suprapto45

SSL

Hi experts,

Does anyone know what I need to do if I want to support my J2EE web application with SSL? I have read many materials about it. I know that there are two components that can be applied, i.e. JSSE and JAAS.

My question is which one is better? JSSE or JAAS? Can you all tell me the basic flow that I need to do to add SSL support to my web app? Do I need to spend any $ to do this?

Regards
Dave
aozarov

For SSL you need JSSE and not JAAS (which is used for user-level authentication).
JSSE = Java Secure Sockets Extension.
Most of the web containers / application servers support it by enabling an https connection.
suprapto45 (ASKER)

Thanks aozarov,

Any idea on the basic step that I need to accomplish?

regards
Dave
Which application server/web container are you using?
>> I want to support my J2EE web application with SSL
I guess you want to achieve that by enabling an https connection to your web container.
This is the howto for tomcat: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
Thanks,

I am using Tomcat but we will migrate it to WebSphere. Anyway, just grab the concept of SSL in Tomcat first.

------------------------------------------------------------------------------------------------------------------------------
This "driver's license" is cryptographically signed by its owner, and is therefore extremely difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a Certificate is typically purchased from a well-known Certificate Authority (CA) such as VeriSign or Thawte. Such certificates can be electronically verified -- in effect, the Certificate Authority will vouch for the authenticity of the certificates that it grants, so you can believe that that Certificate is valid if you trust the Certificate Authority that granted it.

In many cases, however, authentication is not really a concern. An administrator may simply want to ensure that the data being transmitted and received by the server is private and cannot be snooped by anyone who may be eavesdropping on the connection. Fortunately, Java provides a relatively simple command-line tool, called keytool, which can easily create a "self-signed" Certificate. Self-signed Certificates are simply user generated Certificates which have not been officially registered with any well-known CA, and are therefore not really guaranteed to be authentic at all. Again, this may or may not even be important, depending on your needs.
------------------------------------------------------------------------------------------------------------------------------

So, after I get my certificate, I need to "sign" it into CA, am I right? How much does it cost normally? If I choose the second approach, where I will only use the keytool of Java to create a self-signed certificate, will my website still be secure?

regards
Dave
ASKER CERTIFIED SOLUTION
aozarov

This solution is only available to members.
Hi aozarov,

Thank you so much for the info. I will post the question again if I have additional Q. Thanks mate!

Regards
Dave
You are welcome :-)
You can use this thread for getting more details about the same issue. ;-)
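
On the self-signed question raised in the thread, the following is an added example (not code from any poster or from the Tomcat documentation). It loads a certificate from a keytool keystore, tests whether it is self-signed, and asks JSSE's trust manager whether a client would accept it: first against the JRE's default CA list, then after importing that certificate as its only trust anchor. The class name `SelfSignedCheck` is hypothetical, and the keystore path, alias `tomcat` and password `changeit` are assumed defaults that can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SelfSignedCheck {
    // True when the certificate names itself as issuer and its signature
    // verifies under its own public key, i.e. no CA vouches for it.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    // Asks a JSSE trust manager built from 'anchors' (null = the JRE's default
    // CA list) whether it would accept 'cert' as a server certificate.
    static boolean trustedBy(KeyStore anchors, X509Certificate cert) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        X509Certificate[] chain = { cert };
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // "RSA" is the key-exchange name passed as authType (assumed RSA key).
                try { ((X509TrustManager) tm).checkServerTrusted(chain, "RSA"); return true; }
                catch (CertificateException e) { return false; }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: keytool's default keystore file, placeholder alias and password.
        String path = args.length > 0 ? args[0] : System.getProperty("user.home") + "/.keystore";
        String alias = args.length > 1 ? args[1] : "tomcat";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + alias);

        // A client that imports this one certificate as its only trust anchor.
        KeyStore pinned = KeyStore.getInstance(KeyStore.getDefaultType());
        pinned.load(null, null);
        pinned.setCertificateEntry("pinned-server", cert);

        System.out.println("self-signed:              " + isSelfSigned(cert));
        System.out.println("trusted by default CAs:   " + trustedBy(null, cert));
        System.out.println("trusted after importing:  " + trustedBy(pinned, cert));
    }
}
```

The traffic is encrypted in both cases; what changes is whether the client can tell this server from an impostor, which for a self-signed certificate depends on distributing it to clients out of band.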