Security considerations for using SSL with HTTP server

IBM® HTTP Server can provide secure Web connections to your system.

A secure web site means that transmissions between the client and the server (in both directions) are encrypted. These encrypted transmissions are safe both from the scrutiny of sniffers and from those who attempt either to capture or to alter the transmissions.
Note: A secure Web site protects only the information that passes between client and server. It is not intended to reduce your server's vulnerability to hackers, although it does limit the information that a would-be hacker can easily obtain by sniffing traffic.

The topics on SSL and Webserving (HTTP) in the information center provide complete information for installing, configuring, and managing the encryption process. These topics provide both an overview of the server features and some considerations for using the server.

Internet Connection Server provides HTTP and HTTPS support when one of the following licensed programs is installed: When these options are installed, the product is referred to as the Internet Connection Secure Server.
Security that depends on encryption has several requirements. Encryption protects the confidentiality of transmitted information, but for sensitive information, such as financial data, you also want integrity and authenticity. The client (and optionally the server) must trust the party on the other end, through an independent reference, and both must be sure that the transmission has not been altered. The digital signature provided by a certification authority (CA) gives these assurances of authenticity and integrity. The SSL protocol provides authentication by verifying the digital signature on the server's certificate (and optionally on the client's certificate).

Encryption and decryption require processing time and affect the performance of your transmissions. Therefore, iSeries servers let you run the secure and the insecure server programs at the same time. You can use the insecure HTTP server to serve documents that do not require security, such as your product catalog; these documents have a URL that starts with http://. You can use a secure HTTP server for sensitive information, such as the form where the customer enters credit card information. The program can serve documents whose URL starts with either http:// or https://.
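When the secure and insecure servers run side by side, the risk is that a sensitive document is mistakenly served by the insecure (http://) listener. The following added example (not from the IBM documentation) checks an access log for that condition; the log lines are constructed, assume an Apache-style format that records the server port, and the sensitive path prefixes are a hypothetical policy.

```python
import re

# Constructed sample access-log lines (format assumed: client, server port,
# time, request line, status). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 80 [12/Mar/2024:10:01:02 +0000] "GET /catalog/index.html HTTP/1.1" 200
203.0.113.7 443 [12/Mar/2024:10:01:09 +0000] "GET /order/payment.html HTTP/1.1" 200
198.51.100.4 80 [12/Mar/2024:10:02:15 +0000] "POST /order/payment.cgi HTTP/1.1" 200
198.51.100.4 80 [12/Mar/2024:10:02:40 +0000] "GET /catalog/widgets.html HTTP/1.1" 200
192.0.2.9 80 [12/Mar/2024:10:03:01 +0000] "GET /account/login.html HTTP/1.1" 302
192.0.2.9 80 [12/Mar/2024:10:03:05 +0000] "GET /account/profile.html HTTP/1.1" 200
"""

# Hypothetical policy: documents under these prefixes carry sensitive data and
# must only be served by the secure listener (https://, port 443).
SENSITIVE_PREFIXES = ("/order/", "/account/")
SECURE_PORT = 443

LINE_RE = re.compile(r'^(?P<client>\S+) (?P<port>\d+) \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})$')

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec

def is_sensitive(path):
    # Compare the path only; drop any query string first.
    return path.split("?", 1)[0].startswith(SENSITIVE_PREFIXES)

def find_cleartext_sensitive(log_text):
    """Return records where a sensitive document was actually delivered (2xx)
    by a listener other than the secure port. A 3xx on the insecure port is
    not flagged: redirecting http:// requests to https:// is expected."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and is_sensitive(rec["path"]) and rec["port"] != SECURE_PORT
                and 200 <= rec["status"] < 300):
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in find_cleartext_sensitive(SAMPLE_LOG):
        print(f'{rec["client"]} {rec["method"]} {rec["path"]} served in clear on port {rec["port"]}')
```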

Reminder: It is good Internet etiquette to inform your clients when transmissions are secure and not secure, particularly when your Web site only uses a secure server for some documents.

Keep in mind that encryption requires both a secure client and a secure server. Secure browsers (HTTP clients) have become fairly common.