Sun Java System Web Server 6.1 SP12 Administrator's Guide

Enabling Security for Listen Sockets

You can secure your server’s listen sockets by turning security on, selecting a server certificate, and selecting ciphers, as described in the following procedures.

Turning Security On

You must turn security on before you can configure the other security settings for your listen socket. You can turn security on when you create a new listen socket, or when you edit an existing listen socket.

Procedure: To Turn Security On When Creating a Listen Socket

To turn security on when creating a new listen socket, perform the following steps:

  1. Access the Server Manager and select the server instance the listen socket will be created in from the drop-down list.

  2. Select the Preferences tab.

  3. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page is displayed.

  4. Click the New button.

    The Add Listen Socket page is displayed.

  5. Enter the required information and select a default virtual server.

  6. To turn security on, select Enabled from the Security drop-down list.

  7. Click OK.

  8. Click Apply, and then Restart for changes to take effect.


    Note –

    You can use the Edit Listen Sockets link to configure the security settings after a listen socket is created.


Procedure: To Turn Security On When Editing a Listen Socket

You can also turn security on when editing a listen socket from either the Administration Server or the Server Manager. To turn security on when editing a listen socket, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Security tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Select the Preferences tab, if not already displayed.

  3. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page displays.

  4. To edit a listen socket, click the Listen Socket ID of the listen socket you want to edit.

    The Edit Listen Socket page displays.

  5. To turn security on for the listen socket, select Enabled from the Security drop-down list.

  6. Click OK.

  7. For the Server Manager, click Apply.

  8. Restart for changes to take effect.

Procedure: To Select a Server Certificate for a Listen Socket

You can configure listen sockets in either the Administration Server or the Server Manager to use server certificates you have requested and installed.


Note –

You must have at least one certificate installed.


To select a server certificate for your listen socket to use, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Preferences tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Choose the Edit Listen Sockets link.

    The Edit Listen Sockets page is displayed.

  3. To edit a listen socket, click the Listen Socket ID of the listen socket you want to edit.

    The Edit Listen Socket page is displayed.

  4. To turn security on for the listen socket, select Enabled from the Security drop-down list.


    Note –

    If you have an external module installed, the Manage Server Certificates page appears requiring the external module’s password before you can continue.


  5. Select a server certificate from the drop-down Server Certificate Name list for the listen socket.

    The list contains all internal and external certificates installed.


    Note –

    If no server certificates are installed, a warning message is displayed in place of the Server Certificate Name drop-down list.


  6. Click OK.

  7. For the Server Manager, click Apply.

  8. Restart for changes to take effect.

Procedure: To Select Ciphers

To protect the security of your web server, enable SSL. Enable the SSL 2.0, SSL 3.0, and TLS encryption protocols, and select the various cipher suites. SSL and TLS can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager will set the security preferences for all virtual servers associated with that listen socket.

If you wish to have unsecured virtual servers, they must all be configured to the same listen socket with security turned off.

The default settings allow the most commonly used ciphers. You should allow them all unless you have a specific reason why you do not want to use a particular cipher suite. For more information regarding specific ciphers, see Introduction to SSL.


Note –

You must have at least one certificate installed.


The default and recommended setting for the tlsrollback parameter is true. This configures the server to detect man-in-the-middle version rollback attack attempts. Setting this value to false might be required for interoperability with some clients that incorrectly implement the TLS specification.

If you set the tlsrollback parameter to false, connections become vulnerable to version rollback attacks. Version rollback attacks are a mechanism by which a third party can force a client and server to communicate using an older, less secure protocol such as SSLv2. Because there are known deficiencies in the SSLv2 protocol, failing to detect version rollback attack attempts makes it easier for a third party to intercept and decrypt encrypted connections.

To enable SSL and TLS, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Preferences tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Click the Edit Listen Sockets link.

    The Edit Listen Sockets page appears. For a secure listen socket, the Edit Listen Socket page displays the available cipher settings.


    Note –

    If Security is not enabled on the listen socket, no SSL and TLS information is listed. To work with ciphers, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.


  3. Select the checkboxes corresponding to the required encryption settings.


    Note –

    Select both TLS and SSL3 for Netscape Navigator 6.0. For TLS Rollback also select TLS, and make sure both SSL3 and SSL2 are disabled.


  4. Click OK.

  5. From the Server Manager, click Apply, and then Restart for changes to take effect.


    Note –

    When you apply changes after turning on security for a listen socket, the magnus.conf file automatically shows the newly activated security feature, and all virtual servers associated with the listen socket are automatically assigned the default security parameters.


    Once you enable SSL on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server have the following format:

    https://servername.[domain.[dom]]:[port#]

    For example, https://admin.sun.com:443.

    If you use the default secure http port number (443), you don’t have to enter the port number in the URL.
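The following audit script is an added example, not part of this guide or the Sun product. It checks the listen socket settings this procedure configures (security on, tlsrollback, SSL2/SSL3/TLS, server certificate) against the guide's recommendations; it assumes the settings are persisted as `<LS>` elements with a nested `<SSLPARAMS>` element whose attribute names match those used below, and the server.xml fragment it reads is constructed, not taken from a real installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one hardened socket, one with weak choices, one plain http.
# Element and attribute names are assumptions about the server.xml layout.
SAMPLE_SERVER_XML = """\
<SERVER>
  <LS id="ls1" port="443" security="on" defaultvs="https-www">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl3="off"
               tls="on" tlsrollback="true"/>
  </LS>
  <LS id="ls2" port="8443" security="on" defaultvs="https-legacy">
    <SSLPARAMS servercertnickname="" ssl2="on" ssl3="on"
               tls="on" tlsrollback="false"/>
  </LS>
  <LS id="ls3" port="80" security="off" defaultvs="http-www"/>
</SERVER>
"""


def audit_listen_sockets(xml_text):
    """Return {listen socket id: [findings]}; an empty list means the socket
    follows the guide: tlsrollback true, SSL2 and SSL3 off, TLS on, and a
    server certificate selected."""
    findings = {}
    for ls in ET.fromstring(xml_text).iter("LS"):
        ls_id = ls.get("id", "?")
        if ls.get("security", "off").lower() != "on":
            # Allowed by the guide for unsecured virtual servers; report, not flag.
            findings[ls_id] = ["security off: serves unsecured virtual servers only"]
            continue
        params = ls.find("SSLPARAMS")
        if params is None:
            findings[ls_id] = ["security on but no SSLPARAMS element"]
            continue
        issues = []
        if params.get("tlsrollback", "true").lower() != "true":
            issues.append("tlsrollback=false: version rollback attempts not detected")
        if params.get("ssl2", "off").lower() == "on":
            issues.append("SSL2 enabled: known protocol deficiencies")
        if params.get("ssl3", "off").lower() == "on":
            issues.append("SSL3 enabled: disable when relying on TLS rollback detection")
        if params.get("tls", "off").lower() != "on":
            issues.append("TLS disabled")
        if not params.get("servercertnickname"):
            issues.append("no server certificate selected")
        findings[ls_id] = issues
    return findings


if __name__ == "__main__":
    for ls_id, issues in audit_listen_sockets(SAMPLE_SERVER_XML).items():
        print(ls_id, "OK" if not issues else "; ".join(issues))
```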