See Also: "Specifying Configuration Parameters in httpd.conf" on page 4-3 for general information about how to use these parameters in the main HTTP server configuration file.
Description: Specifies the location of the wallet with its WRL.
Oracle Corporation recommends that you use wallets created with the Auto Login feature of Oracle Wallet Manager. Wallets that are created with the Auto Login feature do not require a password, so when they are used, the SSLWalletPassword directive does not need to be set.
Syntax: SSLWallet wrl
The format of wrl is: file:path to wallet
Example: SSLWallet file:/etc/ORACLE/WALLETS/server
Other values of wrl may be used as permitted by the Oracle SSL product.
Default: None
Context: server configuration, virtual host
Caution: When Auto Login is enabled for a wallet, that wallet is only available to the operating system user who created it.
See Also: "Using Auto Login" on page 5-15 for information about using the Auto Login feature of Oracle Wallet Manager.
Using Secure Sockets Layer (SSL) to Authenticate Users
SSLWalletPassword
Description: Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf described below.
If you must use a regular wallet, Oracle Corporation recommends that you use the obfuscated password instead of a cleartext password.
Syntax: SSLWalletPassword password
If no password is required, do not set this directive.
Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.
Default: None
Context: server configuration, virtual host
See Also: "Using the iasobf Utility to Encrypt Wallet Passwords" on page 4-32
SSLPassPhraseDialog
Description: Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.
Valid Values:
■ builtin - when the server is started, mod_ossl prompts for a password for each wallet.
■ exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.
Syntax: SSLPassPhraseDialog type
Example: SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter
Default: SSLPassPhraseDialog builtin
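The following is an added example, not Oracle code, of a program that could sit behind exec:path/to/program. It is invoked with the two arguments the directive passes (servername:portnumber and RSA or DSA), prints the matching pass phrase on standard output as a pass phrase program is expected to do, and refuses to serve a pass phrase file that is readable by anyone but its owner. The one-file-per-wallet layout under PASSPHRASE_DIR is an assumption made for the example.

```shell
#!/bin/sh
# Hypothetical pass-phrase helper for "SSLPassPhraseDialog exec:/path/to/program".
# mod_ossl calls it as: program servername:portnumber RSA|DSA
# Pass phrases are kept one per wallet in files named <servername>_<port>.<RSA|DSA>
# under PASSPHRASE_DIR (a constructed layout, not an Oracle convention).
PASSPHRASE_DIR="${PASSPHRASE_DIR:-/etc/ORACLE/WALLETS/passphrases}"

# print_passphrase "www.example.com:443" "RSA"
print_passphrase() {
    key="$1"
    algo="$2"
    case "$algo" in
        RSA|DSA) ;;
        *) echo "unknown key type: $algo" >&2; return 1 ;;
    esac
    # Only host:port is acceptable; a slash or ".." must not be able to leave the directory.
    case "$key" in
        */*|*..*|"") echo "bad server argument: $key" >&2; return 1 ;;
    esac
    file="$PASSPHRASE_DIR/$(printf '%s' "$key" | tr ':' '_').$algo"
    [ -f "$file" ] || { echo "no pass phrase file for $key ($algo)" >&2; return 1; }
    # The pass phrase is what protects the wallet: refuse group- or world-readable files.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "$file has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
    # The first line of the file is the pass phrase; nothing else goes to stdout.
    head -n 1 "$file"
}

# When mod_ossl runs this script directly, the two arguments arrive as $1 and $2.
if [ "$#" -eq 2 ]; then
    print_passphrase "$1" "$2"
fi
```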
SSLCARevocationPath
Description: Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is treated as revoked and the client cannot authenticate itself to your server.
Syntax: SSLCARevocationPath path/to/CRL_directory/
Example: SSLCARevocationPath /ias2/Apache/conf/ssl.crl/
Default: None
Context: server config, virtual host
SSLCARevocationFile
Description: Specifies the file in which you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used as an alternative or in addition to SSLCARevocationPath.
Syntax: SSLCARevocationFile file_name
Example: SSLCARevocationFile /ias2/Apache/conf/ssl.crl/ca_bundle.crl
Default: None
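As an added example (not part of the Oracle documentation or product), the script below builds the bundle that SSLCARevocationFile points at by concatenating individual PEM-encoded CRL files in the order given, refusing any input that is not exactly one PEM CRL block, so a stray certificate or a truncated download cannot end up in the bundle unnoticed.

```shell
#!/bin/sh
# build_crl_bundle OUTPUT_FILE crl1.pem crl2.pem ...
# Writes the PEM CRLs to OUTPUT_FILE in the order given (order of preference).
# Each input must contain exactly one "-----BEGIN X509 CRL-----" ... "-----END X509 CRL-----" block.
build_crl_bundle() {
    out="$1"; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for crl in "$@"; do
        # grep -c exits 1 when the count is 0, so keep the count and ignore the status.
        begins=$(grep -c '^-----BEGIN X509 CRL-----$' "$crl" || true)
        ends=$(grep -c '^-----END X509 CRL-----$' "$crl" || true)
        if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
            echo "$crl: expected exactly one PEM CRL block, refusing to bundle" >&2
            rm -f "$tmp"
            return 1
        fi
        cat "$crl" >> "$tmp"
        # Make sure each block ends with a newline so the next BEGIN line starts cleanly.
        if [ -n "$(tail -c 1 "$crl")" ]; then
            echo >> "$tmp"
        fi
    done
    # The bundle contains only public revocation data; the server just needs to read it.
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# count_crls FILE prints the number of CRL blocks in a bundle (a quick sanity check).
count_crls() {
    grep -c '^-----BEGIN X509 CRL-----$' "$1" || true
}
```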
SSLMutex
Description: Type of semaphore (lock) for the SSL engine's mutual exclusion of operations that have to be synchronized between HTTP Server processes.
Valid Values:
■ none - Uses no mutex at all. Not recommended, because the mutex synchronizes write access to the SSL session cache. If you don't configure a mutex, the session cache can become garbled.
■ file:path/to/mutex - Uses a file for locking. The process ID (PID) of the HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash ('/'), it is assumed to be relative to ServerRoot. This setting is not available on Windows.
■ sem - Uses an operating system semaphore to synchronize writes. On UNIX, it is a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice if the operating system supports it.
Syntax: SSLMutex type
Example: SSLMutex file:/usr/local/apache/logs/ssl_mutex
Default: SSLMutex none
SSLSessionCache
Description: Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.
Valid Values:
■ none - Disables the global/interprocess session cache. This has no impact on functionality, but produces a noticeable performance penalty.
■ shmht:/path/to/datafile[bytes] - Uses a high-performance hash table (bytes specifies the approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes.
■ shmcb:/path/to/datafile[bytes] - Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb is more uniform across environments than that of shmht.
Syntax: SSLSessionCache type
Examples: SSLSessionCache shmht:/iasv2/Apache/Apache/logs/ssl_scache(512000)
SSLSessionCache shmcb:/iasv2/Apache/Apache/logs/ssl_scache(512000)
Default: SSLSessionCache none
Context: server configuration
SSLSessionCacheTimeout
Description: Number of seconds before an SSL session in the session cache expires.
Syntax: SSLSessionCacheTimeout seconds
Default: 300