iTP Secure WebServer System Administrator’s Guide
Abstract
This guide describes how to install, configure, and manage the iTP Secure WebServer. It also discusses how to develop and integrate Common Gateway Interface (CGI) applications and Java servlets and JSPs into an iTP Secure WebServer environment. This guide is intended for experienced HP NonStop system administrators and operators who need to install, configure, and manage the iTP Secure WebServer on an HP NonStop system.
Product Version
iTP Secure WebServer (Release 6.0)
Supported Release Version Updates (RVUs)
This guide supports D42, G03, and all subsequent RVUs until otherwise indicated in a new edition. For Parallel Library TCP/IP support you must be running G0608 or later.
Part Number: 523346-002
Published: March 2003
Document History
Part Number   Product Version                          Published
425144-001    iTP Secure WebServer D42 (Release 4.1)   February 2000
427022-001    iTP Secure WebServer (Release 5.0)       December 2000
429506-001    iTP Secure WebServer (Release 5.1)       August 2001
522659-001    iTP Secure WebServer (Release 5.1)       November 2001
523346-001    iTP Secure WebServer (Release 6.0)       July 2002
523346-002    iTP Secure WebServer (Release 6.0)       March 2003
Contents
What’s New in This Manual xxi
Manual Information xxi
New and Changed Information xxi
About This Guide xxv
Who Should Read This Guide xxv
Organization of This Guide xxvi
Related Manuals xxvii
Bibliography xxx
Reference Information on the Internet xxxi
Your Comments Invited xxxii
Notation Conventions xxxii
Abbreviations xxxvi
1. Introduction to the iTP Secure WebServer
Features and Standards Supported by iTP Secure WebServer 1-3
iTP Secure WebServer Architecture 1-6
Web Clients 1-8
TCP/IP Subsystem 1-8
iTP Secure WebServer httpd 1-9
PATHMON Process 1-9
WebSafe2 Interface Driver (WID) 1-9
Active Transaction Pages (ATP) 1-9
Pathway CGI Server 1-10
Generic Common Gateway Interface (CGI) Server 1-10
Servlet Server Class (SSC) 1-10
Resource Locator Service (RLS) 1-10
iTP Secure WebServer Admin httpd 1-10
Administration Server 1-10
iTP Secure WebServer Encryption 1-11
Secure Sockets Layer (SSL) and Private Communications Technology (PCT) Encryption 1-11
WebSafe2 Encryption 1-11
2. Installing the iTP Secure WebServer
iTP Secure WebServer System Requirements 2-1
Supported NonStop Systems 2-1
Required and Optional Software 2-2
Required Hardware 2-3
Preparing Your System for the iTP Secure WebServer 2-3
Event Management Service (EMS) Template Installation 2-6
Installing and Configuring the iTP Secure WebServer 2-7
Before You Begin the Installation 2-7
Begin the Installation 2-8
Run the IPSetup Program 2-8
Copy the iTP Secure WebServer Software From the Distribution Medium 2-9
Run the Setup Script 2-10
Setup for Parallel Library TCP/IP Support 2-11
Install a WISP 2-12
Install the Resource Locator 2-12
Installation Considerations 2-12
Verifying the Configuration 2-13
The Ninety-Day Test Certificate 2-13
Test-Starting the Administration Server and the iTP Secure WebServer 2-14
If You Plan to Use SSL or PCT Encryption 2-14
If You Plan to Use WebSafe2 Encryption 2-14
If You Are Using the Nonsecure Version 2-14
3. Planning the iTP Secure WebServer PATHMON Environment
Conventional TCP/IP: The Distributor Process 3-1
Parallel Library TCP/IP: The Auto Accept Feature 3-2
Migration Considerations For Parallel Library TCP/IP Support 3-2
Configuring the PATHMON Environment 3-4
Threading Considerations for the httpd Server 3-4
Security for the Server’s Pathway Environment 3-5
Who Can Modify the Configuration Files? 3-6
What TCP/IP Port Is the Distributor Process Monitoring? 3-6
Common Gateway Interface (CGI) Application Security Considerations 3-7
Pathway CGI Server Class Considerations 3-7
Other Security Considerations 3-7
Protecting the Key Database File 3-7
Protecting the Server Password 3-8
Protecting Core Dumps 3-8
Protecting Transmission of Key Database Files and Core Dumps 3-9
4. Configuring for Secure Transport
Using the Administration Server Securely 4-2
Overview of Server Configuration 4-2
Keyadmin Utility Configuration 4-2
Server Configuration 4-3
Managing Certificates 4-4
Formatting Distinguished Names (DNs) 4-4
Support for International 128-Bit SSL Sessions Using VeriSign’s Global Server ID 4-5
Using the Keyadmin Utility to Manage Keys and Certificates 4-7
Using Server Certificate Chains With the iTP Secure WebServer 4-23
Managing Client Authentication 4-24
Using the -requireauth Option 4-25
Using the -requestauth Option 4-26
Updating SSL and PCT Configuration 4-27
Controlling Access and Privacy 4-28
Specifying Content Access Using the Region Command 4-28
Using SSL and PCT Environment Variables in CGI Programs 4-29
Controlling Encryption and Integrity Checking 4-30
Using Ciphers With the AcceptSecureTransport Directive 4-30
Constraints on Cipher Use 4-31
5. Integrating the WebSafe2 Internet Security Processor (WISP)
The Secure Configuration Terminal (SCT) 5-3
The WebSafe2 Interface Driver (WID) 5-3
How the iTP Secure WebServer Uses WebSafe2 Internet Security Processors (WISPs) 5-4
How to Integrate WebSafe2 Internet Security Processors (WISPs) 5-5
If You Have Not Installed the iTP Secure WebServer 5-5
If You Are Migrating to WebSafe2 Encryption 5-5
If You Are Upgrading the WebSafe2 Internet Security Processor (WISP) From An Earlier Version 5-6
Installing the WebSafe2 Internet Security Processor (WISP) 5-6
Preparing a Distinguished Name (DN) for the Certificate 5-7
Installing the WebSafe2 Interface Driver (WID) 5-7
Configuring the iTP Secure WebServer for WebSafe2 Internet Security Processors (WISPs) 5-7
Generating the Public/Private Key Pair and Obtaining the Certificate 5-9
How to Use Server Certificate Chains With WebSafe2 Encryption 5-16
Configuration and Version Requirements for SSL 3.0 Hardware Encryption 5-17
Obtaining a New Certificate 5-17
Using Earlier Version Keys and Certificates 5-18
Using Appropriate WebSafe2 Internet Security Processor (WISP) Firmware 5-20
Installing the Latest WebSafe2 Interface Driver (WID) Software 5-20
Updating the WebSafe2 Interface Driver (WID) Configuration File 5-20
Configuring for Additional WebSafe2 Internet Security Processors (WISPs) 5-20
Switching From WebSafe2 to Software Encryption 5-20
Switching From Software to WebSafe2 (Hardware) Encryption 5-21
Where to Go From Here 5-21
6. Managing the iTP Secure WebServer Using Scripts
The httpd Command 6-1
Starting the iTP Secure WebServer Using the start Script 6-2
Stopping the iTP Secure WebServer Using the stop Script 6-3
Restarting the iTP Secure WebServer Using the restarth Script 6-3
For Parallel Library TCP/IP Support: 6-3
For Classical TCP/IP Support: 6-4
