Overview of secure socket layer (SSL)

With the evolution of e-business, data security has become very important for Internet users. The Secure Socket Layer (SSL) protocol ensures that the transfer of sensitive information over the Internet is secure. SSL protects information from:

One way IMS Connector for Java communicates with IMS Connect is through TCP/IP sockets. If IMS Connector for Java uses TCP/IP, SSL can be used to secure the TCP/IP communication between the two entities. The SSL support provided by IMS Connector for Java, along with the support provided by IMS Connect, uses a combination of public and private keys along with symmetric key encryption schemes to achieve client and server authentication, data confidentiality, and integrity. SSL rests on top of the TCP/IP communication protocol and allows an SSL-enabled server to authenticate itself to an SSL-enabled client and vice versa. For an SSL connection between IMS Connector for Java and IMS Connect, IMS Connector for Java is considered to be the client and IMS Connect is considered to be the server. Once authentication is complete, the server and client can establish an encrypted connection that also preserves the integrity of the data.

For SSL support when running in a WebSphere® environment, IMS Connector for Java uses the IBM® implementation of Java Secure Socket Extension (IBM JSSE). The SSL library is included in WebSphere Studio Application Developer Integration Edition and in WebSphere Application Server.

SSL concepts

Certificate

A digital certificate is a digital document that validates the identity of the certificate's owner. A digital certificate contains information about the individual, such as their name, company, and public key. The certificate is signed with a digital signature by the Certificate Authority (CA), which is a trustworthy authority.

Certificate authority

A Certificate Authority (CA) is a trusted party that creates and issues digital certificates to users and systems. Because the CA's own credential is trusted, the CA establishes the foundation of trust in the certificates it issues.

Certificate management

Certificates and private keys are stored in files called keystores. A keystore is a database of key material. Keystore information can be grouped into two categories: key entries and trusted certificate entries. The two kinds of entries can be stored in the same keystore or, for security purposes, separately in a keystore and a truststore. Keystores and truststores are used by both the SSL client, IMS Connector for Java, and the SSL server, IMS Connect.

Keystore

A keystore holds key entries, such as the private key of the user (for example, the client, IMS Connector for Java).

Truststore

A truststore is a keystore that holds only certificates that the user trusts. An entry should be added to a truststore only if the user makes a decision to trust that entity. An example of an IMS Connector for Java (client) truststore entry would be the certificate of the target server, IMS Connect.

For convenience, IMS Connector for Java allows the user to store key entries and trusted certificate entries in either the keystore or the truststore. The user may still choose to store them separately. IMS Connector for Java supports only X.509 certificates and the "JKS" keystore type on distributed platforms (which include zLinux) and the "JKS" keystore type or RACF keyrings on OS/390 and z/OS.
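The keystore and truststore separation described above, as it appears in JSSE client code. This is an added example, not code from IMS Connector for Java or from the IBM documentation: the file names client.jks and client-trust.jks, the password, the host name imsconnect.example.com and the port 9999 are assumed placeholders. Loading the truststore into a TrustManagerFactory is what makes the client perform server authentication during the handshake; the keystore supplies the client's own key entry, which is used only when the server requests client authentication.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ImsSslClient {

    // Load a JKS file from disk; used for both the keystore and the truststore.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext(String keystorePath, char[] keystorePass,
                                   String truststorePath, char[] truststorePass) throws Exception {
        // Keystore: the client's own key entry (private key + certificate), presented
        // only if the server asks for client authentication.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, keystorePass), keystorePass);

        // Truststore: only the certificates this client has decided to trust, e.g. the
        // IMS Connect server certificate or the CA that signed it. The trust manager
        // built from it performs server authentication during the handshake.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, truststorePass));

        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and passwords; replace with your own.
        SSLContext ctx = buildContext("client.jks", "changeit".toCharArray(),
                                      "client-trust.jks", "changeit".toCharArray());
        SSLSocketFactory factory = ctx.getSocketFactory();
        // Assumed host and port of the IMS Connect server.
        try (SSLSocket socket = (SSLSocket) factory.createSocket("imsconnect.example.com", 9999)) {
            socket.setEnabledProtocols(new String[] {"TLSv1"});

            // The trust manager checks that the server's chain leads to a truststore entry;
            // endpoint identification additionally checks that the certificate is for the
            // host we dialled (Java 7 or later).
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Server authentication happens here; an untrusted or mismatched certificate
            // ends the handshake with an SSLHandshakeException.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("Protocol:     " + session.getProtocol());
            System.out.println("Cipher suite: " + session.getCipherSuite());
            System.out.println("Server:       " + session.getPeerPrincipal().getName());
        }
    }
}
```

Using getDefaultAlgorithm() rather than a hard-coded provider name keeps the same code working on the IBM JSSE ("IbmX509") and on other JSSE implementations. Note that a trust manager alone verifies that the chain ends at a trusted entry, not that the certificate names the host you connected to; the endpoint identification setting above adds that check.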

SSL process

The SSL protocol consists of server authentication and client authentication (optional but strongly recommended), followed by an encrypted conversation. The following scenario steps through the SSL process.

Server authentication

SSL server authentication allows a client to confirm a server's identity. SSL-enabled client software uses standard techniques of public-key cryptography to ensure that a server's certificate and public ID are valid and that the certificate and ID were issued by one of the certificate authorities (CAs) on the client's list of trusted CAs.

Client authentication

SSL client authentication allows a server to confirm a client's identity. Using the same techniques used for server authentication, SSL-enabled server software verifies that a client's certificate and public ID are valid and that the certificate and ID were issued by one of the certificate authorities (CAs) on the server's list of trusted CAs.

SSL handshake

Both the client, IMS Connector for Java, and the server, IMS Connect, store their certificates and private keys in keystores. The actual SSL session between IMS Connector for Java and IMS Connect is established by following a handshake sequence between client and server. The sequence will vary depending on whether the server is configured to provide a server certificate or to request a client certificate, and which cipher suites are being used. A cipher is an encryption algorithm. The SSL protocol determines how the client and server negotiate the cipher suites to authenticate one another, to transmit certificates, and to establish session keys. Some of the algorithms used in cipher suites include:
  • DES - Data Encryption Standard
  • DSA - Digital Signature Algorithm
  • KEA - Key Exchange Algorithm
  • MD5 - Message Digest algorithm
  • RC2 and RC4 - Rivest encryption ciphers
  • RSA - A public key algorithm for both encryption and authentication
  • RSA key exchange - A key-exchange for SSL based on the RSA algorithm
  • SHA-1 - Secure Hash Algorithm
  • SKIPJACK - A classified symmetric-key algorithm implemented in FORTEZZA-compliant hardware
  • Triple-DES - DES applied three times.

SSL 2.0 and SSL 3.0 protocols support overlapping sets of cipher suites. Administrators can enable or disable any of the supported cipher suites for both clients and servers. When a particular client and server exchange information during the SSL handshake, the client and server identify the strongest enabled cipher suites that they have in common and use one of them for the SSL session.

Transport Layer Security, Version 1 (TLS V1) is the successor to the SSL 3.0 protocol. IMS Connector for Java only supports TLS V1. There are no backward compatibility issues.
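The server side of the handshake, as an added example that is not IBM's code. The negotiate helper models the rule above that the strongest cipher suite enabled on both sides is used: the client's list is assumed to be ordered strongest first, and a null result stands for the case where the handshake fails because there is no suite in common. configureServer shows the JSSE calls that restrict a server socket to TLS V1 and to an explicit suite list, and that make client authentication mandatory rather than optional. The suite lists are constructed for illustration from standard JSSE suite names, the port is assumed, and the key and trust material is taken from the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties through the default SSLContext.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public class ImsSslServerSide {

    // Constructed preference lists, strongest first, using standard JSSE suite names.
    static final String[] CLIENT_ENABLED = {
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",   // RSA key exchange, Triple-DES, SHA-1
        "SSL_RSA_WITH_RC4_128_SHA",        // RSA key exchange, RC4, SHA-1
        "SSL_RSA_WITH_DES_CBC_SHA"         // RSA key exchange, DES, SHA-1
    };
    static final String[] SERVER_ENABLED = {
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5"
    };

    // Models the negotiation rule: the first suite in the client's (strongest-first)
    // list that the server also enables is chosen. Returns null when the two sides
    // have no suite in common, which is when the real handshake fails.
    static String negotiate(String[] clientEnabled, String[] serverEnabled) {
        Set<String> server = new HashSet<>(Arrays.asList(serverEnabled));
        for (String suite : clientEnabled) {
            if (server.contains(suite)) {
                return suite;
            }
        }
        return null;
    }

    // Server-side configuration: TLS V1 only, an explicit suite list, and mandatory
    // client authentication so that a client without a trusted certificate is rejected.
    static void configureServer(SSLServerSocket server, String[] enabledSuites) {
        server.setEnabledProtocols(new String[] {"TLSv1"});
        server.setEnabledCipherSuites(enabledSuites);
        // setWantClientAuth(true) would only request a client certificate;
        // setNeedClientAuth(true) requires one and fails the handshake otherwise.
        server.setNeedClientAuth(true);
    }

    public static void main(String[] args) throws Exception {
        // With the constructed lists above this prints SSL_RSA_WITH_3DES_EDE_CBC_SHA.
        System.out.println("Negotiated: " + negotiate(CLIENT_ENABLED, SERVER_ENABLED));

        // The default context reads its keystore and truststore from the
        // javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties.
        SSLContext ctx = SSLContext.getDefault();
        int port = 9999; // assumed listening port
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            configureServer(server, SERVER_ENABLED);
            try (SSLSocket conn = (SSLSocket) server.accept()) {
                conn.startHandshake(); // client authentication happens here
                SSLSession session = conn.getSession();
                System.out.println("Cipher suite: " + session.getCipherSuite());
                System.out.println("Client:       " + session.getPeerPrincipal().getName());
            }
        }
    }
}
```

Restricting the enabled suites on the server is the administrative control the text describes: whatever the client offers, only suites in the server's enabled list can be selected, and a client whose enabled list does not overlap it cannot complete the handshake at all.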

(C) Copyright IBM Corporation 2000, 2005. All Rights Reserved.