HTTPS Security

HTTPS Security Configuration
  • A web server is considered secure when the following criteria are met:
    • The server and the client authenticate to each other.
    • The communication channel is private (an eavesdropper learns nothing about the content).
    • Tampering with data in transit by a man in the middle is detected.
  • Non-Repudiation
    • Each endpoint can prove to a third party that a message really came from the other endpoint, so the sender cannot later deny having sent it.
    • Achieved through the use of digital signatures. TLS on its own does not provide it: its integrity protection uses a session key shared by both sides, so either side could have produced any given record.
  • We use Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) and still commonly referred to as SSL, in which the server authenticates to the client through the Public Key Infrastructure (PKI).
    • With TLS alone the server is authenticated to the client, the communication channel is private, and tampering is detected; the client is not yet authenticated.
    • For client authentication we will have the client present a secret access key with each request (see Authenticating Clients below).
    • TLS requires that the server hold a public/private key pair.
      • The private key is kept secret from everyone else.
      • The public key is made public by distributing a public key certificate.
    • In the case of a web application the public key certificate contains the server's public key and identifying information for the server.
      • The most important information in the certificate is:
        • The Common Name (CN), set to the host name of the application server. Current browsers such as Chrome no longer match the host name against the CN and require a Subject Alternative Name (SAN) entry carrying the host name as well.
        • The signature of a trusted issuer (a certificate authority, CA) whose own self-signed root certificate is held by the connecting clients.
    • For clients to accept a server's self-signed certificate, that certificate must be added to the client's container of trusted certificates, called the trust store.
  • Configuring Tomcat for SSL/TLS
    • Users access the application securely through port 8443.
    • For this configuration we generate a self-signed certificate that browsers use to authenticate the server.
      • In production these certificates are signed by trusted third parties (CAs) whose root certificates are preinstalled in the client system; a self-signed certificate has to be added to each client system instead.
    • In Tomcat the file holding the key pair and certificate is stored under the conf folder and referenced from Tomcat's server.xml configuration file.
      • This file is called the keystore.
    • We generate the key pair with the "keytool" command, which is part of the Java JDK.
    • Once the key pair has been generated into the file named "keystore", move that file to Tomcat's conf folder.
    • Next, uncomment the Connector element in ${Tomcat_Home}\conf\server.xml whose port is set to 8443.
    • To generate the file we use the following command (the trailing ^ is the Windows cmd line continuation):
      •  keytool -genkey ^  
         -keystore keystore ^  
         -alias tomcat ^  
         -keyalg RSA ^  
         -keysize 2048 ^  
         -dname CN=localhost ^  
         -storepass changeit ^  
         -keypass changeit  
        
      • This gives us a file named "keystore" holding the private key and a self-signed certificate for CN=localhost. Both passwords are "changeit", the well-known default of the JDK's own cacerts store; use it only for local testing and pick a real password for any other deployment.
    • Next, using this file, we enable HTTPS in Tomcat with the following Connector in server.xml:
      •  <Connector port="8443"
                    protocol="org.apache.coyote.http11.Http11NioProtocol"
                    maxThreads="200"
                    minSpareThreads="5"
                    maxSpareThreads="75"
                    enableLookups="true"
                    disableUploadTimeout="true"
                    acceptCount="100"
                    scheme="https"
                    secure="true"
                    SSLEnabled="true"
                    clientAuth="false"
                    sslProtocol="TLS"
                    keystorePass="changeit"
                    keystoreFile="conf/keystore"/>
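    • The connector above accepts every protocol version the JVM offers (sslProtocol="TLS" only selects the SSLContext type, it does not pin a version), stores the keystore password in clear text in server.xml, does a reverse DNS lookup for every request (enableLookups="true"), and carries maxSpareThreads, which is not a Tomcat 8.5 connector attribute. The following hardened connector is an added example, not configuration from the page: it uses the SSLHostConfig/Certificate nesting available from Tomcat 8.5 on, allows only TLS 1.2 and 1.3, and reads the keystore password from a JVM system property whose name, keystore.pass, is an assumption for the example.

```xml
<!-- server.xml: HTTPS connector hardened for Tomcat 8.5+ (added example) -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           minSpareThreads="5"
           acceptCount="100"
           enableLookups="false"
           disableUploadTimeout="true"
           scheme="https"
           secure="true"
           SSLEnabled="true">
    <!-- protocols: SSLv3, TLS 1.0 and TLS 1.1 are refused; the client picks 1.2 or 1.3.
         certificateVerification="none" is the SSLHostConfig form of clientAuth="false";
         "required" would authenticate clients with certificates instead. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true"
                   certificateVerification="none">
        <!-- ${keystore.pass} is resolved from a JVM system property, so the
             password is not written into server.xml (assumed property name). -->
        <Certificate certificateKeystoreFile="conf/keystore"
                     certificateKeystorePassword="${keystore.pass}"
                     certificateKeyAlias="tomcat"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

    • Start Tomcat with the property set, for example through CATALINA_OPTS=-Dkeystore.pass=<password>. When regenerating the keystore for a browser, add a SAN with keytool's -ext option (for instance -ext SAN=dns:localhost) so the host name is present where current browsers look for it.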
  • Exporting the server certificate for clients to trust
    • To export the server's certificate (public key plus identity, no private key) from the keystore, use the following command:
      •  keytool -export ^  
         -rfc ^  
         -file newsfeed.cert ^  
         -alias tomcat ^  
         -storetype JKS ^  
         -storepass changeit ^  
         -keypass changeit ^  
         -keystore C:\Users\gaurav\eclipse-workspace\Servers\Tomcat v8.5 Server at localhost-config\keystore  
        
    • Run this command from a shell whose current directory is the project directory of the client application.
    • This generates a file named newsfeed.cert containing the server's certificate in PEM format (because of -rfc). It holds only the public key and identity, so it can be handed to clients freely; the private key never leaves the server's keystore.
  • Creating a truststore with the certificate
    • A trust store is a collection of trusted certificates.
    • To create one containing the exported certificate, run the following command from the client application's directory:
    •  keytool -import ^  
       -noprompt ^  
       -alias tomcat ^  
       -file newsfeed.cert ^  
       -storetype JKS ^  
       -keypass changeit ^  
       -storepass changeit ^  
       -keystore src/main/webapp/WEB-INF/truststore  
      
  • Authenticating Clients
    • The next step is to add the code needed for client authentication.
    • Client authentication can be done in one of the following ways:
      • Use HTTP Basic authentication, in which the user name and password are base64-encoded (encoded, not encrypted) and sent in a single Authorization header with each request.
      • Include the user name and password in non-standard headers in every request.
      • Include the user name and password as elements in the XML document submitted to the service.
      • Require client authentication as part of TLS connection establishment, i.e. a client certificate; in the Tomcat connector above this corresponds to clientAuth="true" plus a trust store on the server holding the issuer of the client certificates.
      • Require a secret access key with each request.
    • All of these except the TLS client certificate carry the secret inside the request, so they are acceptable only over the HTTPS connector; over plain HTTP they are readable by anyone on the path.
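    • The first and last options above are the ones a service typically verifies itself. The following Python is an added example, not code from the page or the client application it describes: it builds and parses an HTTP Basic Authorization header (RFC 7617), checks a per-request secret access key, stores only salted PBKDF2 password verifiers and key hashes, compares them in constant time, and refuses to evaluate either credential unless the request arrived over HTTPS. The header name X-Access-Key, the user alice, her password, the salt and the key value are all constructed for the example.

```python
"""Server-side checks for two client-authentication options:
HTTP Basic (RFC 7617) and a per-request secret access key.
Added example; the header name X-Access-Key and all credentials are constructed."""
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# --- constructed credential store -------------------------------------------
_SALT = bytes.fromhex("5f2b7c9d1e3a4b6c8d0e1f2a3b4c5d6e")  # per-deployment random salt (sample value)


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 verifier; the clear password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": hash_password("correct horse battery")}  # sample user
# Verifier used for unknown users so that path costs the same time as a real one.
_DUMMY_VERIFIER = hash_password("no-such-user")

SAMPLE_ACCESS_KEY = "ak_3f9c2e7d1b5a4c8e0f6d2a9b7c1e4f3d"  # constructed key issued to one client
ACCESS_KEYS = {hashlib.sha256(SAMPLE_ACCESS_KEY.encode("utf-8")).hexdigest(): "reporting-client"}


# --- client side: building the Basic header ----------------------------------
def basic_header(user: str, password: str) -> str:
    """Authorization header value for HTTP Basic: base64 of 'user:password'.
    This is encoding, not encryption, which is why it must travel over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


# --- server side: verification ----------------------------------------------
def verify_basic(authorization: str) -> Optional[str]:
    """Return the user name for a valid Basic header, None for any failure
    (wrong scheme, invalid base64, missing ':', unknown user, wrong password)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    known = user in USERS
    expected = USERS[user] if known else _DUMMY_VERIFIER
    # compare_digest is constant time, so timing does not leak how many bytes matched
    ok = hmac.compare_digest(hash_password(password), expected)
    return user if known and ok else None


def verify_access_key(key: str) -> Optional[str]:
    """Return the principal owning a valid access key, else None.
    Only key hashes are stored, so a leaked table does not yield usable keys."""
    digest = hashlib.sha256(key.strip().encode("utf-8")).hexdigest()
    for stored_digest, principal in ACCESS_KEYS.items():
        if hmac.compare_digest(digest, stored_digest):
            return principal
    return None


def authenticate(headers: dict, scheme: str) -> Optional[str]:
    """Authenticate one request from its headers and the scheme it arrived on.
    None means reject with 401. Credentials sent over plain http are refused
    rather than verified: they are already compromised in transit."""
    if scheme.lower() != "https":
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if "authorization" in h:
        return verify_basic(h["authorization"])
    if "x-access-key" in h:
        return verify_access_key(h["x-access-key"])
    return None


if __name__ == "__main__":
    # constructed requests
    print(authenticate({"Authorization": basic_header("alice", "correct horse battery")}, "https"))  # alice
    print(authenticate({"Authorization": basic_header("alice", "wrong")}, "https"))                  # None
    print(authenticate({"X-Access-Key": SAMPLE_ACCESS_KEY}, "https"))                                # reporting-client
    print(authenticate({"X-Access-Key": SAMPLE_ACCESS_KEY}, "http"))                                 # None
```

    • In a Java servlet the same checks would sit in a Filter in front of the protected resources; the point to carry over is that the stored verifier is a salted hash, the comparison is constant time, and a request on the plain-HTTP connector is rejected before its credentials are even examined.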
