
  • Number of slides: 18

SSL Security with Alpha Five App Server
Protecting sensitive or personal data.
Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007

Types of Web Pages
  • Unsecure: plain text, http://
  • Secure: SSL (Secure Sockets Layer) / TLS (Transport Layer Security), encrypted between browser and server, https://

Other Types of Secure Web Communications in Alpha
  • Email – digitally signed and encrypted. Must use routines external to Alpha.
  • Encrypt a Zip attachment to email.
  • SSL/TLS Email – from web server to mail server only. Not to recipient’s inbox.

SSL Decisions
  • What Certification Authority
  • What Type of Certificate
  • What Encryption Level
  • What Type of Browsers and Web Servers

Certification Authority
  • Trusted 3rd Party
  • They do the verification of the SSL application
  • GoDaddy, Thawte, GeoTrust, Verisign, others

Types of Certificates
  • Self-Signed – free
  • Turbo – ($20 - $149)
  • High Assurance – ($90 - $400)
  • Extended Validation – gets a green address bar in Vista – ($500 - $1,500)
(low rates are for GoDaddy)

Encryption Level
  • 40-bit
  • 512-bit*
  • 1024-bit* - used by most financial institutions
  • 2048-bit*
* supported by Alpha Application Server

Browser and Web Server
  • Export restriction on 128-bit encryption lifted in 2000.
  • Modern browsers (IE 5.5+) support 128-bit encryption.
  • Modern web servers support 128-bit encryption.
  • Notes on older operating systems and SGC (Server-Gated Cryptography)

How to do it
1) Create a certificate request from the Alpha Application Server settings screen.
2) Send the request to a Certification Authority and get back a certificate file.
3) Install the key (created in #1) and certificate files in the Alpha App Server.
4) Ensure that port 443 is open in the firewall and router.

How to do it (cont.)
5) URL links must use https://

If a Security Warning Pops Up in the Browser
  • Ensure that the URL specified in the CSR matches exactly
  • Always happens with a Self-Signed certificate

Using a Self-Signed Cert or if info does not match
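The two checks behind step 5 and the name-mismatch warning above, as an added example that is not part of the original slides: each site link must use https:// and its host must be one of the names the certificate was requested for. The certificate names and links are constructed samples; the wildcard rule goes beyond the exact-match case on the slide, and trust in the issuing CA (the self-signed case) is not checked here.

```python
from urllib.parse import urlsplit

def name_matches(cert_name, host):
    """True if one certificate name covers host (exact or one-label wildcard)."""
    cert_name = cert_name.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # "*" stands for exactly one left-most label: *.example.com covers
        # shop.example.com, but not example.com or a.b.example.com.
        head, sep, tail = host.partition(".")
        return bool(head) and sep == "." and tail == cert_name[2:] and "." in tail
    return False

def check_link(url, cert_names):
    """Return (ok, reason): is the link https:// and is its host named in the cert?"""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "link does not use https://"
    host = (parts.hostname or "").rstrip(".")   # lower-cased, port removed
    if not host:
        return False, "link has no host name"
    for name in cert_names:
        if name_matches(name, host):
            return True, f"{host} is covered by {name}"
    return False, f"{host} is not named in the certificate"

# Constructed sample: a certificate requested for one name, and site links.
CERT_NAMES = ["www.example.com"]
LINKS = [
    "https://www.example.com/login",
    "https://WWW.Example.com:443/login",
    "https://example.com/login",
    "https://192.0.2.10/login",
    "http://www.example.com/login",
]

if __name__ == "__main__":
    for link in LINKS:
        ok, reason = check_link(link, CERT_NAMES)
        print("OK  " if ok else "WARN", link, "-", reason)
```

The third link shows the common case: a certificate requested for www.example.com does not cover the bare example.com, so links without the www prefix trigger the browser warning.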

Demo – before Cert request

Demo – Certificate Signing Request (CSR)

Demo – CSR Result

Demo – Cert Installed

Demo - live

Links
  • http://luxsci.com/info/about_ssl.html - See section on SSL in Action
  • Wikipedia – more technical
  • GoDaddy Certs – describes different Cert levels