Java security tutorial-create an SSL connection and Certificate

Tags: certificate, fingerprint, glassfish, ssl connection, netbeans

This article is translated from javacodegeeks by ImportNew-hejiani.

In our series of articles on Java EE security we now look in detail at how to create SSL connections and certificates for a Java EE application. As mentioned in the previous article, SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) secure the connection between the client and the web server; the client reaches web resources over HTTPS. Java provides a complete set of security APIs for establishing secure connections with clients and for sending and receiving messages in encrypted form:

  • JCA (Java Cryptography Architecture)
  • JCE (Java Cryptography Extension)
  • JSSE (Java Secure Socket Extension)

An SSL connection requires the web server to hold a digital certificate; the certificate is what lets the client decide whether the web application it is talking to is genuine. An application that needs to exchange encrypted traffic applies for a digital certificate from a CA (Certificate Authority). The CA verifies the applicant's ownership of the name and its other identity details, and then issues the certificate.
In a PKI (Public Key Infrastructure), a digital certificate issued by a CA contains:
  • the Distinguished Name (DN) of the owner, the certificate's Subject
  • a serial number that uniquely identifies the certificate within the issuing CA
  • the owner's public key
  • the issue date and the expiry date (the validity period)
  • the Distinguished Name of the issuing CA
  • the digital signature of the issuing CA over the rest of the certificate
  • the algorithm used to create that signature
The CA records the certificates it issues in its registry, so that a relying party can obtain the owner's public key and check it against what the CA vouched for.

How does the browser verify the reliability of applications or websites with certificates?

Browsers ship with a built-in trust store holding the root certificates of the major commercial CAs. When a site presents its certificate, the browser builds a chain from that certificate, through any intermediate CA certificates the server sends, up to a root in its store, and checks each signature, the validity dates and that the name in the certificate matches the host in the URL. Only if every step succeeds is the connection shown as trusted. The browser's certificate store lists which CA certificates it contains, and each CA's web site states which browsers carry its roots, which is how one checks whether a certificate from a given CA will be accepted by a given browser.

The following picture shows the certificate details for the sample web site http://abcgen.uk. The certificate states that the CA has verified the owner. It is issued to ABCGen Idiotechie plc and its Common Name is www.abcgen.uk.

Note: No real web site is referenced, for security reasons; the example is illustrative and only for learning purposes. Here the certificate was issued by VeriSign as "Class 3", VeriSign's own label for a certificate whose owner it has verified; this is a CA policy, not a PKI standard. The next item is the validity period. The fingerprints are not the public key: each one is a hash (here SHA-1 and MD5) of the DER-encoded certificate, used to identify a certificate out of band, for example when deciding whether to trust a self-signed certificate. Both algorithms are obsolete for this purpose, and current tools print SHA-256 fingerprints instead.

Certificate details

Certificate hierarchy: the first entry is the root certificate and the second is the Extended Validation (EV) issuing certificate beneath it. CAs offer EV certificates as a higher-assurance product that involves stricter vetting of the owner. The trust stores of all mainstream browsers include the root and EV CA certificates needed to validate such chains, which is what lets them judge the authenticity of a particular application.

Certificate hierarchy

I hope you have understood the general idea. Let's code it now.

Products Used
  • IDE: NetBeans 7.2
  • Java Development Kit (JDK): version 6
  • Glassfish server: 3.1
  • Authentication mechanism: form-based authentication
  • Authentication server: LDAP OpenDS v2.2
Target

Create an SSL connection between the web server and the client.

Step 1:

Create a server certificate on the Glassfish Server

Open a command prompt in Windows and change to the {domain_dir}/config directory, where {domain_dir} is the path of the Glassfish domain, for example C:\NetBeans\7.2\config\GF3\domain1\config. This directory already holds the domain's own keystore.jks and cacerts.jks, which the following commands extend.

Step 2:

Use the keytool command to generate a certificate. Keytool is a key and certificate management tool provided by Java SE 6. Run the following command:

    >keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

The command asks for the following details (the answers used here are shown after each prompt):

    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  idiotechie
    What is the name of your organization?
      [Unknown]:  idiotechie
    What is the name of your City or Locality?
      [Unknown]:  edinburgh
    What is the name of your State or Province?
      [Unknown]:  EDN
    What is the two-letter country code for this unit?
      [Unknown]:  GB
    Is CN=localhost, OU=idiotechie, O=idiotechie, L=edinburgh, ST=EDN, C=GB correct?
      [no]:  YES

The "first and last name" answer becomes the certificate's Common Name (CN), which is what the client compares with the host name in the URL. For local testing we use localhost, because that is the name under which the application server is reached; in production it must be the DNS name that clients will use.

Three things to know about this command before using it anywhere but a test machine: the JDK 6 keytool defaults to a 1024-bit RSA key and a 90-day validity period (hence the May to August dates in the output of the later steps), so pass -keysize 2048 and an explicit -validity; giving -storepass and -keypass on the command line leaves the passwords in the shell history, so omit them and let keytool prompt; and newer JDKs and browsers match the host name against a Subject Alternative Name rather than the CN, which keytool from JDK 7 onward can add with -ext san=dns:localhost.
Step 3:

Export the generated certificate to the file server.cer. The exported file contains only the certificate (the public key and the CA signature, here a self-signature), never the private key, so it is safe to hand to clients.

    >keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks
    Certificate stored in file <server.cer>
Step 4:

Add the certificate to the trust store file

    >keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
    Owner: CN=localhost, OU=idiotechie, O=idiotechie, L=edinburgh, ST=EDN, C=GB
    Issuer: CN=localhost, OU=idiotechie, O=idiotechie, L=edinburgh, ST=EDN, C=GB
    Serial number: 519e7165
    Valid from: Thu May 23 20:43:33 BST 2013 until: Wed Aug 21 20:43:33 BST 2013
    Certificate fingerprints:
             MD5:  34:B7:71:CD:C9:56:9A:EA:0C:F2:91:50:EA:7F:4B:64
             SHA1: AA:DE:EC:1B:27:8E:BC:3A:7A:82:8C:B7:FA:C3:AA:11:2F:97:1F:2C
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]:  YES
    Certificate was added to keystore
    [Storing cacerts.jks]

Owner and Issuer are identical, which is how a self-signed certificate shows itself. The "Trust this certificate?" prompt is the one point at which trust is actually established: before answering yes, compare the fingerprints shown with those of the certificate you exported, because from now on every client that uses this truststore will accept the server behind this certificate. Run in the domain's config directory, the command adds the entry to the Glassfish domain's existing cacerts.jks truststore; the -keypass option is irrelevant for an import because no private key is involved.
Step 5:

Verify that the key pair and its certificate were added to the keystore. The entry type PrivateKeyEntry confirms that this file holds the private key.

    >keytool -list -v -keystore keystore.jks
    Enter keystore password:
    Alias name: server-alias
    Creation date: 23-May-2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=localhost, OU=idiotechie, O=idiotechie, L=edinburgh, ST=EDN, C=GB
    Issuer: CN=localhost, OU=idiotechie, O=idiotechie, L=edinburgh, ST=EDN, C=GB
    Serial number: 519e7165
    Valid from: Thu May 23 20:43:33 BST 2013 until: Wed Aug 21 20:43:33 BST 2013
    Certificate fingerprints:
             MD5:  34:B7:71:CD:C9:56:9A:EA:0C:F2:91:50:EA:7F:4B:64
             SHA1: AA:DE:EC:1B:27:8E:BC:3A:7A:82:8C:B7:FA:C3:AA:11:2F:97:1F:2C
             Signature algorithm name: SHA1withRSA
             Version: 3

Step 6:

Check whether the certificate is successfully added to the trust store.

    >keytool -list -keystore cacerts.jks
    Enter keystore password:
    server-alias, 23-May-2013, trustedCertEntry,
    Certificate fingerprint (MD5): 34:B7:71:CD:C9:56:9A:EA:0C:F2:91:50:EA:7F:4B:64

At this point the certificate is present in both the keystore and the truststore, but the two files have different jobs. The keystore (keystore.jks) holds the server's private key together with its certificate; the truststore (cacerts.jks) holds only certificates, normally those of the CAs whose signatures we are willing to accept, and never a private key. This is the separation that matters: the keystore must be protected like any other secret, while the truststore contains nothing confidential and can be distributed freely. Because this example has no CA, the self-signed server certificate itself is what goes into the truststore; any client that uses this truststore will then accept exactly that certificate and nothing else.
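The following program is an added example and not part of the article's sample code. It opens the two files produced above (assumed to be keystore.jks and cacerts.jks in the working directory, password changeit) and prints, for every entry, its type, subject and issuer, whether it is self-signed (its own public key verifies its signature) and its SHA-256 and SHA-1 fingerprints. The fingerprints are computed the way keytool computes them, as a digest over the DER-encoded certificate rather than over the public key, so the SHA-1 line should match the SHA1 fingerprint keytool printed in steps 4 and 5. The class name is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Lists the entries of a JKS keystore and fingerprints each X.509 certificate. */
public class KeystoreInspector {

    /** keytool-style fingerprint: digest of the whole DER-encoded certificate, hex bytes joined by ':'. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** A certificate is self-signed when its own public key verifies its signature. */
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {   // bad signature, key mismatch or unsupported algorithm
            return false;
        }
    }

    static void inspect(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        System.out.println("== " + path + " (" + ks.size() + " entries)");
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // isKeyEntry: a private key lives here (keystore); otherwise a trusted certificate only (truststore)
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            System.out.println(alias + ": " + type);
            Certificate c = ks.getCertificate(alias);   // for a key entry: first certificate of the chain
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  Subject    : " + x.getSubjectX500Principal());
                System.out.println("  Issuer     : " + x.getIssuerX500Principal());
                System.out.println("  Valid      : " + x.getNotBefore() + " until " + x.getNotAfter());
                System.out.println("  SigAlg     : " + x.getSigAlgName());
                System.out.println("  Self-signed: " + isSelfSigned(x));
                System.out.println("  SHA-256    : " + fingerprint(x, "SHA-256"));
                System.out.println("  SHA-1      : " + fingerprint(x, "SHA-1"));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and password: the ones used in the keytool steps above.
        char[] pw = "changeit".toCharArray();
        inspect("keystore.jks", pw);   // expected: server-alias as PrivateKeyEntry
        inspect("cacerts.jks", pw);    // expected: server-alias as trustedCertEntry
    }
}
```

Run it from the domain's config directory with javac and java; it needs nothing beyond the JDK. Comparing the fingerprint printed for keystore.jks with the one printed for cacerts.jks is the programmatic form of the check keytool asks you to make by hand before answering "Trust this certificate?".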

Step 7:

Log on to the admin console. In the left-hand tree open Configurations -> server-config -> HTTP Service -> http-listener-2; http-listener-2 is the secure HTTPS listener on port 8181.
Open the SSL tab and change Certificate NickName to "server-alias", the alias of the key pair created in step 2, so that this listener presents our certificate instead of the domain's default one.

Application Server SSL settings

Step 8:

Restart the server.

All server-related configurations are now complete.

Now for the application code.

The only thing that needs to change is web.xml: set transport-guarantee from NONE to CONFIDENTIAL.

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

The CONFIDENTIAL protection mode is used when the application must prevent other parties from reading the transmitted content, so the container only serves the constrained resources over a secure connection (the value INTEGRAL, which only demands protection against tampering, is treated the same way by containers in practice).
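For reference, here is the complete security-constraint that the fragment above belongs in, as an added example rather than the article's own web.xml. The display name and the /* url-pattern are assumptions; an application that already has a security-constraint for its form-based login can simply add the user-data-constraint to that one.

```xml
<security-constraint>
  <display-name>Force HTTPS for the whole application</display-name>
  <web-resource-collection>
    <web-resource-name>SampleWebApp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Without an auth-constraint this constraint says nothing about who the user is, only how the bytes travel. The container enforces it by answering a plain-HTTP request with a redirect to the HTTPS listener, so the original request (URL, cookies, any form fields) has already crossed the network in the clear once; the login form and session cookies should therefore never be reachable over HTTP in the first place.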

Compile, deploy, and run the application.

Now, even if you enter the URL http://localhost:9999/SampleWebApp/index.jsp, the server redirects you to https://localhost:8181/SampleWebApp/index.jsp, because the CONFIDENTIAL transport guarantee tells the container that this resource may only be served over a secure connection. Because the server certificate is self-signed rather than issued by a CA, the browser shows an "untrusted security certificate" warning: its trust store contains the commercial root CAs but not our certificate, so no chain can be built from the certificate the server presents to a trusted anchor.
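The same thing happens to a Java client, and the right fix is the same as for the browser: give the client a truststore that contains the certificate rather than switching validation off. The program below is an added example, not part of the article's sample code. It first connects with the JRE's default truststore, where the handshake fails (typically with "PKIX path building failed"), and then with an SSLContext built from cacerts.jks, where it succeeds and prints the peer certificate. The URL, the file name cacerts.jks in the working directory, the password and the class name are assumptions taken from the steps above.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS client that trusts the server through an explicit JKS truststore (JSSE). */
public class TrustStoreClient {

    /** Builds an SSLContext whose trust anchors are the certificates in the given truststore. */
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(truststorePath);
        try {
            trust.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                               // PKIX trust manager over cacerts.jks
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key, default SecureRandom
        return ctx;
    }

    /** Fetches the URL; ctx == null means the JRE default truststore. */
    static void fetch(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        if (ctx != null) {
            conn.setSSLSocketFactory(ctx.getSocketFactory());
        }
        // Hostname verification stays at its default: CN=localhost must match the host in the URL.
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            if (c instanceof X509Certificate) {
                System.out.println("  peer cert: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
        BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
        try {
            System.out.println("  first line: " + r.readLine());
        } finally {
            r.close();
        }
        conn.disconnect();
    }

    public static void main(String[] args) throws Exception {
        String url = "https://localhost:8181/SampleWebApp/index.jsp";   // assumed, from the steps above
        try {
            // Default truststore: the self-signed server certificate is unknown, so the handshake fails.
            fetch(url, null);
        } catch (SSLHandshakeException e) {
            System.out.println("default truststore rejected the server: " + e.getMessage());
        }
        // Explicit truststore: cacerts.jks contains server-alias, so the chain validates.
        fetch(url, contextFor("cacerts.jks", "changeit".toCharArray()));
    }
}
```

The tempting shortcut, an X509TrustManager whose check methods do nothing, makes the client accept any certificate from anyone on the path and turns the SSL connection into an encrypted channel to an unknown party; the truststore approach above accepts exactly the certificates you have decided to trust and nothing else. The same effect without code is to start the JVM with -Djavax.net.ssl.trustStore=cacerts.jks and -Djavax.net.ssl.trustStorePassword=changeit.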

Secure applications

To stop the warning during testing, add the certificate to the browser's exception list; this is acceptable only on a test machine, because it teaches the browser to trust this one certificate without any CA behind it. You can view the certificate details of the sample application in Mozilla Firefox:

Localhost certificate details

I hope you understand how to create digital certificates and secure web applications.

Download Sample Code: link.
