The Secure Sockets Layer (SSL) protocol provides transport layer
security with authenticity, integrity, and confidentiality, for a secure connection between a client and server in WebSphere Application Server. The protocol runs above TCP/IP and below application protocols such as Hypertext Transfer Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), and Internet Inter-ORB Protocol (IIOP), and provides trust and privacy for the transport data.
Depending upon the SSL configurations of both the client and server, various levels of trust, data integrity, and privacy can be established. Understanding the basic operation of SSL is very important to proper configuration and to achieve the required protection level for both client and application data.
Some of the security features that are provided by SSL are data encryption to prevent the exposure of sensitive information while data flows. Data signing prevents unauthorized modification of data while data flows. Client and server authentication ensures that you talk to the appropriate person or machine. SSL can be effective in securing an enterprise environment.
SSL is used by multiple components within WebSphere Application Server to provide trust and privacy. These components are the built-in HTTP transport, the Object Request Broker (ORB), and the secure LDAP client.
Figure 1. SSL and WebSphere Application Server In this figure:
WebSphere Application Server and the IBM Java Secure Socket Extension (IBMJSSE and IBMJSSE2) providers The SSL implementations that are used by WebSphere Application Server are the IBM Java Secure Sockets Extension (IBMJSSE) and the IBM Java Secure Sockets Extension 2 (IBMJSSE2). The IBMJSSE and IBMJSSE2 providers contain a reference implementation supporting SSL and Transport Layer Security (TLS) protocols and an application programming interface (API) framework. The IBMJSSE and IBMJSSE2 providers also come with a standard provider, which supplies Rivest Shamir Adleman (RSA) support for the signature-related J2EE Connector Architecture (J2CA) features of the Java 2 Platform, common SSL and TLS cipher suites, hardware cryptographic token device, X.509-based key and trust managers, and PKCS12 implementation for a J2CA keystore. A graphical tool called Key Management Tool (iKeyman) also is provided to manage digital certificates. With this tool, you can create a new key database or a test digital certificate, add certificate authority (CA) roots to the database, copy certificates from one database to another as well as request and receive a digital certificate from a CA.
Important: The HTTP and JMS transports utilize the transport channel service for asynchronous I/O. This framework requires the use of IBMJSSE2 provider for SSL. Any provider you specify other than the IBMJSSE2 provider in the SSL repertoire is ignored and the IBMJSSE2 provider is used. Other SSL transports such as IIOP over SSL and LDAP over SSL utilize the provider you specify in the SSL repertoire configuration. Configuring the JSSE provider is very similar to configuring most other SSL implementations (for example, GSKit); however, a couple of differences are worth noting.
Certain limitations exist with the Java Secure Socket Extension (JSSE) provider:
Tested for SSL clients | Tested for SSL clients or servers |
---|---|
IBM Security Kit Smartcard | IBM 4758-23 |
GemPlus Smartcards | IBM 4758-23 |
Rainbow iKey 1000/2000(USB "Smartcard" device) | IBM 4758-23 |
WebSphere Application Server and the Federal Information Processing Standards for Java Secure Socket Extension and Java Cryptography Extension providers
The Federal Information Processing Standards (FIPS)-approved Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE) providers are optional in WebSphere Application Server. By default, the FIPS-approved JSSE and JCE providers are disabled. When these providers are enabled, WebSphere Application Server uses FIPS-approved cryptographic algorithms in the IBMJCEFIPS provider package only.
Important: The IBMJCEFIPS module is a FIPS 140-2-approved cryptographic provider. For more information on the FIPS certification process and to check the status of the IBM submission, refer to Cryptographic Module Validation Program FIPS 140-1 and FIPS
140-2 Pre-validation List Web site.
Sub-topics
Authenticity
Confidentiality
Integrity
Digital certificates
Network communication using Secure Sockets Layer and the Transport Channel Service
Related information
FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List