Filter
Top Products
If all virtual hosts on a single IP address need to authenticate against the same certicate, the
addition of multiple virtual hosts probably will not interfere with normal SSL operations on the
server. Be aware, however, that most browsers will compare the server's domain name against
the domain name listed in the certicate, if any (applicable primarily to ocial, CA-signed
certicates). If the domain names do not match, these browsers display a warning. In general,
only address-based virtual hosts are commonly used with SSL in a production environment.
About Firewalls
A rewall controls the ow of data between two or more networks, and manages the links
between the networks. A rewall can consist of both hardware and software elements. This
section describes some common rewall architectures and their conguration. The information
here pertains primarily to the Enterprise Server. For details about a specic rewall technology,
refer to the documentation from your rewall vendor.
In general, congure the rewalls so that clients can access the necessary TCP/IP ports. For
example, if the HTTP listener is operating on port 8080, congure the rewall to allow HTTP
requests on port 8080 only. Likewise, if HTTPS requests are setup for port 8181, you must
congure the rewalls to allow HTTPS requests on port 8181.
If direct Remote Method Invocations over Internet Inter-ORB Protocol (RMI-IIOP) access
from the Internet to EJB modules are required, open the RMI-IIOP listener port as well, but this
is strongly discouraged because it creates security risks.
In double rewall architecture, you must congure the outer rewall to allow for HTTP and
HTTPS transactions. You must congure the inner rewall to allow the HTTP server plug-in to
communicate with the Enterprise Server behind the rewall.
About Certicate Files
Installation of the Enterprise Server generates a digital certicate in JSSE (Java Secure Socket
Extension) or NSS (Network Security Services) format suitable for internal testing. By default,
the Enterprise Server stores its certicate information in a certicate database in the
domain-dir/config directory:
■
Keystore le, key3.db, contains the Enterprise Server's certicate, including its private key.
The keystore le is protected with a password. Change the password using the asadmin
change-master-password command.
Each keystore entry has a unique alias. After installation, the Enterprise Server keystore has
a single entry with alias s1as.
■
Truststore le, cert8.db, contains the Enterprise Server's trusted certicates, including
public keys for other entities. For a trusted certicate, the server has conrmed that the
public key in the certicate belongs to the certicate's owner. Trusted certicates generally
include those of certication authorities (CAs).
AboutCerticate Files
Chapter9 • ConguringSecurity 111