ONJava.com -- The Independent Source for Enterprise Java

Secure Your Sockets with JSSE
Pages: 1, 2, 3, 4, 5

Generating a Server Certificate

Server certificates can be generated with a single keytool command. I used the following command to create an RSA certificate, referenced by the alias of jamie, and stored in a keystore named certs.

keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw

The keytool then prompted me for information to put into the certificate. My answers follow each [Unknown]: prompt.

What is your first and last name?
  [Unknown]: enpower
What is the name of your organizational unit?
  [Unknown]: Software Development
What is the name of your organization?
  [Unknown]: Toolery.com
What is the name of your City or Locality?
  [Unknown]: Chula Vista
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is <CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US> correct?
  [no]: y

Note that I used a keystore password of serverkspw and a key password of serverpw. Go ahead and use these same values for the time being. You can use a different alias if you like. Also, enter your own information for the certificate. I used my machine name (enpower) for the first and last name of the certificate. You should do the same. If your machine does not have a name, use its IP address. The enpower name is the name of my laptop's manufacturer.
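Before handing the keystore to a server, it is worth confirming what keytool actually wrote. The following is an added example, not code from the article: it assumes the certs keystore, the jamie alias and the two passwords used above, needs Java 9 or later, and the class name InspectServerCert is hypothetical.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Added example, not the article's code. Assumes the keystore "certs", the
// alias "jamie" and both passwords from the keytool command above; the class
// name InspectServerCert is hypothetical.
public class InspectServerCert {

    // Self-signed: subject equals issuer and the signature verifies under
    // the certificate's own public key, so no CA vouches for it.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // signed with some other key
        }
    }

    public static void main(String[] args) throws Exception {
        String alias = "jamie";
        // Detects the keystore format itself (Java 9+); a wrong store
        // password fails here with an IOException.
        KeyStore ks = KeyStore.getInstance(new File("certs"), "serverkspw".toCharArray());
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private-key entry for alias " + alias);
        }
        // A wrong key password fails here with UnrecoverableKeyException.
        Key key = ks.getKey(alias, "serverpw".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws if expired or not yet valid
        System.out.println("Subject:     " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal().getName());
        System.out.println("Key:         " + key.getAlgorithm()
                + (cert.getPublicKey() instanceof RSAPublicKey
                   ? " " + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() + " bits" : ""));
        System.out.println("Signature:   " + cert.getSigAlgName());
        System.out.println("Expires:     " + cert.getNotAfter());
        System.out.println("Chain length: " + ks.getCertificateChain(alias).length);
        System.out.println("Self-signed: " + isSelfSigned(cert));
    }
}
```

A result of Self-signed: true with a chain length of 1 is the same condition Internet Explorer reports on the Certification Path tab later in this walkthrough.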

A Secure Web Server

Now that we have a server certificate, all we need is a Java web server to take advantage of the certificate. Listing 4 provides an HTTP server that I've used in a few of my Java books. It is a fairly primitive server. I don't recommend using it for production systems. But it is small and works for simple HTTP-related examples.

Listing 5 provides a class named SecureServer that extends HTTPServer to provide support for SSL. As you can see, it is only about 50 lines. By following this example, you'll be able to see how easy it is to add SSL support to an existing HTTP application.

Compiling and Running SecureServer

Compile HTTPServer from within your working directory (the same one that contains cacerts). Then compile SecureServer. Next, create an HTML file named index.htm to be served in your directory. You can use the one shown in Listing 6 if you want.

Now start the server by entering java SecureServer from a console window. You may have to wait about a minute or two for the server to begin taking requests. The seeding of the secure random number generator slows things down. If you have a server currently running on port 443 (the HTTPS port), you'll have to disable it in order to get SecureServer to work.

When you run SecureServer, it will generate the following output.

SecureServer version 1.0
SecureServer is listening on port 443.

Now use a browser to establish an SSL connection to SecureServer. Since my machine name is enpower, I'll enter https://enpower/ in the Internet Explorer 5.5 address bar. Internet Explorer contacts SecureServer and tries to set up an SSL connection. SecureServer then sends IE its certificate. Because the certificate is not signed by a valid certificate authority, Internet Explorer displays the following popup.

Dialog box.

When I click on the View Certificate button, this dialog box appears.

Dialog box.

The above dialog explains why Internet Explorer balked at the certificate. If you click the Details tab, you can view the information that is contained in the certificate.

Dialog box.

If you click the Certification Path tab, you'll see that the certificate is self-signed.

Dialog box.

After clicking the OK button and accepting the certificate, Internet Explorer displays the following content.

Screen shot.

That's all there is to setting up server-side SSL. Next I'll discuss how SecureServer works and then show you how to set up SSL on the client side.
