1 Secure Internet Applications on the AS/400 sstem Mark McKelve Abstract Toda s greater emphasis on business relationships and an increasingl mobile work force are driving the demand for secure access to corporate resources via the Internet. As valuable corporate data flows over untrusted networks, the integrit and privac of that data must be preserved. The AS/400 sstem s implementation of the Secure Sockets Laer (SSL) protocol and the collection of applications that use it provide an excellent solution for companies that want to access and share sensitive data over the Internet. SSL-enabled applications ensure that the communicating parties can positivel identif and authenticate each other and that all data exchanged is encrpted, protecting it from the pring ees of outsiders and from possible manipulation or forger. OS/400 Version 4 Release 4 provides a critical mass of SSL-read applications that can be immediatel put to use. These include the Telnet server, HTTP server, Database server (DRDA/DDM), Director Services, Client Access, Management Central, and Lotus Domino. In addition, an SSL Application Programming Interface (API) and a set of Java- SSL classes are available so that application developers and business partners can develop secure applications as well. The highl-optimized SSL support is included as part of OS/400, which makes it equall available to all applications. Unique crptographic controls make it possible for a single application to use different-length crptographic kes in different countries to compl with governmental regulations. Digital certificates are emploed to identif remote users and sstems, paving the wa for single sign-on and the elimination of separate passwords for each sstem. The Digital Certificate Manager provides a single point of control for all digital certificates on the sstem, which makes it eas to get the SSL-enabled applications operational. Introduction As everone in the computer industr knows, the Internet is having a profound impact on the wa in which we do business. More and more applications are being made available to customers and partners over the Internet and an increasingl mobile work force is demanding access to corporate resources via the Internet. One of the main limiting factors to using the Internet in these new was is securit. The initial battles to protect the corporate intranet were fought with packet filtering routers and firewalls, but as sensitive data leaves the confines of the protected network, firewalls are not enough. When data flows between a remote user and a corporate server, we
2 need to ensure that the integrit and privac of that data is preserved. The AS/400 sstem s Secure Sockets Laer (SSL) and the collection of applications that use it provide an excellent solution for companies that want to access sensitive data b using the Internet. The Secure Sockets Laer (SSL) protocol is a securit protocol that was developed b Netscape Communications Corporation in the earl 1990s. This protocol uses encrption and authentication techniques to ensure communications between a client and a server application remain private, and it enables the client and server to definitivel identif and authenticate each other. An attempts to impersonate one of the parties or modif the data while it is in transit are detectable, and all sensitive data is securel encrpted such that unauthorized third-parties cannot intercept and interpret the data transmission. Figure 1 shows how customers, partners and mobile workers can use the Secure Sockets Laer to communicate securel with public Web servers and sstems in the corporate intranet. Private corporate intranet Mobile workers Secure session Internet Customers and partners Public server Secure session Figure 1. SSL provides secure sessions over the Internet for customers, partners, and mobile workers. The AS/400 sstem supports the SSL protocol and provides a set of SSL-read applications to enable e-business and mobile computing. These features are useful an time the network being utilized cannot be trusted to securel exchange the information. Tpicall this will be the Internet, but it can be applied to corporate intranets and private network connections with customers and partners. Applications on AS/400 that are SSL-read include: Telnet server HTTP server Database server (DRDA/DDM) Director Services (Lightweight Director Access Protocol) Client Access Management Central Lotus Domino-
3 Tpicall, an SSL application is a sockets program written to the TCP transport laer. The SSL-enabled application will open to a unique port compared to its socket application counterpart. For example, the SSL-enabled Telnet server application opens to port 992 while the regular Telnet server will open to port 23. The SSL protocol consists of two separate protocols, the record protocol and the handshake protocol. The handshake protocol is encapsulated within the record protocol. The SSL handshake is used to establish an SSL session on the TCP/IP connection between a client and a server application. The SSL handshake usuall occurs immediatel after the TCP connection is established. During the handshake, the client and server agree on the encrption algorithms and the encrption kes that the will use for that session. In all SSL handshakes, the client will authenticate and verif the identit of the server. The server can optionall authenticate and verif the identit of the client. After the SSL handshake has successfull completed, information exchanged between the client and the server is encrpted using the negotiated kes. Figure 2 shows the SSL handshake followed b encrpted data transmission. An important advantage of SSL is its abilit to negotiate unique encrption kes for each SSL session between a client and server even if the have not previousl communicated with each other. server certificate (1) Exchange certificates and negotiate kes (handshake). client certificate Server appl (2) Send and receive encrpted data. Client appl Figure 2. Secure Sockets Laer handshake and data exchange. During the SSL handshake, the client and server exchange digital certificates. Digital certificates provide identifing information that enable the client and the server to identif each other. Digital certificates identif users and sstems in a computer network similar to the wa in which a passport or a driver s license identifies a person. Digital certificates are issued b trusted third-parties called certificate authorities, which are analogous to state licensing bureaus for driver s licenses. A SSL client must trust the certificate authorit which issued the server s certificate in order for the SSL handshake to complete successfull. The core of the SSL support on the AS/400 is the SSL protocol engine. It implements SSL protocol versions 2.0 and SSL protocol version 3.0 according to the published Netscape SSL specifications. The SSL protocol has been available on AS/400 since V4R1. It full supports server and client authentication.
