Application Server Solutions for Microsoft IIS and ASP.NET
JTurbo Self-Help: FAQ

Faq ID 301
Product ServletExec
Category Security, Web Server Support
Question How does SSL (https) integrate with ServletExec?
Answer

SSL is a function of (and is configured in) the webserver, not SE.
SE runs behind the webserver.
SE can run behind an SSL-enabled webserver... yes.
Or SE can run behind a webserver that is not SSL-enabled.
SE does not care about or control whether the protocol is http, or https.

If you wanted to, you could have your servlet or JSP code that runs inside SE enforce the protocol of the request sort of like this [pseudo-code]:

if (!request.isSecure()) {
    // isSecure() is true for https; getProtocol() returns e.g. "HTTP/1.1", never "https"
    out.println("Hey! you have to use SSL, or else !!");
} else {
    // forward to the resource that was requested
}


You could even have code that runs inside SE that obtains the Client Certificate (if one was sent in the request) and then uses it for some purpose that is specific to your application.
But a Client Certificate is not required for SSL.
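
The two ideas above (enforcing https in code, and reading the Client Certificate when one was sent) can be combined in one servlet filter. This is an added example, not ServletExec's own code: the class name RequireSslFilter and the request attribute "app.clientCertSubject" are hypothetical, and it assumes the webserver is configured to request client certificates and passes them through to the servlet container.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; map it in web.xml to the URLs that must only be served over SSL.
public class RequireSslFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Reject plain-http requests outright instead of serving the resource.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL (https) is required");
            return;
        }

        // Standard Servlet API attribute: the client's certificate chain, or null
        // when the browser did not send a Client Certificate (which is allowed).
        X509Certificate[] certs = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
            // certs[0] is the client's own certificate; the rest is its issuer chain.
            String subject = certs[0].getSubjectX500Principal().getName();
            // Hypothetical attribute name: hand the subject to application code.
            request.setAttribute("app.clientCertSubject", subject);
        }

        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

Application code should treat a missing "app.clientCertSubject" attribute as "no client certificate presented" and decide for itself whether that is acceptable for the resource.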

You could even make use of the Declarative Security of webapps to define a Security Constraint in your webapp whose Transport Guarantee is set to "Confidential". This would cause all requests that match any aliases that you define for that Security Constraint (via a Web Resource Collection) to be checked for SSL by ServletExec. Basically, it saves you from having to write the code that enforces that the protocol be https. Instead, you just declare that certain aliases should be protected in this manner and let SE enforce that for you.

Enabling your webserver so that it will support SSL is mostly beyond the scope of this FAQ. However I can tell you this:

  • You need to obtain a Server Certificate from a CA [Certificate Authority]. Examples of CAs include companies such as Verisign and Thawte. You typically use the webserver software itself to generate a Certificate Request, which is then sent to the CA. The CA in turn provides the Server ID to you, which you then feed to your webserver to SSL-enable it.
  • If your webserver is a commercial-grade webserver such as IIS, Apache, or SunONE, then you should consult the documentation for that webserver as well as any information that the CA can provide you, in order to learn how to SSL-enable your particular webserver.
  • If your webserver is the built-in webserver that comes with ServletExec 5.0 AS (and higher versions), then you should consult the following resources in order to learn how to SSL-enable that webserver:
    1. The SE 5.0 User Guide contains a section describing the settings for the built-in webserver.
    2. The SE Admin page for the settings of the built-in webserver has a "Help" page that gives very detailed information on how to SSL-enable that webserver.

Do not confuse a Server Certificate with a Client Certificate.
They are 2 completely different things.
At the time of this writing, Verisign refers to a Client Certificate as a "Class 1 Digital ID".
An OpenSSL book published by O'Reilly calls it a "Personal Certificate" (p. 55).
At the time of this writing it is possible to get one from Verisign as follows:
www.verisign.com - "Products & Services" - "Content Security" - "Digital IDs for Secure E-mail" - "Buy Now"
Then choose either: $14.95 per year, or free 60-day trial. They'll send an email to you, with instructions for obtaining and installing the client cert (X509 cert) into your web browser.
Remember, a client certificate is NOT required to SSL-enable your webserver. A Server Certificate is what's required to SSL-enable your webserver.



   