SBClient SSL. Ehab AbuShmais

Ehab AbuShmais

Agenda

• SSL Background

• U2 SSL Support

• SBClient SSL

What Is SSL

• SSL (Secure Sockets Layer)

– Provides a secured channel between two communication endpoints

– Addresses all three security goals

– Used to secure many internet protocols: HTTP/SMTP/telnet/FTP etc.

• TLS (Transport Layer Security)

– IETF standard, improvement on SSLv3 – Currently v1

• SSL vs. SSH (Secured Shell) – Services vs. complexity

– Authentication: certificate mandated in SSL, optional in SSH – U2 is standardized on SSL

What Is SSL

• SSL is a protocol layer between

– a reliable connection-oriented network layer (e.g

TCP/IP) and

– the application protocol layer (e.g. HTTP).

• Cryptographic technology used by SSL

- Encryption for confidentiality

- Public Key Cryptography for key establishment

- Digital Digests for message integrity

How SSL works (Handshake)

• Client

Server

How SSL works (Handshake cont.)

• Client

Server

(1) --- Hello server! This is Alice ---

---

I am Bob,authenticate me

--- (2)

How SSL works (Handshake cont.)

• Client

Server

(1) --- Hello server! This is Alice ---

--- I am Bob,authenticate me --- (2)

(3) ---

material for session key

_---

---

preference for cipher suite

_---

How SSL works (Handshake cont.)

• Client

Server

(1) --- Hello server! This is Alice ---

--- I am Bob,authenticate me --- (2)

(3) --- material for session key ---

--- preference for cipher suite ---

--- I am done with handshake ---







---

agree on cipher suite/key

--- (4)

---

I am done as well

---How SSL works (data transfer)

• Client

Server

(1) --- Hello server! This is Alice ---

--- I am Bob,authenticate me --- (2)

(3) --- material for session key ---

--- preference for cipher suite ---

--- I am done with handshake ---

--- agree on cipher suite/key --- (4)

--- I am done as well

How SSL works summary

Adapted from: “Network Security with OpenSSL” by John Viega at al.

1

2

3

Encryption

• Purpose

– Provide confidentiality

• Encryption

– A process to convert plaintext into cipher text

using an algorithm with a key

• Decryption

– Convert cipher text back to plaintext

• Symmetric vs. Asymmetric Encryption

– Symmetric Algorithm: DES, AES, RC5 etc.

– Asymmetric Algorithm: RSA, DSA

Message Digest

• A cryptographic hash function that

– Takes an arbitrary length messages as input and

– Outputs a fixed length string that is characteristic of the original message

– Irreversibility: impossible to compute original message from its digest

– Non-collision: no two different messages produce same digest

• Main Usage

– digital signature and Message Authentication Code (MAC)

• Standard algorithms

– SHA1: 160-bit digest (considered more secure, recommended)

Digital Signature

• What is a certificate?

– A block of data that bundles an entity’s

name with its public key, and

– Signed by Certificate Authority (CA)

• Why certificates are needed?

– Guarantee the public key belongs to the

indicated owner

– A means of public key distribution

Digital Certificates: X.509

• X.509 is a primary standard defined by RFC 2459

• X.509 certificate contents (some optional)

– Version/Serial Number – Signature algorithm – Issuer (signer)

– Validation period (from … to …)

– Subject (entity, owner of public key) – Subject’s public key

– Signature (over the whole data) – Other extensions

• Issuer/Subject are described by

Certificate Authorities (CA)

• What’s a CA?

– A trusted third-party to vouch for the authenticity of a certificate

– CA’s private key is used to sign each certificate

– CA’s public key is published (in yet another certificate) and should be widely available

– CAs can form a hierarchy

• CRL (Certificate Revocation List)

• PKI (Public Key Infrastructure)

Certificate Generation

• Self-signing vs. CA-signing

– Certificate Authority (CA): trusted entity to sign certs – Self-sign: needs own private key

– CA-sign: needs CA-cert and CA’s private key

• X.509 Extensions (X.509 v3 certificates)

– Only for CA-signed certs. Self-signed cert always v1. – SubjectAltName: to identify cert owner

– KeyUsage: to restrict cert usage

– BasicConstraints: to id if it’s a CA cert

– SubjectKeyID: to facilitate cert verification – AuthorityKeyID: to facilitate cert verification

Security Context Record (SCR)

• Used by U2 secured client/telnet as well

• A structure holding all U2 SSL related properties – SSL/TLS version

– Sender’s Private key and certificate (“self-certificate”) – Preferred ciphers suites

– CA certificates – CRL

– Client authentication flag (for server use) – Certificate verification depth

– Authentication rules

• Authentication strength • Trusted peer names • Cert path

Security Context Record (SCR)

• Use wizard to create/view/modify SCRs

• Encrypted and stored in SCR database under

%UVHOME% or %UDTHOME%

– UV: &SECUCTX& – UD: _SECUCTX_

– Dynamic file, each record is encrypted and protected by a user-supplied pass phrase

– In-sync with accompanying binary file .bscrfile – Copy both hashed and binary file to deploy

• Server vs. Client SCR

– Server SCR must have self-cert/private key – Server SCR may enable client authentication – Client SCR must have CA-cert(s)

SSL Configuration Through UniAdmin

• First available in UD 6.0

• Improved in UV 10.1/UD 6.1

• Wizard-based

• Tasks performed:

– Public key-pair generation – Certificate Request creation – Certificate generation

– Security Context Record manipulation – Secured Telnet/UOJ/JDBC configuration

SBClient SSL

SSL support in SBClient is created by U2 engineers,

and based on the OpenSSL libraries. The same

functionality will be used by all U2 clients with the

benefits of a common interface and easier debugging of

any issues.

