<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="Module mod_ibm_ssl" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiemod_ibm_ssl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Module mod_ibm_ssl</title>
</head>
<body id="rzaiemod_ibm_ssl"><a name="rzaiemod_ibm_ssl"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<!--Java sync-link--><h1 class="topictitle1">Module mod_ibm_ssl</h1>
<div><div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
<p><strong>Configuration details</strong></p>
<p>The module mod_ibm_ssl directives provide the server with information on
the extent of the SSL authentication required for access to the server by
the client. When configuring the server for SSL, it is best to use virtual
hosts if the server is to be both SSL and non-SSL. The default behavior for
SSL is SSLDisable, which causes the server to not do any SSL processing for
each server or virtual host which does not specify SSLEnable. If SSL processing
is required, then an SSL virtual host should be set up to handle this. The
SSL port should be specified on the &lt;Virtual Host&gt; directive, with the
SSLEnable and SSLAppName located inside the virtual host container. Each resource
for which SSL processing is desired should be located inside the SSL virtual
host container. This prevents the resource from being accessed through a non-SSL
port and served when SSL is not used.</p>
<p>If the resource is located outside the
SSL virtual host container, and is located in the main server, it is still
possible to access the resource through SSL. Any SSL directives are handled
if the resource is requested on an SSL port, but the SSL directives, with the
exception of the SSLRequireSSL directive, are ignored if the resource is requested
on a non-SSL port. Unless the resource is configured to handle both SSL authentication
and non-SSL authentication, the results in this case may not be what is desired.
If a resource must be accessed only through an SSL port, the SSLRequireSSL directive
can be placed in the resource container, and any request for that resource
that is received from a non-SSL port is rejected. </p>
<p>When configuring a resource for SSL authentication, the behavior of other
directives affects how the SSL directives behave. The primary concerns are
when SSLAuthType is configured. There are other directives that need to be
set in order for SSL to behave as expected. If SSLAuthType Cert is specified,
this tells the server to check for a certificate, and authenticate the user
based on the information in that certificate. This should be the only authentication
necessary for this resource. In order to ensure this, AuthType SSL and Satisfy
Any need to be configured in the resource container. This results in the
desired behavior. </p>
<p>When configuring a resource for SSLAuthType CertOrBasic, this tells the
server to check for a certificate and authenticate the user based on the information
in that certificate. If this authentication fails, then the server authenticates
the user based on any other type of authentication that is configured for
that resource. In most cases, this is Basic authentication, which requests
a user ID and password from the client, and the user is authenticated based
on this information received from the client, but may also be LDAP authentication
if indicated in the configuration of that resource. In order for the SSLAuthType
CertOrBasic to function properly, Satisfy Any, AuthType Basic, and Require
need to be configured in the resource container.</p>
<p>If there are CGI programs that will be using SSL, the environment variable
HTTPS_PORT must be set in the configuration file. The SetEnv HTTPS_PORT port-number
directive is used for this.</p>
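<p>The container rules described above can be checked mechanically. The following Python linter is an added example, not IBM code or part of HTTP Server: it parses a constructed sample configuration and reports containers that break the rules stated in this section. The paths, ports and rule labels such as missing-satisfy-any are assumptions made for the illustration.</p>

```python
import re

# Constructed sample configuration (paths, ports and layout are made up).
# Containers are written in Apache syntax: <VirtualHost ...>, <Directory ...>.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen 80
Listen 443
<Directory /www/demo/htdocs/reports>
  SSLAuthType Cert
  AuthType SSL
  Satisfy Any
</Directory>
<VirtualHost *:443>
  SSLEnable
  SSLAppName QIBM_HTTP_SERVER_APACHE
  <Directory /www/demo/htdocs/certonly>
    SSLRequireSSL
    SSLAuthType Cert
    AuthType SSL
    Satisfy Any
  </Directory>
  <Directory /www/demo/htdocs/mixed>
    SSLAuthType CertOrBasic
    AuthType Basic
    PasswdFile %%SYSTEM%%
  </Directory>
</VirtualHost>
<VirtualHost *:8443>
  SSLEnable
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"</\w+>$")


def parse(conf):
    """Build a tree of containers; each node keeps only its own directives."""
    root = {"kind": "server", "arg": "main server", "dirs": {}, "children": []}
    stack = [root]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            node = {"kind": m.group(1).lower(), "arg": m.group(2).strip(),
                    "dirs": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        name, _, args = line.partition(" ")
        stack[-1]["dirs"].setdefault(name.lower(), []).append(args.strip().lower())
    return root


def lint(conf):
    """Return (container, rule) findings in document order."""
    findings = []

    def walk(node, in_ssl_vhost):
        d = node["dirs"]

        def last(key):
            # A later use of a directive overrides an earlier one.
            return (d.get(key) or [None])[-1]

        if node["kind"] == "virtualhost":
            in_ssl_vhost = "sslenable" in d
            # The page places SSLAppName inside the SSL virtual host container.
            if in_ssl_vhost and "sslappname" not in d:
                findings.append((node["arg"], "missing-sslappname"))
        auth = last("sslauthtype")
        if auth in ("cert", "certorbasic"):
            want = "ssl" if auth == "cert" else "basic"
            if last("authtype") != want:
                findings.append((node["arg"], "authtype-not-" + want))
            if last("satisfy") != "any":
                findings.append((node["arg"], "missing-satisfy-any"))
            if auth == "certorbasic" and "require" not in d:
                findings.append((node["arg"], "missing-require"))
            # Outside an SSL virtual host the SSL directives are ignored on a
            # non-SSL port unless SSLRequireSSL rejects such requests.
            if not in_ssl_vhost and "sslrequiressl" not in d:
                findings.append(
                    (node["arg"], "ssl-directives-ignored-on-non-ssl-port"))
        for child in node["children"]:
            walk(child, in_ssl_vhost)

    walk(parse(conf), False)
    return findings


if __name__ == "__main__":
    for container, rule in lint(SAMPLE_CONF):
        print(f"{container}: {rule}")
```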
<p><strong>Directives</strong></p>
<ul><li><a href="#sslappname">SSLAppName</a></li>
<li><a href="#sslauthtype">SSLAuthType</a></li>
<li><a href="#sslcachedisable">SSLCacheDisable</a></li>
<li><a href="#sslcacheenable">SSLCacheEnable</a></li>
<li><a href="#sslcipherban">SSLCipherBan</a></li>
<li><a href="#sslcipherrequire">SSLCipherRequire</a></li>
<li><a href="#sslcipherspec">SSLCipherSpec</a></li>
<li><a href="#sslclientauth">SSLClientAuth</a></li>
<li><a href="#sslclientauthgroup">SSLClientAuthGroup</a></li>
<li><a href="#sslclientauthrequire">SSLClientAuthRequire</a></li>
<li><a href="#sslclientcertdisable">SSLClientCertDisable</a></li>
<li><a href="#sslclientcertenable">SSLClientCertEnable</a></li>
<li><a href="#ssldenyssl">SSLDenySSL</a></li>
<li><a href="#ssldisable">SSLDisable</a></li>
<li><a href="#sslenable">SSLEnable</a></li>
<li><a href="#sslengine">SSLEngine</a></li>
<li><a href="#sslproxyappname">SSLProxyAppName</a></li>
<li><a href="#sslproxyengine">SSLProxyEngine</a></li>
<li><a href="#sslproxyverify">SSLProxyVerify</a></li>
<li><a href="#sslproxyversion">SSLProxyVersion</a></li>
<li><a href="#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="#sslupgrade">SSLUpgrade</a></li>
<li><a href="#sslversion">SSLVersion</a></li>
<li><a href="#sslv2timeout">SSLV2Timeout</a></li>
<li><a href="#sslv3timeout">SSLV3Timeout</a></li>
</ul>
</div>
<div class="hr" id="sslappname"><a name="sslappname"><!-- --></a><h2 class="topictitle2">SSLAppName</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLAppName <em>server_application_name</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslappname__sslappname_context"><a name="sslappname__sslappname_context"><!-- --></a>server config,
virtual host</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslappname__sslappname_origin"><a name="sslappname__sslappname_origin"><!-- --></a>iSeries™</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLAppName QIBM_HTTP_SERVER_APACHE </td>
</tr>
</tbody>
</table>
</div>
<p>The SSLAppName directive is used for the following reasons:</p>
<ul><li>to provide a unique label that identifies the server as an application that intends to
use SSL</li>
<li>to keep track of the registered name used by the server</li>
<li>to identify the server when association of a server certificate with a
secure application is done in the Digital Certificate Manager (DCM)</li>
<li>to identify the server to the SSL APIs so that the SSL APIs can use
the certificate that is associated with the server</li>
</ul>
<p>This registration of the secure application and the creation of the SSLAppName
is done automatically when the system administrator enables SSL for the server
using the <span>IBM<sup>®</sup> Web Administration for i5/OS™ interface</span>. The association
of a server certificate with the application is accomplished by the system
administrator using DCM. After a secure application is registered, and before
attempting to start the server with SSL enabled, the user must use DCM to
assign a server certificate to the corresponding secure application. Since
this directive is valid at the virtual host level, the server may have more
than one certificate assigned, with each virtual host having a different application
name. The specified value on this directive is the name of the application
that the server or virtual host is known as. If the server certificate association
for the application name is not configured through DCM, then the SSL connection
cannot be initialized and the server will not start.</p>
<div class="note"><span class="notetitle">Note:</span> There is a configured limit of 64 secure application environments (SSLAppNames)
that can be active at once. To increase this limit, contact customer support. </div>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>server_application_name</em></dt>
<dd><ul><li>The <em>server_application_name</em> parameter value specifies the name
of the application that the server or virtual host is known as.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="sslauthtype"><a name="sslauthtype"><!-- --></a><h2 class="topictitle2">SSLAuthType</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLAuthType <em>option</em></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslauthtype__sslauthtype_context"><a name="sslauthtype__sslauthtype_context"><!-- --></a>directory,
.htaccess</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslauthtype__sslauthtype_origin"><a name="sslauthtype__sslauthtype_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLAuthType cert</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLAuthType directive is used to specify the type of certificate validation/authentication
required for access to a directory. This option is used to ensure that a certificate
received from the client is associated with a user ID or an Internet User
validation list. If this is not the case, the client may be prompted for the
user ID.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>option</em></dt>
<dd><ul><li>The <em>option</em> parameter value can be one of the following:<dl class="dlexpand"><dt class="dltermexpand"><em>Cert</em></dt>
<dd>This option indicates to the server that the certificate received from
the client must be in an Internet User list or be associated with an iSeries
user ID convention. Note: If SSLAuthType Cert is specified, then AuthType
should be set to SSL.</dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand"><em>CertOrBasic</em></dt>
<dd>This option indicates to the server that the certificate, if there is
one, that is received from the client may be associated with a user ID or
may be in an Internet User validation list. If it is not, then the client
is authenticated based on the value of HTTP Server AuthType directive. In
order to simulate HTTP Server (original) behavior of AuthType CertOrBasic,
HTTP Server (powered by Apache) AuthType directive must be Basic. This will
cause the client to be prompted for a user ID and password, and this provided
user ID and password will then be used to access the directory/file. If SSLAuthType
CertOrBasic is used, then AuthType should be set to Basic. </dd>
</dl>
</li>
</ul>
</dd>
</dl>
</blockquote>
<p>The certificate does not need to be valid. This directive only refers to
the existence of a certificate. If the certificate must be valid, then the
SSLClientCertEnable directive must also be specified.</p>
<p>There are no default values for this directive. If the directive is not
used, then if a certificate is present, association with a user ID or Internet
User validation list is not checked. This directive's scope is the directory
level. This directive is only to be specified once for a directory. Any subsequent
uses of this directive override any previously specified values. </p>
<p>This directive may be used in conjunction with the SSLClientCertEnable
directive. This will cause very specific behavior to occur, depending on the
value specified on the SSLAuthType directive. If the SSLClientCertEnable directive
is used in addition to SSLAuthType Cert, the certificate received from the
client must be valid, as well as associated with a user ID or in an Internet
User validation list. If the SSLClientCertEnable directive is used in addition to
SSLAuthType CertOrBasic, a certificate must be received from the client, but
does not need to be associated with a user ID or in an Internet User validation
list. If the association is not present, the client will be authenticated
based on the protection setup (Basic or LDAP).</p>
<p>This directive also interacts with the PasswdFile directive. This directive
is used to help determine the type of certificate authentication to be used.
If the PasswdFile directive is set to %%SYSTEM%%, then the certificate received
from the client must be associated with an iSeries user profile in order for
the client to be authenticated. If the PasswdFile directive is set to an
internet user list, then the certificate received must be in the internet
user list in order for the client to be authenticated. Again, this authentication
is only required if the Cert option is selected on the SSLAuthType directive.
Otherwise it is only optional.</p>
</div>
</div>
<div class="hr" id="sslcachedisable"><a name="sslcachedisable"><!-- --></a><h2 class="topictitle2">SSLCacheDisable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLCacheDisable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslcachedisable__sslcachedisable_context"><a name="sslcachedisable__sslcachedisable_context"><!-- --></a>server
config, virtual host</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslcachedisable__sslcachedisable_origin"><a name="sslcachedisable__sslcachedisable_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCacheDisable</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLCacheDisable directive will cause SSL session ID caching to be disabled.
The effect of this directive will depend on the location of the directive.
If the directive is located in the configuration file for the main server,
SSL session ID caching will not be done for the server. If the directive
is located in a &lt;Virtual Host&gt; container, then SSL session ID caching will
not be done for the virtual host. The directive located at the server level
can be overridden for a particular virtual host using the SSLCacheEnable directive.
Directives SSLV2Timeout and SSLV3Timeout will be ignored when SSLCacheDisable
is set.</p>
<div class="note"><span class="notetitle">Note:</span> This directive does not contain parameters.</div>
</div>
</div>
<div class="hr" id="sslcacheenable"><a name="sslcacheenable"><!-- --></a><h2 class="topictitle2">SSLCacheEnable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLCacheEnable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLCacheEnable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslcacheenable__sslcacheenable_context"><a name="sslcacheenable__sslcacheenable_context"><!-- --></a>server
config, virtual host </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslcacheenable__sslcacheenable_origin"><a name="sslcacheenable__sslcacheenable_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCacheEnable</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLCacheEnable directive will cause SSL session ID caching to be enabled.
The effect of this directive will depend on the location of the directive.
If the directive is located in the configuration file for the main server,
SSL session ID caching will be done for the server. If the directive is located
in a &lt;Virtual Host&gt; container, then SSL session ID caching will be done
for the virtual host. The directive located at the server level can be overridden
for a particular virtual host using the SSLCacheDisable directive. An abbreviated
handshake will be done whenever a handshake is necessary. Directives SSLV2Timeout
and SSLV3Timeout will be ignored.</p>
<div class="note"><span class="notetitle">Note:</span> This directive does not contain parameters.</div>
</div>
</div>
<div class="hr" id="sslcipherban"><a name="sslcipherban"><!-- --></a><h2 class="topictitle2">SSLCipherBan</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLCipherBan <em>string</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslcipherban__sslcipherban_context"><a name="sslcipherban__sslcipherban_context"><!-- --></a>directory,
.htaccess</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslcipherban__sslcipherban_origin"><a name="sslcipherban__sslcipherban_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCipherBan 3A </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCipherBan SSL_RSA_WITH_3DES_EDE_CBC_SHA </td>
</tr>
</tbody>
</table>
</div>
<p>The SSLCipherBan directive allows for banning access to a directory based
on the cipher that is negotiated during the SSL handshake. A set of ciphers
can either be defaulted or specified using the SSLCipherSpec directive. The
cipher list then can be shortened for a specific directory. This directive
will enforce a greater level of security through the use of cipher specs.</p>
<p>The SSLCipherBan directive will directly interact with the SSLCipherRequire
directive. If a negotiated cipher is listed on the ban list, then the request
will be rejected, even if the cipher is also on the require list. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>string</em></dt>
<dd><ul><li>The <em>string</em> parameter value specifies the cipher to be used. Either
the short name or the long name in the tables below may be specified.
<div class="tablenoborder"><a name="sslcipherban__v2ciphers"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="sslcipherban__v2ciphers" frame="border" border="1" rules="all"><caption>Table 1. Version 2 ciphers</caption><thead align="left"><tr><th valign="top" width="76.0204081632653%" id="d0e546">Long name</th>
<th valign="top" width="23.97959183673469%" id="d0e548">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_WITH_3DES_EDE_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">27</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_WITH_RC4_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">21</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_WITH_RC2_CBC_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">23</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_WITH_DES_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">26</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">22</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e546 ">SSL_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e548 ">24</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><a name="sslcipherban__v3tlsciphers"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="sslcipherban__v3tlsciphers" frame="border" border="1" rules="all"><caption>Table 2. Version 3 and TLS
ciphers</caption><thead align="left"><tr><th valign="top" width="78.64583333333334%" id="d0e589">Long name</th>
<th valign="top" width="21.354166666666664%" id="d0e591">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_3DES_EDE_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">3A</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_RC4_128_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">35</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_RC4_128_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">34</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_DES_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">39</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">33</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">36</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_NULL_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">32</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e589 ">SSL_RSA_WITH_NULL_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e591 ">31</td>
</tr>
</tbody>
</table>
</div>
</li>
</ul>
</dd>
</dl>
</blockquote>
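<p>The precedence between the per-directory ban list and require list can be modelled in a few lines. This Python model is an added example, not IBM code: it uses the short and long names from Tables 1 and 2, and it assumes that a non-empty require list admits only the ciphers on it. The function names are hypothetical.</p>

```python
# Short name -> long name, copied from Tables 1 and 2 on this page.
CIPHERS = {
    "27": "SSL_WITH_3DES_EDE_CBC_MD5",
    "21": "SSL_WITH_RC4_128_MD5",
    "23": "SSL_WITH_RC2_CBC_128_MD5",
    "26": "SSL_WITH_DES_CBC_MD5",
    "22": "SSL_EXPORT_WITH_RC4_40_MD5",
    "24": "SSL_EXPORT_WITH_RC2_CBC_40_MD5",
    "3A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "35": "SSL_RSA_WITH_RC4_128_SHA",
    "34": "SSL_RSA_WITH_RC4_128_MD5",
    "39": "SSL_RSA_WITH_DES_CBC_SHA",
    "33": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "36": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "32": "SSL_RSA_WITH_NULL_SHA",
    "31": "SSL_RSA_WITH_NULL_MD5",
}
LONG_TO_SHORT = {long: short for short, long in CIPHERS.items()}


def short_name(value):
    """Normalise a directive argument: short or long name, optionally quoted."""
    v = value.strip().strip('"').upper()
    if v in CIPHERS:
        return v
    if v in LONG_TO_SHORT:
        return LONG_TO_SHORT[v]
    raise ValueError(f"unknown cipher name: {value!r}")


def decide(negotiated, require=(), ban=()):
    """Return (allowed, reason) for a request to a directory.

    require / ban hold the arguments of that directory's SSLCipherRequire
    and SSLCipherBan lines; negotiated is the cipher from the handshake.
    """
    cipher = short_name(negotiated)
    banned = {short_name(c) for c in ban}
    required = {short_name(c) for c in require}
    if cipher in banned:
        # The ban list wins even when the cipher is also on the require list.
        return False, "banned"
    if required and cipher not in required:
        # Assumption: a non-empty require list admits only listed ciphers.
        return False, "not-required"
    return True, "ok"


def contradictions(require=(), ban=()):
    """Ciphers on both lists: the ban makes the require entry ineffective."""
    both = {short_name(c) for c in require} & {short_name(c) for c in ban}
    return sorted(both)


if __name__ == "__main__":
    print(decide("SSL_RSA_WITH_3DES_EDE_CBC_SHA", require=["3A"], ban=["3A"]))
    print(contradictions(require=["3A", "35"], ban=["3A"]))
```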
</div>
</div>
<div class="hr" id="sslcipherrequire"><a name="sslcipherrequire"><!-- --></a><h2 class="topictitle2">SSLCipherRequire</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLCipherRequire <em>string</em></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslcipherrequire__sslcipherrequire_context"><a name="sslcipherrequire__sslcipherrequire_context"><!-- --></a>directory,
.htaccess</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslcipherrequire__sslcipherrequire_origin"><a name="sslcipherrequire__sslcipherrequire_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCipherRequire "27"</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCipherRequire SSL_WITH_3DES_EDE_CBC_MD5</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLCipherRequire directive allows the user to require that certain
ciphers be negotiated with the client during the SSL handshake. Specifying
that a subset of ciphers are required will force a greater level of security
for a particular directory which may not be required for all directories.
The ciphers listed here may or may not be listed using the SSLCipherSpec
directive.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>string</em></dt>
<dd><ul><li>The <em>string</em> parameter value specifies the cipher to be used. Either
the short name or the long name in the tables below may be specified.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 3. Version 2 ciphers</caption><thead align="left"><tr><th valign="top" width="76.0204081632653%" id="d0e729">Long name</th>
<th valign="top" width="23.97959183673469%" id="d0e731">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_WITH_3DES_EDE_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">27</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_WITH_RC4_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">21</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_WITH_RC2_CBC_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">23</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_WITH_DES_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">26</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">22</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e729 ">SSL_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e731 ">24</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 4. Version 3 and TLS
ciphers</caption><thead align="left"><tr><th valign="top" width="78.64583333333334%" id="d0e772">Long name</th>
<th valign="top" width="21.354166666666664%" id="d0e774">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_3DES_EDE_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">3A</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_RC4_128_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">35</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_RC4_128_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">34</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_DES_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">39</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">33</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">36</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_NULL_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">32</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e772 ">SSL_RSA_WITH_NULL_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e774 ">31</td>
</tr>
</tbody>
</table>
</div>
</li>
</ul>
</dd>
</dl>
</blockquote>
<div class="note"><span class="notetitle">Note:</span> The short and long names can be quoted. For example, SSLCipherRequire
"SSL_WITH_3DES_EDE_CBC_MD5".</div>
</div>
</div>
<div class="hr" id="sslcipherspec"><a name="sslcipherspec"><!-- --></a><h2 class="topictitle2">SSLCipherSpec</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLCipherSpec <em>string</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslcipherspec__sslcipherspec_context"><a name="sslcipherspec__sslcipherspec_context"><!-- --></a>server config,
virtual host</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslcipherspec__sslcipherspec_origin"><a name="sslcipherspec__sslcipherspec_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLCipherSpec "3A"</td>
</tr>
</tbody>
</table>
</div>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>string</em></dt>
<dd><ul><li>The <em>string</em> parameter value specifies the cipher to be used. Either
the short name or the long name in the table below may be specified.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 5. Version 2 ciphers</caption><thead align="left"><tr><th valign="top" width="76.0204081632653%" id="d0e909">Long name</th>
<th valign="top" width="23.97959183673469%" id="d0e911">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_WITH_3DES_EDE_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">27</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_WITH_RC4_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">21</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_WITH_RC2_CBC_128_MD5</td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">23</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_WITH_DES_CBC_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">26</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">22</td>
</tr>
<tr><td valign="top" width="76.0204081632653%" headers="d0e909 ">SSL_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="23.97959183673469%" headers="d0e911 ">24</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 6. Version 3 and TLS
ciphers</caption><thead align="left"><tr><th valign="top" width="78.64583333333334%" id="d0e952">Long name</th>
<th valign="top" width="21.354166666666664%" id="d0e954">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_3DES_EDE_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">3A</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_RC4_128_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">35</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_RC4_128_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">34</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_DES_CBC_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">39</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_EXPORT_WITH_RC4_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">33</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">36</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_NULL_SHA </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">32</td>
</tr>
<tr><td valign="top" width="78.64583333333334%" headers="d0e952 ">SSL_RSA_WITH_NULL_MD5 </td>
<td valign="top" width="21.354166666666664%" headers="d0e954 ">31</td>
</tr>
</tbody>
</table>
</div>
</li>
</ul>
</dd>
</dl>
</blockquote>
<p>The order of the SSLCipherSpec directives is important. The cipher suite
list passed to SSL is created by putting the first cipher listed in the configuration
file at the top of the cipher suite list. SSL uses this list as the preferred
order of ciphers.</p>
<p>This directive works in conjunction with the SSLVersion directive during
the SSL handshake. The values specified for the SSLCipherSpec directive must
correspond with the value specified on the SSLVersion directive. If this directive
is not used, a default cipher suite list is used.</p>
<div class="note"><span class="notetitle">Note:</span> The short and long names can be quoted. For example, SSLCipherSpec
"3A".</div>
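<p>The following added example (not IBM's code and not part of the original topic) audits SSLCipherSpec and SSLCipherRequire lines against the short and long names in the tables above, and reports NULL, export-grade, single-DES, RC4 and Version 2 suites, including weak suites that are listed ahead of a clean one in the preference order. The sample configuration text and all function names are constructed for illustration.</p>

```python
import re

# Short name -> long name, copied from the Version 2 and Version 3/TLS tables above.
V2 = {
    "27": "SSL_WITH_3DES_EDE_CBC_MD5", "21": "SSL_WITH_RC4_128_MD5",
    "23": "SSL_WITH_RC2_CBC_128_MD5", "26": "SSL_WITH_DES_CBC_MD5",
    "22": "SSL_EXPORT_WITH_RC4_40_MD5", "24": "SSL_EXPORT_WITH_RC2_CBC_40_MD5",
}
V3_TLS = {
    "3A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "35": "SSL_RSA_WITH_RC4_128_SHA",
    "34": "SSL_RSA_WITH_RC4_128_MD5", "39": "SSL_RSA_WITH_DES_CBC_SHA",
    "33": "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "36": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "32": "SSL_RSA_WITH_NULL_SHA", "31": "SSL_RSA_WITH_NULL_MD5",
}
SHORT_TO_LONG = {**V2, **V3_TLS}
LONG_NAMES = set(SHORT_TO_LONG.values())

# Directive name, then one cipher name that may be wrapped in double quotes.
DIRECTIVE = re.compile(r'^\s*(SSLCipherSpec|SSLCipherRequire)\s+"?([^"\s]+)"?\s*$', re.I)


def weaknesses(long_name):
    """Return the reasons a suite from the tables should not be offered."""
    issues = []
    if "_NULL_" in long_name:
        issues.append("no encryption (NULL cipher)")
    if "EXPORT" in long_name:
        issues.append("40-bit export-grade key")
    if "_DES_CBC_" in long_name:          # single DES; 3DES names contain _3DES_EDE_CBC_
        issues.append("56-bit single DES")
    if "_RC4_" in long_name:
        issues.append("RC4 stream cipher")
    if long_name in V2.values():
        issues.append("SSL Version 2 suite")
    return issues


def audit(config_text):
    """Return (line number, directive, cipher, issues) for each cipher directive, in file order."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, value = match.group(1), match.group(2).upper()
        long_name = SHORT_TO_LONG.get(value, value if value in LONG_NAMES else None)
        issues = ["unknown cipher name"] if long_name is None else weaknesses(long_name)
        findings.append((lineno, directive, long_name or value, issues))
    return findings


def outranking_weak(findings):
    """SSLCipherSpec order is preference order: list weak suites placed above a clean one."""
    specs = [f for f in findings if f[1].lower() == "sslcipherspec"]
    clean = [i for i, f in enumerate(specs) if not f[3]]
    if not clean:
        return []
    return [f[2] for f in specs[:clean[-1]] if f[3]]


# Constructed sample configuration, not taken from a real server.
SAMPLE_CONFIG = """\
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SSLCipherSpec "33"
SSLCipherSpec SSL_RSA_WITH_NULL_SHA
SSLCipherSpec "3A"
SSLCipherSpec 2Z
SSLCipherRequire "27"
"""

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for lineno, directive, cipher, issues in results:
        print(f"line {lineno}: {directive} {cipher}: {', '.join(issues) or 'ok'}")
    print("weak suites preferred over a clean one:", outranking_weak(results))
```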
</div>
</div>
<div class="hr" id="sslclientauth"><a name="sslclientauth"><!-- --></a><h2 class="topictitle2">SSLClientAuth</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLClientAuth <em>type</em></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLClientAuth none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslclientauth__sslclientauth_context"><a name="sslclientauth__sslclientauth_context"><!-- --></a>server config,
virtual host </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslclientauth__sslclientauth_origin"><a name="sslclientauth__sslclientauth_origin"><!-- --></a>iSeries </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLClientAuth 2</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLClientAuth directive is used to indicate the type of client-side
SSL certificate validation that is required for the server.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>type</em></dt>
<dd><ul><li>The <em>type</em> parameter value specifies the client-side SSL certificate
validation required for the server. Valid values include:<dl class="dlexpand"><dt class="dltermexpand"><em>0</em> or <em>none</em></dt>
<dd>No client certificate is required.</dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand"><em>1</em> or <em>optional</em></dt>
<dd>The client may present a valid certificate. </dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand"><em>2</em> or <em>required</em></dt>
<dd>The client must present a valid certificate.</dd>
</dl>
</li>
</ul>
</dd>
</dl>
</blockquote>
<p>The default value of this directive is <em>0</em>, or <em>none</em>, indicating
that no certificate is requested or required from the client. If an incorrect
value is specified, an error message is issued and the server will not start.
A value of <em>1</em>, or <em>optional</em>, will cause the server to request
a certificate from the client, and the SSL connection will be made even if
a certificate is not received. A value of <em>1</em> does not require the certificate
received from the client to be valid. A value of <em>2</em>, or <em>required</em>,
will cause the server to request a certificate from the client. If a valid
certificate is not received, the client request will be rejected. </p>
</div>
</div>
<div class="hr" id="sslclientauthgroup"><a name="sslclientauthgroup"><!-- --></a><h2 class="topictitle2">SSLClientAuthGroup</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLClientAuthGroup <em>groupname attribute-expression</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="sslclientauthgroup__sslclientauthgroup_context"><a name="sslclientauthgroup__sslclientauthgroup_context"><!-- --></a>server
config, virtual host </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslclientauthgroup__sslclientauthgroup_origin"><a name="sslclientauthgroup__sslclientauthgroup_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLClientAuthGroup IBMpeople Org = IBM</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLClientAuthGroup directive is used to assign a group name to a set
of specific client certificate attributes to be used on the SSLClientAuthRequire
directive. To indicate the attributes, a validated certificate must be presented
before the server will allow access to the directory. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>groupname</em></dt>
<dd><ul><li>The <em>groupname</em> parameter value specifies the group name for the
client certificate. A group name cannot include spaces.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>attribute-expression</em></dt>
<dd><ul><li>The attribute-expression parameter value specifies the attribute for a
validated certificate to be used for client authentication. Either the long
name or the short name may be used in this directive. Valid values include:
<div class="tablenoborder"><a name="sslclientauthgroup__attributexpression"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="sslclientauthgroup__attributexpression" frame="border" border="1" rules="all"><caption>Table 7. Attribute values</caption><thead align="left"><tr><th valign="top" width="60.40609137055838%" id="d0e1241">Long name</th>
<th valign="top" width="39.59390862944163%" id="d0e1243">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerStateOrProvince </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IST</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerCommonName </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">ICN </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerOrgUnit </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IOU</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerCountry </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IC </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerLocality </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IL </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerOrg </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IO </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerEmail</td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IE</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">IssuerPostalCode </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">IPC</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">StateOrProvince </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">ST</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">CommonName </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">CN</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">OrgUnit </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">OU </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">Country </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">C</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">Locality </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">L </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">Org </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">O </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">PostalCode </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">PC </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1241 ">SerialNumber </td>
<td valign="top" width="39.59390862944163%" headers="d0e1243 ">SN</td>
</tr>
</tbody>
</table>
</div>
<div class="note"><span class="notetitle">Note:</span> The short and long names can be quoted. For example, SSLClientAuthGroup
IBMpeople "Org = IBM".</div>
</li>
</ul>
</dd>
</dl>
<p>The user specifies a logic string of specific client certificate
attributes, and a group name is assigned to these attributes. Multiple subexpressions
can be logically ANDed, ORed, or NOTed to configure the desired group of
client certificate attributes. Valid equalities include '=' and '!='. </p>
<dl><dt class="dlterm"><strong>Example One</strong></dt>
<dd><pre>SSLClientAuthGroup IBMpeople Org=IBM</pre>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Example Two</strong></dt>
<dd><pre>SSLClientAuthGroup MNIBM ST=MN &amp;&amp; Org=IBM</pre>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="sslclientauthrequire"><a name="sslclientauthrequire"><!-- --></a><h2 class="topictitle2">SSLClientAuthRequire</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLClientAuthRequire attribute-expression </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslclientauthrequire__sslclientauthrequire_origin"><a name="sslclientauthrequire__sslclientauthrequire_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLClientAuthRequire group != IBMpeople &amp;&amp;
ST= MN </td>
</tr>
</tbody>
</table>
</div>
<p>The SSLClientAuthRequire directive is used to provide specific client
certificate attributes, or groups of attributes, that must be validated before
the server will allow access to the directory. If the certificate received
does not have a particular attribute, then the server does not check for an attribute
match. Even if the matching value is " ", this may still not be the same
as not having the attribute there at all. Any attribute specified on the
SSLClientAuthRequire directive and not available on the certificate causes the request
to be rejected. </p>
<p>The following is a list of the attribute values that may be specified on
this directive: </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 8. Attribute values</caption><thead align="left"><tr><th valign="top" width="60.40609137055838%" id="d0e1417">Long name</th>
<th valign="top" width="39.59390862944163%" id="d0e1419">Short name</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerStateOrProvince </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IST</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerCommonName </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">ICN </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerOrgUnit </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IOU</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerCountry </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IC </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerLocality </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IL </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerOrg </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IO </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerEmail</td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IE</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">IssuerPostalCode </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">IPC</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">StateOrProvince </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">ST</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">CommonName </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">CN</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">OrgUnit </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">OU </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">Country </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">C</td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">Locality </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">L </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">Org </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">O </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">PostalCode </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">PC </td>
</tr>
<tr><td valign="top" width="60.40609137055838%" headers="d0e1417 ">SerialNumber </td>
<td valign="top" width="39.59390862944163%" headers="d0e1419 ">SN</td>
</tr>
</tbody>
</table>
</div>
<p> Either the long name or the short name may be used in this directive.</p>
<p> The user specifies a logic string of specific client certificate attributes.
Multiple subexpressions can be logically ANDed, ORed, or NOTed to configure
the desired client certificate attributes. Valid logical symbols include
'=' and '!='. The user may also specify a group name, configured on the SSLClientAuthGroup
directive, that allows a group of attributes to be configured.</p>
<p> Multiple SSLClientAuthRequire directives may be specified for each directory,
and each attribute specified is used to check the attributes in the client
certificate. Multiple directives place a logical AND on the attributes specified
with the directives.</p>
<div class="note"><span class="notetitle">Example 1:</span> SSLClientAuthRequire (CommonName="John
Doe" || StateOrProvince=MN) &amp;&amp; Org !=IBM</div>
<div class="note"><span class="notetitle">Example 2:</span> SSLClientAuthRequire group!=IBMpeople &amp;&amp;
ST=MN<var class="varname"></var></div>
<div class="note"><span class="notetitle">Note:</span> The short and long names can be quoted. For example, SSLClientAuthRequire
group != IBMpeople &amp;&amp; "ST= MN"</div>
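<p>The evaluation rules described above, modelled as an added example (not IBM's implementation): it parses attribute-expressions with '=', '!=', '&amp;&amp;', '||', parentheses and group references, ANDs multiple SSLClientAuthRequire directives, and rejects the request when a named attribute is absent from the certificate, which matters most for '!=' comparisons. Assumptions: names and values match exactly and case-sensitively, a missing attribute inside a group expression also rejects, and unary NOT is left out because the page does not show its symbol; the certificates in the usage section are constructed.</p>

```python
import re

# Long name -> short name, copied from the attribute table above.
ATTRS = {
    "IssuerStateOrProvince": "IST", "IssuerCommonName": "ICN", "IssuerOrgUnit": "IOU",
    "IssuerCountry": "IC", "IssuerLocality": "IL", "IssuerOrg": "IO",
    "IssuerEmail": "IE", "IssuerPostalCode": "IPC", "StateOrProvince": "ST",
    "CommonName": "CN", "OrgUnit": "OU", "Country": "C", "Locality": "L",
    "Org": "O", "PostalCode": "PC", "SerialNumber": "SN",
}
# Accept either spelling; certificates in this model are dicts keyed by short name.
NAMES = dict(ATTRS)
NAMES.update({short: short for short in ATTRS.values()})

TOKEN = re.compile(r'\(|\)|&&|\|\||!=|=|"[^"]*"|[^\s()=!&|"]+')


class Reject(Exception):
    """The expression cannot be evaluated for this certificate: deny (fail closed)."""


def evaluate(expression, cert, groups):
    """Evaluate one attribute-expression; raise Reject on a missing attribute or bad syntax."""
    toks = TOKEN.findall(expression)
    # Refuse input containing characters the tokenizer silently skipped (e.g. a stray '!').
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expression):
        raise Reject("unrecognised character in expression")
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise Reject("unexpected end of expression")
        pos += 1
        return toks[pos - 1]

    def comparison():
        tok = take()
        if tok == "(":
            result = or_expr()
            if take() != ")":
                raise Reject("missing ')'")
            return result
        if tok.startswith('"') and "=" in tok:   # quoted subexpression such as "ST= MN"
            return evaluate(tok[1:-1], cert, groups)
        op, value = take(), take()
        value = value[1:-1] if value.startswith('"') else value
        if op not in ("=", "!="):
            raise Reject(f"bad operator {op!r}")
        if tok == "group":
            if value not in groups:
                raise Reject(f"undefined group {value!r}")
            matched = evaluate(groups[value], cert, groups)
        else:
            short = NAMES.get(tok)
            if short is None:
                raise Reject(f"unknown attribute {tok!r}")
            if short not in cert:                # absent attribute is never "not equal"
                raise Reject(f"certificate has no {short} attribute")
            matched = cert[short] == value
        return matched if op == "=" else not matched

    def and_expr():
        result = comparison()
        while peek() == "&&":
            take()
            rhs = comparison()                   # always evaluated, so a missing attribute rejects
            result = result and rhs
        return result

    def or_expr():
        result = and_expr()
        while peek() == "||":
            take()
            rhs = and_expr()
            result = result or rhs
        return result

    result = or_expr()
    if pos != len(toks):
        raise Reject(f"unexpected token {toks[pos]!r}")
    return result


def access_allowed(requires, cert, groups):
    """Multiple SSLClientAuthRequire directives are ANDed; any Reject denies access."""
    try:
        return all([evaluate(expr, cert, groups) for expr in requires])
    except Reject:
        return False


if __name__ == "__main__":
    groups = {"IBMpeople": "Org=IBM"}            # from the SSLClientAuthGroup example
    requires = ['(CommonName="John Doe" || StateOrProvince=MN) && Org !=IBM',
                "group!=IBMpeople && ST=MN"]
    for cert in ({"CN": "Jane Roe", "ST": "MN", "O": "Example Corp"},   # constructed
                 {"CN": "Jane Roe", "ST": "MN"}):                       # constructed, no Org
        print(cert, "allowed" if access_allowed(requires, cert, groups) else "denied")
```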
</div>
</div>
<div class="hr" id="sslclientcertdisable"><a name="sslclientcertdisable"><!-- --></a><h2 class="topictitle2">SSLClientCertDisable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLClientCertDisable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</samp> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLClientCertDisable</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLClientCertDisable directive indicates to the server that a valid
certificate is not required in order to access this directory. </p>
<p> This directive may be used in conjunction with the SSLAuthType directive.
If specified in addition to the SSLAuthTypeCert directive, the certificate
received only needs to be associated with a user ID or an Internet user.</p>
<p> This directive negates the SSLClientCertEnable directive.</p>
</div>
</div>
<div class="hr" id="sslclientcertenable"><a name="sslclientcertenable"><!-- --></a><h2 class="topictitle2">SSLClientCertEnable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLClientCertEnable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLClientCertEnable</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLClientCertEnable directive indicates to the server that a valid
certificate is required in order to access this directory. </p>
<p>This directive may be used in conjunction with the SSLAuthType directive.
</p>
<p>If specified in addition to the SSLAuthTypeCert directive, the certificate
received needs to be valid, as well as associated with a user ID or an Internet
user. This directive is negated by the SSLClientCertDisable directive. </p>
</div>
</div>
<div class="hr" id="ssldenyssl"><a name="ssldenyssl"><!-- --></a><h2 class="topictitle2">SSLDenySSL</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLDenySSL</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthConfig</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLDenySSL </td>
</tr>
</tbody>
</table>
</div>
<p> The SSLDenySSL directive will deny access to the directory when SSL is
used for the request. This directive interacts somewhat with the SSLRequireSSL
directive. If a directory has both the SSLRequireSSL and the SSLDenySSL directives
specified, then the last directive in the directory scope will take effect.
Since this directive is scoped to a directory, a server or a virtual host
may also have SSLRequireSSL for some directories, but SSLDenySSL for other
directories. Also, more specific directory container directives will override
previously specified directives for a less specific directory.</p>
<div class="note"><span class="notetitle">Example:</span> <pre>&lt;Directory /ABC&gt;
SSLRequireSSL
&lt;/Directory&gt;
&lt;Directory /ABC/DEF&gt;
SSLDenySSL
&lt;/Directory&gt;</pre>
<p> This example will require SSL for directory
/ABC, but deny SSL for directory /ABC/DEF.</p>
</div>
</div>
</div>
<div class="hr" id="ssldisable"><a name="ssldisable"><!-- --></a><h2 class="topictitle2">SSLDisable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLDisable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLDisable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="ssldisable__directiveName_origin"><a name="ssldisable__directiveName_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLDisable</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLDisable directive causes SSL to be disabled for the server or
virtual host. The effect of this directive will depend on the location of
the directive. If the directive is located in the configuration file for
the main server, SSL will not be allowed for the server. If the directive
is located in a &lt;VirtualHost&gt; container, then SSL will not be allowed
for the virtual host. The directive located at the server level can be overridden
for a particular virtual host using the SSLEnable directive.</p>
</div>
</div>
<div class="hr" id="sslenable"><a name="sslenable"><!-- --></a><h2 class="topictitle2">SSLEnable</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLEnable</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLEnable </td>
</tr>
</tbody>
</table>
</div>
<p> The SSLEnable directive will cause SSL to be enabled. The effect of this
directive will depend on the location of the directive. If the directive is
located in the configuration file for the main server, SSL will be required
for the server. If the directive is located in a &lt;VirtualHost&gt; container,
then SSL will be required for the virtual host. The directive, located at
the server level, can be overridden for a particular virtual host using the
SSLDisable directive. This directive requires that the directive SSLAppName
be set.</p>
<div class="note"><span class="notetitle">Note:</span> Some applications need SetEnv HTTPS_PORT &lt;port&gt; configured when SSLEnable
is configured.</div>
</div>
</div>
<div class="hr" id="sslengine"><a name="sslengine"><!-- --></a><h2 class="topictitle2">SSLEngine</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLEngine <var class="varname">On | Off | Optional</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLEngine Off</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Apache</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: The server must be restarted
prior to using the directive. A LoadModule is required in the configuration
file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule
ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLEngine On</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLEngine directive toggles the usage of SSL processing. If SSLEngine <var class="varname">On</var> is
specified, SSL processing is enabled. If SSLEngine <var class="varname">Off</var> is
specified, SSL processing is disabled. If SSLEngine <var class="varname">Optional</var> is
specified, SSL processing is turned on to handle upgrading a non-SSL connection
to an SSL connection. The effect of this directive depends on the location
of the directive. If the directive is located in the configuration file for
the main server, the type of SSL processing is set for the entire server.
If the directive is located in a &lt;VirtualHost&gt; container, then the type
of SSL processing is set for only that virtual host. If this directive is
set at the server level, it can be overridden for a particular virtual host
by specifying the other allowed option. SSLEngine <var class="varname">On</var> is
equivalent to SSLEnable, SSLEngine <var class="varname">Off</var> is equivalent to
SSLDisable, and SSLEngine Optional is equivalent to SSLUpgrade. These directives
can be used interchangeably. The SSLEngine directive is being added in order
to be compatible with Apache's mod_ssl. </p>
<p>If SSLEngine <var class="varname">On</var> or SSLEngine <var class="varname">Optional</var> is
configured, the directive SSLAppName must also be configured.</p>
<p>See also SSLEnable, SSLDisable, SSLUpgrade, and SSLAppName.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds </em></dt>
<dd><ul><li> The <var class="varname">seconds</var> parameter has a valid value range of 1
to 86400 seconds. If the value specified is greater than 86400, or less than
1, then the default value of 86400 seconds will be used as the timeout value.
This value is used for negotiated SSL Version 3, or TLS Version 1, sessions.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="sslproxyappname"><a name="sslproxyappname"><!-- --></a><h2 class="topictitle2">SSLProxyAppName</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLProxyAppName <var class="varname">server_application_name</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: The server must be restarted
prior to using the directive.</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLProxyAppName QIBM_HTTP_CLIENT_APACHE</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLProxyAppName directive is used to:</p>
<ul><li>uniquely label the proxy server as a client application that intends
to use SSL to a remote content server.</li>
<li>keep track of the registered name used by the proxy server. </li>
<li>identify the server when association of a client certificate with a
secure application is done in the Digital Certificate Manager (DCM).</li>
<li>identify the server to the SSL APIs so that the SSL APIs can use
the certificate that is associated with the server.</li>
</ul>
<p> The registration of the secure client application and the creation of
the SSLProxyAppName is done automatically when the system administrator enables
the SSL Proxy engine for the server using the HTTP Server configuration GUI.
The association of a client certificate with the application is accomplished
by the system administrator using DCM: after a secure client application is
registered, and before attempting to start the server with the SSL proxy engine
enabled and SSLProxyAppName configured, the user must use DCM to assign a
client certificate to the corresponding secure application. Since this directive
is valid at the virtual host level, the server may have more than one certificate
assigned, with each virtual host having a different application name. The
specified value on this directive is the name of the application that the
server or virtual host is known as. If both the SSLProxyAppName directive
and the SSLProxyMachineCertificateFile directive are configured for the server,
then the SSLProxyAppName directive is used to identify the client certificate
and the handshake processing.</p>
</div>
</div>
<div class="hr" id="sslproxyengine"><a name="sslproxyengine"><!-- --></a><h2 class="topictitle2">SSLProxyEngine</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLProxyEngine <var class="varname">On | Off</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLProxyEngine Off</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Apache</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: The server must be restarted
prior to using the directive. This directive requires that either the SSLProxyAppName
directive or the SSLProxyMachineCertificateFile be configured. Use of the
SSLProxyMachineCertificateFile directive is required if the remote content
server does not require a client certificate to be sent by the proxy server
during the handshake process. If a certificate will be required by the remote
content server, then the SSLProxyAppName should be used to identify the client
certificate to use on the handshake. </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLProxyEngine On</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLProxyEngine directive toggles the usage of SSL connections to be
used by the proxy to connect to the content server. This is usually used
inside a &lt;VirtualHost&gt; section to enable SSL/TLS for proxy usage in a particular
virtual host. </p>
</div>
</div>
<div class="hr" id="sslproxyverify"><a name="sslproxyverify"><!-- --></a><h2 class="topictitle2">SSLProxyVerify</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLProxyVerify <var class="varname">1 | Optional
| 2 | Required</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLProxyVerify <var class="varname">Required</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Apache</td>
</tr>
<tr><td colspan="2" valign="top">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: <ol><li>SSLProxyVerify <var class="varname">2</var> </li>
<li>SSLProxyVerify <var class="varname">Required</var></li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLProxyVerify directive is used to indicate the type of server-side
SSL certificate validation that is required by the proxy server. The following
values are valid for the SSLProxyVerify directive:</p>
<div class="p"><ul><li>(1 or Optional) - The content server may present a valid certificate.</li>
<li>(2 or Required) - The content server must present a valid, trusted certificate.</li>
</ul>
</div>
<p> The default value of this directive is 2 or Required, indicating that
the content server certificate must be valid and have a trusted root. If
an incorrect value is specified, an error message is issued and the server
will not start. </p>
<p>The proxy server requires a certificate to be received from the content
server. However, this certificate may be expired, or not be trusted by the
server CA, as configured on the SSLProxyAppName directive or the SSLProxyMachineCertificatePath
directive. This will result in a handshake failure if 2 or Required is configured.
</p>
<p>A value of 1 or Optional will cause the proxy server to allow for an expired
content server certificate, or allow for the content server certificate to
not be trusted by the server application ID configured. This will result
in the handshake completing successfully. </p>
</div>
</div>
<div class="hr" id="sslproxyversion"><a name="sslproxyversion"><!-- --></a><h2 class="topictitle2">SSLProxyVersion</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLProxyVersion <var class="varname">SSLV2 | SSLV3
| TLSV1 | TLSV1_SSLV3 | ALL </var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLProxyVersion ALL</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Modified</td>
</tr>
<tr><td colspan="2" valign="top">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLProxyVersion TLSV1</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLProxyVersion directive specifies the SSL version that is negotiated
with the remote content server during the SSL agreement that takes place when
connecting the Apache proxy server to the content server via the SSL protocol.
The version specified must be negotiated or access to the content server is denied.</p>
<p>There are five possible values for this directive:</p>
<dl><dt class="dlterm">SSLV2</dt>
<dd>SSL Version 2.0 only</dd>
<dt class="dlterm">SSLV3</dt>
<dd>SSL Version 3.0 only</dd>
<dt class="dlterm">TLSV1</dt>
<dd>TLS Version 1.0 only</dd>
<dt class="dlterm">TLSV1_SSLV3</dt>
<dd>TLS Version 1.0 with SSL V3.0 compatibility</dd>
<dt class="dlterm">ALL (default)</dt>
<dd>TLS Version 1.0 with SSLV2.0 &amp; SSL V3.0 compatibility</dd>
</dl>
<p>The server defaults to ALL indicating that the server accepts any version
that is negotiated.</p>
</div>
</div>
<div class="hr" id="sslrequiressl"><a name="sslrequiressl"><!-- --></a><h2 class="topictitle2">SSLRequireSSL</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLRequireSSL</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none (if neither SSLRequireSSL nor SSLDenySSL
is configured, the client may access the container using a secure or non-secure
connection)</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLRequireSSL </td>
</tr>
</tbody>
</table>
</div>
<p> The SSLRequireSSL directive will deny access to the directory whenever
SSL is not used for the request. This is used to ensure that the client uses
the SSL protocol to access a directory, and helps protect the resources in
the directory from being accessed, even though there may be errors in the
server configuration.</p>
<p> This directive interacts with the SSLDenySSL directive. If a directory
has both the SSLRequireSSL and the SSLDenySSL directives specified, the last
directive in the directory scope will take effect. Since this directive is
scoped to a directory, a server or a virtual host may also have SSLRequireSSL
for some directories, but SSLDenySSL for other directories. Also, more specific
directory container directives will override previously specified directives
for a less specific directory. </p>
<div class="note"><span class="notetitle">Example:</span> <pre>&lt;Directory /ABC&gt;
SSLRequireSSL
&lt;/Directory&gt;
&lt;Directory /ABC/DEF&gt;
SSLDenySSL
&lt;/Directory&gt;</pre>
</div>
<p> This example will require SSL for directory /ABC, but deny SSL for directory
/ABC/DEF.</p>
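<p>The precedence rules above (last directive within a directory scope wins, and a more specific directory overrides a less specific one) can be checked against a configuration before it is deployed. The following is an added example, not code from the original page or from IBM; the function names, the sample paths, and the case-sensitive match on whole path components are assumptions of this sketch, and nested containers and .htaccess files are not modeled.</p>

```python
import re

# Constructed sample configuration (not from a real server). /ABC lists both
# directives, so the last one in that scope (SSLRequireSSL) takes effect.
DIRECTORY_CONF = """\
<Directory /ABC>
    SSLDenySSL
    SSLRequireSSL
</Directory>
<Directory /ABC/DEF>
    SSLDenySSL
</Directory>
<Directory /PUBLIC>
    Options None
</Directory>
"""

_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
_CLOSE = re.compile(r'</Directory\s*>', re.IGNORECASE)


def parse_directory_policies(conf_text):
    """Return {directory: 'require' | 'deny'} for each <Directory> that sets one."""
    policies = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
            continue
        if _CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue
        word = line.split()[0].lower()
        # A later directive in the same scope replaces the earlier one.
        if word == "sslrequiressl":
            policies[current] = "require"
        elif word == "ssldenyssl":
            policies[current] = "deny"
    return policies


def _covers(directory, path):
    """True if path is the directory itself or lies below it (whole components only)."""
    if directory == "/":
        return True
    return path == directory or path.startswith(directory + "/")


def effective_policy(policies, path):
    """Policy of the most specific configured directory covering path, or None."""
    best = None
    for directory in policies:
        if _covers(directory, path) and (best is None or len(directory) > len(best)):
            best = directory
    return policies[best] if best is not None else None


def is_allowed(policies, path, over_ssl):
    """Apply the effective policy to one request."""
    policy = effective_policy(policies, path)
    if policy == "require":
        return over_ssl
    if policy == "deny":
        return not over_ssl
    return True  # neither directive applies: secure or non-secure access


if __name__ == "__main__":
    rules = parse_directory_policies(DIRECTORY_CONF)
    for p in ("/ABC/index.html", "/ABC/DEF/file", "/ABCD/file", "/PUBLIC/x"):
        print(p, effective_policy(rules, p))
```

<p>A path such as /ABCD is not covered by the /ABC container, so a resource placed there is reachable without SSL unless its own directory carries SSLRequireSSL.</p>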
</div>
</div>
<div class="hr" id="sslupgrade"><a name="sslupgrade"><!-- --></a><h2 class="topictitle2">SSLUpgrade</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLUpgrade</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLUpgrade</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLUpgrade directive enables a server to support a client request to
upgrade a normal non-SSL connection to a Transport Layer Security (TLS) connection
(for a single request). This directive's effectiveness will depend on the
directive location. If the directive is located in the main server configuration
file, any connection to the server will be eligible for a TLS upgrade. If
the directive is located in a &lt;VirtualHost&gt; container, only the connection
to that virtual host will be eligible for the upgrade. The directive, located
at the server level, can be overridden for a particular virtual host using
the SSLDisable or SSLEnable directives. SSLUpgrade requires that the directive
SSLAppName is defined.</p>
<p>The SSLVersion directive is affected by SSLUpgrade. If SSLUpgrade is configured,
the SSLVersion that is negotiated on the handshake will only be TLS. The SSLVersion
specified in the configuration file will be ignored.</p>
<p>The SSLCipherSpec directive is also affected by SSLUpgrade. If SSLUpgrade
is configured, only SSLV3/TLS ciphers are allowed. If SSLCipherSpec specifies
SSL version 2 ciphers, these ciphers will be ignored, and only configured
SSLV3/TLS ciphers will be allowed. If there are no SSLV3/TLS ciphers configured,
the defined default system cipher list will be used. </p>
<p>The SSLRequireSSL directive may be configured for a resource that is accessed
through an upgraded connection. If the upgrade is requested as a part of the
request through the use of the upgrade header, the SSLRequireSSL directive
will be enforced before the connection is upgraded. This will allow the request
to be processed, since the connection will be upgraded to SSL before the request
has been handled, and the reply has been sent. </p>
<p>The SSLDenySSL directive will be enforced in the same manner as the SSLRequireSSL
directive. If the request for the resource is received along with the upgrade
header request, the request will be denied with a 403, Forbidden, response
returned to the client, since the request will be processed after the connection
has been upgraded.</p>
</div>
</div>
<div class="hr" id="sslversion"><a name="sslversion"><!-- --></a><h2 class="topictitle2">SSLVersion</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLVersion <var class="varname">version</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLVersion ALL</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLVersion TLSV1</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLVersion directive specifies the SSL version that will be negotiated
with the client during the SSL handshake. The version specified must be negotiated
or access to the specified resource will be denied. </p>
<p>There are five possible values for this directive: </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 9. Directive values</caption><thead align="left"><tr><th valign="top" width="30.456852791878177%" id="d0e2456">Value</th>
<th valign="top" width="69.54314720812182%" id="d0e2458">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="30.456852791878177%" headers="d0e2456 ">SSLV2</td>
<td valign="top" width="69.54314720812182%" headers="d0e2458 ">SSL Version 2.0 only</td>
</tr>
<tr><td valign="top" width="30.456852791878177%" headers="d0e2456 ">SSLV3</td>
<td valign="top" width="69.54314720812182%" headers="d0e2458 ">SSL Version 3.0 only</td>
</tr>
<tr><td valign="top" width="30.456852791878177%" headers="d0e2456 ">TLSV1</td>
<td valign="top" width="69.54314720812182%" headers="d0e2458 ">TLS Version 1.0 only</td>
</tr>
<tr><td valign="top" width="30.456852791878177%" headers="d0e2456 ">TLSV1_SSLV3</td>
<td valign="top" width="69.54314720812182%" headers="d0e2458 ">TLS Version 1.0 with SSL Version 3.0 compatibility</td>
</tr>
<tr><td valign="top" width="30.456852791878177%" headers="d0e2456 ">ALL</td>
<td valign="top" width="69.54314720812182%" headers="d0e2458 ">TLS Version 1.0 with SSL Version 2.0 and SSL Version
3.0 compatibility</td>
</tr>
</tbody>
</table>
</div>
<p> The server will default to ALL indicating that the server will accept
any version that is negotiated.</p>
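<p>Several defaults and dependencies described in the SSLEnable, SSLEngine, SSLProxyEngine, SSLProxyVerify, SSLProxyVersion and SSLVersion sections are easy to miss in a large configuration file. The following audit sketch is an added example, not code from the original page or from IBM; the finding codes, the application name QIBM_HTTP_SERVER_EXAMPLE, the addresses, and the assumption that a virtual host inherits every server-level setting it does not override are this example's own.</p>

```python
import re

# Constructed sample configuration (not from a real server).
SERVER_CONF = """\
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SSLDisable
<VirtualHost 10.0.0.1:443>
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_EXAMPLE
</VirtualHost>
<VirtualHost 10.0.0.2:443>
    SSLEnable
    SSLVersion TLSV1
</VirtualHost>
<VirtualHost 10.0.0.3:8080>
    SSLProxyEngine On
    SSLProxyAppName QIBM_HTTP_CLIENT_APACHE
    SSLProxyVerify Optional
    SSLProxyVersion TLSV1
</VirtualHost>
"""

# SSLEnable, SSLDisable and SSLUpgrade are interchangeable with SSLEngine values.
MODE_ALIASES = {"sslenable": "on", "ssldisable": "off", "sslupgrade": "optional"}
# Values that permit SSL 2.0 or SSL 3.0. Treating them as findings is this
# example's policy: both protocols are deprecated (RFC 6176, RFC 7568).
LEGACY_VERSIONS = {"SSLV2", "SSLV3", "TLSV1_SSLV3", "ALL"}


def parse_scopes(conf_text):
    """Return {scope: {directive_lowercase: last_value}}; 'server' is the main server."""
    scopes = {"server": {}}
    current = "server"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = "vhost " + opened.group(1).strip()
            scopes[current] = {}
            continue
        if re.match(r"</VirtualHost\s*>", line, re.IGNORECASE):
            current = "server"
            continue
        if line.startswith("<"):
            continue  # other container tags are not interpreted here
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in MODE_ALIASES:
            name, value = "sslengine", MODE_ALIASES[name]
        scopes[current][name] = value
    return scopes


def audit(conf_text):
    """Return a list of (scope, finding_code) tuples in configuration order."""
    scopes = parse_scopes(conf_text)
    server = scopes["server"]
    findings = []
    for scope, own in scopes.items():
        eff = dict(server)
        eff.update(own)  # assumption: the virtual host value overrides the server value
        mode = eff.get("sslengine", "off").lower()  # documented default: SSL disabled
        if mode in ("on", "optional"):
            if not eff.get("sslappname"):
                findings.append((scope, "SSL_WITHOUT_APPNAME"))
            # With SSLUpgrade only TLS is negotiated and SSLVersion is ignored,
            # so the version check applies to mode "on" only.
            if mode == "on" and eff.get("sslversion", "ALL").upper() in LEGACY_VERSIONS:
                findings.append((scope, "LEGACY_SSL_VERSION"))
        if eff.get("sslproxyengine", "off").lower() == "on":
            if not (eff.get("sslproxyappname")
                    or eff.get("sslproxymachinecertificatefile")):
                findings.append((scope, "PROXY_WITHOUT_IDENTITY"))
            # 1 / Optional lets the handshake complete with an expired or
            # untrusted content server certificate.
            if eff.get("sslproxyverify", "required").lower() in ("1", "optional"):
                findings.append((scope, "PROXY_VERIFY_OPTIONAL"))
            if eff.get("sslproxyversion", "ALL").upper() in LEGACY_VERSIONS:
                findings.append((scope, "LEGACY_PROXY_VERSION"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SERVER_CONF):
        print(scope, code)
```

<p>The first virtual host is flagged only because SSLVersion is left unset and therefore defaults to ALL.</p>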
</div>
</div>
<div class="hr" id="sslv2timeout"><a name="sslv2timeout"><!-- --></a><h2 class="topictitle2">SSLV2Timeout</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLV2Timeout <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLV2Timeout 100</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="sslv2timeout__directiveName_origin"><a name="sslv2timeout__directiveName_origin"><!-- --></a>iSeries</span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLV2Timeout 32</td>
</tr>
</tbody>
</table>
</div>
<p> The SSLV2Timeout directive specifies the timeout value for the session
ID caching done by sockets that will be used on the SSL session. This directive
indicates the number of seconds in which the internal SSL session identifier
will expire. The session identifier is maintained by sockets. It allows caching
of handshake information in order to allow for a shortened handshake to be
done if the timeout value has not been reached. Lower values are safer but
slower, because the complete handshake will be done after each timeout. If
client certificates are being requested by the server, they will also be required
to be presented again at each timeout.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li> The <var class="varname">seconds</var> parameter has a valid value range of 1
to 100 seconds. If the value specified is greater than 100, or less than 1,
then the default value of 100 seconds will be used as the timeout value. This
value is used for negotiated SSL Version 2 sessions.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="sslv3timeout"><a name="sslv3timeout"><!-- --></a><h2 class="topictitle2">SSLV3Timeout</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ssl</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: SSLV3Timeout <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: SSLV3Timeout 86400</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: server config, virtual host</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM </samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: SSLV3Timeout 32</td>
</tr>
</tbody>
</table>
</div>
<p>The SSLV3Timeout directive specifies the timeout value for the session
ID caching that sockets perform for the SSL session. The value is the number
of seconds after which the internal SSL session identifier expires. The
session identifier is maintained by sockets. It caches handshake information
so that a shortened handshake can be done as long as the timeout value has
not been reached. Lower values are safer but slower, because the complete
handshake is done after each timeout. If the server requests client
certificates, the client must also present its certificate again at each
timeout.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li> The <var class="varname">seconds</var> parameter has a valid value range of 1
to 86400 seconds. If the value specified is greater than 86400, or less than
1, then the default value of 86400 seconds will be used as the timeout value.
This value is used for negotiated SSL Version 3, or TLS Version 1, sessions.</li>
</ul>
</dd>
</dl>
</blockquote>
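<p>Because an out-of-range value for SSLV2Timeout or SSLV3Timeout falls back to the default, which is also the maximum, a mistyped value produces the longest cache lifetime rather than an error. The following is an added example, not part of the original IBM documentation or IBM code: a configuration audit that computes the timeout the server would actually apply. The function names, the <samp class="codeph">policy_max</samp> ceiling and the sample configuration are assumptions made for illustration.</p>

```python
import re

# Valid range and default for each directive, as documented above.
LIMITS = {"sslv2timeout": (1, 100, 100), "sslv3timeout": (1, 86400, 86400)}
DIRECTIVE = re.compile(r"^\s*(SSLV[23]Timeout)\s+(\S+)", re.IGNORECASE)


def effective_timeout(name, raw):
    """Return (seconds, note) the server would apply for one value."""
    low, high, default = LIMITS[name.lower()]
    try:
        value = int(raw)
    except ValueError:
        # Handling of non-numeric values is not documented on this page.
        return None, "non-numeric value, behaviour undocumented"
    if value in range(low, high + 1):
        return value, "ok"
    # The default equals the maximum, so a bad value gives the longest cache.
    return default, "out of range, default %d used" % default


def audit(conf_text, policy_max=3600):
    """Return (line_no, directive, seconds, note) for each setting.

    policy_max is a hypothetical site ceiling in seconds, not an IBM value.
    """
    findings, seen = [], set()
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comments and unrelated directives
        name, raw = match.group(1).lower(), match.group(2)
        seen.add(name)
        seconds, note = effective_timeout(name, raw)
        if note == "ok" and seconds > policy_max:
            note = "exceeds policy ceiling %d" % policy_max
        findings.append((line_no, name, seconds, note))
    for name in sorted(set(LIMITS) - seen):  # unset means default applies
        findings.append((0, name, LIMITS[name][2], "not set, default used"))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE = """\
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SSLV2Timeout 0
# SSLV3Timeout 32
SSLV3Timeout 864000
"""
```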
</div>
</div>
</body>
</html>