Softsmith Infotech Secure Socket Layer (SSL) and Tomcat

Softsmith Infotech What is SSL SSL stands for Secure Socket Layer. Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection

Softsmith Infotech Secure Socket Layer (SSL) Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. Responsible for the emergence of e-commerce, other security sensitive services on the web

Softsmith Infotech The SSL Protocol The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP

Softsmith Infotech Why SSL SSL addresses the following important security considerations. Authentication: During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. Confidentiality: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential. Integrity: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.

Softsmith Infotech What SSL Provides Confidentiality (Privacy) Data integrity (Tamper-proofing) Server authentication

Softsmith Infotech SSL KEY EXCHANGE STEPS SSL client connects to an SSL server Server then sends its own certificate that contains its public key Client then creates a random key (premaster key) and uses server's public key to encrypts it

Softsmith Infotech SSL KEY EXCHANGE STEPS (ctd..) Client then sends encrypted premaster key to the server Server then decrypts it and uses decrypted premaster key to create secret session key Now both client and server uses secret session key for further communication

Softsmith Infotech SSL and Authentication Server Authentication: Server needs to provide its own certificate to a client in order to authenticate itself to the client A Web server typically has a CA-signed certificate and it provides it to its clients Client Authentication: Client needs to provide its own certificate to a server in order to authenticate itself to the server Mutual Authentication

Softsmith Infotech SSL and Web-tier Security Encrypted password move from the browser to the web server Encrypted data move between the browser and the web server Server authentication – Done before encrypted data transfer occurs Client Authentication – Not used in most cases

Softsmith Infotech What is a Certificate (Ctd..) A certificate is cryptographically signed and is practically impossible for anyone else to forge A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign

Softsmith Infotech What is Server Certificate? A server certificate is a container that contains server's public key and other miscellaneous information Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections.This provides some kind of reasonable assurance that its owner is who you think it is

Softsmith Infotech Why Server Certificate is Needed? Server Certificate enables Server Authentication Server sends server certificate as part of SSL key handshake HTTPS service of Tomcat would not work unless a server certificate is installed Verifies the server's identity to the client, before receiving any sensitive information

Softsmith Infotech Creating a Server Certificate(ctd) To create a server certificate follow these steps: 1) Create the keystore. 2) Export the certificate from the keystore. 3) Sign the certificate. 4) Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate

Softsmith Infotech Generate the server certificate To generate the certificate, run the keytool utility as follows JAVA_HOME>\bin\ keytool -genkey -keyalg RSA -alias tomcat -keystore localhost.jks When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code

Softsmith Infotech Generate the server certificate(Ctd) Screen Display

Softsmith Infotech Export the certificate from the keystore. Export the generated server certificate in keystore.jks into the file server.cer. \bin\keytool -export -alias tomcat storepass changeit -file server.cer -keystore localhost.jks

Softsmith Infotech Export the certificate from the keystore(Ctd..) Screen Display

Softsmith Infotech Signing Digital Certificates After a digital certificate is created, they are signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte. If authentication is not really a concern,use the self-signed certificate

Softsmith Infotech Importing certificate into trust-store To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool with following parameters \bin\keytool -import -v -trustcacerts -alias server-alias -file server.cer - keystore cacerts.jks -keypass changeit - storepass changeit

Softsmith Infotech Importing certificate into trust-store Information on the certificate, such as that shown next, will display

Softsmith Infotech Programming with JSSE The Java Secure Socket Extension (JSSE) provides a framework and a Java implementation of the SSL and TLS protocols It provides mechanisms for data encryption, server authentication, message integrity, and optional client authentication. The JSSE APIs supplement the java.security and java.net packages by providing extended networking socket classes, trust and key managers, and a socket factory framework for encapsulating socket creation behavior. These classes are included in the packages javax.net and javax.net.ssl.

