
SSL

WAS ND 8.0 Administration

This PDF is a full example of one of the many PPT theory packs included in the course.

Brought to you by TheMiddlewareshop.com

WAS ND 8.0 Administration Essentials is a course available for purchase from the Middleware Shop.
http://www.themiddlewareshop.com

Only $99.95
Contains over 850 pages of How-to guides and over 350 PPT slides. Written by: Steve Robinson

The Middleware Shop This content is copyright


http://www.themiddlewareshop.com

Objectives
In this module the student will learn:
- SSL concepts
- Configuring SSL between IHS and WAS
- The general steps involved in configuring SSL for any product
- Inbound and outbound SSL configuration in WAS


Outline
Part I - SSL Concepts
Data encryption, symmetric cryptography, asymmetric cryptography, message digests, authentication, cipher suites, the SSL handshake, digital certificates, CSRs, key databases

Part II - Configuring SSL between IHS and WAS
Part III - Configuring SSL in WAS


SSL Concepts
Part I


SSL Introduction
SSL stands for Secure Sockets Layer. The name is also used loosely for its successor, TLS (Transport Layer Security); SSL 2.0 and 3.0 themselves are broken, so a current deployment should negotiate TLS.
To secure a communication channel the following objectives must be met:
- Privacy (confidentiality): nobody else can read the data
- Data integrity: any modification in transit is detected
- Authentication: each party knows who it is talking to

SSL helps achieve these objectives.



Data Encryption
Data can be encrypted before it is sent to keep the conversation private. Encryption is the process of converting plaintext into ciphertext using a key and an algorithm (the cipher); decryption reverses it with the same algorithm and the matching key.

Diagram: the two parties first agree on a key and a cipher. The sender encrypts the plaintext with the key and cipher and transmits the ciphertext; the receiver decrypts the ciphertext with the key and cipher to recover the plaintext.


Symmetric Cryptography
- The key used for encryption is also used to decrypt
- The problem is in sharing the key with the other party without an eavesdropper learning it (SSL solves this by using asymmetric cryptography during the handshake to agree on the symmetric session key)
- Example algorithms: RC4, 3DES
  Both are legacy today: RC4 is prohibited for TLS and 3DES has a 64-bit block size; AES is the current choice for bulk encryption.


Asymmetric Cryptography
Private key and public key form a key pair. Data encrypted with one can only be decrypted with the other. The public key can be given to anyone; the private key never leaves its owner.

Diagram: the sender encrypts the plaintext with the private key, and the receiver decrypts the ciphertext with the matching public key. The same works in the other direction (encrypt with the public key, decrypt with the private key). Encrypting a digest with the private key is what a digital signature amounts to; encrypting with the public key is how data is kept private for the key's owner.


Message Digests
A message digest is like a fingerprint of the data: a fixed-length value computed from the whole message, such that any change to the message changes the digest.

Diagram: the sender generates the message digest of the plaintext, encrypts plaintext and digest together with the key and cipher, and sends the ciphertext. The receiver decrypts, recomputes the digest of the received plaintext and compares it with the received digest. If the message digests match, the data has not been tampered with.

Note: a bare digest on its own is not proof of integrity, because anyone who can alter the message can also recompute the digest to match. The guarantee comes from the key: here the digest travels inside the encrypted data, and in TLS it is computed as a keyed digest (HMAC) or provided by an AEAD cipher, so that only the two parties holding the session key can produce a digest the receiver accepts.
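Added example (not from the slides or the course): the integrity check above, in Python's standard library, showing why the digest must be tied to a key. The message and key are constructed for the demonstration; the plain SHA-256 digest stands for the slide's "fingerprint" and HMAC-SHA256 for the keyed form that TLS actually uses.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for the demonstration (not from the slides).
MESSAGE = b"transfer 100 EUR to account 12345"


def digest(data: bytes) -> str:
    """Plain message digest: the 'fingerprint' of the data."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC): only a holder of the shared key can compute it.
    This is the form TLS record protection uses (HMAC, or an AEAD cipher
    that folds the same guarantee into the encryption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(keyed_digest(key, data), tag)


def receiver_accepts_plain(data: bytes, received_digest: str) -> bool:
    """A receiver that trusts a bare digest shipped next to the data."""
    return digest(data) == received_digest


def tampering_detected() -> tuple:
    """Returns (detected_with_plain_digest, detected_with_keyed_digest)."""
    key = secrets.token_bytes(32)          # the key both parties agreed on
    tampered = MESSAGE.replace(b"100", b"900")

    # Unkeyed: the attacker who alters the message simply recomputes the
    # digest, so the receiver sees a matching fingerprint and accepts it.
    plain_detected = not receiver_accepts_plain(tampered, digest(tampered))

    # Keyed: the attacker has no key, so the tag computed over the original
    # message no longer matches the altered one and the change is caught.
    tag = keyed_digest(key, MESSAGE)
    keyed_detected = not verify_keyed(key, tampered, tag)
    return plain_detected, keyed_detected
```

`tampering_detected()` returns `(False, True)`: the unkeyed digest lets the forgery through, the keyed one rejects it. In the slide's diagram the key enters through the encryption of plaintext plus digest; the keyed digest makes that dependency explicit and works even when the data itself is sent in clear.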


Establishing Trust
Diagram: the client holds a client keystore (client certificate) and a truststore (the server certificate, or the CA that signed it); the server holds a server keystore (server certificate) and a truststore (the client certificate, or its CA).

1. Client requests a protected resource
2. Server presents its server certificate
3. Client verifies the server certificate against its truststore
4. Client presents its client certificate (only when the server requires client authentication)
5. Server verifies the client certificate against its truststore
6. Client accesses the protected resource

Each party proves its identity with the certificate and private key in its own keystore, and decides whom to believe with the signer certificates in its truststore. Steps 4 and 5 make this mutual SSL; the common one-way case stops after step 3, with only the client verifying the server.


Cipher Suites
A cipher suite is the set of algorithms used for completing the initial handshake and performing bulk encryption. Example: SSL_RSA_WITH_RC4_128_MD5, which reads as RSA for key exchange and server authentication, RC4 with a 128-bit key for bulk encryption, and MD5 for the message digest (MAC). Every part of that particular suite is now considered weak; a current configuration prefers suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which add forward secrecy and an authenticated cipher.
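Added example (not from the slides): a small parser that splits a suite name such as the one above into its key exchange, bulk cipher and MAC, and records the reasons a reviewer would reject it. It generalizes beyond the slide's SSL-era name to TLS 1.2 and TLS 1.3 names; the lists of weak components are this editor's classification, not anything from the course.

```python
import re
from dataclasses import dataclass, field

# Key-exchange methods whose session keys can be recovered later if the
# server's long-term private key leaks (no forward secrecy).
STATIC_KEY_EXCHANGE = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA", "PSK"}
# Bulk ciphers that are broken or deprecated for TLS (RC4: RFC 7465,
# 3DES: 64-bit blocks, DES/RC2: key too short, NULL: no encryption).
BROKEN_CIPHERS = {"RC4", "RC2", "DES", "3DES", "IDEA", "NULL"}
# MAC algorithms no longer acceptable ("SHA" in a suite name means SHA-1).
WEAK_MACS = {"MD5", "SHA"}


@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    bulk_cipher: str
    mac: str
    findings: list = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.findings


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA-style suite name into the algorithms it bundles and
    record why a security reviewer would reject it."""
    m = re.fullmatch(r"(?:SSL|TLS)_(.+)", name)
    if not m:
        raise ValueError(f"not a cipher suite name: {name}")
    rest = m.group(1)
    if "_WITH_" in rest:
        kex, enc = rest.split("_WITH_", 1)
    else:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange part:
        # key exchange there is always ephemeral (EC)DHE.
        kex, enc = "(EC)DHE", rest
    parts = enc.split("_")
    suite = CipherSuite(name, kex, "_".join(parts[:-1]), parts[-1])

    if kex.replace("_EXPORT", "") in STATIC_KEY_EXCHANGE:
        suite.findings.append(f"{kex} key exchange: no forward secrecy")
    if "anon" in kex:
        suite.findings.append(f"{kex}: no server authentication")
    if "EXPORT" in kex or "EXPORT" in suite.bulk_cipher:
        suite.findings.append("export-grade key length")
    family = parts[0]
    if family in BROKEN_CIPHERS:
        suite.findings.append(f"{family}: broken or deprecated bulk cipher")
    if suite.mac in WEAK_MACS:
        suite.findings.append(f"{suite.mac}: weak MAC")
    return suite


def audit(names):
    """Map each suite name to its findings; an empty list means acceptable."""
    return {n: parse_cipher_suite(n).findings for n in names}
```

Run `audit()` over the cipher list taken from an SSL configuration or an IHS `SSLCipherSpec` directive to see which entries still need removing; the slide's example yields three findings, the ECDHE/AES-GCM suite none.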


SSL Handshake

But what is a Digital Certificate?


Digital Certificates
A digital certificate is used to verify an identity. It contains:
- Subject (Common Name, Organization, etc.)
- Public key
- Expiry date (validity period)
- Issuer (the CA)
- Signature of the issuer over the fields above

Trust chain (as drawn on the slide):
- Self-signed digital certificate of a trusted CA like Verisign
- Digital certificate of SomeParty (CA), signed by Verisign
- Digital certificate (ours), signed by SomeParty

A verifier that holds the Verisign certificate in its truststore checks SomeParty's certificate with Verisign's public key, and then ours with SomeParty's public key.


Digital Certificates - Terminology


Signer certificate
The certificate of the issuer (the CA). Adding it to a truststore is what makes certificates signed by that issuer trusted.

Self-signed certificate
A certificate not signed by a CA: the issuer is the subject itself, signed with its own private key. Such certificates are usually not trusted, except for the self-signed root certificates of trusted CAs; those are trusted only because they have been placed in the truststore, not because they are self-signed. Any self-signed certificate can be made trusted the same way, by adding it to the truststore of the party that must accept it.
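Added example (not from the slides or the course) tying together the asymmetric-cryptography, trust-chain and self-signed-certificate slides: a toy PKI in standard-library Python that generates textbook RSA key pairs, issues certificates in a minimal model of the fields listed above, and verifies the slide's chain (ours, signed by SomeParty, signed by the self-signed Verisign root) against a truststore. The certificate structure, names and dates are constructed for the demonstration; real certificates are X.509 and real RSA signatures use padding (PKCS#1 v1.5 or PSS), neither of which is modelled here. The validity-date check in `verify_chain` is the same condition the certificate expiry monitor in Part III warns about.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; adequate for a toy key generator."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def keypair(bits: int = 512):
    """Textbook RSA key pair: returns ((e, n), (d, n)) = (public, private)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(private_key, data: bytes) -> int:
    """Signing = 'encrypting' the digest with the private key (unpadded: toy only)."""
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Verifying = 'decrypting' the signature with the public key, then comparing digests."""
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Certificate:
    subject: str
    issuer: str
    public_key: tuple
    not_before: date
    not_after: date
    signature: int = 0

    def tbs(self) -> bytes:
        """'To be signed' fields: everything the issuer's signature covers."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_before}|{self.not_after}".encode()

def issue(subject, subject_pub, issuer, issuer_priv, days, today):
    """The CA signs the applicant's subject and public key (what a CSR carries)."""
    cert = Certificate(subject, issuer, subject_pub, today, today + timedelta(days=days))
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert

def verify_chain(leaf, intermediates, truststore, today):
    """Walk issuer links from the leaf until a certificate in the truststore is reached.
    Every hop checks the validity period and the signature under the issuer's public key.
    A self-signed certificate that is not in the truststore has no trusted issuer and fails."""
    by_subject = {c.subject: c for c in intermediates + truststore}
    cert, path = leaf, [leaf.subject]
    for _ in range(8):  # bound the walk, as real validators bound path length
        if not (cert.not_before <= today <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if cert in truststore:
            return True, " -> ".join(path)
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} is not trusted"
        if not verify(issuer.public_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify under {issuer.subject}"
        cert, path = issuer, path + [issuer.subject]
    return False, "chain too long"

def build_slide_chain(today=date(2024, 1, 1)):
    """The slide's chain: Verisign (self-signed root) -> SomeParty (CA) -> ours."""
    root_pub, root_priv = keypair()
    ca_pub, ca_priv = keypair()
    our_pub, _ = keypair()
    root = issue("CN=Verisign", root_pub, "CN=Verisign", root_priv, 3650, today)
    someparty = issue("CN=SomeParty", ca_pub, "CN=Verisign", root_priv, 1825, today)
    ours = issue("CN=ours", our_pub, "CN=SomeParty", ca_priv, 365, today)
    return root, someparty, ours
```

With the root in the truststore and SomeParty supplied as an intermediate, `verify_chain` returns the path `CN=ours -> CN=SomeParty -> CN=Verisign`. Removing the intermediate, tampering with any signed field, checking after the leaf's expiry, or presenting a self-signed certificate that is not in the truststore all fail, each with the reason that the browser warning on the next slide is reporting in its own words.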


Self-signed Certificate Typical browser response


Certificate Signing Request (CSR)


A CSR is a file sent to the CA for signing. It contains information that identifies the applicant, such as:
- DN (Distinguished Name)
- Public key of the applicant
- Email address

The CSR is signed with the applicant's private key, so the CA can check that the requester holds the key matching the public key; the private key itself never leaves the key database it was generated in. The certificate the CA returns must be received into that same key database, where it is matched to its private key.


Key Database
- A key database is used to hold digital certificates and key pairs in a secure manner
- The key database is protected by a password
- Every entry in the database is accessed through an alias name
- Some key database types, like JKS, protect each private-key entry with a separate password

IBM HTTP Server uses CMS key databases (key.kdb) with the password kept in a stash file (key.sth) so the server can open the database at startup; the stash file must be protected by file permissions as strictly as the private key itself. WAS uses Java keystores, PKCS12 (key.p12, trust.p12) by default.


Configuring SSL between IHS and WAS


Part II


Configuring SSL between IHS and WAS


Diagram: browser -> IBM HTTP Server (key.kdb) -> WebSphere plug-in (plugin-key.kdb) -> WebSphere Application Server (secure transport, port 9443 by default).

1. Create the identity: the plug-in's key database (plugin-key.kdb) is generated under the web server definition in WAS and holds the plug-in's own certificate together with the signer certificates it needs to trust the application server.
2. Propagate the keyring file: copy plugin-key.kdb (with its stash file) from the WAS configuration to the web server machine, so the plug-in can open an SSL connection to WAS on port 9443.

IHS's own key.kdb serves the browser-facing side; plugin-key.kdb serves the plug-in-to-WAS side. Keep the two separate.


Configuring the browser's trust database


SSL Configuration in a nutshell


Jupiter, a party communicating over SSL, holds two databases:

Identity database (the keystore): Personal cert, Signer cert, and the keys
- The identity database contains the signed certificate, the signer certificate and the private keys. It answers "who am I".

Trust database (the truststore): CA Cert1, CA Cert2
- The trust database contains the certificates of the CAs that the party is willing to trust. It answers "whom do I believe".

A single file can serve as both, but keeping them separate limits who needs access to the private keys.


The ikeyman tool


This tool provides the following features:
- Create a key database
- Create a self-signed personal certificate
- Create a CSR
- Receive the signed certificate
- Recreate a CSR and receive the renewal certificate (when a certificate is about to expire)

It comes bundled with IHS and WAS. For scripted or headless work the same operations are available from the command line: gskcapicmd for CMS databases in IHS, and keytool for Java keystores.



Configuring SSL in WAS


Part III


Inbound SSL
- Called inbound because WAS acts as the server
- An SSL configuration object can be created and then attached at any point in the topology tree (cell, node, server, endpoint)
- The one at the lowest, most specific level overrides the others and is used for that endpoint, so the cell-level default applies unless something more specific is attached below it
But what is an SSL Configuration object?


SSL Configuration object


Essentially determines:
- What certificate is to be presented to the client when WAS is the server, and to the server when WAS is the client (the keystore and its certificate alias)
- Issuer certificates to use for verifying a certificate presented by the other party (the truststore)
- How the handshake should be done (protocol version)
- Cipher(s) to use
- Is client authentication required?

Outbound SSL
- Here outbound means that WAS acts as the client
- WAS supports dynamic selection of the SSL configuration based on the protocol-host-port combination of the target
- Configured through a Dynamic outbound endpoint SSL configuration object, which provides a mapping between protocol-host-port combinations and an SSL configuration; a connection that matches no mapping falls back to the SSL configuration of the scope it is made from
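Added example (not from the slides and not WAS code): a model of the two selection rules from the inbound and outbound slides, in Python. `resolve_inbound` applies "the lowest level overrides" over the cell/node/server/endpoint scopes, and `resolve_outbound` picks the dynamic outbound entry for a protocol-host-port target. The wildcard `*` and the most-specific-entry-wins tie-break are this editor's assumptions to make the model general; the slide itself only describes exact mappings. Alias names such as CellDefaultSSLSettings are the WAS defaults, but the attachment and selection tables are constructed sample data.

```python
# Scope levels of the WAS topology from most general to most specific; an
# SSL configuration attached at a more specific level overrides the more
# general one for everything beneath it.
SCOPE_ORDER = ("cell", "node", "server", "endpoint")


def resolve_inbound(attachments, scope_path):
    """attachments: {(level, name): ssl_config_alias} as configured.
    scope_path: {level: name} describing the endpoint that needs an SSL
    configuration. Returns the alias attached at the most specific level
    on that path, or None if nothing is attached anywhere on it."""
    chosen = None
    for level in SCOPE_ORDER:
        alias = attachments.get((level, scope_path.get(level)))
        if alias is not None:
            chosen = alias      # later (more specific) levels override
    return chosen


def resolve_outbound(selections, protocol, host, port, default):
    """selections: list of ('protocol,host,port', alias) dynamic outbound
    entries. A field given as '*' matches anything (modelled assumption).
    The matching entry with the most literal fields wins; 'default' is the
    alias used when no entry matches (the scope's SSL configuration)."""
    best, best_score = None, -1
    for pattern, alias in selections:
        parts = pattern.split(",")
        if len(parts) != 3:
            raise ValueError(f"expected protocol,host,port: {pattern!r}")
        fields = list(zip(parts, (protocol, host, str(port))))
        if all(p == "*" or p.lower() == v.lower() for p, v in fields):
            score = sum(p != "*" for p, _ in fields)
            if score > best_score:
                best, best_score = alias, score
    return best if best is not None else default
```

A useful audit with this model is to list every endpoint's resolved alias and every outbound target's resolved alias, and then compare the ciphers and client-authentication setting of each alias against policy: an endpoint that silently inherits CellDefaultSSLSettings is easy to overlook when only the explicitly attached configurations are reviewed.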

Monitoring Certificate Expiry


Certificates have a validity period. When one expires, every connection that relies on it fails, resulting in an outage. WAS provides a feature to monitor certificate expiry. This feature allows configuration of:
- Expiration notification threshold (how many days before expiry to warn)
- Frequency (how often the monitor runs)
- Automatic replacement of expired self-signed certificates

Automatic replacement covers only self-signed certificates WAS itself issued; a CA-signed certificate must be renewed through a new CSR, and a replaced certificate's signer must reach every truststore (plug-in, browsers, other cells) that relied on the old one.

What's in the official course?

The Gold package download includes the following modules:
- WebSphere Application Server Overview
- WAS Installation
- Cells & Profiles
- JEE Overview & Packaging
- Application Deployment
- JDBC & JNDI
- Configuration & Logs
- IHS & Plugin Installation
- Administrative Security
- Administration Tools & Support Tools
- Administrative Agent and Job Manager
- Administrative Scripting
- Clustering & High Availability
- Workload Management & Session Affinity
- JMS and MQ Messaging
- Maintenance & Backups
- SSL Part 1
- SSL Part 2
- Monitoring & Tuning Part 1
- Monitoring & Tuning Part 2

