JDK Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.32, 2006

SSL - Client Authentication


(Continued from previous part...)

Running Client Authentication Programs

With SslReverseEchoerRevised.java and server.jks prepared on the server side, I am ready to start the server program:

>java -cp . SslReverseEchoerRevised server.jks ServerJKS ServerKey

Server socket class: 
   class com.sun.net.ssl.internal.ssl.SSLServerSocketImpl
   Socker address = 0.0.0.0/0.0.0.0
   Socker port = 8888
   Need client authentication = true
   Want client authentication = false
   Use client mode = false

Now switch to the client side, and run the client program:

>java -cp . SslSocketClientRevised client.jks ClientJKS ClientKey

Socket class: class com.sun.net.ssl.internal.ssl.SSLSocketImpl
   Remote address = localhost/127.0.0.1
   Remote port = 8888
   Local socket address = /127.0.0.1:1418
   Local address = /127.0.0.1
   Local port = 1418
   Need client authentication = false
Session class: class com.sun.net.ssl.internal.ssl.SSLSessionImpl
   Cipher suite = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   Protocol = TLSv1
   PeerPrincipal = CN=my.server.com,OU=My Unit,O=My Home,L=My City...
   LocalPrincipal = CN=my.client.com,OU=My Unit,O=My Home,L=My Cit...

Welcome to SSL Reverse Echo Server. Please type in some words.
Client authentication is working!
!gnikrow si noitacitnehtua tneilC
.

Looking at the server side again, you will see messages:

Socket class: class com.sun.net.ssl.internal.ssl.SSLSocketImpl
   Remote address = /127.0.0.1
   Remote port = 1418
   Local socket address = /127.0.0.1:8888
   Local address = /127.0.0.1
   Local port = 8888
   Need client authentication = true
Session class: class com.sun.net.ssl.internal.ssl.SSLSessionImpl
   Cipher suite = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   Protocol = TLSv1
   PeerPrincipal = CN=my.client.com,OU=My Unit,O=My Home,L=My City...
   LocalPrincipal = CN=my.server.com,OU=My Unit,O=My Home,L=My Cit...

Wonderful! Everything worked as I expected. The client program authenticated the server's identity OK, and the server program authenticated the client's identity OK too.

Conclusion

  • SSL server authentication seems to be required by default.
  • SSL client authentication is optional.
  • Client authentication is a mirror process of server authentication.
  • JSSE uses SSLContext and KeyManager to access the "full" certificate on the local side.
  • JSSE uses system properties to supply remote (peer) "public" certificates as trusted, if remote certificates are not issued by recognized certificate authorities.
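
The points above, as an added example that is not the tutorial's SslReverseEchoerRevised.java: a server that reaches its own key through a KeyManager, requires a client certificate, and reports the authenticated peer. The class name, the explicit trust store (used here in place of the system properties), and the restriction to TLS 1.2/1.3 are assumptions of this sketch; it needs Java 11 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example; MutualTlsServerSketch and the trust-store arguments are hypothetical.
// Usage: java MutualTlsServerSketch server.jks <storePass> <keyPass> trusted-clients.jks <trustPass>
public class MutualTlsServerSketch {
    static KeyStore load(String file, char[] pass) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            store.load(in, pass);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Local side: private key plus certificate, reached through a KeyManager.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[0], args[1].toCharArray()), args[2].toCharArray());

        // Peer side: trusted client certificates from an explicit store,
        // instead of the javax.net.ssl.trustStore system properties.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[3], args[4].toCharArray()));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8888)) {
            server.setNeedClientAuth(true);  // "need": no trusted client certificate, no session
            server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});  // assumption: Java 11+
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();  // throws if the client certificate is missing or untrusted
                    System.out.println("PeerPrincipal = " + client.getSession().getPeerPrincipal());
                } catch (SSLException e) {
                    System.out.println("Client rejected: " + e.getMessage());
                }
            }
        }
    }
}
```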


Dr. Herong Yang, updated in 2006