Softsmith Infotech Programming with JSSE(Ctd.) SSLSocket and SSLServerSocket The javax.net.ssl.SSLSocket is a subclass of the java.net.Socket class. Therefore, it supports all the standard Socket methods and adds additional methods specific to secure sockets. The javax.net.ssl.SSLServerSocket class is analogous to the SSLSocket class except that it is used to create server sockets. Creating an instance of SSLSocket can be done in two ways: 1. As an instance of SSLSocketFactory by invoking one of the createSocket methods on that class 2. Through the accept method on the SSLServerSocket

Softsmith Infotech Programming with JSSE(Ctd..) SSLSocketFactory and SSLServerSocketFactory The javax.net.ssl.SSLSocketFactory class is an object factory for creating secure sockets, and the javax.net.ssl.SSLServerSocketFactory is an object factory for creating server sockets. An SSLSocketFactory instance can be obtained in two ways 1.Get the default factory by calling SSLSocketFactory.getDefault. 2. Construct a new factory with specified configured behavior

Softsmith Infotech Making Existing Client/Server Applications Secure Incorporating SSL into existing client/server applications to make them secure can be easily done using a few lines of JSSE code. The lines highlighted in bold in the following example show the code necessary to make a server secure : import java.io.*; import javax.net.ssl.*; public class Server { int port = portNumber; SSLServerSocket server; try { SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber); SSLSocket client = (SSLSocket) server.accept(); // Create input and output streams as usual // send secure messages to client through the // output stream // receive secure messages from client through // the input stream } catch(Exception e) { } }

Softsmith Infotech Making Existing Client/Server Applications Secure The lines highlighted in bold in the following example show the code necessary to make a client secure import java.io.*; import javax.net.ssl.*; public class Client {. try { SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber); SSLSocket client = (SSLSOcket) factory.createSocket(serverHost, port); // Create input and output streams as usual // send secure messages to server through the // output stream receive secure // messages from server through the input stream } catch(Exception e) { } }

Softsmith Infotech SSL Support inTomcat To implement SSL on Tomcat you need the following installed : - JSSE (Java Secure Socket Extension). package installed – Server certificate keystore – An HTTPS connector

Softsmith Infotech Configure SSL Connector After the Server certificate is generated using keytool as shown above,Tomcat needs to be configured for SSL By default, an SSL HTTPS Connector is not enabled in Tomcat. SSL HTTPS Connector on port 8443 can be enabled & configured in one of two methods – via Admintool – Modify server.xml Restart Tomcat

Softsmith Infotech Verify SSL Support The next step is verifying if SSL is configured correctly. For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL: The https in this URL indicates that the browser should be using the SSL protocol. The port of 8443 is where the SSL Connector was configured in the previous step

Softsmith Infotech Verify SSL Support Screen Display

Softsmith Infotech Verify SSL Support Screen Display of Certificate

Softsmith Infotech Tips on running SSL The SSL protocol is designed to be as efficient as securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint. It is not necessary to run an entire web application over SSL, Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted

Softsmith Infotech SSL Drawbacks The problems associated with SSL are It prevents caching. Using SSL imposes greater overheads on the server and the client. Some firewalls and/or web proxies may not allow SSL traffic. There is a financial cost associated with gaining a Certificate for the server/subject device

Softsmith Infotech Common Security Problems Unvalidated Parameters.: –Information from web request is not validated before used by a web application.Attackers can use these flaws to attack backend components through a web application.

Softsmith Infotech Common Security Problems Broken Access Control: –Restriction on what authenticated users allowed to do are not properly enforced. –Attackers can exploit these flaws to access other users accounts view sensitive files, or use unauthorized functions.

Softsmith Infotech Common Security Problems Broken Account and session Management. Cross-Site scripting Flaws –The web application can be used as a mechanism to transport an attack to an end user’s browsers.

Softsmith Infotech Common Security Problems Buffer Overflows: –Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of process. –These components can include CGI,libraries,drivers and web application server components.

Softsmith Infotech Common Security Problems Error Handling Problems: –Error Conditions that occur during normal operation are not handled properly. –If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information,deny service, cause security mechanisms to fail, or crash the server.

Softsmith Infotech Common Security Problems Remote Administration Flaws: –Many web application allow administrators to access the site using a web interface. –If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.

Softsmith Infotech Using a Firewall A firewall can be software,hardware or a combination of both. They are different types: proxy servers, packet filters. Play a key role in protecting Tomcat.