How to create a Server which accepts Client Certificate in Java


When you need to create a server which is requiring client certificate, you can use below code for that.

package testserver;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsExchange;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

public class TestServer {

    /**
     * @param args the command line arguments
     */

    final static String Server_Password = "password";
    final static String keystore = "D://NetbeansProjects/TestServer/src/testserver/keys/server.jks";
    final static String truststore = "D://NetbeansProjects/TestServer/src/testserver/keys/servertrust.jks";
    public static HttpsServer server;

    public static void main(String[] args)throws Exception{
        // TODO code application logic here;
            HttpsServer server = makeNewServer();
            server.start();
            System.out.println("Server is running.\n"+server.getAddress().getHostName()); System.in.read();
            server.stop(0);
       
    }
       public static HttpsServer makeNewServer() throws Exception {
        server = HttpsServer.create(new InetSocketAddress(8000), 0);

        SSLContext sslCon = createSSLContext();
        ServerConfigurator conf = new ServerConfigurator(sslCon);
        server.setHttpsConfigurator(conf);

        server.createContext("/auth", new ServerHandler());
        return server;
    }
    private static SSLContext createSSLContext()  {
        SSLContext sslContext = null;
        KeyStore ks;
        KeyStore ts;

        try{
            sslContext = SSLContext.getInstance("TLSv1.2");

            ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(keystore), Server_Password.toCharArray());
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, Server_Password.toCharArray());

            ts = KeyStore.getInstance("JKS");
            ts.load(new FileInputStream(truststore), Server_Password.toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ts);

            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        } catch (Exception e) {
            e.printStackTrace();
        }   
        return sslContext;
    }
}

class ServerConfigurator extends HttpsConfigurator {
    public ServerConfigurator(SSLContext sslContext) {
        super(sslContext);  }

    @Override
    public  void configure(HttpsParameters params) {
        SSLContext sslContext = getSSLContext();
        SSLParameters  sslParams = sslContext.getDefaultSSLParameters();
        sslParams.setNeedClientAuth(true);
        params.setNeedClientAuth(true);
        params.setSSLParameters(sslParams);
    }
}

class ServerHandler implements HttpHandler {
    public void handle(HttpExchange t) throws IOException {
        HttpsExchange ts = (HttpsExchange) t;
        SSLSession sess = ts.getSSLSession();
        System.out.printf("Responding to host: %s\n",sess.getPeerHost());

        t.getResponseHeaders().set("Content-Type", "text/plain");
        t.sendResponseHeaders(200,0);
        String response = "Hello!  I am a trusted server!\n";
        OutputStream os = t.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }

}

Then you need to create Keystore and Truststore for your server.

What is the Keystore?

Keystore is used to store private key and own certificate which should present to other party for verifying own identity.

What is Truststore?

Truststore is used to save trusted CA certificates and public certificates of other parties. In java, cacerts is the Truststore and it is located at $JAVA_HOME/lib/security/cacerts.

Here, we are going to create self signed certificate which is signed by itself rather than trusted CA.
We can use java keytool to do this.

Create Server java key store
------------------------------------
keytool -genkey -alias server -keyalg RSA -keystore server.jks -validity 365 -dname "cn=$LOCALNAME, ou=Cert, o=Cert, c=CA" -storepass $PASSEORD -keypass $PASSWORD

Create client java key store
----------------------------------
keytool -genkey -alias MyClient -keyalg RSA -keystore MyClient.jks -validity 365 -dname "cn=$LOCALNAME, ou=Cert, o=Cert, c=CA" -storepass $PASS -keypass $PASS

Export Server certificate
-------------------------------
keytool -export -file server.cert -keystore server.jks -storepass $PASSWORD -alias server

Export Client certificate
--------------------------------
keytool -export -file MyClient.cert -keystore MyClient.jks -storepass $PASSWORD -alias MyClient

