Windows] The SSLUnknownRevocationStatus directive is provided for cases in which recoverable errors occur in IBM HTTP Server when it is communicating with the backend server, and the IBM HTTP Server cannot determine the revocation status of a certificate. The default behavior is to continue processing the handshake unless the backend server can successfully indicate that the certificate is revoked.
gotcha

SSLClientAuthGroup directive

The SSLClientAuthGroup directive defines a named expression group that contains a set of specific client certificate attribute and value pairs. This named group can be used by the SSLClientAuthRequire directives. A certificate must be provided by the client, which passes this expression, before the server will allow access to the protected resource.

Syntax SSLClientAuthGroup group name attribute expression
Scope Server config, virtual host.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file Permitted.
Override None.
Values Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses. For example:
SSLClientAuthGroup IBMUSpeople (Org =
 IBM) AND (Country = US)

Description of valid logical expressions. The following section provides a description of examples with valid logical expressions. For example: SSLClientAuthGroup ((CommonName = "Fred Smith") OR (CommonName = "John Deere")) AND (Org = IBM) means that the object is not served, unless the client certificate contains a common name of either Fred Smith or John Deere and the organization is IBM. The only valid comparisons for the attribute checks, are equal and not equal (= and !=). You can link each attribute check with AND, OR, or NOT (also &&, ||, and !). Any comparisons that you link with AND, OR, or NOT must be contained within parentheses. If the value of the attribute contains a non-alphanumeric character, you must delimit the value with quotation marks.

The following is a list of the attribute values that you can specify for this directive:
Long name Short name
CommonName CN
Country C
Email E
IssuerCommonName ICN
IssuerEmail IE
IssuerLocality IL
IssuerOrg IO
IssuerOrgUnit IOU
IssuerPostalCode IPC
IssuerStateOrProvince IST
Locality L
Org O
OrgUnit OU
PostalCode PC
StateOrProvince ST

The long name or the short name can be used in this directive.

The user specifies a logical expression of specific client certificate attributes. You can logically use AND , OR, or NOT for multiple expressions if you need to specify groupings of client certificate attribute values. Any comparisons that are linked with AND, OR, or NOT must be contained within parentheses. Valid operators include '=' and '!='. For example:
SSLClientAuthGroup IBMpeople Org = IBM)
or
SSLClientAuthGroup NotMNIBM (ST != MN) && (Org = IBM) 

A group name cannot include spaces. See SSLClientAuthRequire directive for more information.

SSLClientAuthRequire directive

The SSLClientAuthRequire directive specifies attribute values, or groups of attribute values, that must be validated against a client certificate before the server will allow access to the protected resource.

Syntax SSLClientAuthRequire attribute expression
Scope server config, virtual host
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file Permitted. The function joins these directives by "AND".
Override AuthConfig
Values Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses. For example:
SSLClientAuthRequire (group != IBMpeople) 
&& (ST = M)

If the certificate you received does not have a particular attribute, then there is no verification for an attribute match. Even if the specified matching value is " ", this may still not be the same as not having the attribute there at all. Any attribute specified on the SSLClientAuthRequire directive that is not available on the certificate, causes the request to be rejected.

The following is a list of the attribute values that you can specify for this directive:
Long name Short name
CommonName CN
Country C
Email E
IssuerCommonName ICN
IssuerEmail IE
IssuerLocality IL
IssuerOrg IO
IssuerOrgUnit IOU
IssuerPostalCode IPC
IssuerStateOrProvince IST
Locality L
Org O
OrgUnit OU
PostalCode PC
StateOrProvince ST

The long name or the short name can be used in this directive.

The user specifies a logical expression of specific client certificate attributes. You can logically use AND , OR, or NOT for multiple expressions if you need to specify groupings of client certificate attribute values. Any comparisons that are linked with AND, OR, or NOT must be contained within parentheses. Valid operators include '=' and '!='. The user can also specify a group name, that is configured using the SSLClientAuthGroup directive, to configure a group of attributes.

You can specify multiple SSLClientAuthRequire directives within the same scope. The logical expressions for each directive are used to evaluate access rights for each certificate, and the results of the individual evaluations are logically ANDed together. For example:
SSLClientAuthRequire ((CommonName="John Doe") || (StateOrProvince=MN)) && (Org !=IBM) 
or
SSLClientAuthRequire (group!=IBMpeople) && (ST=MN)
You can put quotes around the short and long names. For example:
SSLClientAuthRequire (group != IBMpeople) && ("ST= MN")
See SSLClientAuthGroup directive for more information.