4 The SSL protocol engine provides a set of published application programming interfaces (APIs) that are used b the IBM TCP/IP applications and are available for customers to SSL enable their socket applications. SSL support is also provided for programs written in Java b a set of Java SSL classes. Figure 3 shows the relationships between the various sstem components that implement the Secure Sockets Laer. LDAP DDM/DRDA HTTP Management Central Telnet Client Access User Application Digital Certificate Manager SSL APIs and javax.net.ssl classes SSL Protocol Engine Certificate Management Services TCP/IP Crptographic Service Provider Figure 3. AS/400 Secure Sockets Laer architecture. The SSL protocol engine uses the services of a crptographic service provider to perform all crptographic operations. The SSL protocol engine uses certificate management services to obtain a cop of the digital certificate that identifies the local sstem so it can be shared with the remote peer. It also uses the certificate management services to validate the remote user s or sstem s digital certificate. Certificate management services is responsible for storing and manipulating all digital certificates and their associated public and private kes. The Digital Certificate Manager provides a Web browser-based user interface to create new certificates, manage existing certificates, associate certificates with applications, and man other certificate-related functions. AS/400 applications that support Secure Sockets Laer The SSL support is useful onl when there are applications that use it. The number of applications supporting SSL dramaticall increased in AS/400 Version 4 Release 4. The SSL-read applications are: Telnet server The OS/400 secure Telnet server provides the capabilit for a user to establish a secure 5250 emulation session to an AS/400 sstem. The complete Telnet session is encrpted including the
5 initial session parameter negotiation, sign-on, and all subsequent data screens. The encrpted Telnet session provides secure access to traditional business applications and sstems administration functions over untrusted networks. The secure Telnet server can handle encrpted Telnet sessions concurrentl with regular Telnet sessions which enables access from the Internet and intranet simultaneousl with appropriate securit. The secure Telnet server is activated b assigning a digital certificate to the Telnet server using the Digital Certificate Manager. Corporate Intranet Telnet Server port 23 port 992 Encrpted session Internet Client Access Express for Windows Figure 4. Telnet server support for SSL. The Telnet client must also support SSL in order for a secure session to be established. Clients currentl available that support SSL include IBM enework Host On-Demand and Client Access Express for Windows. Database server OS/400 databases and files can be accessed securel using the SSL support of the DRDA/DDM TCP/IP server. The database or file request sent to the server and the contents returned to the client are both encrpted. The server interoperates with clients such as the AS/400 Toolbox for Java, the Client Access OLE DB Provider, and with an DRDA application requester products or DDM file I/O clients provided b independent software vendors that support SSL. SSL support is activated b assigning a digital certificate to the DRDA/DDM server using the Digital Certificate Manager. HTTP Server The IBM HTTP Server for AS/400 implements the HTTPS protocol, which is based upon SSL. The HTTP server has been SSL-enabled since V4R1. Beginning with V4R3, the HTTP server supports client authentication. When HTTPS is used, form data entered b the user and the Web pages returned b the server are encrpted to ensure privac. HTTPS is commonl used for Web
6 applications that contain personal information such as credit card numbers, financial information, or health records. SSL support is activated via the HTTP server configuration interface. A digital certificate must also be assigned to the HTTP server instance using the Digital Certificate Manager. The HTTP Server for AS/400 also has the capabilit of authenticating the user at the Web browser b using digital certificates. The Web browser automaticall supplies the user s digital certificate when a secure Web page is accessed. The use of client certificates provides improved user identification and reduces the need for passwords. The Web Server article has more information on the Web server. Director Services OS/400 Director Services (option 32) implements the Lightweight Director Access Protocol (LDAP), which is a director protocol that runs over TCP/IP. Common uses of LDAP directories include online telephone and directories. Director Services follows a client/server model where one or more LDAP servers contain the director data. An LDAP client connects to an LDAP Server, makes a request, and receives a repl or a referral to another LDAP server. If confidential director data is to be accessed over an untrusted network, a secure LDAP session can be used. The LDAP client establishes an SSL session with the LDAP server. Both the LDAP request and the repl are encrpted to ensure privac. OS/400 Director Services has supported SSL since V4R3. SSL support is activated b assigning a digital certificate to OS/400 Director Services b using the Digital Certificate Manager. The LDAP and OS/400 Director Services article has more information on Director Services. Client Access Client Access Express for Windows supports TCP/IP communications using SSL to the host servers on AS/400. The following servers used b Client Access Express are enabled for SSL communications: Sign-on server File server Database (ODBC) server Network print server Data queue server Central server Remote command/distributed program call server Once digital certificates are assigned to these host servers b using the Digital Certificate Manager and the host servers are started, the servers will automaticall be prepared to handle incoming
