SSL Directives: IBM HTTP Server

Using Secure Sockets Layer directives

This section provides information on using SSL directives. This information includes specific syntax, descriptions, scopes and associated notes Note: . Links to related topics appear at the end of this section.

Keyfile	SSLClientAuthRequire
LogLevel	SSLCRLHostname
SSLAcceleratorDisable	SSLCRLPort
SSLCacheDisable	SSLCRLUserID
SSLCacheEnable	SSLDisable
SSLCacheErrorLog	SSLEnable
SSLCachePath	SSLFakeBasicAuth
SSLCachePortFilename	SSLPKCSDriver
SSLCacheTraceLog	SSLServerCert
SSLCipherBan	SSLStashfile
SSLCipherRequire	SSLV2Timeout
SSLCipherSpec	SSLV3Timeout
SSLClientAuth	SSLVersion
SSLClientAuthGroup	Finding related information

Keyfile

Description: Sets the key file to use.
Default: No default
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: Global base and virtual host
Syntax: Keyfile /fully qualified path to key file/keyfile.kdb
Values: File name of the key file

LogLevel

Description: Adjusts the verbosity of the messages recorded in the error logs. When you specify a particular level, the server reports messages from all other levels of higher significance. For example, when you specify LogLevel info, the server reports messages with log levels of notice and warn. Specifying at least level crit is recommended.
Default: LogLevel error
Module: mod_ibm_ssl
Multiple instances in the configuration file: Allowed. Order of preference is top to bottom, first to last. If the client does not support cipher specifications, the connection closes.
Scope: Server configuration, virtual host
Syntax: LogLevel level

Values: The following available levels appear in order of decreasing significance:

Level	Description	Example
`emerg`	Emergencies: system rendered unusable.	"Child cannot open lock file. Exiting"
`alert`	Take immediate action.	"getpwuid: could not determine user name from uid"
`crit`	Critical conditions.	"socket: Failed to get a socket, exiting child"
`error`	Error conditions.	"Premature end of script headers"
`warn`	Warning conditions.	"child process 1234 did not exit, sending another SIGHUP"
`notice`	Normal, but significant condition.	"httpd: caught SIGBUS, attempting to dump core in ..."
`info`	Informational.	"Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
`debug`	Debug-level messages.	"Opening configuration file ..."

SSLAcceleratorDisable

Description: Disables the accelerator device.
Default: Accelerator device is enabled
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: Virtual and global
Syntax: SSLAcceleratorDisable
Values: None

Tips: Place this directive anywhere inside of the configuration file, including inside a virtual host. During initialization, if the system determines that an accelerator device is installed on the machine, the system uses that accelerator to increase number of secure transactions. This directive does not take arguments.

SSLCacheDisable

Description: Disables the external SSL session ID cache
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas
Syntax: SSLCacheDisable
Values: None

Note: Valid only in UNIX environments.

SSLCacheEnable

Description: Enables the external SSL session ID cache
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas
Syntax: SSLCacheEnable
Values: None

Note: Valid only in UNIX environments.

SSLCacheErrorLog

Description: Sets the file name for session ID cache error logging
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical server instance, allowed only outside of virtual host stanzas.
Syntax: SSLCacheErrorLog /usr/HTTPServer/log/sidd_log
Values: Valid file name

Note: Not valid on Windows NT operating system.

SSLCachePath

Description: Specifies the path to the session ID caching daemon executable.
Default: /usr/HTTPServer/bin/sidd
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical IBM HTTP Server
Syntax: SSLCachePath /usr/HTTPServer/bin/sidd
Values: Valid path name.

Note: Not valid on Windows NT operating system.

SSLCachePortFilename

Description: Sets the file name for the UNIX domain socket used for communication between the server instances and the session ID cache daemon.
Default: If this directive is not specified and the cache is enabled, then the server attempts to use the file: /usr/HTTPServer/logs/siddport
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical Apache server instance, allowed only outside of virtual host stanzas.
Syntax: SSLCachePortFilename /usr/HTTPServer/logs/siddport
Values: Valid file name. The Web server deletes this file during startup; do not use an existing file name.

Tips Valid only on UNIX platform.

SSLCacheTraceLog

Description: Specifies the trace log to which session ID trace messages log.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Not allowed
Scope: One per physical IBM HTTP Server
Syntax: SSLCacheTraceLog /usr/HTTPServer/log/sidd-trace.log
Values: Valid path name.

Note to Windows NT users: Not valid on Windows NT operating systems.

