Security considerations for using SSL with HTTP server

IBM HTTP Server can provide secure Web connections to your system.

A secure web site means that transmissions between the client and the server are encrypted in both directions. These encrypted transmissions are safe both from the scrutiny of sniffers and from those who attempt either to capture or to alter the transmissions.
Note: Keep in mind that a secure Web site applies strictly to the security of the information that passes between client and server. The intent of this is not to reduce your server’s vulnerability to hackers. However, it certainly limits the information that a would-be hacker can obtain easily through sniffing.

The topics on SSL and Webserving (HTTP) in the information center provides complete information for installing, configuring, and managing the encryption process. These topics provide both an overview of the server features and some considerations for using the server.

Security that depends on encryption has several requirements:
  • Both the sender and receiver (server and client) must understand the encryption mechanism and be able to perform encryption and decryption. The HTTP server requires an SSL-enabled client. Most popular Web browsers are SSL-enabled. The IBM i encryption licensed programs support several industry-standard encryption methods. When a client attempts to establish a secure session, the server and client negotiate to find the most secure encryption method that both of them support.
  • The transmission must not be able to be decrypted by an eavesdropper. Thus, encryption methods require both parties to have an encryption/decryption private key that only they know. If you want to have a secure external Web site, you should use an independent certificate authority (CA) to create and issue digital certificates to users and servers. The certificate authority is known as a trusted party.
Encryption protects the confidentiality of transmitted information. However, for sensitive information, such as financial information, you want integrity and authenticity in addition to confidentiality. The client and (optionally) the server must trust the party on the other end (through an independent reference) and they must be sure that the transmission has not been altered. The digital signature that is provided by a certification authority (CA) provides these assurances of authenticity and integrity. The SSL protocol provides authentication by verifying the digital signature of the server’s certificate (and optionally the client’s certificate).

Encryption and decryption require processing time and will affect the performance of your transmissions. Therefore, IBM i products provide the capability to run both the programs for secure and insecure serving at the same time. You can use the insecure HTTP server to serve documents that do not require security, such as your product catalog. These documents will have a URL that starts with http://. You can use a secure HTTP server for sensitive information such as the form where the customer enters credit card information. The program can serve documents whose URL starts either with http:// or with https://.

Reminder:Keep in mind that encryption requires both a secure client and a secure server. It is good Internet etiquette to inform your clients when transmissions are secure and not secure, particularly when your Web site only uses a secure server for some documents.