7 SSL connections, as well as non-ssl connections. Each server listens on a port that is used for non-ssl connections and a second port that is used exclusivel for SSL connections. It is not necessar to specificall start "SSL servers" or "non-ssl servers" because the host servers are prepared for either tpe of connection. The end user, b changing properties of the servers from the client, determines if SSL is actuall used. All data passed between the client and the secure host servers is encrpted using SSL. The Client Access Express for Windows article has more information on this new PC client product. Management Central Management Central provides the infrastructure to schedule and perform sstem management transactions on a group of sstems. Transactions include: asset inventor collection, software fix management, object packaging and distribution, remote command and real-time performance monitoring. Management Central transactions originate on a PC client, are processed b AS/400 central site sstem, and retransmitted to multiple AS/400 endpoint sstems. Each AS/400 sstem has a single Management Central server that ma accept connections and service transactions from multiple graphical clients and from multiple AS/400 sstems. The Management Central server on each AS/400 sstem interacts in a peer-to-peer fashion with other AS/400 sstems and is not restricted to a single role of central site or endpoint. Graphical Clients Win 32 Central Sites/End Points AS/400 End Points AS/400 Figure 5. Management Central uses SSL to identif sstems within the peer group. To ensure that transactions are accepted onl from trusted sstems within the peer group, Management Central uses digital certificates for sstem identification. During an introductor period, sstems within the peer group establish SSL sessions with each other and exchange digital certificates. Once the introductor period is over, sstems will accept transactions onl from sstems that had been previousl introduced. All transactions are sent using the SSL protocol, which ensures that the originated from a trusted sstem and that the were not modified while in-transit. The Sstems Management article has more information on Management Central.
8 Lotus Domino Lotus Domino is a separate licensed program that comes with its own complete SSL implementation. This SSL support enables Web pages served b the Domino server to be encrpted in the same manner as the IBM HTTP Server. In addition, data exchange between a Notes client and a Notes server can be optionall encrpted. Lotus Domino provides its own complete set of certificate management functions. The Domino for AS/400 article has more information on Lotus Domino. Partner and customer applications Because the SSL support is provided b both an Application Programming Interface (API) and a set of Java classes, application developers and business partners can write secure applications as well. In particular, client-server socket applications that are used over the Internet ma benefit from using the SSL protocol. The APIs and Java SSL classes are provided with OS/400 at no additional charge. AS/400 SSL architecture The SSL support on AS/400 is provided b an SSL infrastructure that includes the SSL APIs, SSL protocol engine, a software crptographic service provider, and certificate management services. The Digital Certificate Manager option of OS/400 provides the necessar digital certificates to enable the SSL protocol. There are multiple versions of the SSL protocol defined. The OS/400 implementation supports SSL Version 3.0, SSL Version 2.0, and SSL Version 3.0 with 2.0 compatibilit. However, the OS/400 implementation does not support a new Request for Comment (RFC), RFC2246, that was recentl made a standard b the Internet Engineering Task Force (IETF). This RFC defines The Transport Laer Securit (TLS) protocol. The TLS protocol is heavil based on the SSL version 3.0 protocol, but the are not identical or upward compatible. However, the can interoperate if the TLS implementation negotiates to an SSL V3.0 level. Secure Sockets Laer APIs OS/400 provides a set of SSL APIs that extend the OS/400 sockets APIs to provide secure communications between applications on a network. An application that uses SSL for secure communications is basicall a client/server application that is written using sockets. The OS/400 SSL APIs support both server and client authentication. The OS/400 SSL APIs are: SSL_Init() - Initialize the current job for SSL using a specific ke database. SSL_Init_Application() - Initialize the current job for SSL using the certificate registration facilit. SSL_Create() - Enable SSL support for the specified socket descriptor.
