Presentation is loading. Please wait.

Presentation is loading. Please wait.

Softsmith Infotech Secure Socket Layer (SSL) and Tomcat.

Published bySusan Bryant Modified over 8 years ago

Similar presentations

Presentation on theme: "Softsmith Infotech Secure Socket Layer (SSL) and Tomcat."— Presentation transcript:

1 Softsmith Infotech Secure Socket Layer (SSL) and Tomcat

2 Softsmith Infotech What is SSL SSL stands for Secure Socket Layer. Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection

3 Softsmith Infotech Secure Socket Layer (SSL) Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. Responsible for the emergence of e-commerce, other security sensitive services on the web

4 Softsmith Infotech The SSL Protocol The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP

5 Softsmith Infotech Why SSL SSL addresses the following important security considerations. Authentication: During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. Confidentiality: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential. Integrity: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.

6 Softsmith Infotech What SSL Provides Confidentiality (Privacy) Data integrity (Tamper-proofing) Server authentication

7 Softsmith Infotech SSL KEY EXCHANGE STEPS SSL client connects to an SSL server Server then sends its own certificate that contains its public key Client then creates a random key (premaster key) and uses server's public key to encrypts it

8 Softsmith Infotech SSL KEY EXCHANGE STEPS (ctd..) Client then sends encrypted premaster key to the server Server then decrypts it and uses decrypted premaster key to create secret session key Now both client and server uses secret session key for further communication

9 Softsmith Infotech SSL and Authentication Server Authentication: Server needs to provide its own certificate to a client in order to authenticate itself to the client A Web server typically has a CA-signed certificate and it provides it to its clients Client Authentication: Client needs to provide its own certificate to a server in order to authenticate itself to the server Mutual Authentication

10 Softsmith Infotech SSL and Web-tier Security Encrypted password move from the browser to the web server Encrypted data move between the browser and the web server Server authentication – Done before encrypted data transfer occurs Client Authentication – Not used in most cases

11 Softsmith Infotech What is a Certificate (Ctd..) A certificate is cryptographically signed and is practically impossible for anyone else to forge A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign

12 Softsmith Infotech What is Server Certificate? A server certificate is a container that contains server's public key and other miscellaneous information Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections.This provides some kind of reasonable assurance that its owner is who you think it is

13 Softsmith Infotech Why Server Certificate is Needed? Server Certificate enables Server Authentication Server sends server certificate as part of SSL key handshake HTTPS service of Tomcat would not work unless a server certificate is installed Verifies the server's identity to the client, before receiving any sensitive information

14 Softsmith Infotech Creating a Server Certificate(ctd) To create a server certificate follow these steps: 1) Create the keystore. 2) Export the certificate from the keystore. 3) Sign the certificate. 4) Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate

15 Softsmith Infotech Generate the server certificate To generate the certificate, run the keytool utility as follows JAVA_HOME>\bin\ keytool -genkey -keyalg RSA -alias tomcat -keystore localhost.jks When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code

16 Softsmith Infotech Generate the server certificate(Ctd) Screen Display

17 Softsmith Infotech Export the certificate from the keystore. Export the generated server certificate in keystore.jks into the file server.cer. \bin\keytool -export -alias tomcat storepass changeit -file server.cer -keystore localhost.jks

18 Softsmith Infotech Export the certificate from the keystore(Ctd..) Screen Display

19 Softsmith Infotech Signing Digital Certificates After a digital certificate is created, they are signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte. If authentication is not really a concern,use the self-signed certificate

20 Softsmith Infotech Importing certificate into trust-store To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool with following parameters \bin\keytool -import -v -trustcacerts -alias server-alias -file server.cer - keystore cacerts.jks -keypass changeit - storepass changeit

21 Softsmith Infotech Importing certificate into trust-store Information on the certificate, such as that shown next, will display

22 Softsmith Infotech Programming with JSSE The Java Secure Socket Extension (JSSE) provides a framework and a Java implementation of the SSL and TLS protocols It provides mechanisms for data encryption, server authentication, message integrity, and optional client authentication. The JSSE APIs supplement the java.security and java.net packages by providing extended networking socket classes, trust and key managers, and a socket factory framework for encapsulating socket creation behavior. These classes are included in the packages javax.net and javax.net.ssl.

