Using secure connections with EAServer
The SSL protocol allows connections to be secured using public-key
encryption and authentication algorithms that are based on digital
certificates.
SSL is a wrapper protocol: packets for another protocol are secured
by embedding them inside SSL packets. For example, HTTPS is HTTP
secured by embedding each HTTP packet within an SSL packet. Similarly,
IIOPS is IIOP embedded within SSL.
EAServer’s built-in SSL driver supports dynamic negotiation, cached
and shared sessions, and authorization for client and server using
X.509 Digital Certificate support.
For an overview of security in EAServer and more information about
EAServer and SSL, see the EAServer Security Administration and
Programming Guide.
For more information about the SSL protocol, see the documentation
for security on the Netscape DevEdge Web site.
Quality of protection
The quality of protection (QOP) for EAServer packages,
components, and methods can be set in EAServer Manager. QOP establishes
a minimum level of encryption and authentication that a client must
meet before it can access a component’s business logic.
For example, to set the quality of protection for a component, add
the com.sybase.jaguar.component.qop property on the All Properties
page of the component’s property sheet and set it to a security
characteristic provided with EAServer, such as sybpks_intl.
For a description of configuring QOP on the server and a list of
security characteristics provided with EAServer, see the EAServer
Security Administration and Programming Guide. This chapter describes
configuring QOP on the client.
SSL certificate-based authentication
In EAServer Manager, you can configure a secure IIOP or HTTP
port by configuring a listener and associating a security profile
with the listener. The profile designates a security certificate
to be sent to clients to verify that the connection ends at the
intended server, as well as other security settings.
PowerBuilder clients need a public key infrastructure (PKI)
system to manage digital certificates. You can use Security Manager,
which manages the EAServer certificate database, or you can use
Entrust/Entelligence, available separately from Entrust Technologies
(http://www.entrust.com).
For more information about PKI and configuring secure ports and
authentication options, see the EAServer Security Administration and
Programming Guide.
Client installation requirements
EAServer provides several sets of client runtime files. Because SSL
support in PowerBuilder clients is provided through the C++ client
ORB, you should install the SSL and C++ runtime files on the computer
on which PowerBuilder SSL clients will run. The installation includes
the client-side security database, SSL support libraries, and the
client-side Security Manager. You also need to configure the client
installation to load the client libraries when you run your
application. See the Installation Guide for more information.