Sitemap | Japanese
Java SSL - sslecho
SSL socket communication with client
certificate
Download: sslecho.zip
Introduction
SSL socket (JSSE) is included standard with Java 2 Standard Edition 1.4.x. The developer can easily protect his/her own network service with SSL as well as easily connect to an SSL-based Web server (specify "https:" for URL class, or use
HTTPSConnection class).
A notable point of this sample is that the client side also supplies its public key certificate. In SSL communication, the server side always presents its certificate, the client can assure identify of the server. Usually, however, the client need not present its certificate, the server usually does not perform authentication of the client. In this sample, the client also supplies its certificate, authentication is done in both direction, which are effective in a situation where higher security is required.
I took some sample code in O'Reilly's "Java Network Programming" written by Elliotte Rusty Harold as a staring point.
Files
server/server.class Execution file for server <- Deleted (please compile) server/server.java Source file for it
server/server.jks Keystore holding server's private key (example) server/server.cer Public key certificate for that private key (example) server/clients.jks Trustsotre of certificates that the server trusts
client/client.class Execution file for client <- Deleted (please compile) client/client.java Source file for it
client/client.cer Public key certificate for that private key (example) client/servers.jks Trustsotre of certificates that the client trusts
sslecho.html This page
Execution
Run the server on one machine, and run the client on another machine. You can run both on the same machine.
Change directory to "server" before running the server, and "client" before running the client.
[Server]
C:\SSLECHO> cd server
C:\SSLECHO\SERVER> java server [Client]
C:\SSLECHO> cd client
C:\SSLECHO\CLIENT> java client -host <server-name>
<server-name> is the name or IP address of the machine where the server is running. Specify "localhost" for <server-name> if you use one machine for running both. The server can handle any number of clients at the same time.
When the connection is made, characters typed at the client are sent by lines, and the server returns the same characters to the client. These are displayed on the client screen. To quit, type a line only with a period (.) at the client.
server = www.ssjava.net:7000 factory created socket created sender started receiver started handshake completed getCipherSuite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA getProtocol: TLSv1 getPeerHost: www.ssjava.net
Cert #0: CN=Sample echo server, OU=Tech, O=Kobu.Com, ... Hello server
Hello server Bye bye server Bye bye server .
sender exit .
receiver exit
By default, a certificate is presented only by the server. If you specify "-clientauth" option, the client must also present its certificate for successful connection.
[Server]
[Client]
C:\SSLECHO\CLIENT> java client -host <server-name> -clientauth
Recompile
Here is how to recompile the server and client source respectively.
[Server]
C:\SSLECHO\> cd server
C:\SSLECHO\SERVER> javac server.java [Client]
C:\SSLECHO\> cd client
C:\SSLECHO\CLIENT> javac client.java
Creating keystore and truststore.
In this sample, as you can see in the list of files, files necessary for operation of an SSL application are already there.
Here is description of how to create these files. See the description of "keytool" in the document for tools included in Java.
Preparation of server-side certificate (mandatory)
First, create a private key for the server in the server's private key storage (called keystore).
The next example creates a private key named "server" (called alias) in a keystore named "server.jks." In the sample code, single password of "changeit" is used for all keystores and private keys.
keytool -genkey -keystore server.jks -alias server
Next, extract the public key for the private key created above in a certificate file called "server.cer."
keytool -export -keystore server.jks -alias server -file server.cer
At last, add this server certificate to the storage of trustable public key certificates (called truststore) used by the client.
Here, store the certificate saved in file "server.cer" in the truststore named "servers.jks" and give the name of "server1" to the certificate.
keytool -import -keystore servers.jks -alias server1 -file server.cer
Place the server's keystore (singular "server.jks") in the same directory as "server.class."
"client.class."
Notes:
Keytool generates a DSA algorithm key pair by default. RSA keys are used in SSL-based Web servers. Specify "-keyalg RSA" for keys in the SSL certificate. Keytool outputs a binary-format certificate file by default. To output in an RFC1421 text-format, specify "-rfc." You don't have to specify the format when you import a certificate.
Preparation of client-side certificate (when -clientauth is used)
The procedures are the same as in the case of the server certificate.
First, create a client's private key (aliased as "client") in the client's keystore ("client.jks").
keytool -genkey -keystore client.jks -alias client
Next, extract the public key certificate in "client.cer."
keytool -export -keystore client.jks -alias client -file client.cer
Add this certificate to the server's truststore (clients.jks) with the name of "client1."
keytool -import -keystore clients.jks -alias client1 -file client.cer
Place the client's keystore (singular "client.jks") in the same directory as "client.class."
Place the truststore (plural "clients.jks") for the server in the same directory as "server.class."
Locations of default keystore and truststore
This sample uses the private key storage (keystore) and certificate storage
(truststore) in the same directory as the class file so that you don't have to change the existing Java settings.
However, if you place the truststore in the location of JSSE default
(<java.home>/jre/lib/security/jssecacerts), you don't have to explicitly specify the store location as in the sample code.
Certificates bundled with this sample are self-signed certificates created by
Kobu.Com with the above procedures. If you are going to use certificates signed by the third party (certificate authorities such as Verisign and Tharte), the authority's certificate must be in your truststore. Instead, the certificate in question need not be in the truststore. Certificates of some famous certificate authorities are already in the Java's default truststore (<java.home>/jre/lib/security/cacerts).
See the Java documents related to security and the JSSE reference manual for detail.
Reference
O'Reilly "Java Network Programming, 2nd Edition" Elliotte Rusty Harold Java document "Java Secure Socket Extension (JSSE) Reference Guide" (docs/guide/security/jsse/JSSERefGuide.html)
Java document "keytool - Key and Certificate Management Tool" (docs/tooldocs /windows|solaris/keytool.html)
Written: Apr 28, 2003
Written by: ARAI Bunkichi
Presented by: Kobu.Com (www.kobu.com/en)
The published sample code is a prototype and is not complete.
Please refrain from duplicating the sample code and its document in another place.