Murach's Java Servlets/JSP (3rd Ed.), C15 © 2014, Mike Murach & Associates, Inc.
Slide 1
Chapter 15
How to use SSL to work with a secure connection
Slide 2
Objectives
Applied
1. Develop web applications that use secure connections whenever that’s needed.
Knowledge
1. Explain how the use of secure connections secures the data that’s used in an application.
Slide 3
A request made with a secure connection
[Screenshot callouts: a lock icon is displayed; the URL starts with https]
Slide 4
An introduction to SSL
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the protocols used on the Internet that allow clients and servers to communicate over a secure connection.
Although there are slight differences between SSL and TLS, the protocol remains substantially the same.
With SSL, the browser encrypts all data that’s sent to the server and decrypts all data that’s received from the server.
With SSL, the server encrypts all data that’s sent to the browser and decrypts all data that’s received from the browser.
SSL is able to determine whether data has been tampered with in transit, and to verify that a server or a client is who it claims to be.
Slide 5
A digital secure certificate
Slide 6
Types of digital secure certificates
Certificate          Description
Server certificate   Issued to trusted servers so client computers can connect to them using secure connections.
Client certificate   Issued to trusted clients so server computers can confirm their identity.
Slide 7
How authentication works
Authentication is the process of determining whether a server or client is who and what it claims to be.
When a browser makes an initial attempt to communicate with a server over a secure connection, the server authenticates itself by providing a digital secure certificate.
If the digital secure certificate is registered with the browser, the browser doesn’t display the certificate by default.
The user can typically view the certificate by clicking on the lock icon that’s displayed by the browser.
In rare cases, the server may request that a browser authenticate itself by presenting its own digital secure certificate.
Slide 8
Some certificate authorities that issue digital secure certificates
www.symantec.com/ssl-sem-page
www.godaddy.com/ssl
www.globalsign.com
www.startcom.org
www.comodo.com/
Slide 9
SSL strengths
Strength   Pros and Cons
40-bit     Relatively easy to crack the encryption code.
56-bit     Thousands of times stronger than 40-bit. Still possible to crack.
128-bit    Over a trillion times a trillion times stronger than 40-bit. Extremely difficult to crack. More expensive.
256-bit    Virtually impossible to crack the encryption code. More expensive. Not all browsers support it.
Slide 10
How to get a digital secure certificate
To use SSL, you must first purchase a digital secure certificate from a trusted certificate authority (CA) and install it on your server.
A CA is a company that issues and manages security credentials.
To verify information, a CA must check with a registration authority (RA).
Installing a digital secure certificate enables SSL.
SSL strength refers to the length of the key that is generated during the encryption process. The longer the key, the more difficult it is to crack the encryption code.
The SSL strength that’s used depends on the strength provided by the certificate, the strength supported by the web server, and the strength supported by the browser.
Slide 11
A command prompt after creating a secure certificate for testing
Slide 12
Tomcat’s server.xml file
The Connector element for an SSL/TLS connection
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${user.home}/.keystore"
           keystorePass="changeit"/>
Slide 13
How to configure SSL/TLS on a local system
1. Use the Command Prompt (Windows) or Terminal (Mac) to create a keystore file.
   Use the cd command to navigate to the bin directory of your JDK.
   Run the keytool command and respond to the prompts.
   Be sure to use “changeit” as the keystore password.
   Press Enter to use the same password for the key password.
2. Edit the server.xml file in Tomcat’s conf directory.
   Remove the comments from the Connector element for the SSL connector.
   Edit its attributes.
3. Restart Tomcat.
Slide 14
SSL/TLS notes
The Java Secure Socket Extension (JSSE) API is a collection of Java classes that enable secure connections within Java programs by implementing a version of the SSL and TLS protocols.
To test SSL connections in a local environment, create a self-signed certificate. To do that, you create a keystore file.
By default, Tomcat’s server.xml file defines the protocol as TLS, not SSL. As a result, newer browsers use TLS, and older browsers use SSL.
Slide 15
The URL you can use to test the local SSL connection
https://localhost:8443
Slide 16
Warning page for the security certificate
Slide 17
If SSL is set up correctly on the local system
Slide 18
Common problems configuring the local SSL connection
Problem 1
Problem: Tomcat can’t find the keystore file. It throws a java.io.FileNotFoundException.
Solution: Make sure the .keystore file is located in your home directory. For Windows, this directory is C:\Users\user.name.
Problem 2
Problem: The keystore password and key password used to create the keystore file don’t match. Tomcat says, “keystore was tampered with” or “password was incorrect.”
Solution: Delete the old keystore file and create a new one.
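An added check for the two problems above (not from the book): it loads the keystore that the Connector element points at, using the same defaults, ${user.home}/.keystore and the password changeit, and reports which failure Tomcat would hit on restart. The class name and the per-alias loop are my own; the deck does not name a key alias, so every key entry is tried.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/** Diagnoses the keystore problems from slide 18 before Tomcat is restarted (added example). */
public class KeystoreCheck {

    /** Returns a one-line verdict for the keystore at the given path and password. */
    static String check(Path keystore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystore.toFile())) {
            ks.load(in, password);
        } catch (FileNotFoundException e) {
            // Problem 1: the Connector's keystoreFile does not exist; Tomcat throws this same exception
            return "Problem 1: no keystore at " + keystore;
        } catch (IOException e) {
            // Wrong keystore password or corrupt file: "Keystore was tampered with, or password was incorrect"
            return "Keystore password rejected: " + e.getMessage();
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;   // trusted-certificate entries have no key password to verify
            }
            try {
                // Tomcat opens the private key with the keystore password by default,
                // so the key password must equal the keystore password (Problem 2)
                ks.getKey(alias, password);
            } catch (UnrecoverableKeyException e) {
                return "Problem 2: key password for alias '" + alias + "' differs from the keystore password";
            }
        }
        return "OK: " + keystore + " loads and every key entry opens with the keystore password";
    }

    public static void main(String[] args) throws Exception {
        // Same defaults as the Connector element on slide 12; a different password can be passed as args[0]
        Path keystore = Paths.get(System.getProperty("user.home"), ".keystore");
        String password = args.length > 0 ? args[0] : "changeit";
        System.out.println(check(keystore, password.toCharArray()));
    }
}
```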
Slide 19
How to request a secure connection…
on the Internet
https://www.murach.com/email/join.jsp
on a local system
https://localhost:8443/ch15email/join.jsp
Notes
To request a secure connection, use an absolute URL that starts with https. If requesting a resource from a local system, specify the port used for secure connections. For Tomcat, that is usually 8443.
Once you establish a secure connection, use relative URLs to continue using the secure connection.
Slide 20
A JSP that uses a secure connection
[Screenshot callout: click the lock icon to view the certificate]
Slide 21
How to return to a regular connection…
on the Internet
http://www.murach.com/email/join.jsp
on a local system
http://localhost:8080/ch15email/join.jsp
Notes
Once you establish a secure connection, the application continues using that connection as long as you use relative URLs.
To return to a regular HTTP connection after using a secure connection, code an absolute URL that starts with http.
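An added example, not from the book or the ch15email application: a servlet filter that applies the notes on slides 19 and 21 by redirecting a plain-HTTP request for join.jsp to the absolute https URL on port 8443, and whose switchScheme helper also builds the http URL on port 8080 for links that return to a regular connection. The port numbers and the join.jsp path are the deck's; the filter class and helper names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sends any plain-HTTP request for join.jsp to the HTTPS connector (added example). */
@WebFilter("/join.jsp")
public class SecureConnectionFilter implements Filter {
    // Local Tomcat ports from the deck: 8080 for http, 8443 for https
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    /** Builds the absolute URL for the same resource over https (secure=true) or http (secure=false). */
    static String switchScheme(HttpServletRequest req, boolean secure) {
        String scheme = secure ? "https" : "http";
        int port = secure ? HTTPS_PORT : HTTP_PORT;
        // getServerName() is taken from the request's Host header; a production filter
        // would use a configured host name rather than echoing what the client sent
        String url = scheme + "://" + req.getServerName() + ":" + port + req.getRequestURI();
        return req.getQueryString() == null ? url : url + "?" + req.getQueryString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (!req.isSecure()) {
            // A POST over http has already sent the form data in the clear, so the form's action
            // should point at the https URL itself; this redirect only rescues a typed or bookmarked GET
            res.sendRedirect(switchScheme(req, true));
            return;
        }
        chain.doFilter(request, response);   // already secure; relative URLs keep the https connection
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```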