Sun Java System Web Server 6.1 SP12 Administrator's Guide

Setting Security Preferences

Once you have a certificate, you can begin securing your server. Several security elements are provided by Sun Java System Web Server.

Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again. The Sun Java System Web Server 6.1 supports SSL and TLS encryption protocols.

A cipher is a cryptographic algorithm (a mathematical function), used for encryption or decryption. SSL and TLS protocols contain numerous cipher suites. Some ciphers are stronger and more secure than others. Generally speaking, the more bits a cipher uses, the harder it is to decrypt the data.

In any two-way encryption process, both parties must use the same ciphers. Because a number of ciphers are available, you need to enable your server for those most commonly used.

During a secure connection, the client and the server agree to use the strongest cipher they both support. You can choose ciphers from the SSL2, SSL3, and TLS protocols.


Note –

Improvements to security and performance were made after SSL version 2.0. Do not use SSL 2 unless you have clients that are not capable of using SSL 3. Client certificates are not guaranteed to work with SSL 2 ciphers.


The encryption process alone is not enough to secure your server’s confidential information. A key must be used with the encrypting cipher to produce the actual encrypted result, or to decrypt previously encrypted information. The encryption process uses two keys to achieve this result: a public key and a private key. Information encrypted with a public key can be decrypted only with the associated private key. The public key is published as part of a certificate; only the associated private key is safeguarded.

For a description of the various cipher suites, and more information about keys and certificates, see Introduction to SSL.

To specify which ciphers your server can use, check them in the list. Unless you have a compelling reason not to use a specific cipher, you should check them all. However, you may not wish to enable ciphers with less than optimal encryption.


Caution –

Do not select “No Encryption, only MD5 message authentication”. If no other ciphers are available on the client side, the server uses this setting by default and no encryption will occur.


SSL and TLS Protocols

The Sun Java System Web Server 6.1 supports the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocols for encrypted communication. SSL and TLS are application independent, and higher level protocols can be layered transparently on them.

SSL and TLS protocols support a variety of ciphers used to authenticate the server and client to each other, transmit certificates, and establish session keys. Clients and servers can support different cipher suites, or sets of ciphers, depending on factors such as which protocol they support, company policies on encryption strength, and government restrictions on export of encrypted software. Among other functions, the SSL and TLS handshake protocols determine how the server and client negotiate which cipher suites they will use to communicate.

Procedure To Communicate with LDAP Using SSL

You should require your Administration Server to communicate with LDAP using SSL. To enable SSL on your Administration Server, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Configure Directory Service link.

  3. Select Yes to use Secure Sockets Layer (SSL) for connections.

  4. Click Save Changes.

  5. Click OK to change your port to the standard port for LDAP over SSL.

Enabling Security for Listen Sockets

You can secure your server’s listen sockets by:

Turning Security On

You must turn security on before you can configure the other security settings for your listen socket. You can turn security on when you create a new listen socket, or when you edit an existing listen socket.

Procedure To Turn Security On When Creating a Listen Socket

To turn security on when creating a new listen socket, perform the following steps:

  1. Access the Server Manager and select the server instance the listen socket will be created in from the drop-down list.

  2. Select the Preferences tab.

  3. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page is displayed.

  4. Click the New button.

    The Add Listen Socket page is displayed.

  5. Enter the required information and select a default virtual server.

  6. To turn security on, select Enabled from the Security drop-down list.

  7. Click OK.

  8. Click Apply, and then Restart for changes to take effect.


    Note –

    You must use the Edit Listen Sockets link to configure the security settings after a listen socket is created.


Procedure To Turn Security On When Editing a Listen Socket

You can also turn security on when editing a listen socket from either the Administration Server or the Server Manager. To turn security on when editing a listen socket, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Security tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Select the Preferences tab, if not already displayed.

  3. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page displays.

  4. To edit a listen socket, click the Listen Socket ID of the listen socket you want to edit.

    The Edit Listen Socket page displays.

  5. To turn security on for the listen socket, select Enabled from the Security drop-down list.

  6. Click OK.

  7. For the Server Manager, click Apply.

  8. Restart for changes to take effect.

Procedure To Select a Server Certificate for a Listen Socket

You can configure listen sockets in either the Administration Server or the Server Manager to use server certificates you have requested and installed.


Note –

You must have at least one certificate installed.


To select a server certificate for your listen socket to use, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Preferences tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page is displayed.

  3. To edit a listen socket, click the Listen Socket ID of the listen socket you want to edit.

    The Edit Listen Socket page is displayed.

  4. To turn security on for the listen socket, select Enabled from the Security drop-down list.


    Note –

    If you have an external module installed, the Manage Server Certificates page appears requiring the external module’s password before you can continue.


  5. Select a server certificate from the drop-down Server Certificate Name list for the listen socket.

    The list contains all internal and external certificates installed.


    Note –

    If no server certificates are installed, a warning message is displayed in place of the Server Certificate Name drop-down list.


  6. Click OK.

  7. For the Server Manager, click Apply.

  8. Restart for changes to take effect.

Procedure To select ciphers

To protect the security of your web server, enable SSL. Enable the SSL 2.0, SSL 3.0, and TLS encryption protocols, and select the various cipher suites. SSL and TLS can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager will set the security preferences for all virtual servers associated with that listen socket.

If you wish to have unsecured virtual servers, they must all be configured to the same listen socket with security turned off.

The default settings allow the most commonly used ciphers. You should allow them all unless you have a specific reason not to use a particular cipher suite. For more information regarding specific ciphers, see Introduction to SSL.


Note –

You must have at least one certificate installed.


The default and recommended setting for the tlsrollback parameter is true. This configures the server to detect man-in-the-middle version rollback attack attempts. Setting this value to false might be required for interoperability with some clients that incorrectly implement the TLS specification.

If you set the tlsrollback parameter to false, the connection becomes vulnerable to version rollback attacks. Version rollback attacks are a mechanism by which a third party can force a client and server to communicate using an older, less secure protocol such as SSLv2. Because there are known deficiencies in the SSLv2 protocol, failing to detect version rollback attack attempts makes it easier for a third party to intercept and decrypt encrypted connections.

To enable SSL and TLS, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Preferences tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Click the Edit Listen Sockets link.

    The Edit Listen Sockets page appears. For a secure listen socket, the Edit Listen Socket page displays the available cipher settings.


    Note –

    If Security is not enabled on the listen socket, no SSL and TLS information is listed. To work with ciphers, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.


  3. Select the checkboxes corresponding to the required encryption settings.


    Note –

    Select both TLS and SSL3 for Netscape Navigator 6.0. For TLS Rollback also select TLS, and make sure both SSL3 and SSL2 are disabled.


  4. Click OK.

  5. From the Server Manager, click Apply, and then Restart for changes to take effect.


    Note –

    When you apply changes after turning on security for a listen socket, the magnus.conf file is automatically modified to show the newly activated security feature, and all virtual servers associated with the listen socket are automatically assigned the default security parameters.


    Once you enable SSL on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server have the following format:

    https://servername.[domain.[dom]]:[port#]

    For example, https://admin.sun.com:443.

    If you use the default secure http port number (443), you don’t have to enter the port number in the URL.

Configuring Security Globally

Installing an SSL-enabled server creates directive entries in the magnus.conf file (the server’s main configuration file) for global security parameters. Security must be set to ‘on’ for virtual server security settings to work. SSL properties for virtual servers can be found on a per-server basis in the SSLPARAMS element of the server.xml file.
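After applying changes, the SSLPARAMS settings can be reviewed offline for the conditions this guide warns about (SSL 2 enabled, tlsrollback set to false). The following is an added example, not part of the product or the original guide: the function names and the sample fragment are constructed, and the attribute names security, ssl2, ssl3 and tls are assumed from the server.xml format, since only SSLPARAMS and tlsrollback are named on this page.

```python
import xml.etree.ElementTree as ET

# Boolean spellings treated as "enabled" (an assumption of this example).
TRUE_VALUES = {"on", "true", "yes", "1"}

# Constructed server.xml fragment, not taken from a real installation.
SAMPLE_SERVER_XML = """\
<SERVER>
  <LS id="ls1" port="443" security="on">
    <SSLPARAMS ssl2="off" ssl3="on" tls="on" tlsrollback="true"/>
  </LS>
  <LS id="ls2" port="8443" security="on">
    <SSLPARAMS ssl2="on" ssl3="on" tls="on" tlsrollback="false"/>
  </LS>
  <LS id="ls3" port="80" security="off"/>
  <LS id="ls4" port="9443" security="on"/>
</SERVER>
"""

def is_on(value):
    return value is not None and value.strip().lower() in TRUE_VALUES

def audit_listen_sockets(xml_text):
    """Return (listen socket id, finding) pairs for settings the guide warns about."""
    findings = []
    for ls in ET.fromstring(xml_text).iter("LS"):
        ls_id = ls.get("id", "?")
        if not is_on(ls.get("security")):
            findings.append((ls_id, "security off: no SSL/TLS on this socket"))
            continue
        params = ls.find("SSLPARAMS")
        if params is None:
            findings.append((ls_id, "security on but no SSLPARAMS element"))
            continue
        if is_on(params.get("ssl2")):
            findings.append((ls_id, "SSL 2 enabled"))
        # The guide gives true as the tlsrollback default, so only an
        # explicit false-like value switches rollback detection off.
        rollback = params.get("tlsrollback")
        if rollback is not None and not is_on(rollback):
            findings.append((ls_id, "tlsrollback disabled"))
    return findings

if __name__ == "__main__":
    for ls_id, finding in audit_listen_sockets(SAMPLE_SERVER_XML):
        print(f"{ls_id}: {finding}")
```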

To set values for your SSL configuration file directives, perform the following steps:

Procedure To set values for your SSL configuration file directives

  1. Access the Server Manager and select the server instance of the virtual server from the drop-down list.

  2. Ensure that security is enabled for the listen socket you want to configure. To enable security, perform the following steps:

    1. Click the Edit Listen Sockets link.

    2. Click the Listen Socket ID corresponding to the listen socket on which you want to enable security.

      This takes you to the Edit Listen Socket page.

    3. Select Enabled from the Security drop-down list.

    4. Click OK.

  3. Click the Magnus Editor link.

  4. Select SSL Settings from the drop-down list and click Manage.

  5. Enter the values for:

    • SSLSessionTimeout

    • SSLCacheEntries

    • SSL3SessionTimeout

  6. Click OK.

  7. Click Apply, and then Restart for changes to take effect.

    These SSL Configuration File Directives are described below:

SSLSessionTimeout

The SSLSessionTimeout directive controls SSL2 session caching.

Syntax

SSLSessionTimeout seconds

seconds is the number of seconds until a cached SSL session becomes invalid. The default value is 100. If the SSLSessionTimeout directive is specified, the value of seconds is silently constrained to be between 5 and 100 seconds.

SSLCacheEntries

Specifies the number of SSL sessions that can be cached.

SSL3SessionTimeout

The SSL3SessionTimeout directive controls SSL3 and TLS session caching.

Syntax

SSL3SessionTimeout seconds

seconds is the number of seconds until a cached SSL3 session becomes invalid. The default value is 86400 (24 hours). If the SSL3SessionTimeout directive is specified, the value of seconds is silently constrained to be between 5 and 86400 seconds.
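Because out-of-range timeouts are constrained silently, a configured value can differ from the one the server actually uses. The following added example (not part of the product or the original guide) parses magnus.conf-style "Name value" lines and reports the effective timeouts using the ranges and defaults stated above; the function names and the sample file contents are constructed.

```python
# (min, max, default) in seconds, as stated in the directive descriptions.
LIMITS = {
    "SSLSessionTimeout": (5, 100, 100),
    "SSL3SessionTimeout": (5, 86400, 86400),
}

# Constructed sample, not a real configuration file.
SAMPLE_MAGNUS_CONF = """\
# constructed sample
Security on
SSLSessionTimeout 600
SSL3SessionTimeout 3600
SSLCacheEntries 10000
"""

def parse_directives(text):
    """Parse 'Name value' lines, skipping blank lines and # comment lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def effective_timeouts(text):
    """Return {directive: (configured, effective, was_constrained)}."""
    directives = parse_directives(text)
    result = {}
    for name, (low, high, default) in LIMITS.items():
        raw = directives.get(name)
        if raw is None:
            # Directive absent: the documented default applies.
            result[name] = (None, default, False)
            continue
        configured = int(raw)
        effective = max(low, min(high, configured))
        result[name] = (configured, effective, effective != configured)
    return result

if __name__ == "__main__":
    for name, (configured, effective, constrained) in effective_timeouts(SAMPLE_MAGNUS_CONF).items():
        note = " (silently constrained)" if constrained else ""
        print(f"{name}: configured={configured} effective={effective}{note}")
```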