SSL Certificates Configuration

Ranch Hand
Posts: 403
We are developing SOAP-based web services and have finalized that we will secure them using SSL certificates. I have gone through some of the tutorials on SSL certificates. Below are my doubts regarding this:

1. If we have 5 SOAP web service consumers and 1 producer, then how many certificates do we need to use? Will all the consumers have the same certificate, or will each of them use its own unique certificate?

2. What is the difference between Key Store and Trust Store? Where should we install the certificates?

3. There are certificates with different extensions such as pem, p12, cert, etc. What is the difference between these? Which one is the best to use?
Saloon Keeper
Posts: 10498
Certificates are used to determine if the sender of a message really is who they say they are.

Typically it's not necessary for a web service to trust a client, because clients need to authenticate themselves before they can do anything. That means you need one certificate for the web service, and the clients decide whether they trust that web service based on the certificate.

Let's look at that using a silly analogue: William's place is an exclusive members-only club. Christine is looking to spend some of her money there, so she becomes a member and receives a password. When she shows up at the address, the place looks a bit shady, and she doesn't really trust it. When the doorman asks her for her password, she first asks him if this is the right place. He gives her a piece of paper that says the place is the real deal, and at the bottom is the signature of Albert, the owner of Members Only Weekly. Christine recognizes the signature because she's an avid reader, so she decides to trust it. She gives the doorman her password, and he lets her in.

Here, William's is the web service, Christine is the client, and Albert is the certificate authority. Christine trusts William because he has a certificate issued by Albert, and Christine trusts Albert. William trusts Christine, because she has a password to his place.

Christine stores the password on a card in her purse, as well as the keys to her home. This is her KeyStore. She stores the certificate the doorman gave to her with her collection of Members Only Weekly. This is her TrustStore.

After she gets to know William, he recommends another nice place to her, and when she shows up, the doorman there gives her a certificate signed by William. She trusts that place, because she trusts William, because she trusts Albert. This is called a certificate chain.

For the difference between certificate formats, you may check out the answers here: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
Sheriff
Posts: 21783

Stephan van Hulst wrote:Typically it's not necessary for a web service to trust a client, because clients need to authenticate themselves before they can do anything. That means you need one certificate for the web service, and the clients decide whether they trust that web service based on the certificate.


Not necessarily. It's also possible to use the client certificate for authentication. In that case, the client certificate acts like the username/password combination. It's one of the four supported authentication methods in servlets - it's the CLIENT-CERT in BASIC, DIGEST, FORM and CLIENT-CERT.

However, this requires quite a lot more to set up, so I'd only use a server certificate, have all clients use the same certificate and have the clients authenticate themselves in a different way. If you register the certificate at a proper certificate authority (CA) you don't even need to use a trust manager or key manager, it should just work out-of-the-box.
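The two answers above map directly onto the JSSE API: the TrustStore holds the CA (or server) certificate the client decides to trust, and the KeyStore holds the client's own private key and certificate, which is only needed for the CLIENT-CERT variant. The following is an added example, not code from either poster; the file names, passwords and URL are placeholders, and it assumes PKCS12 files built beforehand with keytool or openssl.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public final class SoapTlsContext {

    // Builds an SSLContext for a SOAP client.
    // trustStorePath: PKCS12 file holding the CA or server certificate the client trusts.
    // keyStorePath:   may be null. When present it holds the client's private key and
    //                 certificate, which turns the connection into mutual TLS (CLIENT-CERT).
    public static SSLContext build(String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword)
            throws GeneralSecurityException, IOException {
        // TrustStore -> TrustManager: decides whether the server's certificate chain is accepted.
        KeyStore trustStore = load(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // KeyStore -> KeyManager: presents the client's own certificate when the server asks for it.
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyStore keyStore = load(keyStorePath, keyStorePassword);
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(keyManagers, tmf.getTrustManagers(), null); // null KeyManagers = one-way TLS
        return ctx;
    }

    private static KeyStore load(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // One-way TLS: only the server certificate is verified; the client authenticates otherwise.
        SSLContext ctx = build("client-truststore.p12", "changeit".toCharArray(), null, null);
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://soap.example.invalid/service").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verification stays on
    }
}
```

Passing a keystore path as the third argument is all that changes for CLIENT-CERT; with a publicly trusted CA certificate on the server, the truststore step can be dropped in favour of the JDK's default cacerts, as the second answer notes.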