SSL provides security for your interactions by securing the TCP/IP
connection between the IMS™ TM resource adapter and IMS Connect.
With the evolution of the Web and On-Demand Business, data security has
become very important for Internet users. The Secure Sockets Layer (SSL) protocol
ensures that the transfer of sensitive information over the Internet is secure.
SSL protects information from:
- Internet eavesdropping
- Data theft
- Traffic analysis
- Data modification
- Trojan horse browser/server
One way in which the IMS TM resource adapter communicates with IMS Connect is
through TCP/IP sockets. If the IMS TM resource adapter uses TCP/IP, SSL
can be used to secure the TCP/IP communication between the two entities. The
SSL support provided by IMS Connector for Java™, along with the support provided by IMS Connect,
uses a combination of public and private keys along with symmetric key encryption
schemes to achieve client and server authentication, data confidentiality,
and integrity. SSL rests on top of TCP/IP communication protocol and allows
an SSL-enabled server to authenticate itself to an SSL-enabled client and
vice versa. For an SSL connection between the IMS TM resource adapter and IMS Connect, the IMS TM
resource adapter is considered to be the client and IMS Connect is considered to be the server.
Once authentication is complete, the server and client can establish an encrypted
connection that also preserves the integrity of the data.
For SSL support when running in a WebSphere® environment, the IMS TM resource
adapter uses the IBM® implementation of Java Secure Socket Extension (IBM JSSE). The
SSL library is included in IBM's development environments such as Rational® Application
Developer and WebSphere Integration
Developer and in WebSphere Application Server.
SSL concepts
- Certificate
- A digital certificate is a digital document that validates the identity
of the certificate's owner. A digital certificate contains information about
the individual, such as their name, company, and public key. The certificate
is signed with a digital signature by the Certificate Authority (CA), which
is a trustworthy authority.
- Certificate authority
- A Certificate Authority (CA) is a trusted party that creates and issues
digital certificates to users and systems. The CA, as a valid credential,
establishes the foundation of trust in the certificates.
- Certificate management
- Certificates and private keys are stored in files called keystores. A
keystore is a database of key material. Keystore information can be grouped
into two categories: key entries and trusted certificate entries. The two
entries can be stored in the same keystore or separately in a keystore and
truststore for security purposes. Keystores and truststores are used by both
the SSL client, the IMS TM resource adapter, and the SSL server, IMS Connect.
- Keystore
- A keystore holds key entries, such as the private key of the IMS TM resource
adapter, and the SSL client.
- Truststore
- A truststore is a keystore that holds only certificates that the user
trusts. An entry should be added to a truststore only if the user makes a
decision to trust that entity. An example of an IMS TM resource adapter (client) truststore
entry is the certificate of the target SSL server; IMS Connect.
For convenience, the IMS TM resource adapter allows the user to
store key entries and trusted certificate entries in either the keystore or
the truststore. However, the user may still choose to store them separately.
The IMS TM
resource adapter supports only X.509 certificates and the "JKS" keystore
type on distributed platforms (which include zLinux) and the "JKS" keystore
type or RACF® keyrings
on OS/390® and z/OS®.
SSL process
The SSL protocol consists of server
authentication, client authentication (optional but strongly recommended)
followed by an encrypted conversation. The following scenario steps through
the SSL process.
Server authentication
SSL server
authentication allows a client to confirm a server's identity. SSL-enabled
client software uses standard techniques of public-key cryptography to ensure
that a server's certificate and public ID is valid and that the certificate
and ID was issued from one of the client's list of trusted certificate authorities
(CA).
Client authentication
SSL client authentication
allows a server to confirm a client's identity. Using the same techniques
used for server authentication, SSL-enabled server software verifies that
a client's certificate and public ID is valid and that the certificate and
ID was issued by one of the server's list of trusted certificate authorities
(CA).
Null Encryption
Null encryption
allows for authentication to take place during the SSL handshake. Once the
SSL handshake has completed, all messages flow without being encrypted over
that socket.
SSL handshake
Both the client, the IMS TM
resource adapter, and the server, IMS Connect, store their certificates and
private keys in keystores. The actual SSL session between the IMS TM resource
adapter and IMS Connect
is established by following a handshake sequence between client and server.
The sequence will vary depending on whether the server is configured to just
provide a server certificate, or to provide a server certificate and request
a client certificate, and which cipher suites are available to be used. A
cipher is an encryption algorithm. The SSL protocol determines how the client
and server negotiate the cipher suite to be used, authenticate one another,
transmit certificates, establish session keys and transmit messages. Some
of the algorithms used in cipher suites include:
- DES - Data Encryption Standard
- DSA - Digital Signature Algorithm
- KEA - Key Exchange Algorithm
- MD5 - Message Digest algorithm
- RC2 and RC4 - Rivest encryption ciphers
- RSA - A public key algorithm for both encryption and authentication
- RSA key exchange - A key-exchange for SSL based on the RSA algorithm
- SHA-1 - Secure Hash Algorithm
- SKIPJACK - A classified symmetric-key algorithm implemented in FORTEZZA-compliant
hardware
- Triple-DES - DES applied three times.
SSL 2.0 and SSL 3.0 protocols support overlapping sets of cipher
suites. Administrators can enable or disable any of the supported cipher suites
for both clients and servers. When a particular client and server exchange
information during the SSL handshake, the client and server identify the strongest
enabled cipher suites that they have in common and use one of them for the
SSL session.
Transport Layer Security, Version 1 (TLS V1) is the successor
to SSL 3.0 protocol. The IMS TM resource adapter only supports
TLS V1. There are no backward compatibility issues.