Cams Administrator's Guide
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications for e-commerce, e-mail and other data transfers without eavesdropping, tampering or message forgery. SSL was first introduced by Netscape in 1996 with version 3.0 of the Netscape browser. Its successor, Transport Layer Security (TLS), is an IETF standard protocol first defined in RFC 2246. The term SSL generally applies to both protocols unless otherwise specified.
At a high level, SSL has three capabilities that may be used independently or in combination to secure content transport (the network pipe). These capabilities are:
SSL implementations rely on the use of digital certificates, which verify the identity of people and organizations. Certificates are electronic credentials that bind the identity of the certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign information digitally. These electronic credentials provide assurance that the keys actually belong to the person or organization specified. Messages can be encrypted with either the public or the private key and then decrypted with the other key.
Each certificate contains at least the following information:
Certificates can also contain other user-supplied information, including a postal address, an email address and basic registration information, such as the country or region, postal code, age and gender of the user.
Most public web sites use SSL only to authenticate the web server to the client, while the client remains unauthenticated to the web server. Web server authentication is easily implemented and sufficient for establishing an SSL connection, whereas requiring users to install X.509 client certificates is prohibitively expensive and difficult for general Internet use. However, web servers can be configured to request or require that the client authenticate using an X.509 certificate. This is known as mutual authentication and is required when configuring Cams to use X.509 certificate authentication within a login module. In other words, Cams relies on successful SSL client authentication so that the client certificate is automatically transmitted with the HTTPS request.
Web servers ship with instructions on how to configure them for SSL. Though instructions vary depending upon the web server, the basic ingredients are the same. An X.509 certificate, which has been signed by a trusted certificate authority (CA) or intermediary, must be installed in the web server. The word trusted implies that the browser must be configured to trust the CA that signed the web server certificate by importing its publicly available root or top-level certificate. Popular CA root certificates are pre-installed by default in all browsers and as such are intrinsically trusted. You must manually install root certificates for any CA you implement. These root certificates establish a chain of trust with the X.509 certificates they sign. If you don't install a root certificate for your CA in a browser, then your browser will prompt you to ask if you want to accept or trust the web server certificate. That's not the case for client certificates supplied from your browser to the web server. In that case, you MUST install the CA's root certificate in the web server or SSL authentication will fail (there is no practical way for a web server to prompt an administrator to accept or trust client certificates one by one). Also, CAs distribute Certificate Revocation Lists (CRLs), which are lists of serial numbers for certificates that have been revoked by the CA. Both browsers and web servers can be configured to reference or import CRLs.
When properly configured, the browser and web server use a process known as handshaking that requires no human interaction:
When a browser or web server receives a certificate, successful authentication requires that the following questions evaluate to true:
There is quite a bit more complexity under the hood, but we'll leave it up to you and your Google skills to find out more. The following sections provide some starting points.
A Certificate Authority is an entity that issues trusted digital certificates. A CA can be either a third party or implemented internally within an organization using commercial or open source software. A CA issues public key certificates, each of which attests that the certificate's public key belongs to the person, organization or entity named in the certificate. A CA's obligation is to verify an entity's credentials, so that relying parties can trust the information in the CA's certificates. If the user trusts the CA and can verify the CA's signature, then they can also verify that a public key belongs to the certificate owner.
You can purchase certificates from online CAs such as Verisign, Thawte or Comodo, or you can implement your own CA. Commercial vendors including Microsoft, Red Hat and Sun Microsystems provide software to do so. You can also use OpenSSL, included free with most Linux distributions. OpenSSL is an open source toolkit that implements the SSL v2/v3 and TLS v1 protocols as well as a general purpose cryptography library. Various documents are available on how to configure OpenSSL for use as a CA. Another appendix in the Cams Administrator's Guide documents Configuring Apache 2.0 for SSL/TLS Mutual Authentication using an OpenSSL Certificate Authority. Another alternative is CAcert.org, a community driven CA that issues free certificates to the public.
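The chain-of-trust and CRL behaviour described above (a client certificate is accepted only if the web server holds the issuing CA's root certificate and the certificate's serial number is not on the CA's CRL) can be exercised with a throwaway OpenSSL CA. The following script is an added example, not part of the Cams guide or its Apache appendix; "Demo CA", "Other CA" and "alice" are constructed names, and it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example (not from the Cams guide): build a throwaway CA with OpenSSL
# and reproduce the three verdicts a web server configured for mutual
# authentication reaches on a client certificate: trusted, untrusted, revoked.
# "Demo CA", "Other CA" and "alice" are constructed names for this example.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Two self-signed root certificates: the CA the server installs, and one it does not.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Other CA" \
  -keyout other.key -out other.crt 2>/dev/null

# Client key and signing request, signed by Demo CA: this is the chain of trust.
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 7 -out alice.crt 2>/dev/null

# Minimal "openssl ca" configuration so Demo CA can revoke certificates and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
touch index.txt; echo 01 > crlnumber

# CRL before any revocation (empty), then revoke alice and issue a fresh CRL.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

# Verdict a web server reaches: $1 = installed root cert, $2 = CRL, $3 = client cert.
decide() {
  if ! openssl verify -CAfile "$1" "$3" >/dev/null 2>&1; then
    echo untrusted   # chain does not end at a root certificate the server holds
  elif ! openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1; then
    echo revoked     # chain is fine, but the serial number appears on the CRL
  else
    echo trusted
  fi
}

decide ca.crt empty.crl alice.crt      # trusted
decide other.crt empty.crl alice.crt   # untrusted
decide ca.crt revoked.crl alice.crt    # revoked
```

The second verdict is the failure the text warns about: the client's certificate is valid, but the server was never given the root certificate of the CA that signed it.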
SSL configuration instructions are specific to the web servers you use and are provided by the organizations that supply and support them. For your convenience, the following documentation links are instructions for some of the most common web servers supported by Cams:
Commonly, browsers import X.509 certificates in PKCS#12 binary format, though other formats may also be acceptable. Brief instructions are provided here for Internet Explorer 6.0 and Firefox 1.5.
To import a certificate, start IE and follow the instructions below:
For more detailed information, please see Microsoft Internet Explorer 6 Resource Kit, Chapter 6 - Digital Certificates.
To import a certificate, start Firefox and follow the instructions below: