Java security

Information about Java security

Published on March 6, 2014

Author: BartBlommaerts



A pragmatic approach to using public / private certificates in keystores in Java.

The presentation starts with a technical but simplified explanation of security, certificates and keystores. Then it introduces best practices regarding the use and maintenance of these resources.

Afterwards, practical how-tos (e.g. creating certificates and keystores) and a demo application using 2-way SSL are shown. The presentation ends with some tips and tricks regarding troubleshooting.

SECURITY SECURE CONNECTIONS IN JAVA Created by Bart Blommaerts / Christophe Weyn

DEAD GIVEAWAY Security has always been very important. But we may rely on infrastructure too much (e.g. proxies, firewalls, ..).

CLOUD? Application Security becomes even more important in the cloud: Architect security in from the start. Maintain and evaluate security in all sprints. Maintain and evaluate security after deployment.

HTTPS BY DEFAULT! Google, Gmail, Facebook, Twitter, LinkedIn, Yahoo.

HEADS UP “Inevitably, you’ll cry the first time you attempt to configure mutual authentication with SSL (aka two-way SSL).” * The Fifteen Minute Guide to Mutual Authentication

Unless you pay attention right now :-)

SSL Secure Sockets Layer: protocol to ensure secure transactions between web servers and browsers.

CERTIFICATES Different types exist: X509, PGP, SDSI, ...

X509 X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280.

DIFFERENT X509 CHARACTERISTICS: ENCODINGS DER = used for binary DER-encoded certificates. PEM = used for X509 files which contain Base64-encoded data.

DIFFERENT X509 CHARACTERISTICS: EXTENSIONS CRT = common extension for certificates. CER = alternative extension for certificates (Microsoft convention). KEY = extension used for public / private PKCS#8 keys.
PKCS#8: PKI standard used to carry private certificate keypairs.
PKCS#12: PKI standard 'container' used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.

CONVERSION WITH OPENSSL: PEM TO DER

    openssl x509 -in cert.crt -outform der -out cert.der

CONVERSION WITH OPENSSL: DER TO PEM

    openssl x509 -in cert.crt -inform der -outform pem -out cert.pem


EXAMPLE EXPLAINED Subject: Identification of the certificate. Issuer: Government CA.

CERTIFICATE AUTHORITY Instance that issues digital certificates. A trusted third party: trusted by both the subject (owner) and the party relying upon the certificate. Over 50 root certificates in current browsers (e.g. by Comodo, Symantec, ..).

VALIDITY Date from. Date till. Beware of certificate revocation (CRL), e.g. for improperly issued or compromised certificates.



EXAMPLE EXPLAINED Used to obtain the root CA certificate.

MORE IN DETAIL
Certificate "trsprt-acpt": Issuer CN = Subject CN of "Government CA"
Certificate "Government CA": Issuer CN = Subject CN of "Belgium Root CA2"
Certificate "Belgium Root CA2": Issuer CN = Subject CN

ROOT CERTIFICATE Issuer CN = Subject CN. Self-signed certificate.
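The chain walk described above, as an added Java example (not code from the presentation): it reads a PEM or DER file and checks each Issuer = Subject link and signature up to the self-signed root. The file name chain.pem and its leaf-first order are assumptions; note that certificates generated with keytool -genkey, like the demo's, are themselves self-signed, so the walk stops at the first one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainWalker {

    // Reads every certificate in a PEM or DER file (the X.509 CertificateFactory
    // accepts both encodings). Assumed order: leaf first, then each issuer.
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Walks the chain as on the slide: each Issuer must equal the next
    // certificate's Subject and the signature must verify with that
    // certificate's public key; the root (Issuer = Subject) signs itself.
    static X509Certificate walk(List<X509Certificate> chain) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (!selfSigned && i + 1 == chain.size())
                throw new IllegalStateException("no root: missing issuer " + cert.getIssuerX500Principal());
            X509Certificate signer = selfSigned ? cert : chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(signer.getSubjectX500Principal()))
                throw new IllegalStateException("Issuer/Subject mismatch at index " + i);
            cert.checkValidity();                 // expired or not yet valid -> exception
            cert.verify(signer.getPublicKey());   // signature does not verify -> exception
            System.out.println((selfSigned ? "ROOT  " : "      ") + cert.getSubjectX500Principal()
                    + "  <-  " + cert.getIssuerX500Principal());
            if (selfSigned) return cert;          // chain is complete and consistent
        }
        throw new IllegalStateException("empty chain");
    }

    public static void main(String[] args) throws Exception {
        walk(readChain(args.length > 0 ? args[0] : "chain.pem")); // file name is an assumption
    }
}
```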

KEYSTORES A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates - used for instance in SSL encryption. * Wikipedia

KEYSTORE Contains public/private keypairs. The private key is accompanied by the certificate chain for the corresponding public key. Decryption is based on the private key. Used for certificate validation (and signing).

SIGNSTORE Same as keystore, but only used for signing.

SYMMETRIC STORE Decryption + encryption, based on same symmetric key.

TRUSTSTORE Signature verification. Encryption based on the public key. Used to store the certificates of parties you trust.



1-WAY SSL The server is required to present a certificate to the client but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server will accept a connection from any client.

2-WAY SSL The server presents a certificate to the client and the client presents a certificate to the server.

BEST PRACTICES: DO NOT USE JVM PARAMETERS

    -Djavax.net.ssl.trustStore=XX -Djavax.net.ssl.trustStorePassword=XX

Obvious security risk.

BEST PRACTICES: DO NOT USE THE DEFAULT CACERTS One day you will upgrade or migrate the JVM .. and forget about the certificates you added to it.

BEST PRACTICES: KEEP IT REALLY SIMPLE You will probably not be the one maintaining it. Use a different keystore for each platform (DEV, UAT, PRD) and for each functionality (keystore, signstore, truststore).


DEMO APPLICATION SOAP messages over secured SSL connection. Do not confuse with signing a SOAP message using an X.509 Certificate!

DEMO APPLICATION MODULES Server: BrownBagServicePublisher.java. Client: Client.java.

PREREQUISITE FOR RUNNING THE DEMO Create client and server public/private keypairs and certificates. In this demo we'll be using java keytool to create a keystore with generated keypairs. In a production environment certificates must be created/requested by the application manager. Afterwards these certificates can be imported into a keystore using java keytool.

SERVER KEYPAIR Create the server keystore and generate a certificate with java keytool. Use a common name (CN) that matches the server address (see below).

    $ keytool -genkey -keyalg RSA -alias sec_server -keystore server_keystore.jks \
        -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore server_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    sec_server, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D

CN: must be used to connect to the server. The Java SSL context compares the name in the CN with the connection address. => Adjust the hosts file if needed!

CLIENT KEYPAIR Create the client keystore.

    $ keytool -genkey -keyalg RSA -alias sec_client -keystore client_keystore.jks \
        -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore client_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    sec_client, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42

SERVER Run the main method of the server module. It has a keystore with a certificate and private key, and a truststore containing the client certificate.

CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS Extract the certificate from the client keystore and import it into the server truststore.

    $ keytool -export -keystore client_keystore.jks -alias sec_client -file sec_client.crt -storepass changeit
    $ keytool -import -file sec_client.crt -alias sec_client -keystore server_truststore.jks -storepass changeit
    $ keytool -list -keystore server_truststore.jks
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    sec_client, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42

TEST SERVER WITH FIREFOX How-to: accept the self-signed certificate warning in Firefox. Import the client certificate and private key from a PKCS#12 file into Firefox's personal certificates. Create the PKCS#12 file client_keystore.p12:

    $ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 \
        -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit \
        -srcalias sec_client -destalias sec_client -srckeypass changeit -destkeypass changeit -noprompt

THE JAVA CLIENT Run the main method of the client module. It has a keystore with the client certificate and private key, and a truststore containing the server certificate. Uses the spring-ws framework.

CREATE THE CLIENT TRUSTSTORE Extract the certificate from the server keystore and import it into the client truststore.

    $ keytool -export -keystore server_keystore.jks -alias sec_server -file sec_server.crt -storepass changeit
    $ keytool -import -file sec_server.crt -alias sec_server -keystore client_truststore.jks -storepass changeit
    $ keytool -list -keystore client_truststore.jks
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    sec_server, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D

JAVA CODE Init the keystore and truststore in Java code and configure the SSLContext for the JVM.

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.*;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    public class SslSetup {

        void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
                CertificateException, UnrecoverableKeyException, KeyManagementException {
            final String KEYSTORE = "/path/to/keystore.jks";
            final String TRUSTSTORE = "/path/to/truststore.jks";
            final String KEYSTORE_PASS = "changeit";

            // Load the keystore (own certificate and private key)
            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(KEYSTORE)) {
                keyStore.load(in, KEYSTORE_PASS.toCharArray());
            }
            keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());

            // Load the truststore (certificates of the parties we trust)
            TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(TRUSTSTORE)) {
                trustStore.load(in, KEYSTORE_PASS.toCharArray());
            }
            trustFactory.init(trustStore);

            // Configure SSLContext for the JVM ("SSL" as on the slide; "TLS" is also a valid name)
            SSLContext context = SSLContext.getInstance("SSL");
            context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
            SSLContext.setDefault(context);
        }
    }

TROUBLESHOOTING Use the system property: -Djavax.net.debug=ssl

CLIENT EXCEPTION

    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Truststore is not found.

CLIENT EXCEPTION

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Server certificate not found in truststore. Server certificate expired or revoked.

CLIENT EXCEPTION

    I/O error: Remote host closed connection during handshake; nested exception is
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

    I/O error: Connection reset; nested exception is java.net.SocketException: Connection reset

The server doesn't trust the client: the client certificate is not in the server truststore, or the client is sending the wrong certificate to the server. Or a technical error...
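A pre-flight check for the three client exceptions above, as an added Java example (not the demo's code): it verifies the condition each exception points at before any handshake and prints the keytool-style SHA1 fingerprints so they can be compared with the other side's truststore listing. Store file names, aliases and the password follow the demo; the client-side defaults in main are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class StorePreflight {

    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        return ks;
    }

    // Same SHA1 fingerprint format as the "keytool -list" output on the slides.
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Checks the conditions behind the three client exceptions before the first handshake.
    static void check(String ownStore, String ownAlias, String trustStore,
                      String peerAlias, String pass) throws Exception {
        KeyStore ks = load(ownStore, pass);
        KeyStore ts = load(trustStore, pass);
        // 1. "trustAnchors parameter must be non-empty": truststore has no entries
        if (ts.size() == 0) throw new IllegalStateException(trustStore + " is empty");
        // 2. "PKIX path building failed": peer certificate missing, expired or not yet valid
        Certificate peer = ts.getCertificate(peerAlias);
        if (peer == null) throw new IllegalStateException(peerAlias + " not in " + trustStore);
        ((X509Certificate) peer).checkValidity();
        // 3. peer closes the handshake: we would present no certificate / private key
        if (!ks.isKeyEntry(ownAlias) || ks.getKey(ownAlias, pass.toCharArray()) == null)
            throw new IllegalStateException("no private key under alias " + ownAlias);
        System.out.println("own  " + ownAlias + "   " + fingerprint(ks.getCertificate(ownAlias)));
        System.out.println("peer " + peerAlias + "   " + fingerprint(peer));
    }

    public static void main(String[] args) throws Exception {
        check("client_keystore.jks", "sec_client", "client_truststore.jks", "sec_server", "changeit");
    }
}
```

Newer keytool versions print a SHA-256 fingerprint instead; switch the digest name if you compare against that output.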

