a/d trends: Securing E-commerce Sites

Developing secure e-business applications goes beyond just installing a firewall. It also means discovering other weapons in the arsenal that will offer protection against fraud and invasion of privacy.

Developers working in e-commerce should make themselves familiar with the seven golden steps to secure e-business on the AS/400.

IBM HTTP Server for AS/400 (5769-DG1): This product provides the base HTTP serving capability for the AS/400 and lets the Web server use SSL. At V4R2 it supports SSL with server authentication only; V4R3 adds SSL client authentication.

Digital Certificate Manager (DCM): DCM is a Web browser-based administration facility for certificate-based authentication and SSL encryption.

You can use DCM to augment AS/400 security by setting up your system to use digital certificates. Digital certificates allow you to use SSL for secure browser access to Web sites and other Internet services.

DCM allows you to create your own intranet Certificate Authority (CA). You can then use the CA to dynamically issue digital certificates to servers and users on your intranet. When you create a server certificate, DCM automatically generates the private and public keys for the certificate. You can also use DCM to register and use digital certificates from Verisign or other commercial organizations on your intranet or the Internet.

When a client certificate is created, Digital Certificate Manager automatically associates the certificate with the owner's AS/400 user profile. That association is what turns a certificate into a login: you can further augment system security by using digital certificates (instead of user names and passwords) to authenticate and authorize sessions between the server and users. Digital Certificate Manager is option 34 of OS/400 (5769-SS1); you must install this option to use DCM.

Cryptographic Access Provider (5769-AC1, AC2, or AC3): You need one of these before DCM can generate the keys used for certificates and encryption. The product installed determines the maximum key length permitted for cryptographic algorithms on your AS/400, and therefore the strength of the SSL sessions it can negotiate: AC1 provides 40-bit, AC2 56-bit and AC3 128-bit encryption.

Certificate Authority (CA): There are two types of CA, intranet and Internet. The intranet CA on the AS/400 system acts as a CA for your own intranet, and its certificate must be distributed to your users' browsers, whereas an Internet (commercial) CA charges a fee for issuing client or server certificates but is already trusted by the browsers shipped to the public.

Digital certificates are issued by a CA. CAs are trusted to issue certificates properly and to have controls in place against fraudulent use; they are analogous to a Department of Motor Vehicles issuing drivers' licenses. An individual may hold certificates from several CAs, just as we carry several forms of personal identification.

If you trust a CA, you can be reasonably assured that any certificate it issues properly represents the party holding it. Trust in the CA is therefore the foundation of trust in a digital certificate as a valid credential.

A CA uses its private key to place a digital signature on each certificate it issues. Anyone holding the CA's public key can check that signature, which proves both where the certificate came from and that its contents have not been altered since signing.

Several businesses provide commercial Certificate Authority services for Internet users, and an organization can also create its own CA to issue certificates to the servers and users on its intranet. A CA publishes its public key and Distinguished Name, and administrators install them as a trusted root in Web servers and browsers. Adding a root is a significant decision: your server will then accept a certificate from anyone to whom that CA has issued one, so for client authentication the trusted root must be paired with the association between certificate and user profile rather than relied on by itself. Servers and browsers ship with several default trusted roots, and more can be added as needed.

Server Certificate: With V4R2, only server authentication is supported. Server authentication is the process that begins when a user requests an https URL from the Web server. During the SSL handshake the Web server presents its server certificate to the browser. The browser checks that the certificate carries a valid signature from a CA it trusts, that it is within its validity period and that the name in the certificate matches the host named in the URL; only then does it accept that the Web server is who it claims to be.

When a server certificate is issued by your intranet CA, that CA signs it, and each user must install the intranet CA's certificate in their browser as a trusted root. Without it the browser will warn that the server's certificate comes from an unknown issuer.

Client Certificate: With V4R3, you can set up your Web server for SSL client authentication. Client authentication begins the same way: the user requests an https URL, and the Web server sends its server certificate to the browser.

Once the browser has verified the server certificate, the server requests a client certificate and the browser sends one, along with proof that it holds the matching private key (it signs part of the handshake with that key). The Web server verifies that the client certificate is signed by a CA it trusts and is still valid, then completes the SSL session; on the AS/400 the certificate is then matched to the user profile it was associated with.

All further traffic on the session is encrypted with a symmetric session key negotiated during the handshake and protected against tampering by a message authentication code. Client certificates are stored in your browser, and when you hold more than one you choose which to present.
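The checks described above for server and client certificates, and the consequence of adding a CA as a trusted root, can be shown with a small intranet PKI built in code. The following Go program is an added example; it is not part of the original article and not IBM's DCM, and it uses Go's standard crypto/x509 library in place of DCM. It creates a self-signed intranet CA, issues a server certificate for the assumed host name shop.example.com and client certificates for the assumed users ALICE and BOB, then runs the browser's check (trusted root, validity period, host name) and the server's check (trusted root, client key usage, association with a user profile). A second, untrusted CA issues a certificate for the same host name to show that a correct-looking name is worthless without a trusted signature, and BOB's certificate, although issued by the trusted CA, is rejected because no profile is associated with it. The profile table stands in for the DCM association and is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter for this example; a real CA persists it

// issue generates a P-256 key pair and a certificate for it. With parent == nil the
// certificate is a self-signed CA root; otherwise the parent CA's key signs it, and eku
// says whether it is for a server (bound to cn as its host name) or for a user (client).
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable random source; nothing sensible to do but stop
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer := key // a CA root signs itself; everything else is signed by the parent CA
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	} else {
		signer = parentKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		if eku == x509.ExtKeyUsageServerAuth { // the name the browser compares with the URL
			tmpl.DNSNames = []string{cn}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyServer is the browser's check on a server certificate: it must chain to a trusted
// root, be inside its validity period, and name the host the user actually requested.
func verifyServer(cert *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// authenticateClient is the server's check on a client certificate: it must chain to a
// trusted CA, be permitted for client use, and be associated with a user profile. The map,
// keyed by the exact certificate bytes, stands in for the DCM association (constructed here).
func authenticateClient(cert *x509.Certificate, trusted *x509.CertPool, profiles map[string]string) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if profile, ok := profiles[string(cert.Raw)]; ok {
		return profile, nil
	}
	return "", errors.New("certificate chains to a trusted CA but is not associated with a user profile")
}

func main() {
	// Constructed scenario: one intranet CA, one Web server, two users, and a rogue CA.
	ca, caKey := issue("Example Intranet CA", x509.ExtKeyUsageAny, nil, nil)
	server, _ := issue("shop.example.com", x509.ExtKeyUsageServerAuth, ca, caKey)
	alice, _ := issue("ALICE", x509.ExtKeyUsageClientAuth, ca, caKey)
	bob, _ := issue("BOB", x509.ExtKeyUsageClientAuth, ca, caKey)
	rogueCA, rogueKey := issue("Untrusted CA", x509.ExtKeyUsageAny, nil, nil)
	forged, _ := issue("shop.example.com", x509.ExtKeyUsageServerAuth, rogueCA, rogueKey)

	trusted := x509.NewCertPool() // the trusted-root list of both the browser and the server
	trusted.AddCert(ca)
	profiles := map[string]string{string(alice.Raw): "ALICE"} // BOB is deliberately left out

	fmt.Println("server cert, requested host:  ", verifyServer(server, trusted, "shop.example.com"))
	fmt.Println("server cert, other host:      ", verifyServer(server, trusted, "payroll.example.com"))
	fmt.Println("server cert from untrusted CA:", verifyServer(forged, trusted, "shop.example.com"))
	profile, err := authenticateClient(alice, trusted, profiles)
	fmt.Println("ALICE's client cert:", profile, err)
	profile, err = authenticateClient(bob, trusted, profiles)
	fmt.Println("BOB's client cert:  ", profile, err)
}
```

Run with go run; each line prints nil for an accepted certificate and the verification error otherwise. The profile table is keyed by the exact certificate bytes rather than by the CommonName on purpose: once a root is trusted, any name that CA chooses to sign would otherwise pass, which is exactly the risk of relying on the trusted root alone.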

Browser: Browsers that support these SSL features are Netscape Navigator 4.0 and higher and Microsoft Internet Explorer 4.0 and higher.

Even conservative estimates of worldwide Internet use add more people on-line with each passing day. Doing everything possible to offer each of them secure and reliable e-business distinguishes world-class enterprises from second-class ones.

Mark Buchner is president and founder of Astech Solutions Inc. (Aurora, Ontario), which applies technology to the practical needs of the AS/400 market. Mbuchner@astech.com.