23 Softsmith Infotech Programming with JSSE(Ctd.) SSLSocket and SSLServerSocket The javax.net.ssl.SSLSocket is a subclass of the java.net.Socket class. Therefore, it supports all the standard Socket methods and adds additional methods specific to secure sockets. The javax.net.ssl.SSLServerSocket class is analogous to the SSLSocket class except that it is used to create server sockets. Creating an instance of SSLSocket can be done in two ways: 1. As an instance of SSLSocketFactory by invoking one of the createSocket methods on that class 2. Through the accept method on the SSLServerSocket

24 Softsmith Infotech Programming with JSSE(Ctd..) SSLSocketFactory and SSLServerSocketFactory The javax.net.ssl.SSLSocketFactory class is an object factory for creating secure sockets, and the javax.net.ssl.SSLServerSocketFactory is an object factory for creating server sockets. An SSLSocketFactory instance can be obtained in two ways 1.Get the default factory by calling SSLSocketFactory.getDefault. 2. Construct a new factory with specified configured behavior

25 Softsmith Infotech Making Existing Client/Server Applications Secure Incorporating SSL into existing client/server applications to make them secure can be easily done using a few lines of JSSE code. The lines highlighted in bold in the following example show the code necessary to make a server secure : import java.io.*; import javax.net.ssl.*; public class Server { int port = portNumber; SSLServerSocket server; try { SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber); SSLSocket client = (SSLSocket) server.accept(); // Create input and output streams as usual // send secure messages to client through the // output stream // receive secure messages from client through // the input stream } catch(Exception e) { } }

26 Softsmith Infotech Making Existing Client/Server Applications Secure The lines highlighted in bold in the following example show the code necessary to make a client secure import java.io.*; import javax.net.ssl.*; public class Client {. try { SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber); SSLSocket client = (SSLSOcket) factory.createSocket(serverHost, port); // Create input and output streams as usual // send secure messages to server through the // output stream receive secure // messages from server through the input stream } catch(Exception e) { } }

27 Softsmith Infotech SSL Support inTomcat To implement SSL on Tomcat you need the following installed : - JSSE (Java Secure Socket Extension). package installed – Server certificate keystore – An HTTPS connector

28 Softsmith Infotech Configure SSL Connector After the Server certificate is generated using keytool as shown above,Tomcat needs to be configured for SSL By default, an SSL HTTPS Connector is not enabled in Tomcat. SSL HTTPS Connector on port 8443 can be enabled & configured in one of two methods – via Admintool – Modify server.xml Restart Tomcat

29 Softsmith Infotech Verify SSL Support The next step is verifying if SSL is configured correctly. For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL: https://localhost:8443/ The https in this URL indicates that the browser should be using the SSL protocol. The port of 8443 is where the SSL Connector was configured in the previous step

30 Softsmith Infotech Verify SSL Support Screen Display

31 Softsmith Infotech Verify SSL Support Screen Display of Certificate

32 Softsmith Infotech Tips on running SSL The SSL protocol is designed to be as efficient as securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint. It is not necessary to run an entire web application over SSL, Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted

33 Softsmith Infotech SSL Drawbacks The problems associated with SSL are It prevents caching. Using SSL imposes greater overheads on the server and the client. Some firewalls and/or web proxies may not allow SSL traffic. There is a financial cost associated with gaining a Certificate for the server/subject device

34 Softsmith Infotech Common Security Problems Unvalidated Parameters.: –Information from web request is not validated before used by a web application.Attackers can use these flaws to attack backend components through a web application.

35 Softsmith Infotech Common Security Problems Broken Access Control: –Restriction on what authenticated users allowed to do are not properly enforced. –Attackers can exploit these flaws to access other users accounts view sensitive files, or use unauthorized functions.

36 Softsmith Infotech Common Security Problems Broken Account and session Management. Cross-Site scripting Flaws –The web application can be used as a mechanism to transport an attack to an end user’s browsers.

37 Softsmith Infotech Common Security Problems Buffer Overflows: –Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of process. –These components can include CGI,libraries,drivers and web application server components.

38 Softsmith Infotech Common Security Problems Error Handling Problems: –Error Conditions that occur during normal operation are not handled properly. –If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information,deny service, cause security mechanisms to fail, or crash the server.

39 Softsmith Infotech Common Security Problems Remote Administration Flaws: –Many web application allow administrators to access the site using a web interface. –If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.

40 Softsmith Infotech Using a Firewall A firewall can be software,hardware or a combination of both. They are different types: proxy servers, packet filters. Play a key role in protecting Tomcat.

Download ppt "Softsmith Infotech Secure Socket Layer (SSL) and Tomcat."

Similar presentations

Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
CP3397 ECommerce.

CP3397 ECommerce.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SSL (Secure Socket Layer)

SSL (Secure Socket Layer)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
1 Internet and Intranet Protocols and Applications Lecture 9b: How Java Supports SSL March, 2004 Arthur Goldberg Computer Science Department New York University.

1 Internet and Intranet Protocols and Applications Lecture 9b: How Java Supports SSL March, 2004 Arthur Goldberg Computer Science Department New York University.

Similar presentations

Ads by Google