7/28/2019 18-SSL_52

1/52

1

1

SSLSSL(Secure Socket Layer)(Secure Socket Layer)

This session is about how to use SSL for deploying web applicationssecurely over Tomcat.

By deploying web applications securely using SSL, I mean two specificthings. First, data confidentiality between browser and the web server. Forexample, if you are sending sensitive information such as your credit cardnumber to a web server, you want to make sure nobody can read it while it is

being transported on the wire. As we talked about in Web applicationSecurity session, SSL can be used to achieve this data confidentiality. Thesecond thing I am talking about is client certificate authentication. Againhere SSL can be used.

02/28/2006

7/28/2019 18-SSL_52

2/52

2

2

Sang ShinSang Shinsang.shin@sun.comsang.shin@sun.com

www.javapassion.com/j2eewww.javapassion.com/j2ee

Technology EvangelistTechnology EvangelistSun Microsystems, Inc.Sun Microsystems, Inc.

02/28/2006

7/28/2019 18-SSL_52

3/52

3

3

Disclaimer & Acknowledgments

? Even though Sang Shin is a full-time employeeof Sun Microsystems, the contents here arecreated as his own personal endeavor and thusdoes not reflect any official stance of SunMicrosystems.

? Sun Microsystems is not responsible for anyinaccuracies in the contents.

? Acknowledgments

All examples in this presentation is from JavaWSDP

02/28/2006

7/28/2019 18-SSL_52

4/52

4

4

Revision History? 01/22/2002: version 1, contents created with speaker notes (Sang)

? 10/26/2004: version 2, slides of JSSE are added (Sang)

02/28/2006

7/28/2019 18-SSL_52

5/52

5

5

Agenda

? What is SSL?

? What is Certificate?

? SSL support in Tomcat

? Steps of Installation/Configuration of SSLHTTPS Connector over Tomcat

? Browser and Certificates

So this is what we are going to talk about in this30 minutes session.

First, we will talk about what SSL is first, then we will talk aboutwhat a certificate is. We already talked about what a certificate is inSecurity Basics presentation. So this is a bit of rehash. SSL uses

public/private key scheme and understanding what a certificate is as acontainer of a public key and other information is important tounderstand SSL.

Then we will talk about how SSL can be supported over Tomcat andgo over the steps you will take in order to install and configure SSLconnector. And then we will talk about how a browser recognizes andmaintains server certificates that it receives when it accesses the SSL-

protected web page.

If you don't understand what I am talking about right now, don't beconcerned. We will go over each of these topics in rather detail in this

presentation, and you will have relatively good understanding onthese at the end of this presentation.

02/28/2006

7/28/2019 18-SSL_52

6/52

6

6

What is SSL?What is SSL?

So let's talk about what SSL is first.

02/28/2006

7/28/2019 18-SSL_52

7/52

7

7

SSL (Secure Socket Layer)

SSL stands for Secure Socket Layer. The primary security service SSLprovides is protection of data while the data is on the wire. That is, thedata can be sent over the wire in encrypted form using SSL, thus providesdata confidentiality.

02/28/2006

7/28/2019 18-SSL_52

8/52

8

8

Secure Socket Layer (SSL)? By far, the dominant security technology

on the web

? Transport layer security HTTPS is HTTP over SSL

? Responsible for the emergence ofe-commerce, other security sensitive

services on the web

? Beneficiary of several years of publicscrutiny

SSL is the dominant security technology especially over the web. Prettymuch all secure communications over the web is based on SSL.

SSL is transport layer security over TCP/IP. So any TCP/IP applicationcan be protected by using SSL. For example, FTP communication or

Telnet or HTTP communication can be protected by using SSL. By theway, you might have heard HTTPS. It stands for HTTP over SSL.

SSL is so popular on the web right now and I would even claim SSL ispartly responsible for the emergence of e-commerce and other securitysensitive services over the web. Well.. SSL has its own limitations,however, especially under the context of web services. But for now, SSLis the only option for doing any kind of sensitive transactions over the web.

And SSL has gone through many years of usage and pretty much all theproducts out there support it.

