The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols were designed to help protect the privacy and integrity of data while it is transferred across a network. SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. The IETF standard called Transport Layer Security (TLS) is based on SSL. TLS is described in the TLS Protocol.
The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks:
SSL server authentication allows a user to confirm a server's identity expressed in the form of an X509 certificate.
SSL client authentication allows a server to confirm a user's identity using the same techniques as those used for server authentication.
An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering, that is, for automatically determining whether the data has been altered in transit.
The SSL protocol supports the use of a variety of cryptographic algorithms, or ciphers, for use in operations such as: authenticating the server and client to each other, transmitting certificates, and establishing session keys. Clients and servers may support different cipher suites, or sets of ciphers, depending on factors such as the version of SSL they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its other functions, the SSL handshake protocol determines how the server and client negotiate the cipher suites they will use to authenticate each other, to transmit certificates, and to establish session keys.
WSO2 SOA Enablement Server uses the JSSE (Java Secure Socket Extension) reference implementation to provide both SSL3.0 and TLS1.0 protocols. For more information see Sun's Java Secure Socket Extension pages. SSL and TLS are not able to distinguish between server and service identity; there is only a check for the server identity specified by SSL or TLS specification. Specific details about SSL and TLS in WSO2 SOA Enablement Server can be found in the following sections:
WS-Security Provider is a standard set of SOAP extensions that can be used when building secure Web services to implement message level integrity and confidentiality. WS-Security is flexible and is designed to be used as the basis for securing Web services within a wide variety of security models including Kerberos and SSL. Specifically, it provides support for multiple security token formats, multiple trust domains, multiple signature formats, and multiple encryption technologies. For more details, please see http://www.oasis-open.org/home/index.php.
To configure and use WS-Security with WSO2 SOA Enablement Server, see WS Security Provider.