Secure Socket Layer SSL and Tomcat - PowerPoint PPT Presentation

About This Presentation
Title:

Secure Socket Layer SSL and Tomcat

Slides: 41
Provided by: Stephens

Transcript and Presenter's Notes

Title: Secure Socket Layer SSL and Tomcat


1
Secure Socket Layer (SSL) and Tomcat

2
What is SSL
  • SSL stands for Secure Socket Layer.
  • Secure Socket Layer (SSL) technology allows web
    browsers and web servers to communicate over a
    secure connection

3
Secure Socket Layer (SSL)
  • Originally developed by Netscape, SSL has been
    universally accepted on the World Wide Web for
    authenticated and encrypted communication between
    clients and servers.
  • Responsible for the emergence of e-commerce and
    other security-sensitive services on the web

4
The SSL Protocol
  • The SSL protocol runs above TCP/IP and below
    higher-level protocols such as HTTP or IMAP

5
Why SSL
  • SSL addresses the following important security
    considerations.
  • Authentication: During the initial attempt to
    communicate with a web server over a secure
    connection, that server will present your web
    browser with a set of credentials in the form of
    a server certificate. The purpose of the
    certificate is to verify that the site is who and
    what it claims to be.
  • Confidentiality: When data is being passed
    between the client and the server on a network,
    third parties can view and intercept this data.
    SSL responses are encrypted so that the data
    cannot be deciphered by the third party and the
    data remains confidential.
  • Integrity: When data is being passed between the
    client and the server on a network, third parties
    can view and intercept this data. SSL helps
    guarantee that the data will not be modified in
    transit by that third party.

6
What SSL Provides
  • Confidentiality (Privacy)
  • Data integrity (Tamper-proofing)
  • Server authentication

7
SSL KEY EXCHANGE STEPS
  • SSL client connects to an SSL server
  • Server then sends its own certificate that
    contains its public key
  • Client then creates a random key (premaster key)
    and uses the server's public key to encrypt it

8
SSL KEY EXCHANGE STEPS (ctd ..)
  • Client then sends encrypted premaster key to the
    server
  • Server then decrypts it and uses decrypted
    premaster key to create secret session key
  • Now both client and server use the secret session
    key for further communication
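
The key exchange steps from the two slides above, carried through in Java as an added example (not code from the original presentation). The class name, the HMAC-based key derivation, OAEP padding and AES-GCM are assumptions made for illustration; SSL itself wraps the premaster key with PKCS#1 v1.5 padding and derives its keys with its own pseudo-random function.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyExchangeDemo {
    // Simplified stand-in for the SSL key derivation (assumption for this demo):
    // HMAC-SHA256 keyed with the premaster key, truncated to a 128-bit AES key.
    static SecretKeySpec sessionKey(byte[] premaster) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(premaster, "HmacSHA256"));
        byte[] okm = mac.doFinal("session key".getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(okm, 0, 16, "AES");
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        // Server: key pair whose public half travels in the server certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Client: create a random premaster key, encrypt it with the server's public key.
        byte[] premaster = new byte[48];
        rng.nextBytes(premaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] wire = rsa.doFinal(premaster); // the only form sent over the network

        // Server: decrypt the premaster key with the private key.
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] recovered = rsa.doFinal(wire);

        // Both sides derive the same session key and use it for further traffic.
        SecretKeySpec clientKey = sessionKey(premaster);
        SecretKeySpec serverKey = sessionKey(recovered);
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, clientKey, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal("GET /account".getBytes(StandardCharsets.UTF_8));
        aes.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ct), StandardCharsets.UTF_8));
        System.out.println("keys match: " + Arrays.equals(clientKey.getEncoded(), serverKey.getEncoded()));
    }
}
```

Because the premaster key is protected only by the server's RSA key, anyone who later obtains that private key can decrypt recorded sessions; TLS 1.3 removed this RSA key transport in favour of ephemeral Diffie-Hellman.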

9
SSL and Authentication
  • Server Authentication
  • Server needs to provide its own certificate
    to a client in order to authenticate itself to
    the client
  • A Web server typically has a CA-signed
    certificate and it provides it to its clients
  • Client Authentication
  • Client needs to provide its own certificate
    to a server in order to authenticate itself to
    the server
  • Mutual Authentication
10
SSL and Web-tier Security
  • Encrypted password moves from the browser
    to the web server
  • Encrypted data moves between the browser
    and the web server
  • Server authentication
  • Done before encrypted data transfer
    occurs
  • Client Authentication
  • Not used in most cases

11
What is a Certificate (Ctd..)
  • A certificate is cryptographically signed and is
    practically impossible for anyone else to forge
  • A certificate can be purchased from (signed by)
    a well-known CA (Certificate Authority) like
    Verisign

12
What is Server Certificate?
  • A server certificate is a container that
    contains server's public key and other
    miscellaneous information
  • Web server must have an associated certificate
    for each external interface, or IP address, that
    accepts secure connections. This provides some
    kind of reasonable assurance that its owner is
    who you think it is

13
Why Server Certificate is Needed?
  • Server Certificate enables Server Authentication
  • Server sends server certificate as part of SSL
    key handshake
  • HTTPS service of Tomcat would not work unless a
    server certificate is installed
  • Verifies the server's identity to the client,
    before receiving any sensitive information

14
Creating a Server Certificate (ctd)
  • To create a server certificate follow these
    steps
  • 1) Create the keystore.
  • 2) Export the certificate from the keystore.
  • 3) Sign the certificate.
  • 4) Import the certificate into a trust-store,
    a repository of certificates used for verifying
    the certificates. A trust-store typically
    contains more than one certificate

15
Generate the server certificate
  • To generate the certificate, run the keytool
    utility as follows
  • <JAVA_HOME>\bin\keytool -genkey -keyalg RSA
    -alias tomcat -keystore localhost.jks
  • When you press Enter, keytool prompts you to
    enter the server name, organizational unit,
    organization, locality, state, and country code

16
Generate the server certificate (Ctd)
  • Screen Display

17
Export the certificate from the keystore.
  • Export the generated server certificate in
    keystore.jks into the file server.cer.
  • <JAVA_HOME>\bin\keytool -export -alias tomcat
    -storepass changeit -file server.cer
    -keystore localhost.jks

18
Export the certificate from the keystore (Ctd..)
  • Screen Display

19
Signing Digital Certificates
  • After a digital certificate is created, it is
    signed by its owner. After the digital
    certificate has been cryptographically signed by
    its owner, it is difficult for anyone else to
    forge.
  • For sites involved in e-commerce or any other
    business transaction in which authentication of
    identity is important, a certificate can be
    purchased from a well-known certificate authority
    such as VeriSign or Thawte.
  • If authentication is not really a concern, use
    the self-signed certificate

20
Importing certificate into trust-store
  • To create the trust-store file cacerts.jks and
    add the server certificate to the trust-store,
    run keytool with following parameters
  • <JAVA_HOME>\bin\keytool -import -v
    -trustcacerts -alias server-alias -file
    server.cer -keystore cacerts.jks -keypass
    changeit -storepass changeit

21
Importing certificate into trust-store
  • Information on the certificate, such as that
    shown next, will display

22
Programming with JSSE
  • The Java Secure Socket Extension (JSSE) provides
    a framework and a Java implementation of the SSL
    and TLS protocols
  • It provides mechanisms for data encryption,
    server authentication, message integrity, and
    optional client authentication.
  • The JSSE APIs supplement the java.security and
    java.net packages by providing extended
    networking socket classes, trust and key
    managers, and a socket factory framework for
    encapsulating socket creation behavior. These
    classes are included in the packages javax.net
    and javax.net.ssl.

23
Programming with JSSE (Ctd.)
  • SSLSocket and SSLServerSocket
  • The javax.net.ssl.SSLSocket is a subclass of the
    java.net.Socket class. Therefore, it supports all
    the standard Socket methods and adds additional
    methods specific to secure sockets. The
    javax.net.ssl.SSLServerSocket class is analogous
    to the SSLSocket class except that it is used to
    create server sockets.
  • Creating an instance of SSLSocket can be
    done in two ways
  • 1. From an instance of SSLSocketFactory, by
    invoking one of the createSocket methods on
    that class
  • 2. Through the accept method on the
    SSLServerSocket

24
Programming with JSSE (Ctd..)
  • SSLSocketFactory and SSLServerSocketFactory
  • The javax.net.ssl.SSLSocketFactory class is an
    object factory for creating secure sockets, and
    the javax.net.ssl.SSLServerSocketFactory is an
    object factory for creating server sockets.
  • An SSLSocketFactory instance can be obtained
    in two ways
  • 1. Get the default factory by calling
    SSLSocketFactory.getDefault().
  • 2. Construct a new factory with specified
    configured behavior

25
Making Existing Client/Server Applications Secure
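  • Incorporating SSL into existing
    client/server applications to make them secure
    can be easily done using a few lines of JSSE
    code. The lines highlighted in bold in the
    following example show the code necessary to make
    a server secure

    import java.io.*;
    import javax.net.ssl.*;

    public class Server {
        public static void main(String[] args) {
            int port = Integer.parseInt(args[0]); // portNumber, passed on the command line
            // The default factory reads the server key from the keystore named by the
            // javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties.
            SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
                 SSLSocket client = (SSLSocket) server.accept()) {
                // Create input and output streams as usual
                InputStream in = client.getInputStream();
                OutputStream out = client.getOutputStream();
                // send secure messages to client through the output stream
                // receive secure messages from client through the input stream
            } catch (Exception e) {
                e.printStackTrace(); // report the failure instead of swallowing it
            }
        }
    }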

26
Making Existing Client/Server Applications Secure
  • The lines highlighted in bold in the following
    example show the code necessary to make a client
    secure

    import java.io.*;
    import javax.net.ssl.*;

    public class Client {
        public static void main(String[] args) {
            String serverHost = args[0];          // server name, passed on the command line
            int port = Integer.parseInt(args[1]); // server port
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket client = (SSLSocket) factory.createSocket(serverHost, port)) {
                // Create input and output streams as usual
                OutputStream out = client.getOutputStream();
                InputStream in = client.getInputStream();
                // send secure messages to server through the output stream
                // receive secure messages from server through the input stream
            } catch (Exception e) {
                e.printStackTrace(); // report the failure instead of swallowing it
            }
        }
    }

27
SSL Support in Tomcat
  • To implement SSL on Tomcat you need the
    following installed
  • JSSE (Java Secure Socket Extension)
    package installed
  • Server certificate keystore
  • An HTTPS connector

28
Configure SSL Connector
  • After the server certificate is generated using
    keytool as shown above, Tomcat needs to be
    configured for SSL
  • By default, an SSL HTTPS Connector is not enabled
    in Tomcat.
  • The SSL HTTPS Connector on port 8443 can be enabled
    and configured in one of two ways
  • via Admintool
  • Modify server.xml
  • Restart Tomcat

29
Verify SSL Support
  • The next step is verifying if SSL is configured
    correctly. For testing purposes, and to verify
    that SSL support has been correctly installed on
    Tomcat, load the default Tomcat introduction
    page with the following URL
  • https://localhost:8443/
  • The https in this URL indicates that the browser
    should be using the SSL protocol. The port of
    8443 is where the SSL Connector was configured
    in the previous step
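
One way to run the same check from code instead of a browser, as an added example that is not part of the original presentation: a JSSE client that trusts only the certificates in cacerts.jks and reports what the Tomcat connector negotiated. It assumes the trust store and the changeit password from the import step, a connector listening on localhost:8443, and that localhost was entered as the server name when the certificate was generated; the class name VerifyTomcatSsl is made up for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class VerifyTomcatSsl {
    public static void main(String[] args) throws Exception {
        // Trust store and password from the keytool -import step on this page.
        char[] storePass = "changeit".toCharArray();
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("cacerts.jks")) {
            trustStore.load(in, storePass);
        }

        // Trust only the certificates in cacerts.jks, not the JRE's default CA set.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket socket =
                 (SSLSocket) ctx.getSocketFactory().createSocket("localhost", 8443)) {
            // A plain SSLSocket validates the certificate chain but not the host
            // name; enable the HTTPS endpoint check explicitly.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // throws SSLHandshakeException if the server is not trusted
            X509Certificate cert =
                (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Protocol:     " + socket.getSession().getProtocol());
            System.out.println("Cipher suite: " + socket.getSession().getCipherSuite());
            System.out.println("Subject:      " + cert.getSubjectX500Principal());
            System.out.println("Issuer:       " + cert.getIssuerX500Principal());
            System.out.println("Valid until:  " + cert.getNotAfter());
        }
    }
}
```

For the self-signed certificate generated earlier, Subject and Issuer print the same name; a handshake failure here means the connector is presenting a certificate that was never imported into cacerts.jks.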

30
Verify SSL Support
  • Screen Display

31
Verify SSL Support
  • Screen Display of Certificate

32
Tips on running SSL
  • The SSL protocol is designed to be as efficient
    as securely possible. However, encryption and
    decryption are computationally expensive
    processes from a performance standpoint.
  • It is not necessary to run an entire web
    application over SSL. Pages that might require a
    secure connection include login pages, personal
    information pages, shopping cart checkouts, or
    any pages where credit card information could
    possibly be transmitted

33
SSL Drawbacks
  • The problems associated with SSL are:
  • It prevents caching.
  • Using SSL imposes greater overheads on the server
    and the client.
  • Some firewalls and/or web proxies may not allow
    SSL traffic.
  • There is a financial cost associated with gaining
    a Certificate for the server/subject device

34
Common Security Problems
  • Unvalidated Parameters.
  • Information from a web request is not validated
    before being used by a web application. Attackers
    can use these flaws to attack backend components
    through a web application.

35
Common Security Problems
  • Broken Access Control
  • Restrictions on what authenticated users are
    allowed to do are not properly enforced.
  • Attackers can exploit these flaws to access other
    users' accounts, view sensitive files, or use
    unauthorized functions.

36
Common Security Problems
  • Broken Account and Session Management.
  • Cross-Site Scripting Flaws
  • The web application can be used as a mechanism to
    transport an attack to an end user's browser.

37
Common Security Problems
  • Buffer Overflows
  • Web application components in some languages that
    do not properly validate input can be crashed
    and, in some cases, used to take control of a
    process.
  • These components can include CGI, libraries,
    drivers and web application server components.

38
Common Security Problems
  • Error Handling Problems
  • Error conditions that occur during normal
    operation are not handled properly.
  • If an attacker can cause errors to occur that the
    web application does not handle, they can gain
    detailed system information, deny service, cause
    security mechanisms to fail, or crash the server.

39
Common Security Problems
  • Remote Administration Flaws
  • Many web applications allow administrators to
    access the site using a web interface.
  • If these administrative functions are not very
    carefully protected, an attacker can gain full
    access to all aspects of a site.

40
Using a Firewall
  • A firewall can be software, hardware or a
    combination of both.
  • There are different types: proxy servers, packet
    filters.
  • Firewalls play a key role in protecting Tomcat.