ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button Java Security

Secure Your Sockets with JSSE


Java's APIs are great for developing networked or fully distributed applications. The java.net package makes it a cinch to develop custom socket-based client-server applications. The java.rmi packages make it possible to develop distributed object systems with minimal programming. Other packages, such as Apache's SOAP, provide the capability to develop distributed applications that communicate with non-Java-based objects.

Networked applications, by their very nature, require close attention to security. The Secure Sockets Layer (SSL) protocol was developed by Netscape in 1994 as a common solution to client-server communication security issues. SSL supports a flexible client-server authentication scheme and provides for algorithm-independent encrypted client-server communication. SSL runs as a layer between the Transport Control Protocol (TCP) and application layer protocols, such as HTTP and SMTP.

The current version of SSL is 3.0. It has been standardized by the Internet Engineering Task Force (IETF) as Transport Layer Security (TLS) version 1.0. There are few changes between TLS 1.0 and SSL 3.0, but it is good idea to continue to use SSL 3.0 until older, non-TLS-capable browsers fade away.

The Java Secure Socket Extension

Since SSL and TLS provide a standard, flexible, secure, and easy-to-use solution for basic client-server communication issues, the question naturally arises, "How can I use SSL within my Java programs?" Fortunately, Sun has answered that question with a complete SSL/TLS API, the Java Secure Socket Extension (JSSE). The current version of JSSE is 1.02, freely available from Sun's Web site.

In this column, I'll show you how to install JSSE and use it to implement HTTPS (i.e., HTTP over SSL). I'll provide you with an example of a mini-HTTPS server and Java clients that support SSL. I'll then show you how to setup a bi-directional SSL scheme where clients authenticate servers and servers authenticate clients.

Downloading and Installing JSSE

Since JSSE does not come with the Java 2 SDK, you must download it from Sun's site and integrate it with your current JDK installation.

  1. Download JSSE by going to http://www.javasoft.com/products/jsse/ and following the links at the bottom of the page. I suggest downloading both the software and documentation. Since JSSE is subject to export controls, you'll have to agree to these controls if you download JSSE from the U.S. or Canada.
  2. After downloading JSSE, you should have a file named jsse-1_0_2-do.zip. Unzip this file to produce a folder named jsse1.0.2.
  3. Within the jsse1.0.2 folder you'll find a lib directory and within the lib directory, you'll find the files jsse.jar, jcert.jar, and jnet.jar. Copy these files to the lib/ext subdirectory of your Java home directory. Use the program shown in Listing 1 to find your Java home directory. (It may not be where you think it is.) You should also copy these JAR files to the jre/lib/ext directory off of where the Java 2 SDK is installed.
  4. Test your JSSE installation by running the JSSETest program shown in Listing 2.

Listing 1. The ShowJavaHome program.

public class ShowJavaHome {
 public static void main(String[] args) {

Listing 2. The JSSETest program.

import java.security.*;

public class JSSETest {
 public static void main(String[] args) {
  try {
  }catch(Exception e) {
      System.out.println("JSSE is NOT installed correctly!");
  System.out.println("JSSE is installed correctly!");

Certificates, Keystores, and Truststores

Since SSL uses certificates for authentication, we'll need to create certificates for our clients and servers. JSSE can use certificates created by the java keytool, so creating these certificates will be straightforward.

However, before we begin, there is one issue that you should be aware of. JSSE differentiates between regular keystores and truststores. Keystores (from JSSE's perspective) are databases of key pairs and certificates that are used to set up SSL authentication. Truststores are keystores that are used to verify the identities of other clients and servers. When a client or server is setting up an SSL session, it will retrieve its certificates and keys from its keystore. When it verifies the identities of other clients or servers, it will retrieve trusted certification authority (CA) certificates from its truststores.

JSSE looks for truststores using the following algorithm.

  1. If the javax.net.ssl.trustStore system property is defined, then the value of this property is used as the truststore's location.
  2. If the file lib/security/jssecacerts file is defined off of the java.home directory, then the jssecacerts file is used as the truststore.
  3. If the file lib/security/cacerts file is defined off of the java.home directory, then the cacerts file is used as the truststore.

You can find the value of the javax.net.ssl.trustStore property using the ShowTrustStore program provided in Listing 3.

Listing 3. The ShowTrustStore program.

public class ShowTrustStore {
 public static void main(String[] args) {
  String trustStore = System.getProperty("javax.net.ssl.trustStore");
  if(trustStore == null)
   System.out.println("javax.net.ssl.trustStore is not defined");
  else System.out.println("javax.net.ssl.trustStore = " + trustStore);

Pages: 1, 2, 3, 4, 5

Next Pagearrow