Thanks to everyone for your help so far. I still haven't figured out why it is not working out of the box, but I kluged the BEGIN block that gets executed at server startup time to hardcode the name of the secretkeyfile. All else seems fine in the browser after that. I guess that is how it has to be for now because I have to move on.
My question today is - is there a way to do a command line test of a pretected web page now? With Basic authentication I could use lwp-rget and wget etc, but those return "403 forbidden" now, even when passing the username/pw. Thanks in advance for any thoughts or comments - GV