VM:Webgateway Web Server

System Administrator Tasks - SSL


Turning SSL On (SSL)



From a web browser: Go to the Configure TCP Sockets configuration form and use the add or change option to add or modify a TCP socket. VM:Webgateway displays the View, Change, Delete, or Add TCP Socket Definitions configuration form. Provide SSL information on that configuration form.

From a VM userid: Use the CONFIG SOCKET command to specify the IP address, TCP port, server root domain, and SSL information.


Note: After you turn SSL on, you must use the HTTPS protocol rather than the HTTP protocol. Use https:// when you enter a URL at your web browser to ask VM:Webgateway for data or online documentation.


Note: If you have CPUIDs that allow SSL and CPUIDs that do not allow SSL, and the CPUIDs that allow SSL expire, VM:Webgateway will stop serving data from TCP sockets configured to use SSL. If you want VM:Webgateway to resume serving data from those sockets, you must either obtain a new VM:Webgateway SSL Feature CPUID or turn SSL off.

Summary of SSL Information

  1. Optionally, update the TCP port to 443 (the default for SSL).
  2. Indicate that you want to use SSL.
  3. Optionally, exempt the cipher suites you do not want to use.
  4. Specify the server certificates you want VM:Webgateway to send to a web browser to attest to the identity of your organization.
  5. Optionally, allow VM:Webgateway to use client certificates to authenticate your web browser users.

SSL Information in Detail

  1. Optionally, update the TCP port to 443 (the default for SSL).

    If the TCP port is not 443, web browser users will have to specify the TCP port in URLs. The following URL is for a web server that uses SSL on TCP port 80:

    https://www.company.com:80/

    Using the View, Change, Delete, or Add TCP Socket Definitions form: Type 443 for the TCP port.

    Using the CONFIG SOCKET ADD command: Specify an IP address. Specify the value 443 for the TCP port.


    Note: To update a TCP socket to turn on SSL and also update the TCP port number for the socket, you must first delete the TCP socket and then add a new one.

  2. Indicate that you want to use SSL.

    Using the View, Change, Delete, or Add TCP Socket Definitions form: Select Yes in response to the question Do you want to use SSL?

    Using the CONFIG SOCKET command: Specify the SSL parameter.

  3. Optionally, exempt the cipher suites you do not want to use.

    Each version of SSL supports a set of cipher suites. To exempt cipher suites, identify the version of SSL and the cipher suites to exempt. VM:Webgateway supports only SSL version 3 (represented by SSLV3).

    If you learn that a cipher suite has been compromised, you might want to exempt that cipher suite. If you want to force VM:Webgateway to use a particular cipher suite, exempt all cipher suites except the one you want to use.

    Using the View, Change, Delete, or Add TCP Socket Definitions form: Remove the checks next to the cipher suites you do not want to use.

    Using the CONFIG SOCKET command: Specify the EXEMPT parameter followed by SSLV3 to indicate SSL version 3 and the cipher suites you do not want to use.


    Note: Do not exempt all cipher suites; VM:Webgateway requires at least one cipher suite in common with the web browser.

  4. Specify the certificates you want VM:Webgateway to send to a web browser to attest to the identity of your organization.

    If you are turning SSL on to test SSL for your site, create a self-signed certificate and specify the self-signed certificate as your server certificate.

    If you are putting SSL into production, you should have already requested a server certificate from a certificate authority. The certificate authority will return either a single server certificate or a certificate chain.

    If you received a single server certificate, specify the server certificate. If you received a certificate chain, specify all certificates in the chain.

    Using the View, Change, Delete, or Add TCP Socket Definitions form: Select the server certificate or certificate chain you want to use from the dropdown.

    Using the CONFIG SOCKET command: If you are identifying a single server certificate, specify the CERTIFICATE parameter followed by the name of a server certificate. If you are identifying a certificate chain, specify the CERTIFICATE parameter followed by the names of the certificates in the certificate chain. Specify the certificates in the order they were returned by the certificate authority starting with the server certificate.

  5. Optionally, allow VM:Webgateway to use client certificates to authenticate your web browser users.

    To enable VM:Webgateway to use client certificates to authenticate browser users on a TCP socket, you must specify the client CA certificates to be used for the validation process. You can specify client CA certificates through a form on your browser or by entering a command on VM.

    Using the View, Change, Delete, or Add TCP Socket Definitions form: On the Configure TCP Sockets form, click the Change or Add check-box, type the TCP socket you want to authenticate, and click Display Next Form. Change or add the TCP socket definition, including the client CA certificates, and click SUBMIT.

    Using the CONFIG SOCKET command: Enter a variation of the following command at the VM Ready prompt:

    CONFIG SOCKET ADD * 981 ROOT SFS vma:vmuserid (SSL CERTIFICATE (certname) CLIENTCACERTIFICATE (ccc1 ccc2 ccc3)

    where ccc1, ccc2, ccc3 are any number of client CA certificates that VM:Webgateway will use to validate the client certificates of browser users being served through this TCP socket.


    Note: After enabling a TCP socket to be able to use client certificates to authenticate users (using either of the above two methods), you must add access control records to DIRMAP or ACCESS files before authentication or authorization using client certificates can actually occur.

    For instructions on authenticating users, see Authenticating Web Browser Users. For instructions on authorizing users, see Determining How to Control Access.
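
A pre-flight check for the steps above, as an added example that is not part of the VM:Webgateway product or its documentation: it derives the URL browsers must use, confirms that the planned exemptions leave a cipher suite in common with the browser, and verifies that the certificates are listed server certificate first. The suite lists (names taken from the SSL 3.0 specification), the certificate names, and the subjects are constructed sample data and assumptions.

```python
"""Pre-flight check for a planned SSL socket definition (added example)."""

# Constructed sample data. Suite names follow the SSL 3.0 specification; which
# suites VM:Webgateway and the browser really offer is an assumption here.
SERVER_SUITES = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
                 "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
BROWSER_SUITES = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA"]
# Hypothetical certificate names mapped to (subject, issuer).
CERTS = {"SRVCERT": ("CN=www.company.com", "CN=Example Issuing CA"),
         "INTCA": ("CN=Example Issuing CA", "CN=Example Root CA"),
         "ROOTCA": ("CN=Example Root CA", "CN=Example Root CA")}


def site_url(host, port):
    """URL browsers must use; the port may be omitted only when it is 443."""
    return f"https://{host}/" if port == 443 else f"https://{host}:{port}/"


def usable_suites(server, exempt, browser):
    """Suites still negotiable after exemption, in server order."""
    unknown = sorted(set(exempt) - set(server))
    if unknown:
        raise ValueError(f"exempted suites the server does not offer: {unknown}")
    left = [s for s in server if s not in exempt and s in browser]
    if not left:
        raise ValueError("no cipher suite left in common with the browser")
    return left


def check_chain(names, certs):
    """Verify the order: server certificate first, each issued by the next."""
    missing = [n for n in names if n not in certs]
    if not names or missing:
        raise ValueError(f"empty chain or unknown certificates: {missing}")
    for child, parent in zip(names, names[1:]):
        if certs[child][1] != certs[parent][0]:
            raise ValueError(f"{child} was not issued by {parent}")
    return list(names)


def preflight(host, port, exempt, chain):
    """Run all checks for one planned socket definition."""
    return {"url": site_url(host, port),
            "suites": usable_suites(SERVER_SUITES, exempt, BROWSER_SUITES),
            "certificate": " ".join(check_chain(chain, CERTS))}
```
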




Copyright © 1998, Sterling Software, Inc.