JavaRanch » Java Forums » Engineering » Security

https

Rodrigo Soto
Greenhorn

Joined: Oct 13, 2009
Posts: 11
Hello,
I am trying to develop a Java client that sends a request to a server, but one of the requirements is that the connection has to be via https with certificates. I am new at Java. I have read a few tutorials but they only explain how the server works, not a client. Thank you in advance for your help.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
It should be as simple as using an https URL, e.g.


Nice to meet you.
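An added example of the approach greg describes (this is not the snippet from his post, which did not survive extraction, and not the vendor's code): a plain `HttpsURLConnection` GET. The only thing that makes it TLS is the `https` scheme; the JDK then negotiates TLS, validates the server's certificate chain against the JVM's default truststore (`cacerts`) and checks that the certificate names the host in the URL. The host name and port are placeholders.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Minimal HTTPS client. With an "https" URL the JDK does the TLS handshake,
 * validates the server certificate against the default truststore and
 * verifies the host name; nothing extra is needed for server authentication.
 */
public class SimpleHttpsClient {

    public static String get(String urlString) throws IOException {
        URL url = new URL(urlString);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            // Never silently fall back to cleartext HTTP.
            throw new IllegalArgumentException("only https URLs are accepted: " + urlString);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(10_000);
        try {
            int status;
            try {
                status = conn.getResponseCode(); // the TLS handshake happens here
            } catch (SSLHandshakeException e) {
                // Untrusted issuer, expired certificate or host-name mismatch.
                // Fix the truststore or the URL; do not install a trust-all TrustManager.
                throw new IOException("server certificate rejected for " + urlString, e);
            }
            // Who the server authenticated as; handy when debugging a new endpoint.
            System.out.println("TLS " + conn.getCipherSuite() + " peer=" + conn.getPeerPrincipal());
            if (status != 200) {
                throw new IOException("HTTP " + status + " from " + urlString);
            }
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                StringBuilder body = new StringBuilder();
                String line;
                while ((line = in.readLine()) != null) {
                    body.append(line).append('\n');
                }
                return body.toString();
            }
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical endpoint; substitute the real host and port.
        String target = args.length > 0 ? args[0] : "https://www.somevendor.example:1234/";
        System.out.println(get(target));
    }
}
```

If the server uses a certificate the JVM does not already trust (a self-signed one, or one issued by a private CA), `getResponseCode()` fails with `SSLHandshakeException`. The right fix is to put that issuer into a truststore the client uses, not to disable validation.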
Rodrigo Soto
Greenhorn

Joined: Oct 13, 2009
Posts: 11
and what are the certificates for? I thought the whole purpose was to authenticate a user with valid certificates to have sensible information within the system. Am I wrong?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
Rodrigo Soto wrote:and what are the certificates for? I thought the whole purpose was to authenticate a user with valid certificates to have sensible information within the system. Am I wrong?


Certificates are wonderful, they have so many uses, and some of them are almost valuable.

The "standard" model's first usage pattern is for a site to use SSL to ensure that communications between a user/customer's browser and the site are kept secure, so that a bad guy cannot steal your credit card numbers, tax IDs, etc. and do bad things.

A second usage pattern is that a site such as sears.com uses a signed certificate that has someone else say "This is really amazon.com and not old @Rodrigo setting up a site in his basement and claiming to be sears.com." This was all invented when it was assumed that lots of bad guys would set up fake versions of storefronts because Sears.com, Landsend.com, etc. would be too slow to claim the domain, or that folks would fake out DNS.

Part of this was correct, the old brick and mortar stores were very slow to get on the internet. But what really happened is that amazon.com jumped in first, and now has replaced sears.com and many other retailers, including your local record store, compusa.com, tower records, etc.

The first pattern is still valuable, the second is mostly moot.

The folks selling certificate signing services then started to push client-side certs. It was a way to get more revenue, if every person on the internet needed to pay for a certificate, they would make big bucks, lots of points, tons of rupees, etc.

The reality is that no store cares what your name is. All they care is "is the credit card good"? If it is, they will take your money. Client certs solve a problem that very few people have.

If you are running a public store, say competing with Amazon, then by all means, buy a certificate for your store. If not, you can create your own certificate, and sign it yourself, and the SSL protection will stay the same.

You don't need a professional SSL certificate for any technical reason.

Sometimes one is good PR.

greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Rodrigo Soto wrote:and what are the certificates for? I thought the whole purpose was to authenticate a user with valid certificates to have sensible information within the system. Am I wrong?


The whole purpose is to make secure connections, but the devil is in the details. Most SSL sites use certificates only to authenticate the server to the client, and use usernames and passwords to authenticate the client to the server. Since you are writing the client side, you need to know what the server's authentication requirements are. Does your server require client certificates in SSL?
Rodrigo Soto
Greenhorn

Joined: Oct 13, 2009
Posts: 11
greg stark wrote:
Rodrigo Soto wrote:and what are the certificates for? I thought the whole purpose was to authenticate a user with valid certificates to have sensible information within the system. Am I wrong?


The whole purpose is to make secure connections, but the devil is in the details. Most SSL sites use certificates only to authenticate the server to the client, and use usernames and passwords to authenticate the client to the server. Since you are writing the client side, you need to know what the server's authentication requirements are. Does your server require client certificates in SSL?


The Server has a few requirements and one of them is that the connection has to be https over TLS using soap. But first I would like to understand how to do it with no soap messaging and then I think I can figure out how to use the soap message.

Thank you.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
Rodrigo Soto wrote:The Server has a few requirements and one of them is that the connection has to be https over TLS using soap. But first I would like to understand how to do it with no soap messaging and then I think I can figure out how to use the soap message.


You didn't answer @gregg's question. And you are still mixing up terms.

If you use https, then you are using SSL. It's mostly the same as TLS, but it's not meaningful to talk about "https over TLS" as HTTPS is essentially TLS.

Using HTTPS is not usually enough for authentication. Usually the server site expects that you use HTTPS and do a login with some sort of userid and password, or using client-side certs.

I agree that you are right in separating the SOAP stuff from the SSL stuff. It's nearly impossible to debug a connection once it's using SSL. So nice vendors offer an unencrypted connection for testing.
Rodrigo Soto
Greenhorn

Joined: Oct 13, 2009
Posts: 11
Pat Farrell wrote:
You didn't answer @gregg's question. And you are still mixing up terms.

If you use https, then you are using SSL. It's mostly the same as TLS, but it's not meaningful to talk about "https over TLS" as HTTPS is essentially TLS.

Using HTTPS is not usually enough for authentication. Usually the server site expects that you use HTTPS and do a login with some sort of userid and password, or using client-side certs.

I agree that you are right in separating the SOAP stuff from the SSL stuff. It's nearly impossible to debug a connection once it's using SSL. So nice vendors offer an unencrypted connection for testing.


I will have to apologize since I am very new at security issues. This is the requirement as stated by the vendor: "The HTTP connection shall be made using TLS connection and the port shall be configurable. HTTP connections shall require the encryption-option". Hope this helps and that I have answered @gregg's question.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
Rodrigo Soto wrote:This is the requirement as stated from the vendor:"The HTTP connection shall be made using TLS connection and the port shall be configurable. HTTP connections shall require the encryption-option". Hope this helps and that I have answer @gregg's question.


Gregg's question was: "you need to know what the server's authentication requirements are"

which is not addressed by your quoted section. Authentication is in addition to the transport security, which is all that HTTPS, or HTTP+TLS provides.

You have to go back to your vendor and ask them. While you are talking to them, ask for a sample code fragment that you can use for testing. And ask for the specific port that they expect you to use. And ask them if they have a non-TLS testing version.

This all may be as simple as telling the Apache HttpClient to talk to "https://www.somevendor.com:1234"

But you need to get more information.
Rodrigo Soto
Greenhorn

Joined: Oct 13, 2009
Posts: 11
Pat Farrell wrote:
Gregg's question was: " you need to know what the server's authentication requirements are"

which is not addressed by your quoted section. Authentication is in addition to the transport security, which is all that HTTPS, or HTTP+TLS provides.

You have to go back to your vendor and ask them. While you are talking to them, ask for a sample code fragment that you can use for testing. And ask for the specific port that they expect you to use. And ask them if they have a non-TLS testing version.

This all may be as simple as telling the Apache HttpClient to talk to "https://www.somevendor.com:1234"

But you need to get more information.

Well, I have talked to the people providing the service and these are the instructions:

1. Extract your private key and public key.
2. Extract the CA public key.
3. Install these three items per your software.
4. Do NOT install the public keys of all of the other secure nodes/apps
5. Do NOT install the public keys of all of the other secure nodes/apps
6. Do NOT install the public keys of all of the other secure nodes/apps
7. When you make a TLS connection with someone, they will offer their certificate that is signed by the CA. You need to determine if it is signed properly using the public key I have given you.
* If yes, continue with the connection.
* If no, hit the eject button.
This is all they have given. Again, I am a newbie at security; any help is greatly appreciated.
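The vendor's seven steps describe a mutual-TLS client, which is also the "client certificates in SSL" case greg asked about earlier. The following is an added example, written for this thread and not code from the vendor or from any poster, that implements those steps in Java: our private key and certificate go into one PKCS12 keystore (steps 1 and 3), the CA's certificate and nothing else goes into a separate truststore (steps 2 to 6), and the JDK's own `X509TrustManager` does step 7, rejecting any server whose chain is not signed by that CA. The file names `client.p12` and `vendor-ca.p12`, the passwords, the host `www.somevendor.example` and the port `1234` are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client following the vendor's instructions:
 *   1, 3  our private key + certificate live in a PKCS12 keystore (KeyManager: what we present);
 *   2, 3  the CA certificate lives in a separate PKCS12 truststore (TrustManager: whom we accept);
 *   4-6   the truststore holds ONLY the CA, never other nodes' certificates, so a peer is
 *         accepted solely because the CA signed its certificate;
 *   7     during the handshake the JDK verifies the server's chain against that CA and
 *         aborts the connection if the signature does not check out.
 */
public class MutualTlsClient {

    /** Builds an SSLContext from a client keystore and a CA-only truststore (hypothetical files). */
    public static SSLContext buildContext(String keystorePath, char[] keystorePassword,
                                          String truststorePath, char[] truststorePassword)
            throws GeneralSecurityException, IOException {
        // Our own private key and certificate: the identity this client presents.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            keyStore.load(in, keystorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keystorePassword);

        // The vendor CA certificate only. No other node's certificate belongs here.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Because we supply our own TrustManagers, the JVM's default cacerts are not consulted:
        // a certificate from any public CA is rejected, exactly as the vendor wants.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Connects to host:port over the given context; the port is a parameter, so it is configurable. */
    public static int connect(SSLContext ctx, String host, int port, String path) throws IOException {
        URL url = new URL("https", host, port, path);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier: a CA-signed certificate for some other host is still wrong.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(10_000);
        try {
            int status = conn.getResponseCode(); // handshake: server chain verified, our cert sent
            System.out.println("server authenticated as " + conn.getPeerPrincipal());
            return status;
        } catch (SSLHandshakeException e) {
            // Step 7's "eject button": chain not signed by the vendor CA, host-name mismatch,
            // or the server rejected our client certificate. Nothing was sent over the connection.
            System.err.println("TLS handshake rejected: " + e.getMessage());
            throw e;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names, passwords, host and port; replace with the vendor's values.
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "vendor-ca.p12", "changeit".toCharArray());
        int status = connect(ctx, "www.somevendor.example", 1234, "/");
        System.out.println("HTTP " + status);
    }
}
```

The two PKCS12 files are produced once, outside the program: `openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12` packages the key and certificate from steps 1 and 3, and `keytool -importcert -alias vendor-ca -file ca.crt -keystore vendor-ca.p12 -storetype PKCS12` creates a truststore holding just the CA from step 2. Two things to resist when the handshake fails during testing: replacing the TrustManager with one that accepts everything, and switching off host-name verification. Either one turns the vendor's step 7 into "always continue with the connection".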
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
Sorry, I can't make enough sense out of their instructions to help you much. Actually, all of their words make sense, but I'm not seeing how they relate to how you are supposed to code up a program to talk to their server.

I think you need to talk to your vendor's tech support folks.
 