The following U2 database releases support SSL and

are the minimum recommendation:

SBClient SSL

Property List

• An SSL property list defines the characteristics and

behaviors of a secure connection.

• Use the Configure SSL Property List dialog box to

create a new SSL property list or access an existing

SSL property list.

• To create or access an SSL property list, enter

information to identify the property list as detailed on

the next slide:

SBClient SSL

To access this dialog box from the main menu, choose Setup > Configure SSL Property List.

SBClient SSL

This box allows you to

create a new list or access

an existing list.

Password is Optional. Enter the password for the new or existing SSL

property list. Otherwise, if the SSL property list does not have a password, For a new SSL property list, enter a unique name for the list.

SBClient SSL

OK to close the dialog box.

If you are creating a new list, a message dialog box states that the new list has been created.

Edit to create or edit an SSL property list.

Delete to delete the selected SSL property list. A dialog box appears, confirming that you want to delete the SSL property list. To cancel deletion of the list, click No. Otherwise, to confirm deletion of the list, click Yes.

SBClient SSL

SSL Version

SBClient supports two versions of Secure Sockets Layer: SSL version 3 and TLS version 1. Select the version of the protocol to be used for this secure connection:

SSLv3 - This is the default setting. It is the most widely used

protocol.

TLSv1 - This is the newer protocol. Most new applications support,

SBClient SSL

Certificate Store Type: The type of certificate stores to be used for all certificates issued for this secure connection:

U2 – This is the default setting. Use this setting if all certificates that apply to this secure connection are PEM or DER format OS-level files.

Windows – All certificates for this connection are looked up from the native Windows certificate store. Generally a CA Certificate is looked up from Windows CA and ROOT stores, while My Certificate is looked up from MY stores. In Microsoft’s terminology, these certificate stores are system stores: a collection of physical certificate stores that reside in the Windows Registry. SBClient looks up these stores from both of the

following Registry locations:

CERT_SYSTEM_STORE_CURRENT_USER CERT_SYSTEM_STORE_LOCAL_MACHINE

SBClient SSL

CA Certificate

If applicable, enter the path of the file to contain a Certificate Authority (CA) certificate for this secure connection. See

specifics for the certificate store type:

U2 certificate store type – Specify the path of the certificate file that is used as a CA certificate. The format of the certificate can be either PEM or DER. With the U2 type, you can specify

multiple certificate paths, separating each with a semicolon (;). If a CA certificate chain is required, you have the choice of

specifying multiple certificate files, separating each with a

semicolon (;), or for PEM-format certificates, concatenating the certificate files into one single file (using an OS-level editor or command line) and specifying the concatenated file.

SBClient SSL

CA Certificate

Windows certificate store type – Specify the same "friendly

name" or "Common name" that is used for the certificate in the certificate store. With the Windows type, specify only one

certificate, generally the most immediate CA certificate (the one used directly to sign the certificate to which authentication is to be performed). A certificate chain is automatically established and used in an SSL session. Note that the above description is based on the assumption that a correct and complete trust

relationship exists in the Windows certificate store for the

certificate involved. If a complete chain cannot be formed, an error is reported. This also applies to other certificate-related properties.

SBClient SSL

My Certificate

Optional

. Enter the path for your certificate for this

secure connection. See specifics for the certificate

store type:

U2 certificate store type – The format of the

certificate can be either PEM or DER.

Windows certificate store type – Specify the same

"friendly name" or "Common name" that is used for

the certificate in the certificate store.

SBClient SSL

My Private Key

Applicable to U2 certificate store type only. Required if you

entered a value in My Certificate. Enter the path for the file that contains the private key associated with My Certificate. The format of the key file can be either PEM or DER.

When an SSL property list is created, the private key is loaded into memory and validated against its corresponding certificate (My Certificate). If it passes validation, the key is stored with the SSL property list. This validation feature is designed to enhance the security and protection of the user’s private key.

After the SSL property list has been created, you do not need to keep the private key file on your hard drive. You can store the

SBClient SSL

Private Key Password

Applicable to U2 certificate store type only. Enter the password for the private key file.

Certificate Revocation List

Optional. Enter the path of a certificate revocation list (CRL) to be used for this secure connection. You can specify multiple CRL paths, separating each with a semicolon (;).

