Understanding SSL
SSL (Secure Sockets Layer) is a transaction security standard that provides encrypted protection between browsers and app servers. When SSL is enabled for an app server, browsers communicate with the app server by means of an HTTPS connection, which is HTTP over an encrypted Secure Sockets Layer. HTTPS connections are widely used by banks and web vendors for secure transactions over the web.
A browser and an app server create a secure HTTPS connection by using a handshaking procedure. When browser connects to an SSL-enabled app server, the app server sends back its identification in the form of a digital certificate that contains the server name, the trusted certificate authority, and the server's public encryption key. The browser uses the server's public encryption key from the digital certificate to encrypt a random number and sends the result to the server. From the random number, both the browser and app server generate a session key. The session key is used for the rest of the session to encrypt/decrypt all transmissions between the browser and app server, enabling them to verify that the data didn't change in route.
The end result of the handshaking procedure described above is that only the server is authenticated. The client can trust the server, but the client remains unauthenticated. MarkLogic Server supports mutual authentication, in which the client also holds a digital certificate that it sends to the server. When mutual authentication is enabled, both the client and the server are authenticated and mutually trusted.
MarkLogic Server uses OpenSSL to implement the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1) protocols.
The following are the definitions for the SSL terms used in this section:
A certificate, or more precisely, a public key certificate, is an electronic document that incorporates a digital signature to bind together a public key with identity information, such as the name of a person or an organization, address, and so on. The certificate can be used to verify that a public key belongs to an individual or organization. In a typical public key infrastructure (PKI) scheme, the signature will be that of a certificate authority.
A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. When an entity requests certification, the CA verifies its identity and grants a certificate, which is signed with the CA's private key. If the CA is trusted, then any certificate it issues is trusted unless it has been revoked.
A certificate chain is a group of interdependent CAs. A certificate chain consists of a single trusted root CA, one or more intermediate CA, and one or more end CA. The intermediate and end certificates must be imported into MarkLogic Server.
Note
MarkLogic Server supports only one intermediate CA per host.
A certificate request is a request data structure containing a subset of the information that will ultimately end up in the certificate. A certificate request is sent to a certificate authority for certification.
A key is a piece of information that determines the output of a cipher. SSL/TLS communications begin with a public/private key pair that allow the client and server to securely agree on a session key. The public/private key pair is also used to validate the identity of the server and can optionally be used to verify the identity of the client.
A certificate template is a MarkLogic Server construct that is used to generate certificate requests for the various hosts in a cluster. The template defines the name of the certificate, a description, and identity information about the owner of the certificate.
A cipher is an algorithm for encrypting information so that it's only readable by someone with a key. A cipher can be either symmetric or asymmetric. Symmetric ciphers use the same key for both encryption and decryption. Asymmetric ciphers use a public and private key.
Note
Signed certificates are imported via the Certificate Templates import page, as described in Importing a Signed Certificate into MarkLogic Server. Certificate Authority certificates are imported via the Certificate Authorities import page, as described in CA Certificate (User Cert Signer) Import from Admin Interface.