20 WebSphere Portal Collaboration Security Handbook
trusted third party, called a certificate authority (CA). Some important details
about CAs include:
When a public/private key pair is generated, the public key, together with the
identity of the owner, must be submitted to a CA.
The CA signs the data with the CA’s own private key. The data becomes a
digital certificate, and the CA returns it to the owner.
A certificate does not contain any confidential data and should be made
available to the world so that other people can use this certificate for sending
data to the owner of the certificate and decrypting data from the owner.
There are many commercial CAs. There are also some local CAs for each
country. Commercial CA certificates are often included in products such as Web
Adding secret key cryptography to the mix
We now have established a secure way to transfer messages through public key
cryptography without having the authentication problems associated with it. The
problem that remains is performance. It would be nice to marry the performance
of secret key cryptography with the management scalability of public key
cryptography. Here is how it works:
1. When two entities want to communicate, they set up communication channels
using public key cryptography.
2. During this setup, a secret key is created and transferred to the parties
involved. This secret key will only be used for this session and will be
3. After all parties have the secret key, they can send information to each other
with secret key cryptography.
4. When the communication channel is closed, the secret key is destroyed.
2.2.2 Secure Sockets Layer protocol
In this section, we take a closer look about how the Secure Sockets Layer (SSL)
protocol works. This protocol is used by the IBM Tivoli Web Services Manager
components to communicate securely over untrusted networks.
SSL was conceived by Netscape Communications. It became the de facto
standard to authenticate and encrypt communication between clients and
servers on TCP/IP networks.
SSL performs the following functions:
Authenticates the server to the client.
Chapter 2. Portal security concepts 21
Optionally, authenticates the client to the server.
Creates an encrypted connection between both machines.
The authentication of the server to the client and vice versa happens through the
exchange of certificates. The certificate authority that signed the certificate can
be a different CA for the server than for the client. They must be trusted by the
client and the server, respectively.
The encryption of the connection enables you to keep the data sent over the
connection confidential. In addition, it also checks whether the data has been
changed during the transfer.
All of these functions of SSL depend strongly on the cryptographic principles
described in 2.2.1, “Cryptographic principles” on page 15.
SSL sits between the TCP/IP protocols, which are responsible for the transport
and routing of data over the Internet, and the application protocols, such as
Hypertext Transfer Protocol (HTTP). This is shown in Figure 2-6. The SSL
structure in Figure 2-6 consists of two protocol levels:
– Handshake protocol
– Change cipher specification protocol
– Alert protocol
– Application protocol
Figure 2-6 SSL structure and placement in the protocol stack
Record layer protocol