The CRL is a special certificate published by the certificate

authority (CA), containing the serial numbers of certificates that the CA has revoked. If an incoming server certificate is

specified, it is checked against the CRL to verify that the certificate has not been revoked before other verification is

SBClient SSL

Authentication Depth

Enter the level at which to stop SBClient’s verification process in authentication processing. The default setting is 5, which is a sufficient depth in most cases. If you set the depth for fewer levels of authentication than actually employed for the

SBClient SSL

Authentication Strength

Select the appropriate option for this secure connection:

STRICT – This is the default setting. Strict authentication requires that the following conditions be met:

– The incoming server certificate is a well-formed X.509 certificate. – A valid CA certificate exists and verifies the incoming server

certificate.

– Peer name checking (if specified) is performed.

GENEROUS – This authentication strength requires only that the

incoming server certificate is a well-formed X.509 certificate. Note that generous authentication is not highly secure. We recommend using it in

SBClient SSL

Trusted Peer Name

Enter the name of a trusted peer as detailed below.

This property tells SBClient that additional checking

must be performed in authenticating the incoming

certificate. If you leave this box blank, the incoming

certificate is considered valid when the CA certificate

has verified it. However, if you specify a trusted peer

name, a further check is performed to verify that the

incoming certificate’s SubjectAltName extension or

CommonName subject field matches that of the

trusted peer.

SBClient SSL

Trusted Peer Name

The trusted peer name can be either a fully specified name (such as [email protected]) or a wildcard name. Two wildcard characters are supported:

% Match any character string _ Match one character

For example, %@us.xyz.com matches both [email protected] and [email protected], while [email protected]@us.xyz.com only.

You can enter the names of multiple trusted peers, separating each with a semicolon (;).

SBClient SSL

Certificate Path

Applicable to U2 certificate store type only. Optional. When you specify a certificate by the CA Certificate, My Certificate, or CRL property, the value for that property is registered internally.

When the certificate is loaded into memory to establish an SSL connection, SBClient uses this registered path by default to retrieve the certificate.

The Certificate Path property allows you to specify different locations in which to search the certificates. Note that this property applies to all certificates in the file.

SBClient SSL

Certificate Path

DEFAULT – Specifies the default behavior, as described on the pervious slide.

RELATIVE – SBClient looks for the certificate in the current directory under which the client process is running.

SBClient SSL

Certificate Path

ENV=[environment_variable] – In this phrase, substitute the environment variable name. With this option, the value of the environment variable is used as the path in which to load the certificates. SBClient looks up the environment variable for a client process only the first time the process makes an SSL connection; the value of the environment variable is cached for later reference by that process.

PATH=[path] – In this phrase, substitute the path for loading certificates specified in this property list. This can be either an absolute path or a relative path. The default path is

C:\IBM\UniDK\certs. With this path, the behavior is the same as that of the DEFAULT option.

SBClient SSL

Cipher Suite

Optional. Specify a suite of ciphers to be used in a specific order in the SSL handshake. If you make no entry, the default of all ciphers supported by the OpenSSL open source library applies.

SBClient SSL

To access this dialog box:

Select the session in the main window. From the main menu, choose Setup > Communication. In the Network Communication Setup dialog box, click Advanced. In the Telnet Advanced Configuration dialog box, click SSL Setup.

SBClient SSL

Select the SSL property list to be used for the secure connection.

Enter the password for the SSL property list. Otherwise, if the SSL property list does not have a password, leave this box blank.

SBClient SSL

SSL telnet port is 992. If you are using a

nonstandard port, type the port number

instead of selecting a ssl_telnet protocol setting from the list.

Note: The setup under Advanced must be

cleared out if not intended for SSL session

Troubleshooting SSL

Most problems with U2 SSL occur during initial

connection. It is important to check both ends of a

connection.

The basic requirements for a successful connection

between server and client using SSL and Telnet

are:

1. A server computer with an SSL Telnet server process. 2. A server digital certificate.

3. A client computer with a U2 SSL client application.

4. A means of authenticating a server certificate by the client. 5. An optional client certificate.

Troubleshooting SSL

• Whenever there is a problem, turn on logging first – SBClient logging

– Use prototolLogging(“x.log”,”ON”,8) for UniBasic programs – Turn on server debug flags (file/registry) for servers

• Common Problems – Wrong SSL port

– Missing or incorrect setting in .unisecurity – Ill-configured SCR

• Certs/cert path/peer name/ – Wrong CA cert/chain

Troubleshooting SSL

SBClient will produce client side log. There is also a server side log.

This check box enables a log to capture commands and data transferred in secure transactions. The log file is named

SSL.LOG and is stored in the log directory.

Make sure to turn off logging when

done as it will consume large amount of disk space.

SSL Resources

www.netscape.com

SSL was first developed by Netscape www.ietf.org

The Internet Engineering Task Force maintain the specification for the TLS protocol

www.verisign.com

VeriSign is a popular Certificate Authority and source of digital certificates. www.rsasecurity.com

RSA Security developed some of the encryption technology used in SSL. www.openssl.org

OpenSSL: the Open Source toolkit for SSL/TLS. This is the basis for the U2 SSLcommunications

www.microsoft.com

Thank You!

Ehab AbuShmais