Set advanced SSL options
We can enable advanced security options such as: client authentication, setting and viewing cipher specifications, defining SSL for multiple-IP virtual hosts, and setting up a reverse proxy configuration with SSL.
About this task
After setting up secure connections, follow these instructions to enable advanced security options:
Procedure
- Enable client authentication. If you enable client authentication, the server validates clients by checking for trusted certificate authority (CA) root certificates in the local key database.
- Set and view cipher specifications. Important: If you specify V3 or TLS ciphers and no SSL V2 ciphers, SSL V2 support is disabled. Also, if you specify SSL V2 ciphers and no SSL V3 or TLS ciphers, SSL V3 and TLS support is disabled.
- Define Secure Sockets Layer (SSL) for multiple-IP virtual hosts.
- Choosing the level of client authentication
  If you enable client authentication, the server validates clients by requesting a certificate from the client and verifying that it is signed by a trusted certificate authority (CA) root certificate in the server key database.
- Server Name Indication
  We can configure a separate certificate label with Server Name Indication (SNI) support for IBM HTTP Server, based on the hostname requested by the client. The configuration can be done either by defining name-based SSL virtual hosts or by using the SSLSNIMap directive. We cannot use other handshake-related settings from a name-based virtual host with SNI.
- Viewing cipher specifications
  This section describes viewing cipher specifications for secure transactions and for a specific HTTP request.
- SSL cipher specifications
  When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in the list that is supported by the client is selected.
- Choosing the type of client authentication protection
  If you enable client authentication, the server validates clients by checking for trusted certificate authority (CA) root certificates in the local key database.
- Defining SSL for multiple-IP virtual hosts
  We can define different Secure Sockets Layer (SSL) options for various virtual hosts, or multiple servers running on one machine. In the configuration file, define each SSL directive in the stanza for the virtual host to which the directive applies. When you do not define an SSL directive on a virtual host, the server uses the directive default.
- Set up a reverse proxy configuration with SSL
  This topic describes how to set up a site to act as a reverse proxy for a resource that is hosted on a secure site.
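The following httpd.conf fragment is an added example, not part of the IBM documentation, that puts the options listed above together: two multiple-IP virtual hosts, a TLS-only cipher specification, an SSLSNIMap entry, required client authentication on one host, and a reverse proxy to an HTTPS backend. Hostnames, addresses, key database paths and certificate labels are constructed, the cipher names are illustrative, and the exact directive syntax (in particular SSLSNIMap and the protocol qualifier on SSLCipherSpec) is assumed and should be checked against the directive reference for the installed IBM HTTP Server version.

```apache
# Added example (not from the IBM documentation). Hostnames, IP addresses,
# key database paths and certificate labels are constructed.
Listen 192.0.2.10:443
Listen 192.0.2.11:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# Multiple-IP virtual hosts: each stanza carries its own SSL directives;
# any SSL directive not set in a stanza falls back to the directive default.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/ssl/keys/www.kdb
    SSLStashFile /opt/IBM/HTTPServer/ssl/keys/www.sth
    SSLServerCert www-cert
    # SNI: present a different certificate label when the client asks for
    # the alternate name (assumed syntax: hostname, then certificate label).
    SSLSNIMap alt.example.com alt-cert
    # Cipher specification: listing only TLS ciphers and no SSL V2 ciphers
    # disables SSL V2, as the topic warns; SSL V3 is disabled explicitly too.
    SSLProtocolDisable SSLv2 SSLv3
    SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_128_GCM_SHA256
    # Public site: no client certificate requested.
    SSLClientAuth none
</VirtualHost>

# Second address: client authentication required. The client certificate
# must chain to a CA root certificate present in this host's key database.
<VirtualHost 192.0.2.11:443>
    ServerName partner.example.com
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/ssl/keys/partner.kdb
    SSLStashFile /opt/IBM/HTTPServer/ssl/keys/partner.sth
    SSLClientAuth required
    SSLProtocolDisable SSLv2 SSLv3
    SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # Reverse proxy with SSL: the outbound HTTPS connection to the backend
    # is validated against the CA certificates held in the same KeyFile.
    SSLProxyEngine On
    ProxyPass        /app https://backend.internal.example:8443/app
    ProxyPassReverse /app https://backend.internal.example:8443/app
</VirtualHost>
```

The two stanzas are deliberately different so that a reader can see which settings are per-virtual-host; a host that omits SSLClientAuth or SSLCipherSpec inherits the directive default rather than the other host's value.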
Related tasks
- Secure IBM HTTP Server
- Configure SSL between the IBM HTTP Server Administration Server and the deployment manager
- Secure with SSL communications
- Manage keys with the IKEYMAN graphical interface (Distributed systems)
- Manage keys from the command line (Distributed systems)
- Manage keys with the native key database gskkyman (z/OS systems)
- Getting started with the cryptographic hardware for SSL (Distributed systems)
- Authenticating with LDAP on IBM HTTP Server using mod_ldap
- Authenticating with SAF on IBM HTTP Server (z/OS systems)