SSL Security with Alpha Five App Server

Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007

SSL Security with Alpha Five App Server

Protecting sensitive or personal data.

Types of Web Pages

Unsecure: plain text, http://

Secure: SSL (Secure Sockets Layer) / TLS (Transport Layer Security), encrypted between browser and server, https://

Other Types of Secure Web Communications in Alpha

Email – digitally signed and encrypted. Must use routines external to Alpha.

Encrypt a Zip attachment to email.

SSL/TLS Email – from web server to mail server only. Not to recipient’s inbox.

SSL Decisions

What Certification Authority

What Type of Certificate

What Encryption Level

What Type of Browsers and Web Servers

Certification Authority

Trusted 3rd party

They do the verification of the SSL application

GoDaddy

Thawte

GeoTrust

Verisign

others

Types of Certificates

Self-Signed – free

Turbo – ($20 - $149)

High Assurance – ($90 - $400)

Extended Validation – gets a green address bar in Vista. – ($500 - $1,500)

(low rates are for GoDaddy)

Encryption Level

40-bit

512-bit*

1024-bit* - used by most financial institutions

2048-bit*

* supported by Alpha Application Server

Browser and Web Server

Export restriction on 128-bit encryption lifted in 2000.

Modern browsers (IE 5.5+) support 128-bit encryption.

Modern web servers support 128-bit encryption.

Notes on older operating systems and SGC (Server-Gated Cryptography)

How to do it

1) Create a certificate request from the Alpha Application Server settings screen.

2) Send the request to a Certification Authority and get back a certificate file.

3) Install the key (created in #1) and certificate files in the Alpha App Server.

4) Ensure that port 443 is open in the firewall and router.

How to do it (cont.)

5) URL links must use https://

If a Security Warning Pops Up in the Browser

Ensure that the URL used in the browser matches the one specified in the CSR exactly

Always happens with a Self-Signed certificate
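
The two causes of a browser warning named on this slide, a URL host that does not match the name in the certificate and a self-signed certificate, can be checked mechanically. The Python below is an added example, not part of the original presentation or of Alpha Five; the certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the `.test` host names and CA name are hypothetical.

```python
# Added example: reports why a browser would show a certificate warning.
# Input is a dict in the shape returned by ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName first, else subject CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive exact match, or one left-most wildcard label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # '*' covers exactly one label: a.example.test, not a.b.example.test
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return False

def warning_reasons(cert, url_host):
    """Return the reasons a browser would warn for url_host, [] if none."""
    reasons = []
    names = cert_names(cert)
    if not any(name_matches(n, url_host) for n in names):
        reasons.append("name mismatch: certificate is for %s, URL uses %s"
                       % (", ".join(names) or "(no name)", url_host))
    # Heuristic: issuer equal to subject means no separate CA vouches for it.
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed: issuer equals subject")
    return reasons

# Constructed sample certificates (hypothetical names, reserved .test TLD).
CA_SIGNED = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example CA Root"),),),
}
SELF_SIGNED = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "www.example.test"),),),
}

if __name__ == "__main__":
    for label, cert, host in [("CA-signed, exact host", CA_SIGNED, "www.example.test"),
                              ("CA-signed, bare domain", CA_SIGNED, "example.test"),
                              ("self-signed", SELF_SIGNED, "www.example.test")]:
        print(label, "->", warning_reasons(cert, host) or "no warning")
```

The bare-domain case shows why the name in the CSR has to be the exact host users will type: a certificate requested for `www.example.test` does not cover `example.test`.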

Using a Self-Signed Cert or if info does not match

Demo – before Cert request

Demo – Certificate Signing Request (CSR)

Demo – CSR Result

Demo – Cert Installed

Demo - live

Links

http://luxsci.com/info/about_ssl.html - See section on SSL in Action

Wikipedia – more technical

GoDaddy Certs – describes different Cert levels