HP NonStop SSL Reference Manual
HP NonStop SSL
Reference Manual
HP Part Number: 628203-007
Published: February 2013
Edition: HP NonStop SSL Reference Manual 1.6
H06.07 and subsequent H-series RVUs
J06.01 and subsequent J-series RVUs
Hewlett Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
© 2013 HP
All rights reserved
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor’s standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Export of the information contained in this publication may require authorization from the U.S.
Department of Commerce.
Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.
Intel, Pentium, and Celeron are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries.
Java is a U.S. trademark of Sun Microsystems, Inc.
Motif, OSF/1, UNIX, X/Open, and the "X" device are registered trademarks, and IT DialTone and The
Open Group are trademarks of The Open Group in the U.S. and other countries.
Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif, and Motif are trademarks of the
Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL
PROVIDED HEREIN, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for
incidental consequential damages in connection with the furnishing, performance, or use of this
material.
© 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF
software to which it relates are derived in part from materials supplied by the following:© 1987,
1988, 1989 Carnegie-Mellon University. © 1989, 1990, 1991 Digital Equipment Corporation. ©
1985, 1988, 1989, 1990 Encore Computer Corporation. © 1988 Free Software Foundation, Inc. © 1987,
1988, 1989, 1990, 1991 Hewlett-Packard Company. © 1985, 1987, 1988, 1989, 1990, 1991, 1992
International Business Machines Corporation. © 1988, 1989 Massachusetts Institute of Technology.
© 1988, 1989, 1990 Mentat Inc. © 1988 Microsoft Corporation. © 1987, 1988, 1989, 1990, 1991, 1992
SecureWare, Inc. © 1990, 1991 Siemens Nixdorf Informationssysteme AG. © 1986, 1989, 1996, 1997
Sun Microsystems, Inc. © 1989, 1990, 1991 Transarc Corporation.OSF software and documentation are
based in part on the Fourth Berkeley Software Distribution under license from The Regents of the
University of California.
OSF acknowledges the following individuals and institutions for their role in its development:
Kenneth C.R.C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems,
Robert Elz. © 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of
California.
Contents
Preface 7
Who Should Read This Gui de ................................................................................................... 7
Document History ...................................................................................................................... 7
Introduction 9
What is the Purpose of HP NonStop SSL? ................................................................................ 9
HP NonStop SSL Features ....................................................................................................... 10
Installation 15
Support of SSL and TLS Protocol Standards ............................................................ 10
Fault-Tolerance ......................................................................................................... 10
SSL-enabling for HP Client Components Running on Microsoft Windows Systems
................................................................................................................................... 10
IPv6 Support .............................................................................................................. 10
Secure Proxy for Telnet Access ................................................................................. 10
Secure Proxy for Generic TCP/IP Client/Server Protocols ....................................... 11
Secure FTP Proxy ...................................................................................................... 12
Secure Proxy for EXPAND-over-IP .......................................................................... 13
Secure Proxy for ODBC Drivers ............................................................................... 13
Limiting Remote IP Addresses .................................................................................. 14
General Considerations ............................................................................................................ 15
IPv6 Considerations ................................................................................................................. 16
Starting an HP NonStop SSL Process ...................................................................................... 17
Installing a Secure Telnet Server Proxy ................................................................................... 17
Installing a Secure FTP Server Proxy ...................................................................................... 18
Installing a Secure FTP Client Proxy ....................................................................................... 19
Installing a Secure Tunnel for RSC ......................................................................................... 21
Installing a Secure Tunnel for ODBC/MP ............................................................................... 23
Installing a Secure Tunnel for ODBC/MX .............................................................................. 26
Installing an SSL Tunnel for EXPAND-over-IP L ines ............................................................ 29
Configuration 31
Configuration Overview .......................................................................................................... 31
The Configuration Fil e .............................................................................................. 32
PARAM commands................................................................................................... 32
Startup Line Parameters ............................................................................................ 33
Parameter Reference ................................................................................................................ 33
Parameter Overview .................................................................................................. 33
ALLOWCERTERRORS ........................................................................................... 35
ALLOWIP ................................................................................................................. 37
AUDITASCIIONLY ................................................................................................. 38
AUDITASCIIDUMPLENIN ..................................................................................... 38
AUDITASCIIDUMPLENOUT ................................................................................. 38
AUDITCONSOLE .................................................................................................... 39
HP NonStop SSL Reference Manual Contents • iii
AUDITFILE .............................................................................................................. 39
AUDITFILERETENTION ........................................................................................ 40
AUDITFORMAT ...................................................................................................... 40
AUDITLEVEL .......................................................................................................... 41
AUDITMAXFILELENGTH ..................................................................................... 42
CACERTS ................................................................................................................. 42
CIPHERSUITES ....................................................................................................... 43
CLIENTAUTH .......................................................................................................... 47
CLIENTCERT ........................................................................................................... 47
CLIENTKEY ............................................................................................................. 48
CLIENTKEYPASS ................................................................................................... 49
CONFIG .................................................................................................................... 49
CONFIG2 .................................................................................................................. 50
CONNECTIONINFOFORMAT ............................................................................... 50
CONNECTIONINFOFORMATDETAILED ............................................................ 51
CONTENTFILTER ................................................................................................... 51
DENYIP .................................................................................................................... 53
DESTIPADDR, DESTIPPORT ................................................................................. 54
DONOTWARNONERROR ...................................................................................... 54
DYNAMICROUTINGENABLEIPV6 ...................................................................... 55
FTPALLOWPLAIN .................................................................................................. 55
FTPCALLOW200REPLY ........................................................................................ 55
FTPLOCALDATAPORT .......................................................................................... 56
FTPMAXPORT ......................................................................................................... 56
FTPMINPORT .......................................................................................................... 57
INTERFACE ............................................................................................................. 57
HASHALGORITHMS .............................................................................................. 58
KEEPALIVE ............................................................................................................. 59
LOGCONSOLE ........................................................................................................ 59
LOGEMS .................................................................................................................. 60
LOGFILE .................................................................................................................. 60
LOGFILERETENTION ............................................................................................ 61
LOGFORMAT .......................................................................................................... 61
LOGFORMATCONSOLE ........................................................................................ 62
LOGFORMATEMS .................................................................................................. 62
LOGFORMATFILE .................................................................................................. 63
LOGLEVEL .............................................................................................................. 64
LOGLEVELCONSOLE ............................................................................................ 64
LOGLEVELEMS ...................................................................................................... 65
LOGLEVELFILE ...................................................................................................... 65
LOGMAXFILELENGTH ......................................................................................... 65
LOGMEMORY ......................................................................................................... 66
MAXSESSIONS ....................................................................................................... 66
MAXVERSION ........................................................................................................ 67
MINVERSION .......................................................................................................... 67
PASSIVE ................................................................................................................... 68
PEERCERTCOMMONNAME ................................................................................. 68
PEERCERTFINGERPRINT ..................................................................................... 69
PORT ......................................................................................................................... 69