Restarting the iTP Secure WebServer Using the restart Script 6-4
Using the httpd Command 6-4
Syntax 6-5
Description 6-5
PATHMON Environment’s Autorestart for the iTP Secure WebServer and Related Processes 6-7
7. Configuring the iTP Secure WebServer
Configuring Your Server 7-1
The httpd Configuration File 7-2
Configuring Your Server For Use With Parallel Library TCP/IP 7-6
The Secure Transport Configuration File (httpd.stl.config) 7-7
Configuring Global Session Key Caching 7-7
Other Configuration Files 7-9
Managing Server Contents 7-9
Understanding How URLs Work 7-10
Mapping Requests to Contents 7-10
Establishing User Directories 7-16
Using Guardian Files 7-17
Controlling File Caching 7-19
FileStatsCheckTime 7-19
CacheTime 7-20
MaxFileCacheEntries 7-20
MaxFileCacheContentSize 7-21
NoCache Region Command 7-22
Managing Log Files 7-23
Choosing a Log Format 7-23
Planning Space for Logs 7-24
Rotating Log Files 7-24
Setting Up Server Aliases 7-26
How Aliases Work 7-26
Why Aliases Are Useful 7-26
Setting Up an Alias 7-27
Controlling Access to the Server 7-27
Using Region Directives 7-28
Granting Access by Host Name/IP Address 7-29
Denying Access by Host Name/IP Address 7-30
Requiring Client Authentication 7-30
Administering Passwords 7-31
Redirecting Access 7-33
Enabling Automatic Directory Indexing 7-34
Disabling Logging 7-35
Using Multiple Region Commands 7-35
Using Pattern Variables (Lists) 7-37
Using Conditional Commands 7-38
Using Tcl Variables 7-38
Allowing Byte Ranges 7-41
Implementing Multiple-Host Support 7-41
Customizing Server Error Messages 7-45
Setting Up Clickable Images 7-46
Creating an Image Map File 7-46
Adding a HyperText Anchor 7-48
Testing the Image Setup 7-48
Setting Up a Server-Side Include (SSI) 7-49
Configuring Your Server for WebSafe2 Internet Security Processor (WISP) Use 7-55
Updating the WebSafe2 Interface Driver (WID) Configuration 7-55
Adding WebSafe2 Internet Security Processors (WISPs) to Your Configuration 7-55
The WID Configuration File 7-56
The WebSafe2 Configuration File 7-57
8. Using Common Gateway Interface (CGI) Programs
CGI Support in the iTP Secure WebServer Environment 8-2
Generic-CGI Server Class 8-2
Pathway CGI Server Classes 8-4
Servlet Server Class (SSC) 8-5
CGI Configuration and Programming 8-5
Configuring for CGI Programs 8-6
MIME Types 8-6
Mapping MIME Types to Server Classes 8-7
Server Class Configuration 8-10
Program Access Restrictions 8-11
Passing CGI Environment Variables 8-11
HTTP Header Variables 8-21
Passing Input 8-24
Command Line 8-24
Query Strings 8-24
Extra Path Information 8-25
HTML Forms 8-26
Returning Output 8-26
Response Headers 8-27
Server Headers 8-28
Nonparsed Headers 8-29
Logging Error Information 8-29
CGI Standard File Environment 8-30
Standard Input 8-30
Standard Output 8-30
Standard Error 8-30
Customizing the Standard File Environment 8-30
CGI Library 8-31
Pathway CGI Coding Considerations 8-33
Including the CGI Library 8-33
Design Guidelines 8-34
Examples of a Pathway CGI Implementation 8-35
9. Using NonStop Servlets for JavaServer Pages (NSJSP)
Overview 9-2
How To Map From URL To Servlet 9-4
Java 2 Enterprise Edition (J2EE) Overview 9-5
The Web Container 9-5
JavaServer Pages 9-7
The Web Application 9-8
The WEB-INF Subdirectory 9-8
The Deployment Descriptor 9-8
Web Archive (WAR) Files 9-9
NonStop Servlets for JavaServer Pages (NSJSP) Architecture 9-9
Installing NonStop Servlets for JavaServer Pages (NSJSP) 9-12
Before You Begin the Installation 9-12
Begin the Installation 9-13
Verify the Installation 9-17
Starting or Restarting NonStop Servlets for JavaServer Pages (NSJSP) 9-17
Possible Error Conditions 9-17
The Web Container and Web Application Environments 9-18
Configuring the Web Container 9-18
servlet.config 9-18
iTP_server.xml 9-21
web.xml 9-22
Configuring the Web Application 9-24
Add a New Web Application 9-25
Deploy an Existing Application WAR file 9-26
Create a New Application 9-26
Deploy a Servlet 9-26
Map Requests to Applications and Servlets 9-28
Client Programming Considerations 9-29
Invoking a Servlet 9-29
Passing Request Information 9-29
Receiving Response Information 9-29
Servlet Programming Considerations 9-30
Servlet Programming Environment 9-30
NonStop Server for Java 9-30
Other Java Environments 9-31
Servlet and NSJSP Examples and References 9-31
Using the Servlet API 9-31
Classes that Facilitate Servlet Usage in an iTP Secure WebServer Environment 9-32
Obtaining Specific CGI Environment Variable Values 9-33
Context-Management 9-33
Multithreading - Spawning Java Threads 9-34
Request and Response Streams 9-34
Security Considerations 9-34
International Character Set Support 9-35
Reserved Cookie Name 9-35
JavaServer Pages 9-35
Model-View-Controller Designs 9-36
JSP Syntax Basics 9-38
An Example of JSP Code 9-39
How To Handle an HTML Form 9-39
How To Create a Form 9-40
Logs and Error Conditions 9-41
Servlet Logging 9-41
Configuration and Status Information 9-41
Exception Message Format 9-41
Error Messages 9-42
Migration From T0094 to T1222 9-43
Converting to a Web Application Directory Structure 9-44
Changing Your servlet.config File 9-44
Recreating Parameters in the web.xml File 9-44
Changing Your web.xml File 9-45
Changing Your iTP_server.xml File 9-45
Reserved Cookie Name 9-46
Changes from Servlet Version 2.0 to 2.2 9-46
Changes from Servlet Version 2.1 to 2.2 9-47
Other Changes 9-47
10. Using the Resource Locator Service (RLS)
Resource Locator Service (RLS) Architecture 10-1
Configuring the Resource Locator Service (RLS) 10-2
Defining the Server Class 10-2
Creating the Database 10-3
Modifying the Database 10-5
Building and Installing the Resource Locator Service (RLS) 10-6
11. Administering Session Identifiers for Anonymous Sessions
Anonymous Ticketing 11-1
Tracking 11-2
Ticketing and Tracking Example 11-2
Configuring for Anonymous Ticketing 11-4
Enabling Session Identifiers 11-4
Advanced Configuration Options 11-6
Ticketing Strategies 11-11
Using Session Identifiers for Reporting 11-15
Using Tcl Variables for Anonymous Sessions 11-16
12. Managing the iTP Secure WebServer From Your Browser
Administration Server Architecture 12-2
Installing the Administration Server 12-2
Invoking the Administration Server 12-2
Configuring the Administration Server 12-3
Defining the admin Server Class 12-3
Defining the admin httpd Server Class 12-3
Administration Server Screens 12-4
Welcome 12-5
Current Server Information 12-6
Server Control: Start 12-6
Server Control: Restart 12-7
Server Control: Stop 12-8
View Configuration Files 12-9
Edit Configuration File 12-9
View EMS Logs 12-10
View Server Logs 12-13
Search Configuration Files 12-14
OSS Commands 12-14
A. Configuration Directives
Accept A-2 (Syntax A-2, Description A-2, SCF TCP/IP Configuration A-4, Default A-4, Examples A-4)
