Chapter 13
How to use SSL to work with a secure connection
Java Servlets and JSP CH13
© 2003, Mike Murach & Associates, Inc.
Slide 1
Objectives
Applied
• Develop web applications that use secure connections whenever that’s needed.
Knowledge
• In general terms, explain how the use of secure connections secures the data that’s used in an application.
• In terms of your Java servlets and the server.xml file, describe what you have to do to implement the use of secure connections.
A request made with a secure connection
(Figure: a page requested over a secure connection. The URL starts with https, and a lock icon is displayed.)
How SSL works
• Secure Sockets Layer, or SSL, is the protocol used by the World Wide Web that allows clients and servers to communicate over a secure connection.
• With SSL, both the client and the server encrypt all data that’s sent and decrypt all data that’s received.
• SSL is able to determine if data has been tampered with during transit.
How TLS works
• Transport Layer Security, or TLS, is the protocol that’s the successor to SSL.
• Only newer browsers support TLS.
• If a server implements TLS, the newer browsers will use TLS, but the older browsers will use SSL.
How authentication works
• Authentication is the process of determining whether a server or client is who and what it claims to be.
• When a browser makes an initial attempt to communicate with a server over a secure connection that uses SSL, the server authenticates itself by providing a digital secure certificate.
• In some instances, the server may also request that your browser authenticate itself by presenting its own digital secure certificate.
Types of SSL authentication
Authentication               Description
SSL server authentication    Allows a client to confirm a server’s identity by checking a digital secure certificate that’s installed on the server.
SSL client authentication    Allows a server to confirm a client’s identity by checking a digital secure certificate that’s installed on the client.
A digital secure certificate
(Figure: the details of a digital secure certificate as displayed by the browser.)
Common certificate authorities that issue digital secure certificates
www.verisign.com
www.geotrust.com
www.entrust.com
www.equifaxsecure.com
SSL strength
• SSL strength refers to the length of the key that is generated during the encryption process. The longer the key, the more difficult it is to break the encryption.
The pros and cons of SSL strengths
Strength    Pros and cons
40-bit      It’s less expensive, but it’s easier to break the encryption.
128-bit     It’s trillions of times stronger than 40-bit, but it’s more expensive.
How to obtain a digital secure certificate
• To use SSL in your web applications, you must first purchase a digital secure certificate from a trusted certificate authority, or CA. Once you obtain the certificate, you send it to the people who host your web site so they can install it on the server.
• A CA is a company that issues and manages security credentials.
• To verify information provided by the requestor of the secure certificate, a CA must check with a registration authority, or RA.
• Once the RA verifies the requestor’s information, the CA can issue a digital secure certificate.
• Since SSL is built into all major browsers and web servers, installing a digital secure certificate enables SSL.
How to configure a local testing environment for SSL
1. Make sure the JSSE API is installed.
2. Create a self-signed digital secure certificate as shown in the next figure.
3. Open the server.xml file that’s in Tomcat’s conf directory and remove the comments from the Connector element that defines an SSL connector on port 8443 as shown in the next figure.
4. Restart Tomcat.
How JSSE works
• The Java Secure Socket Extension API, or JSSE, is a collection of Java classes that enable secure connections within Java programs by implementing a version of the SSL and TLS protocols.
• If you want to use a secure connection with your servlets and JSPs, you must have the JSSE API installed on the server.
• If you’re using a commercial web server that supports servlet and JSP development, the JSSE API should already be installed.
• If you’re working in a local testing environment and you’re using version 1.3.1 of the SDK or earlier, you may need to install the JSSE API. However, this API is included with version 1.4 of the SDK and later.
How to install JSSE
• To install the JSSE API, you can copy the jsse.jar file that’s included on the CD that comes with Murach’s Java Servlets and JSP from the JavaExtension directory to the SDK’s jre\lib\ext directory.
How to create a secure certificate for testing purposes
(Figure: creating the self-signed certificate and keystore file for testing.)
How to define an SSL connection in Tomcat’s server.xml file
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
How to configure SSL on a local system
• To test SSL connections in a local environment, you can create a self-signed certificate.
• To create a self-signed certificate, you must create a keystore file.
• When you create a keystore file, you must use “changeit” as the keystore password, and you should press Enter to use the same password for the key password.
• The keystore file is named .keystore and it’s stored in your operating system’s home directory.
• To define an SSL connection, you can open the server.xml file that’s stored in Tomcat’s conf directory. Then, you can remove the comments from the Connector element as shown above.
How to determine if SSL is set up correctly in the testing environment
(Figure: the test page loaded in the browser over the local SSL connection.)
The URL you can enter to test the local SSL connection
https://localhost:8443/index.html
Common problems when configuring the local SSL connection
Problem 1: Java can’t find the jsse.jar file. This will cause a java.security.NoSuchAlgorithmException to be thrown.
Problem 2: Tomcat can’t find the keystore file. When you start Tomcat, it will throw a java.io.FileNotFoundException.
Problem 3: The keystore password and key password that you used to create the keystore file don’t match. When you start Tomcat, it will display a java.io.FileNotFoundException that says, “keystore was tampered with” or “password was incorrect.”
A URL that requests a secure connection over the Internet
https://www.murach.com/murach/email13/join_email_list.jsp
A URL that requests a secure connection from a local system
https://localhost:8443/murach/email13/join_email_list.jsp
A dialog box that may be displayed for secure connections
(Figure: a browser dialog box displayed when the secure connection is requested; the callout marks the requested resource.)
Another dialog box that may be displayed for secure connections
(Figure: a second browser dialog box that may be displayed for secure connections.)
How to request a secure connection
• To request a secure connection, you use an absolute URL that starts with https. If you’re requesting a resource from a local system, you also need to specify the port that’s used for secure connections. For Tomcat, that port is usually 8443.
• Once you establish a secure connection, you can use relative URLs to continue using the secure connection.
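As an added example (not code from the book or this chapter), a servlet filter that enforces the rule above on the server side: a request for a protected resource that did not arrive over the secure connector is redirected to the https URL, built the same way as the URLs on the previous slides (port 8443 locally, the default port on the Internet). It assumes the Servlet 2.3 Filter API that Tomcat 4 provides; the class name, the securePort init-param and the /email13/* mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Redirects any request that did not arrive over SSL/TLS to the https
// equivalent of the same URL. Map it in web.xml to the URLs that must be
// secure (for example /email13/*); the rest of the application is unaffected.
public class SecureConnectionFilter implements Filter {

    // Port of Tomcat's SSL connector: 8443 in the local testing setup,
    // 443 (the https default) on a production host.
    private int securePort = 8443;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("securePort"); // optional init-param
        if (port != null) {
            securePort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is true only when the request came in over a Connector
        // that is marked secure="true" in server.xml.
        if (!request.isSecure()) {
            response.sendRedirect(secureUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    // Builds the absolute https URL for the requested resource, keeping the
    // query string. The port is omitted when it is the https default (443).
    String secureUrl(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://");
        url.append(request.getServerName());
        if (securePort != 443) {
            url.append(':').append(securePort);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() { }
}
```

Map the filter to the page that displays the form as well as to the servlet the form posts to: a redirect turns a POST into a GET and drops the posted data, so the form itself must already be served over the secure connection.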
A JSP that uses a secure connection
(Figure: the JSP displayed over a secure connection. Double-click the lock icon to view the certificate.)
A URL that returns to a regular connection over the Internet
http://www.murach.com/murach/index.htm
A URL that returns to a regular connection from a local system
http://localhost:8080/murach/email13/join_email_list.jsp