SECURITY

SECURE CONNECTIONS IN JAVA
Created by Bart Blommaerts / Christophe Weyn
DEAD GIVEAWAY
Security has always been very important.
But we may rely too much on infrastructure (e.g. proxies,
firewalls, ...).
CLOUD?
Application Security becomes even more important in the
cloud:
Architect security in from the start.
Maintain and evaluate security in all sprints.
Maintain and evaluate security after deployment.
HTTPS BY DEFAULT !
Google
Gmail
Facebook
Twitter
LinkedIn
Yahoo
HEADS UP
“Inevitably, you’ll cry the first time you attempt to configure
mutual authentication with SSL (aka two-way SSL).”
* The Fifteen Minute Guide to Mutual Authentication
Unless you pay attention right now :-)
SSL
Secure Sockets Layer: protocol to ensure secure transactions
between web servers and browsers.

CERTIFICATES
Different types exist: X509, PGP, SDSI, ...
X509
X.509 certificate usually refers to the IETF’s PKIX
Certificate and CRL Profile of the X.509 v3 certificate
standard, as specified in RFC 5280.
DIFFERENT X509 CHARACTERISTICS
ENCODINGS

DER = used for binary DER-encoded certificates.
PEM = used for X.509 files which contain Base64-encoded data.
DIFFERENT X509 CHARACTERISTICS
EXTENSIONS

CRT = common extension for certificates.
CER = alternative extension for certificates.
(Microsoft convention)

KEY = extension used for public / private PKCS#8 keys.
PKCS#8: PKI standard used to carry private certificate keypairs
PKCS#12: PKI standard 'container' used to store private keys with accompanying public key
certificates, protected with a password-based symmetric key.
CONVERSION WITH OPENSSL
PEM TO DER

openssl x509 -in cert.crt -outform der -out cert.der
CONVERSION WITH OPENSSL
DER TO PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
EXAMPLE (PUBLIC KEY)
EXAMPLE EXPLAINED
Subject: Identification of the certificate.
Issuer: Government CA.
CERTIFICATE AUTHORITY
Instance that issues digital certificates.
A trusted third party: trusted by the subject (owner) and by the party relying upon the certificate.

Over 50 root certificates in current browsers.
(eg. by Comodo, Symantec, ..)
VALIDITY
Date From.
Date Till.
Beware of Certificate Revocation (CRL).
e.g. improperly issued, compromised, ...
EXAMPLE (PRIVATE KEY)
EXAMPLE (CHAINED CERTIFICATE)
EXAMPLE EXPLAINED
Used to obtain the root CA certificate.
MORE IN DETAIL
Certificate "trsprt-acpt"
Issuer CN = Subject CN of "Government CA"
Certificate "Government CA"
Issuer CN = Subject CN of "Belgium Root CA2"
Certificate "Belgium Root CA2"
Issuer CN = Subject CN
ROOT CERTIFICATE
Issuer CN = Subject CN.
Self-signed certificate.
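The chain walk the previous slides describe (Issuer CN of each certificate equals the Subject CN of the next, until a self-signed root), as an added example that is not code from the deck or its demo repository. It orders a bundle of certificates from leaf to root and verifies every link by signature rather than by name alone, since two certificates can carry the same CN without one having issued the other. The class name ChainWalk and the command-line usage are the example's own; the input is any PEM or DER bundle such as the chained certificate shown above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;

// Added example (not from the deck): order and verify a certificate chain.
public class ChainWalk {

    // A root is self-signed: Issuer == Subject AND the signature verifies with its own key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // names match but the signature does not: not a valid root
        }
    }

    // The leaf is the certificate that issued no other certificate in the set.
    static X509Certificate findLeaf(Collection<X509Certificate> certs) {
        for (X509Certificate candidate : certs) {
            boolean issuesAnother = false;
            for (X509Certificate other : certs) {
                if (other != candidate
                        && other.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                    issuesAnother = true;
                    break;
                }
            }
            if (!issuesAnother) {
                return candidate;
            }
        }
        throw new IllegalArgumentException("no leaf certificate found (cross-signed cycle?)");
    }

    // Walk leaf -> root; returns the ordered chain or throws describing the broken link.
    static List<X509Certificate> walk(Collection<X509Certificate> certs, Date now)
            throws GeneralSecurityException {
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = findLeaf(certs);
        while (true) {
            current.checkValidity(now); // CertificateExpiredException / NotYetValidException
            ordered.add(current);
            if (isSelfSigned(current)) {
                return ordered; // reached the root: Issuer CN = Subject CN
            }
            X509Certificate issuer = null;
            for (X509Certificate c : certs) {
                if (c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    issuer = c;
                    break;
                }
            }
            if (issuer == null) {
                throw new GeneralSecurityException("issuer not in set: " + current.getIssuerX500Principal());
            }
            current.verify(issuer.getPublicKey()); // the link must be signed, not just named
            if (issuer.getBasicConstraints() < 0) { // v3 CA flag required; old v1 roots have none
                throw new GeneralSecurityException("issuer is not a CA: " + issuer.getSubjectX500Principal());
            }
            if (ordered.size() > 16) {
                throw new GeneralSecurityException("chain too long");
            }
            current = issuer;
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ChainWalk chained-cert.pem   (PEM or DER bundle, any order)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        for (X509Certificate c : walk(certs, new Date())) {
            System.out.println("Subject: " + c.getSubjectX500Principal()
                    + "\n  Issuer: " + c.getIssuerX500Principal()
                    + (isSelfSigned(c) ? "  [root]" : ""));
        }
    }
}
```

Note that this walk only proves the bundle is internally consistent; whether the root may be trusted is decided by the truststore, which the next slides cover.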
KEYSTORES
A Java KeyStore (JKS) is a repository of security certificates,
either authorization certificates or public key certificates - used
for instance in SSL encryption.
* Wikipedia
KEYSTORE
Contains public/private keypairs.

The private key is accompanied by a certificate chain for the corresponding public key.

Decryption based on private key.
Used for certificate validation (and signing).
SIGNSTORE
Same as keystore, but only used for signing.
SYMMETRIC STORE
Decryption + encryption, based on same symmetric key.
TRUSTSTORE
Signature verification.
Encryption based on public key.
Used to store certificates of parties you trust.
EXAMPLE KEYSTORE
EXAMPLE (DEFAULT) TRUSTSTORE
1-WAY SSL

The server is required to present a certificate to the client
but the client is not required to present a certificate to the
server. To successfully negotiate an SSL connection, the
client must authenticate the server, but the server will
accept a connection from any client.
2-WAY SSL

The server presents a certificate to the client and the client
presents a certificate to the server.
BEST PRACTICES

DO NOT USE JVM PARAMETERS
-Djavax.net.ssl.trustStore=XX -Djavax.net.ssl.trustStorePassword=XX

Obvious Security Risk.
BEST PRACTICES

DO NOT USE DEFAULT CACERTS
One day, you will upgrade or migrate, .. and forget about it.
BEST PRACTICES

KEEP IT REALLY SIMPLE
You will probably not be the one maintaining it.
Use a different keystore for each:
Platform (DEV, UAT, PRD).
Functionality: keystore, signstore, truststore.
BEST PRACTICES

DO NOT SHARE YOUR PRIVATE KEY
Obvious Security Risk.
DEMO APPLICATION
https://bitbucket.org/elvinno/security-brown-bag.git

SOAP messages over secured SSL connection.
Do not confuse with signing a SOAP message using an X.509 Certificate!
DEMO APPLICATION MODULES
Server: BrownBagServicePublisher.java
Client: Client.java
PREREQUISITE FOR RUNNING THE DEMO
Create client & server public/private keypair and
certificates.
In this demo we'll use the Java keytool to create a keystore with generated keypairs.
In a production environment certificates must be created/requested by the application manager.
Afterwards these certificates can be imported into a keystore using the Java keytool.
SERVER KEYPAIR
Create server keystore & generate certificate with java
keytool.
Use common name: server.security.brownbag.hp.com

$ keytool -genkey -keyalg RSA -alias sec_server -keystore server_keystore.jks -storepass changeit -validity 360 -keysize 2048
$ keytool -list -keystore server_keystore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sec_server, 29-jan-2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8:FC:08:F2:12:F3:BE:0F:14:CB:D
EF:0A:B1:E4:77:3F:2C:94:78:E0

CN: server.security.brownbag.hp.com must be used to connect to the server.
The Java SSL context compares the certificate's CN with the connection address.
=> Adjust the hosts file accordingly!
CLIENT KEYPAIR
Create the client keystore
$ keytool -genkey -keyalg RSA -alias sec_client -keystore client_keystore.jks -storepass changeit -validity 360 -keysize 2048
$ keytool -list -keystore client_keystore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sec_client, 29-jan-2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8:E2:48:79:50:3E:0C:1F:74:84:2
FE:47:92:AD:E0:B9:14:69:85:94
SERVER
Run main method in BrownBagServicePublisher.java
Has a keystore with a certificate & private key
Has a truststore containing the client certificate
CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS
Extract certificate from client keystore
Import client certificate into the truststore
$ keytool -export -keystore client_keystore.jks -alias sec_client -file sec_client.crt -storepass changeit
$ keytool -import -file sec_client.crt -alias sec_client -keystore server_truststore.jks -storepass changeit
$ keytool -list -keystore truststore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sec_client, 29-jan-2014, trustedCertEntry,
Certificate fingerprint (SHA1): 8:E2:48:79:50:3E:0C:1F:74:84:2
FE:47:92:AD:E0:B9:14:69:85:94
TEST SERVER WITH FIREFOX
How-to:
Accept the self-signed certificate warning in Firefox.
Import the client certificate & private key from a PKCS#12 file
into Firefox's personal certificates.
Create PKCS#12 file: client_keystore.p12
$ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias sec_client -destalias sec_client -srckeypass changeit -destkeypass changeit -noprompt
THE JAVA CLIENT
Run main method in Client.java
Has a keystore with the client certificate & private key
Has a truststore containing the server certificate
Uses the spring-ws framework
CREATE THE CLIENT TRUSTSTORE
Extract certificate from server keystore
Import server certificate into the truststore
$ keytool -export -keystore server_keystore.jks -alias sec_server -file sec_server.crt -storepass changeit
$ keytool -import -file sec_server.crt -alias sec_server -keystore client_truststore.jks -storepass changeit
$ keytool -list -keystore truststore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sec_server, 29-jan-2014, trustedCertEntry,
Certificate fingerprint (SHA1): 8:FC:08:F2:12:F3:BE:0F:14:CB:D
EF:0A:B1:E4:77:3F:2C:94:78:E0
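The keytool steps of the last slides (export a certificate, import it into the other side's truststore, convert the client keystore to PKCS#12, list the result) done with Java's KeyStore API instead, as an added example that is not code from the deck or the demo repository. Useful when truststores are built by a provisioning step rather than by hand. File names, aliases and the password changeit are the ones from the slides; the class name StoreTools is hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example (not from the deck): keytool -export/-import/-importkeystore/-list via the API.
public class StoreTools {

    static KeyStore load(String type, String path, char[] pass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    static void save(KeyStore ks, String path, char[] pass)
            throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, pass);
        }
    }

    // keytool -export + keytool -import: copy only the certificate of `alias`
    // (never the private key) into a truststore.
    static KeyStore addTrustedCert(KeyStore source, String alias, KeyStore truststore)
            throws GeneralSecurityException {
        Certificate cert = source.getCertificate(alias);
        if (cert == null) {
            throw new GeneralSecurityException("no certificate for alias " + alias);
        }
        truststore.setCertificateEntry(alias, cert);
        return truststore;
    }

    // keytool -importkeystore ... -deststoretype PKCS12: move a key entry with its
    // chain into a PKCS#12 store (the file Firefox imports on the previous slide).
    static KeyStore toPkcs12(KeyStore jks, String alias, char[] keyPass)
            throws GeneralSecurityException, IOException {
        Key key = jks.getKey(alias, keyPass);
        Certificate[] chain = jks.getCertificateChain(alias);
        if (key == null || chain == null) {
            throw new GeneralSecurityException("no private key entry for alias " + alias);
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // new, empty store
        p12.setKeyEntry(alias, key, keyPass, chain);
        return p12;
    }

    // keytool -list equivalent: alias, entry type and SHA-1 fingerprint per entry.
    static String list(KeyStore ks) throws GeneralSecurityException {
        StringBuilder sb = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            sb.append(alias).append(", ").append(type)
              .append(", SHA1=").append(fingerprint(ks.getCertificate(alias))).append('\n');
        }
        return sb.toString();
    }

    static String fingerprint(Certificate c) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(String.format("%02X", d[i] & 0xff)).append(i + 1 < d.length ? ":" : "");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // demo password from the slides
        KeyStore client = load("JKS", "client_keystore.jks", pass);
        KeyStore server = load("JKS", "server_keystore.jks", pass);

        // The server truststore gets the client certificate, the client truststore the server's.
        KeyStore serverTrust = KeyStore.getInstance("JKS");
        serverTrust.load(null, null);
        save(addTrustedCert(client, "sec_client", serverTrust), "server_truststore.jks", pass);

        KeyStore clientTrust = KeyStore.getInstance("JKS");
        clientTrust.load(null, null);
        save(addTrustedCert(server, "sec_server", clientTrust), "client_truststore.jks", pass);

        save(toPkcs12(client, "sec_client", pass), "client_keystore.p12", pass);
        System.out.print(list(serverTrust));
    }
}
```

Keeping addTrustedCert separate from toPkcs12 mirrors the keystore/truststore split from the KEYSTORES slides: a truststore only ever receives certificates, so a bug in provisioning cannot leak a private key into it.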
JAVA CODE
Init keystore & truststore in java code.
Configure SSLContext for the JVM.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
        CertificateException, UnrecoverableKeyException, KeyManagementException {
    final String KEYSTORE = "path/to/keystore.jks";
    final String TRUSTSTORE = "path/to/truststore.jks";
    final String KEYSTORE_PASS = "changeit"; // demo value; in production read it from configuration

    // Load the keystore (own certificate + private key)
    KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    KeyStore keyStore = KeyStore.getInstance("JKS");
    try (FileInputStream in = new FileInputStream(KEYSTORE)) { // close the stream once loaded
        keyStore.load(in, KEYSTORE_PASS.toCharArray());
    }
    keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());

    // Load the truststore (certificates of the parties we trust)
    TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
        trustStore.load(in, KEYSTORE_PASS.toCharArray());
    }
    trustFactory.init(trustStore);

    // Configure SSLContext for the JVM
    // "TLS" is the preferred name; the slide's "SSL" is an alias for the same SunJSSE context.
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
    SSLContext.setDefault(context);
}
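The same context put to use on both ends of a 2-way SSL connection, as an added example that is neither the demo's Client.java nor BrownBagServicePublisher.java: the server side must ask for a client certificate explicitly (otherwise the connection is silently 1-way), and on the client side a raw SSLSocket checks the server name against the certificate only when endpoint identification is switched on, which is the check the hosts-file slide relies on; the HTTPS client classes apply it by default. Keystore file names, aliases and the password changeit are the slides' values; the class name MutualTls and port 8443 are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the deck): 2-way TLS sockets built from a keystore/truststore pair.
public class MutualTls {

    static KeyStore load(String path, char[] pass) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    static SSLContext context(String keystore, char[] keyPass, String truststore, char[] trustPass)
            throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, keyPass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server side of 2-way SSL: without setNeedClientAuth(true) this is plain 1-way SSL.
    static SSLServerSocket serverSocket(SSLContext ctx, int port) throws IOException {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true); // handshake fails unless the client presents a trusted certificate
        ss.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return ss;
    }

    // Client side: a raw SSLSocket does not compare the certificate name with the host it
    // dialled unless the endpoint identification algorithm is set; without it any certificate
    // in the truststore would be accepted for any host name.
    static SSLSocket clientSocket(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = s.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // CN / SAN must match `host`
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        s.setSSLParameters(params);
        s.startHandshake(); // SSLHandshakeException on any trust or name failure
        return s;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // demo password from the slides
        SSLContext ctx = context("client_keystore.jks", pass, "client_truststore.jks", pass);
        // Port 8443 is an assumption of this example, not a value from the deck.
        try (SSLSocket s = clientSocket(ctx, "server.security.brownbag.hp.com", 8443)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The context is passed around as a value rather than installed with SSLContext.setDefault, so a client and a server in the same JVM (as in the demo) can each use their own keystore/truststore pair.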
TROUBLESHOOTING
Use the system property:
-Djavax.net.debug=ssl
CLIENT EXCEPTION
Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty

Truststore is not found.
CLIENT EXCEPTION
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Server certificate not found in truststore.
Server certificate expired or revoked.
CLIENT EXCEPTION
I/O error: Remote host closed connection during handshake;
nested exception is javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake

I/O error: Connection reset;
nested exception is java.net.SocketException:
Connection reset

The server doesn't trust the client, client certificate not in
server truststore.
The client is sending the wrong certificate to the server.
Or a technical error...
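A preflight check for the client's stores, added here as an example that is not part of the deck or the demo repository. Run before the first connection, it reports the store-level causes behind the three exceptions above (missing or empty truststore, expired trusted certificate, keystore without a usable private key entry) and flags the default-cacerts anti-pattern from the best-practice slides; what it cannot see is the other side's truststore, so a handshake that still fails after a clean preflight points at the server. The class name SslPreflight and the usage line are the example's own; the password changeit is the slides' value.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (not from the deck): explain likely SSL failures before the handshake.
public class SslPreflight {

    static List<String> check(String keystorePath, String truststorePath, char[] pass) {
        List<String> findings = new ArrayList<>();
        KeyStore trust = open(truststorePath, pass, findings);
        if (trust != null) {
            try {
                int trusted = 0;
                for (String alias : Collections.list(trust.aliases())) {
                    if (!trust.isCertificateEntry(alias)) continue;
                    trusted++;
                    X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                    try {
                        c.checkValidity();
                    } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                        findings.add("truststore entry '" + alias + "' is outside its validity period"
                                + " (expect: PKIX path building failed)");
                    }
                }
                if (trusted == 0) {
                    findings.add("truststore has no trustedCertEntry"
                            + " (expect: the trustAnchors parameter must be non-empty)");
                }
                File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
                if (new File(truststorePath).getCanonicalFile().equals(cacerts.getCanonicalFile())) {
                    findings.add("truststore is the JVM default cacerts; a JVM upgrade will replace it");
                }
            } catch (Exception e) {
                findings.add("cannot inspect truststore: " + e);
            }
        }
        KeyStore keys = open(keystorePath, pass, findings);
        if (keys != null) {
            try {
                boolean hasKey = false;
                for (String alias : Collections.list(keys.aliases())) {
                    if (!keys.isKeyEntry(alias)) continue;
                    hasKey = true;
                    try {
                        keys.getKey(alias, pass);
                    } catch (UnrecoverableKeyException e) {
                        findings.add("private key '" + alias + "' cannot be opened with the store password");
                    }
                    if (keys.getCertificateChain(alias) == null) {
                        findings.add("key entry '" + alias + "' has no certificate chain to present");
                    }
                }
                if (!hasKey) {
                    findings.add("keystore has no PrivateKeyEntry: nothing to present in 2-way SSL"
                            + " (expect: Remote host closed connection during handshake)");
                }
            } catch (Exception e) {
                findings.add("cannot inspect keystore: " + e);
            }
        }
        return findings;
    }

    // Loads a JKS store, recording why it could not be used instead of throwing.
    static KeyStore open(String path, char[] pass, List<String> findings) {
        File f = new File(path);
        if (!f.isFile()) {
            findings.add(path + " not found (as truststore, expect: the trustAnchors parameter must be non-empty)");
            return null;
        }
        try (FileInputStream in = new FileInputStream(f)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, pass);
            return ks;
        } catch (Exception e) {
            findings.add(path + " could not be opened: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Usage: java SslPreflight client_keystore.jks client_truststore.jks
        List<String> findings = check(args[0], args[1], "changeit".toCharArray());
        if (findings.isEmpty()) System.out.println("OK: stores look usable for a 2-way SSL client");
        for (String f : findings) System.out.println("WARN: " + f);
    }
}
```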
QUESTIONS? ...

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

Java security

  • 1. SECURITY SECURE CONNECTIONS IN JAVA Created by Bart Blommaerts / Christophe Weyn
  • 2. DEAD GIVEAWAY Security has always been very important. But we may rely on infrastructure too much (eg. proxies, firewalls, ..).
  • 3. CLOUD? Application Security becomes even more important in the cloud: Architect security in from the start. Maintain and evaluate security in all sprints. Maintain and evaluate security after deployment.
  • 4. HTTPS BY DEFAULT ! Google Gmail Facebook Twitter LinkedIn Yahoo
  • 5. HEADS UP “Inevitably, you’ll cry the first time you attempt to configure mutual authentication with SSL (aka two-way SSL).” * The Fifteen Minute Guide to Mutual Authentication
  • 6. Unless you pay attention right now :-)
  • 7. SSL Secure Socket Layer: protocol to ensure secure transactions between web servers and browsers. CERTIFICATES Different types exist: X509, PGP, SDSI, ...
  • 8. X509 X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280.
  • 9. DIFFERENT X509 CHARACTERISTICS ENCODINGS DER = used for binary DER encoded certificates. PEM = used for X509 files which contain Base64 encoded data .
  • 10. DIFFERENT X509 CHARACTERISTICS EXTENSIONS CRT = common extension for certificates. CER = alternative extension for certificates. (Microsoft convention) KEY = extension used for public / private PKCS#8 keys. PKCS#8: PKI standard used to carry private certificate keypairs PKCS#12: PKI standard 'container' used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.
  • 11. CONVERSION WITH OPENSSL PEM TO DER
    openssl x509 -in cert.crt -outform der -out cert.der
  • 12. CONVERSION WITH OPENSSL DER TO PEM
    openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
  • 14. EXAMPLE EXPLAINED Subject: Identification of the certificate. Issuer: Government CA.
  • 15. CERTIFICATE AUTHORITY Instance that issues digital certificates. A trusted third party, trusted by both the subject (owner) and the party relying upon the certificate. Over 50 root certificates in current browsers. (eg. by Comodo, Symantec, ..)
  • 16. VALIDITY Date From. Date Till. Beware of Certificate Revocation (CRL). eg. improperly issued, compromised, ..
  • 19. EXAMPLE EXPLAINED Used to obtain the root CA certificate.
  • 20. MORE IN DETAIL Certificate "trsprt-acpt" Issuer CN = Subject CN of "Government CA" Certificate "Government CA" Issuer CN = Subject CN of "Belgium Root CA2" Certificate "Belgium Root CA2" Issuer CN = Subject CN
  • 21. ROOT CERTIFICATE Issuer CN = Subject CN. Self-signed certificate.
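The two relations slides 20 and 21 describe (Issuer CN of one certificate equals Subject CN of the next, and the root's issuer equals its own subject) can be checked mechanically. The following is an added Java example, not code from the slides or the demo project; it assumes a PEM file `chain.pem` (an assumed path) holding the chain in the order a server sends it, leaf first and root last, and it verifies each certificate's signature with the public key of the certificate above it. It also applies the validity window from slide 16, but it does not consult a CRL, so a revoked but otherwise well-formed chain still passes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example: walk an X.509 chain and check name chaining, signature chaining and validity. */
public class ChainWalker {

    /** Reads every PEM-encoded certificate in the file, in file order (leaf first, root last). */
    public static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /**
     * Returns true only if every link holds: each certificate is inside its validity window,
     * its Issuer DN equals the next certificate's Subject DN, and its signature verifies under
     * the next certificate's public key. The last certificate is checked against itself,
     * which is exactly the self-signed root of slide 21.
     */
    public static boolean verifyChain(List<X509Certificate> chain) {
        if (chain.isEmpty()) {
            return false;
        }
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            boolean isRoot = (i == chain.size() - 1);
            X509Certificate issuer = isRoot ? cert : chain.get(i + 1);

            // Slide 16: "Date From" / "Date Till". CRL status is NOT checked here.
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                System.out.println("not valid now: " + cert.getSubjectX500Principal() + " (" + e.getMessage() + ")");
                return false;
            }

            // Slide 20: Issuer of this certificate must name the Subject of the one above it.
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                System.out.println("issuer mismatch: " + cert.getIssuerX500Principal()
                        + " != " + issuer.getSubjectX500Principal());
                return false;
            }

            // The name match alone proves nothing; the signature must verify under the issuer's key.
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                System.out.println("signature check failed for " + cert.getSubjectX500Principal() + ": " + e);
                return false;
            }

            System.out.println((isRoot ? "root (self-signed): " : "link ok: ")
                    + cert.getSubjectX500Principal() + " <- " + issuer.getSubjectX500Principal());
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "chain.pem"; // assumed location of the PEM chain
        List<X509Certificate> chain = loadPemChain(path);
        System.out.println(verifyChain(chain) ? "chain OK" : "chain BROKEN");
    }
}
```

Run it with `java ChainWalker chain.pem`. Because the root is checked against itself, a chain whose last certificate is not self-signed (an intermediate that a server forgot to pair with its root) fails the issuer comparison, which is the same situation the PKIX "unable to find valid certification path" error on slide 48 reports from inside the JVM.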
  • 22. KEYSTORES A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates - used for instance in SSL encryption. * Wikipedia
  • 23. KEYSTORE Contains public/private keypairs. The private key is accompanied by a certificate chain for the corresponding public key. Decryption based on private key. Used for certificate validation (, signing).
  • 24. SIGNSTORE Same as keystore, but only used for signing.
  • 25. SYMMETRIC STORE Decryption + encryption, based on same symmetric key.
  • 26. TRUSTSTORE Signature verification. Encryption based on public key. Used to store certificates of parties you trust.
  • 29. 1-WAY SSL The server is required to present a certificate to the client but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server will accept a connection from any client.
  • 30. 2-WAY SSL The server presents a certificate to the client and the client presents a certificate to the server.
  • 31. BEST PRACTICES DO NOT USE JVM PARAMETERS
    -Djavax.net.ssl.trustStore=XX -Djavax.net.ssl.trustStorePassword=XX
    Obvious Security Risk.
  • 32. BEST PRACTICES DO NOT USE DEFAULT CACERTS One day, you will upgrade or migrate, .. and forget about it.
  • 33. BEST PRACTICES KEEP IT REALLY SIMPLE You will probably not be the one maintaining it. Use a different keystore for each: Platform (DEV, UAT, PRD). Functionality: keystore, signstore, truststore.
  • 34. BEST PRACTICES DO NOT SHARE YOUR PRIVATE KEY Obvious Security Risk.
  • 35. DEMO APPLICATION https://bitbucket.org/elvinno/security-brown-bag.git SOAP messages over secured SSL connection. Do not confuse with signing a SOAP message using an X.509 Certificate!
  • 36. DEMO APPLICATION MODULES Server: BrownBagServicePublisher.java Client: Client.java
  • 37. PREREQUISITE FOR RUNNING THE DEMO Create client & server public/private keypairs and certificates. In this demo we'll be using java keytool to create a keystore with generated keypairs. In a production environment certificates must be created/requested by the application manager. Afterwards these certificates can be imported into a keystore using java keytool.
  • 38. SERVER KEYPAIR Create server keystore & generate certificate with java keytool. Use common name: server.security.brownbag.hp.com
    $ keytool -genkey -keyalg RSA -alias sec_server -keystore server_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore server_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_server, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:F1:2E:14:27:F7:33:FB:2E:C0:9F:41:74:8C:BE:D0
    CN: server.security.brownbag.hp.com must be used to connect to the server. Java SSL context compares the name of the CN with the connection address. => Adjust in TCP hosts file!
  • 39. CLIENT KEYPAIR Create the client keystore
    $ keytool -genkey -keyalg RSA -alias sec_client -keystore client_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore client_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_client, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:47:89:72:9A:5D:0E:30:EB:09:C1:14:F6:79:48:85:49:24
  • 40. SERVER Run main method in BrownBagServicePublisher.java Has a keystore with a certificate & private key Has a truststore containing the client certificate
  • 41. CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS Extract certificate from client keystore. Import client certificate into the truststore.
    $ keytool -export -keystore client_keystore.jks -alias sec_client -file sec_client.crt -storepass changeit
    $ keytool -import -file sec_client.crt -alias sec_client -keystore server_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_client, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:47:89:72:9A:5D:0E:30:EB:09:C1:14:F6:79:48:85:49:24
  • 42. TEST SERVER WITH FIREFOX How-to: Accept self signed certificate warning in Firefox. Import client certificate & private key from PKCS#12 file in Firefox's personal certificates. Create PKCS#12 file: client_keystore.p12
    $ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias sec_client -destalias sec_client -srckeypass changeit -destkeypass changeit -noprompt
  • 43. THE JAVA CLIENT Run main method in Client.java Has a keystore with the client certificate & private key Has a truststore containing the server certificate Uses the spring-ws framework
  • 44. CREATE THE CLIENT TRUSTSTORE Extract certificate from server keystore. Import server certificate into the truststore.
    $ keytool -export -keystore server_keystore.jks -alias sec_server -file sec_server.crt -storepass changeit
    $ keytool -import -file sec_server.crt -alias sec_server -keystore client_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_server, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:F1:2E:14:27:F7:33:FB:2E:C0:9F:41:74:8C:BE:D0
  • 45. JAVA CODE Init keystore & truststore in java code. Configure SSLContext for the JVM.
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
            CertificateException, UnrecoverableKeyException, KeyManagementException {
        final String KEYSTORE = "/path/to/keystore.jks";
        final String TRUSTSTORE = "/path/to/truststore.jks";
        final String KEYSTORE_PASS = "changeit";

        // Load the keystore: our own certificate chain and private key
        KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            keyStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());

        // Load the truststore: certificates of the parties we trust (no private keys needed)
        TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        trustFactory.init(trustStore);

        // Configure SSLContext for the JVM ("TLS" is the protocol name current JDKs expect; the slide used "SSL")
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
        SSLContext.setDefault(context);
    }
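Slides 29 and 30 describe 1-way versus 2-way SSL and slide 45 shows how to load a keystore and a truststore into an SSLContext; the following added Java example, which is not code from the slides or from the demo project, puts both together over plain sockets so the handshake can be watched end to end in one JVM. It assumes the four JKS files created on slides 38 to 44 (server_keystore.jks, server_truststore.jks, client_keystore.jks, client_truststore.jks, all with the password changeit) and that the server CN server.security.brownbag.hp.com resolves to 127.0.0.1 via the hosts file, as slide 38 requires. Unlike slide 45 it never calls SSLContext.setDefault: each side gets its own context, which keeps the keystore-per-functionality rule of slide 33 enforceable in code.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example: 2-way SSL over raw sockets, one SSLContext per side. Not the demo application's code. */
public class MutualTlsDemo {

    // Assumed: the JKS files and the "changeit" password from the keytool slides.
    static final char[] PASS = "changeit".toCharArray();
    // CN chosen on the server keypair slide; must be what the client dials (hosts file -> 127.0.0.1).
    static final String SERVER_NAME = "server.security.brownbag.hp.com";

    /** keystore = who I am (private key + chain), truststore = whom I accept. Returned, never set as JVM default. */
    public static SSLContext buildContext(String keystorePath, String truststorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) { ts.load(in, PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = buildContext("server_keystore.jks", "server_truststore.jks");
        SSLContext clientCtx = buildContext("client_keystore.jks", "client_truststore.jks");

        // Server side. setNeedClientAuth(true) is the 2-way SSL of slide 30: a client that presents no
        // certificate, or one that is not in server_truststore.jks, is rejected during the handshake.
        // With false this would be the 1-way SSL of slide 29, where any client is accepted.
        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        listener.setNeedClientAuth(true);
        int port = listener.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                // getPeerCertificates() returns the client chain only because client auth was required.
                X509Certificate clientCert = (X509Certificate) s.getSession().getPeerCertificates()[0];
                PrintWriter out = new PrintWriter(s.getOutputStream(), true);
                out.println("hello " + clientCert.getSubjectX500Principal().getName());
            } catch (Exception e) {
                System.err.println("server: " + e); // untrusted or missing client certificate lands here
            }
        });
        serverThread.start();

        // Client side. Dial the server by its CN and switch on endpoint identification so the JVM
        // compares the certificate name with the host we connected to, as slide 38 describes.
        try (SSLSocket client = (SSLSocket) clientCtx.getSocketFactory().createSocket(SERVER_NAME, port)) {
            SSLParameters params = client.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            client.setSSLParameters(params);
            client.startHandshake(); // fails here if server cert is not in client_truststore.jks
            BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
            System.out.println("client got: " + in.readLine());
        }
        serverThread.join();
        listener.close();
    }
}
```

Running it with -Djavax.net.debug=ssl (slide 46) shows the CertificateRequest the server sends because of setNeedClientAuth(true) and the client's Certificate message in reply. Removing sec_client from server_truststore.jks reproduces the "Remote host closed connection during handshake" failure of slide 49 on the client and the rejection on the server thread, which is the quickest way to confirm that the server really is enforcing client authentication rather than silently accepting anyone.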
  • 46. TROUBLESHOOTING Use the system property: -Djavax.net.debug=ssl
  • 47. CLIENT EXCEPTION
    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    Truststore is not found.
  • 48. CLIENT EXCEPTION
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Server certificate not found in truststore. Server certificate expired or revoked.
  • 49. CLIENT EXCEPTION
    I/O error: Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    I/O error: Connection reset; nested exception is java.net.SocketException: Connection reset
    The server doesn't trust the client, client certificate not in server truststore. The client is sending the wrong certificate to the server. Or a technical error...