Welcome!

Java IoT Authors: Elizabeth White, Dana Gardner, Liz McMillan, Charlotte Spencer-Smith, Jnan Dash

Related Topics: Java IoT

Java IoT: Article

Using Self-Signed Certificates for Web Service Security

How to compete with trusted certificate authorities

One of the great things about the Java programming language is the Open Source community that provides great applications at little or no cost. An example of this is Apache Tomcat, which provides a solid Web server for development using servlet or JSP technology. Now that Web Service technology is maturing there's a potential for a whole scenario of applications to take advantage of a Swing feature-rich thin client on the front-end coupled to the data verification and business logic already developed in the Web or ejb tier. Such applications are only viable if they can be secure, however, security doesn't have to come at a great cost. The purpose of this article is to demonstrate how Web Service clients can use self-signed security certificates over the secure HTTPS protocol.

The Problem with Using Self-Signed Certificates
HTTPS typically works seamlessly with the non-secure HTTP protocol and doesn't interrupt the user's experience. This is because SSL certificates are designed to be verified and signed by a trusted third party. Verisign is a popular certificate authority. If a Web application requires secure communication, you can pay Verisign to sign your SSL certificate. Once Verisign does that, users on your Web site can switch between HTTP and HTTPS without interruption because all major Web browsers trust certificates signed by Verisign. Verisign is not the only option for getting certificates signed. To save operating costs, or for personal use, you can self-sign your own certificate. However, self-signing your certificate will interrupt your Web site user's experience. Typically the Web browser will display a dialog box asking if you want to trust a certificate you signed.

Web browsers are nice because when they get a certificate signed by an unknown certificate authority there's an option to proceed. When developing Web Service clients for communication over HTTPS it's not so easy. When running Java code there's no dialog box asking about trusting a distrusted certificate authority. The JRE will throw an exception trying to connect over HTTPS to a Web site with a distrusted certificate:

Caused by: sun.security.validator.ValidatorException: No trusted certificate found

There's no way to catch this exception and continue. To get the Web Service to work with a self-signed certificate the JRE has to somehow trust you as a certificate authority.

Solution Outline
To demonstrate a solution to this problem I'll do the following:

  1. Generate and self-sign my own certificate
  2. Configure Tomcat for SSL and make it use that certificate
  3. Create an example Web Service to be called over HTTPS
  4. Generate Web Service client code from WSDL
  5. Demonstrate a client using a custom keystore solution
Generating a Self-Signed Certificate
The JDK comes with a tool, keytool.exe, that is used to mange SSL public/private keys. Keys are added and removed from a binary file on the file system. The default keystore file is JAVA_HOME\jre\lib\security\cacerts. This file contains the list of certificate authorities that the JRE will trust. A list of well-known trusted companies like Verisign is already in the keystore. To see this list, execute with password "changeit":

D:\>keytool -list -rfc -keystore JAVA_HOME\jre\lib\security\cacerts

The keytool application can be used to edit this file. However, just in case something goes wrong it's better to create a new file. If keytool isn't told which file to use it creates HOME/.keystore by default.

To generate your own self-signed certificate execute:

D:\>keytool.exe -genkey -alias Tomcat -keyalg RSA -storepass bigsecret -keypass bigsecret -dname "cn=localhost"

After executing this command there will be a .keystore file in your HOME directory. Here's what the switches mean.

  • genkey: Tells the keytool applica-tion to generate new public/private key pair.
  • alias: The name used to refer to the keys. Remember, the .keystore file can contain many keys.
  • keyalg: Generates public/private keys using the RSA algorithm.
  • storepass: What password is needed to access the .keystore file.
  • keypass: What password is needed to manage the keys.
  • dname: This value is very important. I used "localhost" because this example is designed to run locally. If a Web application is registered as http://www.myserver.com then this value must be www.myserver.com. If the names don't match the certificate will automatically be rejected.
Once the keytool application creates a new public/private key pair it automatically self-signs the key. You have just generated your own self-signed certificate, which can be used for HTTPS communications. You only need to extract the self-signed public key. I'll show how to do this later.

