On Fri, 27 Apr 2001, Matías Salvador wrote:
> Hi People,
> I'm working with APACHE & TOMCAT and I am investigating how to make
> them secure, so I'd like to ask you all some questions:
>
Try to read http://www.ccl.net/cca/software/UNIX/apache/
> 1. What do I have to take into account to make my webserver (APACHE, TOMCAT or BOTH)
> secure?
> 2. How do I have to configure SSL in them?
> 3. Is it necessary to acquire a "Digital Certificate"? What is it for?
So your server can use SSL, i.e., give the browser client its public key,
and read the response with its private key, and then switch to symmetric
encryption.
> 4. What do I do to browse my dynamic or static pages and make the closed padlock
> appear?
You would have to get a real certificate signed by the CA. Read the
docs which come with openssl and mod_ssl.
> 5. How can someone hack my server?
Get access in whichever way (e.g., via services which you do not need and
still run), then use one of the system's exploits and become root.
Alternatively, if you run Tomcat as root and have an unsafe JSP or servlet,
the hacker will use it and mess you up in no time.
> 6. Is there anything I have to put in my servlets' code to make them secure, or is it
> just a webserver or servlet container topic?
Oh yes, you can use Java Security features, but if you do something which is
not secure, it will get you. And to know what is secure and what is not,
you need to read, and read, and read, and then try to break into your own
server.
> Thanks for any hint you can throw me, as I'm a little lost with all the things I
> read (Internet, Jakarta List, O'Reilly's Book, etc.)
>
Go to www.google.com and www.hotbot.com and search for:
tomcat security
and then relax and read for a few days...
Jan
Jan K. Labanowski | phone: 614-292-9279, FAX: 614-292-7168
Ohio Supercomputer Center | Internet: [EMAIL PROTECTED]
1224 Kinnear Rd, | http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163 | http://www.osc.edu/