How to use SSL - SIMON 1.1.x

This sample shows you how to use SSL with SIMON.
Please first refer to the "Hello World" sample. The usage is just the same, except for creating the registry (server side) and doing the lookup (client side).

Requirements for using SSL

All you need is a Java keystore that contains the SSL certificate (and, on the server side, the matching private key). If you don't know how a certificate is created and stored in a keystore, you can follow the instructions below. If you're familiar with Java keystores, you can skip to the modified code sample at the end.

Create key-pair

Open your OS's console and type in the following command. All commands rely on the tools in the JDK's bin folder, and don't forget to change the string values (alias, file names, -dname, validity) according to your needs. keytool asks for a keystore password and then for a key password; pressing RETURN at the second prompt reuses the keystore password, which is what the code sample further down relies on, since DefaultSslContextFactory is given a single password.

    #>keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -validity 1825 -keystore .serverkeystore -dname "CN=mydomain.tld,OU=MyInitials,O=MyCity,C=de" 
    Enter keystore password:
    Keystore password is too short - must be at least 6 characters
    Enter keystore password:
    Re-enter new password:
    Enter key password for <mykey>
            (RETURN if same as keystore password):

Generate certificate request

Open your OS's console and type in the following (change the string values according to your needs!):

    #>keytool -certreq -alias mykey -keyalg RSA -file mydomain.csr -keystore .serverkeystore
    Enter keystore password:

With this .csr file you can have a certificate issued. In this example we use the service at http://www.cacert.org.
Log on to cacert.org and request a new server certificate: paste the content of your .csr file into the text field and follow the instructions on the website. The .csr contains only the public key and the requested name; the private key never leaves .serverkeystore.

Create server keystore

On the cacert.org website, download the "Class 1 PKI Key Root Certificate" (in PEM format).
Import the certificate as the "root" of the trust chain. keytool prints the certificate before asking whether to trust it; compare the SHA1 fingerprint with the one published by cacert.org before answering yes, because from now on everything signed by this key is trusted by the server keystore:

    #>keytool -import -file root.crt -alias root -keystore .serverkeystore
    Enter keystore password:
    Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
    Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
    Serial number: 0
    Valid from: Sun Mar 30 14:29:49 CEST 2003 until: Tue Mar 29 14:29:49 CEST 2033
    Certificate fingerprints:
             MD5:  A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
             SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
             Signature algorithm name: MD5withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
    0010: B2 39 18 D1                                        .9..
    ]
    ]

    #3: ObjectId: 2.16.840.1.113730.1.8 Criticality=false

    #4: ObjectId: 2.16.840.1.113730.1.4 Criticality=false

    #5: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: https://www.cacert.org/revoke.crl]
    ]]

    #6: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
    0010: B2 39 18 D1                                        .9..
    ]

    [EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA]
    SerialNumber: [    00]
    ]

    #7: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Then you need to download your own certificate (display it on the website, copy it, paste it into a new text file named "mydomain.crt" and save). Import it into the keystore with the following command. Because the alias is the same one the key pair was generated under (mykey), keytool installs the file as the certificate reply for that key and builds the chain up to the root imported in the previous step; without the root in the keystore this import fails:

    #>keytool -import -file mydomain.crt -alias mykey -keystore .serverkeystore
    Enter keystore password:
    Certificate reply was installed in keystore

Create client keystore

The client keystore needs less effort: it only has to contain the certificate the client should trust, no private key. Importing the server certificate itself (rather than the CAcert root) means the client trusts exactly this one certificate; when the server certificate is renewed (the one below is valid for only six months), the client keystore has to be updated as well. Importing root.crt instead would make the client accept any server certificate issued by that CA.

    #>keytool -import -v -alias mykey -file mydomain.crt -keystore .clientkeystore
    Enter keystore password:
    Re-enter new password:
    Owner: CN=mydomain.tld
    Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
    Serial number: 62ba4
    Valid from: Wed Dec 17 09:52:45 CET 2008 until: Mon Jun 15 10:52:45 CEST 2009
    Certificate fingerprints:
             MD5:  2B:E5:DC:8E:1C:0C:CE:AD:7D:76:D5:6F:9C:9D:2B:C6
             SHA1: 94:49:BA:E8:7F:DB:90:A2:EB:F0:8B:7B:A6:F2:AB:C5:62:66:85:7D
             Signature algorithm name: SHA1withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

    #2: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.cacert.org/]
    ]

    #4: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
      2.16.840.1.113730.4.1
      1.3.6.1.4.1.311.10.3.3
    ]

    #5: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: mydomain.tld
      Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [Storing .clientkeystore]

That's all ...

Note: This short manual was inspired by http://portal.uni-freiburg.de/rz/dienste/pki/docu/s-req/keytool
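Before wiring the keystores into SIMON it pays to check that they contain what the procedure above was supposed to put there: a private key plus a complete chain under alias "mykey" in .serverkeystore, a leaf that is still valid and names the host, and a .clientkeystore that actually accepts that chain. The following checker is an added example, not part of this page's original procedure or of SIMON; it assumes a JDK 8 or newer, the keystore paths and passwords passed as arguments, and (as in the keytool run above) a key password equal to the keystore password. The last step runs the same X509TrustManager that a JSSE client handshake uses, so it reports exactly what the client will do with the server's chain, including a pinned leaf certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class KeystoreCheck {

    // Loads a keystore in the JDK's default format (JKS for the keytool runs shown above).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SHA-256 fingerprint in keytool's colon-separated notation; compare this one out of band, not MD5.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // True if the certificate carries the host name as a dNSName subject alternative name (GeneralName tag 2).
    static boolean hasDnsSan(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    // The trust manager JSSE would build from this trust store (PKIX by default).
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: KeystoreCheck <serverkeystore> <serverpass> <clientkeystore> <clientpass> <hostname>");
            System.exit(2);
        }
        // alias "mykey" is the one used in the keytool commands above
        KeyStore server = load(args[0], args[1].toCharArray());
        if (!server.isKeyEntry("mykey")) {
            throw new IllegalStateException("alias 'mykey' has no private key: is this really the server keystore?");
        }
        Certificate[] chain = server.getCertificateChain("mykey");
        X509Certificate[] x509 = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        X509Certificate leaf = x509[0];
        X509Certificate top = x509[x509.length - 1];

        // length 1 means the certificate reply was never installed: the self-signed cert from -genkey is still there
        System.out.println("chain length: " + x509.length);
        for (X509Certificate c : x509) {
            System.out.println("  " + c.getSubjectX500Principal() + "  SHA-256 " + sha256Fingerprint(c));
        }
        leaf.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("leaf valid until: " + leaf.getNotAfter());
        System.out.println("leaf names host " + args[4] + ": " + hasDnsSan(leaf, args[4]));
        System.out.println("top of chain is self-signed: "
                + top.getIssuerX500Principal().equals(top.getSubjectX500Principal()));

        // Mirror the client handshake: validate the server chain against the client keystore.
        // Passes both when the root is trusted and when the leaf itself is pinned in the store.
        X509TrustManager tm = trustManagerFor(load(args[2], args[3].toCharArray()));
        tm.checkServerTrusted(x509, "RSA");   // throws CertificateException if the client would reject the server
        System.out.println("client keystore trusts the server chain: OK");
    }
}
```

Run it as `java KeystoreCheck .serverkeystore MyKeyStorePass .clientkeystore MyKeyStorePass mydomain.tld`. A CertificateExpiredException here is the same failure the SIMON client will later see as a handshake error, only without SIMON in the way; note that this check does not verify the host name against the address the client connects to, which the handshake does not do either unless endpoint identification is enabled.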

Modified "Hello World" sample for SSL usage

Server.java:

package de.root1.simon.codesample.server;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import de.root1.simon.Registry;
import de.root1.simon.Simon;
import de.root1.simon.exceptions.NameBindingException;
// package of the SSL classes in SIMON 1.1.x (the import was missing from the original listing)
import de.root1.simon.ssl.DefaultSslContextFactory;

public class Server {

    public static void main(String[] args)
            throws UnknownHostException, IOException, NameBindingException {

        // create the server object (ServerInterfaceImpl comes from the "Hello World" sample)
        ServerInterfaceImpl serverImpl = new ServerInterfaceImpl();

        // create the server's registry with SSL: the factory loads .serverkeystore, which holds
        // the private key, the certificate chain and the CAcert root. The password is hardcoded
        // here for brevity only; in a real deployment read it from configuration instead.
        Registry registry = Simon.createRegistry(
                new DefaultSslContextFactory("path_to_keystore/.serverkeystore", "MyKeyStorePass"),
                InetAddress.getByName("0.0.0.0"), 22222);

        // ... where we can bind the server object to
        registry.bind("server", serverImpl);

        System.out.println("Server up and running!");

        // some mechanism to shutdown the server should be placed here
        // this should include the following commands:
        // registry.unbind("server");
        // registry.stop();
    }
}

Client.java:

package de.root1.simon.codesample.client;

import java.io.IOException;

import de.root1.mycommonproject.ServerInterface;
import de.root1.simon.Lookup;
import de.root1.simon.Simon;
import de.root1.simon.exceptions.EstablishConnectionFailed;
import de.root1.simon.exceptions.LookupFailedException;
// package of the SSL classes in SIMON 1.1.x (the import was missing from the original listing)
import de.root1.simon.ssl.DefaultSslContextFactory;

public class Client {

    public static void main(String[] args) throws IOException, LookupFailedException, EstablishConnectionFailed {

        // create a callback object (ClientCallbackImpl comes from the "Hello World" sample)
        ClientCallbackImpl clientCallbackImpl = new ClientCallbackImpl();

        // 'lookup' the server object via SSL: the factory has to be set before lookup() is called;
        // .clientkeystore holds the certificate(s) the client trusts and no private key
        Lookup nameLookup = Simon.createNameLookup("127.0.0.1", 22222);
        nameLookup.setSslContextFactory(new DefaultSslContextFactory("path_to_keystore/.clientkeystore", "MyKeyStorePass"));
        ServerInterface server = (ServerInterface) nameLookup.lookup("server");

        // use the server object as if it existed on your local machine
        server.login(clientCallbackImpl);

        // do some more stuff
        // ...

        // and finally 'release' the server object to close the connection to the server
        nameLookup.release(server);
    }
}

Of course, you can use your own SslContextFactory, but most users are not that familiar with SSL and all the "complex" stuff and may simply use DefaultSslContextFactory.
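To show what DefaultSslContextFactory does for you, and what you have to build if you bring your own context, here is a plain JSSE version with a loopback self-test. This is an added example, not SIMON code: it assumes a JDK 8 or newer, the two keystores from the procedure above with the key password equal to the keystore password, and it deliberately keeps the private key out of the client by building the client context from a trust store only. How the resulting SSLContext is handed to SIMON goes through its SslContextFactory interface, which this page does not show.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class OwnSslContext {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Server: identity (private key + chain) from .serverkeystore. No client authentication is
    // requested, so the trust managers can stay at the JDK default (null).
    static SSLContext serverContext(String keystore, char[] storePw, char[] keyPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, storePw), keyPw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client: no private key, only a trust store. A server is accepted if its chain leads to a
    // certificate in the store, or if its own certificate is in the store (pinning, which is what
    // the .clientkeystore built above does).
    static SSLContext clientContext(String truststore, char[] storePw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, storePw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Keep only the modern protocol versions this JDK actually supports (TLSv1.3 needs JDK 11+).
    static String[] modernProtocols(String[] supported) {
        List<String> wanted = Arrays.asList("TLSv1.3", "TLSv1.2");
        List<String> result = new ArrayList<>();
        for (String p : supported) {
            if (wanted.contains(p)) result.add(p);
        }
        return result.toArray(new String[0]);
    }

    // Loopback self-test: a server thread accepts one connection, the client inspects the session.
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: OwnSslContext <serverkeystore> <serverpass> <clientkeystore> <clientpass>");
            System.exit(2);
        }
        SSLContext server = serverContext(args[0], args[1].toCharArray(), args[1].toCharArray());
        SSLContext client = clientContext(args[2], args[3].toCharArray());

        SSLServerSocket listener = (SSLServerSocket) server.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        listener.setEnabledProtocols(modernProtocols(listener.getSupportedProtocols()));
        listener.setSoTimeout(5000);   // never hang the self-test on accept()

        Thread acceptor = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.startHandshake();
                s.getOutputStream().write('!');
            } catch (Exception e) {
                e.printStackTrace();   // a rejected handshake shows up here as well as on the client
            }
        });
        acceptor.start();

        try (SSLSocket s = (SSLSocket) client.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), listener.getLocalPort())) {
            // Host name verification is skipped here because the test connects to 127.0.0.1 while the
            // certificate names mydomain.tld. In production enable it before the handshake:
            //   SSLParameters p = s.getSSLParameters();
            //   p.setEndpointIdentificationAlgorithm("HTTPS");
            //   s.setSSLParameters(p);
            s.startHandshake();   // SSLHandshakeException if the client keystore does not trust the server
            SSLSession session = s.getSession();
            System.out.println("protocol " + session.getProtocol() + ", cipher " + session.getCipherSuite());
            System.out.println("server identity " + session.getPeerPrincipal().getName());
            System.out.println("server said: " + (char) s.getInputStream().read());
        } finally {
            acceptor.join();
            listener.close();
        }
    }
}
```

Run it as `java OwnSslContext .serverkeystore MyKeyStorePass .clientkeystore MyKeyStorePass`. With the keystores from this page the expected output names the negotiated protocol and cipher and prints `CN=mydomain.tld` as the server identity. If the pinned server certificate in .clientkeystore has expired or been replaced, the client side fails in startHandshake with an SSLHandshakeException whose cause is a certificate path error, which is the same failure a SIMON client with a stale .clientkeystore will report.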