PTCPIPFILTERKEY ................................................................................................ 70
ROUTINGMODE ..................................................................................................... 70
SERVCERT............................................................................................................... 71
SERVKEY ................................................................................................................ 72
SERVKEYPASS ....................................................................................................... 72
SLOWDOWN ........................................................................................................... 73
SOCKSHOST, SOCKSPORT, SOCKSUSER .......................................................... 73
iv • Contents HP NonStop SSL Reference Manual
SRCIPADDR, SRCIPPORT ..................................................................................... 74
SUBNET ................................................................................................................... 75
SSLCOMSECURITY................................................................................................ 75
TARGETINTERFACE ............................................................................................. 76
TARGETHOST ......................................................................................................... 76
TARGETHOSTFORCE ............................................................................................ 77
TARGETPORT ......................................................................................................... 77
TARGETPORTFORCE ............................................................................................ 78
TARGETSUBNET .................................................................................................... 78
TCPIPHOSTFILE ..................................................................................................... 79
TCPIPNODEFILE ..................................................................................................... 79
TCPIPRESOLVERNAME ........................................................................................ 79
TCPNODELAY ........................................................................................................ 80
TRUST ...................................................................................................................... 80
Advanced Configuration Topics .............................................................................................. 82
Multiple SSL Tunnels in a Single Process ................................................................ 82
Fault-tolerant Configuration ...................................................................................... 82
Load Balancing and Fault-Tolerance of EXPAND over SSL ................................... 82
Monitoring 85
Overview ................................................................................................................................. 85
Log and Audit Level Recommendations ................................................................................. 86
Customizing the Log and Audit Format .................................................................................. 86
Using SHOWLOG to View a Log File .................................................................................... 86
Viewing File Contents from OSS ............................................................................................ 89
Logfile/Auditfile Rollover ....................................................................................................... 89
SSLCOM Command Interface 91
Usage of SSLCOM: a Sample Session .................................................................................... 92
Supported Commands .............................................................................................................. 93
The CONNECTION Commands ............................................................................................. 94
CONNECTIONS ....................................................................................................... 94
CONNECTIONS, DETAIL ...................................................................................... 95
INFO CONNECTION ............................................................................................... 96
RENEGOTIATE CONNECTION ............................................................................ 96
SSLINFO Command ............................................................................................................... 97
RELOAD CERTIFICATES Command ................................................................................... 97
SSL Reference 99
Secure Sockets Layer ............................................................................................................... 99
SSL Features .............................................................................................................. 99
Further References..................................................................................................... 99
Implementation Ove r view ..................................................................................................... 100
Cipher Suites ........................................................................................................... 100
Auditing ................................................................................................................... 100
X.509 Certificates .................................................................................................... 100
Configuring SSL for Production as SSL Server .................................................................... 101
Using Your Own Server Key and Certificate Files ................................................. 101
The Public/Private Key Pair .................................................................................... 102
The Certificate Signing Request .............................................................................. 102
Obtaining a Certificate from a Third Party CA ....................................................... 102
Acting As Your Own CA ........................................................................................ 102
Example: How to Generate SSL Certificates Using OpenSSL................................ 103
Requesting the SSL Client to Present a Client Certificate ....................................... 107
HP NonStop SSL Reference Manual Contents • v
Configuring SSL for Production as SSL Client ..................................................................... 107
Presenting a Client Certificate to the SSL server .................................................... 107
Security Considerations ......................................................................................................... 108
Protecting Against the Man-in-the-Middle Attack .................................................. 108
Protecting the Private Key File ................................................................................ 108
If the Private Key is Compromised ......................................................................... 108
TLS Alerts ............................................................................................................................. 109
Remote SSL Proxy 111
The RemoteProxy Component ............................................................................................... 111
RemoteProxy Installation ...................................................................................................... 111
To install RemoteProxy on a Client Workstation .................................................... 111
RemoteProxy Configuration .................................................................................................. 112
General Configuration Considerations .................................................................... 112
The Main Configuration Screen .............................................................................. 112
The Session Propertie s Window .............................................................................. 113
Session Parameter List ............................................................................................ 114
Copying a Configuration to Other Workstations ..................................................... 115
Appendix 117
Log Messages and Warnings ................................................................................................. 117
Startup messages ..................................................................................................... 117
Warning messages ................................................................................................... 119
Informational messages ........................................................................................... 123
Fatal Errors .............................................................................................................. 124
Troubleshooting of Typical Errors ......................................................................................... 126
Address already in use ............................................................................................. 126
Could not open xxx file ........................................................................................... 126
Decode Error ........................................................................................................... 126
Handshake Error ...................................................................................................... 126
Invalid address ......................................................................................................... 127
Security violation (error 4013) ................................................................................ 127
vi • Contents HP NonStop SSL Reference Manual
Preface
Who Should Read This Guide
This document is for system administrators who are responsible for configuring HP NonStop SSL to secure Telnet, FTP
or middleware communication for ODBC, RSC and other protocols use d by HP products.
Document History
Version 1.6
• Added explicit warnings for usage of unsecure CIPHERSUITES.
• Added description of paramete r DY NAMICROUTINGENABLEIPV 6.
Version 1.5
• This version document s the newly introduced IPv6 s upport and the corresponding parameters.
Version 1.4
• This version clarifies the role of the remote proxy (RemoteProxy) in NonStop SSL. It is only supported for
selected HP NonStop pr oducts.
Version 1.3
• This version documents the support for configuring all available CIPHERSUITES. This feature is implemented
starting with HP NonStop SSL version AAD.
• The new parameter HASHALGORITHMS has been documented.
• The changes in the TRUST parameter have been documented
Version 1.2
• The section about SSL Certificate Generation with OpenSSL was updated.
• The ODBC/MX install section was updated.
Version 1.1
• This version documents the change in the CIPHERSUITES parameter. Preliminary support for additional
ciphers was added and doc umented.
Version 1.0
HP NonStop SSL Reference Manual Preface • 7
• This is the initial version of this manual.
8 • Preface HP NonStop SSL Reference Manual
Introduction
What is the Purpose of HP NonStop SS L?
HP NonStop SSL provides encryption of data which is sent or received by programs on HP NonStop servers over
TCP/IP. It adds transport layer security to TCP/IP protocols without built-in support of SSL/TLS on HP NonStop, such
as Telnet, FTP or ODBC.
HP NonStop SSL will run as a proxy server supporting the fo llowing modes of operation:
• [TELNETS] Acting as a secure proxy server for the NonStop TELSERV, to secure the communication between
the NonStop system and a telnet client with built-in SSL, such as comForte's MR-Win6530, Crystal Point's
OutsideView or Cail CTT.
• [PROXYS] Acting as a secure proxy server for plain TCP/IP servers acting as Server Gateways for
Client/Server-Middleware, such as the HP N o nS top RSC product, to secure the communication between the HP
NonStop system and a client in conjunction with the RemoteProxy component included with HP NonStop SSL.
Note: The usage of the NonStop SSL Re moteProxy component is supported for select e d HP N onStop products
only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX.
Further note that the NonStop RemoteProxy component does not support being run as a Microsoft Windows
service.
• [PROXYC] Acting as a client proxy for plain TCP/IP client programs, to secure the communication between
the NonStop Server and remote SSL-enabled server programs.
