I initially thought it is straightforward that I just need to import their respective certificates in the truststore of their counterparts. But it proved more difficult than that.
This blog entry is my notes on one of the hurdle I faced and how I resolved it. What is Mutual Authentication? In General, SSL authentication is used in websites to authenticate the server. Which means that the server has to authenticate to the client by sending a digital certificate signed by a well known trusted CA. If the CA is trusted by the browser, the website is safe and you will see the address bar highlighed in green.
In Mutual Authentication, in addition to server authentication, the client also has to present its certificate to the server.
The server verifies it by checking if it is signed by a trusted CA and if it is tampered. If both server and client authenticated themselves, then SSL authentication is a success. How does mutual authentication actually works in Java? Keystores and truststores are the important pieces to get this work. Both keystores and truststores are storage files for private keys, public keys and certificates. But there is a big difference.
Keystore : Typically, it stores the identity information about the subject. Truststore : This holds the various certificates of Certifying Authorities.
Although technically they can be stored. This works best in test environment or in protected intranet. But in real world scenario this will not be the case. The server may have to deal with multiple unknown clients. And the clients may have to deal with unknown servers. That is where Certifiying Authorities help us. Problem faced: Default keystores from glassfish works. But genuine certificates did not work.
By default glassfish comes with a keystore and truststore. Both the keystore and truststore have a certificate each with alias of s1as.
It works great. Then I obtained two certificates from aces One for server and one for client. I converted the certificate into x format using openssl.
This did not work.Using Converters, Listeners, and Validators. Developing with JavaServer Faces Technology. Composite Components: Advanced Topics and Example. Configuring JavaServer Faces Applications. Uploading Files with Java Servlet Technology. Internationalizing and Localizing Web Applications.
JIRA and Source Code
Using the Embedded Enterprise Bean Container. Getting Started Securing Web Applications. Getting Started Securing Enterprise Applications. To Use keytool to Create a Server Certificate.
Implementing mutual authentication over SSL in Java
Securing Enterprise Information Systems Applications. Configuring Security Using Deployment Descriptors. Client authentication is a more secure method of authentication than either basic or form-based authentication.
You can think of a public key certificate as the digital equivalent of a passport. The certificate is issued by a trusted organization, a certificate authority CAand provides identification for the bearer. Before using client authentication, make sure the client has a valid public key certificate. For more information on creating and using public key certificates, read Working with Digital Certificates. With mutual authenticationthe server and the client authenticate each other.
Mutual authentication is of two types:. When using certificate-based mutual authentication, the following actions occur. If the verification is successful, the server grants access to the protected resource requested by the client. This section discusses setting up client-side authentication. Enabling both server-side and client-side authentication is called mutual, or two-way, authentication.
In client authentication, clients are required to submit certificates issued by a certificate authority that you choose to accept. The preferred method is to set the method of authentication in the web. This enforces mutual authentication by modifying the deployment descriptor of the given application. In this way, client authentication is enabled only for a specific resource controlled by the security constraint, and the check is performed only when the application requires client authentication.
A less commonly used method is to set the clientAuth property in the certificate realm to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. When you enable client authentication by setting the clientAuth property to trueclient authentication will be required for all the requests going through the specified SSL port.
If you turn clientAuth on, it is on all of the time, which can severely degrade performance. When client authentication is enabled in both of these ways, client authentication will be performed twice. You need to install your certificate in the GlassFish Server certificate file only when your certificate is self-signed. From the directory where you want to create the client certificate, run keytool as outlined here.
When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the javee. If this example is to verify mutual authentication and you receive a runtime error stating that the HTTPS host name is wrong, re-create the client certificate, being sure to use the same host name you will use when running the example.
For example, if your machine name is dukethen enter duke as the certificate CN or when prompted for first and last names. This is necessary because during SSL handshake, the server verifies the client certificate by comparing the certificate name to the host name from which it originates.Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity.
Because authentication relies on digital certificates, certification authorities such as Verisign or Microsoft Certificate Server are an important part of the mutual authentication process. From a high-level point of view, the process of authenticating and establishing an encrypted channel using certificate-based mutual authentication involves the following steps:. As a developer, if you're interested in developing or be able to debug the mutual SSL authentication effectively, it can be very useful to understand the intricacies of the handshake messages happening under the hood.
If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with. In this aspect, both client and server use 9 handshake messages to establish the encrypted channel prior to message exchanging. Whereas in mutual SSL authentication, both client and server authenticate each other through the digital certificate so that both parties are assured of the others' identity.
In this aspect, both client and server use 12 handshake messages to establish the encrypted channel prior to message exchanging. To help readers better visualize what's happening under the hood, I've enhanced a code example taken from the Microsoft website so that both client and server are capable of authenticating each other using the mutual SSL authentication.
The code sample is very simple, and I won't illustrate much here. Basically, what it does is the client application sends a " Hello from the client.
To capture the handshake messages transacted between the client and server, I use one of the popular and open-source packet analyzer tools called WireShark. It is a powerful and easy to use packet capture and analyzer tool, which can captures messages over a hundred of protocols.
To learn more about how you can make use of this tool, please visit its website. However, due to the lack of supported Loopback Interface in Windows operating system, I've to setup the client and server application running on two different machines in order to use Wireshark to capture their handshake messages. The handshake messages captured while running the applications are shown in the screenshot below, and the IP address " For analysis and verifying purposes, the handshake messages that we're concerned about are summarized and listed below:.
Messages from No. The demo project included in this article, which is available for download at the top of this article, is intended to be run locally as opposed to the captured one shown above. This is because the certificates included in the demo project are generated for "localhost" use only. If you would like to try it out, please follow the steps outlined below to get it up and running on your workstation.
Follow the steps outlined below to install the client and server certificates into the Windows certificate store:. AuthenticateAsServer function to true and falserespectively.Comment 2. Mutual authentication, sometimes also called two-way SSL, is very popular in server-to-server communication, such as in networked message brokers, business-to-business communications, etc.
Technology-wise, it is a very mature protocol. Servers do not verify the client's certificate. For two-way-SSL, however, the server will verify the client's certificates. This is called mutual authentication. This is used in server to server communication, such as ActiveMQ nodes passing message among themselves in order to route the message [Networked Brokers]. The details of SSL connection negotiations are shown in the following figure. When we run the application, we can see these steps from the log, if we turn the debug on.
This is the simplest case, just for the purpose of demonstration. Now, let's start the server in AnypointStudio, and on the terminal, run the following curl command:. If you don't want to go through the procedures, you may use the tool called restClient. You can download the tool here.
Once you unpack the file, you can run it like the following:. As you can see, it is successful. Now, let's add the runtime argument in the Anypoint studio as follows:. This will allow us to see the SSH handshake process in our log. In the last section, I have demonstrated how mutual authentication works, in particular, how the SSH handshake was done between the client and server.Mutual Authentication Simplified
That is not very realistic. In production cases, the server will not give the keystore to the client, as it contains private and public keys, together with server certificates. In real applications, server admins will only provide the client the server's certificates, which are generated by authorized ca providers. In this section, I want to demonstrate how it can be done by using keytool.
The main purpose is to understand the procedures and get insights into the contents of the server truststore and client truststore. From the example in the last section, we can see that the keystore generated by keytool has a private key, a public key, and self-signed certificates. We know that we cannot share the private keys with other parties, as it is the key to encrypt and decrypt messages.
OK, enough theory. Let's go through the procedures to create truststores for the server and client. From the above operations, we can see that server has a keystore which contains the private and public keys. It also has a truststore which contains the client's certificate.Every web application needs to be protected.
There could be different solutions to choose from depending up on your requirement and feasibility. Some may choose basic form based authentication or some may go all the way to Oauth2. In 2 Way Authentication or mutual authentication, the Server and Client does a digital handshake, where Server needs to present a certificate to authenticate itself to the Client and vice-versa. Once this handshake is successful then only further communication is allowed.
We will see step by step how to generate self signed certificate and configure that to our application and tomcat server. The image will give you brief idea on what I meant by above. Software used in this sample.
Create a JKS file for Server with below command on your shell or command prompt. Please make sure to change the information like company, location etc as per your need. Run below command to extract that certificate. It will ask for the password which you have supplied above while creating JKS.
Now we have all the keystores and public certificates. At this point we have all our JKS and Certificates ready. We will configure these to our Tomcat 8. As we need mutual authenticate we need to configure tomcat to request for certificate from all the clients who wants to communicate.
This can be done by adding or updating existing connector in tomcats server. Please make sure you keep a backup of existing settings and file. The client app is also Simple Spring Boot Application, which does a rest call to server resource as hosted above. Apart from this we need to specify the client JKS as system properties. That can be done as below. You can see that I have specified all debugging for SSL. So you will see how server and client do a digital handshake. To load the server resource I have added simple Spring Boot command line runner as.
Regarding the results, if you try and load the url in browser it will fail. On the other hand, If I run the client where I am passing certificate details, I get correct response.
You can see that I am getting correct response. The response is sent only after digital handshake is successful. The server and client exchange information that will be visible on console. Please feel free to get back to me if you have any questions. You can download the code from our repository mentioned below. I have a scenario. App1 app2 app3 I hv 3applications. From application1 to application2 using rsa algorithm and certificate one request will be sent.
App2 validates certificate and encrypted request sent to app3. How to do this do u hv any idea? Pls guide me.This guide describes how to enable secure communication between client and server using SASL mechanism.
This proposed implementation builds on the existing ZooKeeper authentication and authorization design in a straightforward way. To briefly review, ZooKeeper supports pluggable authentication schemes.
The left member of the pair specifies authentication as the authentication scheme and the principal. The right member indicates what permissions are given to this principal. For example, one ACL pair on a given node might be:. The right side indicates that the user the permissions "READ" on the given node.
The designated name of the SASL authentication scheme is simply "sasl", so if you are using Kerberos, you may set a ZooKeeper's node to be:. COM may read the given node. DigestAuthenticationProvideryou would do:. Then, after connecting to ZooKeeper, you would do the following to grant all permissions to the user "user" using password "password":. How to set passwords for both mechanisms is described below in the Configuration section. COM :.
This is because authentication is performed using SASL-enabled token exchange immediately after connection, rather than occuring any time after connection, as addauth is. Existing unit tests that test existing authentication providers still pass and code that uses these authentication providers should also work.
If ZooKeeper is configured to use Kerberos see "Server Configuration" below for how to do thisboth client and server should be configured to use a keytab or credential cache that the LoginThread will use to refresh the Subject's credentials.
LoginThread loginThread :. Similar code exists on the server side, shown below. You need to define the SASL authentication provider class in your server config. You can also set a few optional configuration parameter for SASL:. Note that the passwords in the above are in plain text, so the JAAS configuration file should not be readable by anyone other than the ZooKeeper server process user.
Note that as in the server configuration the password in the above is in plain text, so the JAAS configuration file should not be readable by anyone other than the ZooKeeper client process user. Evaluate Confluence today. Apache ZooKeeper. Pages Blog. Space shortcuts How-to articles. Child pages. Client-Server mutual authentication. Browse pages. A t tachments 0 Page History.
Jira links. COM kerberos. JAAS configuration file, Kerberos mechanism.Despite SSL being widely used, Java mutual SSL authentication also referred to as 2-way SSL authentication or certificate based authentication is a fairly simple implementation when understanding the key concepts of how mutual SSL authentication works.
Today I noticed that a relatively simple concept as this is widely misunderstood and people seem to really struggle implementing 10 lines of code.
With that in mind, you will then also understand the following concepts required to make mutual authentication work:.
The Identitystore is a secure store for keys used in the SSL protocol. We use the Identitystore to store our private keys and their associated certificates used to authenticate ourselves as the client to a server. In mutual SSL authentication we our Java client needs to authenticate with the server. A note about security: In the example and scripts below we will use hard-coded, simple passwords and key files without passwords.
In a production environment you will typically sandbox the key generation and would access passwords from configuration stores and not hardcode in code. The third party will then issue you with a client certificate and typically will often provide you with CA certificate. If this request succeeds without an error or SSL-handshake issue, we can almost start to code. If your 3rd party does not provide you with their server certificate, you can easily retrieve it via openssl otherwise skip the first step :.
In the IdentityStore will put our private key, our certificate and the CA chain under an alias which our client is going to use to authenticate itself with the server:.
The code itself is pretty simple and requires not much explanation. Tags: java. Brave Privacy Browser:. Recent Posts Reflecting on four weeks in Austria Jan 13, Some background and why this blog Aug 24, Afrihost lawyers respond in the spam appeal process Aug 18,