in java, client must use the key file to connect server.how can i init it in the code?
i want server create the key in code. What to do?
ths for u Answer
In java, client must use the key file to connect server.
No. It needs a truststore file that contains either the server's certificate or the certificates of one or more of that certificate's signers.
How can I init it in the code?
You can't. The question doesn't make sense. The idea is that you have certificate material obtained offline that gives you a reason to trust the server. Or possibly the other way around, if your server requires client authentication. In either case, creating it dynamically doesn't make any sense.
i want server create the key in code.
maybe this helps you: http://code.google.com/p/xebia-france/wiki/HowToGenerateaSelfSignedX509CertificateInJava
Related
Sorry in advance if this question has been posted before. I have look around but couldn't find an answer.
I am creating a server in Java that has a SSL socket to accept clients. I have been looking around on how to create the socket and have started to add the code to my application. After looking around the find out how to allow a self-signed certificate for testing I found that I create a keystore and add the certificate to that. To use the certificate I would need to add "System.setProperty("javax.net.ssl.keyStore", "keystorename.jks")" The only problem is I have to specify the password in the code as well if I go off other developers examples.
I would like to know if I have to specify the password and if I do need to what is the security implications?
Thanks in advance,
Yes you do, and the security implication is that the password is (1) fixed by the code and (2) probably visible in the object code. The solution to (2) is ultimately physical security of the software and the host it runs on.
I have a Java app (deployed as a JAR file) that allows file sharing through SLLSockets. If all users use the same certificate, file transfers are not secure, since it violates the core concept of asymmetric encrypted communication. Therefore, I understand that each user needs to have its own certificate. This brings up my first question:
How can you generate a certificate programmatically, and where would you store it ? I don't want users to have to generate their own certificate with keytool, then have to tell the app where it is located.
Now, let's say my first question is answered and each user has its own certificate. Prior to opening the SSL connection between two hosts, you need to add each other's certificate to the trustStore. The only way I know to achieve this is by exchanging them through Sockets (note that I am using JGroups to exchange Socket connection info). This brings up my next two questions:
How do you guarantee authentication and integrity when exchanging the certificates ?
How do you programmatically add the received certificate to the trustStore ?
Finally, this whole post brings up my fourth question:
Are the steps described above the correct way to send data securely between two hosts, using SSLSocket asymmetric encrypted communication ?
You don't need client certificates necessarily.
Could you not use username/password authentication?
You can still secure the transfer just by using a server certificate.
Client certs are also kind of a pain, and not entirely secure. They tie you to a machine, and evil processes can read them. Smart cards mitigate this, but aren't free.
So what i would like is a secure connection between my phone (java) and my raspberry pi.
I already made a custom server with the help of autobahn wich is on my github (i can't post more link...).
And i don't understand why the client doesn't need any keys or anything to connect to the server.
I followed the readme here in order to create my key there (i know that i should not share them, but i will recreate my own keys when the project will be finished).
And i've found that for the Java-websocket module it needs some keystore to run. And i think that having a storepass and keypass like this in a .java is not secure at all, isn't it ?
what java need is the certificate to confirm the validity of the autosigned key.
the python client trust automatically all certificate.
Here is the server : https://github.com/flyingrub/SSWOD
And here the server : https://github.com/flyingrub/SecureKey
I want to make a webapp accessible to some limited users only. So I select a SSL client authentication. I am newbie so not much knowledge about it I follow this tutorial to achive it. here is some quires in my mind. I am using basic self signed SSL.
1) Can we create a single client certificate for all clients which is provide by me? so whoever has a client certificate can access a app. sounds not a good way.
2) if not (1) then is there easy way to create a client certificate and register on tomcat user.xml. I dont want to force user to create a client certificate and send me so I register on server.
3) How to redirect to some other page if SSL certificate not match.?
4) can we use a private public key of one machine to another one?
5) there is multiple apps on my server but I want to authenticate only one app with SSL. Is is possible then how?
please also suggest me any good tutorials for this. Finally My requriment is to give access to limited users up to 50. and my clients can register his system in some user friendly way.
1) Can we create a single client certificate for all clients which is provide by me?
It doesn't make sense. The client certificate is supposed to uniquely identify the client. They should have one each.
so whoever has a client certificate can access a app. sounds not a good way.
It isn't.
2) if not (1) then is there easy way to create a client certificate and register on tomcat user.xml. I dont want to force user to create a client certificate and send me so I register on server.
It's the only secure way. If you create the certificate you have the private key so it isn't private so it can't do what it's supposed to do, legally. For example you can't prove that only the client could have executed any transaction, so you lose legal non-repudiability. You shoudn't be using users.xml for this, you should be using one of the other Tomcat security Realms, for example a database.
3) How to redirect to some other page if SSL certificate not match.?
If you're using Container Managed Authentication, which you should be, that's all defined in web.xml for the application.
4) can we use a private public key of one machine to another one?
It doesn't make sense, see above. A private key is supposed to be private and under the exclusive control of one entity.
I question whether using client certificates is even the right solution here. If you just want to restrict access to the server give each client a login.
5) there is multiple apps on my server but I want to authenticate only one app with SS
I am trying to connect to a webservice over ssl with a client certificate. Is there an elegant way of doing this apart from shoving things like "javax.net.ssl.keyStore" into System.properties.
Any pointers to code examples would be appreciated.
You could just install the cert into the system keystore. (Location varies across platforms, and you will need admin rights).
you might get some samples from the website for this book : http://www.manning.com/kanneganti/
See example code in my article. It shows how to dynamically provide the custom keystore to the HTTPS server as for the WS client. http://jakubneubauer.wordpress.com/2011/09/06/java-webservice-over-ssl/
Not sure if this is fully relevant, but still. This entry describes the way of generating the certificate and installing it on a local system without using the keytool. Probably you could reuse some parts of the (very simple) source code.