AcceptSecureTransport A-5 (Syntax A-5, Description A-5, SCF TCP/IP Configuration A-9, Default A-10, Examples A-10: Examples of Secure Transport Protocol Support (Port 4430) A-11, Examples of Cipher Support A-11)
AccessLog A-13 (Syntax A-13, Description A-13, Default A-13, Example A-13)
Browser A-13 (Syntax A-13, Description A-13, Default A-14, Example A-14)
CacheTime A-14 (Syntax A-14, Description A-14, Default A-15, Example A-15)
DefaultType A-15 (Syntax A-15, Description A-15, Default A-15, Example A-15)
DNSCacheSize A-15 (Syntax A-15, Description A-15, Default A-16, Example A-16)
DNSExpiration A-16 (Syntax A-16, Description A-16, Default A-16, Example A-16)
EncodingType A-16 (Syntax A-16, Description A-17, Default A-17, Example A-17)
ErrorLog A-17 (Syntax A-17, Description A-17, Default A-18, Example A-18)
ExtendedLog A-18 (Syntax A-18, Description A-18, Default A-18, Example A-18)
Filemap A-18 (Syntax A-18, Description A-18, Default A-20, Example A-20)
FileStatsCheckTime A-20 (Syntax A-20, Description A-20, Default A-20, Example A-21)
IndexFile A-21 (Syntax A-21, Description A-21, Default A-21, Example A-21)
InputTimeout A-22 (Syntax A-22, Description A-22, Default A-22, Example A-22)
KeepAliveTimeout A-22 (Syntax A-22, Description A-22, Default A-23, Example A-23)
KeepAliveMaxRequest A-23 (Syntax A-23, Description A-23, Default A-23, Example A-23)
KeyDatabase A-24 (Syntax A-24, Description A-24, Example A-24)
LanguagePreference A-24 (Syntax A-24, Description A-24, Default A-25, Example A-25)
LanguageSuffix A-25 (Syntax A-25, Description A-25, Default A-25, Example A-25)
MaxFileCacheContentSize A-26 (Syntax A-26, Description A-26, Default A-26, Example A-26)
MaxFileCacheEntries A-27 (Syntax A-27, Description A-27, Default A-27, Example A-27)
MaxRequestBody A-27 (Syntax A-27, Description A-27, Default A-28, Example A-28)
Message A-28 (Syntax A-28, Description A-28, Default A-30, Example A-30)
MimeType A-30 (Syntax A-30, Description A-31, Default A-31)
Negotiation A-31 (Syntax A-31, Description A-32, Default A-33, Example A-33)
OutputTimeout A-33 (Syntax A-33, Description A-33, Default A-34, Example A-34)
Pathmon A-34 (Syntax A-34, Description A-34)
PathwayMimeMap A-37 (Syntax A-37, Description A-37, Examples A-37)
Pidfile A-38 (Syntax A-38, Description A-38, Default A-38, Example A-38)
PutScript A-38 (Syntax A-38, Description A-38)
Region A-39 (Syntax A-39, Description A-40, Region Commands A-41, Anonymous Ticket Attributes A-54)
RegionSet A-58 (Syntax A-58, Description A-58, Default A-58, Example A-58)
ReverseLookup A-58 (Syntax A-58, Description A-58, Default A-59, Example A-59)
RMTServer A-59 (Syntax A-59, Description A-59, Default A-59, Example A-59)
ScriptTimeout A-59 (Syntax A-59, Description A-60, Default A-60, Example A-60)
Server A-60 (Syntax A-60, Description A-60, Server Commands A-61)
ServerAdmin A-67 (Syntax A-67, Description A-67, Default A-67, Example A-67)
ServerPassword A-67 (Syntax A-67, Description A-67, Default A-68, Examples A-68)
ServerRoot A-68 (Syntax A-68, Description A-68, Default A-69, Example A-69)
SI_Default A-69 (Syntax A-69, Description A-69, Default A-69, Example A-69)
SI_Department A-69 (Syntax A-69, Description A-69, Default A-70, Example A-70)
SI_Enable A-70 (Syntax A-70, Description A-70, Default A-70, Example A-70)
SK_CacheExpiration A-70 (Syntax A-70, Description A-70, Default A-71, Example A-71)
SK_CacheSize A-71 (Syntax A-71, Description A-71, Default A-72, Example A-72)
SK_GlobalCache A-72 (Syntax A-72, Description A-72, Default A-72, Example A-72)
SK_GlobalCacheTimeout A-72 (Syntax A-72, Description A-72, Default A-72, Example A-73)
User A-73 (Syntax A-73, Description A-73, Default A-73, Example A-73)
UserDir A-73 (Syntax A-73, Description A-74, Default A-74, Example A-74)
WidTimeout A-75 (Syntax A-75, Description A-75, Default A-75, Example A-75)
B. Error Messages
C. Server Log File Formats
Access Log Format C-1
Access Log Entry Format C-1
Example C-2
Error Log Format C-3
Extended Log Format C-4
Extended Log Entry Format C-4
Example C-7
D. Security Concepts
Open Network Security D-1
Encryption D-1
Authentication D-2
Cryptographic Techniques D-3
Secret Key Systems D-3
Public Key Systems D-3
Managing Key Certificates D-5
Using Certificates D-6
Obtaining Certificates D-7
Secure Sockets Layer (SSL) D-7
What SSL Does D-7
SSL 3.0 Protocol Enhancements Over SSL 2.0 D-8
Deploying SSL D-8
Private Communications Technology (PCT) D-9
Comparing SSL and PCT D-9
Design Goals D-9
Relative Advantages D-9
E. Tool Command Language (Tcl) Basics
Tcl Syntax Rules E-1
Tcl Commands E-3
Script Commands E-4
F. HTTP/1.1 Feature List
Glossary
Index
Examples
Example 4-1. Sample Certificate in PKCS #7 Format 4-13
Example 4-2. Example Default Root Certificate 4-18
Example 4-3. Sample Secure Transport httpd.stl.config File 4-27
Example 5-1. Sample WebSafe2 install.WS Script 5-8
Example 7-1. Sample httpd.config File 7-2
Example 7-2. Sample httpd.stl.config File 7-8
Example 7-3. Sample URL 7-10
Example 7-4. Sample Image Map 7-48
Example 7-5. Sample WID Configuration File 7-56
Example 7-6. Sample WebSafe2 Configuration File 7-57
Example 8-1. Server MIME Types 8-8
Example 8-2. Sample cgilib.h File 8-33
Example 8-3. Sample Pathway CGI Program 8-35
Example 9-1. Directory and Configuration Overview 9-3
Example 9-2. Use of getAttribute() Method to Obtain Environment Variables 9-33
Example 10-1. RLS Server Class Definition 10-2
Example 11-1. Sample Visit-Organized Report 11-15
Figures
Figure 1-1. iTP Secure WebServer Architecture 1-7
Figure 4-1. Cipher Negotiation Between Web Client and Server Lists 4-31
Figure 5-1. WebSafe2 Internet Security Processors (WISPs) in an iTP Secure WebServer Environment 5-2
Figure 5-2. Setting Up Secure Communication Using a (WISP) 5-4
Figure 6-1. WebServer Management Processes 6-2
Figure 7-1. Image Map Areas 7-49
Figure 8-1. CGI Relationships 8-2
Figure 8-2. Generic-CGI Server class 8-3
Figure 8-3. Pathway CGI Interface 8-5
Figure 9-1. A J2EE Web Container With Two Applications 9-6
Figure 9-2. JSP Data Flows 9-7
Figure 9-3. iTP Secure WebServer Servlet Architecture 9-11
Figure 9-4. A Basic NSJSP Model 9-36
Figure 9-5. A Model-View-Controller Design 9-37
Figure 9-6. Requests and Responses in a JSP Application 9-40
Figure 11-1. Requesting a Ticket 11-3
Figure 11-2. Using a Ticket 11-3
Figure 11-3. Proxies 11-10
Figure 11-4. Relative and Absolute References 11-12
Figure D-1. Basic Encryption D-2
Figure D-2. Public-Key Systems D-4
Figure D-3. Certificate Chain D-6
Tables
Table 4-1. Common Distinguished Name (DN) Attributes 4-5
Table 7-1. Required Log-File Space 7-24
Table 7-2. Region Directive Variables 7-39
Table 7-3. SSI Environment Variables 7-54