02/28/2006

7/28/2019 18-SSL_52

9/52

9

9

SSL runs over TCP

source:java.sun.com

02/28/2006

7/28/2019 18-SSL_52

10/52

10

10

Why SSL? SSL Provides ...? Confidentiality (Privacy)

? Data integrity (Tamper-proofing)

? Server authentication (Proving a serveris what it claims it is) Used in typical B2C transaction

? Optional client authentication Would be required in B2B (or Web services

environment in which program talks to

program)

So what does SSL provide?

First, as was mentioned, SSL provides confidentiality of the data while it is onthe wire. We are talking about privacy or confidentiality of the data.

SSL also supports data integrity, which is also called as tamper-proofing. Thisis done as part of digital signing.

In a typical secure communication between your browser and the web server,for example, when you check out and ready to send your credit card number toa online shopping site, for example, amazon.com, the secure communication

between the browser and the web server gets started with so-called serverauthentication. That is, when you are sending your credit card information toamazon.com, you want to make sure the amazon.com you think it is is reallyamazon.com. So server authentication proves the identity of amazon.com toyour browser.

Optionally, you can do client authentication. In this case, the server wants tomake sure the client is what it claims it is. In a typical B2C environment, theserver does not usually send any sensitive information to the browser so there isless need for proving the client identity. In B2B or Web services environmentin the future, this will change.

02/28/2006

7/28/2019 18-SSL_52

11/52

11

11

SSL and Security Keys? Uses public/private key (asymmetric)

scheme to create secret key(symmetric)

? Secret key is then used for encryptionof data SSL operation is optimized for performance:

Using symmetric key for encryption is a lot

faster than using asymmetric keys

We talked about, during the session Security Basics presentation, howkeys are used in the context of cryptographic process. We also talkedabout there are two key schemes: public/private key scheme and secret keyscheme. The public/private key scheme is called asymmetric while secretkey scheme is called symmetric. We also learned that public/private key

operation is very expensive from the performance standpoint.

Now SSL uses both public/private key and secret key schemes. We willsee how these keys are created and used in the following slides. But

basically SSL uses public/private key to create what is called a secretsession key. And public/private key scheme is used for authenticationwhile the secret session key is used for encryption.

02/28/2006

7/28/2019 18-SSL_52

12/52

12

12

SSL Key Exchange (Simplified)

Server

This picture shows a simplified view on how SSL works.

First, the client, in this case, the browser, accesses the web server. And wealready learned during the Web application security session, how this

secure communication gets started. The web server then sends its publickey in the form of certificate. Please note that the certificate containsserver's public key.

After making sure the server's public key that it received is a valid one, theclient then creates a so called a premaster key and encrypts it using server's

public key and sends it to the server. Because the premaster key isencrypted with server's public key, only the server can decrypt it. Theserver then creates a secret session key which will be used for encryptingdata for any further data exchange between the browser and the server.

There is a few more things that happens in this handshake but this isbasically the guts of SSL handshake.

02/28/2006

7/28/2019 18-SSL_52

13/52

13

13

SSL Key Exchange Steps

1.SSL client connects to an SSL server

2.Server then sends its own certificate thatcontains its public key

3.Client then creates a random key (premasterkey) and uses server's public key to encrypts it

4.Client then sends encrypted premaster key tothe server

5.Server then decrypts it and uses decrypted

premaster key to create secret session key6.Now both client and server uses secret session

key for further communication

So this is the repeat of what I just said in the previous slide. (Please readthe slide.)

02/28/2006

7/28/2019 18-SSL_52

14/52

14

14

Negotiable Encryption Algorithms

? Not all clients and servers use sameencryption and authentication algorithms

? SSL client and server negotiatesencryption and decryption algorithms(cipher suites) during their initialhandshake Connection will fail of they do not have common

algorithms

Among the features of SSL that have made it the de facto standard vehiclefor secure e-commerce

transactions is its support for negotiable encryption andauthentication algorithms. The designers

of SSL realized that not all parties will use the same client

software and consequently not allclients will include any particular encryption algorithm. Thesame is true for servers. The client and

server at the two ends of a connection negotiate the encryptionand decryption algorithms (cipher

suites) during their initial handshake. It may turn out that theydo not have sufficient algorithms in

common, in which case the connection attempt will fail

02/28/2006

7/28/2019 18-SSL_52

15/52

15

15

SSL Handshake Protocol

1.ClientHello: The client sends the server information such as SSL protocol version, session id,and cipher suites information such cryptographic algorithms and key sizes

supported.2.ServerHello: The server chooses the best cipher suite that both the client and

server supportand sends this information to the client.

