Secure communications using SSL

The SSL protocol provides transport layer security including authenticity, data signing, and data encryption to ensure a secure connection between a client and server that uses WebSphere Application Server. The foundation technology for SSL is public key cryptography, which guarantees that when an entity encrypts data using its public key, only entities with the corresponding private key can decrypt that data.

WAS uses JSSE as the SSL implementation for secure connections. JSSE is part of the Java 2 Standard Edition (J2SE) specification and is included in the IBM implementation of the Java Runtime Extension (JRE). JSSE handles the handshake negotiation and protection capabilities provided by SSL to ensure secure connectivity exists across most protocols. JSSE relies on X.509 certificate-based asymmetric key pairs for secure connection protection and some data encryption. Key pairs effectively encrypt session-based secret keys that encrypt larger blocks of data. The SSL implementation manages the X.509 certificates.

WAS ships Java SE7. By default Java SE 7 enables Server Name Indication (SNI). SNI is an extension to the TLS protocol. SNI allows a client to specify the hostname it is attempting to connect to. Exceptions are thrown if the certificate returned does not match the expected hostname.

In some proxy environments this will cause errors. The client is expecting to receive the proxy's certificate, but instead receives the certificate of endpoint server.

See also: WebSphere SSL Video Tutorials.

Manage X.509 certificates

Secure communications for WAS require digitally-signed X.509 certificates. The contents of an X.509 certificate, such as its distinguished name and expiration, are either...

• signed by a certificate authority (CA)
• signed by a root certificate in NodeDefaultRootStore or DmgrDefaultRootStore
• self-signed

When a trusted CA signs an X.509 certificate, WAS identifies the certificate and freely distributes it. A certificate must be signed by a CA because the certificate represents the identity of an entity to the general public. Server-side ports that accept connections from the general public must use CA-signed certificates. Most clients or browsers already have the signer certificate that can validate the X.509 certificate so signer exchange is not necessary for a successful connection.

We can trust the identity of a self-signed X.509 certificate only within a peer in a controlled environment, such as internal network communications, accepts the signer certificate. To complete a trusted handshake, first send a copy of the entity certificate to every peer that connects to the entity.

CA, chained, and self-signed X.509 certificates reside in Java keystores. JSSE provides a reference to the keystore in which a certificate resides. We can select from many types of keystores, including Java Cryptographic Extension (JCE)-based and hardware-based keystores. Typically, each JSSE configuration has two Java keystore references: a keystore and a truststore. The keystore reference represents a Java keystore object that holds personal certificates. The truststore reference represents a Java keystore object that holds signer certificates.

A personal certificate without a private key is an X.509 certificate that represents the entity that owns it during a handshake. Personal certificates contain both public and private keys. A signer certificate is an X.509 certificate that represents a peer entity or itself. Signer certificates contain just the public key and verify the signature of the identity that is received during a peer-to-peer handshake.

See Add the correct SSL Signer certificates to the plug-in keystore

For more information about keystores, see Keystore configurations for SSL.

Signer exchange

When we configure an SSL connection, we can exchange signers to establish trust in a personal certificate for a specific entity. Signer exchange enables us to extract the X.509 certificate from the peer keystore and add it into the truststore of another entity so that the two peer entities can connect. The signer certificate also can originate from a CA as a root signer certificate or a chained certificate's root signer certificate or an intermediate signer certificate. We can also extract a signer certificate directly from a self-signed certificate, which is the X.509 certificate with the public key.

Figure 1 illustrates a hypothetical keystore and truststore configuration. An SSL configuration determines which entities can connect to other entities, and the peer connections that are trusted by an SSL handshake. If we do not have the necessary signer certificate, the handshake fails because the peer cannot be trusted.

Figure 1. Signer exchange

In this example, the truststore for Entity A contains three signers. Entity A can connect to any peer as long as one of the three signers validates its personal certificate. For example, Entity A can connect to Entity B or Entity C because the signers can trust both signed personal certificates. The truststore for Entity-B contains one signer. Entity B is able to connect to Entity C only, and only when the peer endpoint is using certificate Entity-C Cert 1 as its identity. The ports that use the other personal certificate for Entity C are not trusted by Entity B. Entity C can connect to Entity A only.

In the example, the self-signed configuration seems to represent a one-to-one relationship between the signer and the certificate. However, when a CA signs a certificate, it typically signs many at a time. The advantage of using a single CA signer is that it can validate personal certificates generated by the CA for use by peers. However, if the signer is a public CA, the signed certificates might have been generated for another company other than your target entity. For internal communications, private CAs and self-signed certificates are preferable to public CAs because they allow us to isolate the connections to occur and prevent those that we do not want to occur.