Table 8-1. Environment Variables 8-11
Table 8-2. Pathway Specific Environment Variables 8-18
Table 8-3. Environment Variable Access Methods 8-21
Table 8-4. Sample HTTP Header Variables 8-22
Table 8-5. CGI Response Headers 8-27
Table 8-6. CGI Procedures 8-31
Table 11-1. Anonymous Ticketing Attributes 11-6
Table 11-2. Region Directive Variables for Anonymous Sessions 11-16
Table A-1. Directives That Have Been Replaced A-2
Table A-2. Cipher Pairs Supported (by Protocol) A-6
Table A-3. WebServer Actions Based on SSL Version A-8
Table A-4. Server Access Errors A-29
Table A-5. URL Pattern-Matching Characters A-41
Table A-6. URL Pattern-Matching Examples A-41
Table C-1. Access Log Fields C-2
Table C-2. HTTP Status Codes C-3
Table C-3. Extended Log Items C-5
Table E-1. Tcl Expression Operators E-5
What’s New in This Manual
Manual Information
iTP Secure WebServer System Administrator’s Guide
Abstract
This guide describes how to install, configure, and manage the iTP Secure WebServer. It also discusses how to develop and integrate Common Gateway Interface (CGI) applications and Java servlets and JSPs into an iTP Secure WebServer environment. This guide is intended for experienced HP NonStop system administrators and operators who need to install, configure, and manage the iTP Secure WebServer on an HP NonStop system.
Product Version
iTP Secure WebServer (Release 6.0)
Supported Release Version Updates (RVUs)
This guide supports D42, G03, and all subsequent RVUs until otherwise indicated in a new edition. For Parallel Library TCP/IP support you must be running G0608 or later.
Part Number: 523346-002
Published: March 2003
Document History
Part Number   Product Version                          Published
425144-001    iTP Secure WebServer D42 (Release 4.1)   February 2000
427022-001    iTP Secure WebServer (Release 5.0)       December 2000
429506-001    iTP Secure WebServer (Release 5.1)       August 2001
522659-001    iTP Secure WebServer (Release 5.1)       November 2001
523346-001    iTP Secure WebServer (Release 6.0)       July 2002
523346-002    iTP Secure WebServer (Release 6.0)       March 2003
New and Changed Information
This edition of the manual includes the following changes (also marked in the manual with revision bars):
• This publication has been updated to reflect new product names:
  ° Since product names are changing over time, this publication might contain both HP and Compaq product names.
  ° Product names in graphic representations are consistent with the current product interface.
• In this edition of the current manual, Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP), documents the NSJSP 1.0 version of this product. Subsequent versions of NonStop Servlets for JavaServer Pages (NSJSP), starting with NSJSP 2.0, are in a separate manual, the NonStop Servlets for JavaServer Pages (NSJSP) System Administrator’s Guide.
• Made miscellaneous modifications to Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP), as indicated by revision bars.
• Added new hypertext URLs for the new Java specifications to Reference Information on the Internet on page xxxi.
• Removed references to Certificate Revocation List (CRL) support since WebServer does not support it at this time.
• Modified information in Threading Considerations for the httpd Server on page 3-4 to indicate that TANDEM_RECEIVE_DEPTH can also apply to a servlet server class.
• Corrected a directory path under Mapping Requests to Contents on page 7-10.
• Changed all occurrences of ZNSJSP back to ZOSSUTL.
Changes for the Original 523346-001 Version 6.0
With the 6.0 release, the iTP Secure WebServer is a separate product that does not contain servlets. Since Servlets 2.0 is no longer a part of the iTP Secure WebServer base application, you can do a clean install of NonStop Servlets for JavaServer Pages (NSJSP) and thus eliminate any potential installation conflicts that might arise from installing NSJSP on top of a WebServer that has the older version of servlets included.
The following list includes the specific changes made to the documentation in the iTP Secure WebServer 6.0 update.
• Added the text “Secure HTTP supports the simultaneous use of both the SSL and HTTP protocols” to Encryption and authentication flexibility on page 1-1.
• Added “The Secure HyperText Transfer Protocol (Secure HTTP)” to Features and Standards Supported by iTP Secure WebServer on page 1-3.
• Changed the list of Required and Optional Software on page 2-2.
• Added information on IPSetup to Section 2, Installing the iTP Secure WebServer, and Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP), and made other changes to the installation procedures in both sections.
• Changed references to T1222 to NonStop Servlets for JavaServer Pages in Section 2, Installing the iTP Secure WebServer.
• Changed occurrences of ZOSSUTL to ZWEB in Section 2, Installing the iTP Secure WebServer, and to ZNSJSP in Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP).
• Added information on Secure HTTP to Section 4, Configuring for Secure Transport.
• Added a caution note to The WID Configuration File on page 7-56 to state that the wid configuration file used by keyadmin should not include extra white space characters at the end of configuration parameters and should appear as in the sample file.
• Modified text under Location Header on page 8-28 to indicate that the Resource Locator Service (RLS) passes the Location header sent by the remote server unaltered to the client; the RLS is not designed to modify the Location header from the remote server. Accordingly, you should configure the remote web server to either:
  ° not send redirect location headers, or
  ° send a redirect location that properly refers to the DNS name (or IP address) and port of the iTP WebServer front-end server.
• Added notes in various subsections of Section 8, Using Common Gateway Interface (CGI) Programs, to indicate that the CGI environment changes on each invocation of CGI_main and that, to access your environment variables, you must use CGI_initialize(). See the following references:
  ° Design Guidelines on page 8-34.
  ° Pathway CGI Server Classes on page 8-4 (Caution box).
  ° Passing CGI Environment Variables on page 8-11 (Caution box).
  ° CGI Procedures on page 8-31.
• Changed Table 8-1, Environment Variables, on page 8-11 to show all environment variables for both secure and nonsecure versions of the iTP Secure WebServer. Added text stating that the SSL, session identifier, and Secure HTTP environment variables apply only to secure versions of the iTP Secure WebServer.
• Added a note under servlet.config on page 9-18 that you cannot configure and manage multiple instances of the servlet server class.
