If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts probably will not interfere with normal SSL operations on the server. Be aware, however, that most browsers will compare the server's domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers display a warning. In general, only address-based virtual hosts are commonly used with SSL in a production environment.
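The browser-side comparison described above can be modelled in a few lines of Python. The following is an added example and is not part of the Enterprise Server documentation; the certificate names and virtual host names in it are constructed. It shows which name-based virtual hosts sharing one certificate on one IP address would trigger the name-mismatch warning, including the common wildcard case (one leftmost label only):

```python
"""Model the browser check that compares the requested host name with the
names in the server certificate.  Added example; the certificate names and
virtual host names below are constructed, not taken from any real server."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name covers the requested host name.

    Comparison is case-insensitive.  A wildcard is honoured only as the whole
    leftmost label (for example *.example.com), the way mainstream browsers
    treat it: it covers exactly one label, so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix_labels = cert_name[2:].split(".")
    host_labels = hostname.split(".")
    return (len(host_labels) == len(suffix_labels) + 1
            and host_labels[0] != ""
            and host_labels[1:] == suffix_labels)


def browser_names(subject_cn: str, san_dns=()) -> list:
    """Names a browser considers: the subjectAltName dNSName entries when the
    certificate carries any, otherwise the subject CN alone."""
    return list(san_dns) if san_dns else [subject_cn]


def hostname_matches(names, hostname: str) -> bool:
    """True if any certificate name covers the host name."""
    return any(name_matches(n, hostname) for n in names)


def vhosts_with_warning(names, virtual_hosts) -> list:
    """Virtual hosts that would trigger a certificate-name warning when served
    from one IP address with a single certificate carrying `names`."""
    return [v for v in virtual_hosts if not hostname_matches(names, v)]


# Constructed scenario: one certificate shared by four name-based virtual
# hosts on the same IP address.
SHARED_CERT_NAMES = browser_names("www.example.com",
                                  san_dns=("www.example.com", "shop.example.com"))
VIRTUAL_HOSTS = ["www.example.com", "shop.example.com",
                 "blog.example.com", "www.example.org"]

if __name__ == "__main__":
    for host in VIRTUAL_HOSTS:
        status = ("ok" if hostname_matches(SHARED_CERT_NAMES, host)
                  else "WARNING: certificate name mismatch")
        print(f"{host:20} {status}")
```

Running the block lists blog.example.com and www.example.org as the hosts that would produce a warning, which is why the text recommends address-based virtual hosts (one IP address, one certificate per host) for SSL in production.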
About Firewalls

A firewall controls the flow of data between two or more networks, and manages the links between the networks. A firewall can consist of both hardware and software elements. This section describes some common firewall architectures and their configuration. The information here pertains primarily to the Enterprise Server. For details about a specific firewall technology, refer to the documentation from your firewall vendor.
In general, configure the firewalls so that clients can access the necessary TCP/IP ports. For example, if the HTTP listener is operating on port 8080, configure the firewall to allow HTTP requests on port 8080 only. Likewise, if HTTPS requests are set up for port 8181, you must configure the firewalls to allow HTTPS requests on port 8181.
If direct Remote Method Invocation over Internet Inter-ORB Protocol (RMI-IIOP) access from the Internet to EJB modules is required, open the RMI-IIOP listener port as well, but this is strongly discouraged because it creates security risks.
In a double firewall architecture, you must configure the outer firewall to allow HTTP and HTTPS transactions. You must configure the inner firewall to allow the HTTP server plug-in to communicate with the Enterprise Server behind the firewall.
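The port rules above and the double firewall architecture can be checked mechanically against a listener configuration. The following is an added example and is not part of the Enterprise Server documentation or its tools: a small audit that reports listener ports blocked for clients, ports open without a listener, an RMI-IIOP listener exposed to the Internet, and an inner firewall that admits Internet traffic directly. The listener names, the 3700 RMI-IIOP port and the rule sets are constructed; only 8080 and 8181 come from the text.

```python
"""Audit outer and inner firewall allow-lists against the Enterprise Server
listeners they must expose.  Added example with constructed listener and
rule data; 8080 and 8181 are the ports used in the text, 3700 is an assumed
RMI-IIOP listener port, and the zone names are arbitrary labels."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    port: int
    protocol: str          # "http", "https" or "rmi-iiop"


@dataclass(frozen=True)
class AllowRule:
    source: str            # zone the traffic arrives from: "internet" or "web-tier"
    port: int              # TCP port the rule opens towards the Enterprise Server


# Constructed listener set.
LISTENERS = (
    Listener("http-listener-1", 8080, "http"),
    Listener("http-listener-2", 8181, "https"),
    Listener("orb-listener-1", 3700, "rmi-iiop"),   # assumed port
)

WEB_PROTOCOLS = ("http", "https")


def open_ports(rules, source):
    """Ports a given source zone may reach under this rule set."""
    return {r.port for r in rules if r.source == source}


def audit_outer_firewall(rules, listeners=LISTENERS):
    """Outer firewall: Internet clients need the HTTP and HTTPS listener ports
    and nothing else.  Returns a list of findings; empty means compliant."""
    findings = []
    opened = open_ports(rules, "internet")
    listener_ports = {lst.port for lst in listeners}
    for lst in listeners:
        if lst.protocol in WEB_PROTOCOLS and lst.port not in opened:
            findings.append(f"{lst.name}: {lst.protocol.upper()} port {lst.port} "
                            "is blocked; clients cannot connect")
        if lst.protocol == "rmi-iiop" and lst.port in opened:
            findings.append(f"{lst.name}: RMI-IIOP port {lst.port} is reachable "
                            "from the Internet (strongly discouraged)")
    for port in sorted(opened - listener_ports):
        findings.append(f"port {port} is open from the Internet but no listener uses it")
    return findings


def audit_inner_firewall(rules, listeners=LISTENERS):
    """Inner firewall: only the HTTP server plug-in in the web tier may reach
    the Enterprise Server; nothing may arrive directly from the Internet."""
    findings = []
    if open_ports(rules, "internet"):
        findings.append("inner firewall admits traffic directly from the Internet")
    opened = open_ports(rules, "web-tier")
    for lst in listeners:
        if lst.protocol in WEB_PROTOCOLS and lst.port not in opened:
            findings.append(f"{lst.name}: plug-in cannot reach port {lst.port} "
                            "through the inner firewall")
    return findings


# Constructed rule sets: a compliant pair and a pair with typical mistakes.
OUTER_OK = (AllowRule("internet", 8080), AllowRule("internet", 8181))
INNER_OK = (AllowRule("web-tier", 8080), AllowRule("web-tier", 8181))
OUTER_BAD = OUTER_OK + (AllowRule("internet", 3700), AllowRule("internet", 9999))
INNER_BAD = (AllowRule("internet", 8080), AllowRule("web-tier", 8080))

if __name__ == "__main__":
    for label, audit, rules in (("outer", audit_outer_firewall, OUTER_BAD),
                                ("inner", audit_inner_firewall, INNER_BAD)):
        print(f"{label} firewall:")
        for finding in audit(rules):
            print("  -", finding)
```

Run against the compliant rule sets both audits return no findings; against the faulty ones the outer audit reports the exposed RMI-IIOP port and the unused open port, and the inner audit reports the direct Internet path and the HTTPS port the plug-in cannot reach.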
About Certificate Files

Installation of the Enterprise Server generates a digital certificate in JSSE (Java Secure Socket Extension) or NSS (Network Security Services) format suitable for internal testing. By default, the Enterprise Server stores its certificate information in a certificate database in the domain-dir/config directory:
■ Keystore file, key3.db, contains the Enterprise Server's certificate, including its private key. The keystore file is protected with a password. Change the password using the asadmin change-master-password command.
Each keystore entry has a unique alias. After installation, the Enterprise Server keystore has a single entry with alias s1as.
■ Truststore file, cert8.db, contains the Enterprise Server's trusted certificates, including public keys for other entities. For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner. Trusted certificates generally include those of certification authorities (CAs).
Chapter 9 • Configuring Security 111