BIRT iHub secure communications
BIRT iHub secures data in transit to prevent unauthorized third parties from accessing information passing between iHub services and between the iHub server and the end user. Data in transit uses the following security protocols:
*Hypertext Transfer Protocol Secure (HTTPS) is used for communication between the user’s web browser and both the Administration Console and BIRT iHub Visualization Platform services.
*Secure Sockets Layer (SSL) for communications between:
*The BIRT iHub server processes and the JDBC data sources
*The BIRT iHub server processes and the metadata database.
*Security Assertion Markup Language (SAML) provides a secure means of authenticating and authorizing a user to access a volume.
Understanding HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a protocol used to enable secure communication over a computer network. When HTTPS is at the beginning of a URL web address such as https://www.actuate.com, the web browser attempts to activate an encrypted connection using the Secure Sockets Layer (SSL).
A server requires two keys and one certificate to build the HTTPS connection. These establish an SSL handshake to encrypt the data between the client and the server. HTTPS also encrypts the URL’s query parameters, headers, and cookies.
After the client completes the SSL handshake, the web browser securely uses the same features available to an HTTP connection, such as hyperlinks and JavaScript.
Understanding SSL
Secure Sockets Layer (SSL) is a protocol for securely exchanging information, such as passwords, credit card numbers, medical records, and other private data, over a computer network. SSL provides the means to:
*Encrypt data exchanged between two parties.
*Verify the identity of the server and optionally the client.
*Verify the integrity of the message, confirming that the data was not tampered with in transit.
SSL uses the following components:
*Private key
Available only to the owner of the private key. Used to decrypt a message encrypted by the public key.
*Public key
Available to the public. Used to encrypt a message sent to the owner of the private key.
*Digital certificate
Contains information such as the certificate issuer, certificate expiration date, information about the certificate owner, and the certificate owner’s public key. The certificate is signed by a certificate authority, using a digital signature.
*Certification authority (CA)
A trusted agency that validates information about an entity such as an online business, and then signs a digital certificate for the entity to use.
BIRT iHub SSL communication process
A client uses a web browser to access a server hosting Visualization Platform. The secured connection starts when a client visits the SSL secured server using a URL web address beginning with HTTPS. The client receives the server's digital certificate identifying the server and including the server's public key. The client web browser checks the following characteristics of the certificate:
*That the domain in the certificate matches the domain of the server
*That the certificate is trusted or signed by a trusted certificate authority
*That the certificate is not expired
*That the certificate is not revoked
*That the encryption cipher chosen by the server is supported
After accepting the server's certificate, the client uses the public key from the server's certificate to encrypt a message and then sends the message to the server. The message requests that the server generate a session key, also known as a shared secret key. At the same time, the client uses the data in the message to generate the same session key that the client expects the server to generate.
The server uses its private key to decrypt the message from the client. Then, the server uses the data in the message to generate a session key, identical to the session key the client generated. The client and the server use the generated session key to encrypt data, decrypt data, and verify data integrity using checksums.
The server sends a message encrypted using the generated session key back to the client. This message completes the SSL handshake and confirms that data travels securely between both sides of the connection.
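The certificate checks listed above, as an added example that is not part of the BIRT iHub documentation: a Python model of the five client-side checks run over a constructed certificate record. Trust is modelled as the issuer being present in the client's trust store (the CA's signature over the certificate is assumed to have been verified already), and all host names, issuer names, and serial numbers are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Certificate:          # minimal stand-in for the fields a client reads from X.509
    subject_cn: str
    san_dns: list          # subjectAltName DNS entries; checked before the CN
    issuer: str
    not_before: datetime
    not_after: datetime
    serial: str


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: case-insensitive, and a wildcard may only
    stand for the whole leftmost label ("*.example.com" matches
    "ihub.example.com" but not "a.b.example.com", "example.com" or "*.com")."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_server_certificate(cert, hostname, trusted_cas, revoked_serials,
                             supported_ciphers, server_cipher, now=None):
    """Run the five client checks; return the list of failures (empty = accept)."""
    now = now or datetime.now(timezone.utc)
    failures = []
    names = cert.san_dns or [cert.subject_cn]
    if not any(hostname_matches(n, hostname) for n in names):
        failures.append("domain mismatch")
    if cert.issuer not in trusted_cas:       # CA signature assumed verified
        failures.append("issuer not trusted")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("expired or not yet valid")
    if cert.serial in revoked_serials:       # e.g. from a CRL or OCSP response
        failures.append("revoked")
    if server_cipher not in supported_ciphers:
        failures.append("cipher not supported")
    return failures


# Constructed sample data (placeholder names and serials, not real certificates)
TRUSTED_CAS = {"Example Root CA"}
REVOKED = {"0x0BAD"}
CIPHERS = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}
SAMPLE_CERT = Certificate("ihub.example.com", ["*.example.com"], "Example Root CA",
                          datetime(2024, 1, 1, tzinfo=timezone.utc),
                          datetime(2025, 1, 1, tzinfo=timezone.utc), "0x1001")
```

A client that gets an empty list proceeds to the key-exchange step described above; any non-empty list aborts the handshake before a session key is generated.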
BIRT iHub SSL support
BIRT iHub enables SSL by default, specifying port 8001 in the acpmdconfig.xml file. BIRT iHub stores SSL certificates in the AC_SERVER_HOME/shared/credential folder.
BIRT iHub uses 2048-bit RSA private keys. Actuate supports the following secure protocol configurations:
*SSL v3 and TLS v1.0
*TLS v1.1 and TLS v1.2
BIRT iHub disables SSL v2, client-initiated renegotiation for ihubd, and TLS compression.