Web Ten incorporates version 3.0 of the Secure Socket Layer (SSL) protocol to encrypt Web server transmissions. The secure socket layer intercepts network calls from the server to encrypt the data before forwarding it to the network layer for transmission to the browser.
The Web server and the browser negotiate an encryption algorithm, or cipher, to be used for the session. A session "key" is securely communicated to the browser using public key cryptography. The session key is then used symmetrically, i.e., to both encode and decode the actual session data.
The first step in setting up SSL is obtaining a Certificate.
The server certificate validates the identity of the server. Server certificates are signed by a trusted higher authority (the Certificate Authority, or "CA"), who assures the identity of the server.
In a typical commercial virtual host setup, each IP virtual host will have a unique server certificate.
Named virtual hosts (hosts that share an IP address) must share the certificate of the common IP host. By default, Web Ten associates a certificate issued to an IP virtual host with all configured named virtual hosts that share that IP address.
In order to obtain a server certificate, a Certificate Signing Request (CSR) must be sent to the Certificate Authority, along with other proof of identity documents.
Other documents validating the identity of the server must be mailed to the CA, along with a nominal service fee. These documents include:
Proof of the right to use the organization name, as in a copy of the company articles of incorporation, "doing business as" registration, etc.
Proof of domain name registration (except for ".com").
A letter, printed on organization letterhead and signed by an authorized representative, requesting certification of the domain name.
Your official certificate will be digitally signed and e-mailed to you by the CA. Rename the certificate to " xx.xx.xx.xx.crt " (where < xx.xx.xx.xx > is the IP address of the virtual host for which the certificate was generated), and place the official certificate in the tenon/ssl/private folder. The official certificate will replace the temporary self-signed certificate generated by Web Ten for use prior to receipt of the official certificate.
To generate an SSL certificate, click on the Certificate button beside the SSLSecurity entry in the Virtual Host Configuration table (see section See SSLSecurity). The SSL Settings page (shown below in See SSL Cipher Restrictions) is a form for generating a Certificate Signing Request (CSR).
The Common Name is the domain name of the Web server or of an IP-based virtual host. This must be a fully qualified domain name, not an IP address or a DNS alias.
The Organizational Unit is the department name or the name of a unit within an organization. This field is optional.
The Locality is the name of the city in which the organization resides. This field is optional.
The State or Province is the name of the state or province in which the organization resides.
The Email Address is the email address of a contact or representative within this organization.
To generate a Certificate Signing Request (CSR) save the SSL Settings via the Save CSR button. This action has several effects.
If a private key for this virtual host does not exist, such a key is created and saved in a secure area in Web Ten 's internal file system.
The actual Certificate Signing Request information is displayed in the Web Ten Administration Server (see See Certificate Signing Request Information). This CSR is a PEM-encoded document which may be emailed to the CA, or it can be copied and pasted into an on-line certificate request form. This CSR is also saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.csr (where < xx.xx.xx.xx > is the IP address of the virtual host for which the CSR was generated).
A temporary, self-signed certificate (for use while your CSR is being processed by the certificate authority) is created and saved in the tenon/ssl/certs folder in a file named xx.xx.xx.xx.crt (where < xx.xx.xx.xx > is the IP address of the virtual host for which the certificate was generated). This file should be replaced by the real certificate when one is returned from the Certificate Authority.
The self-signed certificate will allow your virtual server to perform secure transactions while your official certificate is being processed.
Once you have a certificate (even a Tenon-generated temporary one), you will be able to create a secure virtual host by toggling SSL Security "On" in the Virtual Host Configuration table. When SSL is activated for a virtual host, a red SSL designation appears to the right of the host name in the Virtual Hosts Table (see See Enabling SSL).
While the SSL 3.0 standard defines how encryption is applied to Web server-browser interactions, the actual encryption itself is performed by the negotiated cipher. Some common ciphers supported by Web Ten are shown in the following table:
Clicking on the Folder Contents of a secure virtual host in the Virtual Host Configuration table will let you stipulate various cipher restrictions for that virtual host.