SSL configurations

An SSL configuration comprises a set of configuration attributes that we can associate with an endpoint or set of endpoints in the WAS topology. The SSL configuration enables us to create an SSLContext object, which is the fundamental JSSE object that the server uses to obtain SSL socket factories. We can manage the following configuration attributes:

• An alias for the SSLContext object
• A handshake protocol version
• A keystore reference
• A truststore reference
• A key manager
• One or more trust managers
• A security level selection of a cipher suite grouping or a specific cipher suite list
• A certificate alias choice for client and server connections

To understand the specifics of each SSL configuration attribute, see SSL configurations.

WebSphere does not allow the RC4 cipher suites in the HIGH cipher list to keep the server more secure by default. It is possible an RC4 cipher was being used by default in SSL handshakes before this change. With the removal of the RC4 ciphers, it is likely an AES cipher is used instead. Users can experience a decrease in performance with the use of more secure AES ciphers.

Select SSL configurations

Programmatic selection

We can set an SSL configuration on the running thread prior to an outbound connection. WAS ensures that most system protocols, including Internet Inter-ORB Protocol (IIOP), Java Message Service (JMS), Hyper Text Transfer Protocol (HTTP), and LDAP, accept the configuration.

Dynamic selection

We can associate an SSL configuration dynamically with a specific target host, port, or outbound protocol using a predefined selection criteria. When it establishes the connection, WAS checks to see if the target host and port match a predefined criteria that includes the domain portion of the host. Additionally, we can predefine the protocol for a specific outbound SSL configuration and certificate alias selection. See Dynamic outbound selection of Secure Sockets Layer configurations for more information.

Dynamic outbound selection of Secure Sockets Layer configurations is based on connection information being available for the server so that the server can match up the outbound protocol, host, or port when the creation of the client socket takes place in com.ibm.websphere.ssl.protocol.SSLSocketFactory. For WebSphere admin connectors like SOAP and RMI, connection information is placed on the thread and is available for dynamic outbound selection to take place. The dynamic outbound selection process replies on connection information being setup when SSL properties are retrieved similar to what is described in Programmatically specifying an outbound SSL configuration using JSSEHelper API.

When the outbound connection is being made from customer written applications, parts of the connection information may not be available. Some of these applications make API calls to a protocol to make the connection. The API ultimately then calls one of the createSocket() methods in com.ibm.websphere.ssl.protocol.SSLSocketFactory to complete the process. All of the connection information for dynamic outbound selection might not be available, and we may have to adjust the dynamic outbound selection connection filter and fill in an asterisk (*) for the missing part of the connection information. As an example, the openConnection() call on a URL object ultimately calls createSocket(java.net.Socket socket, String host, int port, boolean autoClose). The connection information can be built with the host and port provided, but there is no protocol provided. In this case, a wild card, asterisk (*), should be used for the protocol part of the dynamic selection connection information.

Most of the createSocket() methods take a host or IP address and a port as parameters. The dynamic outbound selection connection filter can be built with the host and port. The default method, createSocket(), without any parameters does not contain any information to build the outbound selection connection filter unless the socket factory was instantiated with connection information, If no connection information is available, then we should consider using one of the other methods of selecting an SSL configuration describes in this topic, "Programmatic selection" can be good choice.

WAS relies on host, port, and protocol information that is passed to the WAS SSL socket factory. The WAS SSL socket factory can be bypassed by configuration settings or by the application, that is:

1. The java.security file does not contain the specification for the WAS socket factory.

2. The application directly calls another socket factory.

If either (1) or (2) is the case, then the dynamic SSL outbound selection process is bypassed and the connection is not made.

Direct selection

We can select an SSL configuration using a specific alias, as in past releases. This method of selection is maintained for backwards compatibility because many applications and processes rely on alias references.

Scope selection

We can associate an SSL configuration and its certificate alias, located in the keystore associated with that SSL configuration, with a WAS management scope. This approach is recommended to manage SSL configurations centrally. We can manage endpoints more efficiently because they are located in one topology view of the cell. The inheritance relationship between scopes reduces the number of SSL configuration assignments that we must set.