3.Certificate: The server sends the client its certificate which contains the server's

public key.While this message is optional, it is used when server authentication is required.

In other

words, it is used to confirm the server's identity to the client.4.Certificate Request: This message is sent only if the server requires the client to

authenticate

itself. Most e-commerce applications do not require the client to authenticateitself.

5.Server Key Exchange: This message is sent if the certificate, which contains the

server'spublic key, is not sufficient for key exchange.

6.ServerHelloDone: This message informs the client that the server finished the

initialnegotiation process.

7.Certificate: This message is sent only if the server requested the client to

authenticate itself.8.Client Key Exchange: The client generates a secret key to be shared between the

client and

server. If the Rivest-Shamir-Adelman (RSA) encryption algorithm is used, theclient encrypts

the key using the server's public key and sends it to the server. The server uses

its privateor secret key to decrypt the message and retrieves the shared secret key. Now,

client and

server share a secret key that has been distributed securely.

9.Certificate Verify: If the server requested to authenticate the client, this message

02/28/2006

7/28/2019 18-SSL_52

16/52

16

16

SSL and Encryption? You need only server's certificate in

order to have encrypted data transfer This is the reason why you don't need to install

client certificate on your browser in order tosend your credit card number securely

Now I just want to repeat a key aspects of SSL one more time so that youfolks get clear understanding how it works.

As mentioned before, SSL is used for both encryption and authentication.For encryption, you need a certificate from only one side. In a typical B2C

communication, it is the server's certificate that is used. This is the reasonwhy you can still send your credit card information to amazon.com evenwithout installing client certificate on your browser.

02/28/2006

7/28/2019 18-SSL_52

17/52

17

17

SSL and Authentication? Server authentication

Server needs to provide its own certificate to aclient in order to authenticate itself to the client

A Web server typically has a CA-signedcertificate and it provides it to its clients

? Client authentication Client needs to provide its own certificate to a

server in order to authenticate itself to the

server

? Mutual authentication

Another important security service SSL provides is authentication. Duringyour initial attempt to communicate with a Web server over a secureconnection, that server will present your Web browser with a set ofcredentials in the form of a server certificate. The purpose of the certificateis to verify that the server is who and what it claims it is.

Now in an internet environment, the server certificate is typically signed bywell-know certificate authority such as Verisign.

In some cases, the server may request a client certificate in order to verifythat the client is who and what it claims it is and that is known as clientauthentication.

And when both server authentication and client authentication areperformed using certificates, it is referred as mutual authentication.

02/28/2006

7/28/2019 18-SSL_52

18/52

18

18

SSL and Authentication? In a typical browser talking to web

server communication, only serverauthentication is needed When you send your credit card to a server,

you want to make sure the server is who it

claims to be

? In the future of B2B environment, client

certification would be also required

So just to repeat what has been said a couple of times already, in a typicalbrowser talking to a web server B2C communication, only the serverauthentication occurs. In the future of B2B communication or Webservices environment, where the difference between client and serverwould be blurring, both parties might have to authenticate themselves to

the other parties, thus mutual authentication would be required.

02/28/2006

7/28/2019 18-SSL_52

19/52

19

19

SSL and Web-tier Security? Encrypted password move from the

browser to the web server

? Encrypted data move between thebrowser and the web server

? Server authentication Done before encrypted data transfer occurs

? Client Authentication Not used in most cases

Again, I added this somewhat repeating slide to make sure you reallyunderstand how things work between a browser and the web server.

Between a browser and web server, any sensitive information should beencrypted. And examples of sensitive information include your password

and credit card number.

Server authentication has to occur before sensitive information getstransported from the browser to the server. And on the other direction,there is a less need for it in a typical B2C environment.

