How to use SSL
- How to use SSL
- Requirements for using SSL
- Create key-pair
- Generate certificate request
- Create server keystore
- Create client keystore
- Modified "Hello World" sample for SSL usage
This sample shows you how to use SSL with SIMON.
Please first refer to the "Hello World" sample. The usage is just the same, except for creating the registry and doing the lookup.
Requirements for using SSL
All you need is a Java keystore that contains the SSL certificate. If you don't know how a certificate is created and stored in a keystore, follow the instructions below. If you're already familiar with Java keystores, skip to the modified code sample at the end of this page.
Create key-pair
Open your OS console and type in the following command. All commands rely on the tools in the JDK's bin folder, and don't forget to change the string values to suit your needs.
#>keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -validity 1825 -keystore .serverkeystore -dname "CN=mydomain.tld,OU=MyInitials,O=MyCity,C=de"
Geben Sie das Keystore-Passwort ein:
Keystore-Passwort zu kurz - muss mindestens 6 Zeichen lang sein.
Geben Sie das Keystore-Passwort ein:
Geben Sie das Passwort erneut ein:
Geben Sie das Passwort für <mykey> ein.
(EINGABETASTE, wenn Passwort dasselbe wie für Keystore):
Generate certificate request
Open your OS console and type in the following command (change the string values to suit your needs):
#>keytool -certreq -alias mykey -keyalg RSA -file mydomain.csr -keystore .serverkeystore
Geben Sie das Keystore-Passwort ein:
With this .csr file you can have a new certificate issued. In this example we use the service at http://www.cacert.org.
Log on to cacert.org and request a new server certificate. Paste the content of your .csr file into the text field and follow the instructions on the website.
Create server keystore
On the cacert.org website, download the "Class 1 PKI Key Root Certificate" (in PEM format).
Import the certificate as the "root" of the trust chain:
#>keytool -import -file root.crt -alias root -keystore .serverkeystore
Geben Sie das Keystore-Passwort ein:
Eigner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Aussteller: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Seriennummer: 0
Gültig von: Sun Mar 30 14:29:49 CEST 2003 bis: Tue Mar 29 14:29:49 CEST 2033
Digitaler Fingerabdruck des Zertifikats:
MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Unterschrift-Algorithmusname: MD5withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0 E6 8E F3 BD D2 B0 3A EE ..2...........:.
0010: B2 39 18 D1 .9..
]
]
#3: ObjectId: 2.16.840.1.113730.1.8 Criticality=false
#4: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: https://www.cacert.org/revoke.crl]
]]
#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0 E6 8E F3 BD D2 B0 3A EE ..2...........:.
0010: B2 39 18 D1 .9..
]
[EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA]
SerialNumber: [ 00]
]
#7: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Diesem Zertifikat vertrauen? [Nein]: ja
Zertifikat wurde zu Keystore hinzugefügt.
Then you need to download your certificate (display it on the web page, copy and paste it into a new text file named "mydomain.crt", and save). Import the certificate into the keystore with the following command:
#>keytool -import -file mydomain.crt -alias mykey -keystore .serverkeystore
Geben Sie das Keystore-Passwort ein:
Zertifikatantwort wurde in Keystore installiert.
Create client keystore
The client keystore takes a bit less effort; the server certificate is simply imported as a trusted certificate:
#>keytool -import -v -alias mykey -file mydomain.crt -keystore .clientkeystore
Geben Sie das Keystore-Passwort ein:
Geben Sie das Passwort erneut ein:
Eigner: CN=mydomain.tld
Aussteller: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Seriennummer: 62ba4
Gültig von: Wed Dec 17 09:52:45 CET 2008 bis: Mon Jun 15 10:52:45 CEST 2009
Digitaler Fingerabdruck des Zertifikats:
MD5: 2B:E5:DC:8E:1C:0C:CE:AD:7D:76:D5:6F:9C:9D:2B:C6
SHA1: 94:49:BA:E8:7F:DB:90:A2:EB:F0:8B:7B:A6:F2:AB:C5:62:66:85:7D
Unterschrift-Algorithmusname: SHA1withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.cacert.org/]
]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
2.16.840.1.113730.4.1
1.3.6.1.4.1.311.10.3.3
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mydomain.tld
Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
]
Diesem Zertifikat vertrauen? [Nein]: ja
Zertifikat wurde zu Keystore hinzugefügt.
[.clientkeystore wird gesichert.]
That's all ...
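Before answering "ja" at keytool's trust prompt (for root.crt when building the server keystore, and again for mydomain.crt when building the client keystore), compare the fingerprint keytool displays with one you compute yourself from the downloaded file and with the value the CA publishes. The following Python helper is an added example, not part of SIMON or the original page; it reproduces keytool's fingerprint format, and the sample PEM inside it is constructed, not a real certificate.

```python
"""Compute keytool-style certificate fingerprints from a PEM file so the value
shown at keytool's "trust this certificate?" prompt can be checked out-of-band."""
import base64
import hashlib
import re

# One PEM file may hold several certificates; match each block separately.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in the PEM text, in order."""
    blobs = [base64.b64decode("".join(body.split()))
             for body in PEM_RE.findall(pem_text)]
    if not blobs:
        raise ValueError("no CERTIFICATE block found")
    return blobs


def fingerprint(der, algorithm="sha1"):
    """Digest of the DER encoding, formatted AA:BB:CC:... exactly like keytool."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Strip separators and case so a copy-pasted value compares reliably."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_expected(pem_text, expected, algorithm="sha1"):
    """True only if the file holds exactly one certificate and its
    fingerprint equals the expected value obtained out-of-band."""
    ders = pem_to_der(pem_text)
    if len(ders) != 1:          # a bundle could smuggle in an extra CA
        return False
    return normalise(fingerprint(ders[0], algorithm)) == normalise(expected)


# Constructed sample (not a real certificate): arbitrary bytes wrapped as PEM
# so the block runs offline; real input is the root.crt downloaded from the CA.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for der in pem_to_der(SAMPLE_PEM):
        for alg in ("md5", "sha1", "sha256"):
            print(alg.upper() + ":", fingerprint(der, alg))
```

Run it against the real root.crt and compare the SHA1 line with the "Digitaler Fingerabdruck" keytool prints; a mismatch means the file you downloaded is not the one you expect.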
Note: This short manual was inspired by http://portal.uni-freiburg.de/rz/dienste/pki/docu/s-req/keytool
Modified "Hello World" sample for SSL usage
Server.java:
package de.root1.simon.codesample.server;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import de.root1.simon.Registry;
import de.root1.simon.Simon;
import de.root1.simon.exceptions.NameBindingException;
import de.root1.simon.ssl.DefaultSslContextFactory;

public class Server {

    public static void main(String[] args)
            throws UnknownHostException, IOException, NameBindingException, UnrecoverableKeyException,
                   KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException {

        // create the server object (ServerInterfaceImpl comes from the "Hello World" sample)
        ServerInterfaceImpl serverImpl = new ServerInterfaceImpl();

        // create an SSL-enabled registry for the server, backed by the server keystore ...
        Registry registry = Simon.createRegistry(
                new DefaultSslContextFactory("path_to_keystore/.serverkeystore", "MyKeyStorePass"),
                InetAddress.getByName("0.0.0.0"), 22222);

        // ... to which we can bind the server object
        registry.bind("server", serverImpl);

        System.out.println("Server up and running!");

        // some mechanism to shut down the server should be placed here;
        // it should include the following call:
        // registry.unbind("server");
    }
}
Client.java:
package de.root1.simon.codesample.client;

import java.io.IOException;
import java.net.InetAddress;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import de.root1.simon.Simon;
import de.root1.simon.exceptions.LookupFailedException;
import de.root1.simon.ssl.DefaultSslContextFactory;

public class Client {

    public static void main(String[] args)
            throws IOException, LookupFailedException, UnrecoverableKeyException,
                   KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException {

        // create a callback object (ClientCallbackImpl comes from the "Hello World" sample)
        ClientCallbackImpl clientCallbackImpl = new ClientCallbackImpl();

        // 'lookup' the server object via SSL, trusting only what is in the client keystore
        ServerInterface server = (ServerInterface) Simon.lookup(
                new DefaultSslContextFactory("path_to_keystore/.clientkeystore", "MyKeyStorePass"),
                null, InetAddress.getByName("127.0.0.1"), 22222, "server");

        // use the server object as if it existed on your local machine
        server.login(clientCallbackImpl);
        // do some more stuff
        // ...

        // and finally 'release' the server object to release the connection to the server
        Simon.release(server);
    }
}
Of course, you can use your own SslContext, but most users are not that familiar with SSL and all the "complex" stuff, and can simply use the DefaultSslContextFactory.