Import Server certificate to Client trust store
----------------------------------------------------------
keytool -import -file server.cert -alias server -keystore clienttrust.jks -storepass $PASSWORD 

Import Client certificate to Server trust store
----------------------------------------------------------
keytool -import -file MyClient.cert -alias MyClient -keystore servertrust.jks -storepass $PASSWORD 
Important Points
  • When you are executing keytool commands in windows command prompt, command prompt should be opened as an administrator
  • You should create your keystore at $JAVA_HOME/bin.
  • It is good to use same password for keystore and keys to avoid unnecessary error
Exception Handling
  • javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ssl.someUrl.de found -                                                                                     
Reason: When an HTTPS Client connects to a server, it verifies that the hostname in the certificate matches the hostname of the server. Hence, CN should be the hostname of the server that you are going to connect.
  • Exception while sending data Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target   Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target                                                        
Resolution:  Make sure you have imported the public certificate of the target instance into the Truststore 
  • Exception while sending data Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake Caused by: java.io.EOFException: SSL peer shut down incorrectly                                                                                                                
Reason:  Protocol version error.  Check TLS version EX: sslContext = SSLContext.getInstance("TLSv1.2"); or in my case I have set  sslParams.setNeedClientAuth(true);   params.setNeedClientAuth(true);  in my server code. But,  I have tested this without importing client certificate to server truststore. 

Comments

  1. PrancerAugust 5, 2020 at 6:14 AM

    Thank you for the great post.
    Prancer is a pre-deployment and post-deployment multi-cloud validation framework for your Infrastructure as Code (IaC) pipeline and continuous compliance in the cloud.
    https://www.prancer.io/

    ReplyDelete

Post a Comment

Popular posts from this blog

How to add standard and custom Metadata to PDF using iTextSharp

In a previous blog, I explained How to add custom metadata using Syncfusion library. But this package gives so many difficulties when adding metadata to pdf. Such problems are,    1. When once add custom meta data to a pdf, it does not able to change or remove those custom meta data from the pdf.    2. It does not compatible with meta data search engines. It does not show custom meta data properly when those are searched through the search engines. Due to these reasons, Syncfusion is not good library for custom meta data. But, iTextSharp provides flexible framework to deal with custom meta data as well as standard meta data for PDF. Below I have provided the source code to show usage of iTextSharp library. You can download iTextShrp.dll from here                              PdfReader pdf = new PdfReader(input_path); ...
Read more

How to set and get Metadata to image using BitmapMetadata class in C#

When images are considered, those are storing their Meta data using different types of Meta containers such as EXIF, Adobe XMP, IPTC, Photoshop Image resource and Text descriptions. This every container has their specific unique rules to encode (store) and decode (extract) Meta data. As well as these each Meta container is storing specific Meta information. Exif Meta containers are mostly storing location information and GPS (Global Positioning System) records. As well as, Adobe XMP is responsible to store Dublin core Meta data which provides standard Meta tags that can be used to describe digital objects basically and IPTC is storing Meta information about application records. Meta data extractor is mainly considering these Exif, IPTC and adobe XMP Meta containers when it is extracting Meta data from images. As well as, these different Meta data containers are considered; they are structuring Meta tags in different dir...
Read more

How to generate direct line token to start a new conversation between your own client application and bot framework in Java

You can enable the communication between your bot framework and your client application using Direct Line API. When you add your client application as a site to communicate with your bot framework through azure portal, bot framework will generate secret keys. Your client application can use these generated secret keys to authenticate direct line requests issued to your bot framework. Let me explain how we can generate token to start a  conversations between your own client and bot framework. When we send a request to direct line for generating token,  if the request is successful it will send the conversation id and token that is valid to that conversation id. If client application already has a earlier used conversation Id, you can pass that id as an input to this method for generating token. If there is no conversation id, you can pass null value.  Return type of this method is a Map to retrieve generated token and conversation Id which is valid for that to...
Read more