Working With Digital Certificates

2h 6m

This course takes an in-depth look at security in Java Enterprise Edition. We'll cover a wide range of topics as listed below. Finally, we'll round off the course by taking a look at some example exam questions similar to those you can expect to find on the Oracle Certified Java EE exams.

Learning Objectives

  • Understand the fundamentals of security in Java EE
  • Learn the following concepts and features:
    • Securing GlassFish server
    • Working with users, groups, and roles
    • SSL
    • Securing your web applications
    • Securing enterprise beans
    • Digital certificates
    • Security architecture
    • Security threats
    • And much more...

Intended Audience

This course is intended for anyone who already has basic knowledge of Java and now wants to learn about Java Enterprise Edition.


Basic knowledge of Java programming


Working with digital certificates. Digital certificates for the GlassFish server have already been generated and can be found in the directory domain-dir/config. We can locate this folder like this. These digital certificates are self-signed and are intended for use in a development environment. They are not intended for production purposes. For production purposes, generate your own certificates and have them signed by a certificate authority (CA).

To use the Secure Sockets Layer (SSL), an application or web server must have an associated certificate for each external interface or IP address that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a digital driver's license for an internet address. The certificate states which company the site is associated with, along with some basic contact information about the site owner or administrator. The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge.

For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known CA such as Verisign or Thawte. If your server certificate is self-signed, you must install it in the GlassFish server keystore file. That file is keystore.jks. If your client certificate is self-signed, you should install it in the GlassFish server truststore file. That file is cacerts.jks.

Sometimes authentication is not really a concern. For example, an administrator might simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection. In such cases, you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate.

SSL uses public-key cryptography, which is based on key pairs. Key pairs contain one public key and one private key. Data encrypted with one key can be decrypted only with the other key of the pair.

This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts it by using its private key. The encrypted value is called a digital signature. The client decrypts the encrypted value by using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic because only the private key could have been used to produce such a signature.

Digital certificates are used with HTTPS to authenticate web clients. The HTTPS service of most web servers will not run unless a digital certificate has been installed. A tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the JDK. This tool enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (whereby the user authenticates himself or herself to other users or services) or in data integrity and authentication services, using digital signatures. The tool also allows users to cache the public keys, in the form of certificates, of their communicating peers.

Creating a server certificate. A server certificate has already been created for the GlassFish server and can be found in the domain-dir/config/ directory. The server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates.

If necessary, you can use keytool to generate certificates. The keytool utility stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or server. Typically, a keystore is a file that contains one client's or one server's identity. The keystore protects private keys by using a password. If you don't specify a directory when specifying the keystore file name, the keystores are created in the directory from which the keytool command is run. This can be the directory where the application resides or it can be a directory common to many applications.

The general steps for creating a server certificate are as follows:

  1. Create the keystore.
  2. Export the certificate from the keystore.
  3. Sign the certificate. An authorized company can sign your certificate, or you can sign it yourself using the OpenSSL tool.
  4. Import the certificate into a truststore, a repository of certificates from parties with which you expect to communicate, or from certificate authorities that you trust to identify parties.

The truststore is used by the client to verify the certificate that is sent by the server. A truststore typically contains more than one certificate.
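The four steps above carried out with keytool, as an added example that is not part of the course material. It assumes a throwaway development CA kept in its own keystore (standing in for a commercial CA or OpenSSL); the aliases, file names, distinguished names and password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Aliases, file names, DNs and PASS are constructed placeholders.
set -eu
PASS=changeit-demo

make_server_cert() {   # $1 = output directory, $2 = host name for the certificate
  d=$1; host=$2
  # Step 1: create the keystore with the server key pair (self-signed at first),
  # plus a throwaway development CA standing in for a commercial one.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=$host, O=Example Dev" \
    -keystore "$d/keystore.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -genkeypair -alias devca -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=Example Dev CA" -ext bc:c=ca:true \
    -keystore "$d/dev-ca.jks" -storepass "$PASS" -keypass "$PASS"
  # Step 2: export. The CA certificate leaves as PEM; the server's public key
  # leaves as a signing request. Private keys never leave their keystores.
  keytool -exportcert -rfc -alias devca -file "$d/dev-ca.pem" \
    -keystore "$d/dev-ca.jks" -storepass "$PASS"
  keytool -certreq -alias server -file "$d/server.csr" \
    -keystore "$d/keystore.jks" -storepass "$PASS" -keypass "$PASS"
  # Step 3: the CA signs the request, binding the host name as a SAN.
  keytool -gencert -rfc -alias devca -validity 90 -ext "san=dns:$host" \
    -infile "$d/server.csr" -outfile "$d/server.pem" \
    -keystore "$d/dev-ca.jks" -storepass "$PASS" -keypass "$PASS"
  # Install the reply: CA certificate first so keytool can build the chain.
  keytool -importcert -noprompt -alias devca -file "$d/dev-ca.pem" \
    -keystore "$d/keystore.jks" -storepass "$PASS"
  keytool -importcert -alias server -file "$d/server.pem" \
    -keystore "$d/keystore.jks" -storepass "$PASS" -keypass "$PASS"
  # Step 4: the client's truststore gets only the CA certificate.
  keytool -importcert -noprompt -alias devca -file "$d/dev-ca.pem" \
    -keystore "$d/cacerts.jks" -storepass "$PASS"
}

chain_length() {       # certificates in the server entry: 1 = self-signed, 2 = CA-signed
  keytool -list -rfc -alias server -keystore "$1/keystore.jks" -storepass "$PASS" \
    | grep -c 'BEGIN CERTIFICATE'
}

# Usage: d=$(mktemp -d); make_server_cert "$d" localhost; chain_length "$d"
```

The reply import in step 3 deliberately omits `-noprompt`, so a signed certificate that does not chain to a CA already trusted in the keystore stops the run instead of being accepted silently.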


About the Author

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.
