  TPF : Library : TPF Newsletters
Serve Up a Nice Web Dish, but Keep It Covered Until It Gets to the Table

Evan Jennings, IBM TPF Development

Since PUT 9, TPF has supported the Apache Web server. Apache is one of the most widely used, freely available Web server packages. It passes data between the server and client using HyperText Transfer Protocol (HTTP), which in turn uses TCP/IP. If the TCP/IP data is not secured in some manner on the public network, it is susceptible to snooping and tampering. For most data that is viewed by Web browsers (weather reports, news, stock prices, and so on), this is fine. After all, who would want to change the temperature that you see in your browser for Nome, Alaska from -33° to 99°? However, there is also a need for sensitive data (credit card numbers, account balances, passwords, and so on) to be entered or viewed in the Web browser. Let's say, for example, that Mr. Underhanded used a Trojan Horse to start a bot (program) running on the computer to which your Internet service provider (ISP) connects, and that the bot captures all 16-digit numbers it finds in the network traffic. He uses this list to try the numbers in succession until he hits upon the credit card number that you used to buy a book from gigabooks.com, and then he orders a yacht for himself.

As mentioned in the article "System Is Securely Fastened While Traffic Is Flowing" in the 3rd Quarter 2001 issue of the TPF Systems Technical Newsletter, there are ways to secure sensitive TCP/IP data. The method supported on TPF is Secure Sockets Layer (SSL). When HTTP is combined with SSL, the result is HTTPS, which is described in RFC 2818 and gives you all the benefits of SSL in Web browsing: data privacy, data integrity, and authentication.

A Web server that supports HTTPS is called a secure web server. In a secure web server, you can access both secure and non-secure Web pages. Non-secure pages are accessed from the browser as before: the Uniform Resource Locator (URL) is prefixed with http://. However, for secure pages, the URL begins with https://. Normally, a secure web server is set up to listen on two ports: 80 is the non-secure port and 443 is the secure port.

When a page is opened with https://, the browser initiates, under the covers, an SSL handshake with port 443 on the server. The data that you view or enter on this page cannot be viewed or tampered with by a third party. Browsers usually indicate that the page being viewed is secure by showing a closed padlock at the bottom of the window. If the certificate is not recognized or is expired, the browser starts a dialog with you that displays the characteristics of the certificate and gives you the choice to accept or reject the certificate.

All recent browsers come with a set of certificates that they recognize. In Netscape, press Ctrl+Shift+I to see certificate information. In Microsoft Internet Explorer, click Tools -> Internet Options -> Content -> Certificates to bring up the certificate information. To do this in Netscape Communicator, click Communicator -> Tools -> Security Info -> Certificates.

Beginning with APAR PJ28369, TPF supports the mod_ssl module in Apache, allowing for secure web server support. A tarball for TPF is available at http://www.ibm.com/tpf/. Look for Downloads under Fast Links to obtain the package.
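
The two-port layout described above, sketched as an Apache configuration fragment. This is an added example, not taken from the TPF package or its documentation: the directives are standard Apache and mod_ssl ones, while the host name and every file path are placeholders, and whether the TPF port accepts each directive unchanged is an assumption.

```apache
# Added example: one server, two ports (all paths and names are placeholders).
Listen 80      # non-secure port, reached with http://
Listen 443     # secure port, reached with https://

# SSL is off unless enabled, so requests arriving on port 80 stay plain HTTP.
<VirtualHost _default_:80>
    ServerName www.example.com
    DocumentRoot "/placeholder/htdocs"
</VirtualHost>

# Only the port 443 virtual host performs the SSL handshake.
<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot "/placeholder/htdocs"

    SSLEngine on
    # Server certificate presented to the browser during the handshake.
    # The browser shows its accept/reject dialog if it does not recognize
    # the issuer or the certificate has expired.
    SSLCertificateFile    "/placeholder/conf/server.crt"
    # Private key matching the certificate; keep it readable only by the
    # account that runs the server.
    SSLCertificateKeyFile "/placeholder/conf/server.key"
</VirtualHost>

# Pages that carry sensitive data (card numbers, balances, passwords):
# refuse any request for them that did not arrive over SSL, so a link
# mistyped as http:// cannot expose them on port 80.
<Directory "/placeholder/htdocs/secure">
    SSLRequireSSL
</Directory>
```

With this layout, a page under the protected directory requested through http:// on port 80 is refused rather than sent in the clear, while everything else remains reachable on either port.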