SSLCipherBan

Description: Denies access to an object, if the client attempts the specified cipher.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Allowed per directory stanza. Order of preference is top to bottom.
Scope: Multiple instances per directory stanza
Syntax: SSLCipherBan <cipher specification>
Values: See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications

SSLCipherRequire

Description: Allows limited access to objects according to specified ciphers.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Allowed per directory stanza. Order of preference is top to bottom.
Scope: Multiple instances per directory stanza
Syntax: SSLCipherRequire <cipher specification>
Values: See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications

SSLCipherSpec

Description: Specifies a cipher specification that you can use in a secure transaction.
Default: If nothing is specified, the server uses all cipher specifications available from the installed GSK library.
Module: mod_ibm_ssl
Multiple instances in the configuration file: Allowed. Order of preference is top to bottom, first to last. If the client does not support the cipher specifications, the connection closes.
Scope: Virtual host
Syntax: SSLCipherSpec shortname or
SSLCipherSpec longname
Values: See SSL Version 2 Cipher Specifications, SSL Version 3 and TLS Version 1 Cipher Specifications

**Version 2 Cipher Specifications**
Short name	Long name	Description
27	SSL_DES_192_EDE3_CBC_WITH_MD5	Triple-DES (168-bit)
21	SSL_RC4_128_WITH_MD5	RC4 (128-bit)
23	SSL_RC2_CBC_128_CBC_WITH_MD5	RC2 (128-bit)
26	SSL_DES_64_CBC_WITH_MD5	DES (56-bit)
22	SSL_RC4_128_EXPORT40_WITH_MD5	RC4 (40-bit)
24	SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5	RC2 (40-bit)

**SSL Version 3 and TLS Version 1 Cipher Specifications**
Short name	Long name	Description
3A	SSL_RSA_WITH_3DES_EDE_CBC_SHA	Triple-DES SHA (168-bit)
33	SSL_RSA_EXPORT_WITH_RC4_40_MD5	RC4 SHA (40-bit)
34	SSL_RSA_WITH_RC4_128_MD5	RC4 MD5 (128-bit)
39	SSL_RSA_WITH_DES_CBC_SHA	DES SHA (56-bit)
35	SSL_RSA_WITH_RC4_128_SHA	RC4 SHA (128-bit)
36 (See	SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	RC2 MD5 (40-bit)
32	SSL_RSA_WITH_NULL_SHA
31	SSL_RSA_WITH_NULL_MD5
30	SSL_NULL_WITH_NULL_NULL
62	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA	RC4 SHA Export 1024 (56-bit)
64	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA	DES SHA Export 1024 (56-bit)

Tip Cipher specification 36 requires Netscape Navigator V4.07; it does not work on earlier versions of Netscape browsers.

SSLClientAuth

Description: Sets the mode of client authentication to use (none (0), optional (1), or required (2)).
Default: SSLClientAuth none
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host
Scope: Virtual host
Syntax: SSLClientAuth <level required> [crl]
Values:
- 0/None: No client certificate requested.
- 1/Optional: Client certificate requested, but not required.
- 2/Required: Valid client certificate required.
- CRL: Turns crl on and off inside an SSL virtual host. If you use certificate revocation list (CRL), you need to specify crl as a second argument for SSLClientAuth. For example: SSLClientAuth 2 crl. If you do not specify crl, you cannot perform CRL in an SSL virtual host.
If you specify the value 0/None, you cannot use the CRL option.

SSLClientAuthGroup

Description: Enables you to group client certificate attributes together for use in the SSLClientAuthRequire directive.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: Allowed. The function joins these directives by "AND".
Scope: Multiple instances per directory stanza
Syntax: <SSLClientAuthGroup group name> <logic string>
Values: Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses.

Description of valid logical expressions

The following section provides a description of examples with valid logical expressions. For example:

SSLClientAuthGroup (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM

means that the object is not served, unless the client certificate contains a common name of either Fred Smith, or John Deere and the organization is IBM. The only valid comparisons for the attribute checks, are equal and not equal (= and !=). You can link each attribute check with AND, OR, or NOT (also &&, ||, and !). Use parentheses to group comparisons. If the value of the attribute contains a nonalphanumeric character, you must delimit the value with quotes.

A listing of valid attributes follows:

CommonName
Country
Email
Group
IssuerCommonName
IssuerCountry
IssuerEmail
IssuerLocality
IssuerOrg
IssuerOrgUnit
IssuerStateOrProvince
Locality
Org
OrgUnit
StateOrProvince

A listing of valid short names follows:

     CN, C, E, G, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST

SSLClientAuthRequire

Description: Enables extensive validation of client certificate information before serving an object
Default: None
Module: mod_ibm_ssl
Multiple instances in a configuration file: Allowed. The function joins these directives by "AND".
Scope: Directory
Syntax: SSLClientAuthRequire CommonName = Richard
Values: Logical expression consisting of attribute checks linked with AND, OR, NOT, and parentheses.

Description of valid logical expressions

For example:

SSLClientAuthRequire (CommonName = "Fred Smith" OR CommonName = "John Deere") AND Org = IBM

means that the object is not served unless the client certificate contains a common name of either Fred Smith, or John Deere, and the organization is IBM. The only valid comparisons for the attribute checks are equal, and not equal (= and !=). You can link each attribute check with AND, OR, or NOT (also &&, ||, and !). Use parentheses to group comparisons. If the value of the attribute contains a nonalphanumeric character, you must delimit the value with quotes.