9 SSL_Handshake() - Initiate the SSL handshake protocol. Causes digital certificates to be exchanged, certificates to be authenticated, and smmetric encrption kes to be negotiated. Upon successful conclusion, an SSL session has been established. SSL_Read() - Receive data from an SSL-enabled socket descriptor. The encrpted data received from the remote sstem is decrpted before it is returned to the application. SSL_Write() - Write data to an SSL-enabled socket descriptor. The application data is encrpted before it is sent to the remote sstem. SSL_Destro() - End SSL support for the specified socket descriptor. Applications ma intermix these SSL APIs with the standard sockets APIs to selectivel encrpt information. These APIs are available with OS/400 but are onl enabled if option 34 is installed and one of the three available Crptographic Access Provider products is installed. Because these APIs are extensions to the sockets programming interface, existing socket applications can be easil updated to use SSL to transmit data in encrpted form. Java SSL classes OS/400 supports SSL for Java programs b providing the javax.net, javax.net.ssl, and javax.securit.cert packages defined b Sun Microsstems. These Java SSL classes use the same SSL protocol engine used b the SSL APIs to maximize performance. The SSLSockets and SSLServerSockets classes defined in these packages can be used like an other sockets unless SSL-specific features are required, which makes it eas to enable SSL for an existing Java program. Secure Sockets Laer protocol engine The SSL protocol engine is responsible for performing the communication with the remote sstem according to the SSL protocol specification. The protocol engine is part of OS/400 s communication infrastructure for maximum performance and securit. The first action that the protocol engine performs when communicating with a remote sstem is an SSL handshake. The handshake establishes a common cipher suite, which identifies the crptographic algorithms to be used and the length of the kes to be generated. Next, the identit of the remote sstem or user is authenticated via digital certificates and the crptographic kes, which are subsequentl used for encrpting data, are established. If the local machine has previousl communicated with the remote sstem, the protocol engine ma be able to use cached information about that remote sstem and will attempt to do an abbreviated SSL handshake. An abbreviated SSL handshake improves performance because fewer data transmissions are required. During the handshake, digital certificates are exchanged. The digital certificate received from the remote sstem is verified to ensure that it is valid and that it has not been subject to tampering. This is done b verifing that the digital signature on the received certificate is consistent with the contents of the certificate. A check is also made to ensure that the certificate authorit that issued the certificate is in the list of trusted certificate authorities.
10 In order to determine that the remote sstem is the rightful holder of the certificate, an additional test is performed using public/private ke crptograph. Some random data is sent to the remote sstem. The remote sstem encrpts the random data with its private ke and returns the result. The local sstem decrpts the returned data with the public ke contained in the received certificate and compares it to the random data originall sent. If the values are equal, it means that the remote sstem must have the matching private ke for the certificate and is therefore the legitimate holder of the certificate. Once the remote sstem or user is identified and authenticated, a separate temporar ke is created. This temporar ke is used to generate the actual smmetric kes, which are used for encrpting and decrpting data sent between the two sstems. The temporar ke is based upon secret, randoml-generated data and is securel exchanged with the remote sstem. The actual smmetric kes used for the SSL session are never exchanged between the sstems. Certificate management services keeps certificates private Certificate management services is responsible for storing and manipulating all digital certificates and their associated kes. The certificates and an private kes are kept in a certificate store, which is an encrpted file. The certificate store contains two tpes of certificates: 1. Sstem certificates, which are used to identif the local AS/400 sstem when communicating with a remote user or sstem. For example, the certificate store on the sstem would contain a certificate identifing it as the server, as shown in Figure Certificate authorit certificates, which are used during the verification of certificates received from remote users or sstems. Certificate authorit certificates identif the trusted third-part who signed the remote user s or sstem s certificate. VeriSign is one of the most well-known certificate authorities. Certificate Management Services Certificate Store Server certificate for VeriSign CA GTE Cbertrust CA USPS CA - trusted - trusted - not trusted Figure 6. Certificates are kept in the sstem certificate store. Certificate management services decodes certificates received from remote sstems during the SSL handshake. It verifies that there has been no tampering with the certificate b checking its digital signature and verifing that the certificate was signed b a certificate authorit that is considered trusted. When these checks are completed, the application can be assured that the certificate identifies the remote user or sstem. The application can use the name, organization, and address information in the certificate in an wa that it sees fit.
