Glassfish with ECC

As computer hardware is getting more and more powerful, there is a corresponding need to increase the strength of the keys used in cryptographic operations. There are several ways in which this can be accomplished:
  • Increase the length of the encryption key. This may negatively impact performance.
  • Use a different encryption algorithm, for example, Elliptic Curve Cryptography (ECC). In next-generation key technology, RSA will be 2048 bits and ECC will be 224 bits. Note that these two types of keys have the same encryption strength.

In this blog, I will summarize the steps needed to use HTTPS with ECC in the following configuration:

The following discussion assumes that GlassFish is installed in c:\export\glassfish, JDK 6 is installed in c:\jdk6, and the NSS binaries are located in c:\nss\lib.
  • Configure your operating environment to run GlassFish, JDK 6, and NSS.
    • For example, in Windows, set the path variable as shown here:
        set path=c:\jdk6\bin;c:\nss\lib;c:\export\glassfish\bin;%path%
    • For example, in Unix ksh, export these environment variables:
        export PATH=/jdk6/bin:/export/glassfish/bin:$PATH
        export LD_LIBRARY_PATH=/nss/lib:$LD_LIBRARY_PATH
  • Create a provider configuration for NSS in c:\ecc\nss.cfg as follows (backslashes in the path are doubled because the file is parsed like a Java properties file):
      name=NSS
      nssLibraryDirectory=c:\\nss\\lib
      nssDbMode=noDb
      attributes=compatibility
  • Add the NSS provider to the JDK 6 configuration by adding the following line to the file c:\jdk6\jre\lib\security\java.security:
      security.provider.10=sun.security.pkcs11.SunPKCS11 c:\\ecc\\nss.cfg
  • Create an ECC key pair in a JKS keystore using keytool, where ${HOST} is the hostname of your machine:
      c:
      cd \export\glassfish\domains\domain1\config
      keytool -genkeypair -alias myecc -keyalg EC -keysize 224 -keystore keystore.jks -storepass changeit -dname "CN=${HOST}, OU=ECC Test 224, O=GlassFish" -keypass changeit
  • Update the version of the JDK used by GlassFish by updating the value of AS_JAVA in the file c:\export\glassfish\config\asenv.bat.
  • Start the GlassFish server if necessary.
      asadmin start-domain domain1
  • Update the certificate nickname of the HTTP listener http-listener-2 to myecc using the Admin Console, which can be accessed by entering the following URL in your browser: http://serverName:4848

  • Stop and then restart the GlassFish server in order for the changes to become effective:
      asadmin stop-domain domain1
      asadmin start-domain domain1
  • To access HTTPS with ECC, install the latest versions of the web browsers, as only the latest versions have support for ECC. The latest versions can be found here.

    If you try to access https://serverName:8181 using your existing browser, you will see an error message like this:
      cannot communicate securely because they have no common encryption algorithms.

  • Configure the latest version of the browser to use an ECC cipher suite, for example, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, by following these steps:
    • Open your web browser.
    • Enter the following URL in the address bar: about:config
    • In this window, set Filter to security.
    • Select and double-click ssl3.ecdh_ecdsa_aes_128_sha to toggle it on.

Now you can access https://serverName:8181. The browser will prompt you to accept the certificate, and you can verify that this is the ECC certificate that you just created.
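The same setup, scripted for the Unix layout the post uses, as an added example that is not code from the original post or from the GlassFish project. It writes the NSS provider configuration, registers the provider in java.security at the next free index instead of assuming 10 (the index must be unique, and 10 happens to be the next free one only on a stock JDK 6 file), generates the 224-bit EC key pair the post creates, and, once the listener has been switched to the myecc nickname, confirms from the command line that the server negotiates the ECDHE-ECDSA suite the post enables in the browser. The paths /nss/lib and /jdk6, the port 8181, and the presence of keytool and openssl on PATH are assumptions, used only in the functions that say so.

```shell
#!/bin/sh
# Added example (not from the original post): the Unix-side steps as POSIX
# sh functions. Paths and the 8181 port follow the post; keytool and openssl
# are assumed to be on PATH only in gen_ecc_keypair and check_ecc_listener.

# Write the SunPKCS11 configuration for NSS in keyless (noDb) mode.
# $1 = destination file, $2 = directory containing the NSS libraries.
write_nss_cfg() {
    cat > "$1" <<EOF
name=NSS
nssLibraryDirectory=$2
nssDbMode=noDb
attributes=compatibility
EOF
}

# Print the next unused security.provider.N index in a java.security file.
# The post hard-codes 10, which fits a stock JDK 6 java.security; provider
# indices must be unique, so compute the value rather than assume it.
next_provider_index() {
    max=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

# Register the NSS provider once and print the index it has.
# $1 = java.security, $2 = path of the nss.cfg written above.
register_nss_provider() {
    existing=$(sed -n "s|^security\.provider\.\([0-9][0-9]*\)=sun\.security\.pkcs11\.SunPKCS11 $2\$|\1|p" "$1")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    idx=$(next_provider_index "$1")
    printf 'security.provider.%s=sun.security.pkcs11.SunPKCS11 %s\n' "$idx" "$2" >> "$1"
    echo "$idx"
}

# Generate the same 224-bit EC key pair the post creates with keytool.
# On JDK 6 this only works once the NSS provider is registered, because the
# built-in providers have no EC key generator.
# $1 = keystore path, $2 = host name used for the CN.
gen_ecc_keypair() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
    keytool -genkeypair -alias myecc -keyalg EC -keysize 224 \
        -keystore "$1" -storepass changeit -keypass changeit \
        -dname "CN=$2, OU=ECC Test 224, O=GlassFish"
}

# Reduce `openssl s_client` output to one line:
#   cipher=<negotiated suite> server_key=<bits> bit
# Kept separate from the connection so it can be run on saved output.
summarize_handshake() {
    awk -F': *' '
        /^ *Cipher *:/         { cipher = $2 }
        /Server public key is/ { match($0, /[0-9]+ bit/); bits = substr($0, RSTART, RLENGTH) }
        END { printf "cipher=%s server_key=%s\n", cipher, bits }'
}

# Offer the server only the ECDHE-ECDSA suite the post enables in the browser
# (ECDHE-ECDSA-AES128-SHA is the OpenSSL name for
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA). A listener still serving an RSA
# certificate cannot complete this handshake, so an empty cipher in the
# summary means the nickname change has not taken effect.
# $1 = host, $2 = port (8181 in the post). Needs openssl and a live server.
check_ecc_listener() {
    openssl s_client -connect "$1:$2" -cipher ECDHE-ECDSA-AES128-SHA </dev/null 2>/dev/null \
        | summarize_handshake
}
```

Source the file and call the functions in the post's order: write_nss_cfg /ecc/nss.cfg /nss/lib, register_nss_provider /jdk6/jre/lib/security/java.security /ecc/nss.cfg, gen_ecc_keypair /export/glassfish/domains/domain1/config/keystore.jks "$HOST", and, after the listener restart, check_ecc_listener serverName 8181, which should report a 224-bit server key and the ECDHE-ECDSA suite.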

A preliminary benchmark of HTTPS with ECC in GlassFish on the Windows XP platform shows that the performance of ECC is double that of RSA in next-generation key technology.

More details on using JDK 6 with NSS can be found in Andreas's blog: Elliptic Curve Cryptography in Java.

Shing Wai Chan