Establishing a Secure Website Using SSL

Most of the information on the Web is not sensitive; in fact, accessibility is perhaps the biggest single basis for its incredible popularity. But the Web is also increasingly serving private and sensitive information, including e-commerce, medical records, filing taxes, and Web-based e-mail. In the vast majority of cases, these transactions are encrypted with a protocol called Secure Sockets Layer (SSL).

Secure websites rely on certificates to provide two central tenets of their security:

• That your server can be trusted because it has an authentic certificate

• For the encryption of the interaction

Viewing Certificates

Unencrypted Hypertext Transfer Protocol (HTTP) traffic typically travels over port 80: When you type in an HTTPS URL, you are telling your browser to initiate a secure (SSL) connection to port 443 of the Web server. The browser and server negotiate the strongest cipher they have in common, and then the server sends the browser its X.509 certificate. If the browser can't verify the identity of the secure website, it will display a dialog allowing you to examine the certificate. To view the certificate, click the Show Certificate button.

If it is a server you trust (your own, for example), you can select the "Always trust these certificates" checkbox, after which you'll need to authenticate to add the certificate to your keychain. The next time you go to that site, the certificate will be trusted. Your browser then uses the certificate as an encryption key for the secure connection.

Setting Up a Secure Website

The following steps walk you through setting up a secure Web mail server site. If you'd like to have WebMail running on your server, you must have the IMAP mail server set up and running properly. Basically, there is just a one-checkbox difference between Webserving mail and not!

1.	Install the Server Admin utilities (included with Mac OS X Server, or downloadable from the Apple website).
2.	Launch /Applications/Server/Server Admin and connect to your server.
3.	Select the Web service in the left frame and open the Settings tab using the button at the bottom of the main window.
4.	Click the Sites tab in the top of the main window and click the "Add a new website" (+) button.
5.	Enter the domain name of your server, select its IP address from the drop-down menu, and click the Options button.
6.	Turn off the Performance Cache, turn on WebMail, and click the Security tab.
7.	Select the Enable Secure Sockets Layer (SSL) checkbox and click OK.
8.	In the Certificate drop-down menu, select Custom to configure your certificate (we're using the server's default certificate in this example).
9.	In the upper-left corner of the frame, click the button to return to the list of sites.
10.	Click the Enabled button next to your new secure website (the one on port 443).
11.	Select the unencrypted site (the one on port 80), click the "Edit selected website" (/) button, and click the Aliases tab.
12.	Click the "Add new alias or redirect" (+) button.
13.	Select Redirect from the drop-down menu, then enter /webmail for the pattern and https://www.example.com/webmail for the path. Click OK.
14.	Click the Return button to return to the list of sites.
15.	Click the Save button in the lower-right corner of the window.
16.	If the Web service was running when you added your new secure site, the following dialog will come up. Click Restart to restart the Web service. Alternately, if the Web service was not running, you can start it now by clicking the Start Service button.
17.	To check your work, open a browser and type www.example.com into the URL field. The browser should take you to your unencrypted site.
18.	In the URL field, type in www.example.com/webmail. The redirect that you created in steps 11 through 14 should redirect you to the secure WebMail site. Note Redirects must follow particular formatting requirements. The Pattern field cannot contain the http://domain_name portion of the URLit must be a search term such as a file or directory (for example. anything you might type in after the domain name of the site). The path must be a fully qualified domain name, such as a complete URL.

We've seen in other lessons the usefulness of certificates and encryption, and we put them to use here in our exercise. If you are serving a lot of static pages, the performance cache (step 6) can improve how quickly pages are served by keeping them stored in RAM. With pages that are created dynamically, this can cause problems or incompatibilities, as the content would not all fit into RAM. Therefore, we disabled it in order to use WebMail.

Is WebMail really as simple as one checkbox? Well, yes and no. After mail services are deployed in a compatible mode, yes. WebMail simply ties in with the IMAP mail services already running on your server, and gets its user account information from Directory Services, just as the mail services do. The compatible mode is as follows:

Look in Server Admin > Mail > Settings > Advanced > Security. At the minimum, you must choose the following settings:

• Login for SMTP

• Clear for IMAP

• Use for both SMTP SSL and "IMAP and POP SSL."

WebMail's default configuration uses these settings, and does not use SSL. Because we are serving WebMail from a secure site, all traffic between the browser and the server is encrypted with SSL.

You can (and should!) have more secure authentications options selected for your mail client users. For example, you might have Kerberos, CRAM_MDS, and Clear all selected for IMAP authentication methods. The weakness of this is that you are now relying on your users to configure their mail clients securely; with this configuration, nothing is requiring them to use SSL, or preventing them from using Clear authentication.

The final requirement for one-click WebMail is that your Web service is running on the same server as your mail service. That way, no unencrypted data is passing between two servers.

Note

Though it is possible to configure WebMail to use SSL (thereby allowing you to require SSL for mail clients), the PHP implementation on Mac OS X was compiled without the necessary openssl PHP extension.