02/28/2006

7/28/2019 18-SSL_52

20/52

20

20

Certificates &Certificates &Keytool UtilityKeytool Utility

Now let's talk about how certificates are created and which tool you canuse to create so called self-signed certificates.

02/28/2006

7/28/2019 18-SSL_52

21/52

21

21

What is a Certificate?

? A certificate is like digital driver license

? A certificate is cryptographically signed and ispractically impossible for anyone else to forge

? A certificate can be purchased from (signed by)a well-known CA (Certificate Authority) likeVerisign (for a fee)

? A certificate can be self-signed whenauthentication over the internet is not really a

concern, that is only data privacy and integrityare important

A certificate is a digitally-signed statement from one entity (person,company, etc.), saying that the public key (and some other information) ofsome other entity has a particular value. So in a sense, it is like digitalversion of your ID card such as driver's license.

The certificate is cryptographically signed and is practically impossible foranyone else to forge.

For sites involved in e-commerce, or any other business transaction in whichauthentication of identity is important, a signed certificate can be purchasedfrom a well-known Certificate Authority (CA) such as Verisign or Thawte.

If authentication is not really a concern, in other words, you only wants dataconfidentiality via encryption, then you can save the time and expenseinvolved in obtaining a CA certificate and simply use a self-signedcertificate. This is very important aspect you want to make sure you

understand.

02/28/2006

7/28/2019 18-SSL_52

22/52

22

22

What is Server Certificate?

? A certificate that contains information about theserver

Server's public key

Other misc. information

? Web server must have an associated certificatefor each external interface, or IP address, thataccepts secure connections

HTTP service of Tomcat will not run unless a server

certificate has been installed

So what is server certificate? A server certificate is a container thatcontains server's public key and other miscellaneous information.

Now as I said several times already, in a typical B2C communication,only server authentication occurs. That is, the web server sends its

own certificate to each browser that connects to it. So a web servermust have an certificate for any externally exposed interface forexample an IP address that accepts secure connections. In fact, this isthe reason why you have to install SSL package and HTTPSconnector to Tomcat, otherwise, no SSL operation would occur.

02/28/2006

7/28/2019 18-SSL_52

23/52

23

23

Why Server Certificate is Needed?

? Enables server authentication Verifies the server's identity to the client

Client would need to have an access to theserver certificate

Server sends server certificate as part of SSLkey handshake

HTTPS service of Tomcat would not work unlessa server certificate is installed

Certificates are used with the HTTPS protocol to authenticate Webservers to clients. (There is incorrect information in Java WSDPregarding this. ) The HTTPS service of the Tomcat server will not rununless a server certificate has been installed. Use the procedureoutlined in Java WSDP to set up a server certificate that can be used

by Tomcat to enable SSL.

02/28/2006

7/28/2019 18-SSL_52

24/52

24

24

keytool Utility

? A key and certificate management utility? Enables users to create and administer their own

public/private key pairs and associated certificates? Ships with JDK (Uses RSA-based JCE provider

as default)? Allows users to cache the public keys (in the form

of certificates) of their communicating peers? Stores the keys and certificates in a so-called

keystore

One tool that can be used in order to set up a Tomcat server certificate iskeytool, a key and certificate management utility. The keytool utility letyou create a self-signed certificate among others things it lets you do.

The keytool utility that ships with the J2SE SDK version also supports a

Java Cryptographic Extension provider that has implementations of RSAalgorithms. This provider enables you to import RSA-signed certificates.

It also enables users to administer their own public/private key pairs andassociated certificates for use in self-authentication (where the userauthenticates himself/herself to other users/services) or data integrity andauthentication services, using digital signatures.

It also allows users to cache the public keys (in the form of certificates) oftheir communicating peers.

The keytool stores the keys and certificates in a so-called keystore. Thedefault keystore implementation implements the keystore as a file. It

protects private keys with a password. For more information on keytool,read its documentation athttp://java.sun.com/j2se/1.4/docs/tooldocs/solaris/keytool.html.

02/28/2006

7/28/2019 18-SSL_52

25/52

25

25

SSL Support inSSL Support inTomcatTomcat

Now let's talk about how SSL is being supported in Tomcat.

