Sun Java System Web Server 6.1 SP11 Administrator's Guide

ProcedureTo select ciphers

To protect the security of your web server, enable SSL. Enable the SSL 2.0, SSL 3.0, and TLS encryption protocols, and select the various cipher suites. SSL and TLS can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager will set the security preferences for all virtual servers associated with that listen socket.

If you wish to have unsecured virtual servers, they must all be configured to the same listen socket with security turned off.

The default settings allow the most commonly used ciphers. You should allow them all unless you have a specific reason,why you do not want to use a particular cipher suite. For more information regarding specific ciphers, see Introduction to SSL.

Note –

You must have at least one certificate installed.

The default and recommended setting for the tlsrollback parameter is true. This configures the server to detect man-in-the-middle version rollback attack attempts. Setting this value to false might be required for interoperability with some clients that incorrectly implement the TLS specification.

If you set the tlsrollback parameter to false, the connections becomes vulnerable to version rollback attacks. Version rollback attacks are a mechanism by which a Third parties can force a client and server to communicate using an older, less secure protocol such as SSLv2. Because there are known deficiencies in the SSLv2 protocol, failing to detect version rollback attack attempts makes it easier for a third party to intercept and decrypt encrypted connections.

To enable SSL and TLS, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Preferences tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Click the Edit Listen Sockets link.

    The Edit Listen Sockets page appears. For a secure listen socket, the Edit Listen Socket page displays the available cipher settings.

    Note –

    If Security is not enabled on the listen socket, no SSL and TLS information is listed. To work with ciphers, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.

  3. Select the checkboxes corresponding to the required encryption settings.

    Note –

    Select both TLS and SSL3 for Netscape Navigator 6.0. For TLS Rollback also select TLS, and make sure both SSL3 and SSL2 are disabled.

  4. Click OK.

  5. From the Server Manager, click Apply, and then Restart for changes to take effect.

    Note –

    When you apply changes after turning on security for a listen socket, the magnus.conf file is automatically shows the newly activated security feature, and all virtual servers associated with the listen socket are automatically assigned the default security parameters.

    Once you enable SSL on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server have the following format:


    For example,

    If you use the default secure http port number (443), you don’t have to enter the port number in the URL.