iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)
Security Concepts
iTP Secure WebServer System Administrator’s Guide—523346-002
D-7
Obtaining Certificates
To obtain a public key certificate, Juliet first generates her own key pair. She then
sends the public key part of her key pair to an appropriate CA, along with convincing
proof of her identity. After validating Juliet’s identity, the CA sends Juliet a certificate
attesting to the binding between Juliet Capulet and her public key. It also sends her a
certificate chain verifying the CA’s own public key. As discussed in Using Certificates
on page D-6, Juliet can now use her certificate and inherited chain to demonstrate the
legitimacy of her public key.
CAs require varying forms of proof for verifying an applicant’s identity. One CA may
require a driver’s license, another may require notarization of the certificate request
form, yet another may require fingerprints. The Apple Computer Open Collaborative
Environment (OCE), for example, requires that the certificate request form be
notarized.
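The request-and-issue flow described above, carried through end to end as an added example (this is not the iTP guide's own tooling; it uses the OpenSSL command-line utility as a stand-in for whatever the applicant and the CA actually use). The names "Juliet Capulet" and "Verona Test CA" are constructed, the CA is a local self-signed root that plays the part of the real CA, and the final functions are the checks a relying party performs: the certificate chains to a trusted CA, it does not verify against an unrelated CA, and the public key inside it is the same key Juliet generated.

```shell
#!/bin/sh
# Added example: Juliet's certificate request flow with OpenSSL.
# All names are constructed; the CA is a local test root standing in for a real CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: Juliet generates her own key pair. The private half stays on her machine;
# the public half goes to the CA inside a signed certificate request (CSR) that
# also carries the identity she is asking the CA to attest to.
make_applicant_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/juliet.key" 2>/dev/null
    openssl req -new -key "$WORK/juliet.key" \
        -subj "/CN=Juliet Capulet/O=House of Capulet" \
        -out "$WORK/juliet.csr" 2>/dev/null
}

# Step 2: the CA validates Juliet's identity out of band (driver's license,
# notarization, ...; not modelled here) and then issues a certificate binding the
# requested name to the public key in the CSR. ca.pem doubles as the chain the CA
# hands back so relying parties can verify the CA's own public key.
make_ca_and_issue() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Verona Test CA/O=Constructed Example" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/juliet.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/juliet.pem" 2>/dev/null
}

# Step 3 (relying party): the certificate is acceptable only if it chains to a CA
# the verifier already trusts.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/juliet.pem" >/dev/null 2>&1
}

# Negative check: the same certificate must be rejected when the verifier trusts
# only some unrelated CA, even though the certificate itself is well formed.
verify_against_wrong_ca_fails() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    ! openssl verify -CAfile "$WORK/other.pem" "$WORK/juliet.pem" >/dev/null 2>&1
}

# The binding the CA attests: the public key in the certificate is exactly the
# public half of the key pair Juliet generated in step 1.
public_keys_match() {
    key_pub="$(openssl pkey -in "$WORK/juliet.key" -pubout 2>/dev/null)"
    cert_pub="$(openssl x509 -in "$WORK/juliet.pem" -noout -pubkey 2>/dev/null)"
    [ "$key_pub" = "$cert_pub" ]
}

# The identity in the issued certificate is the one from the request.
subject_is_juliet() {
    openssl x509 -in "$WORK/juliet.pem" -noout -subject 2>/dev/null \
        | grep -q "Juliet Capulet"
}

make_applicant_keypair
make_ca_and_issue
```

Run it as-is and then call the check functions; `verify_chain`, `public_keys_match` and `subject_is_juliet` succeed, and `verify_against_wrong_ca_fails` succeeds precisely because the unrelated CA rejects the certificate. Note that the only step a CA cannot automate is the identity check between steps 1 and 2; everything the script does is the cryptographic bookkeeping around that human decision.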
Secure Sockets Layer (SSL)
This section introduces the Secure Sockets Layer (SSL). It describes the following
topics:
• What SSL Does on page D-7
• SSL 3.0 Protocol Enhancements Over SSL 2.0 on page D-8
• Deploying SSL on page D-8
What SSL Does
The Secure Sockets Layer (SSL) protocol provides channel security for all
communications between a web client and a server during any session for which SSL
is operative.
SSL provides the following types of security between a web client and a server:
Private: After a simple handshake to define a secret key, all messages between the web client and server are encrypted.
Authenticated: The server is always authenticated with its public key certificate. The web client is optionally authenticated to the server.
Reliable: The message transport uses a message authentication code (MAC) to ensure that messages are not modified in transit.
Because SSL and HTTP are different protocols and typically use different port numbers (such as 443 and 80, respectively), the iTP Secure WebServer can handle secure and standard clients simultaneously. This means that some information can be provided to users in unencrypted form while other information can be provided only in encrypted form.