I obtained certifcate from comoda.
Configured in tomcat and able to access using https.
I need to encrypt the data and decrypt the same using anyother encryption method?
Or ssl itself take care of encryption and decryption.
I have to use public certificate for encryption and pass it to webservice which will decrypt it using a private key.
To achive that configure ssl is enough or do the encrption/ decryption in java layer?
A SSL Certificate is used to encrypt the traffic while in transit, between the webserver and the end-users browser.
It’s sole purpose is to make ‘listening on the wire’ useless.
Normally your webserver takes care of Encryption/Decryption of the in-transit traffic even as the users browser, if you store that input/output in e.g. a Database then the SSL certificate is not going to help encrypting that data. For that you need to make sure the programming language used to ‘store’ the data in the database uses encryption routines, or you could let the database take care of encrypting data in certain databases/tables etc.
Please have a look at the information that can be found on OWASP for securing web applications/services/servers
Once you configured you webserver make sure to test it for good SSL configuration (you can have SSL but bad config and your system is still vulnerable)
SSL Server Test (Powered by Qualys SSL Labs) please tick the box ‘Do not show the results on the boards’ if you would like to keep your site from showing up in the general results.
Here is a guide in to helping install the Certificate in your Web server
While sending request to WS (xml), passowrd need to be encrypted.
We dont have idea about how it stored in DB.
While propagating request it should be secure (encrypted).
Please provide the approach.
Would you please provide link to “How to install the certificate in Weblogic 12C server”?
I could n’t find in the URL.
For configuring SSL on Oracle Weblogic 12c, please have a look at their system documentation here
Let me make sure I understand correctly.
You are trying to send a web request to a web service, and the XML service does user authentication.
The credentials needed in this challenge need to be encrypted during transmission?
SSL will handle this, if the client makes a HTTPS connection to your web service, the client will first build an encrypted tunnel to your web service.
If you then send the challenge uid/pw to the web service this will be encrypted in transit, Weblogic 12c will decrypt and provide the clear data to the application.
If you setup a configuration like this, I’d advise to run the application ONLY on HTTPS and remove listening on plain HTTP.
An attacker could trick your client in to forcing the traffic to run over HTTP and then Tunnel the ‘hacked’ traffic via HTTPS to your server.
If the application uses session cookies, make sure they are set to ‘cookie type secure’ so that they can’t be retrieved by HTTP request interception.
It is clear now.
If the data in DB is encrypted, have to do decryption (manually) after that SSL will take care.
Is it correct?
Let’s see if this makes things more clear.
The red piece is where SSL certificate helps, the rest is ‘plain-text’ unless someone specifically configured or coded in the Application that the SQL statement that read/writes uses some form of ‘encryption’ other then that provided by an SSL cert, e.g. een implementation of AES at application level, or maybe even something that the Database supports
[Client]->[Browser + SSL]—> Internet → [Web server + SSL] → [Application, SQL] → Database
If the application and database reside on different systems it is possible to encrypt the network traffic between the SQL client and database server again.
But this still does not prevent the application from writing plain-text in to a database field. The network is only the transportation not the final destination.
So if an attacker finds a SQL Injection vulnerability in your application it would be perfectly able to ‘steal’ your database and ‘read’ the contents over an encrypted connection.