Java Webservice using HTTPS part 1

This article describes how to offer a web service over a secure HTTPS connection. In this first step of securing the connection, the server will accept any client without verifying the client’s identity.

First, a server certificate is needed. For this example we use the keytool program shipped with Java to create a self-signed certificate and store it in a keystore file named server_keystore.ks (keytool prompts for a keystore password and for the information that goes into the certificate):

keytool -genkey -alias webservice -keystore server_keystore.ks

Important: The value used for the CN when creating the certificate must match the host name under which the web service is reached (e.g. localhost or foo.bar.com). The CN is the answer to keytool's first question, "What is your first and last name?".
The key is stored under the alias webservice; this alias is needed again later.

The next step is to configure the server to use HTTPS:

import java.io.FileInputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.xml.ws.Endpoint;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpsServer;
import com.sun.net.httpserver.HttpsConfigurator;

// ...

// bind the HTTPS server to the given interface and port (backlog 0 = system default)
HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(interfaceName, port), 0);
SSLContext sslContext = SSLContext.getInstance("TLS");

// keystore: load the server's private key and certificate created with keytool
char[] keystorePassword = "keystore_password".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("server_keystore.ks"), keystorePassword);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, keystorePassword);

// no trust managers: the server does not verify client identity in this first step
sslContext.init(kmf.getKeyManagers(), null, null);

HttpsConfigurator configurator = new HttpsConfigurator(sslContext);
httpsServer.setHttpsConfigurator(configurator);

// publish the JAX-WS endpoint under /path on the HTTPS server
HttpContext httpContext = httpsServer.createContext("/path");
Endpoint endpoint = Endpoint.create(serviceImpl);
endpoint.publish(httpContext);
// ...
httpsServer.start();

That is all for the server. For the client to be able to connect, the server's certificate must first be exported from the keystore:

keytool -export -alias webservice -keystore server_keystore.ks -file server.cer

This certificate must be imported into the client's truststore (if the file does not exist yet, it is created); keytool prompts for the truststore's password:

keytool -import -alias webservice -keystore client_truststore.ks -file server.cer

For the client to connect to the server, it must be told where to find the truststore. This can be done in two ways. The first is to pass the following Java system properties when launching the client application:

-Djavax.net.ssl.trustStore=client_truststore.ks
-Djavax.net.ssl.trustStorePassword=truststore_password

The second way is to set the properties in the program itself:

// must be set before the first TLS connection is opened, otherwise the default truststore is used
System.setProperty("javax.net.ssl.trustStore", "client_truststore.ks");
System.setProperty("javax.net.ssl.trustStorePassword", "truststore_password");
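The following is an added, self-contained example (not code from the original article) that puts the server setup from above and the client-side truststore configuration together in one runnable class. Instead of a JAX-WS Endpoint it serves a plain HttpHandler on /path, so it compiles against a current JDK without the JAX-WS libraries; and instead of the javax.net.ssl system properties it builds the client's SSLContext from the truststore explicitly with a TrustManagerFactory, which avoids the ordering problem of properties set after the first TLS connection and makes clear that the client trusts only the certificate imported into client_truststore.ks. The file names, passwords, host localhost and port 8443 are assumptions that match the keytool steps above; the certificate's CN must be localhost for the default hostname check of HttpsURLConnection to pass.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class HttpsDemo {

    // Server side: load the server key pair from the keystore created with keytool.
    // Trust managers are null on purpose: in this first step any client is accepted.
    static HttpsServer startServer(String host, int port, String keystorePath,
                                   char[] keystorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, keystorePassword);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        HttpsServer server = HttpsServer.create(new InetSocketAddress(host, port), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        // Plain handler instead of a JAX-WS Endpoint (assumption for this example).
        server.createContext("/path", exchange -> {
            byte[] body = "hello over https".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        return server;
    }

    // Client side: trust only the certificates in the truststore (the exported server.cer).
    // A truststore that does not contain the server's certificate makes get() fail with
    // an SSLHandshakeException, which is the behaviour you want: no silent trust-all.
    static SSLContext clientContext(String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Issue a GET with the client's SSLContext; the default HostnameVerifier still checks
    // that the host in the URL matches the certificate (the CN rule from the article).
    static String get(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        HttpsServer server = startServer("localhost", 8443, "server_keystore.ks",
                                         "keystore_password".toCharArray());
        try {
            SSLContext ctx = clientContext("client_truststore.ks",
                                           "truststore_password".toCharArray());
            System.out.println(get(ctx, "https://localhost:8443/path"));
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with both keystore files from the keytool steps in the working directory (javac HttpsDemo.java && java HttpsDemo). Replacing the truststore with an empty one, or changing the URL host to 127.0.0.1 while the certificate's CN is localhost, makes the client refuse the connection, which is a quick way to confirm that the truststore and the hostname check are actually in effect.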