Securing Communications for Java Processes
Last Updated on August 17, 2021 by Hammad Rauf
There are often situations when two processes need to establish a secure connection, like for example when one JVM calls another JVM using HTTP/HTTPS protocol. For providing encrypted communication channel HTTPS protocol is often used because of its widespread availabilty and firm foundation on public-private key big brother encryption systems, the big brother being the Certification Authorities (Like Versign etc.).
The JVM (Java Virtual Machine Process – The Java Process running a programmer or vendor application code)
which is starting the connection is called the client, and the JVM which is being connected to is the server. Secure HTTPS connections can be configured in 2 ways. First method requirires only the Server to provide a Digital Certificate, and the second method requires the Server as well as the Client to prove its identity by providing their Digital Certificates.
Digital Certificate
So what is a Digital Certificate? A digital certificate primarliy is a tool used in establishing identity of a computer on the public network (Internet) by means of one’s trust in the Certification Authority (CA), the big brother (For example Verisign, EnTrust, etc.). As defined in this link, a digital certificate consists of electronic files that can contain name of the computer/entity being identified, validity period, serial number, finger-print and encrypted checksums.
When a Digital Certificate is installed on a computer Server, it is usually placed in a specially encoded file, which has restricted access. The HTTP server can read this file and present the configured certificate to incoming network requests for HTTPS connections. The client, let us consider a web browser in this case, is usually pre-programmed to verify this certificate as part of establishing the HTTPS connection. Browsers usually have a list of CA’s and there public certificates already installed.
Public-Private Key Pair
Digital certification system has 2 key pair that make them work. This is also known as the public-private key pair concept. The private key is a file that only the owner of the Digital Certificate should have. The public key can be distributed, or even published. For one certificate the public key and the private key are related, that is one key will not work without the other part.
An Example
Let us consider this example. HTTPS-A and HTTPS-B want to communicate securely over a public network. A message m to be sent over public network is encrypted by HTTPS-A with its own private key, so now m becomes M. M is tranmitted over the network and recieved by the HTTPS-B. HTTPS-B will use HTTPS-A’s public key to decrypt M back to its original form m. Using a slightly more involved method (Digital signing), it can also be verified that the message m has not been changed during transmission, as it may be possible over a public network.
JVM to JVM Secure Communication
JVM usually depend upon the Web Server (HTTP server) to provide HTTP/HTTPS transport. This is more true today then before, specially with the advent web services and SOA. For the rest of the discussion, I will assume that JVM is always using a HTTPS connection to connect with remote server.
It is important to remember that client JVM (A) needs to have the public-key of the remote server (JVM B or its front end HTTP Server, as the case may be). If the JVM B also will be initiaing calls to JVM A than JVM B will also need the public key of JVM A or its front end HTTP Server, as the case may be. Also when JVM A connects with a remote server B, it is the JVM A Process that is directly opening the secure connection to the remote server and not the JVM A’s front end web server.
Different JVM Container servers (Application Servers) have different places where certifcates are stored. Please refer to your Application Servers documentaion to determine where these certificates are stored. Generally speaking it is a good stratagey to keep the “private key digital certificates” seperate from the “public key digital certificates”. IBM Web-Sphere terminology refers to “private key digital certificates store” as KeyStore, and “public key digital certificates store” as TrustStore.
Further Reading and References
- Wikipedia, date accessed September 11, 2014, http://en.wikipedia.org/wiki/Public_key_certificate
- Digital Certificates, date accessed September 11, 2014, http://www.utexas.edu/its/help/digital-certificates/845
- WebSphere Application Server V7.0 Security Guide, Page 192- 193, date accessed September 11, 2014, http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf