Security considerations for using SSL with HTTP server
IBM HTTP Server can provide secure Web connections to your system.
The topics on SSL and Webserving (HTTP) in the information center provide complete information for installing, configuring, and managing the encryption process. These topics give both an overview of the server features and some considerations for using the server.
- Both the sender and receiver (server and client) must understand the encryption mechanism and be able to perform encryption and decryption. The HTTP server requires an SSL-enabled client. Most popular Web browsers are SSL-enabled. The IBM i encryption licensed programs support several industry-standard encryption methods. When a client attempts to establish a secure session, the server and client negotiate to find the most secure encryption method that both of them support.
- An eavesdropper must not be able to decrypt the transmission. Thus, encryption methods require both parties to have an encryption/decryption private key that only they know. If you want to have a secure external Web site, you should use an independent certificate authority (CA) to create and issue digital certificates to users and servers. The certificate authority is known as a trusted party.
Encryption and decryption require processing time and will affect the performance of your transmissions. Therefore, IBM i products provide the capability to run both the programs for secure and insecure serving at the same time. You can use the insecure HTTP server to serve documents that do not require security, such as your product catalog. These documents will have a URL that starts with http://. You can use a secure HTTP server for sensitive information such as the form where the customer enters credit card information. The program can serve documents whose URL starts either with http:// or with https://.
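The following added example (not IBM's code, and not a configuration of IBM HTTP Server itself) shows both points above in Go's standard library: the negotiation in which the server and client settle on the most secure protocol version and cipher suite they share, and the split between an insecure listener for a product catalog and a secure listener for a card-entry form. Everything in it is constructed for illustration: the self-signed certificate stands in for one issued by a certificate authority, and the paths `/catalog` and `/checkout` are hypothetical. The plain listener refuses to serve the form and instead redirects the browser to the `https://` URL, and a client limited to TLS 1.0/1.1 is shown failing the handshake because the server requires TLS 1.2 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// Site holds a plain (http://) and a secure (https://) listener for the same site.
type Site struct {
	PlainURL  string         // http://127.0.0.1:PORT, serves documents that need no protection
	SecureURL string         // https://127.0.0.1:PORT, serves sensitive documents
	Roots     *x509.CertPool // trust store a client needs to accept the constructed certificate
	stop      []func()
}

// Close shuts both listeners down.
func (s *Site) Close() {
	for _, f := range s.stop {
		f()
	}
}

// selfSignedCert mints a throwaway certificate for 127.0.0.1. This is constructed for the
// example only; a real external site would obtain its certificate from a certificate authority.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-site"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

func catalog(w http.ResponseWriter, r *http.Request)  { io.WriteString(w, "product catalog") }
func checkout(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "card number form") }

// StartSite serves the catalog on both listeners but the checkout form only over TLS; a plain
// request for the form is redirected to the secure URL rather than answered in the clear.
func StartSite() (*Site, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	secureLn, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse clients that only speak older, weaker versions
	})
	if err != nil {
		return nil, err
	}
	plainLn, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		secureLn.Close()
		return nil, err
	}
	site := &Site{PlainURL: "http://" + plainLn.Addr().String(), SecureURL: "https://" + secureLn.Addr().String(), Roots: pool}

	secureMux := http.NewServeMux()
	secureMux.HandleFunc("/catalog", catalog)
	secureMux.HandleFunc("/checkout", checkout)
	plainMux := http.NewServeMux()
	plainMux.HandleFunc("/catalog", catalog)
	plainMux.HandleFunc("/checkout", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, site.SecureURL+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
	secureSrv, plainSrv := &http.Server{Handler: secureMux}, &http.Server{Handler: plainMux}
	go secureSrv.Serve(secureLn)
	go plainSrv.Serve(plainLn)
	site.stop = []func(){func() { secureSrv.Close() }, func() { plainSrv.Close() }}
	return site, nil
}

// Result records what a client saw: status, body, redirect target, and for https:// URLs
// the TLS version and cipher suite the two sides negotiated (zero/empty over plain http://).
type Result struct {
	Status   int
	Body     string
	Location string
	Version  uint16
	Cipher   string
}

// Fetch performs one GET with the given client TLS settings. Redirects are not followed, so the
// caller sees the plain-to-secure redirect explicitly instead of silently landing on https://.
func Fetch(rawURL string, tlsCfg *tls.Config) (Result, error) {
	client := &http.Client{
		Transport:     &http.Transport{TLSClientConfig: tlsCfg},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Timeout:       5 * time.Second,
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Result{}, err
	}
	res := Result{Status: resp.StatusCode, Body: string(body), Location: resp.Header.Get("Location")}
	if resp.TLS != nil {
		res.Version = resp.TLS.Version
		res.Cipher = tls.CipherSuiteName(resp.TLS.CipherSuite)
	}
	return res, nil
}

func main() {
	site, err := StartSite()
	if err != nil {
		panic(err)
	}
	defer site.Close()
	modern := &tls.Config{RootCAs: site.Roots, MinVersion: tls.VersionTLS12}
	legacy := &tls.Config{RootCAs: site.Roots, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}

	r, _ := Fetch(site.PlainURL+"/catalog", modern)
	fmt.Println("plain catalog:", r.Status, r.Body)
	r, _ = Fetch(site.PlainURL+"/checkout", modern)
	fmt.Println("plain checkout:", r.Status, "redirects to", r.Location)
	r, _ = Fetch(site.SecureURL+"/checkout", modern)
	fmt.Printf("secure checkout: %d, TLS version 0x%04x, cipher %s\n", r.Status, r.Version, r.Cipher)
	_, err = Fetch(site.SecureURL+"/checkout", legacy)
	fmt.Println("client limited to TLS 1.0/1.1:", err)
}
```

Run with `go run .`; the last line shows the handshake failing, which is the practical meaning of "both sides must support the encryption mechanism": when the client and server have no protocol version or cipher suite in common, no session is established at all rather than a weaker one being used.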
Reminder: Keep in mind that encryption requires both a secure client and a secure server. It is good Internet etiquette to inform your clients when transmissions are secure and not secure, particularly when your Web site only uses a secure server for some documents.