11 Crptographic service providers provide efficient encrption OS/400 uses the BSAFE- tool kit developed b RSA Data Securit Inc., an industr leader in crptographic technolog, as the software crptographic service provider. The BSAFE encrption algorithms have been optimized for the AS/ bit RISC architecture for greater performance. Since BSAFE is included with OS/400, ou do not need to purchase a separate encrption package to write SSL applications on the AS/400 sstem. Although BSAFE is included with OS/400, it is not directl accessible and is subject to the crptographic controls described in the next section. The AS/400 sstem also supports a hardware crptographic service provider with the 4758 card, however, this crptographic service provider currentl cannot be used b SSL. Crptographic controls ensure compliance with government regulations Due to regulations imposed b the United States and other governments, the crptographic algorithms available and associated ke lengths permissible var b countr. To avoid shipping separate versions of each product that uses crptograph, AS/400 emplos a unique mechanism for controlling access to crptographic functions. A list of permitted algorithms and associated maximum ke lengths is maintained for each crptographic service provider. This SSL protocol engine queries the crptographic service provider installed on the AS/400, to ensure onl permitted algorithms are used and that maximum ke lengths are not exceeded. IBM provides a collection of no-charge Crptographic Access Provider products that specif the list of permitted algorithms and ke lengths for the crptographic service providers. The products are: 5769-AC1 - Supports smmetric ke algorithms with ke lengths no greater than 40 bits. Available onl in France AC2 - Supports DES and other smmetric ke algorithms such as RC2 and RC4 with ke lengths up to 56 bits. Available in most countries in which IBM does business with the exception of France, the United States and Canada. (Note: Recent changes in the encrption polic in France ma allow this product to be available there in the future.) 5769-AC3 - Supports DES and other smmetric ke algorithms such as RC2 and RC4 with ke lengths up to 128 bits. Available in the United States and Canada without restriction. With specific export approval b the U.S. government, it is also available to certain tpes of companies, such as financial institutions, in other countries. The AS/400 crptographic controls provide a number of unique advantages: Onl one version of each SSL-enabled application needs to be shipped, which reduces software distribution and management complexit for multinational corporations. As government regulations change, either new crptographic access provider products will be created or the existing products will be modified. When these new or changed products are
12 installed, the crptographic capabilities of all applications on the AS/400 sstem are immediatel effected. AS/400 applications written b customers and business partners that use SSL will automaticall use these controls, which makes compliance with government regulations easier. The SSL implementation for AS/400 is enabled for Global Server ID support. The Global Server ID support allows, with the proper government approvals, financial and other qualified companies residing outside the United States to use 128 bit smmetric kes for crptographic operations. The compan must obtain the proper United States Export Office approvals, install the 5769-AC3 product, and obtain a special certificate from VeriSign in order to use this support. Browsers from outside the United States will negotiate a 128 bit ke instead of the tpical 40 or 56 bit ke when connecting to a server using this special certificate. Digital Certificate Manager manages all certificates on the sstem The Digital Certificate Manager, which is included in OS/400 option 34, provides capabilities for an administrator to create or obtain the necessar digital certificates in order to use the Secure Sockets Laer (SSL) for secure browser access to Web sites and other secure Internet applications. The Digital Certificate Manager user interface is accessed from the AS/400 Tasks page using a Web browser. The Digital Certificate Manager is the central point for management of all sstem certificates for all secure applications. A given digital certificate can be easil shared between man applications (for example, HTTP, LDAP, and Telnet) or unique certificates can be used for each application at the administrator s discretion. The Digital Certificate Manager provides management functions for three tpes of certificates: Certificate authorit Sstem User Certificate authorit certificates The Digital Certificate Manager provides the abilit to issue certificates, on a limited basis, to users and sstems. Test certificates can be created to test secure applications that are to be used on the Internet prior to purchasing a certificate from an Internet certificate authorit such as VeriSign. Certificates can also be issued to sstems and users in corporate intranets. The Digital Certificate Manager is not intended to manage large certificate deploments throughout a corporate intranet or the Internet. The Digital Certificate Manager becomes a certificate authorit b creating a self-signed digital certificate for an organization. This certificate is used to issue certificates to sstems and users in the network. Certificate authorit polic that is set b the administrator specifies whether user certificates can be issued and the validit period for certificates.