• [FTPS] Acting as a secure proxy server for plain FTP servers, such as the NonStop FTPSERV, to secure the
communication between the NonStop system and a secure FTP client, such as MR-Win6530 or WS_FTP.
• [FTPC] Acting as a client proxy for the NonStop FTP client program, to secure the communication between the
NonStop system and a SSL-enabled FTP server, such as the WS_FTP Server.
• [EXPANDS] Creating an SSL tunnel to secure EXPAND over IP lines.
• [ODBCMXS] Acting as a secure server proxy for the ODBC/MX protocol.
To support the above functions, HP NonStop SSL proxy processes can be started in different modes. These so-called
"run modes" of a HP NonStop SSL proxy are listed in square brackets in the list above. Multiple HP NonStop SSL proxy
processes can co-exist on a single NonStop system to support concurrent proxy services, as well as multiple TCP/IP
processes.
The following table lists all run modes of a HP NonStop SSL proxy:
HP NonStop SSL Reference Manual Introduction • 9
Run Mode Usage
FTPC FTP client proxy
FTPS FTP server proxy
PROXYC Generic SSL client proxy
PROXYS Generic SSL server proxy
TELNETS Secure Telnet proxy
EXPANDS Secure EXPAND proxy
ODBCMXS Secure ODBC/MX proxy
HP NonStop SSL Features
Support of SSL and TLS Protocol Standards
HP NonStop SSL uses SSL (Secure Socket Layer) in the TLS (Transport Layer Security) variant as standardized by the
IETF in RFC 2246, to secure an application on the transport layer. SSL 2.0, SSL 3.0 and TLS 1.0 (SSL 3.1) are
supported. It offers multiple configurable cipher suites with RSA key exchange with public key lengths up to 8192 bit
(client authentication with max. 4096 bit RSA) and up to 256 bit AES for bulk encryption. Additionally Elliptic Curve
Cryptography (ECC) with various available curves is supported.
Fault-Tolerance
HP NonStop SSL proxies can be configured as persistent processes, enabling automatic recovery from failures, such as
CPU outages.
SSL-enabling for HP Client Components Running on Microsoft
Windows Systems
The RemoteProxy component included with HP NonStop SSL is used to enable SSL encryption for HP client
components running on Microsoft Windows systems. Usage of the RemoteProxy component is supported for selected
HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX.
Additionally, the RemoteProxy can act as an SSL enabling LPD server proxy in order to secure LPD printing off the HP
NonStop platform. Usage of the LPDS server mode is supported in combination with the Microsoft Windows platform
only. Further note that the HP NonStop SSL RemoteProxy does not support being installed as a Windows service.
IPv6 Support
With HP NonStop SSL AAE, IPv6 support was introduced for the run mode s w ho s e plai n c ou nterpart protocols d o
support IPv6, in particular the PROXY and the FTP run modes. Please see section "IPv6 considerations" for details.
Secure Proxy for Telnet Access
HP NonStop SSL can be run as a proxy process to front-end TCP/IP servers accepting plain TCP connections, such as
the NonStop TELSERV process, enabling secure communication to clients, which also support the SSL protocol. SSL
capable clients are, for example, comForte's MR-Win6530 and J6530, Crystal Point's OutsideView and Cail's CTT.
10 • Introduction HP NonStop SSL Reference Manual
HP NonStop SSL proxy front-ending the NonStop TELVERV process
The HP NonStop SSL proxy will accept SSL connections from the network and "tunnel" them to a plain TCP server.
Encrypted data received from the SSL client will be decrypted and forwarded to the server. Plain data received from
plain TCP server will be encrypted and sent to the SSL client. For example, from the Telnet server's point of view, the
proxy acts as a normal Telnet client, while from an SSL telnet client the HP NonStop SSL proxy authenticates the Telnet
server and encrypts/decrypts the session's payload.
Typically, a HP NonStop SSL proxy will reside on the same IP process on the same system as the TCP server it tunnels
the session to, which allows to create a "local loopback" session (a connection to "127.0.0.1" for IPv4, respectively "::1"
for IPv6) for the unencrypted data. This avoids that any unencrypted data has to traverse the network. For a local
loopback, the data is only being passed within the local TCP/IP stack.
One instance of a HP NonStop SSL proxy handles multiple SSL connections received on a single IP process and port
number and tunnels them to a single target port. If multiple plain ports need to be secured, such as multiple Telnet
Servers, a HP NonStop SSL process can be started for each plain TCP port.
Secure Proxy for Generic TCP/IP Client/Server Protocols
HP NonStop SSL adds encryption not only for Telnet but for any Client/Server protocol facilitating TCP sockets
communicating over a single IP port. HP NonStop SSL can act as a secure proxy for the server or client side of the
client/server communication. If required, the RemoteProxy c omponent included wit h HP N o nS top SSL can be used to
enable SSL encryption for HP client components running on Microsoft Windows systems. Usage of the RemoteProxy
component is supported for selected HP NonStop products only, including HP NonStop Remote Server Call (RSC/MP)
and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL enabling LPD server proxy in order to
secure LPD printing off the HP NonStop platform. Usage of the LPDS server mode is supported in combination with the
Microsoft Windows pla t form only. Further note that the HP NonStop SSL RemoteProxy does not s u pport being installed
as a Windows service. For details regarding the differences between the HP NonStop SSL and comForte SecurCS please
see HP SAW document "Differences between HP NonStop SSL (T0910) and SecurCS. " (mmr_ns-0102006).
HP NonStop SSL Reference Manual Introduction • 11
HP NonStop SSL securing Remote Server Call (RSC) communication
Secure FTP Proxy
HP NonStop SSL can be run as a proxy process to front-end the No nSto p FTPSERV or FTP process. With its SSL
support, HP NonStop SSL will enable secure communication to FTP clients or servers, which support FTP over
SSL/TLS according to RFC-2228. SSL capable FTP clients are, for example, MR-Win6530 or WS_FTP Pr o from
http://www.ipswitch.com/.
HP NonStop SSL secure FTP proxies front-ending standard FTP and FTPSERV
Acting as a proxy server, HP NonStop SSL will use secure FTP connections with the FTP partner and "tunnel" them to a
plain FTP client or server.
The HP NonStop SSL FTPS proxy will intercept the communication on the FTP command socket to add encryption for
both the command and data sockets. From the FTP server's or client's point of view the proxy acts as a normal FTP
12 • Introduction HP NonStop SSL Reference Manual
partner, while for the remote SSL FTP partner the HP NonStop SSL proxy acts as a RFC-2228 compliant secure FTP
server or client.
Secure Proxy for EXPAND-over-IP
HP NonStop SSL running in EXPANDS mode encrypts EXPAND over IP traffic between two NonStop systems. It does
so by creating a secure SSL session between the two systems as depicted in the following diagram:
HP NonStop SSL as a proxy for EXPAND over IP traffic
The EXPAND line handler will exchange UDP traffic with an instance of HP NonStop SSL running on the same
NonStop system; the two HP NonStop SSL processes create an SSL TCP session between the two systems to forward
the traffic.
