Thursday 8 November 2012

SSL (SECURE SOCKETS LAYER)



----> It is a protocol that provides secure communication.

----> A protocol is a set of rules and regulations that is followed according to the instructions given by the client or end user. Examples of protocols:



 -----> 1) FTP (FILE TRANSFER PROTOCOL)

-----> 2) TCP/IP (TRANSMISSION CONTROL PROTOCOL / INTERNET PROTOCOL)



----> SSL establishes communication between the nodes over the network, along with data integrity and encryption.

----> Here HTTP is a standard protocol.

----> With HTTP we cannot secure our information: data cannot be kept secret while it is being sent from one place to another.

----> That is, HTTP does not use any security when sending data to the client or end user.

----> HTTP sends requests from the browser to the server.



SSL CONFIGURATION  :



STEP 1  :  Go to Tools ----> Options ----> Advanced Encryption ----> View Certificate ----> Click lock ----> More information ----> View Certificate

STEP 2  :  Take a domain name, for example the URL of any bank: www.ICICI Bank.com

     URL means Uniform Resource Locator.

STEP 3  :  Check the server to find its IP address and host name.

STEP 4  :  Give the IP address or host name with the proxy request or HTTP request.

STEP 5  :  Create SSL for the domain.

STEP 6  :  Generate a key for SSL. Generating a key or certificate takes 5 steps.




Q)  What does an SSL certificate contain?

A)  An SSL certificate may contain:



1) domain name 

2) company name 

3) address 

4) city

5) state and country. 



----> It will also contain the expiry date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. 



----> When a browser connects to a secure site it will retrieve the site's SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. 



----> If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.




SSL Handshake
--------------



Client                                                        Server

1. Client issues a secure request (https://test.com/index.jsp)
----------------------------------------------------------------->
2. Server sends its X.509 certificate containing the server's public key
<----------------------------------------------------------------
3. Client checks the server's certificate against its list of known CAs. (If the certificate is not trusted, the browser may give the option to accept the certificate at the user's risk.)
---------------------------------------------------------------------------------
4. Client generates a random symmetric key, encrypts it using the server's public key and sends it to the server.
---------------------------------------------------------------------------->
5. Client and server both know the symmetric key and encrypt the user data with it for the rest of the session
<-------------------------------------------------------------------------------->




(i)  Generate a Key

     a) Key Name
     b) Key Password
     c) Key Size
     d) Key Algorithm

     (These are stored in the JKS (Java KeyStore).)

-----> To generate a key we have to supply the following details:

1) CN (Common Name)            :  ICICI Bank.com
2) CO (Company Organisation)   :  Wipro
3) Location                    :  HYDERABAD
4) State                       :  AP
5) Country                     :  IN




(ii)  CSR (Certificate Signing Request)

    a) Generate Certificate Request
    b) Certificate Authorities (CA)
    c) Server CA.crt / pm ----> Stored in JKS
    d) Intermediate CA ----> Stored in JKS

(iii) Send the CSR to the CA

(iv)  Import into the JKS (get the certificates and import them into the key store)

(v)   List the key store





2 types of SSL



1) one way SSL (unlimited Clients)

2) two way SSL (Limited Clients)





Q) What do you do when the SSL certificate expires?

A) Go to var/was/App/JDK/bin ----> Ikeyman tool

1) First I will take a backup of the KeyStore (Sample certificate)

2) Then I will delete the original certificate

3) Next I will generate the keys

4) Afterwards I will import the new certificate

----> If the certificate is expiring, take a backup of that Sample certificate

EX : Sample.jks (backup)

----> After taking the backup, delete that Sample certificate
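
Added example (not part of the original post): the five key-generation steps (i)-(v) above and the backup/delete that precedes a renewal, done with the JDK's keytool command line instead of the Ikeyman GUI. The aliases, password, DN values, 2048-bit key size, file names and the throwaway local CA that stands in for the real Certificate Authority are all constructed assumptions.

```shell
#!/bin/sh
# Added example: JDK keytool equivalents of steps (i)-(v), plus the backup/delete
# done before renewal. Aliases, password, DN, key size and paths are constructed.
WORK=$(mktemp -d); PASS='Constructed-Pass1'
KS="$WORK/server.jks"; CA="$WORK/testca.jks"
kt() { keytool "$@" -storetype JKS -storepass "$PASS"; }

generate_key() {       # (i) key name (alias), password, size, algorithm, DN fields
  kt -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
     -dname "CN=www.example.test, O=Example Org, L=Hyderabad, ST=AP, C=IN" \
     -keypass "$PASS" -keystore "$KS"
}
make_csr() {           # (ii) certificate signing request for the key above
  kt -certreq -alias server -file "$WORK/server.csr" -keystore "$KS"
}
sign_with_test_ca() {  # (iii) stand-in for the real CA: a local test CA signs the CSR
  kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 -ext bc=ca:true \
     -dname "CN=Constructed Test CA" -keypass "$PASS" -keystore "$CA"
  kt -exportcert -alias ca -rfc -file "$WORK/ca.crt" -keystore "$CA"
  kt -gencert -alias ca -infile "$WORK/server.csr" -outfile "$WORK/server.crt" \
     -rfc -validity 90 -keystore "$CA"
}
import_certs() {       # (iv) signer (CA) certificate first, then the CA's reply
  kt -importcert -noprompt -alias rootca -file "$WORK/ca.crt" -keystore "$KS"
  kt -importcert -noprompt -alias server -file "$WORK/server.crt" -keystore "$KS"
}
list_keystore() {      # (v) entries with chain length, issuer and validity dates
  kt -list -v -keystore "$KS" |
    grep -E 'Alias name|Entry type|chain length|Issuer|Valid from'
}
renew_prepare() {      # renewal steps 1-2: back up the keystore, delete the old entry
  cp -p "$KS" "$KS.bak.$(date +%Y%m%d)"
  kt -delete -alias server -keystore "$KS"
  # renewal steps 3-4: run generate_key, make_csr, then import the CA's new reply
}
run_all() {
  generate_key && make_csr && sign_with_test_ca && import_certs && list_keystore
}

if command -v keytool >/dev/null 2>&1; then
  run_all
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

On a real server, leave out -storepass and -keypass so that keytool prompts for the password instead of exposing it in the process list, and send server.csr to your actual CA in place of sign_with_test_ca.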





SSL Enabling  :  Types of Configuring  and enabling SSL



1) APPSERVER TO CONSOLE

2) APPSERVER TO DMGR


3) APPSERVER TO DATABASE





Enabling SSL in the IBM HTTP Server configuration:

Procedure :

STEP  1   :  Navigate to the configuration folder in the installation directory for IBM HTTP Server. The default path is C:\Program Files\IBM\HTTPServer\conf.

STEP  2  : Open the httpd.conf file in a text editor.

STEP  3  :  Comment out the following line by adding the # symbol to the beginning of the line




Installing your Certificates on an IBM HTTP Server

    Storing a CA Certificate:

  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
  • Select Key Database File from the main User Interface, select Open.
  • In the Open dialog box, select your key database name. Click OK.
  • In the Password Prompt dialog box, enter your password and click OK.
  • Select Signer Certificates in the Key Database content frame, click the Add button.
  • In the Add CA Certificate from a File dialog box, select the certificate to add or use the Browse option to locate the certificate. Click OK.
  • In the Label dialog box, enter a label name and click OK.

To receive the CA-signed certificate into a key database:
  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
  • Select Key Database File from the main User Interface, select Open.
  • In the Open dialog box, select your key database name. Click OK.
  • In the Password Prompt dialog box, enter your password, click OK.
  • Select Personal Certificates in the Key Database content frame and then click the Receive button.
  • In the Receive Certificate from a File dialog box, select the certificate file. Click OK.

4 comments:

Unknown said...

Hi Kareem,

Can you help me how to redirect the HTTP --> HTTPS url automatically using Websphere Application server 7.X


Unknown said...

http to https redirection should be done in apache config file

Unknown said...

super sl topic
s

Nagendra Reddy said...

Here I came to know what SSL is. Thank you.
Regards,
Websphere Training,
Websphere Application server Training.