• Changed instances of JavaServer Pages (JSP) to NonStop Servlets for JavaServer Pages (NSJSP) in the following places:
  ° About This Guide
  ° Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP).
• Added the trademark (™) symbol to NonStop Servlets for JavaServer Pages™ (NSJSP™) in Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP), where its functionality is discussed.
• Changed the subtitle, Changes from Servlet Version 2.0 to 2.1, to Changes from Servlet Version 2.0 to 2.2 on page 9-46.
• Removed the batch translator (also called ahead-of-time (AOT) compilation) from NonStop Server for Java on page 9-30 because the NonStop Java development team says this feature is not supported.
About This Guide
This guide describes the installation, configuration, and management of the Internet Transaction Processing (iTP) Secure WebServer. It covers the nonsecure version (iTP WebServer) along with the exportable and nonexportable versions of the iTP Secure WebServer. For simplicity, all three versions are referred to as iTP Secure WebServer throughout the guide.
This guide provides an overview of the iTP Secure WebServer environment and World Wide Web concepts. It describes how to set up the iTP Secure WebServer, create and modify configuration files, and start the required processes. It also describes the Common Gateway Interface (CGI), NonStop Servlets for JavaServer Pages (NSJSP), and Servlets 2.2 support for the iTP Secure WebServer environment.
This section includes the following information:
• Who Should Read This Guide
• Organization of This Guide on page xxvi
• Related Manuals on page xxvii
• Bibliography on page xxx
• Reference Information on the Internet on page xxxi
• Your Comments Invited on page xxxii
• Notation Conventions on page xxxii
• Abbreviations on page xxxvi
Who Should Read This Guide
The iTP Secure WebServer System Administrator’s Guide is intended for experienced HP system administrators and operators who need to install, configure, and manage the iTP Secure WebServer on a NonStop system.
The guide assumes the following:
• You are an experienced user of HP products and are specifically familiar with the Open System Services (OSS) environment and the PATHCOM interface of NonStop TS/MP.
• You have access to and are familiar with the World Wide Web.
• You are familiar with the Common Gateway Interface (CGI/1.1) standard and the HyperText Transfer Protocol (HTTP/1.0).
• You are familiar with the Java language and tools (if you plan to use Java servlets).
• You are familiar with writing and using configuration scripts.
• You are familiar with the TCP/IP family of protocols.
• You are familiar with network security and authentication techniques.
Note. This product uses Secure WebServer technology from Open Market, Inc. and secure
This guide also assumes that you have experience operating a secure computing system. For an introduction to basic network security concepts, refer to Appendix D, Security Concepts.
If you need more information about NonStop systems, you should consult the following publications before reading this guide:
• Introduction to the NonStop Himalaya K100 and K1000/K2000 or Introduction to the NonStop Himalaya K10000/K20000 if you use an operating system RVU starting with “D,” for example, D43.
• G-Series Highlights and Migration Planning Guide if you use an operating system RVU starting with “G,” for example, G04.
Organization of This Guide
Section 1, Introduction to the iTP Secure WebServer, describes the iTP Secure WebServer in relation to the NonStop Kernel operating system and other HP data-communications subsystems.
Section 2, Installing the iTP Secure WebServer, describes the basic steps for installing the iTP Secure WebServer and lists the software and hardware requirements.
Section 3, Planning the iTP Secure WebServer PATHMON Environment, describes the steps for configuring the Pathway environment.
Section 4, Configuring for Secure Transport, describes the configuration of the Secure Sockets Layer (SSL) within the iTP Secure WebServer environment.
Section 5, Integrating the WebSafe2 Internet Security Processor (WISP), explains how to integrate an Atalla WebSafe2 unit into the iTP Secure WebServer environment.
Section 6, Managing the iTP Secure WebServer Using Scripts, describes how to manage the iTP Secure WebServer using scripts provided with the product. It also describes httpd, the command used to manage the iTP Secure WebServer.
Section 7, Configuring the iTP Secure WebServer, describes the steps for configuring the iTP Secure WebServer.
Section 8, Using Common Gateway Interface (CGI) Programs, explains how to use existing Common Gateway Interface (CGI) programs with the iTP Secure WebServer. It also discusses how to develop CGI applications with much better scalability and performance than conventional CGI.
Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP), describes how to develop NonStop Servlets for JavaServer Pages (NSJSP) and use them with the iTP Secure WebServer.
Section 10, Using the Resource Locator Service (RLS), describes how to use RLS to implement replicated web servers.
Section 11, Administering Session Identifiers for Anonymous Sessions, describes how to use the ticketing services of the iTP Secure WebServer.
Section 12, Managing the iTP Secure WebServer From Your Browser, describes how to use the iTP Secure WebServer Administration Server to establish and modify configurations, monitor errors and other events, start and stop the iTP Secure WebServer environment, and perform other administrative tasks.
Appendix A, Configuration Directives, describes the syntax of each configuration directive and its associated commands and arguments you can specify in iTP Secure WebServer configuration files.
Appendix B, Error Messages, provides general information about iTP Secure WebServer error reporting. The messages themselves are described in the iTP Secure WebServer Operator Messages Manual.
Appendix C, Server Log File Formats, describes the formats used in the log files generated by the server.
Appendix D, Security Concepts, introduces basic concepts relevant to setting up and administering a secure web server.
Appendix E, Tool Command Language (Tcl) Basics, describes basic Tcl concepts and language elements.
Appendix F, HTTP/1.1 Feature List, lists HTTP/1.1 features that the iTP Secure WebServer supports.
Abbreviations (in this section) defines abbreviations and acronyms used in this guide. The Glossary contains definitions of iTP Secure WebServer terms.
The Index contains references and cross-references to all major topics in this guide.
Related Manuals
The iTP Secure WebServer Operator Messages Manual describes the operator messages reported by components of the iTP Secure WebServer and related products. The audience for this manual is system managers and operators who will monitor and control the operations of an iTP Secure WebServer environment.
The following manuals contain additional information about installing, configuring, and managing HP NonStop systems or other products you can use with the iTP Secure WebServer.
TCP/IP Manuals
For information specific to managing the TCP/IP subsystem, refer to the following manuals:
• TCP/IP Configuration and Management Manual describes the installation, configuration, and management of the NonStop TCP/IP subsystem. It is for system managers, operators, and others who require a basic understanding of the HP TCP/IP implementation.
• TCP/IP (Parallel Library) Configuration and Management Manual describes how to configure and manage the Parallel Library TCP/IP subsystem. Use this manual to configure Parallel Library TCP/IP on your system in conjunction with the TCP/IP (Parallel Library) Migration Guide. The TCP/IP (Parallel Library) Migration Guide lists migration considerations that could affect your configuration.
• TCP/IP and IPX/SPX Programming Manual (formerly the Tandem NonStop TCP/IP and IPX/SPX Programming Manual) describes the programmatic interface to the TCP/IP data communications software.
Open System Services (OSS) Manuals
For information specific to the OSS environment, refer to the following manuals:
• Open System Services User’s Guide describes the Open System Services (OSS) environment: the shell, file system, and user commands.
• Open System Services Installation Guide describes how to install and configure the NonStop Kernel OSS environment.
• Open System Services Management and Operations Guide describes how to manage and operate the NonStop Kernel OSS environment.
