Table of Contents
Advertisement
If all virtual hosts on a single IP address need to authenticate against the same certificate, the
addition of multiple virtual hosts probably will not interfere with normal SSL operations on the
server. Be aware, however, that most browsers will compare the server's domain name against
the domain name listed in the certificate, if any (applicable primarily to official, CA-signed
certificates). If the domain names do not match, these browsers display a warning. In general,
only address-based virtual hosts are commonly used with SSL in a production environment.
About Firewalls
A firewall controls the flow of data between two or more networks, and manages the links
between the networks. A firewall can consist of both hardware and software elements. This
section describes some common firewall architectures and their configuration. The information
here pertains primarily to the Enterprise Server. For details about a specific firewall technology,
refer to the documentation from your firewall vendor.
In general, configure the firewalls so that clients can access the necessary TCP/IP ports. For
example, if the HTTP listener is operating on port 8080, configure the firewall to allow HTTP
requests on port 8080 only. Likewise, if HTTPS requests are setup for port 8181, you must
configure the firewalls to allow HTTPS requests on port 8181.
If direct Remote Method Invocations over Internet Inter-ORB Protocol (RMI-IIOP) access
from the Internet to EJB modules are required, open the RMI-IIOP listener port as well, but this
is strongly discouraged because it creates security risks.
In double firewall architecture, you must configure the outer firewall to allow for HTTP and
HTTPS transactions. You must configure the inner firewall to allow the HTTP server plug-in to
communicate with the Enterprise Server behind the firewall.
About Certificate Files
Installation of the Enterprise Server generates a digital certificate in JSSE (Java Secure Socket
Extension) or NSS (Network Security Services) format suitable for internal testing. By default,
the Enterprise Server stores its certificate information in a certificate database in the
domain-dir/config directory:
■
■
Chapter 9 • Configuring Security
Keystore file, key3.db, contains the Enterprise Server's certificate, including its private key.
The keystore file is protected with a password. Change the password using the asadmin
change-master-password command.
Each keystore entry has a unique alias. After installation, the Enterprise Server keystore has
a single entry with alias s1as.
Truststore file, cert8.db, contains the Enterprise Server's trusted certificates, including
public keys for other entities. For a trusted certificate, the server has confirmed that the
public key in the certificate belongs to the certificate's owner. Trusted certificates generally
include those of certification authorities (CAs).
About Certificate Files
111
Advertisement
Chapters
Table of Contents
