Secure Sockets Layer (SSL) Security

The Secure Sockets Layer (SSL) provides an alternative form of secure communication between the presentation client and the application server; this secure connection applies to that link only.

This secure connection uses the Secure Sockets Layer (SSL) protocol to achieve authentication and encryption. This implementation is based upon open source code from the OpenSSL project. (For more information, see http://www.openssl.org.)

For details about the valid combinations of the RPCEncryptionEnabled parameter and RPCEncryptionHookDLL parameter on both the application server and presentation client, see "Enabling JADE Smart Thin Client Security Encryption", earlier in this chapter.

You can use the sample certificates supplied with the JADE release, which allow the presentation client to authenticate the application server, optionally allow the application server to authenticate the presentation client, and start an encrypted connection. These certificates are self-signed samples, and because the same sample files ship with every copy of JADE they give no real assurance of identity. Do not use them in a production environment where full trust is required.

In a production environment, it is the responsibility of the system administrator to obtain or generate the appropriate certificates and to manage them; that is, to keep the private keys and signing certificates secure. The physical security of the private key files is also your responsibility.

As the OpenSSL libraries upon which this implementation is based support only hard-coded English single-byte character set messages, they are not translatable. The Unicode version of JADE converts any messages into Unicode before they are logged to the jommsg.log file.

The sample self-signed certificates are located in the directory in which your JADE binary files are installed and are named server.pem and client.pem for the application server and presentation client certificates, respectively.

If values are defined for the SSLProxyHost and SSLProxyPort parameters, they are used. If no values are specified for these parameters, the Windows registry is checked to see whether a proxy server has been specified: the "same proxy for all protocols" value is used if it is specified; otherwise the "secure" proxy server entry is used. If neither value is present, a direct connection is attempted. See also "Automatically Detecting Proxy Settings" under "Presentation Client Considerations", later in this section.
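The following is an added example (not JADE code) that implements the proxy selection order just described so that it can be exercised against sample settings. It models the Windows registry as a plain dict so it runs offline on any platform. The value names it reads (ProxyEnable and ProxyServer, the standard WinINet settings behind the Internet Options dialog, where the "same proxy for all protocols" box stores a bare host:port and per-protocol entries are stored as http=...;https=...;ftp=...;socks=..., the "secure" entry being https=) are an assumption about what JADE actually reads, as is the decision to reject SSLProxyHost without SSLProxyPort; the host names are constructed.

```python
"""Proxy selection order for the SSL presentation client connection.

Added example, not JADE code. The registry is modelled as a dict; the WinINet
value names and the treatment of a half-defined SSLProxyHost/SSLProxyPort pair
are assumptions, not documented JADE behaviour.
"""
from typing import Dict, Optional, Tuple

HostPort = Tuple[str, int]

# Assumed registry location of the WinINet settings; never opened by this example.
REGISTRY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def split_host_port(hostport: str) -> HostPort:
    """Split 'host:port' into (host, port); a missing port is rejected rather than guessed."""
    host, sep, port = hostport.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"proxy entry {hostport!r} must be host:port")
    return host, int(port)


def parse_proxy_server(value: str) -> Dict[str, HostPort]:
    """Parse a WinINet ProxyServer string into a {scheme: (host, port)} map.

    A bare 'host:port' ("same proxy for all protocols") is stored under the key '*';
    'http=h:p;https=h:p;...' entries are stored under their scheme names.
    """
    entries: Dict[str, HostPort] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, eq, hostport = item.partition("=")
        if eq:
            entries[scheme.strip().lower()] = split_host_port(hostport)
        else:
            entries["*"] = split_host_port(item)
    return entries


def resolve_proxy(ssl_proxy_host: Optional[str],
                  ssl_proxy_port: Optional[int],
                  registry: Dict[str, object]) -> Tuple[Optional[HostPort], str]:
    """Return (proxy, reason); proxy is None when a direct connection is attempted.

    Order, as the text gives it:
      1. SSLProxyHost/SSLProxyPort, if defined.
      2. Registry "same proxy for all protocols" value.
      3. Registry "secure" (https=) entry.
      4. Otherwise a direct connection.
    """
    if ssl_proxy_host and ssl_proxy_port:
        return (ssl_proxy_host, int(ssl_proxy_port)), "SSLProxyHost/SSLProxyPort parameters"
    if ssl_proxy_host or ssl_proxy_port:
        # Assumption: a half-defined pair is a configuration error, not a silent fallback.
        raise ValueError("SSLProxyHost and SSLProxyPort must be defined together")

    # ProxyEnable is a DWORD; the ProxyServer string is ignored unless it is switched on.
    if registry.get("ProxyEnable") == 1 and registry.get("ProxyServer"):
        entries = parse_proxy_server(str(registry["ProxyServer"]))
        if "*" in entries:
            return entries["*"], "registry: same proxy for all protocols"
        if "https" in entries:
            return entries["https"], "registry: secure proxy entry"

    return None, "direct connection"


# Constructed registry snapshots (not captured from a real machine).
SAME_FOR_ALL = {"ProxyEnable": 1, "ProxyServer": "proxy.example.net:3128"}
PER_PROTOCOL = {"ProxyEnable": 1,
                "ProxyServer": "http=web.example.net:8080;https=secure.example.net:8443;ftp=ftp.example.net:21"}
HTTP_ONLY = {"ProxyEnable": 1, "ProxyServer": "http=web.example.net:8080"}
DISABLED = {"ProxyEnable": 0, "ProxyServer": "proxy.example.net:3128"}

if __name__ == "__main__":
    for name, reg in [("same-for-all", SAME_FOR_ALL), ("per-protocol", PER_PROTOCOL),
                      ("http-only", HTTP_ONLY), ("disabled", DISABLED)]:
        print(f"{name:13} {resolve_proxy(None, None, reg)}")
    print(f"{'explicit':13} {resolve_proxy('jadeproxy.example.net', 443, PER_PROTOCOL)}")
```

Note that a registry holding only an http= entry yields a direct connection, not the HTTP proxy, because the secure connection consults only the "same proxy for all protocols" and "secure" entries. Note also what the registry fallback implies: anyone who can write the current user's Internet Settings can route the presentation client's connection through a proxy of their choosing. Such a proxy sees only the SSL-protected stream, so the protection then rests on the presentation client actually verifying the application server's certificate, which is one more reason not to rely on the sample certificates in production.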

Encryption software adds processing overheads (and therefore time) to the operation of both the presentation client and the application server. You should therefore take care to balance the requirements of secure communications with the extra processing load on the application server, as it must encrypt and decrypt data sent between it and all connected presentation clients.