Java App and SSL

A Farroll
Greenhorn

Joined: Oct 26, 2012
Posts: 23
Hi All,

I have a Java project that is complete and working well which runs on a Windows server with Apache Tomcat. Recently it was decided to implement an SSL certificate on one of the servers that holds a SQL Server database which the application interrogates. What impact will this have and what action do I need to take if any to ensure the application still works?

Thanks in advance. All help is appreciated as I am still learning Java. If this is the incorrect Forum Topic for my question I apologise.

Regards

A Farroll
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41621
    
By "implement an SSL certificate" I assume you mean that it is installed so that the Tomcat will use it? In the best case you don't need to change anything about the application - it should simply be accessible through two different ports using HTTP and HTTPS.

There are a couple of things that you may want to do, though. For example, ensuring that the login and other sensitive data happens exclusively over HTTPS. Or ensuring that you have no hardcoded links to use HTTP - once a user has switched to HTTPS, you generally want to keep using HTTPS for his session.


Ping & DNS - my free Android networking tools app
A Farroll
Greenhorn

Joined: Oct 26, 2012
Posts: 23
Ulf Dittmer wrote: By "implement an SSL certificate" I assume you mean that it is installed so that the Tomcat will use it? In the best case you don't need to change anything about the application - it should simply be accessible through two different ports using HTTP and HTTPS.

There are a couple of things that you may want to do, though. For example, ensuring that the login and other sensitive data happens exclusively over HTTPS. Or ensuring that you have no hardcoded links to use HTTP - once a user has switched to HTTPS, you generally want to keep using HTTPS for his session.


Hi Ulf.

Thanks for prompt response. Yes, the certificate has been received from a certificate authority and we intend to install it on the server that will run our Live application using Tomcat. That's good news that I don't need to change any Java code.

Could you elaborate on the other points that you say I may want to do please. The Java application has NO hardcoded links to URLs etc. But what about "ensuring that the login and other sensitive data happens exclusively over HTTPS"?

Thanks again

Regards

A Farroll
Joe Areeda
Ranch Hand

Joined: Apr 15, 2011
Posts: 316
    

I too am a bit confused about what "implementing an SSL certificate" actually means.

Ulf's reply is one interpretation. My guess is that you want SSL for the communication with the mysql database.

If that's the case you have to configure the JDBC driver to use SSL. A quick search turned up this how-to http://www.razorsql.com/articles/mysql_ssl_jdbc.html

Joe


It's not what your program can do, it's what your users do with the program.
A Farroll
Greenhorn

Joined: Oct 26, 2012
Posts: 23
Joe Areeda wrote: I too am a bit confused about what "implementing an SSL certificate" actually means.

Ulf's reply is one interpretation. My guess is that you want SSL for the communication with the mysql database.

If that's the case you have to configure the JDBC driver to use SSL. A quick search turned up this how-to http://www.razorsql.com/articles/mysql_ssl_jdbc.html

Joe


Thanks for response Joe. It is to allow communication from the Java application to a Microsoft SQL Server database on another server. The application uses Hibernate and JNDI in Tomcat to connect to the SQL Server database.

Thanks for any further assistance.

Regards

A Farroll
Joe Areeda
Ranch Hand

Joined: Apr 15, 2011
Posts: 316
    

My approach is a bit different so I may be able to help with concepts but not with implementation details.

It seems like you have 2 machines with 2 separate certificates. Let's be clear on what SSL does for you: A) It provides the client with some level of trust that the server is who it purports to be and B) it encrypts data over the wire making it harder to eavesdrop on the transmission.

One machine runs a mysql server and provides database services to your web server and possibly other machines. The other is a web server which runs Tomcat.

I use lower level JDBC objects to communicate with the mysql server. I assume JNDI has a similar configuration to require SSL when connecting to the mysql server but I'm not sure how it's done.

In my case I run Apache to handle load balancing and Shibboleth authentication/authorization so I handle the https requirements in the Apache configuration. The way that's done is port 80 is open and available but all it does is redirect you to the https port (443). There are often long discussions on whether a 302 redirect is better or worse than a mod_rewrite. Both work most of the time. I find the redirects easier but I have no objections for people who prefer rewrites.

I'm not sure how you do that when Tomcat is acting as the web server and container. I prefer not to close port 80 so users don't have to remember to put https:// in front of the url.

So in summary:

I believe there is some code modification to securely communicate with a mysql server. For JDBC it's a simple option added to the connection uri. I assume Hibernate/JNDI has a similar requirement.

For the webserver, everything is done in the server configuration files with the caveat Ulf mentioned that any links you provide internally or on web pages you produce should specify https if they are fully qualified. It's one thing to redirect people on their first page and quite another to do it on every page.

Sorry I couldn't be more specific.

Joe
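
Added example (not from any poster in this thread): for the case left open above, where Tomcat itself is the web server, a `CONFIDENTIAL` transport guarantee in `web.xml` makes Tomcat redirect plain-HTTP requests to the connector's `redirectPort`, which also covers the earlier point about keeping logins and sessions on HTTPS. The resource name, port numbers and cookie settings are illustrative assumptions.

```xml
<!-- WEB-INF/web.xml (constructed example): require TLS for every URL
     of the application, not only the login page, so a session that
     started on HTTPS never falls back to HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>entire-application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a request arriving over plain HTTP is answered
         with a redirect to the HTTPS port instead of being served. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Servlet 3.0+: mark the session cookie Secure so the browser never
     sends it over HTTP, and HttpOnly so page scripts cannot read it. -->
<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

<!-- conf/server.xml: port 80 stays open, as preferred in the post above,
     so users need not type https://. redirectPort must match the port of
     the HTTPS connector, whose certificate attributes depend on the
     Tomcat version and are not shown here. -->
<Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
```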
A Farroll
Greenhorn

Joined: Oct 26, 2012
Posts: 23
Hi,

Thanks again for response Joe. I am no Java, Tomcat or SSL guru so bear with me and I apologise if some of my statements are somewhat ambiguous (was previously involved in Unix scripting projects and handed this Java project from former colleague! Although enjoying Java so far).

Yes, the set up is that we have a server running Microsoft SQL Server database that has an SSL certificate installed and I have a Java application running on another server with Tomcat and have been given an SSL certificate that pairs up with the SSL certificate on the database server. I need to install the SSL certificate on the Java application\Tomcat server to allow it to communicate with the database server. The connection between the Java application\Tomcat and the database is done using JNDI\Hibernate.

Basically what do I have to do once I install the SSL certificate on the Java\Tomcat server?

Thanks again

A Farroll
Joe Areeda
Ranch Hand

Joined: Apr 15, 2011
Posts: 316
    

I'm confused again (not an unusual situation for me).

A little searching produced this link on using mysql with ssl: mysql using ssl command options

I'm not sure what the "SSL certificate that pairs up with the SSL certificate on the database server" means exactly. I'm guessing but I think they used a self-signed certificate on the server side and this is the CA cert, as that is what I would do.

If that's the case see: Oracle's importing a certificate as a trusted certificate

Remember, at least in most cases, SSL gives the client some trust that the server is who they say they are. As far as I know it's not used to give the server information about the client. Mysql uses one of their login options to do that part. The first link above says how to require a secure connection from a client.

Just to be clear you are using SSL for the back end communications with the database and are not using it for browsers connecting to the server. That's a different issue, and if the mysql server's certificate was signed by a well known authority you shouldn't have to do anything to use it.

I suggest you clarify how the cert they gave you for your server is to be used.

Joe
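
Added example (not from any poster in this thread): for the setup the original poster describes (Tomcat JNDI plus Hibernate talking to Microsoft SQL Server), a `Resource` definition for the Microsoft JDBC driver that both encrypts the connection and verifies the server certificate against an imported CA certificate, with the encrypt-only variant shown in a comment for contrast. Host name, database name, JNDI name, file paths, alias and credentials are placeholders.

```xml
<!-- META-INF/context.xml (constructed example)

     Step 1, done once on the Tomcat host: import the certificate that
     was handed over into a dedicated trust store, for example
       keytool -importcert -alias sqlserver-ca -file db-ca.cer
               -keystore C:/tomcat/conf/db-truststore.jks

     Weak variant, for contrast only. The traffic is encrypted, but
     trustServerCertificate=true tells the driver to skip certificate
     validation, so the client has no assurance about which server it
     is talking to:
       url="jdbc:sqlserver://db.example.internal:1433;databaseName=appdb;encrypt=true;trustServerCertificate=true"
-->

<!-- Corrected variant: encrypt, validate the certificate chain against
     the trust store from step 1, and check the host name in the
     certificate. -->
<Resource name="jdbc/AppDB"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
          url="jdbc:sqlserver://db.example.internal:1433;databaseName=appdb;encrypt=true;trustServerCertificate=false;hostNameInCertificate=db.example.internal;trustStore=C:/tomcat/conf/db-truststore.jks;trustStorePassword=CHANGE_ME"
          username="app_user"
          password="CHANGE_ME" />

<!-- Hibernate keeps looking up the same JNDI name
     (java:comp/env/jdbc/AppDB), so the change is confined to this
     connection URL and the application code stays as it is. -->
```

If the server certificate was issued by a CA already present in the JVM's default trust store, the `trustStore` and `trustStorePassword` properties can be omitted and validation still takes place.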
 