02/28/2006

7/28/2019 18-SSL_52

26/52

26

26

SSL on Tomcat? You need the following modules

JSSE (Java Secure Socket Extension)

Server certificate keystore

An HTTPS connector

? You have to install and configure SSLHTTPS connector over Tomcat

You only need to configure Tomcat to take advantage of SSL supportwhen you are planning on running it as a stand-alone Web server.When you are planning to run Tomcat primarily as a JSP and JavaServlet container behind another Web server, such as Apache Webserver, it is usually necessary to configure the primary Web server to

handle the SSL connections from users. The communications betweenthe primary Web server and Tomcat do not need to be encrypted.

To install and configure SSL support on Tomcat, you need thefollowing three things

* Java Secure Socket Extension (JSSE)* A server certificate keystore* An HTTPS connector

02/28/2006

7/28/2019 18-SSL_52

27/52

27

27

JSSE

? Included in Java WSDP

/common/jsse.jar

? Provides Java packages that support SSL/TLS(jsse.jar)

? SSL supports Encryption, server authentication,message integrity over TCP/IP

Data over any application level protocol (HTTP,FTP, Telnet, ...) can be securely protected

? Based on Certificate-based (Public and Privatekey) security scheme

You need to have Java Secure Socket Extension (JSSE) packageinstalled in order for Tomcat to use SSL. JSSE is integrated into theJava WSDP.

JSSE is a set of Java packages that enables secure Internet

communications. These packages implement a Java version of SSL(Secure Sockets Layer) and TLS (Transport Layer Security) protocolsand include functionality for data encryption, server authentication,message integrity, and optional client authentication.

Using JSSE, developers can provide for the secure passage of databetween a client and a server running any application protocol (suchas HTTP, Telnet, NNTP, and FTP) over TCP/IP.

By default, the location of the jsse.jar file under Java WSDP is/common/lib/jsse.jar.

02/28/2006

7/28/2019 18-SSL_52

28/52

28

28

Steps of InstallingSteps of Installingand Configuringand ConfiguringSSL over TomcatSSL over Tomcat

Now let's go over the steps you will follow in order to install andconfigure SSL over Tomcat.

02/28/2006

7/28/2019 18-SSL_52

29/52

29

29

1. Generate a key pair and a

self-signed Server certificate

? keytool -genkey -keyalg RSA -alias tomcat

-keystore

? Enter password, fully-qualified name ofyour server, organizational unit,organization, etc.

? Tomcat is looking for the keystore to have

the name .keystore in the home directoryof the machine on which Tomcat is runningas a default

First, you want generate a public/private key pair and generate aserver certificate from the pair.

To generate the certificate, run the keytool utility as follows, setting with the name of your keystore file:

keytool -genkey -keyalg RSA -alias tomcat-keystore

Tomcat is looking for the keystore to have the name .keystore (dot -keystore) in the home directory of the machine on which Tomcat isrunning.

02/28/2006

7/28/2019 18-SSL_52

30/52

30

30

1.1 Example: keytool usageC:\>keytool -genkey -keyalg RSA -alias tomcat -keystore

\tmp\keyfile.keystoreEnter keystore password: changeitWhat is your first and last name? [Unknown]: localhostWhat is the name of your organizational unit?

[Unknown]: sunWhat is the name of your organization?

[Unknown]: mdeWhat is the name of your City or Locality?

[Unknown]: burlington

What is the name of your State or Province?[Unknown]: ma

What is the two-letter country code for this unit?[Unknown]: us

Is CN=localhost, OU=sun, O=mde, L=burlington, ST=ma, C=us correct?[no]: yes

Enter key password for (RETURN if same as keystore password):

This slide shows an example of creating a certificate.The keytool utility prompts you for the following information:# Keystore password--Enter a password. (You may want to use changeit to beconsistent with the default password of the J2SE SDK keystore.)

