Java Reference
In-Depth Information
Sometimes, authentication is not really a concern. For example, an administrator might simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection. In such cases, you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate.
SSL uses public-key cryptography, which is based on key pairs. Key pairs contain one public key and one private key. Data encrypted with one key can be decrypted only with the other key of the pair. This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts it by using its private key. The encrypted value is called a digital signature. The client decrypts the encrypted value by using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic, because only the private key could have been used to produce such a signature.
Digital certificates are used with HTTPS to authenticate web clients. The HTTPS service of most web servers will not run unless a digital certificate has been installed. Use the procedure outlined in the next section to set up a digital certificate that can be used by your application or web server to enable SSL.
One tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the JDK. This tool enables users to administer their own public/private key pairs and associated certificates for use in self-authentication, whereby the user authenticates himself or herself to other users or services, or data integrity and authentication services, using digital signatures. The tool also allows users to cache the public keys, in the form of certificates, of their communicating peers.
Creating a Server Certificate
A server certificate has already been created for the GlassFish Server and can be found in the domain-dir/config/ directory. The server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates.
If necessary, you can use keytool to generate certificates. The keytool utility stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore is a file that contains one client's or one server's identity. The keystore protects private keys by using a password.