SSLCRLHostname directive

The SSLCRLHostname directive specifies the TCP/IP name or address of LDAP server where the Certificate Revocation List (CRL) database resides.

Syntax <SSLCRLHostName <TCP/IP name or address>
Scope Global server or virtual host.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values TCP/IP name or address of the LDAP Server

Use the SSLCRLHostname directive, along with SSLCRLPort, SSLCRLUserID, and SSLStashfile directives, for static configuration of an LDAP-based CRL repository. It is only necessary to use these directives to query the LDAP-based CRL repository if an explicit CRLDistributionPoint X.509v3 certificate extension is absent or the server specified in the extension is unresponsive (unavailable).

If a CRLDistributionPoint extension is present in the certificate and the server specified in the extension is responsive (available), then the LDAP server specified in the CRLDistributionPoint is queried anonymously, without using these directives.

SSLCRLPort directive

The SSLCRLPort directive specifies the port of the LDAP server where the Certificate Revocation List (CRL) database resides.

Syntax SSLCRL<port>
Scope Global server or virtual host.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values Port of LDAP server; default = 389.

Use the SSLCRLPort directive, along with SSLCRLUserID, SSLCRLHostname, and SSLStashfile directives, for static configuration of an LDAP-based CRL repository. It is only necessary to use these directives to query the LDAP-based CRL repository if an explicit CRLDistributionPoint X.509v3 certificate extension is absent or the server specified in the extension is unresponsive (unavailable).

If a CRLDistributionPoint extension is present in the certificate and the server specified in the extension is responsive (available), then the LDAP server specified in the CRLDistributionPoint is queried anonymously, without using these directives.

SSLCRLUserID directive

The SSLCRLUserID directive specifies the user ID to send to the LDAP server, where the Certificate Revocation List (CRL) database resides.

Syntax SSLCRLUserID <[prompt] <userid>
Scope Global server or virtual host.
Default Defaults to anonymous if you do not specify a user ID.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values User ID of LDAP server. Use the prompt option to enable the HTTP server to prompt you for the password needed to access the LDAP server during start up.

Use the SSLCRLUserID directive, along with SSLCRLPort, SSLCRLHostname, and SSLStashfile directives, for static configuration of an LDAP-based CRL repository. It is only necessary to use these directives to query the LDAP-based CRL repository if an explicit CRLDistributionPoint X.509v3 certificate extension is absent or the server specified in the extension is unresponsive (unavailable).

If a CRLDistributionPoint extension is present in the certificate and the server specified in the extension is responsive (available), then the LDAP server specified in the CRLDistributionPoint is queried anonymously, without using these directives.

SSLDisable directive

The SSLDisable directive disables SSL for the virtual host.
Syntax SSLDisable
Scope Global server or virtual host.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values None.

SSLEnable directive

The SSLEnable directive enables SSL for the virtual host.
Note: This directive should not be specified in the base server configuration if you do not want the directive automatically copied to a given virtual host configuration.
Syntax SSLEnable
Scope Global server or virtual host.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values None.

SSLFakeBasicAuth directive

The SSLFakeBasicAuth directive enables the fake basic authentication support.

This support enables the client certificate distinguished name to become the user portion of the user and password basic authentication pair. Use password for the password.
Note: This directive might be overridden by the base server configuration.
Syntax SSLFakeBasicAuth
Scope Within a directory stanza, used along with AuthName, AuthType, and require directives.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per directory stanza.
Values None.

SSLFIPSDisable directive [AIX Solaris HP-UX Linux Windows]

The SSLFIPSDisable directive disables Federal Information Processing Standards (FIPS).
Syntax SSLFIPSDisable
Scope Virtual and global.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values None.

SSLFIPSEnable directive [AIX Solaris HP-UX Linux Windows]

The SSLFIPSEnable directive enables Federal Information Processing Standards (FIPS).
Syntax SSLFIPSEnable
Scope Virtual and global.
Default Disabled by default.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values None.