# First and last name--Enter the fully-qualified name of your server. This fully-qualified name includes the host name and the domain name. For testing purposeson a local machine, this will be localhost. (Yes, I know entering localhost asa value of first and last name is somewhat confusing.)# Organizational unit--Enter the appropriate value.# Organization--Enter the appropriate value.# City or locality--Enter the appropriate value.# State or province--Enter the unabbreviated name.# Two-letter country code--For the USA, the two-letter country code is US.# Review the information you've entered so far, enter Yes if it is correct.# Key password for Tomcat--Do not enter a password. Press Return.

02/28/2006

7/28/2019 18-SSL_52

31/52

31

31

2. Configure SSL Connector &

Restart Tomcat? By default, SSL HTTPS is not enabled in Tomcat? You enable and configure an SSL HTTPS

Connector on port 8443 in one of two methods

viaAdmintool

Modify (actually uncomment SSL connector

element) /conf/server.xml asdescribed in

? /docs/tutorial/doc/WebAppSecurity6.html#68482

? Restart Tomcat

By default, an SSL HTTPS Connector is not enabled in Tomcat. Youcan enable and configure an SSL HTTPS Connector on port 8443using either of the two mentioned above, either by using Admintool ormodifying the server.xml file manually. Then restart Tomcat.

Now let's take a look at each step in detail in the following slide.

02/28/2006

7/28/2019 18-SSL_52

32/52

32

32

2.1 Admintool

To configure an SSL Connector using admintool, you must first have created a keystoreas described in Setting Up a Server Certificate of Java WSDP. Tomcat will be lookingfor a keystore file named .keystore in the home directory of the machine on whichTomcat is running. When you have verified that you have created the .keystore file,follow these steps.

# Start Tomcat, if you haven't already done so.# Start admintool by entering http://localhost:8080/admin in a Web browser.# Enter a user name and password combination that is assigned the role of admin.# Select Service (Java Web Services Developer Pack) in the left pane.# Select Create New Connector from the drop-down list in the right pane.# In the Type field, select HTTPS.# In the Port field, enter 8443 (or whatever port you require). This defines the TCP/IP

port number on which Tomcat will listen for secure connections.# Enter the Keystore Name and Keystore Password if you have created a keystore filenamed something other than .keystore, if .keystore is located in a directory other than

the home directory of the machine on which Tomcat is running, or if the password issomething other than the default value of changeit. If you have used the defaultvalues, you can leave these fields blank. The home directory is generally/home/user_name on Unix and Linux systems, and C:\Documents andSettings\user_name on Microsoft Windows systems. Make sure you give the full pathname, for example, c:\Documents and Settings\boda\keyfile.keystore under Windows.# Select Save to save the new Connector for this session.# Select Commit Changes to write the new Connector information to the server.xml fileso that it is available the next time Tomcat is started.

02/28/2006

7/28/2019 18-SSL_52

33/52

33

33

2.2 SSL Connector Element in

server.xml

You can also configure HTTP Connector by changing the server.xml.

An example Connector element for an SSL connector is included inthe default server.xml. This Connector element is commented out bydefault. To enable the SSL Connector for Tomcat, remove the

comment tags around the SSL Connector element.

02/28/2006

7/28/2019 18-SSL_52

34/52

34

34

3. Verify SSL Support

? From the browser, go to https://localhost:8443/

? Port 8443 is where SSL connector iscreated

The next step is verifying if SSL is configured correctly.

For testing purposes, and to verify that SSL support has been correctlyinstalled on Tomcat, load the default Tomcat introduction page withthe following URL:

https://localhost:8443/The https in this URL indicates that the browser should be using theSSL protocol. The port of 8443 is where the SSL Connector wasconfigured in the previous step.

02/28/2006

7/28/2019 18-SSL_52

35/52

35

35

3.1 Example: Verify SSL Support

Now the first time a user accesses secure site, the New Site Certificatedialog displays.

What this dialog box is saying is that the browser has no knowledgeof this web server meaning the browser does not have any way to

verify if the server's certificate it received is in fact a valid one or not.This is because the server's certificate is the one that I created, that is,self-signed. If the certificate has been signed by well-knownCertificate Authority such as VeriSign, then the browser willautomatically will recognize that the public key is a valid one andwould not display this dialog box.

