WebWise Replaces Apache in FOS

By Mark Bixby, Commercial Systems Division

The HP WebWise MPE/iX Secure Web Server version A.01.00 was first introduced as a separately purchasable add-on product for MPE/iX 6.5 or greater. But as of MPE/iX 7.5, the WebWise web server has been updated to version A.03.00 and replaces Apache in FOS as a no-extra-cost bundled product. Patch WBWGDT7A brings this same functionality to MPE/iX 7.0.

This is the second release of the HP WebWise MPE/iX Secure Web Server. It was labeled version A.03.00 because it is replacing the A.02.00 version of Apache. There was no A.02.00 version of WebWise.

HP WebWise MPE/iX Secure Web Server version A.03.00 is based on Apache 1.3.22 and adds mod_ssl 2.8.5 to provide Secure Sockets Layer (SSL) encryption and X.509 authentication using digital certificates.

Product Overview and Feature Set

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. The current release of the HP WebWise MPE/iX Secure Web Server is A.03.00 and is composed of:

Apache 1.3.22
Mod_ssl 2.8.5 SSL security add-ons for Apache
MM 1.1.3 shared memory library
Openssl 0.9.6b cryptographic/SSL library
RSA BSAFE Crypto-C 5.2 cryptographic library (for the RC2, RC4, RC5, and RSA algorithms)

HP WebWise MPE/iX Secure Web Server is NOT:

a substitute for a firewall (explicitly allow acceptable connections, etc.)
a substitute for good host security practices (change default passwords, keep the OS up-to-date, etc.)
a substitute for good application security practices (use appropriate file and user security, carefully validate all input data, etc.)
a substitute for good human security practices (communicate the importance of protecting sensitive or proprietary data, no password sharing, etc.)

WebWise is just one component in a secure environment and by itself does nothing to prevent the number one cause of web server break-in events -- poorly written CGI applications. Well-written CGI applications must rigorously validate every byte of data sent by a browser, and must refuse to process any input data containing unexpected characters.

System Requirements and Patches

MPE/iX 7.0
HP highly recommends installing the latest NSTxxxxx network transport patch.

Support

HP WebWise MPE/iX Secure Web Server A.03.00 is supported through the HP Response Center as part of MPE/iX FOS support.

New Apache Functionality since 1.3.14

Most of the Apache Software Foundation development work since 1.3.14 consists of portability enhancements and bug fixes for various problems including security issues. Some minor new functionality has also been added, as partially listed below:

A new LogFormat directive of %c to display the connection status when each request is completed.
mod_auth has been enhanced to allow access to a document to be controlled based on the owner of the file being served. Require file-owner will only allow files to be served where the authenticated username matches the user that owns the document. Require file-group works in a similar way checking that the group matches.
The rotatelogs utility was enhanced to allow the logfile name to include customizable date stamps (using the standard strftime syntax) as well as the ability to specify the time offset from UTC.
The Apache manual web pages can now be installed to a location other than the htdocs DocumentRoot, and so starting with WebWise A.03.00 these pages have been relocated to the /APACHE/CURRENT/htmanual directory tree. The WebWise A.03.00 installation process replaces the old /APACHE/PUB/htdocs/manual directory with a symbolic link pointing to /APACHE/CURRENT/htmanual.

SSLv2.0, SSLv3.0, and TLSv1.0 Protocols

These protocols lie between the HTTP and TCP/IP protocol layers and provide secure, authenticated, encrypted communications between the HP WebWise MPE/iX Secure Web Server and web browser clients.

X.509 Digital Certificates

Signed by external trusted Certificate Authorities, X.509 certificates provide authentication for both the HP WebWise MPE/iX Secure Web Server and web browser clients.

Flexible Encryption Cipher Configuration

HP WebWise MPE/iX Secure Web Server permits you to configure a wide variety of encryption ciphers, ranging from high-grade domestic-only algorithms to algorithms suitable for export.

Additional Log Files

Two new log files, ssl_engine_log and ssl_request_log, allow you to log various events associated with secure web requests.

Migrating from Previous Versions of Apache

The /APACHE/PUB/JHTTPD job stream file from previous versions of Apache is not compatible with HP WebWise MPE/iX Secure Web Server. You must manually create a new JHTTPD job stream file by using the WebWise /APACHE/PUB/JHTTPD.sample template.

The /APACHE/PUB/conf/httpd.conf configuration file from previous versions of Apache may or may not be compatible with WebWise depending on the previous Apache version:

1.3.4 - NOT compatible; you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.
1.3.9 - compatible, but SSL functionality will not be enabled. To enable SSL functionality, you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.
1.3.14 - compatible, but SSL functionality will not be enabled. To enable SSL functionality, you MUST use /APACHE/PUB/conf/httpd.conf.sample as a template to create a new httpd.conf file.

In addition to updating /APACHE/PUB/conf/httpd.conf, it is strongly recommended to update all of the other configuration files in the same directory by using the corresponding *.sample files.

Several new configuration subdirectories have been created to contain additional configuration files required by the SSL functionality. For complete details about configuring the SSL functionality, please see the Configuring & Managing MPE/iX Internet Services manual.

Migrating from WebWise A.01.00

HP WebWise MPE/iX Secure Web Server version A.03.00 was designed to be a drop-in replacement for Apache, and does not attempt to upgrade or migrate any files from the WebWise A.01.00 /APACHE/SECURE directory tree.

You must manually use the A.03.00 *.sample files in the /APACHE/PUB/conf directory tree to create new standard configuration files, and then propagate any local customizations that you made in the A.01.00 /APACHE/SECURE/conf directory tree.

You will need to copy your server key and certificate from the old A.01.00 locations of /APACHE/SECURE/conf/ssl.key/server.key and /APACHE/SECURE/conf/ssl.crt/server.crt to the new A.03.00 locations of /APACHE/PUB/conf/ssl.key/server.key and /APACHE/PUB/conf/ssl.crt/server.crt.

Any A.01.00 CGI applications in /APACHE/SECURE/cgi-bin or any data content in /APACHE/SECURE/htdocs can either be moved to the corresponding A.03.00 directories in /APACHE/PUB, or left in place after adjusting the new A.03.00 configuration files to refer to the old A.01.00 locations.

WebWise A.01.00 accessed the web page content as the user SECURE.APACHE, but WebWise A.03.00 accesses web page content as the user WWW.APACHE. This is the same user as used by Apache A.02.00.

For Further Information

http://yourserver.yourdomain.com/manual/ (online documentation included with WebWise)
Configuring and Managing MPE/iX Internet Services Manual
http://jazz.external.hp.com/src/webwise/ (HP WebWise)
http://www.apache.org/ (Apache opensource project)
http://www.modssl.org/ (Mod_ssl opensource project)
http://www.engelschall.com/sw/mm/ (a library of shared memory functions)
http://www.openssl.org/ (OpenSSL opensource project)
http://www.rsasecurity.com/products/bsafe/cryptoc.html (RSA BSAFE Crypto-C commercial product)
The HP3000-L mailing list where you can talk with other users of WebWise on MPE/iX:
- The official HP3000-L web site of http://raven.utc.edu/Archives/hp3000-l.html
- The gatewayed Usenet newsgroup of comp.sys.hp.mpe