Secure Socket Layer (SSL)

Web Ten incorporates version 3.0 of the Secure Socket Layer (SSL) protocol to encrypt Web server transmissions. The secure socket layer intercepts network calls from the server to encrypt the data before forwarding it to the network layer for transmission to the browser.

 

The Web server and the browser negotiate an encryption algorithm, or cipher, to be used for the session. A session "key" is securely communicated to the browser using public key cryptography. The session key is then used symmetrically, i.e., to both encrypt and decrypt the actual session data.

 

The first step in setting up SSL is obtaining a Certificate.

 

Server Certificates

The server certificate validates the identity of the server. Server certificates are signed by a trusted higher authority (the Certificate Authority, or "CA"), which vouches for the identity of the server.

 

In a typical commercial virtual host setup, each IP virtual host will have a unique server certificate.

 

Named virtual hosts (hosts that share an IP address) must share the certificate of the common IP host. By default, Web Ten associates a certificate issued to an IP virtual host with all configured named virtual hosts that share that IP address.

 

Obtaining a Server Certificate

In order to obtain a server certificate, a Certificate Signing Request (CSR) must be sent to the Certificate Authority, along with other proof of identity documents.

 

  • Fill out the SSL Settings form (see section SSL Settings) within the Web Ten Administration Server.

  • Submit the completed CSR to the Certificate Authority. Verisign Consulting (www.verisign.com) has an on-line CSR submission form at:

  • Cut and paste the CSR from the SSL Settings form into the CSR submission form.

 

Other documents validating the identity of the server must be mailed to the CA, along with a nominal service fee. These documents include:

  • Proof of the right to use the organization name, such as a copy of the company articles of incorporation, a "doing business as" registration, etc.

  • Proof of domain name registration (except for ".com").

  • A letter, printed on organization letterhead and signed by an authorized representative, requesting certification of the domain name.

 

Your official certificate will be digitally signed and e-mailed to you by the CA. Rename the certificate to "xx.xx.xx.xx.crt" (where xx.xx.xx.xx is the IP address of the virtual host for which the certificate was generated), and place the official certificate in the tenon/ssl/private folder. The official certificate replaces the temporary self-signed certificate that Web Ten generated for use prior to receipt of the official certificate.

 

SSL Settings

To generate an SSL certificate, click on the Certificate button beside the SSLSecurity entry in the Virtual Host Configuration table (see section SSLSecurity). The SSL Settings page (shown below in SSL Cipher Restrictions) is a form for generating a Certificate Signing Request (CSR).

[Figure: SSL Cipher Restrictions]

Common Name

The Common Name is the domain name of the Web server or of an IP-based virtual host. This must be a fully qualified domain name, not an IP address or a DNS alias.

 

Organization Name

The Organization Name is the legal organization name.

 

Organizational Unit

The Organizational Unit is the department name or the name of a unit within an organization. This field is optional.

 

Locality

The Locality is the name of the city in which the organization resides. This field is optional.

 

State or Province

The State or Province is the name of the state or province in which the organization resides.

 

Country Code

The Country Code is a two-character country code for the country in which the organization resides. Use "US" for the U.S.A.

 

Email Address

The Email Address is the email address of a contact or representative within this organization.

 

Generating a CSR

To generate a Certificate Signing Request (CSR), save the SSL Settings via the Save CSR button. This action has several effects.

If a private key for this virtual host does not exist, such a key is created and saved in a secure area in Web Ten's internal file system.

The actual Certificate Signing Request information is displayed in the Web Ten Administration Server (see Certificate Signing Request Information). This CSR is a PEM-encoded document which may be emailed to the CA, or it can be copied and pasted into an on-line certificate request form. This CSR is also saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.csr (where xx.xx.xx.xx is the IP address of the virtual host for which the CSR was generated).
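The SSL Settings fields above are what end up in the subject of the CSR. The following added example (not WebTen's own code) checks a form against the rules this page states for those fields (Common Name must be a fully qualified domain name, not an IP address; Country Code is two letters; Locality and Organizational Unit are optional) and assembles the subject in OpenSSL's one-line form; the field keys and the attribute mapping are this example's own assumptions.

```python
import ipaddress
import re

# SSL Settings form fields (this page) paired with the X.509 attribute
# short names used in a CSR subject, in the order OpenSSL prints them.
# The field keys and this mapping are the example's own choice.
FIELDS = (
    ("country_code", "C"), ("state_or_province", "ST"), ("locality", "L"),
    ("organization_name", "O"), ("organizational_unit", "OU"),
    ("common_name", "CN"), ("email_address", "emailAddress"),
)
# Locality and Organizational Unit are optional on the form; the rest are not.
REQUIRED = ("common_name", "organization_name", "state_or_province",
            "country_code", "email_address")
# Fully qualified host name: dotted labels ending in a letters-only top level.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def validate_ssl_settings(form: dict) -> list:
    """Return the problems found in the form; an empty list means acceptable.
    Whether the Common Name is a DNS alias rather than the host's real name
    cannot be decided offline, so that rule is not checked here."""
    errors = []
    for name in REQUIRED:
        if not form.get(name, "").strip():
            errors.append(f"{name} is required")
    cn = form.get("common_name", "").strip()
    if cn:
        try:
            ipaddress.ip_address(cn)
            errors.append("common_name must be a domain name, not an IP address")
        except ValueError:
            if not FQDN_RE.match(cn):
                errors.append("common_name must be a fully qualified domain name")
    cc = form.get("country_code", "").strip()
    if cc and not (len(cc) == 2 and cc.isalpha() and cc.isupper()):
        errors.append("country_code must be a two-letter code such as US")
    return errors

def subject_line(form: dict) -> str:
    """Build the subject in OpenSSL's one-line form (/C=US/ST=.../CN=...),
    escaping the characters that would otherwise split the fields."""
    parts = []
    for name, short in FIELDS:
        value = form.get(name, "").strip()
        if value:
            value = value.replace("\\", "\\\\").replace("/", "\\/")
            parts.append(f"{short}={value}")
    return "/" + "/".join(parts)
```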

[Figure: Certificate Signing Request Information]

A temporary, self-signed certificate (for use while your CSR is being processed by the certificate authority) is created and saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.crt (where xx.xx.xx.xx is the IP address of the virtual host for which the certificate was generated). This file should be replaced by the real certificate when one is returned from the Certificate Authority.

 

The self-signed certificate will allow your virtual server to perform secure transactions while your official certificate is being processed.


Browsers will question the validity of any server certificate signed by an authority of which they have no knowledge. The temporary, self-signed certificates should in no way be construed as proof of the virtual host's identity to your browser clients.

 

Enabling SSL

Once you have a certificate (even a Tenon-generated temporary one), you will be able to create a secure virtual host by toggling SSL Security "On" in the Virtual Host Configuration table. When SSL is activated for a virtual host, a red SSL designation appears to the right of the host name in the Virtual Hosts Table (see Enabling SSL).

[Figure: Enabling SSL]

Ciphers

While the SSL 3.0 standard defines how encryption is applied to Web server-browser interactions, the actual encryption itself is performed by the negotiated cipher. Some common ciphers supported by Web Ten are shown in the following table:

Cipher               Description
RC2 and RC4          Block (RC2) and stream (RC4) ciphers using 128-bit keys, developed by and licensed from RSA Data Security, providing a very high level of security.
DES                  A well-proven, 168-bit triple-encryption cipher (Triple DES).
Export RC2 and RC4   Identical to the 128-bit versions, except these ciphers use 40-bit keys.

SSL Cipher Restrictions

Clicking on the Folder Contents of a secure virtual host in the Virtual Host Configuration table will let you stipulate various cipher restrictions for that virtual host.

 

SSL Cipher Restrictions control whether access to folders or files is allowed or denied based on the encryption level negotiated between server and browser when an SSL connection is established (see SSL Cipher Restrictions). These controls are only accessible when SSLSecurity (see section SSLSecurity) is enabled for a particular virtual host. The SSL cipher restrictions are not shown if SSLSecurity is not enabled. Access control checks by SSL cipher are made in addition to any other host or realm-based access controls.

 

SSL cipher restrictions contain two lists of check boxes for each cipher in the cipher suites. If any checkbox is checked, that cipher is banned or required as indicated by the particular category.

[Figure: SSL Cipher Restrictions]

Ban Cipher

If the cipher currently in force on the SSL connection is checked in this list, access to the file or folder is not permitted.

 

Require Cipher

If the cipher currently in force on the SSL connection has not been banned and is checked in this list, access to the file or folder is permitted. Ciphers not checked in this list are automatically denied access. However, if no ciphers are required, access is permitted subject only to the SSLBanCipher list.
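The Ban Cipher and Require Cipher rules above combine in a fixed order (ban first, then require, and an empty Require list means only the Ban list applies). The following added example, which is not WebTen's own code, models that decision for one folder so a restriction set can be reviewed before it is switched on; the cipher labels are constructed stand-ins for the table on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CipherRestrictions:
    """The two check-box lists on the SSL Cipher Restrictions form for one
    folder or file: ciphers that are banned and ciphers that are required."""
    ban: frozenset = frozenset()
    require: frozenset = frozenset()

def cipher_allows_access(negotiated: str, rules: CipherRestrictions) -> bool:
    """Apply the Ban Cipher / Require Cipher rules to the cipher in force.

    A banned cipher is always denied, even if it also appears in the Require
    list.  If any cipher is required, only the required ciphers (less any
    banned ones) are permitted.  If nothing is required, access is permitted
    subject only to the Ban list.
    """
    if negotiated in rules.ban:
        return False
    if rules.require:
        return negotiated in rules.require
    return True

def access_permitted(negotiated: str, rules: CipherRestrictions,
                     other_controls_pass: bool) -> bool:
    """Cipher checks are made in addition to host and realm access controls,
    so every layer must allow the request."""
    return other_controls_pass and cipher_allows_access(negotiated, rules)

def permitted_ciphers(rules: CipherRestrictions, suite) -> list:
    """List, in suite order, the ciphers that would pass for this folder."""
    return [c for c in suite if cipher_allows_access(c, rules)]

# Constructed labels standing in for the cipher table on this page.
CIPHER_SUITE = ("RC4-128", "RC2-128", "DES3-168", "EXPORT-RC4-40", "EXPORT-RC2-40")

if __name__ == "__main__":
    # Example policy: no export-grade ciphers, and only the strong ones pass.
    strong_only = CipherRestrictions(
        ban=frozenset({"EXPORT-RC4-40", "EXPORT-RC2-40"}),
        require=frozenset({"RC4-128", "DES3-168"}),
    )
    for cipher in CIPHER_SUITE:
        verdict = "allow" if cipher_allows_access(cipher, strong_only) else "deny"
        print(f"{cipher:14} -> {verdict}")
```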

 

Using Web Ten with Multiple Certificates

Every SSL connection requires a unique IP address. Because WebTen supports IP-based virtual hosting, you can easily set up multiple secure virtual hosts. Each secure virtual host will need its own Certificate. Follow the steps in this chapter to set up subsequent SSL hosts.

 

Self-Signed Certificates

If WebTen is on an intranet and is not visible to the Internet at large, it can take advantage of SSL without having its certificate signed by a CA (Certificate Authority, such as Verisign). To create your certificate, follow the directions in Section 11 of this document. That will yield a certificate signed by WebTen. While this is not a certificate signed by a CA, it will allow SSL-encrypted transactions from your WebTen server. Some browsers will complain that the certificate is not signed by a valid authority (CA), but certificates for internal or intranet use only do not need to be validated by any CA (such as Verisign).

 

Safeguarding SSL Keys and Certificates


Each SSL Certificate works in conjunction with the SSL Key file that was produced during the creation of the Certificate Signing Request. SSL Certificates do not stand alone. They require the SSL Key file to perform encryption. SSL Certificates will only work with the corresponding SSL Key file that was used to produce the actual Certificate Signing Request.

 

The SSL Key file is your private key that ensures that no one can replicate or assume your site's identity on the Web. If the SSL Key file is compromised, the inherent security of your SSL Certificate is lost. If the SSL Key file is lost, the SSL Certificate is useless and a new certificate will have to be issued.

 

As you can see, it is important to preserve a copy of your SSL Key file and to protect it against theft. In WebTen, the SSL Key file is tightly protected against unauthorized access (for example, rogue Apple or Unix CGIs cannot read the SSL Key file). The following steps provide a means to export an SSL Key file in order to make a backup copy of it. Once an SSL Key file is exported, it should be copied to a floppy disk (or other removable media) and the exported copy should be removed from the WebTen system. The original SSL Key file is not deleted when it is exported; it is still available for normal SSL operations, and it is still protected against unauthorized access.

 

Exporting SSL Files

SSL Key and SSL Certificate files may be exported from a WebTen system using a special CGI named sslcerts.cgi. For security reasons, this CGI is not installed by default in a WebTen system. It must be installed and executed using the export option on the existing WebTen system prior to upgrading to the new version of WebTen. It then must be installed and executed using the import option on the new WebTen system after that system has been installed. Once the SSL Key and SSL Certificate files have been imported into the upgraded system, sslcerts.cgi should be de-installed from that system.

 

Exporting the SSL Key and SSL Certificate files does not remove the files it exports, but copies these files to the destination folder.


To export the SSL Key and SSL Certificate files from an existing WebTen system:

 

  • Copy sslcerts.cgi (from the Utilities folder on the WebTen CD or from the support folder in the WebTen distribution) into the cgi-bin folder. If your existing version of WebTen has a support folder, copy sslcerts.cgi into the cgi-bin folder within the support folder. Otherwise, copy sslcerts.cgi into the active cgi-bin folder.

 

  • Execute sslcerts.cgi. If you put sslcerts.cgi in the /support/cgi-bin folder, use a URL like the following to execute this CGI. You must substitute your own host and domain names and replace the IP address "10.0.0.1" with your own IP address. When executing this CGI in this way, you will be required to provide your WebTen administrator's password. Note that the protocol is https as the server is operating with SSL security on.

<https://host.domain/webten_support/cgi-bin/sslcerts.cgi?10.0.0.1+export>

 

  • If you put sslcerts.cgi in the /cgi-bin folder, use a URL like the following to execute this CGI. You must substitute your own host and domain names and replace the IP address "10.0.0.1" with your own IP address. When executing this CGI in this way, you will not be required to provide your WebTen administrator's password.

 

<https://host.domain/cgi-bin/sslcerts.cgi?10.0.0.1+export>

 

  • The exported SSL Key and SSL Certificate files will be placed in a folder within the /tenon folder. This folder will be named after the IP address that you provided in the URL above. For example, if the IP address was "10.0.0.1", the folder will be named 10.0.0.1.ssl. Save this folder for subsequent importing into the newer version of WebTen.

 

  • Remove the sslcerts.cgi from the cgi-bin folder.


Importing SSL Files

To import the SSL Key and SSL Certificate files from a previous version of WebTen:

 

  • Copy the folder containing the SSL Key and SSL Certificate files exported from the previous version of WebTen to the /tenon folder on the new WebTen installation. Be sure to copy the entire folder (for example, the 10.0.0.1.ssl folder, not just the contents of this folder).

 

  • Copy sslcerts.cgi (from the Utilities folder on the WebTen CD or from the support folder in the WebTen distribution) into the cgi-bin folder within the support folder.

 

  • Execute sslcerts.cgi using a URL like the following. You must substitute your own host and domain names and replace the IP address "10.0.0.1" with your own IP address. When executing this CGI in this way, you will be required to provide your WebTen administrator's password.

 

<http://host.domain/webten_support/cgi-bin/sslcerts.cgi?10.0.0.1+import>

 

  • The imported SSL Key and SSL Certificate files will be placed into their respective places within the WebTen distribution.

 

  • Remove sslcerts.cgi from the /support/cgi-bin folder.

 

  • Remove the folder containing the SSL Key and SSL Certificate files (for example, the 10.0.0.1.ssl folder) from the WebTen system. You may choose to save these files in a safe place (preferably not on the WebTen system) for subsequent upgrading or for backups of your SSL Key and SSL Certificate files.
