Secure communication with Transport Layer Security (TLS)
Transport Layer Security (TLS) is a security protocol that uses verified certificates and encryption keys to secure communications over the internet. TLS is an update to the Secure Sockets Layer (SSL) protocol.
You can enable TLS on your Open Liberty server to protect communications to and from applications on the server. TLS helps ensure that sensitive data such as user passwords, credit card numbers, and other personal information can be transmitted securely between a client and server. It is also an important protocol for authenticated access to websites. Securing the transmission of authentication tokens such as JSON Web Tokens with TLS helps ensure that user credentials are not exposed as they are passed among different applications and services.
TLS protocol
TLS provides end-to-end authentication, confidentiality, and data integrity for internet communications. Before any data is sent between a client and server, TLS confirms that each party is who they claim to be through the exchange of asymmetrically encrypted keys and digitally signed certificates. During the TLS handshake, the client and server agree on an encryption algorithm and a shared secret key that are used for that session only. Any data that is transmitted is encrypted by using that algorithm and key, which only the communicating parties can access. Furthermore, TLS-secured messages establish data integrity by creating a digital signature that the receiver uses to verify that a message was not tampered with during transmission.
TLS handshakes
The TLS handshake is a process by which a client and server set the terms for secure communications during a connection. The handshake occurs before any data is exchanged. Through this process, the client and server agree on a version of the TLS protocol, select cryptographic algorithms that are called cipher suites, and authenticate one another by exchanging and verifying digital certificates. These digital certificates are data files that contain cryptographic keys and other identifying information about a client or server. TLS certificates are digitally signed by a certificate authority, which acts as a trusted third party that can verify the identity of the parties that are exchanging information.
If one or both parties do not recognize a TLS certificate, the handshake fails and the secure connection is not established. A handshake can fail for different reasons, such as an expired certificate, or a mismatch between the TLS versions that are used by the client and server.
TLS and Open Liberty
To configure TLS for your Open Liberty server, enable the Transport Security feature. You can configure the feature to specify how the details of the TLS handshake and other aspects of the TLS protocol are implemented for your application.
You can also create and configure a TLS certificate for your Open Liberty server by running the securityUtility createSSLCertificate command.
TLS certificate revocation checks with OCSP
The online certificate status protocol (OCSP) is an internet protocol that web browsers use to determine whether a TLS certificate is valid or revoked. It provides a standardized way for a certificate authority to share the status of any issued certificates so that they can be verified by web servers or web browser clients.
Open Liberty does not check certificate revocations and instead relies on the underlying Java software development kit (SDK) to handle certificate revocation checking. You can configure your SDK to check for certificate revocation by setting Java security properties. For more information, see the Java SE documentation for OCSP Support for PKI.
TLS and SSL
Before the wide adoption of the TLS protocol, SSL was the standard protocol to secure web communications. Over time, many security vulnerabilities were identified for SSL and it is no longer in widespread use. However, for historical reasons, the term SSL is often used to refer to encrypted network connections even when TLS is in use. In Open Liberty, the term SSL is still used in feature and configuration names, even though TLS is the underlying protocol. Effectively, SSL is now a synonym for TLS.
Hostname verification is enabled by default. For more information on Hostname verification, see Transport Security.