SSLPKCSDriver directive [AIX Solaris HP-UX Linux Windows]

The SSLPKCSDriver directive identifies the fully qualified name to the module, or driver used to access the PKCS11 device.

Syntax Fully qualified name to module used to access PKCS11 device>. If the module exists in the user's path, then specify just the name of the module.
Scope Global server or virtual host.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values Path and name of PKCS11 module or driver.
The default locations of the modules for each PKCS11 device follow, platform:
  • nCipher
    • AIX®: /opt/nfast/toolkits/pkcs11/libcknfast.so
    • HP: /opt/nfast/toolkits/pkcs11/libcknfast.sl
    • Solaris: /opt/nfast/toolkits/pkcs11/libcknfast.so
    • Windows®: c:\nfast\toolkits\pkcs11\cknfast.dll
  • IBM 4758
    • AIX: /usr/lib/pkcs11/PKCS11_API.so
    • Windows: $PKCS11_HOME\bin\nt\cryptoki.dll
  • IBM e-business Cryptographic Accelerator
    • AIX: /usr/lib/pkcs11/PKCS11_API.so

SSLProtocolDisable directive

The SSLProtocolDisable directive allows you to specify one or more SSL protocols which cannot be used by the client for a specific virtual host. This directive must be located in a <VirtualHost> container.

Supported protocols for a virtual host are supported separately. If all supported protocols are disabled, clients cannot complete an SSL handshake.
Syntax SSLProtocolDisable <protocolname>
Scope Virtual host
Default Disabled
Module mod_ibm_ssl
Multiple instances in the configuration file Multiple instances permitted per virtual host.
Values The following possible values are available for this directive.
  • SSLv2
  • SSLv3
  • TLSv1
The following example disables support for multiple protocols on a virtual host.
<VirtualHost	*:443>
SSLEnable
SSLProtocolDisable	SSLv2 SSLv3
(any other directives)
</VirtualHost>
Note: SSL0230I is logged for each SSL connection attempt if the client and server do not share at least one protocol and cipher combination.

SSLProxyEngine directive

The SSLProxyEngine toggles whether the server will use SSL for proxied connections. SSLProxyEngine on is required if your server is acting as a reverse proxy for an SSL resource.
Syntax SSLProxyEngine on|off
Scope IP-based virtual hosts
Default Off
Module mod_ibm_ssl
Multiple instances in the configuration file One per virtual host and global server
Values on|off

SSLRenegotiation directive [Fix Pack 9 or later]

The SSLRenegotiation directive determines whether, SSL renegotiation, as defined by the pertinent public standards, is permitted on existing SSL connections.

When on is specified, SSL renegotiation is permitted on existing SSL connections. When off is specified, SSL renegotiation requests are aborted.

Syntax SSLRenegotiation directive on|off
Scope Virtual hosts
Default off
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server
Values on|off

SSLServerCert directive

The SSLServerCert directive sets the server certificate to use for this virtual host.
Syntax SSLServerCert [prompt] my_certificate_label; on PKCS11 device - SSLServerCert mytokenlabel:mykeylabel
Scope IP-based virtual hosts.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values Certificate label. Use the /prompt option to enable the HTTP server to prompt you for the Crypto token password during start up. Use no delimiters around the certificate label. Ensure that the label is contained on one line; leading and trailing white space is ignored.

SSLStashfile directive

The SSLStashfile directive indicates path to file with file name containing the encrypted password for opening the PKCS11 device.

Syntax SSLStashFile /usr/HTTPServer/mystashfile.sth
Scope Virtual host and global server.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values File name of an LDAP and/or PKCS11 stash file that is created with the sslstash command.

The SSLStashFile does not point to a stash file for the KeyFile in use, as that is calculated automatically based on the name of the KeyFile, and is a different type of stashfile.

Use the sslstash command, located in the bin directory of IBM HTTP Server, to create your CRL password stash file. The password you specify using the sslstash command should equal the one you use to log in to your LDAP server.

Usage: sslstash [-c] <directory_to_password_file_and_file_name> <function_name> <password>

where:
  • -c: Creates a new stash file. If not specified, an existing file updates.
  • File: Represents the fully qualified name of the file to create, or update.
  • Function: Indicates the function for which to use the password. Valid values include crl, or crypto.
  • Password: Represents the password to stash.

