With the evolution of e-business, data security has become very
important for Internet users. The Secure Socket Layer (SSL) protocol ensures
that the transfer of sensitive information over the Internet is secure.
SSL protects information from:
- Internet eavesdropping
- Data theft
- Traffic analysis
- Data modification
- Trojan horse browser /server
One way IMS Connector for Java communicates with IMS Connect is through
TCP/ IP sockets. If IMS Connector for Java uses TCP/ IP, SSL can be used to
secure the TCP/ IP communication between the two entities. The SSL support
provided by IMS Connector for Java, along with the support provided by IMS
Connect, uses a combination of public and private keys along with symmetric
key encryption schemes to achieve client and server authentication, data confidentiality,
and integrity. SSL rests on top of TCP/ IP communication protocol and allows
an SSL-enabled server to authenticate itself to an SSL-enabled client and
vice versa. Once authentication is complete, the server and client can establish
an encrypted connection that also preserves the integrity of the data.
For SSL support when running in a WebSphere® environment, IMS Connector
for Java uses the IBM® implementation of Java Secure Socket Extension (IBM JSSE).
This SSL library is included in WebSphere Studio Application Developer
Integration Edition, Rational Application Developer, and in WebSphere Application
Server.
SSL concepts
Certificate
A
digital certificate is a digital document that validates the identity of the
certificate's owner. A digital certificate contains information about the
individual, such as their name, company, and public key. The certificate is
signed with a digital signature by the Certificate Authority (CA), which is
a trustworthy authority.
Certificate authority
A
Certificate Authority (CA) is a trusted party that creates and issues digital
certificates to users and systems. The CA, as a valid credential, establishes
the foundation of trust in the certificates.
Certificate management
Certificates
and private keys are stored in files called keystores. A keystore is a database
of key material. Keystore information can be grouped into two categories:
key entries and trusted certificate entries. The two entries can be stored
separately for security purposes.
- Keystore
- A keystore holds key entries, such as the private key of the user, IMS
Connector for Java
- Truststore
- A truststore is a keystore that holds only certificates that the user
trusts. An entry should be added to a truststore only if the user makes a
decision to trust that entity. An example of a truststore entry would be the
certificate for the target IMS Connect.
For convenience, IMS Connector for Java allows the user
to store key entries and trusted certificate entries in either the keystore
or the truststore. The user may still choose to store them separately. IMS
Connector for Java supports only the keystore type "JKS" and X.509 certificates
on all supported platforms. On z/OS, IMS Connector for Java also supports
JCERACFKS (software encryption) and JCE4758RACFKS (hardware encryption) keystores
in RACF keyrings.
SSL process
The SSL protocol consists of server
authentication, client authentication (optional) followed by an encrypted
conversation. The following scenario steps through the SSL process.
Server
authentication
A customer, Alice, wants to send sensitive
information to her bank. She needs confirmation that the server to which she
is sending her personal information is really her bank. SSL-server authentication
allows a client to confirm a server's identity. SSL-enabled client software
uses standard techniques of public-key cryptography to ensure that a server's
certificate and public ID is valid and that the certificate and ID was issued
from one of the client's list of trusted certificate authorities (CA).
Client
authentication
Likewise, the bank needs confirmation that
it is really Alice who is sending information. SSL-client authentication allows
a server to confirm a client's identity. Using the same techniques used for
server authentication, SSL-enabled server software verifies that a client's
certificate and public ID is valid and that the certificate and ID was issued
by one of the server's list of trusted certificate authorities (CA).
SSL
handshake
Both Alice and the bank store their certificates
and private keys in keystores. The actual SSL session between Alice and the
bank is established by following a handshake sequence between client and server.
The sequence may vary depending on whether the server is configured to provide
a server certificate or to request a client certificate, and which cipher
suites are being used. A cipher is an encryption algorithm. The SSL protocol
determines how the client and server negotiate the cipher suites to authenticate
one another, to transmit certificates, and to establish session keys. Some
of the algorithms used in cipher suites include:
- DES - Data Encryption Standard
- DSA - Digital Signature Algorithm
- KEA - Key Exchange Algorithm
- MD5 - Message Digest algorithm
- RC2 and RC4 - Rivest encryption ciphers
- RSA - A public key algorithm for both encryption and authentication
- RSA key exchange - A key-exchange for SSL based on the RSA algorithm
- SHA-1 - Secure Hash Algorithm
- SKIPJACK - A classified symmetric-key algorithm implemented in FORTEZZA-compliant
hardware
- Triple-DES - DES applied three times.
SSL 2.0 and SSL 3.0 protocols support overlapping sets of cipher
suites. Administrators can enable or disable any of the supported cipher suites
for both clients and servers. When a particular client and server exchange
information during the SSL handshake, the client and server identify the strongest
enabled cipher suites that they have in common and use them for the SSL session.
Transport
Layer Security, Version 1 (TLS V1) is the successor to SSL 3.0 protocol. IMS
Connector for Java only supports TLS V1. There are no backward compatibility
issues.