I have a client <-> server application that uses CORBA for communication. The client application is launched on a client machine using Java Web Start. I need to enable IIOP over SSL for the applications. On the server side, this is easily done by setting the keystore and keystore password in jacorb.properties. I am not sure how to enable SSL on the client side with a javaws launch, as I know very little about Java Web Start.
What are my options for enabling SSL for the javaws client application?
If the client keystore file is placed in the server machine, how should the client application access or retrieve it?
Or can the client application generate a keystore dynamically every time it is launched?
A little history of the application if it might help.
Prior to the upgrade, the client application used custom SSL socket factory classes which retrieved the keystore from the remote server machine. However, for various other reasons, we had to remove these socket factory classes during the JacORB upgrade.
I decided to package the keystore in a jar and access it with JNLP. I wrote a sample program to test it. The code is available on GitHub
https://github.com/KiranMohan/corba-javaws-ssl
In my case, the server has been secured by passing all console access to SSH,
but the client console must remain with Telnet because it is integrated in an application that can't be modified.
Due to incompatibility of protocols I imagine a "proxy" service in order to manage the SSH protocol including authentication and encryption decoding,
that would redirect the shell dialog in plain-text to a local socket (no file transfer or other feature needed).
Any advice about a solution based on a Windows utility (PuTTY, netcat ...) or JEE service development will be welcome.
I can only install something on the Windows client system.
Thx
I have a java process running on a remote server that exposes a SSL configured JMX port using the com.sun.management.jmxremote JVM arguments. The process uses a keystore that contains a self-signed certificate.
I am running Java Mission Control (JMC) on my local machine to connect to this remote JMX port. I have set up JMC with a truststore that has imported the self-signed certificate from the remote keystore. This is all great and I can connect with secured SSL as expected.
I checked the details of the self-signed certificate recently and was surprised to see that it had expired a month ago, as I would have expected to have not been able to connect to the remote process using JMC, but I have been able to connect just fine with no expiration warnings.
I have confirmed that it is indeed using this certificate as when I run JMC without the truststore and try to connect I get a Certificate Path Building Exception. I have also looked at the SSL debug and can see the certificate is used.
Could anyone explain to me why I am still able to establish this connection using an expired certificate? If this process exposed a RESTful service that I connected to in a browser would I expect to not be able to connect or would I just get a warning (or nothing at all like in JMC).
Thanks for your time.
After further investigation I have found that the Trust Manager used by Java Mission Control will accept expired certificates without warning. However, it will prefer a valid certificate over an expired one should both be available. I am not aware whether or not this behavior can be changed.
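Because the connection itself gives no warning, an expiry check has to run against the truststore directly. The following is an added example, not part of the original post; the class name, the `TRUSTSTORE_PASSWORD` environment variable and the 30-day warning window are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example: lists truststore/keystore entries that are expired or close to expiry.
public final class TruststoreExpiryAudit {

    // Returns alias -> finding for every X.509 entry that is expired
    // or whose notAfter falls within warnDays of 'now'.
    static Map<String, String> audit(KeyStore ks, Instant now, long warnDays) throws Exception {
        Map<String, String> findings = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) cert).getNotAfter().toInstant();
            if (notAfter.isBefore(now)) {
                findings.put(alias, "EXPIRED since " + notAfter);
            } else if (Duration.between(now, notAfter).toDays() < warnDays) {
                findings.put(alias, "expires soon: " + notAfter);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // usage: java TruststoreExpiryAudit <truststore file>
        // Password comes from a hypothetical environment variable, not the command line.
        char[] password = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        // KeyStore.getInstance(File, char[]) (Java 9+) detects JKS vs. PKCS12 itself.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), password);
        Map<String, String> findings = audit(ks, Instant.now(), 30);
        findings.forEach((alias, msg) -> System.out.println(alias + ": " + msg));
        // Non-zero exit lets a scheduled job or CI step fail on expired entries.
        boolean expired = findings.values().stream().anyMatch(m -> m.startsWith("EXPIRED"));
        System.exit(expired ? 1 : 0);
    }
}
```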
I have developed a Java application that uses a Signature Pad to capture biometric signatures. The Pad is plugged into the client computers, so I need to run the Java controller on each local machine. To do that we run a JAR that contains a Jetty server. We use the websockets protocol to start the signature process from the browser and to send data to the Jetty server.
The problem: We need to create a certificate for the websocket secure connection and this certificate must be emitted for 127.0.0.1 since the Jetty server is running on the Client local machines.
If I create a self-signed certificate the solution works fine, but some browsers, for example Firefox, do not allow self-signed certs as trusted certs, and I doubt that a CA issues a certificate for 127.0.0.1.
So, what would be the best solution? Keep using the self signed cert? Is there any other way?
If you have admin privileges on the POS terminals, how about adding a line to the HOSTS file like:
127.0.0.1 localhost.mycompany.com
Now you can use a real certificate for localhost.mycompany.com in the server application.
(From How can I establish a secure connection to a websocket on localhost?)
I have a Java application running on Tomcat and the application needs to consume a WCF service that requires client certificate authentication. I have the keystores and truststores configured on the client side and I have confirmed that the request is getting sent to IIS; however, I'm getting an "unauthorized" error message from IIS logs. I'm wondering if there is any specific Tomcat configuration required in order to allow sending a client certificate from the client?
Thanks in advance.
It's the application code that is calling the WCF service, right? In that case, I don't think Tomcat configuration is what you need - Tomcat's SSL configuration is about what SSL authentication happens when browsers and other web clients connect to the Tomcat server and its applications, not about what happens when the applications are themselves clients to other network services. Rather, the application code calling the service needs to use an SSLContext created with the proper keystore, which will need to hold both the private key and certificate presented to the server for client authentication, and the certificates needed to authenticate the certificate presented by the WCF service.
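A sketch of the `SSLContext` setup this answer describes, as an added example that is not code from the original thread. The PKCS12 store type, the file and URL arguments and the two environment variable names are assumptions.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Collections;

// Added example: client-certificate (mutual TLS) call made from application code.
public final class ClientCertCall {

    static KeyStore load(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumed store type
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            ks.load(in, password);
        }
        return ks;
    }

    // The identity store must hold a private key, not only the certificate;
    // without one the client has nothing to present during the handshake.
    static void requireKeyEntry(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return;
        }
        throw new IllegalStateException("keystore has no private key entry");
    }

    static SSLContext build(KeyStore identity, char[] keyPw, KeyStore trusted) throws Exception {
        requireKeyEntry(identity);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);   // client key + certificate sent to the service
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);           // certificates used to verify the service
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ClientCertCall <client.p12> <trust.p12> <https URL of the service>
        char[] keyPw = System.getenv("CLIENT_KS_PASSWORD").toCharArray();   // hypothetical name
        char[] trustPw = System.getenv("TRUST_KS_PASSWORD").toCharArray();  // hypothetical name
        SSLContext ctx = build(load(args[0], keyPw), keyPw, load(args[1], trustPw));
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection, not JVM-wide
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```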
I am really new to Java RMI and developed a small application on it. But to run my server and client I need to execute:
java -Djava.security.policy=client.policy
So what should I do to omit this '-Djava.security.policy=client.policy' command? Or is there any way to implement the security policy in the Java program?
Thanks in advance.
A policy file is required in an RMI application so that the client can connect to the remote server. You also need to implement the SecurityManager in the client as well as in the server. This security manager will allow you to connect to any RMI remote host to which the client is intended to connect. I think the policy file cannot be omitted in RMI. It is required.