NonStop Transaction Services/MP (NonStop TS/MP) Manuals
For information specific to managing PATHMON environments, refer to the following manuals:
• TS/MP System Management Manual discusses the PATHCOM and TACL commands used to configure and manage PATHMON environments. This manual also includes manageability guidelines, information about monitoring and tuning a PATHMON environment to optimize performance, and methods for diagnosing and correcting problems.
• TS/MP Management Programming Manual describes how to start, configure, and manage PATHMON environments programmatically and describes the event messages that report errors and other occurrences of interest to operators.
WebSafe2 Manuals
For detailed information about WebSafe2, refer to the following Atalla manuals:
• WebSafe2 Internet Security Processor Installation and Operations Manual (domestic edition)
• WebSafe2 Internet Security Processor Installation and Operations Manual (export edition)
NonStop Java Manuals
For information about the features of the NonStop Server for Java, refer to the following HP manual:
• NonStop Server for Java (NSJ) Programmer’s Guide

And the following JavaSoft manuals:
• JavaSoft Java Development Kit 1.1.6
• JavaSoft Java Language Specification 1.1

If you plan to use NonStop Server for Java with NonStop SQL/MP, you should refer to the current NonStop SQL/MP manual set.
iTP WebReporter Manual
For information about the WebReporter, refer to the iTP Secure WebServer WebReporter User’s Guide.
Other Related Manuals
The following manuals contain additional information about NonStop systems:
• Introduction to the NonStop Himalaya K100 and K1000/K2000 describes the NonStop K100, K1000, and K2000 servers. It is for managers, nontechnical personnel, and others who need an overview of the system and its capabilities.
• Introduction to the NonStop Himalaya K10000/K20000 describes the K10000 and K20000 servers. It is for managers, nontechnical personnel, and others who need an overview of the systems and their capabilities.
• G-Series Highlights and System Migration Guide provides an overview of the hardware and software supported for G-series systems and describes how to plan for the migration to a G-series system. It is for system managers or anyone who needs to understand how migrating or upgrading to a G-series RVU affects installation, configuration, operations, system management, maintenance, and the migration of applications, networks, and database files.
• HP NonStop S-Series Planning and Configuration Guide describes how to plan and configure a NonStop S-series server and provides a case study documenting a sample system. This guide describes the ServerNet system area network (ServerNet SAN), the available hardware and software configurations for NonStop S-series servers, site planning and preparation, creating the operational environment, and making hardware and software configuration changes to an existing server. This guide is for the personnel responsible for planning the installation, configuration, and maintenance of the server and the software environment at a particular site.
• iTP Active Transaction Pages (iTP ATP) Programmer’s Guide describes how to use iTP Active Transaction Pages (iTP ATP), a server-side JavaScript environment for NonStop Servers. The manual includes instructions for installing iTP ATP and for using ATP objects to provide web-based interfaces to existing NonStop TS/MP, NonStop TUXEDO, NonStop SQL/MP, and sockets applications.
Bibliography
The following publications are useful sources of information about web-related technology and usage issues:
• Albitz, Paul, and Liu, Cricket. DNS and BIND. Sebastopol, CA: O’Reilly & Associates, 1998. This book provides useful information about working with the Domain Name Server (DNS).
• Cheswick, William R., and Bellovin, Steven M. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, MA: Addison-Wesley, 1994. This book offers practical information about running a secure Internet site.
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX and Internet Security. Sebastopol, CA: O’Reilly & Associates, 1996. This book offers practical information about running a secure UNIX site.
• Hunt, Craig. TCP/IP Network Administration. Sebastopol, CA: O’Reilly & Associates, 1998. This book is useful for anyone who has to administer a UNIX system attached to a TCP/IP network.
• Liu, Cricket, et al. Managing Internet Information Services. Sebastopol, CA: O’Reilly & Associates, 1994. This book describes how to set up Internet servers for the World Wide Web, Gopher, FTP, Finger, WAIS, or e-mail services.
• Ousterhout, John K. Tcl and the Tk Toolkit. Reading, MA: Addison-Wesley, 1994. This book provides a complete description of the Tcl language. The author of the book is also the creator of the language.

The following publication is a useful source of information about programming Java Servlets and the J2EE environment, which is discussed in Section 9, Using NonStop Servlets for JavaServer Pages (NSJSP):
• Allamaraju, Subrahmanyam, et al. Professional Java Server Programming (J2EE Edition). Wrox Press Ltd, 2000. This book provides useful information about the Servlet API and servlets/JSP programming.
Reference Information on the Internet
The following URL references are available and can be retrieved by using standard web clients over the Internet:
• General references: http://www.w3.org
• HyperText Transfer Protocol (HTTP) references: http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
• Common Gateway Interface (CGI) references: http://hoohoo.ncsa.uiuc.edu/cgi/
• Network and firewall security reference: http://www.nai.com/nai_labs/asp_set/network_security.asp
• Digital ID from VeriSign reference: http://www.verisign.com/idcenter/new/idplus1.html
• Request for Comments (RFC) reference: http://www.cis.ohio-state.edu/cs/Services/rfc/index.html
• Java Servlet reference: http://java.sun.com/products/servlet/download.html
• Java Servlet Specification Version 2.3: http://java.sun.com/products/servlet/
• JavaServer Pages API Specification Version 1.2: http://java.sun.com/products/jsp/
• J2EE Platform 1.3 Specification: http://java.sun.com/j2ee

Refer to the Bibliography on page xxx for a list of books that can help you become more familiar with web technology.
Your Comments Invited
After using this manual, please take a moment to send us your comments. You can do this by:
• Completing the online Contact NonStop Publications form if you have Internet access.
• Faxing or mailing the form, which is included as a separate file in Total Information Manager (TIM) collections and located at the back of printed manuals. Our fax number and mailing address are included on the form.
• Sending an e-mail message to the address included on the form. We will immediately acknowledge receipt of your message and send you a detailed response as soon as possible. Be sure to include your name, company name, address, and phone number in your message. If your comments are specific to a particular manual, also include the part number and title of the manual.

Many of the improvements you see in manuals are a result of suggestions from our customers. Please take this opportunity to help us improve future manuals.
Notation Conventions
Hypertext Links
Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example:
This requirement is described under Backup DAM Volumes and Physical Disk Drives on page 3-2.
General Syntax Notation
The following list summarizes the notation conventions for syntax presentation in this manual.
UPPERCASE LETTERS. Uppercase letters indicate keywords and reserved words; enter these items exactly as shown. Items not enclosed in brackets are required. For example:
MAXATTACH
lowercase italic letters. Lowercase italic letters indicate variable items that you supply. Items not enclosed in brackets are required. For example:
computer type. Computer type letters within text indicate C and Open System Services (OSS) keywords and reserved words; enter these items exactly as shown. Items not enclosed in brackets are required. For example:
myfile.c
italic computer type. Italic computer type letters within text indicate C and Open System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:
pathname
[ ] Brackets. Brackets enclose optional syntax items. For example:
TERM [\system-name.]$terminal-name
INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list may be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:
FC [ num ] [ -num ] [ text ]
K [ X | D ] address
{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item. The items in the list may be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines. For example:
LISTOPENS PROCESS { $appl-mgr-name }
                  { $process-name }
ALLOWSU { ON | OFF }
| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:
INSPECT { OFF | ON | SAVEABEND }
… Ellipsis. An ellipsis immediately following a pair of brackets or braces indicates that you can repeat the enclosed sequence of syntax items any number of times. For example:
M address [ , new-value ]…
[ - ] {0|1|2|3|4|5|6|7|8|9}…
An ellipsis immediately following a single syntax item indicates that you can repeat that syntax item any number of times. For example:
Punctuation. Parentheses, commas, semicolons, and other symbols not previously described must be entered as shown. For example:
error := NEXTFILENAME ( file-name ) ;
LISTOPENS SU $process-name.#su-name
Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must enter as shown. For example:
"[" repetition-constant-list "]"
Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
CALL STEPMOM ( process-id ) ;
If there is no space between two items, spaces are not permitted. In the following example, no spaces are permitted between the period and any other items:
$process-name.#su-name
Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:
ALTER [ / OUT file-spec / ] LINE [ , attribute-spec ]…
Notation for Messages
The following list summarizes the notation conventions for the presentation of displayed messages in this manual.