Configuring Tomcat for SSL
Now you have to configure Tomcat to use your self-signed certificate. I used Tomcat 5.0.30. Edit the TOMCAT/conf/server.xml file. Search the file for "8443" and uncomment the <Connector.../> bound to that port. Then you'll have to add the following property to the <Connector.../>:

keystorePass="bigsecret"

When the JRE starts, it will automatically find the HOME/.keystore file and Tomcat will try to access it using the password "bigsecret." When Tomcat starts there should be output to the console that looks similar to:

Feb 4, 2006 3:11:23 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443

This means the <Connector.../> successfully read the .keystore file and you can now do secure HTTPS connections over the 8443 port. Open a Web browser and try https://localhost:8443/. Because the certificate is self-signed the Web browser will display a dialog box asking about trusting the connection. If accepted, all communications will be secure over HTTPS.

Creating the Web Service
I'm going to use the Apache Axis project to create a very simple Web Service. The Web Service will simulate checking for new e-mail messages. A Web Service client passes a token uniquely identifying a user. The Web Service returns a list of new e-mail messages (see Listing 1).

To get the Web Service deployed, follow these steps:

  1. Cut and paste the code from Listing 1 into a file named Email.jws in Webapp's root directory.
  2. Edit the Web.xml file, adding the Axis servlet and a *.jws mapping (Listing 2).
  3. Put the Axis jar files in WEB-INF/lib. See References at the end of this article for the Axis project URL.
After deploying this article's accompanying WAR file (and configuring Tomcat for SSL), the Web Service is accessible securely over HTTPS at the following URL:

https://localhost:8443/JDJArticleWebService/Email.jws

Using WSDL2Java
The Axis project provides a tool named WSDL2Java that takes a Web Service WSDL and automatically create the Java source code needed to use the Web Service. See Listing 3 for the command line used to generate code for the Email.jws Web Service.

Notice the URL in Listing 3 used to access the WSDL. It's the non-secure HTTP protocol over port 8080. Why not use HTTPS over port 8443? Because of the self-signed certificate, the WSDL2Java tool will encounter the same exact certificate problem this article is trying to provide a solution for. So for now the non-secure protocol must be used. This means the generated code must be altered slightly replacing "http" and "8080" references with "https" and "8443." This article's accompanying client zip file contains the altered code.

Client with a Custom Keystore
The JRE's default keystore is JAVA_HOME\jre\lib\security\cacerts. Java applications will throw an exception whenever they are presented with your self-signed certificate because your certificate isn't in this keystore. Therefore, when developing a client there are two options. The first option is to put your self-signed certificate into the JRE's default keystore. Although this would work it's not a very good solution because customization is required on every client machine. The second option is to generate a custom keystore, put your self-signed certificate into it, and distribute the custom keystore as part of your application (typically inside a jar file).

To create a custom keystore for your client the following has to be done:

  1. Export the self-signed public key from HOME/.keystore.
  2. Import the self-signed public key into a new keystore for you client.
To export the self-signed public key from HOME/.keystore execute the following:

D:\>keytool.exe -export -rfc -alias Tomcat -file Tomcat.cer -storepass bigsecret -keypass bigsecret

Now create the custom keystore for the client by importing Tomcat.cer:

D:>keytool.exe -import -noprompt -trustcacerts -alias Tomcat -file Tomcat.cer -keystore CustomKeystore -storepass littlesecret

Using the switch "-keystore CustomKeystore" will create a new keystore file called "CustomKeystore" in the present working directory. You'll find the CustomKeystore file in the /classpath/resources/keystore directory of this article's client zip file. Replace this one with the file just generated.

Now all that's left to do is to create a client that uses this custom keystore. I'll demonstrate two ways to do this.

The first is to use the Java system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to point to the CustomKeystore file and provide the password to access it. My example Web Service client in the jdj.wsclient.truststore package takes this approach (see Listing 4). The main() method sets the system properties then creates the objects to use the Web Service. When the JRE needs to access a keystore it looks for the "classpath/resources/keystore/CustomKeystore" file on the file system. Although this is a simple solution it's problematic because the keystore file must be on the file system and the client code must know where to look for it.

The second is a more portable solution that keeps resources inside the jar file and avoids the file system issues. The client code is responsible for reading the CustomKeystore file and somehow using it to create a secure connection to the server. My example Web Service client in the jdj.wsclient.socketfactory package takes this approach (see Listing 5). Listing 5 shows how to read the CustomKeystore file as a resource and use it to create a javax.net.ssl.SSLSocketFactory. Configuring the Axis pluggable architecture, the MySocketFactory class can be then used to create secure Socket objects from this factory.

