Transcript
Chapter 13 How to use SSL to work with a secure connection
Java Servlets and JSP CH13 © 2003, Mike Murach & Associates, Inc.
Slide 1
Objectives
Applied
Develop web applications that use secure connections whenever that’s needed.
Knowledge
In general terms, explain how the use of secure connections secures the data that’s used in an application.
In terms of your Java servlets and the server.xml file, describe what you have to do to implement the use of secure connections.
Slide 2
A request made with a secure connection
The URL starts with https
A lock icon is displayed
Slide 3
How SSL works
Secure Sockets Layer, or SSL, is the protocol used by the World Wide Web that allows clients and servers to communicate over a secure connection. With SSL, both the client and the server encrypt all data that’s sent and decrypt all data that’s received. SSL is also able to determine whether data has been tampered with during transit.
How TLS works
Transport Layer Security, or TLS, is the protocol that’s the successor to SSL. Only newer browsers support TLS. If a server implements TLS, the newer browsers will use TLS, but the older browsers will use SSL.
Slide 4
How authentication works
Authentication is the process of determining whether a server or client is who and what it claims to be. When a browser makes an initial attempt to communicate with a server over a secure connection that uses SSL, the server authenticates itself by providing a digital secure certificate. In some instances, the server may also request that your browser authenticate itself by presenting its own digital secure certificate.
Slide 5
Types of SSL Authentication
SSL server authentication: Allows a client to confirm a server’s identity by checking a digital secure certificate that’s installed on the server.
SSL client authentication: Allows a server to confirm a client’s identity by checking a digital secure certificate that’s installed on the client.
Slide 6
A digital secure certificate
Slide 7
Common certificate authorities that issue digital secure certificates
www.verisign.com
www.geotrust.com
www.entrust.com
www.equifaxsecure.com
Slide 8
SSL strength
SSL strength refers to the length of the key that is generated during the encryption process. The longer the key, the more difficult it is to break the encryption code.
The pros and cons of SSL strengths
40-bit: It’s less expensive, but it’s easier to break the encryption code.
128-bit: It’s trillions of times stronger than 40-bit, but it’s more expensive.
Slide 9
How to obtain a digital secure certificate
To use SSL in your web applications, you must first purchase a digital secure certificate from a trusted certificate authority, or CA.
Once you obtain the certificate, you send it to the people who host your web site so they can install it on the server.
A CA is a company that issues and manages security credentials.
To verify information provided by the requestor of the secure certificate, a CA must check with a registration authority, or RA.
Once the RA verifies the requestor’s information, the CA can issue a digital secure certificate.
Since SSL is built into all major browsers and web servers, installing a digital secure certificate enables SSL.
Slide 10
How to configure a local testing environment for SSL
1. Make sure the JSSE API is installed.
2. Create a self-signed digital secure certificate as shown in the next figure.
3. Open the server.xml file that’s in Tomcat’s conf directory and remove the comments from the Connector element that defines an SSL connector on port 8443 as shown in the next figure.
4. Restart Tomcat.
Slide 11
How JSSE works
The Java Secure Socket Extension API, or JSSE, is a collection of Java classes that enable secure connections within Java programs by implementing a version of the SSL and TLS protocols.
If you want to use a secure connection with your servlets and JSPs, you must have the JSSE API installed on the server.
If you’re using a commercial web server that supports servlet and JSP development, the JSSE API should already be installed.
If you’re working in a local testing environment and you’re using version 1.3.1 of the SDK or earlier, you may need to install the JSSE API. However, this API is included with version 1.4 of the SDK and later.
Slide 12
How to install JSSE
To install the JSSE API, you can copy the jsse.jar file that’s included on the CD that comes with Murach’s Java Servlets and JSP from the JavaExtension directory to the SDK’s jre\lib\ext directory.
Slide 13
How to create a secure certificate for testing purposes
Slide 14
How to define an SSL connection in Tomcat’s server.xml file
Slide 15
How to configure SSL on a local system
To test SSL connections in a local environment, you can create a self-signed certificate.
To create a self-signed certificate, you must create a keystore file.
When you create a keystore file, you must use “changeit” as the keystore password, and you should press Enter to use the same password for the key password.
The keystore file is named .keystore and it’s stored in your operating system’s home directory.
To define an SSL connection, you can open the server.xml file that’s stored in Tomcat’s conf directory. Then, you can remove the comments from the Connector element as shown above.
Slide 16
How to determine if SSL is set up correctly in the testing environment
Slide 17
The URL you can enter to test the local SSL connection
https://localhost:8443/index.html
Slide 18
Common problems when configuring the local SSL connection
Problem 1: Java can’t find the jsse.jar file. This will cause a java.security.NoSuchAlgorithmException to be thrown.
Problem 2: Tomcat can’t find the keystore file. When you start Tomcat, it will throw a java.io.FileNotFoundException.
Problem 3: The keystore password and the key password that you used to create the keystore file don’t match. When you start Tomcat, it will display a java.io.FileNotFoundException that says, “keystore was tampered with” or “password was incorrect.”
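The three problems above can be checked before Tomcat is started. This is an added diagnostic, not the book’s code; it assumes the conventions the slides use for the local setup (the keystore is .keystore in the home directory, the keystore password is changeit, and the key password is the same) plus the key alias tomcat that Tomcat’s documented keytool command creates (an assumption here, since the book’s keytool figure is not transcribed).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.SSLContext;

// Added example: reproduces the three checks Tomcat makes at startup.
// Assumed conventions: ~/.keystore, password "changeit" for both the
// keystore and the key, and the key stored under the alias "tomcat".
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        // Problem 1: without JSSE, no provider offers the "TLS" algorithm.
        try {
            SSLContext.getInstance("TLS");
            System.out.println("OK: JSSE provides TLS");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Problem 1: JSSE is not installed (" + e + ")");
            return;
        }
        // Problem 2: the keystore is not where Tomcat looks for it.
        File keystore = new File(System.getProperty("user.home"), ".keystore");
        if (!keystore.isFile()) {
            System.out.println("Problem 2: keystore not found at " + keystore);
            return;
        }
        // Problem 3: wrong keystore password, or a key password that differs.
        char[] password = "changeit".toCharArray();
        FileInputStream in = new FileInputStream(keystore);
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);            // IOException if the password is wrong
            if (ks.getKey("tomcat", password) == null) {
                System.out.println("Problem 3: no key stored under alias \"tomcat\"");
                return;
            }
            System.out.println("OK: keystore and key both open with \"changeit\"");
        } catch (IOException e) {
            // Message reads "Keystore was tampered with, or password was incorrect"
            System.out.println("Problem 3: " + e.getMessage());
        } catch (UnrecoverableKeyException e) {
            System.out.println("Problem 3: key password differs from keystore password");
        } finally {
            in.close();
        }
    }
}
```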
Slide 19
A URL that requests a secure connection over the Internet
https://www.murach.com/murach/email13/join_email_list.jsp
A URL that requests a secure connection from a local system
https://localhost:8443/murach/email13/join_email_list.jsp
Slide 20
A dialog box that may be displayed for secure connections
Requested resource
Slide 21
Another dialog box that may be displayed for secure connections
Slide 22
How to request a secure connection
To request a secure connection, you use an absolute URL that starts with https. If you’re requesting a resource from a local system, you also need to specify the port that’s used for secure connections. For Tomcat, that port is usually 8443.
Once you establish a secure connection, you can use relative URLs to continue using the secure connection.
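One way to enforce the rule above from the server side is a servlet filter. This is an added example, not the book’s code: any request that arrives over a regular connection is redirected to the same resource with an absolute https URL, using a securePort init-param (an assumed name) that defaults to Tomcat’s 8443.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: sends requests that arrived over a regular connection
// to the same resource over https, so the secure pages can't be reached
// by plain http even if a user types the URL by hand.
public class SecureConnectionFilter implements Filter {
    // Assumed init-param "securePort": Tomcat's local SSL connector usually
    // listens on 8443; a production site uses 443, which needs no port.
    private int securePort = 8443;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("securePort");
        if (port != null) {
            securePort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (req.isSecure()) {
            // Already on SSL: relative URLs from here keep the secure connection.
            chain.doFilter(request, response);
            return;
        }
        // Build the absolute https URL for the same resource and query string.
        StringBuffer url = new StringBuffer("https://").append(req.getServerName());
        if (securePort != 443) {
            url.append(':').append(securePort);
        }
        url.append(req.getRequestURI());
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        res.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

Map the filter in web.xml to the pages that need SSL, including the page that displays a form and not only the servlet that receives it, because a redirect turns a POST into a GET and drops the form data.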
Slide 23
A JSP that uses a secure connection
Double-click the lock icon to view the certificate
Slide 24
A URL that returns to a regular connection over the Internet
http://www.murach.com/murach/index.htm
A URL that returns to a regular connection from a local system
http://localhost:8080/murach/email13/join_email_list.jsp
Slide 25