Secure Sockets layer (SSL)

SSL provides security for your interactions by securing the TCP/IP connection between the IMS™ TM resource adapter and IMS Connect.
With the evolution of the Web and On-Demand Business, data security has become very important for Internet users. The Secure Sockets Layer (SSL) protocol ensures that the transfer of sensitive information over the Internet is secure. SSL protects information from:

One way in which the IMS TM resource adapter communicates with IMS Connect is through TCP/IP sockets. If the IMS TM resource adapter uses TCP/IP, SSL can be used to secure the TCP/IP communication between the two entities. The SSL support provided by IMS Connector for Java™, along with the support provided by IMS Connect, uses a combination of public and private keys along with symmetric key encryption schemes to achieve client and server authentication, data confidentiality, and integrity. SSL rests on top of TCP/IP communication protocol and allows an SSL-enabled server to authenticate itself to an SSL-enabled client and vice versa. For an SSL connection between the IMS TM resource adapter and IMS Connect, the IMS TM resource adapter is considered to be the client and IMS Connect is considered to be the server. Once authentication is complete, the server and client can establish an encrypted connection that also preserves the integrity of the data.

For SSL support when running in a WebSphere® environment, the IMS TM resource adapter uses the IBM® implementation of Java Secure Socket Extension (IBM JSSE). The SSL library is included in IBM's development environments such as Rational® Application Developer and WebSphere Integration Developer and in WebSphere Application Server.

SSL concepts

Certificate
A digital certificate is a digital document that validates the identity of the certificate's owner. A digital certificate contains information about the individual, such as their name, company, and public key. The certificate is signed with a digital signature by the Certificate Authority (CA), which is a trustworthy authority.
Certificate authority
A Certificate Authority (CA) is a trusted party that creates and issues digital certificates to users and systems. The CA, as a valid credential, establishes the foundation of trust in the certificates.
Certificate management
Certificates and private keys are stored in files called keystores. A keystore is a database of key material. Keystore information can be grouped into two categories: key entries and trusted certificate entries. The two entries can be stored in the same keystore or separately in a keystore and truststore for security purposes. Keystores and truststores are used by both the SSL client, the IMS TM resource adapter, and the SSL server, IMS Connect.
Keystore
A keystore holds key entries, such as the private key of the IMS TM resource adapter, and the SSL client.
Truststore
A truststore is a keystore that holds only certificates that the user trusts. An entry should be added to a truststore only if the user makes a decision to trust that entity. An example of an IMS TM resource adapter (client) truststore entry is the certificate of the target SSL server; IMS Connect.

For convenience, the IMS TM resource adapter allows the user to store key entries and trusted certificate entries in either the keystore or the truststore. However, the user may still choose to store them separately. The IMS TM resource adapter supports only X.509 certificates and the "JKS" keystore type on distributed platforms (which include zLinux) and the "JKS" keystore type or RACF® keyrings on OS/390® and z/OS®.

SSL process

The SSL protocol consists of server authentication, client authentication (optional but strongly recommended) followed by an encrypted conversation. The following scenario steps through the SSL process.

Server authentication

SSL server authentication allows a client to confirm a server's identity. SSL-enabled client software uses standard techniques of public-key cryptography to ensure that a server's certificate and public ID is valid and that the certificate and ID was issued from one of the client's list of trusted certificate authorities (CA).
Client authentication

SSL client authentication allows a server to confirm a client's identity. Using the same techniques used for server authentication, SSL-enabled server software verifies that a client's certificate and public ID is valid and that the certificate and ID was issued by one of the server's list of trusted certificate authorities (CA).
Null Encryption

Null encryption allows for authentication to take place during the SSL handshake. Once the SSL handshake has completed, all messages flow without being encrypted over that socket.
SSL handshake

Both the client, the IMS TM resource adapter, and the server, IMS Connect, store their certificates and private keys in keystores. The actual SSL session between the IMS TM resource adapter and IMS Connect is established by following a handshake sequence between client and server. The sequence will vary depending on whether the server is configured to just provide a server certificate, or to provide a server certificate and request a client certificate, and which cipher suites are available to be used. A cipher is an encryption algorithm. The SSL protocol determines how the client and server negotiate the cipher suite to be used, authenticate one another, transmit certificates, establish session keys and transmit messages. Some of the algorithms used in cipher suites include:
  • DES - Data Encryption Standard
  • DSA - Digital Signature Algorithm
  • KEA - Key Exchange Algorithm
  • MD5 - Message Digest algorithm
  • RC2 and RC4 - Rivest encryption ciphers
  • RSA - A public key algorithm for both encryption and authentication
  • RSA key exchange - A key-exchange for SSL based on the RSA algorithm
  • SHA-1 - Secure Hash Algorithm
  • SKIPJACK - A classified symmetric-key algorithm implemented in FORTEZZA-compliant hardware
  • Triple-DES - DES applied three times.

SSL 2.0 and SSL 3.0 protocols support overlapping sets of cipher suites. Administrators can enable or disable any of the supported cipher suites for both clients and servers. When a particular client and server exchange information during the SSL handshake, the client and server identify the strongest enabled cipher suites that they have in common and use one of them for the SSL session.

Transport Layer Security, Version 1 (TLS V1) is the successor to SSL 3.0 protocol. The IMS TM resource adapter only supports TLS V1. There are no backward compatibility issues.

Related concepts
IMS TM resource adapter security
Container-managed EIS signon
Component-managed EIS signon

Feedback