Thursday, January 20, 2011

Create a SSL key value for Mutual Authentication

In order to be able to use mutual authentication, we need to do the following:
    • Create a client keystore.
    • Export the client certificate from the client keystore.
    • Import the client certificate to the server truststore.
    • Create a client truststore.
    • Export the server certificate from the server keystore.
    • Import the server certificate to the client truststore.
The examples in this section will use the GlassFish application server in its default configuration.
The GlassFish installation directory will be referred to as GLASSFISH_DIR. We also need to work
from some terminal window, since we need to use the keytool command to create and manipulate
key and truststores.
    •  Create a directory named “client” at some arbitrary location.
    •  Create a directory named “server” inside the “client” directory created in the previous step.
    •  Back up the cacerts.jks file located in the GLASSFISH_DIR/domains/domain1/config/
       directory.
    •  Copy the cacerts.jks file that you just backed up to the “server” directory.
    •  Back up the keystore.jks file located in the GLASSFISH_DIR/domains/domain1/config/
       directory.
    •  Copy the keystore.jks file that you just backed up to the “server” directory.
    •  Open a terminal window and go to the “client” directory.
    •  Using the keytool command, create the client keystore and key as follows. The questions
       ansked by the keytool program can be answered more or less arbitrarily, as long as you
       remember the alias of the key you generate.
 keytool -genkey -alias client -keypass changeit -storepass changeit -keystore
 client_keystore.jks
 What is your first and last name?
   [Unknown]: My Client
 What is the name of your organizational unit?
   [Unknown]: Client Org Unit
 What is the name of your organization?
   [Unknown]: Client Org
 What is the name of your City or Locality?
   [Unknown]: Client City
 What is the name of your State or Province?
   [Unknown]: Client State
 What is the two-letter country code for this unit?
   [Unknown]: US
                                                  235
Is CN=My Client, OU=Client Org Unit, O=Client Org, L=Client City, ST=Client State, C=US
correct?
  [no]: yes
   •  Using the keytool command, export the client certificate.
keytool -export -alias client -keystore client_keystore.jks -storepass changeit -file
client.cer
Certificate stored in file <client.cer>
   •  Import the client certificate to the server truststore.
keytool -import -v -trustcacerts -alias client -keystore server/cacerts.jks -keypass
changeit -file client.cer
Enter keystore password: changeit
Owner: CN=My Client, OU=Client Org Unit, O=Client Org, L=Client City, ST=Client State,
C=US
Issuer: CN=My Client, OU=Client Org Unit, O=Client Org, L=Client City, ST=Client State,
C=US
Serial number: 49cadb4c
Valid from: Thu Mar 26 19:33:00 CST 2009 until: Wed Jun 24 19:33:00 CST 2009
Certificate fingerprints:
       MD5: 00:E7:89:7B:FA:2D:65:21:CC:65:A8:AA:FF:FC:F7:2F
       SHA1: 23:9F:2D:E1:6B:27:ED:CA:A3:83:90:47:9C:CF:55:C7:59:A6:14:2C
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing server/cacerts.jks]
   •  Change directory to the “server” directory.
   •  Export the server certificate.
keytool -export -alias s1as -keystore keystore.jks -storepass changeit -file server.cer
Certificate stored in file <server.cer>
   •  Go back to the “client” directory.
   •  In one single step, create the client truststore and import the server certificate into it.
keytool -import -v -trustcacerts -alias s1as -keystore client_cacerts.jks -storepass
changeit -keypass changeit -file server/server.cer
Owner: CN=Bo5b.local, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa
Clara, ST=California, C=US
Issuer: CN=Bo5b.local, OU=Sun Java System Application Server, O=Sun Microsystems,
L=Santa Clara, ST=California, C=US
Serial number: 47e86844
Valid from: Tue Mar 25 19:49:40 CST 2008 until: Fri Mar 23 19:49:40 CST 2018
Certificate fingerprints:
       MD5: 9A:70:E1:43:87:71:6B:A1:52:E0:B7:55:93:B6:DA:74
       SHA1: D8:04:53:C4:46:88:8B:30:EA:DC:1C:1C:1A:90:2B:ED:49:5C:9F:27
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing client_cacerts.jks]
   •  Copy the files cacerts.jks and keystore.jks from the “server” directory to the
      GLASSFISH_DIR/domains/domain1/config/ directory, replacing any files with the same
      names.
   •  If GlassFish is running, restart it, so that the modified keystore and truststore takes effect.
   •  Save the client_cacerts.jks and client_keystore.jks files – the web service clients in the
      examples below will need these files.
                                                   236
Web Tier Web Services
In this section we will implement a servlet-based web service and associated client and then show
how to apply access control, SSL and mutual authentication to this web service and its client.
Servlet Based Web Service
First we will implement the basic servlet-based web service without any encryption:
