
Updated on July 08, 2016.

I have to implement web-service to web-service communication over SSL. The requirement is as follows: we have an application which runs on the Eclipse Virgo server. The application comprises a few OSGi bundles. Currently, when a user enters some data to store, the application accepts it and persists the data to heterogeneous data sources (database, C process using JNI) based on the entities, and this works fine.

Now what I need to achieve is this: the same application will be deployed on multiple servers, and there will be an option in the UI to specify the replication servers (i.e. the servers with the same application running, to which the data needs to be replicated).

For this we plan to create a separate bundle to hold a RESTful web service and move all the persistence logic for saving the data to the heterogeneous data sources there. This REST API will check for the available replication servers and has to pass the same data to the REST service on those servers.

The point to be noted is that we make use of the Spring Security framework to ensure the security of our Java application. Since we don't expose our web services to any third-party applications, all the calls, including the calls to the web service, will use this for authentication and authorization.

We don't do this for load balancing. Each server is independent, and we install the application along with the required software using an installer application. The idea is to use the installer to create and install a self-signed certificate. While installing the application we may not know whether we need to replicate to another server, because not every client of this application needs a replication server. Clients who need to use replication servers must be able to enable and disable one or more replication servers through the Java web application's admin screen at a later stage. From there on, whatever data manipulation occurs on one server needs to be replicated to the other in a bi-directional way.

So my query is: how do we get the public key dynamically and encrypt the request to connect to those replication servers in a bi-directional manner, since it's running over SSL?

I am totally new to the concept of SSL.

Thanks in advance.

Leejoy

1 Answer


If you use certificates issued by a trusted CA you do not need additional configuration. But I guess you're going to use self-signed certificates because you have multiple servers and their use is not public.

Each server requires its own SSL certificate bound to the IP or hostname of the server. I recommend creating a root certificate and an SSL certificate for each server, issued by the root. It is also possible to use a wildcard of the type *.domain.com.

You must include the root certificate in the trust store of the client application to achieve a successful SSL connection. To do so, create a JKS keystore that includes the root certificate and define the trust store as follows:

    // Point the JVM at the truststore holding the root certificate
    System.setProperty("javax.net.ssl.trustStore", "path/to/your/truststore");
    System.setProperty("javax.net.ssl.trustStorePassword", "password");

You can also modify the default truststore at jre/lib/security/cacerts.

If you need details of some step, please comment.

EDITED

To create and distribute your certificate you can evaluate several options:

1) Wildcard certificate *.domain.com

It allows multiple servers sharing the domain to use the same certificate. The certificate would be included in the installer, and the public part in the keystore of the client. A new replication server does not require additional configuration on the client. I think it is not applicable because you probably do not control the DNS of the replication servers.

2) Self-signed certificate without a root CA

Each server generates its own self-signed certificate. Then the client must trust the certificate by including it in the truststore. Normally I would not recommend an automatic download process, because it involves connecting to an insecure source (for now) to obtain the X509 certificate from the SSL connection, opening the truststore and adding the new certificate; but since there is an operator to expressly perform the operation, I think it is feasible.

Check the answer here https://stackoverflow.com/a/37861267/6371459 showing how to create a custom TrustManager to rely on a host. After this, open the truststore file in your server, add the certificate and save it (see Programmatically Import CA trust cert into existing keystore file without using keytool).

3) Self-signed certificate with a root CA

The certificate is created on the client side, but is signed by your PKI (Public Key Infrastructure). The advantage is that your client only needs to include the root CA in the truststore. A new replication server is trusted whenever you use a certificate issued by this root CA.

For safety reasons, you should not include the private key of your CA certificate in the installer. The creation of the certificate will then be more complex. One option is to create the certificate for the new hostname beforehand and send it along with the installer. Another option is to create a PKI infrastructure with a server responsible for signing the certificates.

pedrofb
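An added example (not code from the answer or from the asker's project) of the truststore handling described in options 2 and 3 above: it imports an X.509 certificate, either the root CA or one server's self-signed certificate, into a JKS truststore on disk, and then builds an SSLContext limited to that truststore instead of setting the process-wide javax.net.ssl properties. The file paths, password, alias and replica URL are assumptions.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ReplicationTrust { // hypothetical helper for the replication client's truststore
    /** Adds the X.509 certificate at certPath (root CA, or one server's self-signed cert) to a JKS truststore. */
    public static void importTrustedCert(Path truststore, char[] password, Path certPath, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(truststore)) {
            try (InputStream in = Files.newInputStream(truststore)) { ks.load(in, password); }
        } else {
            ks.load(null, password); // no file yet: start from an empty truststore
        }
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // refuse expired or not-yet-valid certificates
        ks.setCertificateEntry(alias, cert); // trusted-cert entry only; no private key ends up in this file
        try (FileOutputStream out = new FileOutputStream(truststore.toFile())) { ks.store(out, password); }
    }
    /** Builds an SSLContext that trusts only this truststore, leaving the JVM-wide defaults untouched. */
    public static SSLContext sslContextFor(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null KeyManagers: server authentication only
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        Path ts = Paths.get("replication-truststore.jks");      // assumed path
        char[] pw = "changeit".toCharArray();                     // assumed password
        importTrustedCert(ts, pw, Paths.get("root-ca.pem"), "replication-root-ca"); // assumed cert file
        HttpsURLConnection conn = (HttpsURLConnection)
                new java.net.URL("https://replica1.example.internal/rest/replicate").openConnection(); // assumed URL
        conn.setSSLSocketFactory(sslContextFor(ts, pw).getSocketFactory()); // default hostname check stays on
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the hostname verifier is left at its default, a replica's certificate must still match the host it is contacted on, which is why the answer insists on certificates bound to each server's IP or hostname.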
  • Will I be able to do this dynamically? Because we plan to allow the Super Admin user of the application to specify the replication servers through the UI. – Leejoy Jul 08 '16 at 13:09
  • If you include the root CA in the truststore of the frontend server, a new replication will not affect this part. For replicated backends, you need a certificate bound to the IP or hostname of the server that has to be included in the replication process. You need to create a new certificate each time, select one from an available pre-built list, or use a wildcard for all servers. – pedrofb Jul 08 '16 at 13:50
  • Interesting use case. I have explained in detail the options to create or distribute certificates. – pedrofb Jul 11 '16 at 06:44
  • Thank you @pedrofb – Leejoy Jul 12 '16 at 04:22
  • Do you think two-way SSL authentication is possible using client & server certificates? If so, how do we create the server & client certificates? Suppose Server A wants to replicate to Server B; then does Server B have to create both a server & client certificate and pass the client certificate to Server A? Or is Server A's certificate known as the client certificate? – Leejoy Jul 14 '16 at 13:27
  • Yes, it is possible. Server A's certificate is known as the client certificate by Server B. Just include the public part of the certificate in the installer (not the private key), and configure Server B to accept this certificate. If Server B has to accept several client certificates, it would be better to have a root CA. The root CA signs the client certificates, and Server B only has to be configured with the public part of the root CA certificate. – pedrofb Jul 14 '16 at 13:55
  • Thank you for swift response :) @pedrofb – Leejoy Jul 14 '16 at 14:07