Bold Text. Bold text in an example indicates user input entered at the terminal. For example:
ENTER RUN CODE ?123
CODE RECEIVED: 123.00
The user must press the Return key after typing the input.
Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:
lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:
p-register process-name
[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed. For example:
Event number = number [ Subject = first-subject-value ]
A group of items enclosed in brackets is a list of all possible items that can be displayed, of which one or none might actually be displayed. The items in the list might be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:
proc-name trapped [ in SQL | in SQL file system ]
{ } Braces. A group of items enclosed in braces is a list of all possible items that can be displayed, of which one is actually displayed. The items in the list might be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines. For example:
obj-type obj-name state changed to state, caused by
{ Object | Operator | Service }
process-name State changed from old-objstate to objstate
{ Operator Request. }
{ Unknown. }
| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:
Transfer status: { OK | Failed }
% Percent Sign. A percent sign precedes a number that is not in decimal notation. The % notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number. For example:
%005400 %B101111 %H2F
Notation for Management Programming Interfaces
The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.
UPPERCASE LETTERS. Uppercase letters indicate names from definition files; enter these names exactly as shown. For example:
ZCOM-TKN-SUBJ-SERV
lowercase letters. Words in lowercase letters are words that are part of the notation, including Data Definition Language (DDL) keywords. For example:
token-type
Change Bar Notation
Change bars are used to indicate substantive differences between this edition of the manual and the preceding edition. Change bars are vertical rules placed in the right margin of changed portions of text, figures, tables, examples, and so on. Change bars highlight new or revised information. For example:
The message types specified in the REPORT clause are different in the COBOL85 environment and the Common Run-Time Environment (CRE).
The CRE has many new message types and some new message type codes for old message types. In the CRE, the message type SYSTEM includes all messages except LOGICAL-CLOSE and LOGICAL-OPEN.
Abbreviations
The following list defines abbreviations and acronyms used in this guide. Both industry-standard terms and HP terms are included.
AOT. Ahead Of Time
APKB. Atalla Public Key Block
ARPA. Advanced Research Projects Agency
ATP. Active Transaction Pages
AWT. Abstract Window Toolkit
BSD. Berkeley Software Distribution
C. Country
CA. Certificate Authority
CBC. Cipher Block Chaining
CCITT. Consultative Committee for International Telegraph and Telephone
CGI. Common Gateway Interface
CN. Common Name
CWD. Current Working Directory
DES. Data Encryption Standard
DN. Distinguished Name
DNS. Domain Name Server
EMS. Event Management Service (HP)
FBA. Forms Based Administration
FTP. File Transfer Protocol
GIF. Graphics Interchange Format
GUI. Graphical User Interface
HTML. HyperText Markup Language
HTTP. HyperText Transfer Protocol
HTTPD. HyperText Transfer Protocol Daemon
IEEE. Institute of Electrical and Electronics Engineers
IEN. Internet Engineering Note
IP. Internet Protocol
JDBC. Java Database Connectivity
JDK. Java Development Kit
JIT. Just-In-Time (Java compiler)
JNI. Java Native Interface
JSP. JavaServer Pages
JVM. Java Virtual Machine
KEK. Key Exchange Key
L. Locality
LAN. Local Area Network
MAC. Message Authentication Code
MD5. Message Digest 5
MFK. Master File Key
MIME. Multipurpose Internet Mail Extensions
NCSA. National Center for Supercomputing Applications
NSJSP. NonStop Servlets for JavaServer Pages
O. Organization
OLTP. Online Transaction Processing
OSS. Open System Services
OU. Organizational Unit
PAID. Process Accessor ID
PCT. Private Communication Technology
PDF. Portable Document Format
PEM. Privacy Enhanced Mail
PKS. Public Key Certificate Standard
PPP. Point-to-Point Protocol
QIO. Queued Input Output
RFC. Request for Comments
RLS. Resource Locator Service
RSA. Rivest, Shamir, and Adleman
SCF. Subsystem Control Facility
SCT. Secure Configuration Terminal
SGC. Server Gated Cryptography (Microsoft)
SGML. Standard Generalized Markup Language
SHA1. Secure Hash Algorithm 1
SI. Session Identifier
SLIP. Serial Line IP
SMTP. Simple Mail Transfer Protocol
SSC. Servlet Server Class (for Java)
SSI. Server Side Include
SSL. Secure Sockets Layer
ST. State
TACL. Tandem Advanced Command Language
TAL. Transaction Application Language
Tcl. Tool Command Language
Tcl/CGI. Tool Command Language/Common Gateway Interface
TCP/IP. Transmission Control Protocol/Internet Protocol
TS/MP. Transaction Services/Massively Parallel
URL. Uniform Resource Locator
WID. WebSafe2 Interface Driver
WISP. WebSafe2 Internet Security Processor
1. Introduction to the iTP Secure WebServer
The iTP Secure WebServer provides a full range of services for running an online commercial or informational enterprise on the Web. In addition to basic web-related services, the iTP Secure WebServer provides other important services including access control, enhanced logging, customized error messaging, and automatic directory indexing.
Topics discussed in this section include:
• Features and Standards Supported by iTP Secure WebServer on page 1-3
• iTP Secure WebServer Architecture on page 1-6
• iTP Secure WebServer Encryption on page 1-11

The iTP Secure WebServer’s key features are as follows:
• High performance. The iTP Secure WebServer’s high-performance, multithreaded architecture provides low-latency response to multiple clients simultaneously. Persistent connections can provide significant performance gains in comparison with a separate connection for each request.
• Caching at several levels. To improve performance, the iTP Secure WebServer caches the files it accesses. Disk file access is one of the most common and expensive operations in a web server, so keeping these files in memory reduces CPU utilization and improves overall performance. In addition to caching open files, the server can cache file information (metadata) as well as the actual file content.
• Encryption and authentication flexibility. The iTP Secure WebServer supports HTTP, SSL, PCT, and the hardware-based cryptography provided by WebSafe2 units. Secure HTTP supports the simultaneous use of both the SSL and HTTP protocols. These options give you maximum flexibility in protecting the privacy and integrity of your server’s interactions with clients. The iTP Secure WebServer implements both encryption and digital signatures.
• Flexible access control. You can control access to the iTP Secure WebServer on the basis of such factors as host name, time of day, user name, browser type and version, and
• High availability. The iTP Secure WebServer uses HP NonStop TS/MP to ensure high availability. NonStop TS/MP lets you run several instances of the same process as a server class. You can configure NonStop TS/MP to create new processes as workload increases and to restart any process that fails.