Conclusion
This article started with a simple problem: I wanted to secure Web Service communications over HTTPS using my own self-signed certificates. By default, the JRE will reject my application's self-signed certificate because I am not a trusted certificate authority. To get secure communications to work I had to get the Web Service client JRE to trust my self-signed certificate. To achieve this, I used the keytool application and generated a new public/private key pair, extracted the self-signed public key, and then created a new keystore and imported this self-signed certificate. I then created a totally self-contained Web Service client that doesn't require any client-side configuration.

References

More Stories By Michael Remijan

Michael J. Remijan is a research programmer at the National Center for Supercomputing Applicaitons (NCSA). His chief responsibilities include data miming and access to terabyte-sized astronomy data sets. Michael received a BS in mathematics and computer science from the University of Illinois and is currently working on an MBA in technology management.

Comments (5) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Devs 07/26/06 03:20:28 PM EDT

Hello,
I read your article. I am trying to use your approach mentioned in Listing 5(putting keytore on the jar file ). How do I go about doing it. I create MySSLFactory using Listing 5. Now what do I have to confiugre in axis. How do I tell axis to use the MySSLFactory.

Thanks
Deval

Faizan Raza 06/21/06 02:46:05 AM EDT

Nice article and very precise.
Helped me a lot in sorting out the problems i had with the self signed certificate.

thanks
Faizan

Philip Rallings 06/18/06 04:15:00 PM EDT

excellent article that explains everyting clearly

Is it possibe to have a cope of the zip file that accompanied the article.

Many Thanks
Phi

Ismael 06/02/06 07:06:48 AM EDT

I have followed your article, it is very clear, congratulations.

But I am having some problems with my testings, I am trying to use your thid approach (putting keytore on the jar file as you detail on listing 5).

I know that I should use MySocketFactory, but the listing code contains only a method, it is not a class.

What should I do:

-Create a class (which interfaces should it implement o which classes to extend). How should I configure Axis to use it.

-Put this method on a class and call it on the startup (code has a reference to factory not solved on the method)

Maybe I should get the default factory (I do not know which method should I use) and set the new one on the code published.

It would be great to have all the complete code used to make the article. This way I could find out how to apply them to my code.

Regards,
Ismael

SYS-CON Media News Desk 05/26/06 10:44:51 AM EDT

One of the great things about the Java programming language is the Open Source community that provides great applications at little or no cost. An example of this is Apache Tomcat, which provides a solid Web server for development using servlet or JSP technology. Now that Web Service technology is maturing there's a potential for a whole scenario of applications to take advantage of a Swing feature-rich thin client on the front-end coupled to the data verification and business logic already developed in the Web or ejb tier. Such applications are only viable if they can be secure, however, security doesn't have to come at a great cost. The purpose of this article is to demonstrate how Web Service clients can use self-signed security certificates over the secure HTTPS protocol.

