This document provides an overview of how to use the Secure Sockets Layer (SSL) with your Java Server. It describes the features provided to you using SSL, and identifies some common administrative procedures:
When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).
The Secure Sockets Layer (SSL) is a general purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:
There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.
You have three main ways to configure your secure web page service.
You need to choose one of those configuration techniques, in addition to enabling your secure web page service.
To enable your secure web page service, do the following:
/server_root/public_html). Otherwise, you will have no way to distinguish web pages which are being transferred securely from those being transferred in "eavesdroppable" mode.
Note that if your server is running on a UNIX system and you choose the standard HTTPS port (443), you must start your server as root. After you have started the server, you may not want to continue to run the server as root; for more information, see Installation and Startup, which explains how to tell the server not to run as root.
Self Certification
You need to generate a self-signed certificate for two reasons. One is if you do not intend to use a Certificate Authority; this option is strongly discouraged. The other is that it is part of the process currently used to get a certificate created by a certificate authority.
Note that not all web browsers currently support self-signed certificates well. Netscape Navigator 3.0 does, as does HotJava, but Internet Explorer does not.
To create a self-signed certificate, do the following:
authstore command to generate a self-signed certificate.
Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS) which are intended to support use of these certificates (with digital signatures) as evidence in court cases.
When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.
If you want to use SSL with a CA, do the following:
authstore command to generate a self-signed certificate (see above).
-----BEGIN CERTIFICATE----- ...lots of BASE64 encoded stuff... -----END CERTIFICATE-----
http://Server_Host_Name:9090, selecting the Secure Web Page service, and displaying the Basic Configuration page.
Most web browsers do not support unauthenticated servers. This is intentional, since the unauthenticated flavors are open to "person in the middle" attacks. That is, since the server's public key is not authenticated, clients can't know if they're really talking to the server they think they are.
The current release of HotJava supports such "anonymous" SSL flavors. To set up your Secure Web Page Service to support these flavors, do the following:
This change will not take effect unless you have enabled the Secure Web Page Service, as described above.
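The point made above about "anonymous" SSL flavors, as an added example that is not part of the original Java Web Server documentation: using Python's standard ssl module, it builds a client configuration that authenticates the server (what a browser that refuses unauthenticated servers does), the unauthenticated configuration beside it, and a small audit that reports why a configuration would let a person in the middle impersonate the server. The function names and the cipher string are this example's own choices.

```python
import ssl


def authenticated_client_context(cafile=None):
    """Client configuration that authenticates the server.

    Requires a certificate chaining to a trusted CA (system store, or the
    optional cafile) and matching the host name; excludes anonymous (aNULL)
    and null-encryption (eNULL) cipher suites. Cipher string is an
    assumption of this example, not a setting from the documentation."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def anonymous_client_context():
    """Mirrors the "anonymous" SSL flavor: the peer's public key is never
    authenticated, so any party on the path can terminate the connection
    and relay it without the client noticing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of finding codes; an empty list means the server
    will be authenticated before any application data is exchanged."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-peer-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    # Cipher suites whose authentication algorithm is null are the
    # "anonymous" suites; with them enabled, a valid CA chain is moot.
    anon = [c["name"] for c in ctx.get_ciphers() if c.get("auth") == "auth-null"]
    if anon:
        findings.append("anonymous-suites:" + ",".join(anon))
    return findings


def server_is_authenticated(ctx):
    return audit_context(ctx) == []


if __name__ == "__main__":
    for label, ctx in (("authenticated", authenticated_client_context()),
                       ("anonymous", anonymous_client_context())):
        print(label, audit_context(ctx) or "OK")
```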