Servoy and SSL: securing your web applications
Hello and welcome to another Servoy tech webinar. Today's topic is going to be SSL Quick Start. We're going to talk about how to enable SSL, specifically for the NG client. And as always, if you have questions, there is the questions panel; enter them there, and at the end of the webinar we will do our best to answer those questions. And with us, as always, is our fearless guru, Sean, who I will now hand the webinar over to. Good morning, Sean. Thanks. Good morning, Steve. Thank you. I think it's the second day of spring, but we got a snowstorm here. And we're getting rain here in California. Yeah, it's not on schedule. We did announce the topic at the last webinar; we're trying to announce them in advance. And the last one we had announced was going to be sort of tuning the application server. But we got some questions and some things coming in about setting up SSL. And I already have a typo on the first slide. It should be SSL, not SL. I swear everywhere else I say SSL it'll be spelled correctly. And so I figured, you know, when I see a question once or twice, maybe that's a good indicator that that's a good topic for the webinars. So today we're going to do just a bit of a quick start about SSL. It can be a big topic, but we'll try to condense it down into something which can also be demoed. So what I have on tap here for the demo is we're going to set up Apache Tomcat with HTTPS and SSL using a self-signed certificate. Now that's not normally something you want to do for production purposes, but it demos more easily. But there are real use cases for doing this. One would be just for internal applications where you're not really hitting a domain which would be registered, or for just testing locally. So afterwards we'll do an overview of what we did, and we'll do a few slides about, you know, doing SSL in production, since I'm not really showing you the in-production setup. So let's jump over to my demo.
I have here set up Apache Tomcat running just locally on port 8081, and as you can see I am not accessing it over HTTPS; it's as you would normally get it when you open the box, unencrypted. So what we're going to do for the first step is to generate a self-signed certificate and then install it, and try to access this website, which normally, you know, would include all of your Servoy solutions, over HTTPS. So the first step would be to generate a self-signed certificate. Fortunately, the Java runtime that you will have if you're running Tomcat or Servoy comes with a tool called keytool, and it's located in the bin directory of the Java runtime. So you can do a few things related to just managing certificates and keystores, but one thing it can do is generate a key. So if you enter in this command, the genkey command, and it's recommended to use the RSA algorithm, you can generate a key pair in a keystore that you can use to do the encryption. Now I've added an extra argument on the end, the -ext SAN argument, and that SAN stands for Subject Alternative Name; it's when you want to specify multiple, like, subdomains or something. So it has a real-world application, but I'm actually using this to get around a bug that I discovered in Chrome, where it likes to warn you when that's not specified in a certificate. So that's just why that last argument is there. Once you start this, it's going to ask you for a password for your keystore; of course you have to enter it twice. Then it's going to ask you some things about your organization. So I'll just put in some information here. We'll be in Amsterdam today. And that's it. And then, oh, this should be IP, not DNS. It would be DNS if it was like example.com. Sean, are you also missing the name of the keystore? Let's see, that argument. It's true. It'll generate a default name, like .keystore. Thank you. Yeah.
So let me go through this again. That looks correct, and it would ask me for the password for the keystore. It's the same. That also gives a recommendation here that you change the format of your keystore to a non-proprietary, non-Java format. That doesn't matter, because we're just giving this to Tomcat and it understands this format. It doesn't have anything to do with the certificate itself. So if you get that warning, don't worry about it. You don't have to do it. If you do do it, it doesn't matter; it'll still work. So if we look in the file explorer here, it generated the keystore file in my user directory, because that's the working directory that I'm in. So you can see that it's this .keystore file. Depending on your setup, it may put it in a different place. So I'm going to copy this and bring it into my Tomcat installation. And I'm going to go right into the configuration folder and put it in there. And the next thing that I'm going to want to do is edit the Tomcat server.xml file. And I'm going to configure a connector for SSL HTTP. Now, usually Tomcat will ship this file with a bunch of stuff commented out, so it makes it quite convenient to just sort of uncomment stuff and then edit it to make it your own. So I'm going to uncomment one of these blocks. This is about the connector port for SSL. There's a couple of implementations. There's the NIO protocol, and there's also the NIO2 protocol. This is the one that has been around longer, and I think it works just fine. And the things you'll have to put in here will be the actual path to your keystore file, and that's relative to your Tomcat installation, and of course the password. And then when I save this, Tomcat should start to allow me to connect on this port with HTML, with HTTPS. I can test that in the browser by putting in 8443.
And you can see that, although I get a warning here, it has actually now opened up that port for me to use HTTPS traffic. The reason that I get this warning, and any browser will do this, is because the certificate is self-signed. It's really not meant for production, and no browser will trust it, because it's not signed by a certification authority, so one of these companies that will verify that you are who you say you are, that your domain is what you say it is. So this is expected when you use a self-signed certificate, and we're going to take some steps to get around that in just a minute. The next thing that I would want to do, though: I had to type in this port, and if I were to go back to the unencrypted version here, then I'm still allowed to access it. So I have now two ways to access it; one is the regular way, the other way is over HTTPS. And of course what you want to do is you want to force most traffic to HTTPS. So if we go back to our Tomcat installation directory and go to the web.xml file, what we want to do is add what's called a security constraint. That doesn't look right. We want to add a security constraint, and I have something down here commented out. So I'm going to uncomment that and I'll sort of explain it to you here. So this first part is just saying that we want to require HTTPS only, and the URL pattern is for everything. So everything requires HTTPS. Then down below, I add another constraint which says I can do both HTTPS or HTTP, and, you know, we put in some patterns. So okay, you can access these folders or something without HTTPS. It's common that you might want to do that for certain data types or certain paths. So after we add this and we save it, I think I have to restart Tomcat, but let me just try it without. If I now reload this... I know it works. I didn't have to restart Tomcat. So you can see that now by trying to access, you know, localhost...
So if you have a security constraint, you have to go over HTTPS, and it routed me to the HTTPS connector port. So now the website or the application is secure and it forces everything over HTTPS. So the next step would be how do we get around the fact that the browser is warning. Obviously the first thing you could do is you could go here and say I just want to go forward, you know, and then it's unsafe. What will happen is it'll let you in. But you always have this warning up here that says it's not secure. So what I can do is install my certificate as something that my browser is going to trust, and then it will no longer warn me about this. So the way that I do this: you can actually access the certificate right here, at least in Chrome, by clicking up here, and then you can look at the certificate this way. Another way you can do it is if you're using developer tools. You can go, oops, bring up your developer tools and go to the Security tab, and it'll give you more information about the certificate, things that it likes, things that it doesn't like. There may be multiple errors that it sees. In this case the primary error is that the certification authority is invalid. It doesn't trust it. That's not the first way to be able to get to the certificate for the application. So if you click here you can do certificate and access it that way. Now what we want to do is export the certificate into a format that we can import into Chrome and tell it to trust it. So if you go to the details and click copy to file and walk through the process here, you want to pick the... just browse to a location where you want to save it. I had already saved it out once before, so I'll overwrite that. Okay, and then the next thing that I want to do is go to my Chrome settings. And if you search your Chrome settings for certificates, you find this Manage certificates; if you don't search, you go to Advanced and scroll farther down and you can find it.
And if you click this dialog, you get information about all the certificates that your browser trusts by default. And it's really in here, the trusted root certification authorities. So this is the reason why your browser doesn't just trust any old certificate that the server is serving up. It needs to take a look at that certificate and say, is it signed by someone that I trust? So what we want to do is add ourselves to that list. So we're going to click the Import button and browse to that file. And then the next thing is important. It will give you an option of sort of where you want to import it to. And it may default to this Personal, which won't really have any effect. You really want to make sure that it's Trusted Root Certification Authorities. That'll put it in that whitelist. When you finish, it'll give you a warning, because it's saying hey, you really added something; you know, you really have to make sure that you trust this, we can't verify this for you. That's okay. And then I'm going to try this one more time. I think you have to restart the browser. I don't know why it's stuck there. Try that again. And so now I try to access it. It forces me over SSL and now it likes the certificate. So, of course, this is a burden on the person who's accessing it, because they have to set this up. So again, this would be for testing purposes or internal applications; you wouldn't want to deploy this in the wild, because none of your customers are going to accept it by default, unless you train them to do this on every browser that they're going to use. But those are the basic steps. Let's do a quick recap. I've got to bring up my presentation again because I closed it. And let's just run through sort of what we just saw, and we'll also talk about SSL in production. So the first thing we did is we generated that self-signed certificate using the Java keytool that's distributed by default with any Java runtime.
And you can just bring that up through the command line. So I did add that one extra argument there, which I have highlighted in yellow; that's to work around a Chrome warning. It doesn't like it if your certificate doesn't have alternative names. And I put in the IP address, you know, the localhost IP address, and then it likes it. And the next thing you want to do is configure Tomcat, and this step is important, because even in production with a real certificate signed by a real certification authority, you're going to have to set up Tomcat to serve up that certificate, encrypted. So you just make an entry in the server.xml file in the Tomcat configuration directory. And you want to make sure you reference that keystore that you generated with the self-signed certificate, or the certificate that you got from a certification authority. The other thing I did was I edited the web.xml file and I added the security constraint which forces all traffic over HTTPS. It's that HTTPS-only parameter there that specifies that; the one below it is the URL pattern that you want to enforce that for, and I did slash star, so that's everything. And in the other example I also overrode it with some other patterns that didn't have to do HTTPS, so you have some nuance there that you can do. Of course that worked, but then the browser doesn't accept it because it's not trusted, so you can configure your browser to accept self-signed certificates. You can also do this on... if you're using a Microsoft browser, you can do it sort of on the operating-system level for the default browser, and it will work the same way; the process is similar but a little bit different. I showed this on Chrome. Basically you want to take the certificate, view it, export it to a file, and then you want to import it back into the browser as a trusted root certification authority, so then once you...
And then it'll actually show up in that list, and you can look at the information about the certificate, and it'll always like that certificate. You've got to restart Chrome, but then the warnings should go away. In terms of how to do this for production: it was more difficult to demonstrate doing a production certificate, which is why we did a self-signed certificate. So normally what you would do is you would obtain a commercial certificate from a real certification authority, or you would create a certificate signing request with an existing key pair and then they would sign it. And what those organizations do is they prove that you really control the domain, that you are who you say you are. You don't have that otherwise; the browsers, you know, aren't checking that, and that's how those man-in-the-middle attacks happen, where you think you're talking to Facebook but you're really talking to some shadow server that's, you know, skimming all your information or something. These commercial certificates generally cost a few hundred to a few thousand dollars, and they come with different bells and whistles and things. The good news is that there are free options available. The technology is really nothing sophisticated, so really these are, you know, trusted authorities, and that's what you're paying for; you're paying because the browsers already trust them. But there is a free option. letsencrypt.org is a newer organization, and it's a non-profit organization that's just there to support the proliferation of, you know, secure websites. And the way it works is it's a trusted certification authority, it's in that list that your browser likes, and they have a setup where you can automate the certification process. So it works over something called the ACME protocol, which is a communication protocol between the certification authorities and web servers that want to use certificates to do encrypted transport.
And what it will do is it will automate the process of deploying the public key infrastructure. So basically you put a piece of agent software like certbot on the web server that's your domain, and what it'll do is it'll generate a private key, and then Let's Encrypt will try to talk to it and verify it is who it says it is, and then it'll generate the public portion of that and sign it. And, you know, I don't want to get into the details, but it basically automates the process of getting that certificate. At the end of the whole process, when your agent runs, it'll end up with a certificate file that you can then stick, you know, in Tomcat and configure. So once you get that file, the process is the same. And you don't have to do anything different, except you might have to add the keystore type to the configuration. So most of the certification authorities issue a .pfx file. And it used to be, in the old days, you had to get that file and import it into a Java keystore, which required the keytool command again or some other sort of certificate management tool, but nowadays, I think from Tomcat 8.5 (I heard) and above, you can just reference a .pfx file directly; just specify the keystore type and it knows how to read that. And then from there the process is the same, and you don't have to, of course, do anything to your browser to get it to accept it; it already likes the certification authority. So that's pretty much the quick start overview. Steve, do we have any questions? We do, but I wanted to make one comment. I've had to do this several dozen times with different servers, and one resource that I always found very valuable is the Servoy wiki. There is actually a tutorial there called Creating a Keystore with a Signed Certificate, and it walks through a lot of these procedures that we just did, but it also includes...
...how you can actually authorize a self-signed certificate with a trusted third-party certificate authority, and it's really good because it goes through the procedure of not only creating the self-signed certificate, but then using that to create a certificate signing request, which is generally required when you're purchasing an SSL certificate online. And if you want, I can probably put that in the chat here. I don't know if anybody can see that, but there's a link in the chat; it's wiki.servoy.com/display/tutorials, and then you'll see at the very top there's a link to the Creating a Keystore tutorial. And I've always found that very helpful, not only for enabling HTTPS but also enabling SSL, just because for the few times that I have to do this, I never can remember all of the steps that are involved, and so it's nice to have a pretty clear guide on how to do that. So with that said, there is one question from Thomas: this was all Chrome; does it also work in Firefox? Yeah, the same process works in Firefox, and in fact Firefox doesn't have that bug about wanting the certificate to have that subject alternative name, so you can leave that argument out; that was for Chrome. So if you're going to have a certificate and a bug or something... and I don't know if it's a bug or a policy that they have, but it's annoying. I know it might... Most browsers do have some way to be able to manage certificates, either by clicking on the little certificate icon just to the left of the URL itself, and then you can go through various boxes to get to that, or somewhere in either settings or advanced settings; in most browsers there's someplace where you can manage certificates. Yeah, absolutely, Firefox supports the importing of a new trusted root certification authority right now.
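As an added example, not code from the webinar or from Servoy, the following Python script checks the two Tomcat files the demo edits for the HTTPS setup described above: that server.xml has an SSL-enabled Connector with a keystore, that the plain-HTTP Connector's redirectPort points at it (that redirect is what sent the browser from 8081 to 8443 once the security constraint was in place), and which url-patterns in web.xml require CONFIDENTIAL transport versus NONE. The XML samples are constructed for the example; the /public/* pattern and the keystore password placeholder are assumptions, while the Connector attributes and security-constraint elements are standard Tomcat and Servlet configuration.

```python
"""Audit Tomcat server.xml and web.xml for the HTTPS setup from the webinar (added example)."""
import xml.etree.ElementTree as ET

# Constructed server.xml, "after" state: HTTP on 8081 redirecting to an SSL connector on 8443.
SERVER_XML_AFTER = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/.keystore" keystorePass="CHANGE-ME-placeholder"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Constructed server.xml, "before" state: HTTP only. redirectPort is the stock value but
# nothing listens there, so a CONFIDENTIAL constraint would have nowhere to redirect.
SERVER_XML_BEFORE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed web.xml: HTTPS for everything, plus a hypothetical /public/* left on plain HTTP.
WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS only</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Plain HTTP allowed</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from a tag ('{uri}name' -> 'name'); web.xml uses one."""
    return tag.rsplit("}", 1)[-1]


def _is_true(elem, attr):
    return elem.get(attr, "false").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return (https_ports, problems): ports of SSL-enabled Connectors and misconfigurations."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    https_ports, problems = [], []
    for c in connectors:
        if not _is_true(c, "SSLEnabled"):
            continue
        port = c.get("port")
        https_ports.append(port)
        if c.get("scheme") != "https" or not _is_true(c, "secure"):
            problems.append(f"port {port}: SSLEnabled but scheme/secure are not https/true")
        if not c.get("keystoreFile"):
            problems.append(f"port {port}: no keystoreFile configured")
    for c in connectors:
        if not _is_true(c, "SSLEnabled") and c.get("redirectPort") not in https_ports:
            problems.append(f"port {c.get('port')}: redirectPort {c.get('redirectPort')} "
                            "is not an HTTPS connector, so CONFIDENTIAL constraints cannot redirect")
    return https_ports, problems


def transport_guarantees(web_xml):
    """Map each url-pattern in web.xml to its transport-guarantee (NONE if none is declared)."""
    root = ET.fromstring(web_xml)
    guarantees = {}
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        guarantee, patterns = "NONE", []
        for el in sc.iter():
            if _local(el.tag) == "transport-guarantee":
                guarantee = (el.text or "NONE").strip()
            elif _local(el.tag) == "url-pattern":
                patterns.append((el.text or "").strip())
        for p in patterns:
            guarantees[p] = guarantee
    return guarantees


def plain_http_patterns(web_xml):
    """Return (patterns still reachable over plain HTTP, whether /* is CONFIDENTIAL)."""
    g = transport_guarantees(web_xml)
    return sorted(p for p, t in g.items() if t != "CONFIDENTIAL"), g.get("/*") == "CONFIDENTIAL"


if __name__ == "__main__":
    for label, xml in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        ports, problems = audit_connectors(xml)
        print(f"server.xml ({label}): https ports={ports} problems={problems}")
    print("web.xml:", transport_guarantees(WEB_XML), plain_http_patterns(WEB_XML))
```

Run against a real installation by reading conf/server.xml and conf/web.xml into the two functions; the "before" sample reproduces the state at the start of the demo, where the constraint alone would not have produced a working redirect.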