Use the SSLStashFile directive, along with SSLCRLPort, SSLCRLHostname, and SSLCRLUserID directives, for static configuration of an LDAP-based CRL repository. It is only necessary to use these directives to query the LDAP-based CRL repository if an explicit CRLDistributionPoint X.509v3 certificate extension is absent or the server specified in the extension is unresponsive (unavailable).

If a CRLDistributionPoint extension is present in the certificate and the server specified in the extension is responsive (available), then the LDAP server specified in the CRLDistributionPoint is queried anonymously, without using these directives.

SSLTrace directive

The SSLTrace directive enables debug logging in mod_ibm_ssl. It is used in conjunction with the LogLevel directive. To enable debug logging in mod_ibm_ssl, set LogLevel to debug and add the SSLTrace directive to global scope in the IBM HTTP Server configuration file, after the LoadModule directive for mod_ibm_ssl. This directive is typically used at the request of IBM support while investigating a suspected problem with mod_ibm_ssl. We do not recommend enabling this directive under normal working conditions.

Syntax SSLTrace
Scope Global
Default mod_ibm_ssl debug logging in not enabled
Module mod_ibm_ssl
Multiple instances in the configuration file Ignored
Values None
Note: See also LogLevel Directive.

SSLUnknownRevocationStatus [AIX Solaris HP-UX Linux Windows]

The SSLUnknownRevocationStatus directive specifies how IBM HTTP Server will react when IBM HTTP Server cannot readily determine the revocation status, which is coming through CRL or OCSP.

Syntax SSLUnknownRevocationStatus ignore | log | log_always | deny
Scope Virtual host
Default ignore
Module mod_ibm_ssl
Multiple instances in the configuration file One instance permitted for each virtual host
Values
ignore
Specifies that a debug level message is issued when a handshake completes and the revocation status is not known. This message is not re-issued when the SSL session is resumed.
log
Specifies that a notice-level message is issued when a handshake completes and the revocation status is not known. This message is not re-issued when the SSL session is resumed.
log_always
Specifies that a notice-level message is issued when a handshake completes and the revocation status is not known. IBM HTTP Server will issue the same message for subsequent handshakes.
deny
Specifies that a notice-level message is issued when a handshake completes, the revocation status is not known, the session is not resumable, and the HTTPS connection is immediately closed. IBM HTTP Server will report the same message for subsequent handshakes.
Supported configurations: Whenever a message is logged for UnknownRevocationStatus, the SSL_UNKNOWNREVOCATION_SUBJECT variable, an internal SSL environment variable, is set. You can log this variable with the following syntax:
%{SSL_UNKNOWNREVOCATION_SUBJECT}e
You could also use the variable in mod_rewrite expressions when the SSLUnknownRevocationStatus directive has any value other than deny. Use the following variable name:
%{ENV:SSL_UNKNOWNREVOCATION_SUBJECT}
sptcfg

SSLV2Timeout directive

The SSLV2Timeout directive sets the timeout for SSL Version 2 session IDs.

Syntax SSLV2Timeout 60
Scope Global base and virtual host.
Default 40
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values 0 to 100 seconds.

SSLV3Timeout directive

The SSLV3Timeout directive sets the timeout for SSL Version 3 and TLS session IDs.

Syntax SSLV3Timeout 1000
Scope Global base and virtual host.

[Windows] The virtual host scope or global scope are applicable.

[AIX] [HP-UX] [Linux] [Solaris] The virtual host scope is applicable if the SSLCacheDisable directive is also being used. Otherwise, only the global scope is allowed.

Default 120
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per virtual host and global server.
Values 0 to 86400 seconds.

SSLVersion directive

The SSLVersion directive enables object access rejection, if the client attempts to connect with an SSL protocol version other than the one specified.

Syntax SSLVersion ALL
Scope One per directory stanza.
Default None.
Module mod_ibm_ssl
Multiple instances in the configuration file One instance per <Directory> or <Location> stanza.
Values SSLV2|SSLV3|TLSV1|ALL



Related concepts
SSL certificate revocation list
Related tasks
Choosing the level of client authentication
Choosing the type of client authentication protection
Securing with SSL communications
Reference topic    

Terms of Use | Feedback

Last updated: Oct 21, 2010 11:50:03 AM CDT
File name: rihs_ssldirs.html