13 Sstem certificates Applications on the AS/400 sstem require certificates in order to use SSL. These sstem certificates identif the local AS/400 sstem when communicating with remote sstems. The Digital Certificate Manager provides the capabilities to create these sstem certificates either using the local certificate authorit function or b requesting a certificate from an Internet certificate authorit. Each secure application on the AS/400 sstem is registered with the Digital Certificate Manager. When a new sstem certificate is created or received, the administrator can assign the certificate to one or more secure applications. Once a certificate is assigned to an application, the application is enabled to use SSL. Since the Digital Certificate Manager is aware of all secure applications, it eas to use the same certificate for man applications, simplifing sstem administration. The Digital Certificate Manager also keeps a list of certificate authorit certificates that are to be considered trusted. A certificate received from a remote sstem during an SSL handshake must be signed b a trusted certificate authorit in order for SSL to be enabled. Highl secure applications ma trust onl a single intranet certificate authorit while other applications ma trust certificates signed b an of a number of Internet certificate authorities. User certificates The Digital Certificate Manager provides the functions necessar for users to obtain the certificates the need in order to use SSL. Certificate authorit certificates can be downloaded and installed into Web browsers or other client software. This enables the Web browser to validate an server certificates that it receives during an SSL handshake. If the AS/400 sstem is acting as a certificate authorit, Web browser users ma request that a certificate be created for them and automaticall installed into their Web browser. Web browser users that alread have a certificate ma register it with the AS/400 sstem so that it can be used in the future to identif them. Man of the user certificate management functions involve associating a digital certificate with an AS/400 user profile. Once associated with a profile, a certificate ma be used as a form of identification instead of requiring a password. Certificates issued to users are automaticall associated with their AS/400 user profile, and existing certificates from other certificate authorities ma be registered with a user profile.
14 Digital identification of users is possible with OS/400 The OS/400 securit component contains a set of functions that enable AS/400 users to be identified using digital certificates. A set of digital ID APIs enable digital certificates to be stored inside OS/400 user profile objects, as shown in Figure 7. When a certificate is stored inside a user profile, it means that a user presenting a cop of that certificate and possessing the associated private ke is entitled to all of the privileges of that user profile. OS/400 User Profile Objects Sam Sall VeriSign Certificate GTE Certificate VeriSign Certificate XYZ Corp. Certificate 59 Figure 7. User profile objects contain user certificates. The functions provided b the OS/400 digital ID APIs are: Add a certificate to a user profile. Delete a certificate from a user profile. List all certificates for a user profile. Find the user associated with a given certificate. The digital ID functions are used b the IBM HTTP Server to allow certificates to be used as an alternative to passwords as proof of identit for Web browser users. Since a single digital certificate can be used to identif one s self to multiple sstems, the have the potential for becoming a solution for single sign-on. Validation list objects ma be used for situations where authentication using certificates is desirable but ou do not wish to create OS/400 user profiles. A validation list object contains a list of certificates that are authorized to a particular function such as a Web application. The primar use of validation lists is to provide Internet users controlled access to applications without creating user profiles. Virtual Private Networks are an alternative to SSL SSL is not the onl mechanism available for creating secure communications between sstems. The AS/400 sstem supports Virtual Private Networks (VPN) through its implementation of the IETF IPSec (RFC 2401) and related standards. VPN differs from SSL in that it creates a secure channel between two TCP/IP hosts over which multiple TCP/IP connections can be established, as shown in Figure 8. Authentication is at the TCP/IP host interface level for VPN versus a user
15 application level for SSL. All TCP and UDP applications can use the secure channel created b the VPN without requiring changes to the applications. Because SSL requires a handshake for ever session established, it is less efficient than VPN, which requires onl a single handshake between a pair of hosts. But, SSL can selectivel encrpt portions of a TCP/IP session while the all data over a TCP interface is alwas encrpted with VPN. SSL has generall been easier to set up because configuration is supported directl b client software such as Web browsers. Because of the unique operational advantages of each, it is likel that most organizations will deplo both SSL and VPNs for the foreseeable future. All data sent over the VPN is encrpted. Internet Two sessions over a virtual private network between two AS/400 sstems. Conclusion Figure 8. Data transmission over a Virtual Private Network. The AS/400 sstem provides a comprehensive SSL solution for those companies worried about who might be looking at their data as it flows through an untrusted network such as the Internet. The entire SSL infrastructure and associated certificate management functions are provided b OS/400 making it available for a variet of IBM and partner-developed applications. Since these functions are integrated into the operating sstem, the provide a highl reliable and secure environment. IBM provides a number of applications based on SSL that mean secure access to the our AS/400 sstem is a realit toda.