Secure Proxy for ODBC Drivers
HP NonStop SSL can encrypt traffic between an ODBC driver (ODBC/MP, OBDC/MX, JDBC/MP and JDBC/MX) on
client workstations and NonStop systems.
Since ODBC/MP only uses a single TCPIP session, it can be enabled for SSL as described under "Secure Proxy for
Generic TCP/IP Client/Server Protocols".
In contrast, ODBC/MX, JDBC/MP and JDBC/MX use multiple TCP/IP sessions with different port numbers between a
single client and the NonStop system. However in conjunction with the RemoteProxy component on the Windows client,
HP NonStop SSL "tunnels" multiple sessions over a sing le on e as shown in the following diagram:
HP NonStop SSL as a proxy for ODBC/MX traffic
HP NonStop SSL Reference Manual Introduction • 13
The "tunneling" appr oa ch has the following benefits:
• It is firewall-friendly, as only a single port needs to be opened between the workstations and the clients.
• The configuration both of the HP NonStop SSL ODBCMXS process and the RemoteProxy is independent of
the number of ports used by ODBC/MX.
Note: The ODBC/MX protocol supports IPv6 starting with release H06.26/J06.15, but running HP NonStop SSL in
ODBCMXS mode is currently only valid with IPMODE IPv4.
Limiting Remote IP Addresses
HP NonStop SSL can be configured to allow only certain remote IP addresses. By default, HP NonStop SSL will allow
connections from any IP address; this behavior can be changed by
1. Setting a "black list" of forbidden IP addresses or subnets using the DENYIP parameter.
2. Setting a "white list" of allowed IP addresses or subnets using the ALLOWIP parameter.
Note: the black list will take precedence over the white list: if an IP address is matching both lists, it will NOT be
allowed.
For details, please refer to parameters "DENYIP" and "ALLOWIP" in the "Parameter Reference".
14 • Introduction HP NonStop SSL Reference Manual
Installation
General Considerations
HP NonStop SSL is made available by HP with the purchase of the NonStop Operating System kernel for H Series and J
Series NonStop platforms. The files of the package are located on $SYSTEM.ZNSSSL.
HP NonStop SSL is not pre-installed or pre-configured. You have to install it depending on your requirements.
The main executable file is named SSLOBJ, which can be run to create an SSL proxy process running in a specific run
mode. While you can manually create SSL proxy processes with the TACL run command, it is recommended to create a
persistent process under control of the Kernel subsystem.
For convenience, HP NonStop SSL includes a SETUP macro, which helps you create an initial configuration for a
persistent proxy process in one of the available run modes. You may fine tune the configuration by editing the
configuration files created by the SETUP macro.
Note: Specific attention needs to be paid to a proper SSL configuration. HP NonStop SSL is delivered with a set of
sample SSL certificate and key files which are used by default. For a production installation, you should use your own
SSL server certificate. Please refer to the "SSL Reference" chapter for details.
When replacing the certificate files delivered in $system.znsssl with production certificates they may be overwritten by
DSM/SCM and restored to the original ones. Therefore it is recommended to place the production certificates in a
separate volume and point to those files in a CONFIG2 configuration file.
The installation subvolume znsssl also contains a Tacl macro named CFWSADDR. This macro provides the real client
IP address of a Visual Inspect session when connected to a NonStop SSL TELNETS process. The best way to install the
CFWSADDR macro is to include it in the TACLLOCL file so it gets executed for every new TACL session started:
LOAD/KEEP 1/$SYSTEM.ZNSSSL.CFWSADDR
WSADDR
Note that the invocation of this macro is WSADDR, not CFWSADDR. The macro searches all process occurrences of
the SSLOBJ file (NonStop SSL) and also the SWAP file (comForte SecurCS).
For securing some protocols, such as ODBC or RSC, you will also need to install the HP NonStop SSL RemoteProxy,
which will enable SSL for the HP components running on a remote user workstation.
Note that usage of the RemoteProxy component is supported for selected HP NonStop products only, including HP
NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an SSL
enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform. Usage of the LPDS server
mode is supported in combination with the Microsoft Windows platform only. Further note that the HP NonStop SSL
RemoteProxy does not support being installed as a Windows service.
HP NonStop SSL Reference Manual Installation • 15
IPv6 Considerations
With HP NonStop AAE, IPv6 support was introduced. The new parameter IPMODE was introduced for this purpose:
IPMODE {IPv4|IPv6|DUAL}
If not specified, the IPMODE parameter will default to IPv4. When IPMODE DUAL is specified, SSLOBJ will listen to
both IPv4 and IPv6 with one s i ngle dual mode socket. In I P M O D E DUAL, IPv4 addresses will be shown as mapped IP
addresses with the corresponding prefix "::ffff :" for this purpose, e.g. "::ffff:10.10.10.110".
Note the following considerations in respect to IPv6 support:
• The ODBC/MX protocol supports IPv6 starting with release H06.26/J06.15, but running HP NonStop SSL in
ODBCMXS mode is currently only valid with IPMODE IPv4.
• The SOCKS4 protocol does not support IPv6 by des ign, thus specifying SOCKS4 protocol parameter
(SOCKSHOST, SOCKSPORT, SOCKSUSER) is only valid in IPMODE IPv4.
• Following recommendation of the IETF, IPv6 support for FTP was implemented according to RFC 2428
(EPSV, EPRT). The FOOBAR protocol (LPSV, LPRT) is not supported.
• IPMODE DUAL is not supported by design in runmode EXPANDS (use either IPMODE IPv4 or IPMODE
IPv6 instead)
• By design when SSLOBJ is run in IPMODE DUAL, the TCP/IP stack must also support and be configured in
DUAL mode.
• Setting INTERFACE or TARGETINTERFACE is not valid in IPMODE DUAL, since no bind address except
the IPv6 ANY address '::' can handle both IPv4 and IP v6.
• IP version transition (4to6 or 6to4) is *not* one of the main intended application areas of SSLOBJ. Although IP
version transition is partially possible with IPMODE DUAL, support for it is limited. Contact HP support for
further information on supported setups.
• When specifying an IP address in IPv6 representation followed by a port number, the IPv6 address must be
embraced by square brackets to avoid ambiguity. E.g. in FTPC mode the user name has to be specified as
follows:
john@[2001:db9::1421:51ab]:11013
• Same requirement for enclosing the IPv6 address with square brackets applies to specification of DENYIP and
ALLOWIP values in CIDR format in order to avoid ambiguity with the potentially leading direction character
(See parameter description of ALLOWIP/DENYIP for more details)
16 • Installation HP NonStop SSL Reference Manual
Starting an HP NonStop SSL Process
You can start a HP NonStop SSL process by issuing a TACL RUN command using the following syntax:
RUN SSLOBJ / runoptions / mode [ ; paramname paramvalue; ... ]
where
• runoptions are the standard Guardian RU N o ptions, such as IN, CPU or T ERM
• mode defines the run mode of the HP NonStop SSL process wit h the fol lowing valid keywords :
FTPC FTP client proxy
FTPS FTP server proxy
PROXYS Generic SSL server proxy
PROXYC Generic SSL client proxy
TELNETS Secure Telnet proxy
EXPANDS Secure EXPAND over IP proxy
ODBCMXS Secure Proxy for ODBC/MX
• paramname paramvalue; ...
is a list of HP NonStop SSL configuration parameter settings as described in the "Parameter Reference".
