When a client and server communicate, secure socket layer (SSL) ensures that the communication is private and secure by providing authentication, encryption, and integrity checks. A general assumption is that SSL handshake and SSL data transfer only happens between a Web Browser and a Web Server, so SSL Certificates are only required for Web Servers in the overall IT Infrastructure. In reality SSL Certificates can be used for many key applications in an IT infrastructure – Web servers, Java application servers, databases (Oracle, SQL), Microsoft Active Directory servers and mail servers like Microsoft Exchange can all use SSL.
Isn’t it Enough to Just Protect the Web Servers using SSL?
Application environments have become complex. Many infrastructure tiers are involved in supporting the service and the different tiers communicate with each other to support the service. The servers involved could be in different geographic locations. With the increasing use of cloud computing, some of the servers involved may even be hosted on public clouds.
SSL secures all communications between any two servers. If servers are unprotected, hackers could actively eavesdrop all the communications and maybe able to inject new ones. The more security critical the application, the more important it is to protect it with SSL. This is the reason why some of the core IT servers – Web Servers, Java application servers, Database Servers, messaging servers, Active Directory servers, and Microsoft Exchange – are often configured with SSL certificates.
Why protect these services with SSL?
|Services||Why SSL?||Without SSL|
|SSL ensures secure communication between a browser and a Web Server||Hackers can easily steal confidential information – credit card, PIN, Social Security numbers and other personal information of a customer.|
|SSL protects access to business logic and secures data access service from application server to other systems and database||Unauthorized personal can modify critical data by accessing the database and other systems.|
|SSL enables emails exchanged between mail client and exchange server to be encrypted and secured||Attackers can steal important emails and passwords of key executives.|
|SSL secures access to user accounts, administrative groups, server accounts and resource accounts stored in Active Directory||Active Directory can be compromised and the damage might be a substantial monetary loss or even a serious blow to the reputation of the organization.|
|SSL secures data transfer across the network between instances of databases and other systems of that application environment||Hackers can steal critical data stored in the database.|
Monitoring SSL Certificates
SSL certificates often have a validity period and if ever an SSL certificate becomes invalid, the application that uses it will stop working. So monitoring of SSL certificates is important. The key requirements for SSL certificate monitoring include:
- The ability to proactively monitor the validity of all the SSL certificates used by an organization;
- Multi-modal alerting capability to alert administrators about impending certificate expiry or validity issues with certificates;
- Capability to track and alert about changes to SSL certificates;
- The ability to check the legitimacy of a SSL certificate by verifying certificate fingerprint;
The eG Enterprise performance management system can check SSL certificates used by different applications – Active Directory, Exchange Server, Web Servers (Apache, IIS, etc.) and application servers – Tomcat, WebSphere, WebLogic and GlassFish, and databases – Oracle, SQL Server, MySQL and others. For more information on how eG Enterprise can ensure the validity and legitimacy of your SSL certificates please read the white paper SSL Certificate Expiry Monitoring and Management