16 References OS/400 Sockets Programming, SC September, OS/400 Securit APIs, SC , June AS/400 Sstem API Reference, SC , June AS/400 Information Center: IBM white papers on Internet securit: SSL Java Standard Extension to JDK 1.1: IETF Transport Laer Securit (TLS) working group: Notices IBM, AS/400, and OS/400 are trademarks of the IBM Corporation in the United States or other countries or both. Java is a trademark of Sun Microsstems, Inc. BSAFE is a trademark of RSA Data Securit, Inc. The VeriSign Name and Mark are exclusivel licensed to VeriSign, Inc. Digital ID and Digital ID Center are service marks of VeriSign, Inc. Other compan, product, and service names ma be trademarks or service marks of others.
ERserver iseries Securing applications with SSL ERserver iseries Securing applications with SSL Copyright International Business Machines Corporation 2000, 2001. All rights reserved. US Government Users
ERserver iseries Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted
Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
Implementing Secure Sockets Layer (SSL) on i Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts History of SSL Digital Certificate Manager Local Certificate Authority Server
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
TN3270 Security Enhancements SecureWay Communication Server for OS/390 Copyright IBM Corporation, 1999 1 Support in OS/390 V2.R6 Copyright IBM Corporation, 1999 2 Secure Sockets Layer - What is it? Application
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known
System i Security Secure Sockets Layer (SSL) Version 5 Release 4 System i Security Secure Sockets Layer (SSL) Version 5 Release 4 Note Before using this information and the product it supports, read the
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
z/os Firewall Technology Overview Mary Sweat E - Mail: email@example.com Washington System Center OS/390 Firewall/VPN 1 Firewall Technologies Tools Included with the OS/390 Security Server Configuration
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
Outline WEB Security & SET (Chapter 19 & Stalling Chapter 7) Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction (SET) Web Security Considerations
Software Announcement June 1, 2004 Services Expedite software adds Secure Sockets Layer TCP/IP support Overview Services Expedite software for Microsoft Windows, AIX, and OS/400 is being enhanced to support
DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES * Shamima Rahman Tuan Anh Nguyen T. Andrew Yang Univ. of Houston Clear Lake 2700 Bay Area Blvd., Houston, TX 77058 firstname.lastname@example.org email@example.com
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
Security is of the utmost importance when doing business on the Web. Your customers want to know that their information is protected when crossing data lines. A Thawte SSL Web Server Certificate or SuperCert
BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9
Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...
White Paper Transparent, Encrypted Access to Networked Applications TFS Technology www.tfstech.com Table of Contents Overview 3 User Friendliness Saves Time 3 Enhanced Security Saves Worry 3 Software Componenets
Security & Privacy on the WWW Briefing for CS4173 Topic Outline 1. Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security
Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server
Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining
Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...
