
hackapps book hack proofing your web applications part 9 potx


Chapter 11 • Developing Security-Enabled Applications

2. Click Console, then click Add/Remove snap-in to call up the Add/Remove snap-in window.
3. Click Add and select Certificates from the list of snap-ins, as seen in Figure 11.16.
4. Click Add to place a snap-in in the MMC.

Now that the console is loaded, we can use Certificate Server to manage certificate requests, revocation lists, and certificate issuance. Microsoft seems to have created a very easy-to-manage system: clients make requests to a certificate server, the request is checked and processed, and a certificate is either issued or the request is denied. Clients can request certificates via a Web form as shown in Figure 11.17, through their own Certificates MMC snap-in, or through an auto-enrollment policy if the users are part of a Windows 2000 Active Directory. After a certificate request is processed and approved, a certificate is generated and the client can retrieve and install their certificate. The Certification Authority keeps track of approved issued certificates by organizing them in directories in the database, as shown in Figure 11.18.

www.syngress.com

Figure 11.16 Add Snap-In Screen

As Figure 11.18 shows, revoked, pending, and failed certificate requests are also logged by the CA. This makes the CA capable of recognizing certificates at all stages of their life cycle. The main benefit of this is that hackers trying to use a revoked or expired certificate to access an application or Web site will be denied access by the CA, because it knows which certificates are valid and which are not.

Figure 11.17 Certificate Request Web Page
Figure 11.18 Issued Certificate Logged in the CA MMC Snap-In

Finally, Certificate Services can be used to revoke certificates that have become invalid for some reason by publishing them to a Certificate Revocation List. The revocation wizard allows you to revoke a certificate for specific reasons or for any of a few known errors with the certificate. Although much simpler to configure than Netscape’s CMS, Microsoft Certificate Services offers full certificate management functionality and compatibility with LDAP, S/MIME, SSL, HTTPS, and Microsoft’s Encrypting File Service.

Netscape Certificate Server

For a while in the early 1990s, Netscape enjoyed the top spot as the most popular Web software package. Small enough to fit on a single floppy disk, the Netscape Navigator Web browser took the computing world by storm and made the Internet a lot more appealing to those of us old enough to be familiar with browsing through line after line of text on Web sites at some Unix terminal in the university computer lab. Netscape’s suite of applications has quietly flourished and come a long way in complexity and robustness since those days. Netscape/iPlanet Certificate Management System is the leading Windows-based alternative for employing certificate-based security. You must first install the CMS before you can use it, so let’s proceed with our implementation. Netscape Certificate Management Server is part of the suite of Netscape Server products, so you must install the Netscape Servers as a group.

Installation of Netscape Certificate Server

1. Click Start and select Run.
2. Click Browse and locate the Setup.exe file.
3. Click OK to begin the installation. The installation splash screen appears.
4. Click Next until the server setup screen appears. Select Netscape Servers for installation and click Next.
5. The next screen gives you the opportunity to select the type of server installation you wish to perform: Express, Typical, or Custom. Select Express and click Next.
6. The selection screen for the components you wish to install appears on the next screen, shown in Figure 11.19. Keep the components selected, because all these components are required for the Certificate Management System. Click Next to continue.
7. Click Next past the following screen to get to the Configuration Directory Server Administrator screen. Enter and confirm a password for the Directory Server Administrator account. The password must be at least eight characters in length. Click Next.
8. The next screen allows you to define an administration domain. Enter the name of the administration domain and click Next to proceed to the next configuration screen.
9. Click Next through the next few screens to confirm the settings and complete the installation.

Now let’s configure the Netscape Servers. The first step in configuring the servers is to generate a CA certificate and any other certificates the server needs in order to properly sign and authenticate clients.

Figure 11.19 Server Component Selection Screen

1. The configuration process begins by specifying the port the CMS will use for SSL, as shown in Figure 11.20. Click Next to continue from this screen.
2. We now have to decide which CA we would like to sign our certificate request. Usually a request would be made to a well-known CA from the trusted root CA list; however, for our purposes we elect to have the server submit the request to itself, as shown in Figure 11.21. Click Next to continue.
3. Now a cryptographic cipher must be created for the key pair and the key length must be specified. The longer the key, the stronger the security the key pair represents. After the key length is defined (see Figure 11.22), click Next to continue. A hashing algorithm for authentication must be selected next. The default algorithm is SHA1. Click Next to accept the default and continue.
4. The certificate extensions screen allows you to select the types of certificates you can issue and sign with your CA. We select the types that best suit our purpose, as shown in Figure 11.23. Click Next to continue.
5. You are again asked which CA you would like to sign the certificate. Because we are using our own CA, we select the Sign SSL Certificate with my CA Signing Certificate option (see Figure 11.24) and click Next to bring us to the Single sign-on password screen.
6. In the field required in the Single sign-on password screen (see Figure 11.25), enter a password at least eight characters long and confirm it in the next field. Click Next twice to complete configuration. You may now go to the Administration SSL Web page to request an Administrator/Agent certificate. Your basic configuration is complete.

Figure 11.20 SSL Port Configuration
Figure 11.21 Select a CA to Sign Certificate
Figure 11.22 Select Cryptography Token, Key Type, and Key Length
Figure 11.23 Select the Certificate Extensions that CA Can Sign and Issue
Figure 11.24 SSL Server Certificate Signing

Administering Netscape CMS

Administering Netscape CMS involves six general tasks:

1. Starting, stopping, and restarting the server.
2. Changing configuration.
3. Configuring certificate issuance and management policies.
4. Adding or modifying privileged-user and group information.
5. Setting up authentication mechanisms for users who may request services from the server.
6. Performing routine server maintenance tasks such as monitoring logs and backing up server data.

We take a look at where on the server these tasks are performed. Most of these tasks are performed in one of the three tabs of the CMS window. The CMS window is a Java-based GUI designed to facilitate administration and certificate management. Figure 11.26 introduces us to the first tab on the CMS window: the Tasks tab.

Figure 11.25 Create Single Sign-On Password

The Tasks tab allows us to start, stop, and restart the CMS. It also allows us to create or enroll for certificates. We now move on to the Configuration tab. The Configuration tab is where the majority of the administration tasks of the CMS are done. In the Configuration tab (shown in Figure 11.27), we can create users and groups, set up authentication, schedule certificate processing jobs, create certificate revocation, request, and issuance policies, configure SMTP mail, configure encryption, and schedule the management of CRL publishing. We can also configure the network ports used for SSL administration and define the authentication methods used with the certificates and the server.

The CMS Status tab is where we go to check the logs for the server (see Figure 11.28). Here we can see failed and successful certificate creation, certificate requests and issuance, and just about any process the server performs.

Figure 11.26 The CMS Tasks Tab
Figure 11.27 The CMS Configuration Tab
Figure 11.28 CMS Status Tab

[...]
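The issue, log, revoke and CRL-publish cycle that both Certificate Services and Netscape CMS drive from their GUIs, replayed with a throw-away OpenSSL CA as an added example (not code from the book or from either product); the CA name, the client name alice, the file layout and the reason code are made up, and openssl 1.1.1 or later is assumed.

```shell
# Constructed example (not the book's code): a throw-away OpenSSL CA that logs
# issued certs, publishes a CRL and rejects a revoked cert; names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal "openssl ca" setup; index.txt is the issued/revoked log that the
# CA MMC snap-in presents as directories in its database.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
# The CA signs its own request, as in step 2 of the Netscape walkthrough.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.csr 2>/dev/null
openssl ca -config ca.cnf -selfsign -batch -extensions v3_ca -days 365 \
  -keyfile ca.key -in ca.csr -out ca.crt 2>/dev/null
# issue NAME: enrol a client; openssl ca records the certificate in index.txt.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -days 30 -in "$1.csr" -out "$1.crt" 2>/dev/null
}
# check CERT: publish the current CRL, then validate CERT against CA + CRL as a
# relying party would; prints "valid" or "rejected".
check() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > trust.pem
  if openssl verify -crl_check -CAfile trust.pem "$1" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}
issue alice
check alice.crt   # valid: issued by this CA and absent from the CRL
openssl ca -config ca.cnf -revoke alice.crt -crl_reason keyCompromise 2>/dev/null
check alice.crt   # rejected: its serial is now on the published CRL
```

After the revocation, index.txt carries an R entry for alice next to the V entries of still-valid certificates, which is the text equivalent of the issued/revoked listing in Figure 11.18; the denial only happens because the relying party fetches the CRL, so a CA that logs revocations without publishing them protects nothing.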
[...] dimension to your security implementation would be to monitor attacks on your application or your Web infrastructure as a whole. This way you can be aware of attacks and be better prepared to defend against attacks that transcend your current levels of security. Security is an ongoing process.

[...] e-mail, Web browser sessions, and data encryption.

Chapter 12 Cradle to Grave: Working with a Security Plan
Solutions in this chapter: Examining Your Code; Being Aware of Code Vulnerabilities; Using Common Sense When Coding; Creating a Security Plan; Summary; Solutions Fast Track; Frequently Asked Questions

[...] more than one Web application at the same time. One certificate with a public key can grant a user rights to access secure e-mail, secure pages on an e-commerce Web site, and transfer encrypted data over the Internet through a virtual private network.

Implementing PKI in Your Web Infrastructure [...]

[...] security.

Solutions Fast Track
The Benefits of Using Security-Enabled Applications
A decent hacker can exploit weaknesses in any application, after he is familiar with the language it was created in. Not everyone in your organization needs access to all information. A means of authentication, [...]

[...] level. Look deep into the code. Ask your co-workers to “crack” your code. Work together to protect your company against attacks from both the outside and the inside. By reviewing your code and then testing it, followed by your co-workers attempting to hack into your code, you are taking serious [...]

[...] the security you use renders your site impenetrable by unauthorized clients or at least takes so much effort to penetrate that hackers don’t want to invest the time or effort required. Trying to crack the security on your Web application or penetrate your Web infrastructure’s security should be performed the same way a hacker would try to break in to your systems or damage your application. The security [...]

[...] scenario.

Q: Is there a need to use both SSL and PGP in application environments?
A: Though SSL and PGP can work together, it is not necessary to use them both in the same environment. PGP is best suited for e-mail applications whereas SSL is best suited for Web client-server authentication [...]

[...] topic relevant to Hack Proofing Your Web Applications. This last chapter deals with not only tying all of the previously discussed methods together, but also introducing a security plan. Very often, simple common sense will assist you greatly. As hard as you try, chances are good that your Web site still will not be secure enough to protect your organization from all attacks by malicious hackers. At the very [...]

Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about [...]

[...] you write probably contains vulnerabilities will go a long way in helping to lessen the chance of a security breach within your Web applications. We would hope that if your organization is not doing code reviews, they are at least running development work by a QA team prior to release to [...]

Summary
You [...]

[...] in applications was a certificate, a digital representation of a computer’s identity.

[...] solution in our particular environment.

[...] Testing methods should involve performance [...]

Posted on: 14/08/2014, 04:21