Note: When you start a HP NonStop SSL process in NOWAIT mode, make sure you have disabled logging to the home
terminal. To do so, set the parameter LOGCONSOLE to *.
Installing a Secure Telnet Server Proxy
To encrypt Telnet sessions with the standard NonStop TELSERV process and an SSL-enabled Telnet client, you will
need to perform the following steps:
1. On the NonStop server, start a HP NonStop SSL telnet server (TELNETS) proxy for the target TELSERV
process.
2. On the workstation si de , re-configure your telnet client to connect via SSL to the port number that the
TELNETS proxy is listening on.
To install an HP NonStop SSL TELNETS proxy
1. Determine the Telnet server you want to install the secure proxy for and find out the TCP/IP process and port
number it is listening on (usually 23).
2. Select a port number that will be used for SSL telnet connections (e.g. 8423).
3. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Select "TELNET SERVER" as run mode and follow the installation instructions. Enter the port number of the
TELSERV listening port as target port (e.g. 23) and the selected SSL telnet port as listening port (e.g. 8423).
The SETUP macro will create a configuration file (e.g. TLNSCF0) and an SCF IN file for the installation as
persistent process (e.g. TLNSIN0).
4. Edit the HP NonStop SSL TELNETS configuration file (e.g. TLNSCF0) to configure any additional
parameters, if desired.
HP NonStop SSL Reference Manual Installation • 17
5. Install the TELNETS proxy persistent process, e.g.
> SCF /IN TLNSIN0/
6. Start the TELNETS proxy persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-TELNETS-0
7. Check the log file (configured in the configuration file) to verify the TELNETS proxy has started correctly, e.g.
> SHOWLOG TLNSLOG *
Verify that the log contains a message of the following pattern:
$TLNS0|06Jun10 21:42:15.82|20|secure-to-plain proxy started on target host 127.0.0.1,
target port 23, source port 8423
When logging with default log level 50, the last message of the log should then be similar to the following:
$ZTLNS0|29Jul12 16:31:29.37|30|-- PROXYS setup completed, starting to listen... --
To create a secure connection with a secure Telnet client
1. Configure your SSL Telnet client to connect to the address and port number the HP NonStop SSL secure telnet
proxy listens for incoming connections. Make sure that the client has the SSL protocol enabled for the session.
Installing a Secure FTP Server Proxy
To encrypt FTP sessions with the standard NonStop FTP server and an FTP client with FTP-TLS (SSL) support, you will
need to perform the following steps:
1. On the NonStop server, st a rt an HP NonStop SSL ftp server (FTPS) proxy for the t a r ge t FTP server.
2. On the remote system, configure your FTP client to connect via SSL to the port number that the FTPS proxy is
listening on.
To install an HP NonStop SSL FTPS proxy
1. Determine the TCP/IP process and port number the NonStop LISTNER process it is listening for FTP sessions
(usually 21).
2. Select a port number that will be used for FTP-TLS connections (e.g. 8421).
3. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Select "FTP SERVER" as run mode and follow the installation instructions. Enter the port number of the FTP
listening port as target port (e.g. 21) and the selected FTP-TLS port as listening port (e.g. 8421).
The SETUP macro will create a configuration file (e.g. FTPSCF0) and an SCF IN file for the installation as
persistent process (e.g. FTPSIN0).
4. Edit the HP NonStop SSL FTPS configuration file (e.g. FTPSCF0) to configure any additional parameters, if
desired.
5. Install the FTPS proxy persistent process, e.g.
> SCF /IN FTPSIN0/
6. Start the FTPS proxy persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-FTPS-0
7. Check the log file (configured in the configuration file) to verify the FTPS proxy has started correctly, e.g.
> SHOWLOG FTPSLOG *
18 • Installation HP NonStop SSL Reference Manual
Verify that the log contains a message of the following pattern:
$FTPS0|18May10 20:22:51.63|20|FTP server proxy started on target host 127.0.0.1, target
port 21, source port 8421
When logging with default log level 50, the last message of the log should then be similar to the following:
$FTPS0|27Jul12 16:14:55.41|30|-- FTPS setup completed, starting to listen... --
To create a secure connection with an FTP-TLS enabled FTP client
1. Configure your FTP client to connect to the address and port number the HP NonStop SSL secure FTPS proxy
listens for incoming connections. Make sure that the client has the FTP-TLS protocol enabled for the session.
Installing a Secure FTP Client Proxy
To encrypt FTP sessions with the standard NonStop FTP client and a FTP server, you will need to perform the following
steps:
1. On the NonStop server, start a HP NonStop SSL ftp client (FTPC) proxy.
2. On the partner system, use a "FTP-TLS" compliant server to receive connections from the FTPC proxy, such as
the WS-FTP Server from Ipswitch, Inc.
To send or receive files securely to/from the remote system, you will use the standard NonStop FTP client. You may also
use an application that uses the NonStop FTP client API. Instead of connecting directly to the remote system, you will
first connect to the HP NonStop SSL FTPC proxy. Using an extended user id that includes information on the host
address and port number of the remote FTP system you will ins tru ct th e FTPC prox y to connect securely to the remote
FTP server. From there on, you may proceed as with normal plain FTP to list directories, as well as to send or receive
files.
To install an HP NonStop SSL FTPC proxy
1. Select a port number that the HP NonStop SSL FTPC proxy will use for plain connections from local FTP
clients (e.g. 8021).
2. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Select "FTP CLIENT" as run mode and follow the installation instructions. Enter the selected port number as
listening port (e.g. 84 21).
The SETUP macro will create a configuration file (e.g. FTPCCF0) and an SCF IN file for the installation as
persistent process (e.g. FTPCIN0).
3. Edit the HP NonStop SSL FTPC configuration file (e.g. FTPCCF0) to configure any additional parameters, if
desired.
4. Install the FTPC proxy persistent process, e.g.
> SCF /IN FTPCIN0/
5. Start the FTPC proxy persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-FTPC-0
6. Check the log file (configured in the configuration file) to verify the FTPC proxy has star ted correc tly, e.g .
> SHOWLOG FTPCLOG *
Verify that the log contains a message of the following pattern:
$FTPC0|18May10 20:22:51.63|20|FTP client proxy started on source port 8021
When logging with default log level 50, the last message of the log should then be similar to the following:
HP NonStop SSL Reference Manual Installation • 19
$FTPC0|29Jul12 16:38:40.45|30|-- FTPC setup completed, starting to listen... --
To create a secure FTP connection to a remote FTP-TLS server
1. Issue the following command at the command prompt:
> FTP localhost 8021
where
• the first parameter denotes the local loopback address
• the second parameter specifies the port number the HP NonStop SSL FTPC proxy is listening on
The HP NonStop SSL FTP client mode welcome message will now be displayed. You will be prompted for
user-id and password:
FTP Client - T9552H02 - (10JUL2009) - COPYRIGHT TANDEM COMPUTERS INCORPORATED 20
09
Connecting to 127.0.0.1.........Established.
