Learner

Reputation: 83

Securing webservice with SSL/PKI

My requirement is to secure the REST web service. After some discussion, we decided to go with PKI over OAuth. The implementation will be in Java.

Now I have the following questions in mind:

  1. If I enable SSL in my web server, does that just implement the PKI infrastructure?

  2. If I implement whatever is mentioned in this guide, will that take care of all encryption and decryption? How are the original messages passed between the servers encrypted/decrypted? Or does this guide just talk about authorizing the client and have nothing to do with the messages passed?

  3. If my above assumptions are wrong, can you help me understand all I need to know about implementing this infrastructure?

Upvotes: 2

Views: 1287

Answers (2)

AmitK

Reputation: 81

  1. PKI (Public Key Infrastructure) deals with the certificate life cycle, the certificate authority (internal or external), certificate policies and how these certificates can be used.
  2. Enabling SSL/TLS on the web server makes a secure HTTP connection (HTTPS) instead of plain HTTP. By enabling HTTPS, you are securing the data transferred between client and server through encryption.
  3. Note that to enable SSL/TLS, you need a server certificate, and how you obtain the certificate is taken care of by this infrastructure. We can configure MS PKI or use the openssl tool to generate a certificate for in-house purposes, or can buy it from CAs like Verisign, DigiCert etc.
  4. Implementing SSL/TLS will ensure data safety in transit, whereas authentication & authorization are still needed for end users.

Upvotes: 0

Maarten Bodewes

Reputation: 93978

  1. Nope, it does not. Public key infrastructure is about the handling of the certificates (holding the public keys) and the private keys. You need to take care of certificate exchange, certificate lifetime, certificate revocation etc. etc. Of course, most of these are taken over by the Certificate Authority like Verizon. Even then, you need to protect and back up the private key you are using, make sure it fits your server name, and update your certificate when its time runs out.

  2. Yes, the SSL/TLS protocol takes responsibility for securing all the messages passed, at "transport level". You may of course require additional security at application level (e.g. to store sent messages securely on the server). In general, SSL/TLS would suffice, and the implementation takes care of it all. You should however decide which SSL cipher suites you want to enable.

  3. Um, I would suggest you read articles and books about PKI, and possibly some howtos from CAs. That question (and actually the two other questions) is off topic for Stack Overflow. It's impossible to answer that in a few sentences.

Upvotes: 3
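The two answers above agree on the split of responsibilities: PKI supplies a server certificate that matches the server name and has not expired, and TLS, with a deliberately chosen set of protocol versions and cipher suites, protects the messages in transit. The following is an added example (not code from the question or either answer) that puts both points into a minimal Java HTTPS endpoint using the JDK's built-in `com.sun.net.httpserver.HttpsServer`. It assumes a PKCS12 keystore file (`server.p12`, password `changeit`, hostname `api.example.com` are placeholder defaults) holding the private key and certificate obtained from your CA or generated in-house with openssl, as AmitK describes; the certificate checks and the allowed protocol/cipher lists are this example's own choices.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
import java.io.FileInputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsRestServer {
    // Protocol versions and cipher suites this example chooses to allow:
    // TLS 1.2/1.3 only, AEAD suites with forward secrecy (assumption, not a page-given list).
    static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    static final String[] PREFERRED_SUITES = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** PKI-side sanity check before binding: the certificate is within its validity
     *  period and carries a dNSName Subject Alternative Name for our hostname. */
    static void checkServerCertificate(X509Certificate cert, String expectedHost) throws Exception {
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        boolean matches = false;
        if (sans != null) {
            for (List<?> san : sans) {
                // Entry layout is [type, value]; type 2 is dNSName (RFC 5280 GeneralName)
                if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase((String) san.get(1))) {
                    matches = true;
                }
            }
        }
        if (!matches) {
            throw new IllegalStateException("certificate has no dNSName SAN for " + expectedHost);
        }
    }

    /** Keep only the preferred suites this JVM actually supports, so the handshake
     *  configuration never references an unknown suite name. */
    static String[] supportedPreferredSuites(SSLContext ctx) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> chosen = new ArrayList<>();
        for (String suite : PREFERRED_SUITES) {
            if (supported.contains(suite)) chosen.add(suite);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        String keystorePath = args.length > 0 ? args[0] : "server.p12";      // placeholder path
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray(); // placeholder
        String hostname = args.length > 2 ? args[2] : "api.example.com";     // placeholder name

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // Locate the private-key entry and verify its certificate before serving anything.
        String alias = null;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no private key entry in keystore");
        checkServerCertificate((X509Certificate) ks.getCertificate(alias), hostname);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        final String[] suites = supportedPreferredSuites(ctx);

        HttpsServer server = HttpsServer.create(new InetSocketAddress(8443), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx) {
            @Override
            public void configure(HttpsParameters params) {
                // Restrict each connection to the chosen protocol versions and cipher suites.
                SSLParameters p = getSSLContext().getDefaultSSLParameters();
                p.setProtocols(PROTOCOLS);
                p.setCipherSuites(suites);
                params.setSSLParameters(p);
            }
        });
        server.createContext("/api/ping", exchange -> {
            byte[] body = "pong".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) { os.write(body); }
        });
        server.start();
        System.out.println("HTTPS listening on 8443, protocols " + String.join(",", PROTOCOLS));
    }
}
```

Run it as `java TlsRestServer server.p12 changeit api.example.com` and test with a client that validates the certificate chain (for example `curl --cacert ca.pem https://api.example.com:8443/api/ping`). The certificate check fails fast at startup, which is the cheapest place to catch an expired or mis-issued certificate; the cipher-suite filter is applied per connection, so a suite that the JVM does not know is silently dropped rather than breaking the handshake. As the second answer notes, this only covers the transport: authenticating and authorizing the REST client still has to be handled by the application (or by TLS client certificates, which this example does not configure).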