@ThingsExpo Stories
One of the bewildering things about DevOps is integrating the massive toolchain including the dozens of new tools that seem to crop up every year. Part of DevOps is Continuous Delivery and having a complex toolchain can add additional integration and setup to your developer environment. In his session at @DevOpsSummit at 18th Cloud Expo, Miko Matsumura, Chief Marketing Officer of Gradle Inc., will discuss which tools to use in a developer stack, how to provision the toolchain to minimize onboa...
Companies can harness IoT and predictive analytics to sustain business continuity; predict and manage site performance during emergencies; minimize expensive reactive maintenance; and forecast equipment and maintenance budgets and expenditures. Providing cost-effective, uninterrupted service is challenging, particularly for organizations with geographically dispersed operations.
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 ad...
Join us at Cloud Expo | @ThingsExpo 2016 – June 7-9 at the Javits Center in New York City and November 1-3 at the Santa Clara Convention Center in Santa Clara, CA – and deliver your unique message in a way that is striking and unforgettable by taking advantage of SYS-CON's unmatched high-impact, result-driven event / media packages.
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
There will be new vendors providing applications, middleware, and connected devices to support the thriving IoT ecosystem. This essentially means that electronic device manufacturers will also be in the software business. Many will be new to building embedded software or robust software. This creates an increased importance on software quality, particularly within the Industrial Internet of Things where business-critical applications are becoming dependent on products controlled by software. Qua...
With an estimated 50 billion devices connected to the Internet by 2020, several industries will begin to expand their capabilities for retaining end point data at the edge to better utilize the range of data types and sheer volume of M2M data generated by the Internet of Things. In his session at @ThingsExpo, Don DeLoach, CEO and President of Infobright, will discuss the infrastructures businesses will need to implement to handle this explosion of data by providing specific use cases for filte...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Avere delivers a more modern architectural approach to storage that doesn’t require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbuilding of data centers ...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies adopt disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevO...
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
Fortunately, meaningful and tangible business cases for IoT are plentiful in a broad array of industries and vertical markets. These range from simple warranty cost reduction for capital intensive assets, to minimizing downtime for vital business tools, to creating feedback loops improving product design, to improving and enhancing enterprise customer experiences. All of these business cases, which will be briefly explored in this session, hinge on cost effectively extracting relevant data from ...
SYS-CON Events announced today that iDevices®, the preeminent brand in the connected home industry, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. iDevices, the preeminent brand in the connected home industry, has a growing line of HomeKit-enabled products available at the largest retailers worldwide. Through the “Designed with iDevices” co-development program and its custom-built IoT Cloud Infrastruc...
As enterprises work to take advantage of Big Data technologies, they frequently become distracted by product-level decisions. In most new Big Data builds this approach is completely counter-productive: it presupposes tools that may not be a fit for development teams, forces IT to take on the burden of evaluating and maintaining unfamiliar technology, and represents a major up-front expense. In his session at @BigDataExpo at @ThingsExpo, Andrew Warfield, CTO and Co-Founder of Coho Data, will dis...
The Quantified Economy represents the total global addressable market (TAM) for IoT that, according to a recent IDC report, will grow to an unprecedented $1.3 trillion by 2019. With this the third wave of the Internet-global proliferation of connected devices, appliances and sensors is poised to take off in 2016. In his session at @ThingsExpo, David McLauchlan, CEO and co-founder of Buddy Platform, will discuss how the ability to access and analyze the massive volume of streaming data from mil...
WebSocket is effectively a persistent and fat pipe that is compatible with a standard web infrastructure; a "TCP for the Web." If you think of WebSocket in this light, there are other more hugely interesting applications of WebSocket than just simply sending data to a browser. In his session at 18th Cloud Expo, Frank Greco, Director of Technology for Kaazing Corporation, will compare other modern web connectivity methods such as HTTP/2, HTTP Streaming, Server-Sent Events and new W3C event APIs ...
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
Eighty percent of a data scientist’s time is spent gathering and cleaning up data, and 80% of all data is unstructured and almost never analyzed. Cognitive computing, in combination with Big Data, is changing the equation by creating data reservoirs and using natural language processing to enable analysis of unstructured data sources. This is impacting every aspect of the analytics profession from how data is mined (and by whom) to how it is delivered. This is not some futuristic vision: it's ha...
Silver Spring Networks, Inc. (NYSE: SSNI) extended its Internet of Things technology platform with performance enhancements to Gen5 – its fifth generation critical infrastructure networking platform. Already delivering nearly 23 million devices on five continents as one of the leading networking providers in the market, Silver Spring announced it is doubling the maximum speed of its Gen5 network to up to 2.4 Mbps, increasing computational performance by 10x, supporting simultaneous mesh communic...
The cloud promises new levels of agility and cost-savings for Big Data, data warehousing and analytics. But it’s challenging to understand all the options – from IaaS and PaaS to newer services like HaaS (Hadoop as a Service) and BDaaS (Big Data as a Service). In her session at @BigDataExpo at @ThingsExpo, Hannah Smalltree, a director at Cazena, will provide an educational overview of emerging “as-a-service” options for Big Data in the cloud. This is critical background for IT and data profes...
With the Apple Watch making its way onto wrists all over the world, it’s only a matter of time before it becomes a staple in the workplace. In fact, Forrester reported that 68 percent of technology and business decision-makers characterize wearables as a top priority for 2015. Recognizing their business value early on, FinancialForce.com was the first to bring ERP to wearables, helping streamline communication across front and back office functions. In his session at @ThingsExpo, Kevin Roberts...