I am looking for “best practice” in the efforts of implementing SSL.

Currently, we are planning on a Certificate (128-bit) for the Server(s) (Housing the broker(s)), a Certificate for the Administrator Users, a Certificate for the Development Users and a Certificate for the Adapters (1 Cert for all).

How does this configuration compare with those used out there?

Thanks in advance…

For internal use, I’ve seen a single certificate suffice (per broker) and only on staging and production environments. Only operation/production staff get to access staging/production. Developers don’t get to touch those at all–using SSL ensures this.

For dev/test, there is no real reason to restrict access unless of course you don’t trust the developers/administrators.

Of course every site is different so your approach may be best depending on various factors–primarily comfort level with what those who have access might do to your open and/or secure systems.

It depends on what you need security for. Digital Certificates are can be used for authentication and/or for encryption.

It also depends on your existing design. I have found that breaking an entire systems integration into independent sub-systems based on the resources that are integrated is an excellent way of ensuring that your system will be maintainable as it grows in size and scope. This applies to your security architecture as well.

If you have not broken it down then your security will most likely be more of an on/off for the entire system.

I recommend that you read Chapter 10 of the AdminAnalysis.pdf file. One thing to keep in mind is that the digital certificates will be stored in certificate files that are password protected. If you use the same digital certificate in several certificate files then it will be more likely that access can be gained to one of the certificate files that subsequently can be used to gain access to the system. It comes back to what requirements you have for your security architecture.

Rgs,
Andreas Amundin
www.amundin.com

Here’s an add-on question: has anyone tried to get wM Enterprise Server or wM 6 working with 3rd-party SSL acceleration hardware? (eg [url=“rainbow.com - Above.com Marketplace”]rainbow.com - Above.com Marketplace)

Any war stories would be greatly appreciated.

—Jon W.