Each time we associate an SSL configuration with a cell scope, the node scope within the cell automatically inherits the configuration properties. However, when we assign an SSL configuration to a node, the node configuration overrides the configuration that the node inherits from the cell. Similarly, all of the application servers for a node automatically inherit the SSL configuration for that node unless we override these assignments. Unless we override a specific configuration, the topology relies on the rules of inheritance from the cell level down to the endpoint level for each application server.

If the applications are relying on SSL configurations set as individual settings for each SSL configuration in the topology, but the application servers have inherited the SSL configuration as deployed from the cell level down to the endpoint level, then there is the possibility of communication errors occurring among servers (for example, handshake errors). We need to ensure that the applications are operating consistent with the central management of SSL configurations.

The topology view displays an inbound tree and outbound tree. We can make different SSL configuration selections for each side of the SSL connection based on what that server connects to as an outbound connection and what the server connects to as an inbound connection. See Central management of SSL configurations for more information.

The runtime uses an order of precedence for determining which SSL configuration to choose because we have many ways to select SSL configurations. Consider the following order of precedence when we select a configuration approach:

1. Programmatic selection. If an application sets an SSL configuration on the running thread using the com.ibm.websphere.ssl.JSSEHelper API, the SSL configuration is guaranteed the highest precedence.
2. Dynamic selection criteria for outbound host and port or protocol.
3. Direct selection.
4. Scope selection. Scope inheritance guarantees that the endpoint selected is associated with an SSL configuration and is inherited by every scope beneath it that does not override this selection.

Default chained certificate configuration

By default, WAS creates a unique chained certificate for each node. The chained certificate is signed with a root, a self-signed certificate stored in the DmgrDefaultRootStore or NodeDefaultRootStore. WAS no longer relies on a self-signed certificate or the default or dummy certificate shipped with the product. The key.p12 default keystore and the trust.p12 truststore are stored in the configuration repository within the node directory. The default root certificate is stored in the root-key.p12 in the configuration repository under the node directory.

All of the nodes put their signer certificates from the default root certificate in this common truststore (trust.p12). Additionally, after federating a node, the default SSL configuration is automatically modified to point to the common truststore, located in the cell directory. The node can now communicate with all other servers in the cell.

All default SSL configurations contain a keystore with the name suffix DefaultKeyStore, a truststore with the name suffix DefaultTrustStore and a rootstore with the name suffix DefaultRootStore. These default suffixes instruct the WAS runtime to add the root signer of the personal certificate to the common truststore. If a truststore name does not end with DefaultKeyStore, the keystores root signer certificates are not added to the common truststore when we federate the server. We can change the default SSL configuration, but ensure that the correct trust is established for administrative connections, among others.

See Default chained certificate configuration in SSL (Dist) and (Dist) Web server plug-in default configuration in SSL.

Certificate expiration monitoring

Certificate monitoring ensures that the default chained certificate for each node is not allowed to expire. The certificate expiration monitoring function issues a warning before certificates and signers are set to expire. Those certificates and signers located in keystores managed by the WAS configuration can be monitored. We can configure the expiration monitor to automatically replace a certificate. A chained certificate will be recreated based on the same data used for the initial creation and sign it with the same root certificate that signed the original certificate. A self-signed certificate or chained certificate is also recreated based upon the same data used for the initial creation.

The monitor also can automatically replace old signers with the signers from the new chained or self-signed certificates in keystores managed by WAS. The existing signer exchanges that occurred by the runtime during federation and by administration are preserved. See Certificate expiration monitoring in SSL.

The expiration monitor is configured to replace chained personal certificates signed by a root certificate in DmgrDefaultRootStore or NodeDefaultRootStore. The certificate is renewed using the same root certificate used to sign the original certificate.

The monitor also can automatically replace old signers with the signers from the new self-signed certificates in keystores managed by WAS. The existing signer exchanges that occurred by the runtime during federation and by administration are preserved. See Certificate expiration monitoring in SSL.

WAS clients: signer-exchange requirements

A new chained certificate is generated for each node during its initial startup. To ensure trust, clients must be given the root signers to establish a connection. The introduction of chained certificates in the current release makes this process simpler. Rather than exchanging the signer of a short lived self-signed certificate, we can exchange the long lived root signer which will allow for preserved trust across personal certificate renewals. In addition, we can gain access to the signer certificates of various nodes to which the client must connect with any one of the following options (for more information, see Secure installation for client signer retrieval in SSL):

• A signer exchange prompt enables us to import signer certificates that are not yet present in the truststores during a connection to a server.