Now since the browser is not sure, it is asking the user to verify thevalidity of the certificate using a series of dialog box. So here it saysthat the web server's name is localhost and it receives a certificatefrom it. By the way, since we are running the server on the localhost,the name of the web server happened to be set to localhost. If theserver is a machine other than localhost, that machine's host namewill be displayed.

02/28/2006

7/28/2019 18-SSL_52

36/52

36

36

3.2 Example: Verify SSL Support

So the browser display a bit of information about the certificate itreceived so that you can make in intelligent decision whether toaccept this certificate or not. So here the browser found out that thecertificate was created for an organization entity called MDE andsigned by MDE and which encryption method is used. (By the way,

MDE stands for Market Development Engineering group within Sun.And since I work for MDE, I used it as a organization name when Icreated the self-signed certificate.)

02/28/2006

7/28/2019 18-SSL_52

37/52

37

37

3.3 Example: Verify SSL Support

Now it is asking if you are ready to accept this certificate. And youhave a choice to accept this certificate only for this session or foreveror you can certainly reject it.

02/28/2006

7/28/2019 18-SSL_52

38/52

38

38

3.4 Example: Verify SSL Support

This is another warning message. Basically what is saying is thatcertificate can be used in order to encrypt the information that is beingtransported between the browser and the web server. However, itdoes not protect it from fraud. That is, if in fact, this website is run bySadam Hussein, the information that you are exchanging with him can

be seen only by you and him, but you don't know what he will do withthe information you passed to him.

02/28/2006

7/28/2019 18-SSL_52

39/52

39

39

3.5 Example: Verify SSL Support

This is the final message.

02/28/2006

7/28/2019 18-SSL_52

40/52

40

40

Browser &Browser &CertificatesCertificates

We touched upon a bit how a browser deals with newly received certificatefrom a new web server it encounters for the first time. Let's talk aboutsome of the certificate management features of a typical browser. Thisexample is used using Netscape navigator.

02/28/2006

7/28/2019 18-SSL_52

41/52

41

41

Netscape: Certificates of CA's

If picture shows all the certificate authorities that the browser knowsabout. These are typically pre-installed by the browser vendor. Asyou can see, they include Verisign as one of the primary certificationauthorities.

02/28/2006

7/28/2019 18-SSL_52

42/52

42

42

Netscape: Certificates of Websites

This is the list of certificates from websites that this browser hasaccessed.

02/28/2006

7/28/2019 18-SSL_52

43/52

43

43

Netscape: Certificates of Other People

People certainly can use certificates as a way to communicate withyou, for example, through email, in a secure fashion. And this is thelist of people who sent you emails using certificates. Thesecertificates are mainly used for confidentiality only.

02/28/2006

7/28/2019 18-SSL_52

44/52

44

44

Netscape: Certificates of Yourself

This is the list of certificates you have installed yourself.

02/28/2006

7/28/2019 18-SSL_52

45/52

45

45

JSSEJSSE

Now let's talk a bit on Web services tools for J2EE.

02/28/2006

7/28/2019 18-SSL_52

46/52

46

46

What is JSSE?? Java API for Secure Sockets Layer

(SSL)

? Now standard part of J2SE 1.4

SSL 3.0 and TLS 1.0

? Supports

Encryption

Server authentication

Optional client authentication Data integrity

SSL was founded by netscape. IETF standardized it as TLS.

Provides security at the session layer. Uses the keys transparently.

02/28/2006

7/28/2019 18-SSL_52

47/52

47

47

Why JSSE?? 100% pure Java implementation

? Abstracts the complex underlyingcryptographic algorithms and thusminimizes the risk of creating subtle anddangerous security vulnerabilities

Uses algorithms, keys transparently

? Simple to use to create secure

application

SSL was founded by netscape. IETF standardized it as TLS.

Provides security at the session layer. Uses the keys transparently.

47

Why JSSE?? 100% pure Java implementation

? Abstracts the complex underlyingcryptographic algorithms and thusminimizes the risk of creating subtle anddangerous security vulnerabilities

Uses algorithms, keys transparently

? Simple to use to create secure

application

02/28/2006

7/28/2019 18-SSL_52

48/52

48

48

JSSE Framework? Supplements java.security and java.net

packages

? Provides javax.net and javax.net.sslpackages Extends networking socket classes, trust and

key managers, and a socket factory frameworkfor encapsulating socket creation behavior

SSL was founded by netscape. IETF standardized it as TLS.

