Hi All,
After server months of development we are ready to implement security part
of the system and are very confused on how to go about it and hopefully
someone in this mailing list has tackled this issue successfully.
...
Our systems are:
Linux Red Hat 6.2
Apache 1.12.? - Compiled/Built in our environment
Tomcat 3.2.1 - Compiled/Built in our environment
JDK 1.2.2
Oracle 8.1.6
As far as we understand you can apply SSL at:
1) OS level with a product like OpenSSL
2) Application Level with Sun's JSSE 1.0.2
Our main concern is performance, then portability of code between different
systems.
Performance
Do you get better system performance by applying SSL at the OS or at an
application layer ?
I would think at the OS level as the Security Software will be written in a
language like C making it very fast as it will be native to the process used
the target machine.
Code
IF you decided to use JSSE 1.0.2 implementation of SSL what impact will it
have when you port your code to a system that implements SSL at the OS level
?
If SSL Code is introduced correctly into the Framework then the impact will
be minimal between system implementations as it only should involve rippling
out a base class.
As mentioned performance is a very important issue and having several layers
of security from the firewall against the web server to the firewall against
the database to security sitting at the socket level encrypting and
decrypting everything that comes in its path not to mention getting Java to
do its magic through the interpreted bytecode!
At this stage in our development cycle we have a very superficial
understanding of the impact and possible solutions when it comes to
successfully implementing security and welcome any advise in this area.
Regards,
George
----- Original Message -----
From: "John Golubenko" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 06, 2001 3:14 AM
Subject: RE: SSL Help
> Hello,
>
> I have configured with OpenSSL (to Tomcat directly), made a key, etc. Now
> I can have a secure connections to my server, but browsers complains that
> my
> certificate isn't good, not signed, not knows, etc. Seems that browsers
> have to problems with Verisign or RSA (?) certificates, which cost
> 600-1000 dollars
> per each one. I'm don't have those kind of money to spend. So, how do I
> get my certificate, so the browser wouldn't ask to install it, or
> approval from the user.
>
> Thank you,
> John.
>
>
>
> >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
>
> On 2/5/01, 4:59:46 AM, "Coetmeur, Alain"
> <[EMAIL PROTECTED]> wrote regarding RE: SSL Help:
>
>
> > browse the archive those recent days/weeks
>
> > the secret are:
>
> > it is advised to use apache with openssl (mod_ssl or apache+ssl)
> > as the SSL processor and just configure it
> > to delegate servlet and JSP to tomcat...
> > look at http://www.modssl.org/
> > or http://www.apache-ssl.org/
> > for explanations, install doc, binaries, advices...
>
> > anyway you can make tomcat able to serve SSL directly.
> > install JSSE from SUN as documented
> > (detail in some of my former messages here)
> > this include putting the.jar in a lib or lib/ext directory
> > as explaine, and twickle some security.properties
>
> > create private key in the java keystore, produce a
> > certificate (externaly or auto-certifies) with
> CN=the.dns.name.of.my.tomcat
> > and add the certificate to the java keystore...
>
> > modify the server.xml as explained
> > in come comments... (I've send here a working server.xml)
>
> > add some options in TOMCAT_OPTS (in tomcat.bat) so that URL Factory
> > supports SSL, and JSSE can find the truststore...
> > set TOMCAT_OPTS=%TOMCAT_OPTS%
> > -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/../openssl/maui/cacerts"
> > -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
>
> > may the force be with you.
> > you can do it!
> > this can work, I've tested !
>
> > > -----Message d'origine-----
> > > De: venkatesan [mailto:[EMAIL PROTECTED]]
> > > Date: lundi 5 février 2001 12:50
> > > À: [EMAIL PROTECTED]
> > > Objet: SSL Help
> > >
> > >
> > > Hi All,
> > > I am developing web applications using servlets,
> > > Rmi, Sql-server and
> > > Tomcat in Apache web server under Linux platform. I would
> > > like to use SSL. Can
> > > any body tell that where can i get SSL for tomcat. How can i
> > > do it using
> > > Tomcat..
> > > Thanks in advance...
> > >
> > > cheers
> > > Venkateh
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, email: [EMAIL PROTECTED]
> > >
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, email: [EMAIL PROTECTED]
>
> NOTICE: This communication may contain confidential or other privileged
information. If you are not the intended recipient, or believe that you
have received this communication in error, please do not print, copy,
retransmit, disseminate, or otherwise use the information. Also, please
indicate to the sender that you have received this email in error, and
delete the copy you received. Any communication that does not relate to
official Columbia business is that of the sender and is neither given nor
endorsed by Columbia. Thank you.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
