Server-side SSL conceptual overview in Java

My job is to secure (formerly HTTP) the web service with HTTPS. From a departed employee I inherited code that inserts an SSLEngine object between the TCP and HTTP layers of our existing server. As far as I know, this code is working correctly. I get the SSLEngine from SSLContext.createSSLEngine(), but how to create the appropriate SSLContext confuses me.

SSLEngine itself has a beautiful conceptual introduction in its javadoc, but, unfortunately, that is the part I do not need to interact with. On the other hand, SSLContext.init() is very sparsely documented and simply says that I have to pass "sources of authentication keys" and "sources of peer trust decisions", and I have no idea what those are. The documentation for the types of these parameters (usually my next attempt at understanding it) is too general to say anything, and the class documentation for SSLContext is also useless.

I am provided with a group of ASCII-armored files (.crt, .pem and .key) which together allow Apache to serve HTTPS for the domain that the Java server will ultimately handle. I suppose I need to somehow load them into the SSLContext or SSLEngine, but I'm not sure whether SSLContext.init() is even the most suitable place for this (although there don't seem to be many other places it could be).

What documentation should I start by reading in order to get a working idea of how to do this?

My attempts at Googling turn up many semi-documented code samples of unknown quality and security, as well as some advanced walkthroughs, such as "how to write your own key provider", but not a general conceptual introduction to the most basic use of the JRE classes.

, , -, , , , , . , , .

( , , , SSL , ).

+5
2

, JSSE, SSLContext.

( null SSLContext.init(...)) , , (. Customization).

( truststore, , ).

, SSLContext :

import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

KeyStore ks = KeyStore.getInstance(...); // Load the keystore: it holds the server's private key and certificate chain
ks.load(...); // Load as required from the InputStream of your choice, for example.

KeyStore ts = KeyStore.getInstance(...); // Load the truststore: it holds the CA certificates used to verify peers
ts.load(...);

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, <the key password>); // a char[] protecting the private key entry in the keystore

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null SecureRandom = use the provider default

, . , " " , (+ ) ( , ), ( , ), , .

, /, PKCS12, , .

EDIT: ( )

, , TrustManager, SSL- ?

.

client, TrustManager, , ?

. CA , . ( - ), PKI , , CA.

TrustManager, ( ) , ( , ), , PKI. , , , .

; , , URL- , .

. URL-, , . HTTP SSLEngine, ( ).

SSLEngine - SSL/TLS Java , . , . HTTP-, ( /, , ). .

, , , . , ( SSL/TLS) , X509TrustManager, - ( SSL/TLS ), SSLSession ( ) . , . , PKI, - ( API, ).

, . , , , . CA : , .

, <the key password>? ; , - , (, ).

. , (, , ).

+4
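As an added example (it is not code from the question or from either answer), the following Java 11+ class carries the KeyStore / KeyManagerFactory / TrustManagerFactory / SSLContext recipe from the answer above through for the file set the question describes: a PEM certificate chain, a PEM private key and a CA bundle. The file names server.crt, server.key and ca.pem, the alias names and the class and method names are assumptions. The JDK has no PEM parser for private keys, so the key is expected in unencrypted PKCS#8 form (the "BEGIN PRIVATE KEY" header); a traditional "BEGIN RSA PRIVATE KEY" file has to be converted first, for example with openssl pkcs8 -topk8 -nocrypt.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/** Added example: builds a server-side SSLContext from PEM files (class and file names are assumptions). */
public final class PemSslContextFactory {

    /** Read every certificate in a PEM file: the server cert first, then any intermediates, in order. */
    static Certificate[] loadCertificates(Path pemFile) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (var in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    /** Parse an unencrypted PKCS#8 private key ("-----BEGIN PRIVATE KEY-----"); the JDK has no PEM key parser. */
    static PrivateKey loadPkcs8PrivateKey(Path keyFile, String algorithm) throws IOException, GeneralSecurityException {
        String pem = Files.readString(keyFile, StandardCharsets.US_ASCII);
        if (!pem.contains("BEGIN PRIVATE KEY")) {
            throw new GeneralSecurityException(
                "expected an unencrypted PKCS#8 key; convert with: openssl pkcs8 -topk8 -nocrypt");
        }
        String base64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Assemble the keystore (our identity) and truststore (who we trust) and initialise the context. */
    static SSLContext buildServerContext(Path certChainPem, Path privateKeyPem, Path caBundlePem)
            throws IOException, GeneralSecurityException {
        Certificate[] chain = loadCertificates(certChainPem);
        // "RSA" or "EC", taken from the leaf certificate so the KeyFactory matches the key type.
        PrivateKey key = loadPkcs8PrivateKey(privateKeyPem, chain[0].getPublicKey().getAlgorithm());

        // Keystore: private key plus its certificate chain. It lives only in memory, so the
        // entry password protects nothing on disk; KeyManagerFactory still requires one.
        char[] keyPassword = "in-memory-only".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                              // start an empty store
        ks.setKeyEntry("server", key, keyPassword, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);

        // Truststore: CA certificates. On a server it is consulted only when the engine asks
        // the client for a certificate (setNeedClientAuth / setWantClientAuth below).
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        int i = 0;
        for (Certificate ca : loadCertificates(caBundlePem)) {
            ts.setCertificateEntry("ca-" + i++, ca);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null: default SecureRandom
        return ctx;
    }

    /** Server-mode engine to sit between the TCP layer and the HTTP layer. */
    static SSLEngine newServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);                       // must be set before the first wrap/unwrap
        engine.setNeedClientAuth(false);                      // true would require and verify client certs
        engine.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // pin instead of trusting defaults
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildServerContext(Path.of("server.crt"), Path.of("server.key"), Path.of("ca.pem"));
        SSLEngine engine = newServerEngine(ctx);
        System.out.println("protocols: " + String.join(",", engine.getEnabledProtocols()));
    }
}
```

Two points that bite in practice: setUseClientMode(false) has to be called explicitly, because a freshly created SSLEngine has no mode set and the first handshake call fails without it; and the truststore is irrelevant to a plain HTTPS server until client certificates are requested, so an empty or wrong CA bundle will not show up as an error until that point. Keep the .key file readable only by the service account, since the in-memory keystore password above protects nothing at rest.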

1:

KeyManager SSLContext, SSLContext, , , , KeyManager .

TrustManager SSLContext, .

: 2:

( , , SSL ..).

, .

: api, - .

: 3:

SSLSocket Socket ( SSLSocket, Socket).

SSLContext SSLSession, ssl. , Socket.

0
