This document provides an overview of how to use the Secure Sockets Layer (SSL) with your Java Web Server. It describes the features provided to you using SSL, and identifies some common administrative procedures:

• What SSL Provides Your Website
• Setting up the Secure Web Page Service

What SSL Provides to Your Website

When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).

The Secure Sockets Layer (SSL) is a general purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:

1. Your web server is authenticated to its clients, so that they can tell who you "really" are. Public Key Certificates are used to do this authentication.
2. All requests to your web server are encrypted so that client data (such as credit card data) is kept confidential. So are the responses from your web server.
3. The data is protected against being tampered with by a third party. This is called integrity protection.
4. When appropriate, clients can authenticate themselves to your server using their own Public Key Certificates.

There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.

Setting Up the Secure Web Page Service

To set up your secure web page service, do the following:

1. Set the server up to authenticate itself using one of the three methods listed below. Note that the use of a certificate authority is strongly encouraged; it is currently possible to get free short-lived "test certificates" from VeriSign(TM), Inc., for use with the Java Web Server:
   • Certificate Authority
   • Self-Certification
   • No authentication
2. Select the Secure Web Page service.>
3. Press the "Setup" button.
4. Select the "Basic" section.
5. Choose a Document Root Directory that is different from the one used for normal web page (HTTP) service. (The default for the Java Web Server Web Page service, running at port 8080, is /server_root/public_html).
6. If you wish to run this on the standard HTTPS port, change the port number to 443 from its default of 7070. Otherwise, clients will need to specify port numbers in their URLs.
7. Press the "Save" button.
8. Press the "Start" button.

Note that if your server is running on a UNIX system, and you choose the standard HTTPS port (443), you must start your server as root. After you have started the server, you may not want to continue to run server as root; for more information, see Installation and Startup to find out how to tell the server not to run as root.

Using a Certificate Authority

Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS) which are intended to support use of these certificates (with digital signatures) as evidence in court cases.

When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.

If you want to use SSL with a CA, do the following:

1. Use the authstore command to generate a self-signed certificate.
2. Then generate a "Certificate Signing Request" (CSR) using "authstore".
3. Get that CSR to your certificate authority, either through e-mail or through an on-line procedure from a certificate authority. Note that some web browsers, such as Internet Explorer, are extremely restrictive with respect to the certificate authorities which they support. Certificate Authorities you may wish to consult include:
   • VeriSign Inc. ... provides "Server" Digital IDs.
4. Note that you will need to provide the CA with proof that you have the right to use the name you provide to them. They will take time to verify this proof. You may be able to get the CA to respond in about a week.
5. The CA will respond with a "PEM encoded X.509 Certificate", which looks something like this:

       -----BEGIN CERTIFICATE-----
       MIICZTCCAdICBQL3AAC2MA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
       HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
       IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NzAyMjAwMDAwMDBa
       Fw05ODAyMjAyMzU5NTlaMIGWMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
       cm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMR8wHQYDVQQKExZTdW4gTWljcm9zeXN0
       ZW1zLCBJbmMuMSEwHwYDVQQLExhUZXN0IGFuZCBFdmFsdWF0aW9uIE9ubHkxGjAY
       BgNVBAMTEWFyZ29uLmVuZy5zdW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
       iQKBgQCofmdY+PiUWN01FOzEewf+GaG+lFf132UpzATmYJkA4AEA/juW7jSi+LJk
       wJKi5GO4RyZoyimAL/5yIWDV6l1KlvxyKslr0REhMBaD/3Z3EsLTTEf5gVrQS6sT
       WMoSZAyzB39kFfsB6oUXNtV8+UKKxSxKbxvhQn267PeCz5VX2QIDAQABMA0GCSqG
       SIb3DQEBAgUAA34AXl3at6luiV/7I9MN5CXYoPJYI8Bcdc1hBagJvTMcmlqL2uOZ
       H9T5hNMEL9Tk6aI7yZPXcw/xI2K6pOR/FrMp0UwJmdxX7ljV6ZtUZf7pY492UqwC
       1777XQ9UEZyrKJvF5ntleeO0ayBqLGVKCWzWZX9YsXCpv47FNLZbupE=
       -----END CERTIFICATE-----
       

6. Import that with the "authstore" tool.
7. You will probably want to enable the HTTPS Service ("Secure Web Page Service") at this time.

Additional Certificate Authorities Support Support for additional Certificate Authorities (CA's) is now available. To use a CA other than the built-in VeriSign CA's:

1. Import the root certificate of the CA using the "Import CA" button in Authstore.
2. Import the certificate issued by that CA.

You need to generate a self-signed certificate for two reasons. One is if you do not intend to use a Certificate Authority; this option is strongly discouraged. The other is that it is part of the process currently used to get a certificate created by a certificate authority.

Note that not all web browsers currently support self signed certificates well. Netscape Navigator 3.0 does, as does HotJava, but Internet Explorer does not.

To create a self-signed certificate, do the following:

1. Use the authstore command to generate a self-signed certificate.
2. You will need to provide a passphrase for use whenever you decrypt the data in the keystore. Choose a multi-word phrase, with punctuation and mixed case.
3. If you are not using a CA, enable the HTTPS Service ("Secure Web Page Service") at this time.

Most web browsers do not support unauthenticated servers. This is intentional, since the unauthenticated flavors are open to "person in the middle" attacks. That is, since the server's public key is not authenticated, clients can't know if they're really talking to the server they think they are.

To set up your Secure Web Page Service to support these flavors, do the following:

1. Select the Secure Web Page service.
2. Press the "Security" button.
3. Select the "Ciphers" section.
4. You will see several ciphers with names starting SSL_DH_anon ... select these flavors.
5. Press the "Save" button.
6. If your server supports authenticated operation, you may need to re-enter your passphrase.
7. You will probably want to enable the HTTPS Service ("Secure Web Page Service") at this time.

Top java-server-feedback@java.sun.com

Copyright © 1997 Sun Microsystems, Inc. All Rights Reserved.