How to Implement 2 Way Authentication using SSL

Every web application needs to be protected. There are different solutions to choose from depending on your requirements and what is feasible: some may choose basic form-based authentication, others may go all the way to OAuth2. In this article we will see how to implement 2 Way Authentication using SSL.

In 2 Way Authentication, also called mutual authentication, the server and the client perform a digital handshake in which the server presents a certificate to authenticate itself to the client and the client presents its own certificate to the server. Only once this handshake succeeds is any further communication allowed.

We will see step by step how to generate self-signed certificates and configure them for our application and the Tomcat server. The image gives you a brief idea of what is meant above.

Software used in this sample

  • Java 1.8
  • Spring Boot 1.5.2.RELEASE
  • Tomcat 8.5

We will use the Java keytool utility to generate our self-signed certificates and store them in Java KeyStore (JKS) files.

Create Self Signed Certificate for Server and Client

As we are using keytool, please check that this utility is available in your environment (it ships with the JDK).

Create a JKS file for the server with the command below on your shell or command prompt. Please make sure to change information such as company and location as per your needs.

Now we need a certificate file that can be distributed to clients as the server's public certificate. Run the command below to extract that certificate. It will ask for the password you supplied above while creating the JKS.

Similar steps need to be followed for the client JKS file and the client public certificate.

For the client certificate

Now we have all the keystores and public certificates. In order for 2 Way Authentication to work we need to make sure that the server recognizes the client's public certificate and the client is aware of the server's certificate, so each side imports the other's certificate into its own keystore as a trusted entry.

At this point we have all our JKS files and certificates ready. We will now configure them in Tomcat 8.5.
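The keytool steps described above, collected into one POSIX shell script. This is an added example, not the article's own commands; the aliases (myserver, myclient), the file names MyClient.jks, MyServer.cer and MyClient.cer, the DN fields and the password "changeit" are assumptions, and the script follows the article in using one JKS per side as both keystore and truststore.

```shell
#!/bin/sh
# Added example, not code from the article: the article's four keytool steps
# collected into one POSIX shell function. Aliases, file names, DN fields and
# the password "changeit" are constructed placeholders; change them for real use.
set -eu

setup_mutual_tls_keystores() {
  pass="${1:-changeit}"   # assumption: one password for store and key (Tomcat's default keyPass)

  # 1. Server key pair in a JKS. The SAN must match the host name the client
  #    connects to, or the Java client's hostname verification rejects the handshake.
  keytool -genkeypair -alias myserver -keyalg RSA -keysize 2048 -validity 365 \
    -keystore MyServer.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
    -dname "CN=localhost, OU=Dev, O=Example Inc, L=City, ST=State, C=US" \
    -ext "SAN=dns:localhost,ip:127.0.0.1"

  # 2. Export the server's public certificate (PEM) for distribution to clients.
  keytool -exportcert -alias myserver -keystore MyServer.jks -storetype JKS \
    -storepass "$pass" -rfc -file MyServer.cer

  # 3. The same two steps for the client.
  keytool -genkeypair -alias myclient -keyalg RSA -keysize 2048 -validity 365 \
    -keystore MyClient.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
    -dname "CN=myclient, OU=Dev, O=Example Inc, L=City, ST=State, C=US"
  keytool -exportcert -alias myclient -keystore MyClient.jks -storetype JKS \
    -storepass "$pass" -rfc -file MyClient.cer

  # 4. Cross-trust: each side imports the other's certificate as a trustedCertEntry.
  #    Assumption, following the article: one JKS per side acts as both keystore
  #    and truststore. A separate truststore file works the same way.
  keytool -importcert -alias myclient -file MyClient.cer -keystore MyServer.jks \
    -storetype JKS -storepass "$pass" -noprompt
  keytool -importcert -alias myserver -file MyServer.cer -keystore MyClient.jks \
    -storetype JKS -storepass "$pass" -noprompt
}

# Count entries of one kind (PrivateKeyEntry or trustedCertEntry) in a keystore:
# a quick check that step 4 landed before touching server.xml.
count_entries() {
  keytool -list -keystore "$1" -storetype JKS -storepass "$3" 2>/dev/null | grep -c "$2"
}

# Entry point: `sh mtls-keystores.sh <password>` runs the procedure in the
# current directory; sourcing the file with no arguments only defines functions.
if [ "$#" -gt 0 ]; then
  setup_mutual_tls_keystores "$1"
  count_entries MyServer.jks trustedCertEntry "$1"
fi
```

The resulting MyServer.jks is the file the Tomcat connector points at through its keystoreFile and truststoreFile attributes, with clientAuth set to true so that the server actually demands a client certificate. Keep the password out of shell history in real use (keytool accepts -storepass:env and -storepass:file).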

Configure Tomcat for SSL

As we need mutual authentication, we must configure Tomcat to request a certificate from every client that wants to communicate with it. This is done by adding a new connector, or updating the existing one, in Tomcat's server.xml. Please make sure you keep a backup of the existing settings and file.

Copy MyServer.jks to an appropriate directory and configure the connector as below.

Restart Tomcat so that the above changes take effect.

Configure Server and Client App for 2 Way Authentication

Server App

For the server application we will have only a simple REST controller, available at the /hello resource.

The server app will be hosted on the Tomcat instance we configured above.

Client App

The client app is also a simple Spring Boot application, which makes a REST call to the server resource hosted above.

Apart from this we need to specify the client JKS (and its password) as JVM system properties. That can be done as follows.

You can see that I have enabled full SSL debug logging, so you will see how the server and client perform the digital handshake. To load the server resource I have added a simple Spring Boot command line runner, as follows.

Results

Regarding the results: if you try to load the URL in a browser it will fail, because the browser does not present a client certificate that the server trusts.

On the other hand, if I run the client, where I am passing the certificate details, I get the correct response.

You can see that I am getting the correct response. The response is sent only after the digital handshake has succeeded. The information the server and client exchange will be visible on the console.

Conclusion

You have successfully implemented 2 Way Authentication using SSL certificates. Please feel free to get back to me if you have any questions. You can download the code from the repository linked below.

Download From Git
