How to secure your REST service? Part 2 – Using Certificates for encryption

As we saw in the previous article, a simple BASIC authentication over HTTP can protect your REST web service with a username and password. But since they are transmitted over the wire as Base64 encoded text, anybody could misuse it. Using encryption techniques like SSL, the data being sent on wire could be encrypted.

SSL stands for Secure Socket Layer, and it’s a protocol that does two things:

  1. Encrypts your data, which means no hacker can see what your browser sends to the server nor what the server sends to the browser.
  2. Authenticates your website, which means it tells your browser “This website really is who it claims to be.” For example, that when you type your username and password into your PayPal account, that the website really is PayPal, and not a hacker posing as PayPal.

HTTPS just means “HTTP with SSL.” Just as http:// means “this is a website,” seeing https:// means “this is a website, and it’s using SSL to encrypt data and authenticate the website.

In order to enable SSL, we need a certificate which is either self-signed or signed by an external Certificate Authority like Verisign, Thawte, etc.. For testing purposes, let us create a self-signed certificate. For more details on SSL & Certificates, check Tomcat SSL Configuration How-To.

How to create a self-signed certificate?

"%JAVA_HOME%\bin"\keytool -genkeypair -alias fig -keyalg RSA -keypass fig_store_pass -storepass fig_store_pass -keystore C:\Fig\fig.keystore

After answering a few more questions about your name, organization, etc., the self-signed certificate named ‘fig.keystore’ is created.

Note that the keypass and storepass passwords should be same. Otherwise, you get the following error “java.io.IOException: Cannot recover key“.

Verify if the certificate is created properly by this command.

"%JAVA_HOME%\bin"\keytool -list -keystore C:\Fig\fig.keystore

<Enter storepass password from above command to list entries in the given keystore>

How to enable SSL in Tomcat?

Uncomment the below line in $TOMCAT_HOME/conf/server.xml and add the keystore file location and password.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS" 
 keystoreFile="C:\Fig\fig.keystore"
 keystorePass="fig_store_pass" />

Also change the <transport-guarantee> value in web.xml to CONFIDENTIAL.

Now if you access the url in a browser, you will be asked for username and password. This is because of the BASIC authentication enabled in Tomcat. You may notice a crossed icon appear before the https protocol. This is because the server runs with a self-signed certificate and browser is warning the client that the server may not be whom it claims it is. In production environment, you should consider getting a signed certificate from trusted Certificate Authorities like Verisign or sign it with your own CA server.

Even if you try accessing the url via http protocol, you will be automatically redirected to https port.

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

Pros & Cons

(+): Using certificates is the most secure way of communicating between client and server.
(-): Involves more work to create and set up certificates and at times expensive. User credentials are stored in the server in plain text which could be potentially compromised.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s