Your SlideShare is downloading. ×
Ssl Https Server
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Ssl Https Server

992
views

Published on

Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server)

Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server)

Published in: Technology

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
992
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
82
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server) 2008/July/17 Multimedia Division
  • 2. Agenda
    • What is SSL
      • Secure Socket Layer (SSL)
      • The SSL Protocol
    • Why SSL
    • What SSL Provides
    • SSL and Authentication
    • SSL and Web-tier Security
    • What is a Certificate?
    • What is Server Certificate?
    • Why Server Certificate is Needed?
    • Verify/Demo SSL Support on Test server
    • Commercial for Certificate
    • SSL Drawbacks
    • What is next
    • References
  • 3. What is SSL
    • SSL stands for Secure Socket Layer.
    • Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection
  • 4. Secure Socket Layer (SSL)
    • Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.
    • Responsible for the emergence of
    • e-commerce, other security sensitive services on the web
  • 5. The SSL Protocol
    • The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP
  • 6. Why SSL
    • SSL addresses the following important security considerations.
    • Authentication : During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be.
    • Confidentiality : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.
    • Integrity : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
  • 7. What SSL Provides
    • Confidentiality (Privacy)
    • Data integrity (Tamper-proofing)
    • Server authentication (Proving a server is what it claims it is)
    • Optional client authentication - Would be required in B2B/B2C (or Web services environment in which program talks to program
  • 8. SSL and Authentication
    • Server Authentication :
    • Server needs to provide its own certificate to a
    • client in order to authenticate itself to the client.
    • A Web server typically has a CA-signed certificate and it provides to its clients.
    • Client Authentication :
    • Client needs to provide its own certificate to a
    • server in order to authenticate itself to the server.
    • Mutual Authentication
  • 9. SSL and Web-tier Security
    • Encrypted password move from the browser
    • to the web server
    • Encrypted data move between the browser
    • and the web server
    • Server authentication
    • – Done before encrypted data transfer occurs
    • Client Authentication
    • – Not used in most cases
  • 10. What is a Certificate?
    • A certificate is a digitally-signed statement from one entity (person, company,
    • etc.), saying that the public key (and some other information) of some other
    • entity has a particular value. So in a sense, it is like digital version of your ID
    • card such as driver's license.
  • 11. What is a Certificate (Ctd..)
    • A certificate is cryptographically signed and is practically impossible for anyone else to forge
    • A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign
  • 12. What is a Certificate (Ctd..)
    • A certificate can be self-signed when
    • authentication over the internet is not really a concern for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, that is only data privacy and integrity are important
  • 13. What is Server Certificate?
    • A server certificate is a container that contains server's public key and other miscellaneous information
    • Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections. This provides some kind of reasonable assurance that its owner is who you think it is
  • 14. Why Server Certificate is Needed?
    • Server Certificate enables Server Authentication
    • Server sends server certificate as part of SSL key handshake
    • HTTPS service of Tomcat would not work unless a server certificate is installed
    • Verifies the server's identity to the client, before receiving any sensitive information
  • 15. Verify/Demo SSL Support on Test server
    • Screen Display
  • 16. Verify/Demo SSL Support on Test server
    • Screen Display
  • 17. Verify/Demo SSL Support on Test server
    • Screen Display of Certificate
  • 18. Verify/Demo SSL Support on Test server
    • Screen Display of Certificate
  • 19. Commercial for Certificate Budget Required (Tentative figure by Vendors) http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html $ 1499/Year Verisign 1 Remarks Budget Required Name of the Vendors Sr. No.
  • 20. SSL Drawbacks
    • The problems associated with SSL are
    • It prevents caching.
    • Using SSL imposes greater overheads on the server and the client.
    • Some firewalls and/or web proxies may not allow SSL traffic.
    • There is a financial cost associated with gaining a Certificate for the server/subject device
  • 21. What is next
    • Sign a CR
    • Send to YMC as a sample
    • Make Skill Matrix
    • Make Training Schedule
  • 22. References:
    • http://java.sun.com/developer/technicalArticles/Security/secureinternet/
    • http://cstsolaris.cst.nait.ab.ca/resources/ssl/
    • index.html
    • http://www.javapassion.com/j2ee/index.html
    • http://www.rhyshaden.com/ssl.htm
    • http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html