TCP/IP Services b Scott Slvester and Brad L Brech Abstract Enterprises around the world have recognized the shift of networking to TCP/IP technologies and the business potential of leveraging these technologies
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
Part III-b Contents Part III-b Secure Applications and Security Protocols Practical Security Measures Internet Security IPSEC, IKE SSL/TLS Virtual Private Networks Firewall Kerberos SET Security Measures
Transition Networks White Paper Why Authentication Matters YOUR NETWORK. OUR CONNECTION. : Why Authentication Matters For most organizations physical security is a given. Whether it is video surveillance,
Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0003.01 Prog. Director Mark Ferrar Status Approved Owner Tim Davis Version 1.0 Author Phil Benn Version
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
for iseries, version 3.5 Complete Security Suite for iseries (AS/400) TCP/IP and SNA Connectivity Someone may be manipulating information in your organization - and you may never know about it! If your
Introduction to Security and PIX Firewall Agenda Dag 28 Föreläsning LAB PIX Firewall VPN A Virtual Private Network (VPN) is a service offering secure, reliable connectivity over a shared, public network
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)
CHAPTER 1 Secure Sockets Layer (SSL) is an application-layer protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
Q&A Cisco IOS SSL VPN Q. What is Cisco IOS SSL VPN or SSL VPN? A. Secure Sockets Layer (SSL)-based VPN is an emerging technology that provides remote-access connectivity from almost any Internet-enabled
Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1 How the Web Works - HTTP Hypertext transfer protocol (http). Clients request documents (or scripts) through URL. Server response with documents. Documents
Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine
Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
Citrix MetaFrame XP Security Standards and Deployment Scenarios Including Common Criteria Information MetaFrame XP Server for Windows with Feature Release 3 Citrix Systems, Inc. Information in this document
TLS and SRTP for Skype Connect Technical Datasheet Copyright Skype Limited 2011 Introducing TLS and SRTP Protocols help protect enterprise communications Skype Connect now provides Transport Layer Security
1.1 Multipoint Control Unit (MCU) A. The MCU shall be capable of supporting (20) continuous presence HD Video Ports at 720P/30Hz resolution and (40) continuous presence ports at 480P/30Hz resolution. B.
2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session
JAVA 2 Network Security M A R C O PISTOIA DUANE F. RELLER DEEPAK GUPTA MILIND NAGNUR ASHOK K. RAMANI PTR, UPPER http://www.phptr.com PRENTICE HALL SADDLE RIVER, NEW JERSEY 07458 Contents Foreword Preface
Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide
S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...
Directory and File Transfer Services Chapter 7 Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems Identify major
Java / ActiveX Security David Gristwood Senior Consultant Microsoft Ltd Security Issues Covers many areas: Transact business securely Ensure privacy of conversations Authenticate users in communications
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.
File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi History of FTP The first proposed file transfer mechanisms were developed for implementation on hosts at M.I.T.
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical
Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security
Introducing the Collaboration Service 10.2 for the Enterprise IM app 3.1 introducing The Collaboration Service Sender Instant Messaging Server Collaboration Service 10 device Recipient V. 1.0 June 2013
Acceleration of Data through SSL Virtual Private Networks Rob Jansen University of Minnesota, Morris 600 East Fourth Street Morris, MN 56267 (123) 456-7890 firstname.lastname@example.org ABSTRACT A Virtual Private
APNIC elearning: IPSec Basics Contact: email@example.com esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations
SSL Certificate Management or What in the heck am I getting myself into! Table of Contents What is SSL and TLS? What do SSL and TLS do (and not do)? Keystore and Certificate Lifecycle Certificates Certificate
SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three
Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption
Chapter 1 AS/400 System Overview 1.1 Major Characteristics of AS/400 1.1.1 High Level of Integration 1.1.2 Object Orientation 1.1.3 Relational and Integrated Database 1.1.4 Data and Program Independence
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https
CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University firstname.lastname@example.org
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
Web Security School Entrance Exam By Michael Cobb 1) What is SSL used for? a. Encrypt data as it travels over a network b. Encrypt files located on a Web server c. Encrypt passwords for storage in a database
Why SSL is better than IPsec for Fully Transparent Mobile Network Access SESSION ID: SP01-R03 Aidan Gogarty HOB Inc. email@example.com What are we all trying to achieve? Fully transparent network access
APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist firstname.lastname@example.org Specialties: Routing &
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
Network Configuration Settings Many small businesses already have an existing firewall device for their local network when they purchase Microsoft Windows Small Business Server 2003. Often, these devices