Provides security at the session layer. Uses the keys transparently.

48

JSSE Framework? Supplements java.security and java.net

packages

? Provides javax.net and javax.net.sslpackages Extends networking socket classes, trust and

key managers, and a socket factory frameworkfor encapsulating socket creation behavior

02/28/2006

7/28/2019 18-SSL_52

49/52

49

49

SunJSSE Provider

? JSSE provider that comes with JDK 1.4.1

? Installed and pre-registered with the JavaCryptography Architecture

? Supplies implementations of the SSLv3.0 and TLS v1.0 as well as mostcommon SSL and TLS cipher suites getSupportedCipherSuites

getEnabledCipherSuites

setEnabledCipherSuites

The J2SE v1.4.1 release comes with a JSSE provider, SunJSSE, that comes installed andpre-registered with the Java Cryptography Architecture. Think of the SunJSSE

provider as the nameof the implementation. It supplies implementations of the SSL v3.0 and TLS v1.0

as well as mostcommon SSL and TLS cipher suites. If you wish to find the list of cipher suites that

are supported

by your implementation of SSL (SunJSSE in this case), make a call to thegetSupportedCipherSuites method in SSLSocket. Not all of these cipher suites,

however,

might be enabled. To find out which ones are enabled, call the methodgetEnabledCipherSuites. The list can be modified by calling

setEnabledCipherSuites.

02/28/2006

7/28/2019 18-SSL_52

50/52

50

50

JSSE Programming: Server Side

import java.io.*;

import javax.net.ssl.*;

public class Server {

int port = portNumber; SSLServerSocket server;

try {

SSLServerSocketFactory factory =(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

server =(SSLServerSocket)factory.createServerSocket(portNumber);

SSLSocket client = (SSLSocket) server.accept();

// Create input and output streams as usual// send secure messages to client through the

// output stream

// receive secure messages from client through// the input stream

} catch(Exception e) {}

}

Converting the previous program to use SSL is fairly trivial.

We use a SSLServerSocketFactory to get a factory which is used to create a socket associatedwith a port, which is then used to accept connections

50

JSSE Programming: Server Side

import java.io.*;

import javax.net.ssl.*;

public class Server {

int port = portNumber; SSLServerSocket server;

try {

SSLServerSocketFactory factory =(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

server =(SSLServerSocket)factory.createServerSocket(portNumber);

SSLSocket client = (SSLSocket) server.accept();

// Create input and output streams as usual// send secure messages to client through the

// output stream

// receive secure messages from client through// the input stream

} catch(Exception e) {}

}

02/28/2006

7/28/2019 18-SSL_52

51/52

51

51

JSSE Programming: Client Side

import java.io.*;

import javax.net.ssl.*;

public class Client {

...try {

SSLSocketFactory factory = (SSLSocketFactory)

SSLSocketFactory.getDefault();server =

(SSLServerSocket)factory.createServerSocket(portNumber);SSLSocket client =

(SSLSOcket) factory.createSocket(serverHost, port);

// Create input and output streams as usual// send secure messages to server through the

// output stream receive secure

// messages from server through the input stream} catch(Exception e) {

}}

Converting the previous program to use SSL is fairly trivial.

We use a SSLServerSocketFactory to get a factory which is used to create a socket associatedwith a port, which is then used to accept connections

51

JSSE Programming: Client Side

import java.io.*;

import javax.net.ssl.*;

public class Client {

...try {

SSLSocketFactory factory = (SSLSocketFactory)

SSLSocketFactory.getDefault();server =

(SSLServerSocket)factory.createServerSocket(portNumber);SSLSocket client =

(SSLSOcket) factory.createSocket(serverHost, port);

// Create input and output streams as usual// send secure messages to server through the

// output stream receive secure

// messages from server through the input stream} catch(Exception e) {

}}

02/28/2006

7/28/2019 18-SSL_52

52/52

52

Passion!Passion!

02/28/2006