Sun Java System Web Server 7.0 Update 5 Administrator's Guide

Enabling Security For HTTP Listener

Note –

Security can be enabled for the HTTP listener only when there are available installed certificates.

Once you have a certificate, you can associate the certificate with a HTTP Listener and thus secure the server.

Encryption is the process of transforming information so it is meaningless to anyone except the intended recipient. Decryption is the process of transforming encrypted information so that it is meaningful again. Web Server includes support for SSL and TLS protocols.

A cipher is a cryptographic algorithm (a mathematical function), used for encryption or decryption. SSL and TLS protocols contain numerous cipher suites. Some ciphers are stronger and more secure than others. Generally speaking, the more bits a cipher uses, the harder it is to decrypt the data.

In any two-way encryption process, both parties must use the same ciphers. Because a number of ciphers are available, you need to enable your server for those most commonly used.

During a secure connection, the client and the server agree to use the strongest cipher they can both have for communication. You can choose ciphers from the SSL2, SSL3, and TLS protocols.

Note –

Improvements to security and performance were made after SSL version 2.0; you should not use SSL 2 unless you have clients that are not capable of using SSL 3. Client certificates are not guaranteed to work with SSL 2 ciphers.

The encryption process alone isn’t enough to secure your server’s confidential information. A key must be used with the encrypting cipher to produce the actual encrypted result, or to decrypt previously encrypted information. The encryption process uses two keys to achieve this result: a public key and a private key. Information encrypted with a public key can be decrypted only with the associated private key. The public key is published as part of a certificate; only the associated private key is safeguarded.

Web Server supports the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocols for encrypted communication. SSL and TLS are application independent, and higher level protocols can be layered transparently on them.

SSL and TLS protocols support a variety of ciphers used to authenticate the server and client to each other, to transmit certificates, and to establish session keys. Clients and servers may support different cipher suites, or sets of ciphers, depending on factors such as which protocol they support, company policies on encryption strength, and government restrictions on export of encrypted software. Among other functions, the SSL and TLS handshake protocols determine how the server and client negotiate which cipher suites they will use to communicate.

Click theConfigurations > HTTP Listeners > Security tab to edit the HTTP Listeners security settings. The following table lists the properties that you can configure in this page.

Table 6–1 HTTP Listener Security Properties




Name of the HTTP Listener. 


Enable/Disable security for the selected HTTP Listener. 


Select the server certificate from the available certificates. You should have installed either a RSA or ECC certificate for performing this action. 

Client Authentication

Specifies whether the client authentication is required or optional. Select False option to disable client authentication. 

Authentication Timeout

Timeout after which client authentication handshake fails. [0.001–3600]. The default value is 60 seconds.

Maximum Authentication Data

Maximum amount of authentication data to buffer. [0–2147.0483647.0]. The default value is 104857.06.

SSL Version 2/Version 3

Enable/Disable SSL Version 2/ SSL Version 3. 


Enable/Disable TLS. Detect version rollbacks is enabled by default. This configures the server to detect man-in-the-middle version rollback attack attempts. Disabling this may be required for interoperability with some clients that incorrectly implement the TLS specification.

SSL3/SSL2/TLS Ciphers

To protect the security of your web server, you should enable SSL. You can enable the SSL 2.0, SSL 3.0, and TLS encryption protocols and select the various cipher suites. SSL and TLS can be enabled on the HTTP Listener for the Administration Server.

The default settings allow the most commonly used ciphers. Unless you have a compelling reason why you do not want to use a specific cipher suite, you should allow them all.