     •     Create a dynamic web project in Eclipse that uses the GlassFish server.
           I have called my project JAX-WS_GreetingServletMutualAuth.
     •     Implement the web service as follows:
 package com.ivan;
 import java.util.Date;
 import javax.jws.WebService;
 /**
   * This class implements the JAX-WS Hello World web service.
   * This is the servlet version of the web service.
   *
   * @author Ivan A Krizsan
   */
 @WebService
 public class HelloWorldWS
 {
       /* Constant(s): */
       /* Instance variable(s): */
       @Resource
       private WebServiceContext mWSContext;
       /**
         * Greets the user by composing a greeting-string including supplied
         * message.
         *
         * @param inMessage Message to be included in greeting string.
         * @return Greeting string.
         */
       public String hello(final String inMessage)
       {
              return "Hello from Servlet WS: " + inMessage + " " +
                  new Date() + ", the principal is: " +
                  mWSContext.getUserPrincipal();
       }
 }
     •     If not already present, create a web.xml file in the WEB-INF directory with the following
           contents.
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
       xsi:schemaLocation="
              http://java.sun.com/xml/ns/javaee
              http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
              id="WebApp_ID" version="2.5">
       <display-name>JAX-WS_GreetingServletMutualAuth</display-name>
 </web-app>
                                                     237
     •   If not already present, create a sun-web.xml file in the WEB-INF directory with the
         following contents.
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0
 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
 <sun-web-app error-url="">
       <context-root>/JAX-WS_GreetingServletMutualAuth</context-root>
       <!-- The stuff below is just default settings. -->
       <class-loader delegate="true" />
       <jsp-config>
            <property name="keepgenerated" value="true"/>
       </jsp-config>
 </sun-web-app>
     •   Start GlassFish.
     •   Deploy the web service to GlassFish.
Web Service Client
The web service client used in this example is a standalone Java program that only relies on the
Java 6 runtime environment. To set up an Eclipse project for the client:
     •   Create a Java project.
     •   Copy the client keystore and truststore files, client_cacerts.jks and client_truststore.jks, into
         the root of the project.
     •   Implement the main client class:
         Note that there will be errors in this class until we have generated additional classes needed
         on the client side in the next step.
 package com.ivan.client;
 import   javax.net.ssl.HostnameVerifier;
 import   javax.net.ssl.HttpsURLConnection;
 import   javax.net.ssl.SSLSession;
 import   com.ivan.HelloWorldWS;
 import   com.ivan.HelloWorldWSService;
 /**
   * Standalone static JAX-WS client invoking the secured Hello service.
   * When launching the program, the following VM flags need to be set
   * for SSL:
   * -Djavax.net.ssl.trustStore=client_cacerts.jks
   * -Djavax.net.ssl.trustStorePassword=changeit
   *
   * Additionally, for mutual authentication:
   * -Djavax.net.ssl.keyStore=client_keystore.jks
   * -Djavax.net.ssl.keyStorePassword=changeit
   *
   * Finally, when debugging SSL handshakes etc:
   * -Djavax.net.debug=all
   *
   * @author Ivan A Krizsan
   */
 public class HelloWSClient
 {
       static
       {
            /*
             * Java by default verifies that the certificate CN (Common Name) is
                                                     238
        * the same as host name in the URL. If the CN in the certificate is
        * not the same as the host name, your web service client fails.
        * This piece of code allows for using localhost as host name
        * with a certificate in which the CN does not match.
        * This is meant to be a workaround while developing the web
        * service and clients and SHOULD be removed in the production
        * version.
        */
      HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
      {
           public boolean verify(String hostname, SSLSession session)
           {
               if (hostname.equals("localhost"))
               {
                   return true;
               }
               return false;
           }
      });
  }
  /* Instance variable(s): */
  private HelloWorldWSService mHelloWorldService;
  public static void main(String[] args)
  {
      HelloWSClient theClient = new HelloWSClient();
      theClient.callService();
  }
  private void callService()
  {
      mHelloWorldService = new HelloWorldWSService();
      System.out.println("Service object: " + mHelloWorldService);
      HelloWorldWS thePort = mHelloWorldService.getHelloWorldWSPort();
      String theResponse = thePort.hello("Steven Segal");
      System.out.println("Response from web service: " + theResponse);
  }
}

No comments:

Post a Comment