220 HP NonStop SSL version T0910H01_19JUL2010 running in encrypting FTP client m
ode
Name (127.0.0.1:user):
2. At the user id prompt, enter the following data:
<user id>@<remote address>[:<port>]
where
• <user id> is the user name valid to login to the remote secure FTP server.
• <remote address> is the IP address or DNS name of the remote system where the secure FTP server is
running on.
Note: if the remote address is an IPv6 address it has to be surrounded by square brackets. (E.g.
john@[fe80:aa::bb42]:12345)
• <port> is the port number the remote FTP server is listening on. If omitted, 21 is used as a default.
The connection should now be established, allowing you to list directories and transfer files securely:
Name (127.0.0.1:user): tb@172.24.91.233
331- original FTP server Welcome follows
331- 220 NOTEBOOK_TB X2 WS_FTP Server 3.1.4 (3995038631)
331- original FTP server reply to USER command follows
331 Password required
Password:*****
230 user logged in
ftp> dir
200 command successful
150 Opening ASCII data connection for directory listing
drwxr-x--- 2 tb System 0 Oct 1 19:17 .
drwxr-x--- 2 tb System 0 Oct 1 19:17 ..
-rwxr-x--- 1 tb System 161 Dec 12 12:17 l1
-rwxr-x--- 1 tb System 161 Dec 12 12:17 l2
-rwxr-x--- 1 tb System 161 Dec 12 12:17 l3
-rwxr-x--- 1 tb System 1447718 Dec 12 12:20 testfile
226 transfer complete
496 bytes received in 0.07 seconds ( 6.92 Kbytes/s)
ftp>
Note: Starting HP NonStop SSL vers ion AAE, an FTPC defaul t hos t and FTPC default port can be specified by using
the parameters TARGETHOST and TARGETPORT. The respective parameter values will be taken into account if the
user does not specify the corresponding value - or - if HP NonStop SSL was configured to always use the values of
TARGETHOST respectively TARGETPORT due to the additional parameter TARGETHOSTFORCE or
TARGETPORTFORCE. Please see corresponding parameter description for details.
20 • Installation HP NonStop SSL Reference Manual
Installing a Secure Tunnel for RSC
To install an SSL tunnel for Remote Server Call (RSC) communication, you will need to perform the following steps:
1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target TDP
server process.
2. On the workstation, install the HP NonStop SSL RemoteProxy and configure it to route plain connections to the
PROXYS process on the NonStop server.
3. Re-configure RSC to connect to the local RemoteProxy.
The following implementation instructions assume that you have RSC installed on your target NonStop system and
workstation.
To install a HP NonStop SSL PROXYS process for RSC
1. Determine the RSC Transaction Delivery Process (TDP) you want to install the secure proxy for and find out
the TCP/IP process and port number it is listening on. You may do this by examining the TDPCFG file for SET
TCPIPPORT PROCESSNAME and ADD TCPIPPORT commands. You may also check the TCPIPPORT
object with RSCCOM as in the following example:
53> RSCCOM
RSCCOM - TDP Configuration Manager - T9711D43 - (05NOV96) – System \SUPPORT
Tandem TM Remote Server Call using technology from Cornerstone Software, Inc.
Copyright (c) Cornerstone Software, Inc. 1991 - 1995. All rights reserved.
1 (( open $zrsc
Current TDP is \SUPPORT.$ZRSC - T9711D430 - (05NOV96)
2 (( status tcpipport *
Service (Port) Status Sessions Last Event
------------------------------------------------------------------RSCTEST1 (2001) Started 0 TCPIPPORT started. [ 6502 ]
2. Select a port number that will be used for SSL RSC connections (e.g. 7502)
3. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Select "GENERIC SERVER" as run mode and follow the installation instructions. Enter the port number of the
TDP server as target port (e.g. 6502) and the selected SSL RSC port as SSL listening port (e.g. 7502).
The SETUP macro will create a configuration file (e.g. PXYSCF0) and an SCF IN file for the installation as
persistent process (e.g. PXYSIN0).
4. Edit the HP NonStop SSL PROXYS configuration file (e.g. PXYSCF0) to configure any additional parameters,
if desired.
5. Install the PROXYS proxy persistent process, e.g.
> SCF /IN PXYSIN0/
6. Start the HP NonStop SSL PROXYS persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-PROXYS-0
7. Check the log file (configured in the configuration file) to verify the PROXYS process has started correctly, e.g.
> SHOWLOG PXYSLOG *
Verify that the log contains a message of the following pattern:
$PXYS0|06Jun10 21:42:15.82|20|secure-to-plain proxy started on target host 127.0.0.1,
target port 6502, source port 7502
When logging with default log level 50, the last message of the log should then be similar to the following:
$PXYS0|29Jul12 16:31:29.37|30|-- PROXYS setup completed, starting to listen... --
HP NonStop SSL Reference Manual Installation • 21
To install and configure RemoteProxy for RSC
1. Download $SYSTEM.ZNSSSL.PROXYEXE in binary format to your RSC workstation, renaming it to
PROXY.EXE.
2. On the RSC workstation, run PROXY.EXE to start the RemoteProxy installation program and follow the
installation instructions.
3. Double-click on HP NonStop SSL Rem oteProxy icon in your system tray. The "RemoteProxy"
configuration window will be displayed.
4. Select "New" from the "Session" menu. The "Session Properties" dialog will be displayed.
5. In the "Protocol" field, select "Generic TCP/IP".
6. In the "Target Host" field, enter the IP address or host name where your PROXYS process is listening on your
NonStop server.
7. In the "Target Port" field, enter the port number, you have specified as the listen port of your PROXYS process
on the NonStop server.
8. In the "Local (Accepting) Port" field, enter the port number that RemoteProxy will use to listen for connections
from your RSC client. The port number must not be in use by any other program or service on your client PC.
For simplicity, you may want to use the same port number that the plain TDP server process is using on the
NonStop server side, e.g. "6502" in the example above.
9. Start the RemoteProxy session by clicking on the "Start" button
10. If the start is successful, check the startup messages with the "View Log" command.
To configure RSC to connect via the RemoteProxy
1. On the RSC workstation, locate the PIPE.INI file that is used by HP Piccolo.
2. In the PIPE.INI file, add an entry for your relevant RemoteProxy session in the [Resolver] section. The entry
itself assigns an alias host name (1st argument) for a connection over a specified protocol (2nd argument) to a
given peer. To communicate with RemoteProxy "ip" has to be used as the protocol (2nd argument), followed by
the local host name and the value you specified as "Local Port" in the "Session Properties" of the relevant
RemoteProxy Session. For example, a valid entry (with local port = 6502) could be:
[Resolver]
myhost=ip:127.0.0.1.6502
3. To prevent that both RemoteProxy and Piccolo are using the same port (configured in step 2), add an additional
entry in PIPE.INI in which you specify an unused port (e.g. 1277) to be used by Piccolo on the client. For
instance, as follows:
[NIF-mynifsock]
ProgramFile=nifsock
ServicePort=1277
4. On the RSC workstation, locate the RSC.INI file that is used by the RSC transport process.
5. Edit the RSC.INI file, add a "host_pipename" entry referring to the alias host name you chose in PIPE.INI in
step 2. For example, a valid entry could be:
host_pipename = RSC@myhost
6. Restart the RSC Transport Process.
7. You may use the RSCTEST program to test the secure RSC connection to the NonStop system.
8. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of the RemoteProxy.
