Ssl Https Server
Upcoming SlideShare
Loading in...5
×
 

Ssl Https Server

on

  • 1,506 views

Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server)

Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server)

Statistics

Views

Total Views
1,506
Views on SlideShare
1,500
Embed Views
6

Actions

Likes
1
Downloads
74
Comments
0

2 Embeds 6

http://www.slideshare.net 5
http://smtpsslport.me 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Ssl Https Server Ssl Https Server Presentation Transcript

  • Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server) 2008/July/17 Multimedia Division
  • Agenda
    • What is SSL
      • Secure Socket Layer (SSL)
      • The SSL Protocol
    • Why SSL
    • What SSL Provides
    • SSL and Authentication
    • SSL and Web-tier Security
    • What is a Certificate?
    • What is Server Certificate?
    • Why Server Certificate is Needed?
    • Verify/Demo SSL Support on Test server
    • Commercial for Certificate
    • SSL Drawbacks
    • What is next
    • References
  • What is SSL
    • SSL stands for Secure Socket Layer.
    • Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection
  • Secure Socket Layer (SSL)
    • Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.
    • Responsible for the emergence of
    • e-commerce, other security sensitive services on the web
  • The SSL Protocol
    • The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP
  • Why SSL
    • SSL addresses the following important security considerations.
    • Authentication : During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be.
    • Confidentiality : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.
    • Integrity : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
  • What SSL Provides
    • Confidentiality (Privacy)
    • Data integrity (Tamper-proofing)
    • Server authentication (Proving a server is what it claims it is)
    • Optional client authentication - Would be required in B2B/B2C (or Web services environment in which program talks to program
  • SSL and Authentication
    • Server Authentication :
    • Server needs to provide its own certificate to a
    • client in order to authenticate itself to the client.
    • A Web server typically has a CA-signed certificate and it provides to its clients.
    • Client Authentication :
    • Client needs to provide its own certificate to a
    • server in order to authenticate itself to the server.
    • Mutual Authentication
  • SSL and Web-tier Security
    • Encrypted password move from the browser
    • to the web server
    • Encrypted data move between the browser
    • and the web server
    • Server authentication
    • – Done before encrypted data transfer occurs
    • Client Authentication
    • – Not used in most cases
  • What is a Certificate?
    • A certificate is a digitally-signed statement from one entity (person, company,
    • etc.), saying that the public key (and some other information) of some other
    • entity has a particular value. So in a sense, it is like digital version of your ID
    • card such as driver's license.
  • What is a Certificate (Ctd..)
    • A certificate is cryptographically signed and is practically impossible for anyone else to forge
    • A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign
  • What is a Certificate (Ctd..)
    • A certificate can be self-signed when
    • authentication over the internet is not really a concern for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, that is only data privacy and integrity are important
  • What is Server Certificate?
    • A server certificate is a container that contains server's public key and other miscellaneous information
    • Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections. This provides some kind of reasonable assurance that its owner is who you think it is
  • Why Server Certificate is Needed?
    • Server Certificate enables Server Authentication
    • Server sends server certificate as part of SSL key handshake
    • HTTPS service of Tomcat would not work unless a server certificate is installed
    • Verifies the server's identity to the client, before receiving any sensitive information
  • Verify/Demo SSL Support on Test server
    • Screen Display
  • Verify/Demo SSL Support on Test server
    • Screen Display
  • Verify/Demo SSL Support on Test server
    • Screen Display of Certificate
  • Verify/Demo SSL Support on Test server
    • Screen Display of Certificate
  • Commercial for Certificate Budget Required (Tentative figure by Vendors) http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html $ 1499/Year Verisign 1 Remarks Budget Required Name of the Vendors Sr. No.
  • SSL Drawbacks
    • The problems associated with SSL are
    • It prevents caching.
    • Using SSL imposes greater overheads on the server and the client.
    • Some firewalls and/or web proxies may not allow SSL traffic.
    • There is a financial cost associated with gaining a Certificate for the server/subject device
  • What is next
    • Sign a CR
    • Send to YMC as a sample
    • Make Skill Matrix
    • Make Training Schedule
  • References:
    • http://java.sun.com/developer/technicalArticles/Security/secureinternet/
    • http://cstsolaris.cst.nait.ab.ca/resources/ssl/
    • index.html
    • http://www.javapassion.com/j2ee/index.html
    • http://www.rhyshaden.com/ssl.htm
    • http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html