A.1 Understanding the Public Key Infrastructure and TLS Components to Establish Secure Communication

To be able to configure secure communication between Single Sign-on and applications that require secure communication, requires that you have a good understanding of the components that allow the secure communication to occur. Single Sign-on uses industry standards of X.509 certificates, public key infrastructure (PKI), and transport layer security (TLS).

This section provides a basic introductions to these components. For more detailed information, see:

You want to secure the communication channels between servers and clients to protect your data and stop security breaches from happening in your environment. The following graphic depicts the different components required for secure communication using certificates, PKI, TLS, and tools to manage the keys.

Figure A-1 Components of Secure Communications

The secure communication occurs between a server and a client. In the graphic, that is a web server and the browser is the client. The following items are the terms that you need to understand to create a secure connection between a server and a client.

  • Certificate Authority: It is an entity that issues digital certificates. A certificate authority (CA) acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. There are two different types of CAs.

    • Well-known: It is certificate authority that provide server certificates signed by well-known CAs such as IdenTrust or DigiCert.

    • Self-signed: It is a certificate authority that other products such as openSSL, eDirectory, and Active Directory that contain a certificate authority. You can create self-signed certificates through the certificate authorities in these other products to use in test environments.

    A security recommendation is to use a well-known CA to issue certificates in productions environments.

  • Public Key Infrastructure (PKI) Certificates: Are are digital certificates that the CA issues that prove ownership of the certificate. The CA can issue certificates for users, applications, or devices. The PKI certificates contain the following information:

    • Version number

    • Unique serial number

    • CA digital signature and algorithm used

    • Validity period

    • Certificate Usage

    • Subject name, URL, email address

    • Public and private keys (sometimes it is only the public key)

  • Key Pair: Consists of a private key and public key that work together to encrypt and decrypt messages. PKI is based on the fact that everyone will trust any communication encrypted with a public key or trust any certificate signed by a private key.

    • Private Key: It is an cryptographic key that you use it to decrypt any communication encrypted by the public key. Only the private key of the key pair can decrypt the communication encrypted with the corresponding public key. You keep the private key private and do not share it.

    • Public Key: It is a cryptographic key that you use to encrypt communications to keep the communication secure. Only someone with the private key can decrypt the communications. You share the public key so that anyone with access to the public key can verify that any communication signed with this public key is really from the sending source.

  • Certificate Revocation List: It is a list that the CA creates and manage that contains a list of unique serial numbers that it has revoked. The CA uses the certificate revocation list (CLR) to denied requests from any user, application, or device that contain a serial number on the CLR.

  • Certificate Signing Request: It is a message sent from an applicant to the CA to apply for a PKI certificate. Usually the certificate signing request (CSR) contains a copy of the public key of the applicant making the request, identifying information such as a domain name, and a digital signature.

  • KeyStore: It is a secure Java repository that stores the private key and identity certificate for the server in the trust relationship. The information is stored encrypted on the server with a KeyStore password that you set and manage. Use either the keytool or keytoolgui tools to set and manage the KeyStore passwords.

  • TrustStore: It is a secure Java repository that stores the certificates signed by a CA in a secure repository on the client. The information is stored and encrypted on the client with a TrustStore password that you set and manage. Use either the keytool or keytoolgui tools to set and manage the TrustStore passwords.

  • Transport Layer Security Protocol: It is the secure protocol created by all of the components defined in this section. It allows the server and client to communicate securely by using certificates and key pairs to prove identity on the server and client.