A listing of valid attributes follow:

CommonName
Country
Email
IssuerCommonName
IssuerCountry
IssuerEmail
IssuerLocality
IssuerOrg
IssuerOrgUnit
IssuerStateOrProvince
Locality
Org
OrgUnit
StateOrProvince

A listing of valid short names follows:

     CN, C, E, ICN, IC, IE, IL, IO, IOU, IST, L, O, OU, ST

SSLCRLHostname

Description: TCP/IP name, or address of LDAP server, where CRL database resides.
Default: SSLCRLHostname is disabled by default.
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global server or virtual host
Syntax: SSLCRLHostname <TCP/IP name or address>
Values: TCP/IP name or address of LDAP server

SSLCRLPort

Description: Port of LDAP server, where CRL database resides.
Default: SSLCRLPort is disabled by default.
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global server or virtual host
Syntax: SSLCRLPort <port number>
Values: Port of LDAP server; default=389

SSLCRLUserID

Description: User ID to send to the LDAP server, where CRL database resides.
Default: Defaults to anonymous, if you do not specify a user ID
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global server or virtual host
Syntax: SSLCRLUserID <userid>
Values: User ID of LDAP server

SSLDisable

Description: Disables SSL for this virtual host.
Default: SSL is disabled by default.
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global server or virtual host
Syntax: SSLDisable
Values: None

SSLEnable

Description: Enables SSL for this virtual host.
Default: SSL is disabled by default.
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server>
Scope: Global server or virtual host
Syntax: SSLEnable
Values: None

SSLFakeBasicAuth

Description: Enables the fake basic authentication support. This support enables the client certificate distinguished name to become the user portion of the user and password basic authentication pair. Use the password password.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Within a directory stanza, used along with AuthName, AuthType, and require directives.
Syntax: SSLFakeBasicAuth
Values: None

SSLPKCSDriver

Description: Identifies the fully qualified name to the module, or driver used to access the PKCS11 device
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global server, or virtual host
Syntax: <Fully qualified name to module used to access PKCS11 device> If the module exists in the user's path, then specify just the name of the module.
Values: Path and name of PKCS11 module, or driver.

The default locations of the modules for each PKCS11 device follow, by platform:

nCipher

AIX: /opt/nfast/toolkits/pkcs11/libcknfast.so
HP: /opt/nfast/toolkits/pkcs11/libcknfast.sl
Solaris: /opt/nfast/toolkits/pkcs11/libcknfast.so
Windows NT and Windows 2000: c:\nfast\toolkits\pkcs11\cknfast.dll

IBM 4758

AIX: /usr/lib/pkcs11/PKCS11_API.so
Windows NT and Windows 2000: $PKCS11_HOME\bin\nt\cryptoki.dll

IBM e-business Cryptographic Accelerator

AIX: /usr/lib/pkcs11/PKCS11_API.so
Linux: Refer to: http://www.ibm.com/developerworks/oss/icadd/index.html

SSLServerCert

Description: Sets the server certificate to use for this virtual host
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host
Scope: IP-based virtual hosts
Syntax: SSLServerCert my_certificate_label; on PKCS11 device - SSLServerCert mytokenlabel:mykeylabel
Values: Certificate label

Tips Use no delimiters around the certificate label. Ensure that the label is contained on one line; leading and trailing white space is ignored.

SSLStashfile

Description: Indicates path to file with file name, containing the encrypted password for opening the PKCS11 device.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Virtual host and global server
Syntax: sslstash [-c] <file> <function> <password>, where:
- -c = Create a new stash file. If not specified, the server updates an existing stash file
- File = Fully qualified name of the file to create or update
- Function = Function with which to use the password Valid values include crl or crypto
- Password = The password to stash
- Usage - sslstash -c conf\pkcs11.passwd crypto pkcs11
Values: Path with file name

Tip Locate an sslstash command in the bin directory of the IBM HTTP Server, for UNIX, and the server installation root for the Windows platform. Use this command to store the password for the PKCS11 device. The stash file created after using the sslstash command can hold two different passwords for two different functions: crl and cryptography.

SSLV2Timeout

Description: Sets the timeout for SSL Version 2 session IDs
Default: 40
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global base and virtual host
Syntax: SSLV2Timeout 60
Values: 0 to 100 seconds

SSLV3Timeout

Description: Sets the timeout for SSL Version 3 session IDs
Default: 120
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: Global base and virtual host
Syntax: SSLV3Timeout 1000
Values: 0 to 86400 seconds

SSLVersion

Description: Enables object access rejection, if the client attempts to connect with an SSL protocol version other than the one specified.
Default: None
Module: mod_ibm_ssl
Multiple instances in the configuration file: One instance per virtual host and global server
Scope: One per directory stanza
Syntax: SSLVersion ALL
Values: SSLV2|SSLV3|TLSV1|ALL

Finding related information

     (Back to the top)