508 Building Java Applications for the iSeries Server with VisualAge for Java 3.5
13.3.2 Transaction security and Secure Sockets Layer
Transaction security includes several basic elements, such as:
• Confidentiality/privacy
• Integrity
• Authentication
• Accountability
SSL is the Secure Sockets Layer protocol defined by Netscape Communications Corporation.
It provides a private channel between a client and server that ensures privacy of data,
authentication of session partners and message integrity.
Digital certificates are used for session partner authentication. Server authentication is
common. Client authentication is not yet common, but it is growing in popularity.
Keys are the basis for end-to-end information encryption. Figure 13-2 provides a high-level
view of SSL and transaction security.
Figure 13-2 Transaction security
You must re-write TCP/IP applications to use SSL. Primarily, SSL is used by HTTP (HTTPS)
for Web browsing. In OS/400 V4R3, Directory Services Server (LDAP) is SSL enabled. With
OS/400 V5R1, many applications including the host servers have been SSL enabled by the
licensed products as shown in Table 13-1.
Table 13-1 iSeries SSL Licensed Program Products

Installed Cryptographic      Required Client        Key length
Access Provider product      Encryption product
5722-AC2                     5722-CE2               56 bit
5722-AC3                     5722-CE3               128 bit

When you order OS/400, you are shipped the appropriate version of the 5722-ACx and
5722-CEx products in accordance with US export laws.
[Figure 13-2 labels: Web browser, Web server, "Client identity authenticated", "Server identity authenticated"]
Chapter 13. Deployment considerations and tools 509
Confidentiality
When a packet travels across a standard network, it is possible to use a packet sniffer to
passively read the message. This means packets travelling a network can be read without
either the sender or receiver ever knowing. To overcome this, messages should be encrypted
to assure confidentiality.
Confidentiality means that the contents of the messages remain private as they pass through
the Internet. Without confidentiality, your computer broadcasts the message to the network,
much like shouting the information across a crowded room. Encryption ensures confidentiality.
Integrity
For example, you may want to know if the data received is the same as the data that was sent.
You can determine this through two possible solutions: digital signature (or hashing) and
encryption.
The sending system calculates a hash value based on the message being sent. The hash
value is appended to the transmission. The receiving system uses the same calculation to
generate a value. The receiving system then compares the calculated value with the received
value. If the values are different, then it assumes that the data changed. For stronger
security, the message should first be encrypted using an appropriate encryption algorithm.
Integrity means that the messages are not altered while being transmitted. If a router or other
network device inserts, deletes, or garbles the message as it passes by, the receiver would
detect the modification. Without integrity, you have no guarantee that the message you sent
matches the message that was received. Encryption and digital signature ensure integrity.
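The hash-and-compare check described above, as an added example in Java (not code from the book; it assumes a current JDK, and the class name, message and keys are constructed for illustration). It goes one step beyond the text: a plain SHA-256 hash catches garbling, but a device that rewrites the message can recompute an unkeyed hash, so the last cases use a keyed HMAC-SHA256 value, a technique the page does not name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class IntegrityCheckDemo { // hypothetical class name
    static final int TAG_LEN = 32; // SHA-256 and HMAC-SHA256 both yield 32 bytes

    // Check value: plain hash when key is null, keyed HMAC otherwise.
    static byte[] tag(byte[] msg, byte[] key) throws Exception {
        if (key == null) return MessageDigest.getInstance("SHA-256").digest(msg);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg);
    }

    // Sender: append the check value to the transmission.
    static byte[] send(byte[] msg, byte[] key) throws Exception {
        byte[] wire = Arrays.copyOf(msg, msg.length + TAG_LEN);
        System.arraycopy(tag(msg, key), 0, wire, msg.length, TAG_LEN);
        return wire;
    }

    // Receiver: recompute the value over the payload and compare with the received one.
    static boolean verify(byte[] wire, byte[] key) throws Exception {
        if (wire.length < TAG_LEN) return false; // truncated transmission
        byte[] msg = Arrays.copyOfRange(wire, 0, wire.length - TAG_LEN);
        byte[] received = Arrays.copyOfRange(wire, wire.length - TAG_LEN, wire.length);
        return MessageDigest.isEqual(tag(msg, key), received); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] order = "PAY 100.00 TO ACCT 1234".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);      // constructed

        // 1. A byte garbled in transit no longer matches the appended hash.
        byte[] wire = send(order, null);
        wire[4] ^= 0x01;
        System.out.println("plain hash, garbled in transit: " + verify(wire, null));
        // 2. An unkeyed hash can be recomputed by whoever rewrites the message.
        byte[] altered = "PAY 900.00 TO ACCT 1234".getBytes(StandardCharsets.UTF_8);
        System.out.println("plain hash, rewritten and rehashed: " + verify(send(altered, null), null));
        // 3. A keyed value computed without the shared key fails verification.
        byte[] forged = send(altered, "wrong-key".getBytes(StandardCharsets.UTF_8));
        System.out.println("HMAC, rewritten without the key: " + verify(forged, key));
        System.out.println("HMAC, untouched message: " + verify(send(order, key), key));
    }
}
```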
Authenticity
Consider the scenario where you want to know who is at the other end of a Web site to test its
authenticity. One way to find out is through the use of digital certificates and digital signatures
(see Figure 13-3).
Figure 13-3 Verifying identity: Digital certificates and digital signatures
Authenticity means that you know who you are talking to and that you trust that person.
Without authenticity, you have no way to be sure that anyone is who they say they are.
Authentication through digital certificates and digital signatures ensures authenticity.
[Figure 13-3 content. Problem: How do we know who is at the other end? One speaker says: "I am going to set up a fake site to sell football tickets. No one will ever know. I'll make millions." The other says: "This site does not have a certificate from a trusted source. I think I'll order some football tickets from someone else." The certificate shown is labelled "University of the Internet" and lists: Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA.]