22 • Installation HP NonStop SSL Reference Manual
To connect securely with your RSC client
1. After you have correctly configured the RSC.INI file and started the RemoteProxy session for RSC, use your
RSC client like you did before to connect to the NonStop system.
2. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of RemoteProxy.
Installing a Secure Tunnel for ODB C/ MP
Note: The configuration of HP NonStop SSL for ODBC/MX differs from the configuration for ODBC/MP. This section
describes the configuration of HP NonStop SSL for ODBC/MP; please see the next section for the ODBC/MX
configuration.
To implement HP NonStop SSL to encrypt an Open Database Connectivity ODBC/MP connection, you will need to
perform the following steps:
1. On the NonStop server, install an HP NonStop SSL generic server proxy (PROXYS) process for the target
ODBC server process.
2. On the workstation, install RemoteProxy and configure it to route plain ODBC/MP connections to the HP
NonStop SSL PROXYS process.
3. Re-configure the ODBC/MP driver o n your workstation to connect to RemoteProxy.
To install an HP NonStop SSL PROXYS process for ODBC/MP
1. Determine the ODBC/MP server process you want to install the secure proxy for and find out the TCP/IP
process and port number it is listening on. We assume 8889 as port number here.
2. Select a port number that will be used for SSL ODBC/MP connections (e.g. 9889).
3. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Select "GENERIC SERVER" as run mode and follow the installation instructions. Enter the port number of the
ODBC/MP server as target port (e.g. 8889) and the selected SSL ODBC/MP port as SSL listening port (e.g.
9889).
The SETUP macro will create a configuration file (e.g. PXYSCF0) and an SCF IN file for the installation as
persistent process (e.g. PXYSIN0).
4. Edit the HP NonStop SSL PROXYS configuration file (e.g. PXYSCF0) to configure any additional parameters,
if desired.
5. Install the PROXYS proxy persistent process, e.g.
> SCF /IN PXYSIN0/
6. Start the HP NonStop SSL PROXYS persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-PROXYS-0
7. Check the log file (configured in the configuration file) to verify the PROXYS process has started correctly, e.g.
> SHOWLOG PXYSLOG *
Verify that the log contains a message of the following pattern:
$PXYS0|06Jun10 21:42:15.82|20|secure-to-plain proxy started on target host 127.0.0.1,
target port 8889, source port 9889
When logging with default log level 50, the last message of the log should then be similar to the following:
HP NonStop SSL Reference Manual Installation • 23
$PXYS0|29Jul12 16:31:29.37|30|-- PROXYS setup completed, starting to listen... --
To install and configure RemoteProxy for ODBC/MP
1. Download $SYSTEM.ZNSSSL.PROXYEXE in binary format to your OCBC/MP client workstation, renaming
it to PROXY.EXE.
2. On the OCBC/MP client workstation, run PROXY.EXE to start the RemoteProxy installation program and
follow the installation instructions.
3. Double-click on HP NonStop SSL Rem oteProxy icon in your system tray. The "RemoteProxy"
configuration window will be displayed.
4. Select "New" from the "Session" menu. The "Session Properties" dialog will be displayed.
5. In the "Protocol" field, select "Generic TCP/IP".
6. In the "Target Host" field, enter the IP address or host name where your PROXYS process is listening on the
NonStop server.
7. In the "Target Port" field, enter the port number you have specified as the listen port of your PROXYS process
on the NonStop server.
8. In the "Local (Accepting) Port" field, enter the port number that RemoteProxy will use to listen for connections
from your ODBC/MP driver. The port number must not be in use by any other program or service on your
client PC. For simplicity, you may want to use the same port number that the ODBC/MP server process is using
on the NonStop server side, e.g. "8889" in this example.
9. Start the RemoteProxy session by clicking on the "Start" button.
10. If the start is successful, check the startup messages with the "View Log" command.
To configure the ODBC/MP driver to connec t via the RemoteProxy
1. Navigate to the ODBC driver configuration dialog.
2. Reconfigure the Host Name to the local host address, e.g. "localhost", or "127.0.0.1"
3. Reconfigure the "Port" field to the port number you specified as "Local Port" in the "Session Properties" of the
relevant RemoteProxy Session.
4. Assuming you used "8889" as "Local (Accepting) Port" in the RemoteProxy session configuration, your ODBC
driver configuration dialog should look as follows:
24 • Installation HP NonStop SSL Reference Manual
Confirm the changes by clicking "OK".
5. You may use the NonStop Connectivity Tool to test the secure ODBC connection to the NonStop system.
6. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of the RemoteProxy.
To connect securely with your ODBC/MP c lient
1. After you have correctly configured your ODBC driver, use your ODBC client like you did before to connect to
the NonStop system.
2. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of the RemoteProxy.
HP NonStop SSL Reference Manual Installation • 25
Installing a Secure Tunnel for ODB C/ MX
Note 1: The configuration for ODBC/MX differs from the configuration for ODBC/MP. This section describes the
configuration for ODBC/MX; please see the prior section for the configuration for ODB C/MP.
Note 2: NonStop ODBC/MX uses multiple port numbers to create connections between the ODBC/MX clients and the
NonStop server. HP NonStop SSL is aware of that and "multiplexes" many connections over a single IP connection
between the clients and the NonStop server. That has two benefits:
- only a single port needs to be open at the firewall.
- the configuration of HP NonStop SSL becomes easier.
To install HP NonStop SSL to encrypt an Open Database Connectivity ODBC/MX connection, you will need to perform
the following steps:
1. On the NonStop server, install an HP NonStop SSL ODBC/MX server proxy (ODBCMXS) process for the
target ODBC/MX server proce s s.
2. On the workstation, install RemoteProxy and configure it to route plain ODBC/MX connections to the HP
NonStop SSL ODBCMXS process.
3. Re-configure the ODBC/MX driver on your workstat ion to connect to Rem ot e P roxy.
To Install an HP NonStop SSL ODBCMXS process for ODBC/MX
1. Determine the ODBC/MX server process you want to install the secure proxy for and find out the TCP/IP
process and port number it is listening on. Note that ODBC/MX consists of multiple server processes; you
should look for the port number of the ODBC/MX Association server. This is the MXCS port number you
configure in the ODBC/MX client configuration (only!). We will assume a value of 18888 here.
2. Select a port number that will be used for SSL ODBC/MX connections, e.g. 28888
3. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
4. Select "ODBC/MX SERVER" as run mode and follow the installation instructions.
Enter the TCPIP process name for the subnet the ODBC/MX Association server runs on. Note that the
SUBNET and TARGETSUBNET parameters will be set to the process name you provided here. Next, e nter the
listening port num be r as de t e rmined in (2) above for incoming SSL-encrypted ODBC/MX client connections.
