This document discusses secure connections in Java using SSL/TLS. It provides information on key concepts like keystores, certificates, and truststores. It also demonstrates how to set up a basic client-server application with mutual authentication using self-signed certificates and keytool to generate and manage the certificates. Troubleshooting tips are provided for common exceptions encountered.
2. DEAD GIVEAWAY
Security has always been very important.
But we may rely too much on infrastructure (e.g. proxies,
firewalls, ...).
3. CLOUD?
Application Security becomes even more important in the
cloud:
Architect security in from the start.
Maintain and evaluate security in all sprints.
Maintain and evaluate security after deployment.
5. HEADS UP
“Inevitably, you’ll cry the first time you attempt to configure
mutual authentication with SSL (aka two-way SSL).”
* The Fifteen Minute Guide to Mutual Authentication
7. SSL
Secure Socket Layer: protocol to ensure secure transactions
between web servers and browsers.
CERTIFICATES
Different types exist: X509, PGP, SDSI, ...
8. X509
X.509 certificate usually refers to the IETF’s PKIX
Certificate and CRL Profile of the X.509 v3 certificate
standard, as specified in RFC 5280.
10. DIFFERENT X509 CHARACTERISTICS
EXTENSIONS
CRT = common extension for certificates.
CER = alternative extension for certificates.
(Microsoft convention)
KEY = extension used for public / private PKCS#8 keys.
PKCS#8: PKI standard used to carry private certificate keypairs
PKCS#12: PKI standard 'container' used to store private keys with accompanying public key
certificates, protected with a password-based symmetric key.
15. CERTIFICATE AUTHORITY
Instance that issues digital certificates.
A trusted third party, trusted by both the subject (owner) and the party relying upon the certificate.
Over 50 root certificates in current browsers.
(e.g. by Comodo, Symantec, ...)
22. KEYSTORES
A Java KeyStore (JKS) is a repository of security certificates,
either authorization certificates or public key certificates - used
for instance in SSL encryption.
* Wikipedia
23. KEYSTORE
Contains public/private keypairs.
The private key is accompanied by the certificate chain for the corresponding public key.
Decryption based on the private key.
Used for certificate validation (and signing).
29. 1-WAY SSL
The server is required to present a certificate to the client
but the client is not required to present a certificate to the
server. To successfully negotiate an SSL connection, the
client must authenticate the server, but the server will
accept a connection from any client.
30. 2-WAY SSL
The server presents a certificate to the client and the client
presents a certificate to the server.
31. BEST PRACTICES
DO NOT USE JVM PARAMETERS
-Djavax.net.ssl.trustStore=X -Djavax.net.ssl.trustStorePassword=X
Obvious security risk: the password is exposed on the command line.
32. BEST PRACTICES
DO NOT USE DEFAULT CACERTS
One day you will upgrade or migrate ... and forget about it.
33. BEST PRACTICES
KEEP IT REALLY SIMPLE
You will probably not be the one maintaining it.
Use a different keystore for each:
Platform (DEV, UAT, PRD).
Functionality: keystore, signstore, truststore.
37. PREREQUISITE FOR RUNNING THE DEMO
Create client & server public/private keypair and
certificates.
In this demo we'll be using the Java keytool to create a keystore with generated keypairs.
In a production environment certificates must be created/requested by the application manager.
Afterwards these certificates can be imported into a keystore using the Java keytool.
38. SERVER KEYPAIR
Create server keystore & generate certificate with java
keytool.
Use common name: server.security.brownbag.hp.com
$ keytool -genkey -keyalg RSA -alias sec_server -keystore server_keystore.jks -storepass changeit -validity 360 -keysize 2048
$ keytool -list -keystore server_keystore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
sec_server, 29-jan-2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): <fingerprint omitted>
The client must connect using the host name server.security.brownbag.hp.com, the CN of the server certificate.
Java's hostname verification compares the CN in the certificate with the address used for the connection.
=> Add a matching entry to the hosts file!
39. CLIENT KEYPAIR
Create the client keystore
$ keytool -genkey -keyalg RSA -alias sec_client -keystore client_keystore.jks -storepass changeit -validity 360 -keysize 2048
$ keytool -list -keystore client_keystore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
sec_client, 29-jan-2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): <fingerprint omitted>
40. SERVER
Run main method in BrownBagServicePublisher.java
Has a keystore with a certificate & private key
Has a truststore containing the client certificate
41. CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS
Extract certificate from client keystore
Import client certificate into the truststore
$ keytool -export -keystore client_keystore.jks -alias sec_client -file sec_client.crt -storepass changeit
$ keytool -import -file sec_client.crt -alias sec_client -keystore server_truststore.jks -storepass changeit
$ keytool -list -keystore truststore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
sec_client, 29-jan-2014, trustedCertEntry,
Certificate fingerprint (SHA1): <fingerprint omitted>
42. TEST SERVER WITH FIREFOX
How-to:
Accept self signed certificate warning in Firefox.
Import the client certificate & private key from a PKCS#12 file
into Firefox's personal certificates.
Create PKCS#12 file: client_keystore.p12
$ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 \
    -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit \
    -deststorepass changeit -srcalias sec_client -destalias sec_client \
    -srckeypass changeit -destkeypass changeit -noprompt
43. THE JAVA CLIENT
Run main method in Client.java
Has a keystore with the client certificate & private key
Has a truststore containing the server certificate
Uses the spring-ws framework
44. CREATE THE CLIENT TRUSTSTORE
Extract certificate from server keystore
Import server certificate into the truststore
$ keytool -export -keystore server_keystore.jks -alias sec_server -file sec_server.crt -storepass changeit
$ keytool -import -file sec_server.crt -alias sec_server -keystore client_truststore.jks -storepass changeit
$ keytool -list -keystore truststore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
sec_server, 29-jan-2014, trustedCertEntry,
Certificate fingerprint (SHA1): <fingerprint omitted>
45. JAVA CODE
Init keystore & truststore in java code.
Configure SSLContext for the JVM.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
        CertificateException, UnrecoverableKeyException, KeyManagementException {
    final String KEYSTORE = "/path/to/keystore.jks";
    final String TRUSTSTORE = "/path/to/truststore.jks";
    final String KEYSTORE_PASS = "changeit";

    // Load the keystore (our own certificate and private key)
    KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    KeyStore keyStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(KEYSTORE)) {
        keyStore.load(in, KEYSTORE_PASS.toCharArray());
    }
    keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());

    // Load the truststore (the certificates of the peers we accept)
    TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(TRUSTSTORE)) {
        trustStore.load(in, KEYSTORE_PASS.toCharArray());
    }
    trustFactory.init(trustStore);

    // Configure SSLContext for the JVM ("TLS" is the preferred protocol name on current JDKs)
    SSLContext context = SSLContext.getInstance("SSL");
    context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
    SSLContext.setDefault(context);
}
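The same keystore/truststore setup, carried through to a working 2-way SSL exchange on localhost. This is an added example, not code from the slides or the demo project: it assumes the four .jks files and the password from the keytool steps above, and that server.security.brownbag.hp.com resolves to 127.0.0.1 through the hosts file.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class MutualSslDemo {
    // Password and CN from the keytool steps of this deck; the CN is assumed to resolve to 127.0.0.1 via the hosts file
    static final char[] PASS = "changeit".toCharArray();
    static final String SERVER_NAME = "server.security.brownbag.hp.com";
    // One SSLContext per side: own keypair from the keystore, the peer's certificate from the truststore
    static SSLContext build(String keystore, String truststore) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystore)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststore)) { ts.load(in, PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = build("server_keystore.jks", "server_truststore.jks");
        SSLContext clientCtx = build("client_keystore.jks", "client_truststore.jks");
        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        listener.setNeedClientAuth(true); // 2-way SSL: a client without a trusted certificate is rejected
        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept();
                 BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                 PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                // Reading triggers the handshake; afterwards the verified client certificate is available
                String request = in.readLine();
                X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                out.println("hello " + peer.getSubjectX500Principal().getName() + ", you said: " + request);
            } catch (IOException e) { e.printStackTrace(); }
        });
        server.start();
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket(SERVER_NAME, listener.getLocalPort())) {
            SSLParameters p = c.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // compare the server's CN/SAN with SERVER_NAME
            c.setSSLParameters(p);
            new PrintWriter(c.getOutputStream(), true).println("ping");
            System.out.println(new BufferedReader(new InputStreamReader(c.getInputStream())).readLine());
        }
        server.join();
    }
}
```

Removing the client's entry from server_truststore.jks reproduces the handshake failure described in the troubleshooting slides, since setNeedClientAuth(true) makes the server abort the handshake instead of accepting an anonymous client.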
47. CLIENT EXCEPTION
Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty
Truststore is not found.
48. CLIENT EXCEPTION
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Server certificate not found in truststore.
Server certificate expired or revoked.
49. CLIENT EXCEPTION
I/O error: Remote host closed connection during handshake;
nested exception is javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake
I/O error: Connection reset;
nested exception is java.net.SocketException:
Connection reset
The server doesn't trust the client: the client certificate is not in the
server truststore.
The client is sending the wrong certificate to the server.
Or a technical error...
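A pre-flight check that tells apart the causes listed in the three client exception slides (empty truststore, peer certificate missing from the truststore, certificate outside its validity period) before any connection is opened. Added example, not from the slides; it assumes the client_truststore.jks and sec_server.crt files and the "changeit" password from the keytool steps above, and prints fingerprints in the same notation as keytool -list.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Enumeration;

public class TruststoreCheck {
    static final char[] PASS = "changeit".toCharArray(); // store password used in this deck

    // Same notation as keytool -list: upper-case hex bytes separated by ':'
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }

    // Explains which of the causes listed above applies, without opening a connection.
    // A wrong truststore path fails here with FileNotFoundException.
    static String check(String truststore, String peerCertFile) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststore)) { ts.load(in, PASS); }
        int anchors = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();)
            if (ts.isCertificateEntry(e.nextElement())) anchors++;
        if (anchors == 0) // -> InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
            return "truststore " + truststore + " holds no trustedCertEntry";
        X509Certificate peer;
        try (InputStream in = new FileInputStream(peerCertFile)) {
            peer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String alias = ts.getCertificateAlias(peer); // exact match on the encoded certificate
        if (alias == null) // -> PKIX path building failed: unable to find valid certification path
            return "certificate " + sha1Fingerprint(peer) + " is not in " + truststore;
        try {
            peer.checkValidity(); // an expired certificate fails PKIX validation as well
        } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
            return "certificate under alias '" + alias + "' is outside its validity period: " + ex.getMessage();
        }
        return "certificate under alias '" + alias + "' is trusted and valid until " + peer.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        // Files from the keytool steps of this deck (assumed to be in the working directory)
        System.out.println(check("client_truststore.jks", "sec_server.crt"));
    }
}
```

Run it with server_truststore.jks and sec_client.crt to check the server side of the handshake the same way.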