background image

Transport-Layer Security

<< Java EE Security Implementation Mechanisms | Securing Containers >>
<< Java EE Security Implementation Mechanisms | Securing Containers >>

Transport-Layer Security

Transport-Layer Security
Transport-layer security is provided by the transport mechanisms used to transmit information
over the wire between clients and providers, thus transport-layer security relies on secure
HTTP transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a
point-to-point security mechanism that can be used for authentication, message integrity, and
confidentiality. When running over an SSL-protected session, the server and client can
authenticate one another and negotiate an encryption algorithm and cryptographic keys before
the application protocol transmits or receives its first byte of data. Security is "live" from the
time it leaves the consumer until it arrives at the provider, or vice versa, even across
intermediaries. The problem is that it is not protected once it gets to its destination. One
solution is to encrypt the message before sending.
Transport-layer security is performed in a series of phases, which are listed here:
The client and server agree on an appropriate algorithm.
A key is exchanged using public-key encryption and certificate-based authentication.
A symmetric cipher is used during the information exchange.
Digital certificates are necessary when running secure HTTP transport (HTTPS) using Secure
Sockets Layer (SSL). The HTTPS service of most web servers will not run unless a digital
certificate has been installed. Digital certificates have already been created for the Application
Server. If you are using a different server, use the procedure outlined in
"Working with Digital
Certificates" on page 788
to set up a digital certificate that can be used by your web or
application server to enable SSL.
The advantages of using transport-layer security include the following:
Relatively simple, well understood, standard technology.
Applies to message body and attachments.
The disadvantages of using transport-layer security include the following:
Tightly-coupled with transport-layer protocol.
All or nothing approach to security. This implies that the security mechanism is unaware of
message contents, and as such, you cannot selectively apply security to portions of the
message as you can with message-layer security.
Protection is transient. The message is only protected while in transit. Protection is removed
automatically by the endpoint when it receives the message.
Not an end-to-end solution, simply point-to-point.
For more information on transport-layer security, read
"Establishing a Secure Connection
Using SSL" on page 785
.
Security Implementation Mechanisms
Chapter 28 · Introduction to Security in the Java EE Platform
773