Running a Java web service with embedded Jetty web container. Would like to serve my RESTful API endpoints over HTTPS with a root CA-signed SSL cert (no OpenSSL).
Can I configure my embedded Jetty container to use a "free" AWS Certificate Manager cert cert or are those certs only for use by AWS infrastructure (ELB, CloudFormation, etc.)? If so can I assume these certs are root CA-signed?
Basically I'm trying to figure out whether I need to spend a few hundred bucks on a Thawte/GoDaddy cert or if I can get one for free via AWS.
From Mark's comment:
"AWS Certificate manager certs can only be used by ELB, CloudFront and API Gateway. You would have to place an ELB, or a CloudFront distribution in front of your Jetty application in order to use an ACM SSL certificate."
So yes you can use one of the free AWS root CA-signed certs if you put your Jetty-based services behind ELBs.
Related
So basically, I have made a RESTful API using ServiceTalk from Apple (Netty implementation) and Jersey and it works. Only through http though. I have seen that when I was making my React web page make a POST request through http, it would complain about CORS (which I'm still trying to fix) and that the browser (At least Brave) would not allow the request to be made because it was http and my web page was running on https using let's encrypt cert. How do I fix this issue? Do I need to add SSL with Netty? If so, how can I do that with a certificate that's going to be changing every once in a while?
I also have NGINX setup with Let's Encrypt and enabled auto-renew certificate setting from the setup wizard for NGINX + Let's Encrypt. If I can somehow make NGINX run the HTTPS request as a proxy to the netty server on http, then I think it would also be a better solution. I know this is a common practice with NodeJS Express + NGINX.
You are right, if you already have NGINX that serves your static content (html/css/js) it will be better to configure it as a proxy for a ServiceTalk backend service. That will let you keep SSL/TLS configuration in one place (NGINX config file only) and you will be able to use its auto-renew certificate feature. For an example of how you can configure NGINX as an SSL/TLS proxy for a backend service, see here: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
However, in this case, your connection between NGINX and ServiceTalk will not be encrypted. In some environments, it might be inappropriate according to security policies and requirements. If this is your case, you also need to configure SSL/TLS for ServiceTalk using HttpServerBuilder.secure() method that returns HttpServerSecurityConfigurator. Here is an example of a secure ServiceTalk server.
To avoid CORS, keep using NGINX as a proxy even when ServiceTalk also configured with SSL/TLS connections. If there is a requirement to avoid additional proxy on the way between a browser and backend service, target ServiceTalk directly. But NGINX gives additional features, like load balancing between multiple backend instances.
To get the best SSL performance in ServiceTalk/Netty we recommend to use OpenSSL provided instead of a built-in JDK provider. For more information, see Performance / netty-tcnative OpenSSL engine documentation section.
Note: ServiceTalk does not auto-renew SSL/TLS certificates. You will need to restart the server when certificate expires.
I have the following scenario:
Web application (currently running in Eclipse)
Apache httpd proxy
5 backend servers (tomcat) all listening on HTTPS
I have valid certificates for all backend servers and also have the cert chain imported in the keystore. Can anyone explain to me or give me a sample config for the proxy? I am getting different errors when trying to establish trust between the proxy and backend servers like (downstream server wanted client certificate but none are configured).
I have the following:
Web service hosted on trusted enterprise domain intranet (hosted in IIS)
Java console application used to test connection to web service
Java web application hosted in Tomcat (running on localhost)
I can successfully send and receive data to and from the web service via a console application. However, when I use the exact same code and libraries in a web application hosted in Tomcat, I am receiving an SSL certificate error stating:
suncertpathbuilderexception: unable to find valid certification path to requested target
Any reason why it would work via console but not via Tomcat on localhost. For what it's worth, it doesn't work on my dev (non-localhost) box either when hosted in Tomcat. Maybe I am targeting a different JRE when launching Tomcat which doesn't have the trusted certificate?
The certificate is signed by my company's trusted enterprise authority, so I guess it's a sort of enterprise-wide self-signed certificate. The certificate authority is registered in Windows trusted certificate authorities when I check in the Management Console Certificate Snap-In. I suspect that doesn't matter though.
Am I going to have to use keytool to generate a certificate to add to the trust store on every server that will be hosting this Tomcat application?
It is possible that your Tomcat installation uses another JVM. You need to check your installation. Check where JAVA_HOME and JRE_HOME point to.
The JVM does not use the Windows trusted certificate authorities.
You will have to use keytool to import your company's trusted enterprise authorities certificate on each server, but you will NOT need to generate any certificates.
I'm developing a simple web services using Java EE Servlets.
My clients are a simple java apps (no browsers), so I need to secure my communication using TLS (or SSL v3). About Application server, I'm using Glassfish v3.
For example, I need to transfer some data from client to server within a HTTP Post Request into a secure connection.
There are some external libraries, server configurations or tutorial that can I use?
On the server side you must somehow expose your servlets via HTTPS. If you are using tomcat, check out SSL Configuration HOW-TO. If you have an Apache web server in front, see: Apache SSL/TLS Encryption.
On the client side ssl and https support is built into JDK, just call any https://... address using URLConnection. However remember that the certificate your server uses must be trusted - either confirmed by some authority or added manually on the client. Self-signed certificates by default won't be accepted.
I'm trying to access an HTTPS based web service URL from a web/ear application deployed
on a Glassfish application server domain.
We have obtained the certificate from the vendor that exposes the HTTPS URL.
What are the steps required for installing SSL certificates in order to access the web service ?
Thanks
What are the steps required for installing SSL certificates in order to access the web service ?
If the certificate is a self-signed certificate or hasn't be signed by a CA for which the JVM already has a root CA like Thawte, Verisign, etc, you'll have to add it to a client trust store and to configure the web service client or GlassFish (which is a client here) to use this trust store to establish a chain of trust.
To import the stand-alone certificate into a trust store, use keytool. This post explains how to use it (see the section Creating Java Key and Trust Stores).
Then, configure the web service client to use this trust store. To do so, you'll need to define the system properties javax.net.ssl.trustStore and maybe javax.net.ssl.trustStorePassword. You can maybe do it at the GlassFish level (see this this post).
You need to configure Glassfish for https?
https://glassfish.dev.java.net/javaee5/security/faq.html#configssl
or you need to install a client certificate in your browser?