Hitachi

uCosminexus Application Server HTTP Server User Guide


H. Settings for migration from older versions

When using the SSL features, you must change the following settings when migrating to V11 or later from an older version of HTTP Server.

Each item below gives the specification in the older version, the specification in V11 or later, and the change to make.

No. 1: Default when neither SSLEnable nor SSLDisable is specified
  Older version: SSL features enabled
  V11 or later: SSL features disabled
  Description: To enable the SSL features, specify SSLEngine On. If SSL is to be enabled in a <VirtualHost> block, specify SSLEngine On in that <VirtualHost> block. Because the default is reversed, a configuration that relied on the older implicit default starts V11 with SSL disabled unless SSLEngine On is added.

No. 2: Specification that disables the SSL features
  Older version: SSLDisable
  V11 or later: SSLEngine Off
  Description: Replace SSLDisable with SSLEngine Off. In V11 a remaining SSLDisable directive is still accepted and treated as SSLEngine Off. To disable the SSL features on the entire Web server, also delete or comment out the other directives whose names begin with SSL.

No. 3: Specification that enables the SSL features
  Older version: SSLEnable
  V11 or later: SSLEngine On
  Description: Replace SSLEnable with SSLEngine On. If SSL is to be enabled in a <VirtualHost> block, specify SSLEngine On in that <VirtualHost> block. To start a Web server on which only SSL communication is enabled from Management Server, change the operation check level of the Web server to 1 (confirming the existence of processes only). #1

No. 4: Specification of the encryption type to be used
  Older version: SSLRequiredCiphers
  V11 or later: SSLCipherSuite
  Description: Replace SSLRequiredCiphers with SSLCipherSuite.

No. 5: Specification of the protocol to be used
  Older version: SSLProtocol TLSv1 TLSv11 TLSv12
  V11 or later: SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  Description: The notation differs. Each protocol to be enabled is written with a plus sign (+) before its name, and the minor version is written with a dot (TLSv11 becomes +TLSv1.1). Carry over only the versions that are still required; re-listing TLSv1 and TLSv1.1 just because the older configuration named them keeps protocol versions enabled that are deprecated (RFC 8996).

No. 6: Location where SSLRequireSSL can be coded
  Older version: httpsd.conf, <VirtualHost>, <Directory>, .htaccess
  V11 or later: <Directory>, .htaccess
  Description: If the SSLRequireSSL directive is specified in httpsd.conf (server scope) or in a <VirtualHost> block, move it into a <Directory> block or a .htaccess file.

No. 7: Specification that prohibits SSL requests
  Older version: SSLDenySSL
  V11 or later: None
  Description: Delete the SSLDenySSL specification. It has no V11 equivalent; if the intent was to refuse SSL, consider, for example, disabling the SSL features altogether (SSLEngine Off) for the server or <VirtualHost> concerned.

No. 8: Specification of the CA certificate used for server authentication
  Older version: SSLCACertificateFile
  V11 or later: SSLCertificateFile
  Description: Specify one file that contains the server certificate followed by the CA certificates. From the certificates in the file specified in SSLCACertificateFile, take those used for server authentication and append them to the file specified in SSLCertificateFile, after the Web server certificate, in the order intermediate CA certificate, then root CA certificate. In older versions a CA certificate specified in SSLCACertificateFile was used for server authentication; in V11 the chain presented to clients comes from the SSLCertificateFile bundle alone, so a missing or misordered CA certificate shows up as a chain validation failure on the client side.

No. 9: Specification of the password file for the encrypted private key
  Older version: SSLCertificateKeyPassword, SSLECCCertificateKeyPassword
  V11 or later: None
  Description: Delete the SSLCertificateKeyPassword and SSLECCCertificateKeyPassword specifications. V11 has no directive for supplying a private key password, so the key files themselves must be stored without password protection. #2

No. 10: Specification of a CRL in the DER format
  Older version: Use the SSLCRLDERPath directive to specify the directory that stores the DER formatted files.
  V11 or later: The DER format cannot be used.
  Description: Convert each DER formatted file to the PEM format #3 and specify the result in the SSLCARevocationFile directive. SSLCARevocationFile takes a single file, so to use multiple CRLs, combine the PEM files into one file first.

No. 11: Specification of a CRL in the PEM format
  Older version: Use the SSLCRLPEMPath directive to specify the directory that stores the PEM formatted files.
  V11 or later: Use the SSLCARevocationFile directive to specify the single file that stores the CRLs.
  Description: Combine the CRL files from the directory into one file and specify that file in the SSLCARevocationFile directive.

No. 12: Specification of basic authentication by using the client certificate
  Older version: SSLFakeBasicAuth
  V11 or later: SSLOptions +FakeBasicAuth
  Description: Specify +FakeBasicAuth in the SSLOptions directive.

No. 13: Setting of the client certificate in the environment variable
  Older version: SSLExportClientCertificates
  V11 or later: SSLOptions +ExportCertData
  Description: Specify +ExportCertData in the SSLOptions directive. This sets the PEM formatted certificate in the environment variable. Note that +ExportCertData also sets the server certificate in the environment variable, in addition to the client certificate.

No. 14: Directives for specifying the certificate and private key for elliptic curve cryptography
  Older version: SSLECCCertificateFile, SSLECCCertificateKeyFile
  V11 or later: SSLCertificateFile, SSLCertificateKeyFile
  Description: Use the SSLCertificateFile directive to specify the certificate for elliptic curve cryptography and the SSLCertificateKeyFile directive to specify its private key, that is, the same directives as for RSA. Note that only one pair of server certificate and private key can be specified for RSA encryption and one pair for elliptic curve cryptography.

No. 15: Values specified in the SSLVerifyClient directive for client authentication settings
  Older version: 0|1|2
  V11 or later: none|optional|require
  Description: Change the values specified in the SSLVerifyClient directive from numbers to character strings as follows:
    0: none
    1: optional
    2: require

No. 16: Specification of the number of levels for client authentication in SSLVerifyDepth
  Older version: Number of levels including the client certificate at the end of the chain (number of Certificate Authorities + 1)
  V11 or later: Number of levels excluding the client certificate at the end of the chain (equal to the number of Certificate Authorities)
  Description: Revise the number of levels up to which the certificate chain is traced. Because the client certificate is no longer counted, the V11 value is one less than the older value: a client certificate issued by an intermediate CA under a root CA needed 3 in the older version and needs 2 in V11. Carrying the older value over unchanged accepts chains one CA level longer than intended.

No. 17: When environment variables for encrypted communication are used in CGI programs
  Older version: --
  V11 or later: --
  Description: The environment variable names have been changed; CGI programs that read them must be updated accordingly.

No. 18: Access control based on the encryption type
  Older version: SSLBanCipher, SSLRequireCipher
  V11 or later: SSLBanCipher
  Description: If the permitted encryption types were specified in the SSLRequireCipher directive, use the SSLBanCipher directive to specify the encryption types to be denied instead. A deny list covers only the names it lists, so keep the set of encryption types actually permitted defined in SSLCipherSuite. In addition, if the directive is specified in httpsd.conf or <VirtualHost>, move it into <Directory> or .htaccess.
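The directive rewrites in rows 1 to 18 are mechanical enough to script. The following Python is an added example written for this appendix, not a Hitachi-supplied migration tool: it rewrites the text of one configuration file, comments out the directives that have no mechanical V11 equivalent so that an administrator can act on them, reports SSLRequireSSL and SSLBanCipher found outside <Directory> or .htaccess, and warns when a file relies on the older implicit default of row 1. The httpsd.conf fragment at the bottom is constructed; its paths and cipher names are illustrative, and it is assumed that the cipher list of SSLRequiredCiphers carries over to SSLCipherSuite unchanged.

```python
"""Rewrite pre-V11 HTTP Server SSL directives to their V11 form, following the migration table.

Added example, not a Hitachi-supplied tool. Operates on the text of one configuration
file; directives with no mechanical equivalent are commented out and reported.
"""
import re

RENAME = {                                # rows 4 and 14: arguments unchanged, name changes
    "SSLRequiredCiphers": "SSLCipherSuite",
    "SSLECCCertificateFile": "SSLCertificateFile",
    "SSLECCCertificateKeyFile": "SSLCertificateKeyFile",
}
FIXED = {                                 # rows 2, 3, 12, 13: flag directive becomes directive + argument
    "SSLEnable": "SSLEngine On",
    "SSLDisable": "SSLEngine Off",
    "SSLFakeBasicAuth": "SSLOptions +FakeBasicAuth",
    "SSLExportClientCertificates": "SSLOptions +ExportCertData",
}
PROTOCOL = {"TLSv1": "+TLSv1", "TLSv11": "+TLSv1.1", "TLSv12": "+TLSv1.2"}   # row 5
VERIFY_CLIENT = {"0": "none", "1": "optional", "2": "require"}              # row 15
MANUAL = {                                # no mechanical rewrite: comment out, administrator acts
    "SSLDenySSL": "row 7: no V11 equivalent, disable SSL for this scope another way",
    "SSLCertificateKeyPassword": "row 9: remove the password from the key file (note #2)",
    "SSLECCCertificateKeyPassword": "row 9: remove the password from the key file (note #2)",
    "SSLCRLDERPath": "row 10: convert CRLs to PEM, merge them, use SSLCARevocationFile (note #3)",
    "SSLCRLPEMPath": "row 11: merge the CRL files into one, use SSLCARevocationFile",
    "SSLCACertificateFile": "row 8: append the chain certificates to the SSLCertificateFile bundle",
    "SSLRequireCipher": "row 18: express as SSLBanCipher inside <Directory> or .htaccess",
}
DIR_SCOPED = {"SSLRequireSSL", "SSLBanCipher"}   # rows 6 and 18: only <Directory> or .htaccess

_DIRECTIVE = re.compile(r"^(\s*)([A-Za-z]+)\s*(.*?)\s*$")
_OPEN = re.compile(r"^\s*<(\w+)")
_CLOSE = re.compile(r"^\s*</(\w+)")


def migrate(conf, in_htaccess=False):
    """Return (migrated_text, warnings) for the text of one httpsd.conf or .htaccess file."""
    out, warnings, sections = [], [], []
    engine_seen = ssl_seen = False
    for n, line in enumerate(conf.splitlines(), 1):
        if _CLOSE.match(line) and sections:
            sections.pop()
        elif _OPEN.match(line):
            sections.append(_OPEN.match(line).group(1))
        m = _DIRECTIVE.match(line)
        if not m:                                 # blank, comment, or section tag: keep as is
            out.append(line)
            continue
        indent, name, args = m.groups()
        ssl_seen = ssl_seen or name.startswith("SSL")
        if name in DIR_SCOPED and not (in_htaccess or "Directory" in sections):
            warnings.append(f"line {n}: {name} must move into <Directory> or .htaccess")
        if name in FIXED:
            engine_seen = engine_seen or name in ("SSLEnable", "SSLDisable")
            out.append(indent + FIXED[name])
        elif name == "SSLEngine":
            engine_seen = True
            out.append(line)
        elif name in RENAME:
            out.append(f"{indent}{RENAME[name]} {args}")
        elif name == "SSLProtocol":
            tokens = []
            for tok in args.split():
                tokens.append(PROTOCOL.get(tok, tok))
                if tok not in PROTOCOL and tok[0] not in "+-":
                    warnings.append(f"line {n}: unrecognised SSLProtocol token {tok!r}")
            out.append(f"{indent}SSLProtocol {' '.join(tokens)}")
        elif name == "SSLVerifyClient":
            if args in VERIFY_CLIENT:
                out.append(f"{indent}SSLVerifyClient {VERIFY_CLIENT[args]}")
            else:
                out.append(line)
                warnings.append(f"line {n}: SSLVerifyClient value {args!r} is not 0, 1 or 2")
        elif name == "SSLVerifyDepth":
            if args.isdigit():                    # row 16: V11 no longer counts the client certificate
                out.append(f"{indent}SSLVerifyDepth {max(int(args) - 1, 0)}")
            else:
                out.append(line)
                warnings.append(f"line {n}: SSLVerifyDepth value {args!r} is not an integer")
        elif name in MANUAL:
            out.append(f"{indent}# MIGRATE ({MANUAL[name]}): {line.strip()}")
            warnings.append(f"line {n}: {name} commented out, {MANUAL[name]}")
        else:
            out.append(line)
    if ssl_seen and not engine_seen and not in_htaccess:   # row 1: the implicit default is now Off
        warnings.append("no SSLEnable, SSLDisable or SSLEngine found: V11 defaults to SSL disabled, "
                        "add SSLEngine On explicitly")
    return "\n".join(out) + "\n", warnings


# Constructed pre-V11 fragment; paths and cipher names are illustrative only.
SAMPLE_OLD = """\
SSLEnable
SSLRequiredCiphers AES128-GCM-SHA256:AES256-GCM-SHA384
SSLProtocol TLSv1 TLSv11 TLSv12
SSLCertificateFile /opt/hitachi/httpsd/conf/ssl/server/httpsd.pem
SSLCertificateKeyFile /opt/hitachi/httpsd/conf/ssl/server/httpsdkey.pem
SSLCertificateKeyPassword /opt/hitachi/httpsd/conf/ssl/server/.keypasswd
SSLCACertificateFile /opt/hitachi/httpsd/conf/ssl/cacert/anycert.pem
SSLCRLDERPath /opt/hitachi/httpsd/conf/ssl/crl/DER
SSLVerifyClient 2
SSLVerifyDepth 3
SSLRequireSSL
<Directory "/opt/hitachi/httpsd/htdocs/secure">
    SSLRequireCipher AES256-GCM-SHA384
</Directory>
"""

if __name__ == "__main__":
    text, warns = migrate(SAMPLE_OLD)
    print(text)
    for w in warns:
        print("WARNING:", w)
```

Run the script against the sample and it prints the V11 form with three directives commented out (SSLCertificateKeyPassword, SSLCACertificateFile, SSLCRLDERPath) and SSLRequireCipher commented out inside the <Directory> block, plus warnings for each of those and for the server-scope SSLRequireSSL. For a .htaccess file pass in_htaccess=True so that SSLRequireSSL and SSLBanCipher are accepted where they stand.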

No. 19: Protocol version output by the log format %{version}c
  Older version: --
  V11 or later: --
  Description: The notation of the output protocol version has been changed.
    Before change: TLS1 TLS11 TLS12
    After change: TLSv1 TLSv1.1 TLSv1.2

No. 20: Distinguished Name of the subject of the client certificate output by the log format %{clientcert}c
  Older version: --
  V11 or later: --
  Description: The character delimiting the output attributes has been changed from a forward slash (/) to a comma (,), and the attributes are now output in the reverse order (most specific attribute first). Log parsers and detection rules that match on the old form must be updated.
    Before change: /C=JP/ST=Kanagawa/L=Yokohama-shi/O=client/OU=client/CN=client
    After change: CN=client,OU=client,O=client,L=Yokohama-shi,ST=Kanagawa,C=JP
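Log records written before and after the migration therefore disagree on both fields (rows 19 and 20). The following Python, an added example and not part of the product, reduces either form to the V11 spelling so that a detection rule or SIEM parser keyed on the protocol version or the client certificate subject matches records from both periods. The records at the bottom are constructed from the table's own before/after values; treating "-" as "no client certificate" is an assumption, and the slash-splitting rule is written to tolerate a slash inside an attribute value.

```python
"""Normalise the %{version}c and %{clientcert}c log fields across the V11 migration (rows 19, 20).

Added example, not part of the product. Pre-V11 records carry TLS1/TLS11/TLS12 and a
slash-delimited subject DN in C..CN order; V11 records carry TLSv1/TLSv1.1/TLSv1.2 and a
comma-delimited DN in CN..C order. Both are reduced to the V11 form here.
"""
import re

VERSION_ALIASES = {"TLS1": "TLSv1", "TLS11": "TLSv1.1", "TLS12": "TLSv1.2"}

# Old form: split only on a slash that begins a new attribute, so "OU=R/D" survives intact.
_SLASH_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")
# New form: split on commas that are not backslash-escaped ("O=Acme\, Inc." is one RDN).
_COMMA_SPLIT = re.compile(r"(?<!\\),")
_ESCAPED_COMMA = "\\,"
NO_CERT = "-"   # assumed placeholder logged when the client presented no certificate


def normalize_version(raw):
    """Return the V11 spelling for either an old or a new %{version}c value."""
    return VERSION_ALIASES.get(raw, raw)


def parse_dn(raw):
    """Return the subject DN as [(attr, value), ...] in V11 order, most specific RDN first."""
    raw = raw.strip()
    if raw.startswith("/"):                                 # pre-V11: least specific first
        parts = [p for p in _SLASH_SPLIT.split(raw[1:]) if p]
        parts.reverse()
    else:                                                   # V11: already most specific first
        parts = [p.replace(_ESCAPED_COMMA, ",") for p in _COMMA_SPLIT.split(raw) if p]
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {raw!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_v11(raw):
    """Render either form as the V11 string, re-escaping commas inside values."""
    return ",".join(f"{attr}={value.replace(',', _ESCAPED_COMMA)}" for attr, value in parse_dn(raw))


def normalize_record(fields):
    """Normalise one parsed log record given as a dict with 'version' and 'clientcert' keys."""
    out = dict(fields)
    out["version"] = normalize_version(fields["version"])
    cert = fields.get("clientcert", NO_CERT)
    out["clientcert"] = NO_CERT if cert == NO_CERT else to_v11(cert)
    return out


# Constructed records using the table's own before/after values.
OLD_RECORD = {"version": "TLS12",
              "clientcert": "/C=JP/ST=Kanagawa/L=Yokohama-shi/O=client/OU=client/CN=client"}
NEW_RECORD = {"version": "TLSv1.2",
              "clientcert": "CN=client,OU=client,O=client,L=Yokohama-shi,ST=Kanagawa,C=JP"}

if __name__ == "__main__":
    print(normalize_record(OLD_RECORD))
    print("old and new records agree:", normalize_record(OLD_RECORD) == normalize_record(NEW_RECORD))
```

Matching on the parsed (attr, value) pairs rather than on the rendered string is the more robust choice for rules: it is indifferent to delimiter and order, and a rule written as "OU equals client" keeps working whichever side of the migration the record comes from.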

#1

Management Server determines whether the Web server is operating normally by confirming the existence of its processes via Administration Agent and by accessing the Web server through HTTP.

If only SSL communication is enabled on the Web server, the plain-HTTP access check cannot succeed, so change the operation check level for the Web server to 1 (set adminagent.hws.watch.level=1) so that only the existence of processes is confirmed.

For details, see 4.1.16 Information to be set for using Administration Agent in the uCosminexus Application Server System Setup and Operation Guide.

#2

In the SSLCertificateKeyFile directive, specify a private key file from which the password protection has been removed. Because V11 has no directive for supplying the password, a key that is still password-protected cannot be loaded. You can remove the password with the following commands, each of which prompts for the existing password:

  • For a private key that uses RSA encryption:

    openssl.bat rsa -in password-protected-private-key-file -out password-deleted-private-key-file

  • For a private key that uses elliptic curve cryptography:

    openssl.bat pkcs8 -topk8 -in password-protected-private-key-file -out password-deleted-private-key-file -nocrypt

    In UNIX, replace openssl.bat with openssl.sh to execute the command.

The resulting file is no longer protected by a password, so restrict read access to it to the account the Web server runs as.

#3

Use the following command to convert a DER formatted CRL file to the PEM format:

openssl.bat crl -inform DER -in input-file -outform PEM -out output-file

In UNIX, replace openssl.bat with openssl.sh to execute the command.
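Rows 8, 10 and 11 and notes #2 and #3 all require the files that the V11 httpsd.conf points at to have a particular shape: a certificate bundle ordered server certificate, intermediate CA, root CA; a private key file without password protection; and a single PEM file holding every CRL. The following Python is an added pre-flight check, not a Hitachi tool, that verifies those properties before the V11 server is started, using the standard library only. The certificate walk reads just enough DER to compare each certificate's issuer with the next certificate's subject, which is sufficient for an ordering check; the fixtures at the bottom are synthetic DER structures containing only the fields that walk reads and are not valid certificates.

```python
"""Pre-flight checks on the files a V11 httpsd.conf points at (rows 8, 10, 11; notes #2, #3).

Added example, not a Hitachi tool. Standard library only.
"""
import base64
import re

_PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(data):
    """Return [(label, headers, der)] for each PEM block; headers are lines such as Proc-Type."""
    blocks = []
    for m in _PEM.finditer(data.replace(b"\r\n", b"\n")):
        body = m.group(2)
        headers, sep, b64 = body.partition(b"\n\n")   # header section ends at the blank line
        if not sep:                                    # no headers: the whole body is base64
            headers, b64 = b"", body
        blocks.append((m.group(1).decode(), headers.decode(),
                       base64.b64decode(b"".join(b64.split()))))
    return blocks


def key_is_encrypted(data):
    """Row 9 / note #2: V11 cannot be given a password, so an encrypted key will not load."""
    return any(label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
               for label, headers, _ in pem_blocks(data))


def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name bytes by walking the start of tbsCertificate."""
    _, p, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                # tbsCertificate ::= SEQUENCE
    tag, _, e = _tlv(der, p)              # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, e = _tlv(der, e)            # serialNumber
    _, _, e = _tlv(der, e)                # signature AlgorithmIdentifier
    _, s, e = _tlv(der, e)                # issuer Name
    issuer = der[s:e]
    _, _, e = _tlv(der, e)                # validity
    _, s, e = _tlv(der, e)                # subject Name
    return issuer, der[s:e]


def check_bundle(data):
    """Row 8: first certificate is the server's; each later one must have issued the one before it."""
    certs = [der for label, _, der in pem_blocks(data) if label == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE block found"]
    names = [cert_names(c) for c in certs]
    problems = [f"certificate {i + 2} is not the issuer of certificate {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if len(certs) == 1:
        problems.append("only one certificate: intermediate and root CA certificates not appended")
    return problems


def check_crl_file(data):
    """Rows 10/11, note #3: one PEM file holding every CRL; a DER file is rejected by V11."""
    if data[:1] == b"\x30":               # a DER SEQUENCE tag, i.e. the file was never converted
        return 0, ["file is DER: convert with openssl crl -inform DER -outform PEM"]
    count = sum(1 for label, _, _ in pem_blocks(data) if label == "X509 CRL")
    return count, ([] if count else ["no X509 CRL block found"])


# --- synthetic fixtures, constructed for this example; not real certificates or CRLs ---
def _der(tag, *children):
    body = b"".join(children)
    return bytes([tag, len(body)]) + body          # short-form length is enough for these fixtures


def _fake_cert(subject, issuer):
    """DER holding only the tbsCertificate fields cert_names() walks; NOT a valid X.509 certificate."""
    def name(cn):                                  # Name ::= SEQUENCE { SET { SEQUENCE { commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, cn))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")),
               name(issuer), _der(0x30, b""), name(subject))
    return _der(0x30, tbs)


def _pem(label, der):
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label.encode(), base64.encodebytes(der).strip(), label.encode())


SERVER = _fake_cert(b"www.example.jp", b"Example Intermediate CA")
INTER = _fake_cert(b"Example Intermediate CA", b"Example Root CA")
ROOT = _fake_cert(b"Example Root CA", b"Example Root CA")
GOOD_BUNDLE = _pem("CERTIFICATE", SERVER) + _pem("CERTIFICATE", INTER) + _pem("CERTIFICATE", ROOT)
BAD_BUNDLE = _pem("CERTIFICATE", INTER) + _pem("CERTIFICATE", SERVER) + _pem("CERTIFICATE", ROOT)
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                 b"-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
PEM_CRLS = _pem("X509 CRL", b"\x30\x00") * 2
DER_CRL = b"\x30\x00"

if __name__ == "__main__":
    print("good bundle:", check_bundle(GOOD_BUNDLE) or "ok")
    print("bad bundle: ", check_bundle(BAD_BUNDLE))
    print("encrypted key:", key_is_encrypted(ENCRYPTED_KEY), " plain key:", key_is_encrypted(PLAIN_KEY))
    print("crl files:", check_crl_file(PEM_CRLS), check_crl_file(DER_CRL))
```

To use it on a real installation, read the files named in SSLCertificateFile, SSLCertificateKeyFile and SSLCARevocationFile as bytes and pass them to check_bundle, key_is_encrypted and check_crl_file; a non-empty problem list means the server will either fail to start or present an incomplete chain. The byte-for-byte Name comparison is deliberately strict: it catches a bundle in which the intermediate was re-issued with a slightly different subject, which a string comparison of common names would miss.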