• Extensibility. You can enrich your WebServer environment by creating applications that use CGI, Java Servlets, and JavaServer Pages. The iTP Secure WebServer supports both conventional CGI applications and persistent applications that use the parallel processing benefits of NonStop TS/MP. You can write applications in any of several popular programming languages, including Java. With the companion product iTP Active Transaction Pages (ATP), you can also use server-side JavaScript to develop web-based interfaces for NonStop TS/MP (Pathway), NonStop SQL/MP, NonStop TUXEDO, and TCP/IP sockets applications.
• Enhanced logging facilities. The iTP Secure WebServer provides an Extended Log Format (ELF) that includes the access, error, and security information of each request. ELF also provides fields for logging the web client type, the referring URL, and the request begin and end times. The fields are all labelled, making the fields easy to parse and new fields easy to add. The server also supports the Common Log Format (CLF) widely used by other web servers.
The iTP Secure WebServer does not support the PTrace utility.
• Enhanced event reporting. The iTP Secure WebServer and many related components report events to the HP Event Management Service (EMS). Messages identify the iTP Secure WebServer subsystem, the PATHMON name, and the type of event that occurred.
• Resource Locator Service (RLS). This service lets you define multiple web servers to be used interchangeably for access to the same URLs. The requester need not know which server handled a request.
Features and Standards Supported by iTP Secure WebServer
• Standards compliance. The iTP Secure WebServer complies fully with:
° Common Gateway Interface (CGI/1.1)
° Java Servlets 2.2 and JavaServer Pages 1.1 APIs
° HyperText Transfer Protocol (HTTP/1.0 and required features of HTTP/1.1)
° The Secure HyperText Transfer Protocol (Secure HTTP)
° Secure Sockets Layer (SSL 2.0 and SSL 3.0). Support for the SSL 3.0 Secure Transport Protocol includes support for user-specified combinations of encryption and integrity checking. Webmasters can specify the security algorithms (ciphers) that they want the iTP Secure WebServer to use.
° Microsoft Private Communications Technology (PCT version 1) protocol. The set of protocols that can be supported by a single instance of the iTP Secure WebServer now consists of HTTP, SSL, and PCT.
• Caching of session keys, encompassing all the secure transport protocols, including PCT, SSL 2.0, and SSL 3.0.
• Global session key caching provides increased overall SSL performance by allowing a cache of SSL session keys to be shared among all instances of the httpd serverclass, thereby maximizing cache hits and minimizing the CPU and network resources required for establishing SSL connections to the NonStop platform.
• X.509 version 3 certificates.
• Client authentication in SSL 3.0 and PCT. SSL request handling has been enhanced and PCT request handling has been added to support client authentication. The server can request or require a web client to authenticate itself and can restrict access based on client-authentication information by using region commands or CGI variables.
• Digest access authentication. Provides a challenge/response authentication mechanism for additional security; the user’s password is not sent over the network.
• VeriSign’s Global Server ID. The iTP Secure WebServer (domestic-secure version) supports VeriSign's Global Server ID, which enables 128-bit SSL sessions with browsers that offer Step-Up/Server Gated Cryptography (SGC) capability. The Global Server ID assures your visitors of your site's legitimacy. For more information about using VeriSign’s Global Server ID with the iTP Secure WebServer, see Support for International 128-Bit SSL Sessions Using VeriSign’s Global Server ID on page 4-5. The iTP Secure WebServer also provides hardware support for 1024-bit key-length certificates, including Global Server ID, that you can use with Atalla’s WebSafe2 Internet Security Processors (WISPs).
• Certificate chains. The iTP Secure WebServer uses the SSL 3.0 protocol to allow you to send certificate chains to and from clients. By using certificate chains, you can establish a certificate hierarchy that is more than two certificates deep. Certificate chains can be used by the iTP Secure WebServer for hardware encryption (using the WebSafe2 unit) or for software encryption.
• Session tracking and authentication. The iTP Secure WebServer includes built-in support for ticketing, a technique for user-session tracking. The iTP Secure WebServer issues anonymous tickets. You can use the iTP WebReporter log-analysis tool to generate reports detailing user-access patterns.
• Virtual hosts. The iTP Secure WebServer supports multiple domains within a single instance of the iTP Secure WebServer, including the ability to return customized content based on the destination domain name. Several configuration directives (for example, Accept) and directive options (for example, on Region) are provided to support this capability.
• Built-in clickable images. You can create image maps for clickable images, enabling users to easily navigate to other pages.
• National Center for Supercomputing Applications (NCSA) format in image maps. The iTP Secure WebServer supports NCSA-formatted image-map files in addition to the CERN format. The iTP Secure WebServer also provides support for the point directive in NCSA-formatted image maps.
• Byte-range protocol. The iTP Secure WebServer supports the proposed Byte Range Retrieval Extension to HTTP. This means, for example, that the iTP Secure WebServer can send Adobe Portable Document Format (PDF) documents one page at a time, rather than an entire document at once, to users of the Adobe Acrobat Reader version 3.0 or later. This method permits high-quality PDF documents to be displayed like HTML documents.
• Content encoding (compression) types. This feature allows the iTP Secure WebServer to return the proper encoding type for compressed files.
• Administration server. The iTP Secure WebServer Administration Server provides a web-browser interface for defining the iTP Secure WebServer configuration, starting and stopping the iTP Secure WebServer, and monitoring noteworthy events such as errors.
• PUT, OPTIONS, and TRACE request methods. A browser or web client (using HTTP/1.1) uses the PUT request method to replace or create the content at a specified location. The iTP Secure WebServer accepts PUT requests and lets you specify a script to perform validation before permitting an update.
A browser or web client uses the OPTIONS request method to determine the options and/or requirements associated with a resource, or the capabilities of a server, without necessarily retrieving or acting on the resource.
A browser or web client uses the TRACE method to see the data that is being received at the other end of the request chain. The data can then be used for testing or diagnostic information.
• Persistent connections. Rather than establish a new TCP/IP connection for each URL (for instance, a new connection to retrieve an embedded graphic), the iTP Secure WebServer allows the establishment of a persistent connection for a set of related requests; you can set a timeout or specify the maximum number of requests per connection.
• Chunked-transfer encoding. When a browser or web client cannot anticipate the length of a request, it can transmit the data in chunks to the iTP Secure WebServer. The iTP Secure WebServer reassembles the request and processes it.
• Content negotiation. When a page is available in multiple representations (for example, if the text is available in multiple languages, or a file is available in different character sets or compression formats), the iTP Secure WebServer can select among those representations on the basis of information transmitted with each request or specified in the iTP Secure WebServer configuration.
iTP Secure WebServer Architecture
Descriptions of the major components shown in Figure 1-1 follow the figure. For information about other products you can use in the iTP Secure WebServer environment, see Other Products for the iTP Secure WebServer Environment on page 1-10.
Figure 1-1 shows the architecture for a conventional TCP/IP environment.
If you use the new Parallel Library TCP/IP product, the architecture changes slightly. When running with the Auto-Accept feature, the iTP Secure WebServer no longer needs the Distributor component: the httpd servers take over both the listening and the distributing functions of the Distributor, and the Distributor server class is removed from the PATHWAY environment entirely. Eliminating these process hops results in significantly better performance.
Figure 1-1. iTP Secure WebServer Architecture
[Figure: the iTP Secure WebServer PATHMON environment, the Administration Server PATHMON environment, and the WebSafe2 Internet Security Processors (WISPs); the drawing itself is not reproduced here.]