Installation; General Considerations - HP NonStop SSL Reference Manual

Installation

General Considerations

HP NonStop SSL is made available by HP with the purchase of the NonStop Operating System kernel for H Series and J
Series NonStop platforms. The files of the package are located on $SYSTEM.ZNSSSL.
HP NonStop SSL is not pre-installed or pre-configured. You have to install it depending on your requirements.
The main executable file is named SSLOBJ, which can be run to create an SSL proxy process running in a specific run
mode. While you can manually create SSL proxy processes with the TACL run command, it is recommended to create a
persistent process under control of the Kernel subsystem.
For convenience, HP NonStop SSL includes a SETUP macro, which helps you create an initial configuration for a
persistent proxy process in one of the available run modes. You may fine-tune the configuration by editing the
configuration files created by the SETUP macro.
Note: Pay particular attention to a proper SSL configuration. HP NonStop SSL is delivered with a set of
sample SSL certificate and key files, which are used by default. For a production installation, you should use your own
SSL server certificate. Please refer to the "SSL Reference" chapter for details.
When you replace the certificate files delivered in $SYSTEM.ZNSSSL with production certificates, DSM/SCM may overwrite
them and restore the original files. It is therefore recommended to place the production certificates in a
separate volume and point to those files in a CONFIG2 configuration file.
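A check for the two risks described in this note, as an added example (not HP's code and not part of the manual): it reads the text of a configuration file and reports certificate and key parameters that are unset, so the delivered samples apply, or that point into $SYSTEM.ZNSSSL, where DSM/SCM may restore the originals. The parameter names SERVCERT, SERVKEY and CACERTS, the `NAME value` line syntax with `#` comment lines, and the sample file contents are assumptions; confirm them against the "SSL Reference" chapter.

```python
import re

# Assumed parameter names (not from this page); confirm in the SSL Reference chapter.
CERT_PARAMS = ("SERVCERT", "SERVKEY", "CACERTS")
INSTALL_SUBVOL = "$SYSTEM.ZNSSSL"  # installation subvolume named on the page
# Fully qualified Guardian file name, optionally prefixed with a \NODE name.
GUARDIAN = re.compile(r"^(?:\\[A-Z0-9]+\.)?(\$[A-Z0-9]+\.[A-Z0-9]+)\.[A-Z0-9]+$")


def parse_config(text):
    """Return {NAME: value} from assumed 'NAME value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        params[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return params


def audit_cert_params(text):
    """Map each certificate parameter to 'default-sample', 'install-subvol',
    'unqualified' or 'ok'. Guardian file names are compared case-insensitively."""
    params = parse_config(text)
    findings = {}
    for name in CERT_PARAMS:
        value = params.get(name, "")
        if not value:
            findings[name] = "default-sample"   # delivered sample files are used
            continue
        # A value may list several files separated by commas (assumption).
        matches = [GUARDIAN.match(f.strip().upper()) for f in value.split(",")]
        if any(m and m.group(1) == INSTALL_SUBVOL for m in matches):
            findings[name] = "install-subvol"   # DSM/SCM may restore the originals
        elif not all(matches):
            findings[name] = "unqualified"      # location depends on session defaults
        else:
            findings[name] = "ok"
    return findings


# Constructed sample CONFIG2 contents; volume and file names are made up.
SAMPLE_CONFIG2 = """\
# production overrides (constructed)
servcert $DATA1.SSLCERTS.PRODCERT
SERVKEY  $system.znsssl.SERVKEY
"""

if __name__ == "__main__":
    for param, status in audit_cert_params(SAMPLE_CONFIG2).items():
        print(f"{param:9} {status}")
```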
The installation subvolume ZNSSSL also contains a TACL macro named CFWSADDR. This macro provides the real client
IP address of a Visual Inspect session when connected to a NonStop SSL TELNETS process. The best way to install the
CFWSADDR macro is to include it in the TACLLOCL file so it gets executed for every new TACL session started:
LOAD/KEEP 1/$SYSTEM.ZNSSSL.CFWSADDR
WSADDR
Note that the invocation of this macro is WSADDR, not CFWSADDR. The macro searches all process occurrences of
the SSLOBJ file (NonStop SSL) and also the SWAP file (comForte SecurCS).
For securing some protocols, such as ODBC or RSC, you will also need to install the HP NonStop SSL RemoteProxy,
which will enable SSL for the HP components running on a remote user workstation.
Note that usage of the RemoteProxy component is supported for selected HP NonStop products only, including HP
NonStop Remote Server Call (RSC/MP) and HP NonStop ODBC/MX. Additionally, the RemoteProxy can act as an
SSL-enabling LPD server proxy in order to secure LPD printing off the HP NonStop platform. Usage of the LPDS server
mode is supported in combination with the Microsoft Windows platform only. Further note that the HP NonStop SSL
RemoteProxy does not support being installed as a Windows service.
