
Middle-Tier Security

Using Secure Sockets Layer (SSL) for Web Applications


Overview of SSL

Secure Sockets Layer (SSL) is a protocol that provides network security and privacy. Developed by Netscape Communications, SSL uses encryption algorithms that include RC2, RC4, DES, TripleDES, IDEA, MD5, and others. In addition to providing encryption services, SSL uses trusted certificates to perform client and server authentication, and it uses message authentication codes to ensure data integrity. SSL is supported by both Firefox and Internet Explorer. Many Web sites use the protocol to protect confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection begin with HTTPS instead of HTTP. The SSL protocol is application independent and allows protocols such as HTTP, FTP, and Telnet to be transparently layered above it. SSL is optimized for HTTP. SSL includes software that was developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information, see http://www.openssl.org.

This documentation assumes that you have a basic understanding of SSL, and that you know how to obtain and use trusted certificates. See your Web application server's documentation for SSL implementation details at the following Web sites:

Also, see http://support.sas.com/resources/thirdpartysupport/v92.

Note: Transport Layer Security (TLS) is the successor to SSL V3.0. The Internet Engineering Task Force (IETF) adopted SSL V3.0 as the de facto standard and renamed it TLS. Throughout this document, any reference to SSL also applies to TLS.


Set Up the SSL Environment for Your Web Application Server

After you have configured the Web application server for SSL, the Java Runtime Environment (JRE) in which the Web applications run will be ready to provide certificates in response to client requests.

If Web applications that communicate with each other are distributed across different machines, then the JRE that is used by each application requires a certificate. For example, suppose that a user logs on to the SAS Information Delivery Portal. If the user clicks on a report from within the portal, then the portal invokes SAS Web Report Studio in order to display the report (if the user has the appropriate capability assigned for viewing the report with SAS Web Report Studio).

If the portal and SAS Web Report Studio run on different machines, then the certificate must reside in the JRE for each machine. Because the portal communicates directly with SAS Web Report Studio, and SAS Web Report Studio sends the requested page back to the portal, the portal's JRE must have the certificate that is used by the JRE for SAS Web Report Studio.

If the applications run on different Web application servers within the same host, you should configure the JRE for each Web application server.


SSL for SAS Web Applications

After you have copied the keystore file to the appropriate directory in your Web application server, and edited the applicable configuration file or settings to enable SSL, you specify the https protocol and ports for SAS Web applications. This step ensures that the appropriate SAS Web applications will use the https protocol. See Step 1: Specify https Protocol and Port Number.

One-way SSL enables the application operating as the SSL client to verify the identity of the Web application server that is operating as the SSL server. In two-way SSL, the SSL client application verifies the identity of the Web application server, and then the Web application server verifies the identity of the SSL-client application. In two-way SSL, the application presents its certificate to the Web application server after the Web application server authenticates itself to the SSL client application.

You can configure one-way or two-way SSL. For more information, see:


One-Way SSL for SAS Information Delivery Portal

You can configure one-way SSL for SAS Information Delivery Portal by specifying the https protocol and ports in the SAS Management Console Configuration Manager for the portal and other SAS applications that are used by the portal. SAS Information Delivery Portal uses the SAS Content Server and the following SAS applications:

When SSL is configured one way, all communications from all applications to the Web application server are encrypted and protected by SSL. However, encrypting and decrypting all communications might consume more resources and impact performance. For efficient use of resources, you can encrypt some of the communications by applying the https protocol to specific SAS applications. For example, SAS Web Application Themes and Help Viewer Meta Config use static content. Therefore, you can allow the SAS Web Application Themes and SAS Help Viewer Meta Config applications to use the regular http protocol and port numbers, and configure all of the other applications shown above to use the https protocol and port number.

Mixing the http and https protocols can make the environment more efficient, because not all communications are encrypted and protected by SSL. If you mix the http and https protocols, make sure that the SAS Logon Manager uses the https protocol. In addition, there are other considerations that might apply to your Web application server. For example, when you mix the protocols and your SAS Web applications are deployed in the Web application server, both the HTTP port and the HTTPS port must remain open and be available for use.


Step 1: Specify https Protocol and Port Number

To specify the https protocol and port number for the SAS Information Delivery Portal and other applications used by the portal, follow these steps:

  1. In SAS Management Console, navigate to Plug-ins > Application Management > Configuration Manager > Information Delivery Portal 4.2 and right-click to display the Information Delivery Portal 4.2 Properties dialog box.

  2. Click the Connection tab.

  3. In the Connection tab, modify the Communication Protocol field to display HTTPS.

  4. In the Port Number field, enter the appropriate port number for the https protocol. For example, the default port numbers for the Web application servers are as follows: 8443 for JBoss, 7002 for WebLogic, and 9443 for WebSphere.

  5. Click OK to exit the Information Delivery Portal 4.2 Properties dialog box.

  6. To specify the https protocol and port number for other SAS applications, repeat the preceding steps for these applications:

    • SAS Logon Manager

    • SAS Package Viewer

    • SAS Preferences Manager

    • SAS Help Viewer

    • SAS Web Application Themes

    • SAS Stored Process

Next, specify the https protocol and port number for the SAS Content Server. See Step 2: Specify https Protocol and Port Number for the SAS Content Server.


Step 2: Specify https Protocol and Port Number for the SAS Content Server

When you configure SSL for SAS Information Delivery Portal, specify the https protocol and port number for the SAS Content Server. To specify the https protocol and ports for the SAS Content Server, follow these steps:

  1. In SAS Management Console, navigate to Plug-ins > Server Manager > SAS Content Server and select it to display Connection:SAS Content Server in the right-side panel of SAS Management Console.

  2. Select Connection:SAS Content Server, right-click, and select Properties.

  3. On the Options tab, modify the Application protocol field to display https.

  4. In the Port number field, enter the correct port number. The default port numbers for the Web application servers are as follows: 8443 for JBoss, 7002 for WebLogic, and 9443 for WebSphere.

  5. Click OK to save your settings and exit the Connection: SAS Content Server Properties dialog box.

Note that these changes go into effect when you start your Web application server.


Step 3: Update Remote Portlets for SSL

If you have remote portlets, update the protocol and port numbers for those portlets. Update the URL within the portlet.xml file, recreate the PAR file, and redeploy it.
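One way to find the URLs that still use plain http before you recreate the PAR file (an added example, not SAS code). The element and attribute names in the sample, the `SalesPortlet` paths, and the 8080-to-8443 port mapping are assumptions; substitute the contents of your own portlet.xml and your server's ports.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: element and attribute names are placeholders,
# not the real SAS portlet.xml schema.
SAMPLE_PORTLET_XML = """<portlets>
  <portlet name="SalesSummary">
    <remote-url>http://yourmachine.company.com:8080/SalesPortlet/show</remote-url>
    <icon href="https://yourmachine.company.com:8443/SalesPortlet/icon.gif"/>
  </portlet>
</portlets>"""

# Assumption: the old HTTP listener was 8080 and the SSL listener is 8443.
PORT_MAP = {8080: 8443}


def find_plain_http(xml_text):
    """Return (location, url) for each http:// URL in element text or attributes."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        values = [(elem.tag, elem.text)]
        values += [(f"{elem.tag}@{k}", v) for k, v in elem.attrib.items()]
        for where, value in values:
            if value and value.strip().lower().startswith("http://"):
                hits.append((where, value.strip()))
    return hits


def to_https(url, port_map):
    """Rewrite an http URL to https, translating the port through port_map."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): leave untouched
    old_port = parts.port or 80
    if old_port not in port_map:
        raise ValueError(f"no https port known for {url!r}")
    host = parts.hostname
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{port_map[old_port]}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def plan_updates(xml_text, port_map):
    """List (location, old_url, new_url) for every URL that must change."""
    return [(w, u, to_https(u, port_map)) for w, u in find_plain_http(xml_text)]


if __name__ == "__main__":
    for where, old, new in plan_updates(SAMPLE_PORTLET_XML, PORT_MAP):
        print(f"{where}: {old} -> {new}")
```

A URL whose port is not in the mapping raises an error instead of being rewritten with a guessed port, so an unexpected endpoint is reviewed by hand.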


Step 4: Restart the SAS Remote Services Application and the Web Application Server

Stop and restart the SAS Remote Services and the Web application server.


Step 5: Verify the SSL Connection

To verify the SSL connection, log on to the appropriate URL that is configured with SSL. For example:

https://yourmachine.company.com:8443/SASPortal


Two-Way SSL for SAS Information Delivery Portal

To configure two-way SSL for SAS Information Delivery Portal, you must complete additional steps beyond the procedures that apply to one-way SSL. With two-way SSL, you create a new, unique client certificate, install it in the client (the Web browser), and configure your Web application server to ask for and accept this certificate. Here is a brief summary of steps to be followed when you configure two-way SSL:

For information about configuration, see your vendor documentation. Also, see http://support.sas.com/resources/thirdpartysupport/v92/.
