Ifall virtual hosts on a single IP address need to authenticate against the same certicate, the
additionof multiple virtual hosts probably will not interfere with normal SSL operations on the
server.Be aware, however, that most browsers will compare the server's domain name against
thedomain name listed in the certicate, if any (applicable primarily to ocial, CA-signed
certicates).If the domain names do not match, these browsers display a warning. In general,
onlyaddress-based virtual hosts are commonly used with SSL in a production environment.
About Firewalls
Arewallcontrols the ow of data between two or more networks, and manages the links
betweenthe networks. A rewall can consist of both hardware and software elements. This
sectiondescribes some common rewall architectures and their conguration. The information
herepertains primarily to the Enterprise Server. For details about a specic rewall technology,
referto the documentation from your rewall vendor.
Ingeneral, congure the rewalls so that clients can access the necessary TCP/IP ports. For
example,if the HTTP listener is operating on port 8080, congure the rewall to allow HTTP
requestson port 8080 only. Likewise, if HTTPS requests are setup for port 8181, you must
congurethe rewalls to allow HTTPS requests on port 8181.
Ifdirect Remote Method Invocations over Internet Inter-ORB Protocol (RMI-IIOP)access
fromthe Internet to EJB modules are required, open the RMI-IIOP listener port as well, but this
isstrongly discouraged because it creates security risks.
Indouble rewall architecture, you must congure the outer rewall to allow for HTTP and
HTTPStransactions. You must congure the inner rewall to allow the HTTP server plug-in to
communicatewith the Enterprise Server behind the rewall.
About Certicate Files
Installationof the Enterprise Server generates a digital certicate in JSSE (Java Secure Socket
Extension)or NSS (Network Security Services) format suitable for internal testing. By default,
theEnterprise Server stores its certicate information in a certicate database in the
domain-dir/configdirectory:
Keystorele,key3.db, contains the Enterprise Server's certicate, including its private key.
Thekeystore le is protected with a password. Change the password using the asadmin
change-master-passwordcommand.
Eachkeystore entry has a unique alias. After installation, the Enterprise Server keystore has
asingle entry with alias s1as.
Truststorele,cert8.db, contains the Enterprise Server's trusted certicates, including
publickeys for other entities. For a trusted certicate, the server has conrmed that the
publickey in the certicate belongs to the certicate's owner. Trusted certicates generally
includethose of certication authorities (CAs).
AboutCerticate Files
Chapter9 • Conguring Security 111