"Using OpenSSO To Protect Java EE Applications, Part 1: Setting Up X.509 Client Authentication" by Bruno Bonfils and Rick Palkovic is the first part of a two-part tutorial that explains how to use OpenSSO to protect a Java EE application. The example it illustrates grants access -- which requires authentication by a certificate -- to part of an application. The authors assume that readers will already have deployed OpenSSO on GlassFish, JBoss or another application server. The choice of application server makes a difference, as described later in this article.
The first part of the article describes how to set up client-certificate authentication in OpenSSO. The authors present a sequence diagram illustrating the use case the article addresses, in which a user logging in with a password must also be authenticated by a client certificate. They note that X.509 user authentication over HTTPS requires both a server certificate and client certificates, all issued by a Certificate Authority (CA).
The authors weigh the shortcomings of the traditional mechanism for managing revoked certificates, the Certificate Revocation List (CRL), against the real-time status checks of the Online Certificate Status Protocol (OCSP). They also consider the value of the PKI software Enterprise Java Bean Certificate Authority (EJBCA) as a certificate management tool, provide a link from which readers can download the EJBCA installation guide, and then discuss the installation itself.
The authors describe EJBCA as a robust, high-performance, platform-independent, component-based solution that can run stand-alone or be integrated with other Java EE applications. Its features include:
- Support for multiple CAs. For example, you can easily import an existing CA based on OpenSSL.
- Support for CRL (both CRLv2 and Delta CRL) and OCSP.
- Remote API using SOAP.
- Key escrow for private keys used for encryption.
- Native support for Java Key Store (JKS), the file format used by the Java Virtual Machine (JVM) to store certificates and private keys.
Following the installation procedure, the article turns to the three modes for handling client certificates on an HTTPS socket:
- The traditional mode requires only a server certificate. An HTTPS client (typically a web browser) validates the server's identity by checking that the server certificate chains to a Certificate Authority in the client's truststore. You probably use this mode every day when you log in to web sites.
- The second mode requires both client and server certificates: the server validates the client certificate, and the client validates the server certificate.
- The third mode requires a server certificate but makes the client certificate optional.
The authors suggest that readers will want to use the same HTTPS URL whether a user authenticates by password or by certificate. That requires a server that supports the third mode, in which the client certificate is optional. At this writing, the GlassFish application server does not support this mode; fortunately, the Apache Tomcat web server, which OpenSSO supports, is available as an alternative.
The article next takes up certificate creation with the Tomcat web server. This requires creating a keystore, for which the authors outline the procedure, and then creating a new End Entity from the EJBCA Administration web page. Here the authors recommend using the Firefox browser to generate the public/private key pair.
The Tomcat application server used by OpenSSO must then be configured, which involves creating a new HTTPS connector and enabling client certificates on that connection; the authors detail each step. They also cover the OpenSSO configuration, giving the steps needed to create the connector and the authentication chain it requires.
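The three modes above correspond directly to a TLS server's client-authentication setting. The following Go program is an added example, not code from the article or from OpenSSO, Tomcat or EJBCA: it constructs a throwaway CA, server certificate and client certificate in memory (no keystore or EJBCA involved), then runs a loopback TLS handshake in each mode with no client certificate, with a certificate issued by the trusted CA, and with a certificate issued by an unknown CA. Go's tls.NoClientCert, tls.VerifyClientCertIfGiven and tls.RequireAndVerifyClientCert stand in for the traditional, optional and mandatory modes; the certificate names (Example CA, alice, Unknown CA, stranger) and the 127.0.0.1 listener are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert builds an in-memory certificate for subject, signed by issuer or self-signed when
// issuer is nil: a constructed throwaway PKI for this example, not a real keystore or EJBCA.
func newCert(subject string, isCA bool, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // only fails if the local crypto library is broken
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		DNSNames:              []string{"localhost"}, // the name the client verifies the server under
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over loopback TCP with the server in mode auth; clientCert
// (nil = none) is offered whenever the server asks. True means both sides completed it.
func handshake(auth tls.ClientAuthType, server tls.Certificate, clientCert *tls.Certificate, pool *x509.CertPool) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { panic(err) }
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: auth, ClientCAs: pool}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { panic(err) }
		defer conn.Close()
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if clientCert != nil {
		// Offered whenever asked, even if the server's advertised CA list does not cover it:
		// the server, not the client, decides whether a presented certificate is acceptable.
		clientCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { panic(err) }
	defer conn.Close()
	clientErr := tls.Client(conn, clientCfg).Handshake()
	serverErr := <-srvErr // let the server side finish before the socket is closed
	return clientErr == nil && serverErr == nil
}

// Outcome records, for one server mode, which of the three clients got through.
type Outcome struct {
	Mode                                   tls.ClientAuthType
	WithoutCert, TrustedCert, UntrustedCert bool
}

// RunModes issues the throwaway certificates and exercises the three modes: NoClientCert
// (server certificate only), VerifyClientCertIfGiven (optional), RequireAndVerifyClientCert.
func RunModes() []Outcome {
	ca := newCert("Example CA", true, nil)
	server := newCert("localhost", false, &ca)
	client := newCert("alice", false, &ca)
	otherCA := newCert("Unknown CA", true, nil)
	stranger := newCert("stranger", false, &otherCA)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	var out []Outcome
	for _, mode := range []tls.ClientAuthType{tls.NoClientCert, tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		out = append(out, Outcome{
			Mode:          mode,
			WithoutCert:   handshake(mode, server, nil, pool),
			TrustedCert:   handshake(mode, server, &client, pool),
			UntrustedCert: handshake(mode, server, &stranger, pool),
		})
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", RunModes())
}
```

The optional mode is the one the article needs, and the result table shows what it does and does not relax: a client with no certificate is admitted (so the same URL can fall back to password login), but any certificate that is presented is still verified against the server's truststore, and a certificate from an unknown CA is rejected rather than ignored. The example counts a handshake as successful only when both sides report success, because under TLS 1.3 the client finishes its side before the server has examined the client certificate. On Tomcat's HTTPS connector the same three settings are the clientAuth attribute values false, want and true.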
In part 2 of the article, which the authors promise will appear shortly, readers will learn how to protect a Java EE application using different profiles, according to the mechanisms used to authenticate with OpenSSO.
More Information
OpenSSO
Java EE at a Glance