Note that you will not be prompted for a TARGETPORT because it will be determined automatically based on
the client side configuration.
Finally the SETUP macro will create a configuration file (e.g. ODBSCF0) and an SCF IN file for the
installation as persistent process (e.g. ODBSIN0).
5. Edit the HP NonStop SSL ODBCMXS configuration file (e.g. ODBSCF0) to configure any additional
parameters, if desired. Be careful with the additional parameter "TARGETHOST" that can be used to route
outgoing traffic to another host.
For security reasons, you should specify the "local loopback address" (127.0.0.1) as TARGETHOST since this
avoids that unencrypted data traverses the network. The TARGETHOST parameter will default to "127.0.0.1" if
omitted. In some cases it might be desired to handle incoming connections (originating e.g. from RemoteProxy)
on a specific subnet and route the outgoing connections (to the ODBC/MX Association server) to another
subnet. In that case you can set the SUBNET (incoming) and TARGETSUBNET (outgoing) parameter value to
the respective process name. If TARGETSUBNET is omitted it defaults to the value of SUBNET.
6. Install the ODBCMXS proxy persistent process, e.g.
> SCF /IN ODBSIN0/
7. Start the HP NonStop SSL ODBCMXS persistent process, e.g.
26 • Installation HP NonStop SSL Reference Manual
> SCF START PROCESS $ZZKRN.#SSL-ODBCMXS-0
8. Check the log file (configured in the configuration file) to verify the ODBCMXS process has started correctly,
e.g.
> SHOWLOG ODBSLOG *
Verify that the log contains a message of the following pattern:
$ODBS0|01Sep11 09:48:04.64|20|ODBC/MX server proxy started on target host 127.0.0.1,
source port 28888, target port will be passed dynamically within client request.
When logging with default log level 50, the last message of the log should then be similar to the following:
$ODBS0|29Jul12 16:31:29.37|30|-- ODBCMXS setup completed, starting to listen... --
Note: Earlier versions of HP NonStop SSL might write out a "target port" with the above log message though it is not
relevant for the setup.
To install and configure the RemotePr oxy for ODBC/MX
1. Download $SYSTEM.ZN S SSL.PROXYEXE in bina ry format to your OCBC/MX client workstation, renaming
it to PROXY.EXE.
2. On the OCBC/MX client workstation, run PROXY.EXE to start the RemoteProxy installation program and
follow the installation instructions.
3. Double-click on HP NonStop SSL Rem oteProxy icon in your system tray. The "RemoteProxy"
configuration window will be displayed.
4. Select "New" from the "Session" menu. The "Session Properties" dialog will be displayed.
5. In the "Protocol" field, select "ODBC/MX Client".
6. In the "Target Host" field, enter the IP address or host name where your ODBCMXS process is listening on
your NonStop server.
7. In the "Target Port" field, enter the port number that you have specified as the listen port of your ODBCMXS
process on the NonStop server, (e.g. 28888).
8. In the "Local (Accepting) Port" field, enter the port number that RemoteProxy will use to listen for connections
from your ODBC/MX driver. The port number must not be in use by any other program or service on your
client PC. It must be the same port that the ODBC/MX server process is using on the NonStop server side, e.g.
"18888" in this example.
9. Start the RemoteProxy session by clicking on the "Start" button
10. If the start is successful, check the startup messages with the "View Log" command.
To configure the ODBC/MX driver to connect via the RemoteProxy
1. Navigate to the ODBC/MX driver configuration dialog.
2. Navigate to the "Network" Tab within the dialog
3. Reconfigure the MXCS IP Address to the local host address, e.g. "localhost", or "127.0.0.1"
4. Reconfigure the "Port" field to the port number you specified as "Local Port" in the "Session Properties" of the
relevant RemoteProxy Session.
5. Assuming you used "18888" as "Accepting Port" in the RemoteProxy session configuration, your ODBC driver
configuration dialog should look as follows:
HP NonStop SSL Reference Manual Installation • 27
Confirm the changes by clicking "OK".
6. You may use the NonStop Connectivity Tool to test the secure ODBC connection to the NonStop system.
7. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of the RemoteProxy.
To connect securely with your ODBC/MX c lient
1. After you have correctly configured your ODBC/MX driver, use your ODBC client like you did before to
connect to the NonStop system.
2. You may check the successful creation of the session through the proxy by examining the messages with the
"View Log" command in the "Session Properties" screen of the RemoteProxy.
28 • Installation HP NonStop SSL Reference Manual
Installing an SSL Tunnel for EXPAND-over-IP Lines
Creating an SSL tunnel for an EXPAND-over-IP line requires running a HP NonStop SSL process in EXPANDS mode
for the line handler on both sides of the connection. The configuration of the HP NonStop SSL processes can be easily
derived from the existing line handler configuration of E XPAND-over-IP line. To enable the tunneling, only a single line
handler attribute needs to be changed.
To install an SSL tunnel process for an EXPAND-over-IP line handler, you will need to perform the following steps on
both NonStop servers c o nnected by the line:
1. Install a HP NonStop SSL EXPAND proxy (EXPANDS) proxy process for the EXPAND line.
2. Reconfigure your EXPAND line configuration to activate the SSL tunnel for the EXPAND line.
Note: This section lists the basic installation instructions. For a production installation, please refer to "Load Balancing
and Fault-Tolerance of EXPAND over SSL" in chapter "Configuration".
To install the HP NonStop SSL EXPANDS pr oxy
1. Determine the name of the EXPAND-over-IP line handler you want to secure .
2. At your TACL prompt, run the HP NonStop SSL SETUP macro:
> VOLUME $SYSTEM.ZNSSSL
> RUN SETUP
Enter the name of the line handler when requested.
The SETUP macro will create a configuration file (e.g. EXPSCF0) and an SCF IN file for the installation as
persistent process (e.g. EXPSIN0).
3. Start the HP NonStop SSL EXPANDS persistent process, e.g.
> SCF START PROCESS $ZZKRN.#SSL-EXPANDS-0
4. Check the log file (configured in the configuration file) to verify the EXPANDS process has started correctly,
e.g.
> SHOWLOG EXPSLOG *
Verify that the log contains a message of the following pattern:
$EXPS1|19May10 17:48:47.04|20|EXPAND proxy started (10.0.0.196:1280 <- 10.0.0.198:1280)
Note: These steps need to be performed on both systems connected over the EXPAND-over-IP line.
To activate the SSL tunnel for the EXPAND line
5. Using SCF, alter the configuration of the EXPAND line as follows:
> ASSUME LINE <line>
> ABORT
> ALTER, DESTIPADDR 127.0.0.1
> START
6. After the tunnel is properly configured on both sides, the HP NonStop SSL log file should contain messages of
the following pattern:
$EXPS |27Apr05 12:31:41.01|50|E1| tunnel connect succeeded, tunnel ready
or
$EXPS |27Apr05 12:37:26.78|50|E1| accepted tunnel connection, tunnel ready
The EXPAND line should then show the "READY" state.
Note: Again, that change in the SCF configuration has to be done on both systems.
HP NonStop SSL Reference Manual Installation • 29
30 • Installation HP NonStop SSL Reference Manual
Loading...