  By default, this prompt is enabled for administrative connections and can be enabled for any client SSL configuration. When this prompt is enabled, any connection made to a server where the signer is not already present offers the signer of the server along with the certificate information and a Secure Hash Algorithm (SHA) digest of the certificate for verification. The user is given a choice whether to accept these credentials. If the credentials are accepted, the signer is added to the truststore of the client until the signer is explicitly removed. The signer exchange prompt does not occur again when connecting to the same server unless the personal certificate changes.

  It is unsafe to trust a signer exchange prompt without verifying the SHA digest. An unverified prompt can originate from a browser when a certificate is not trusted.

• We can run a retrieveSigners administrative script from a client prior to making connections to servers.

  To download signers, no administrative authority is required. To upload signers, we must have Administrator role authority. The script downloads all of the signers from a specified server truststore into the specified client truststore and can be called to download only a specific alias from a truststore. We can also call the script to upload signers to server truststores. When we select the CellDefaultTrustStore truststore as the specified server truststore and common truststore for a cell, all of the signers for that cell are downloaded to the specified client truststore, which is typically ClientDefaultTrustStore.

• We can physically distribute to clients the trust.p12 common truststore located in the cell directory of the configuration repository.

  When doing this distribution, however, ensure that the correct password has been specified in the ssl.client.props client SSL configuration file. The default password for this truststore is WebAS. Change the default password prior to distribution. Physical distribution is not as effective as the previous options. When changes are made to the personal certificates on the server, automated exchange can fail.

Dynamic SSL configuration changes

The SSL runtime for WAS maintains listeners for most SSL connections. A change to the SSL configuration causes the inbound connection listeners to create a new SSLContext object. Existing connections continue to use the current SSLContext object. Outbound connections automatically use the new configuration properties when they are attempted.

Make dynamic changes to the SSL configuration during off-peak hours to reduce the possibility of timing-related problems and to prevent the possibility of the server starting again. If we enable the runtime to accept dynamic changes, then change the SSL configuration and save the security.xml file. Your changes take effect when the new security.xml file reaches each node.

If configuration changes cause SSL handshake failures, administrative connectivity failures also can occur, which can lead to outages. In this case, re-configure the SSL connections then perform manual node synchronization to correct the problem. We must carefully complete any dynamic changes. IBM recommends that we perform changes to SSL configurations on a test environment prior to making the same changes to a production system. See Dynamic configuration updates in SSL.

Built-in certificate management

Certificate management that is comparable to iKeyMan functionality is now integrated into the keystore management panels of the administrative console. Use built-in certificate management to manage personal certificates, certificate requests, and signer certificates located in keystores. Additionally, we can remotely manage keystores. For example, we can manage a file-based keystore located outside the configuration repository on any node from the deployment manager. We also can remotely manage hardware cryptographic keystores from the deployment manager.

With built-in certificate management, we can replace a chained or self-signed certificate along with all of the signer certificates scattered across many truststores and retrieve a signer from a remote port by connecting to the remote SSL host and port and intercepting the signer during the handshake. The certificate is first validated according to the certificate SHA digest, then the administrator must accept the validated certificate before it can be placed into a truststore.

When we make a certificate request, we can send it to a certificate authority (CA). When the certificate is returned, we can accept it within the administrative console. See Certificate management in SSL.

Tip: Although iKeyMan functionality still ships with WAS, configure keystores from the administrative console using the built-in certificate management functionality. iKeyMan is still an option when it is not convenient to use the administrative console. See Certificate management using iKeyman prior to SSL.

AdminTask configuration management

The SSL configuration management panels in the administrative console rely primarily on administrative tasks, which are maintained and enhanced to support the administrative console function. Use wsadmin commands from a Java console prompt to automate the management of keystores, SSL configurations, certificates, and so on.

Subtopics

• SSL configurations
  
• Keystore configurations for SSL
  
• Dynamic outbound selection of Secure Sockets Layer configurations
  
• Central management of SSL configurations
  
• Secure Sockets Layer node, application server, and cluster isolation
  
• Certificate options during profile creation
  
• Default chained certificate configuration in SSL
  
• Dynamic configuration updates in SSL
  
• Management scope configurations
  
• Certificate management using iKeyman prior to SSL
  
• Certificate management in SSL
  
• Use the retrieveSigners command in SSL to enable server to server trust
  

Related:

Trust manager control of X.509 certificate trust decisions

Key manager control of X.509 certificate identities

Programmatically specifying an outbound SSL configuration using JSSEHelper API