-1

I'm new to SSL and security, and I want to build a Java client for a web service that uses SSL. The server is properly configured to use a two-way SSL configuration, but how do I build the client?

Also, if Spring has anything for this, that would be good.
Thanks in advance.

pavel
monim

2 Answers

0

You don't have to do anything special with the client; just use HTTPS on your request instead of HTTP.

paul
  • That is true, unless you use certificates that are not inside the default JVM keyStore (e.g. self-signed or issued by a company-specific CA), or keypairs for that matter, which most certainly is the case if the OP uses 2 way SSL (the default JVM keystore has no SSL client authentication material as far as I recall). Then, making things work may involve additional steps, such as adding certificates and keys to the default JVM keystore, or building / using specifically configured `SSLSocketFactory` instances. – GPI Jul 21 '14 at 10:48
  • I don't think it is that simple; you have to establish an SSL session and provide your certificate to the server somehow – monim Jul 21 '14 at 11:21
  • The certification is configured on the server side – paul Jul 21 '14 at 11:45
  • Both sides have some configuration to provide when using 2 way SSL. Both clients and servers have a keyStore and a trustStore. First, the server advertises to the client its certificate found in the server KeyStore. The client trustStore is used to validate it. Second, the client sends its own certificate found in the client keystore. The server TrustStore is used to validate it. Setting up trust and key stores is required in *both* server and client for a 2 way SSL handshake to succeed. – GPI Jul 21 '14 at 16:27
0

To get things to work, you have to create a client keystore and truststore, then define an SSLContext with these stores, then instantiate an SSLSocketFactory to produce SSLSockets like this:

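```java
// Imports: javax.net.ssl.*, org.apache.http.conn.ssl.*, org.apache.http.impl.client.*
// keyStore (client certificate + private key), trustStore (CAs for the server
// certificate) and keyPassword are assumed to be loaded already.
SSLContext sslcontext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, keyPassword)
        .loadTrustMaterial(trustStore)
        .build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
        sslcontext, SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);

CloseableHttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(sslsf)
        .build();
// Also use the same context for plain HttpsURLConnection calls.
HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());
```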

You should read this http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html to understand how it works.
Also, this question, "how to write java client and server applications that uses mutual ssl authentication between them?", may be useful.

Community
monim
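
The client-side setup described in the answer and comments above (a keystore holding the client certificate, a truststore for validating the server), written with plain JSSE classes as an added example; it is not code from any of the posters. The class name, the PKCS#12 store format, the command-line argument order and the two environment variable names are assumptions made for this example.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.*;
import java.security.KeyStore;

public class MutualTlsClient {   // hypothetical class name
    // Load a PKCS#12 store (assumed format) from disk.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Key managers present the client certificate; trust managers validate the server's.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword,
                                   KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java MutualTlsClient <https-url> <client.p12> <truststore.p12>
    // Passwords come from the environment (variable names are made up for this example).
    public static void main(String[] args) throws Exception {
        char[] keyPass = System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray();
        char[] trustPass = System.getenv("CLIENT_TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = buildContext(load(args[1], keyPass), keyPass,
                                      load(args[2], trustPass));

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        // Set the factory on this connection only; the JVM-wide default and the
        // default hostname verification are left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

If the server rejects the handshake, running with `-Djavax.net.debug=ssl,handshake` shows whether the client sent a certificate in response to the server's certificate request.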