Performing Mutual Authentication
In some applications, client authentication is of paramount importance.
So far, we have
SecureServer running against each
SecureServer provides its certificate to
SecureServer. Then they set up a secure
communication channel. This scenario is still a little one-sided. How
SecureServer know that it is talking to
SecureBrowser? That's where mutual authentication comes
Creating a Client Certificate
The first thing that we need to do is to create a certificate for our client. This is accomplished using the keytool.
keytool -genkey -keyalg rsa -alias jaworski Enter keystore password: 12345678 What is your first and last name? [Unknown]: libretto70ct What is the name of your organizational unit? [Unknown]: Software Development What is the name of your organization? [Unknown]: Toolery.com What is the name of your City or Locality? [Unknown]: Chula Vista What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is <CN=libretto70ct, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US> correct? [no]: y Enter key password for <jaworski> (RETURN if same as keystore password):
I created the above certificate on another computer named Libretto70CT.
The next thing that we need to do is to export the certificate. Again, we'll use the keytool.
keytool -export -alias jaworski -file jj.cer Enter keystore password: 12345678 Certificate stored in file <jj.cer>
Now, we import the certificate (
jj.cer) into a
keystore on the server. This keystore will function as the server's
keytool -import -alias jaworski -file jj.cer
Enter keystore password: 12345678
Owner: CN=libretto70ct, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
Issuer: CN=libretto70ct, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
Serial number: 3ae65817
Valid from: Tue Apr 24 21:52:39 PDT 2001 until: Mon Jul 23 21:52:39 PDT 2001
Trust this certificate? [no]: y
Certificate was added to keystore
The keystore that is created from the above command is the default
.keystore. Rename it to
jssecacerts and put it in the
subdirectory of your
java.home directory. This
will make your server aware of the client's key.
Modifying SecureServer and SecureBrowser
SecureBrowser to present its certificate to
SecureServer so that
SecureServer can also
SecureBrowser. The change required on
SecureServer's part is minimal. Simply change the
following line in
SecureServer's constructor from
this("SecureServer", "1.0", 443, false);
this("SecureServer", "1.0", 443, true);
This turns on mutual authentication in
On the client side, we must tell the underlying SSL implementation
which keystore to use and which password to use to access the
keystore. This amounts to setting the
javax.net.ssl.keyStorePassword properties. On my
Libretto, the default keystore that was created is named
.keystore and is located in the
directory. Simply add the following two lines to the bottom of the
Seeing it in Action
All that's left is to restart
SecureServer and access
SecureBrowser. Make sure that you give
SecureServer a minute or two to start up. Then startup
SecureBrowser on your client machine. (I recommend using
separate machines because it simplifies the process of managing
keystores and truststores.
java SecureBrowser https://enpower/
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Welcome to Java Security using JSSE</title>
<h1>Welcome to Java Security using JSSE</h1>
<p>This page was securely sent using SSL version 3.0.</p>
SecureServer reports the transaction as follows:
SecureServer version 1.0
SecureServer is listening on port 443.
Accepted connection to LIBRETTO70CT (192.168.1.70) on port 1098.
Received the following request:
GET / HTTP/1.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
File sent: C:\WINDOWS\Desktop\JSSE\index.htm
Number of bytes: 487
Request completed. Closing connection.
When you are finished with these examples, go back and delete all of the keystores that you've created to keep any trusted certificates from laying around on your system.
Jamie Jaworski is a Java security expert and author, focused on cryptography and such.
Return to ONJava.com.
Hoe SecureBrowser client knows which clientCertificate to present to SecureServer
2007-05-08 06:37:47 zchen_joe [View]
Caused by: java.io.IOException: HTTPS hostname wrong: should be <192.168.10.142>
2007-02-06 02:41:19 annu_itech [View]
2006-12-04 12:29:23 james_baker [View]
changes required if java 1.4 is used
2005-12-06 13:32:53 jav_qs [View]
2005-01-12 07:00:59 frantic [View]
Web server client
2004-02-23 19:55:41 rbracken [View]
Not a real world article
2003-06-09 10:07:41 anonymous2 [View]
Doubts in SSLSocket
2003-05-30 22:29:19 anonymous2 [View]
Accessing a secured site with my browser
2003-04-19 12:02:14 anonymous2 [View]
Could also explain a couple of anomolies...
2003-03-27 03:05:38 anonymous2 [View]
2002-10-29 21:44:23 soorej [View]
2002-10-01 13:34:37 anonymous2 [View]
real world certificates?
2002-09-25 03:29:59 alastairchisholm [View]
2002-06-12 01:50:59 surajs40 [View]
2002-03-04 03:58:17 dwbrown [View]
jssecacerts named twice in /lib/security
2002-02-20 06:10:17 luthriaajay [View]
2001-11-02 06:35:13 pinwu [View]
doubt in example
2001-10-09 23:27:19 meenarc [View]
Many thanks to Jamie Jaworski
2001-05-10 07:54:30 email@example.com [View]