Java Server

Using Secure Sockets Layer (SSL) with Java Server (Beta)


Documentation

This document provides an overview of how to use the Secure Sockets Layer (SSL) with your Java Server. It describes the features provided to you using SSL, and identifies some common administrative procedures:

What SSL Provides to Your Website

When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).

The Secure Sockets Layer (SSL) is a general purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:

  1. Your web server is authenticated to its clients, so that they can tell who you "really" are. Public Key Certificates are used to do this authentication.
  2. All requests to your web server are encrypted so that client data (such as credit card data) is kept confidential. So are the responses from your web server.
  3. The data is protected against being tampered with by a third party. This is called integrity protection.
  4. When appropriate, clients can authenticate themselves to your server using Public Key Certificates.

There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.

Setting Up the Secure Web Page Service

You have three main ways to configure your secure web page service.

You need to choose one of those configuration techniques, in addition to enabling your secure web page service.

Enabling Your Secure Web Page Service

To enable your secure web page service, do the following:

  1. Select the Secure Web Page service.
  2. Press the "Setup" button.
  3. Select the "Basic" section.
  4. If you wish to run this on the standard HTTPS port, change the port number to 443 from its default of 7070. Otherwise, clients will need to specify port numbers in their URLs.
  5. Choose the "Always Run" option.
  6. You should choose a Document Root Directory that is different from the one used for normal web page (HTTP) service. (The default for the Java Server Web Page service, running at port 8080, is /server_root/public_html). Otherwise, you will have no way to distinguish web pages which are being transferred securely from those being transferred in "eavesdroppable" mode.
  7. Press the "Save" button.

Note that if your server is running on a UNIX system, and you choose the standard HTTPS port (443), you must start your server as root. After you have started the server, you may not want to continue to run server as root; for more information, see Installation and Startup to find out how to tell the server not to run as root.

Self Certification

You need to generate a self-signed certificate for two reasons. One is if you do not intend to use a Certificate Authority; this option is strongly discouraged. The other is that it is part of the process currently used to get a certificate created by a certificate authority.

Note that not all web browsers currently support self signed certificates well. Netscape Navigator 3.0 does, as does HotJava, but Internet Explorer does not.

To create a self-signed certificate, do the following:

  1. Use the authstore command to generate a self-signed certificate.
  2. You will need to provide a passphrase for use whenever you decrypt the data in the keystore. Choose a multi-word phrase, with punctuation and mixed case.
  3. If you are not using a CA, enable the secure web page service at this time.

Using a Certificate Authority

Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS) which are intended to support use of these certificates (with digital signatures) as evidence in court cases.

When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.

If you want to use SSL with a CA, do the following:

  1. Use the authstore command to generate a self-signed certificate (see above).
  2. Then generate a "Certificate Signing Request" (CSR) using "authstore".
  3. Get that CA to your certificate authority, either through e-mail or through an on-line procedure:
  4. Note that you will need to provide the CA with proof that you have the right to use the name you provide to them. They will take time to verify this proof. You may be able to get the CA to respond in about a week.
  5. The CA will respond with a "PEM encoded X.509 Certificate", which looks something like this:
        -----BEGIN CERTIFICATE-----
        ...lots of BASE64 encoded stuff...
        -----END CERTIFICATE-----
        
  6. Import that with the "authstore" tool.
  7. Enable the secure web page service by connecting to the Java Server Administration at http://Server_Host_Name:9090, selecting the Secure Web Page service, and displaying the Basic Configuration page.

Unauthenticated Service

Most web browsers do not support unauthenticated servers. This is intentional, since the unauthenticated flavors are open to "person in the middle" attacks. That is, since the server's public key is not authenticated, clients can't know if they're really talking to the server they think they are.

The current release of HotJava supports such "anonymous" SSL flavors. To set up your Secure Web Page Service to support these flavors, do the following:

  1. Select the Secure Web Page service.
  2. Press the "Security" button.
  3. Select the "Ciphers" section.
  4. You will see several ciphers with names starting SSL_DH_anon ... select these flavors.
  5. Press the "Save" button.
  6. If your server supports authenticated operation, you may need to re-enter your passphrase.

This change will not take effect unless you have enabled the Secure Web Page Service, as described above.


Top
java-server-feedback@java.sun.com