SSL Cipher Restrictions control whether or not access is allowed or denied to folders or files based on the encryption level negotiated between server and browser when an SSL connection is established (see See SSL Cipher Restrictions). These controls are only accessible when SSLSecurity (see section See SSLSecurity) is enabled for a particular virtual host. The SSL cipher restrictions are not show if SSLSecurity is not enabled. Access control checks by SSL cipher are made in addition to any other host or realm-based access controls.
SSL cipher restrictions contain two lists of check boxes for each cipher in the cipher suites. If any checkbox is checked, that cipher is banned or required as indicated by the particular category.
If the cipher currently in force on the SSL connection is checked in this list, access to the file or folder is not permitted.
If the cipher currently in force on the SSL connection has not been banned and is checked in this list, access to the file or folder is permitted. Ciphers not checked in this list are automatically banned access. However, if no ciphers are required, access is permitted subject to the SSLBanCipher list .
Every SSL connection requires a unique IP address. Because WebTen supports IP-based virtual hosting, you can easily set up multiple secure virtual hosts. Each secure virtual host will need its own Certificate. Follow the steps in this chapter to set up subsequent SSL hosts.
If WebTen is on an intranet and is not visible to the Internet at large, it can take advantage of SSL without having their certificate signed by a CA (Certificate Authority such as Verisign).To create your certificate, follow the directions in Section 11 of this document. That will yield a certificate signed by WebTen. While this is not a certificate signed by a CA, it will allow SSL encrypted transactions from your WebTen server. Some browsers will complain that the certificate is not signed by a valid authority (CA), but certificates for only internal or intranet use do not need to be validated by any CA (such as Verisign.)
Each SSL Certificate works in conjunction with the SSL Key file that was produced during the creation of the Certificate Signing Request. SSL Certificates do not stand alone. They require the SSL Key file to perform encryption. SSL Certificates will only work with the corresponding SSL Key file that was used to produce the actual Certificate Signing Request.
The SSL Key file is your private key that ensures that no one can replicate or assume your site's identity on the Web. If the SSL Key file is compromised, the inherent security of your SSL Certificate is lost. If the SSL Key file is lost, the SSL Certificate is useless and a new certificate will have to be issued.
As you can see, it is important to preserve a copy of your SSL Key file and to protect it against theft. In WebTen, the SSL Key file is tightly protected against unauthorized access (for example, rogue Apple or Unix CGIs cannot read the SSL Key file). The following steps provide a means to export an SSL Key file in order to make a backup copy of it. Once an SSL Key file is exported, it should be copied to a floppy disk (or other removable media) and the exported copy should be removed from the WebTen system. The original SSL Key file is not deleted when it is exported; it is still available for normal SSL operations, and it is still protected against unauthorized access.
SSL Key and SSL Certificate files may be exported from a WebTen system using a special CGI named sslcerts.cgi. For security reasons, this CGI is not installed by default in a WebTen system. It must be installed and executed using the export option on the existing WebTen system prior to upgrading to the new version of WebTen. It then must be installed and executed using the import option on the new WebTen system after that system has been installed. Once the SSL Key and SSL Certificate files have been imported into the upgraded system, sslcerts.cgi should be de-installed from that system
Exporting the SSL Key and SSL Certificate files does not removethe files it exports, but copies these files to the destination folder.
To export the SSL Key and SSL Certificate files from an existing WebTen system:
<https://host.domain/webten_support/cgi-bin/sslcerts.cgi?10.0.0.1+export>
<https://host.domain/cgi-bin/sslcerts.cgi?10.0.0.1+export>
To import the SSL Key and SSL Certificate files from a previous version of WebTen:
<http://host.domain/webten_support/cgi-bin/sslcerts.cgi?10.0.0.1+import>