
Sun, May 12, 2006

Glassfish with ECC

As computer hardware becomes more and more powerful, the strength of the
keys used in cryptographic operations has to increase correspondingly.
There are several ways in which this can be accomplished:
  • Increase the length of the encryption key. This may negatively
    impact performance.
  • Use a different encryption algorithm, for example Elliptic Curve
    Cryptography (ECC). In next-generation key technology, RSA keys will
    be 2048 bits and ECC keys will be 224 bits. Note that these two types
    of keys have the same encryption strength.

In this blog entry, I summarize the steps needed to use HTTPS with ECC in the following configuration:


The following discussion assumes that GlassFish is installed in
c:\export\glassfish, JDK 6 is installed in c:\jdk6, and the NSS
binaries are located in c:\nss\lib.
  • Configure your operating environment to run GlassFish, JDK 6,
    and NSS.
    • For example, on Windows, set the path variable as shown here:

        set path=c:\jdk6\bin;c:\nss\lib;c:\export\glassfish\bin;%path%

    • For example, in Unix ksh, export these environment variables
      (the GlassFish bin directory belongs on the PATH as well):

        export PATH=/jdk6/bin:/export/glassfish/bin:$PATH
        export LD_LIBRARY_PATH=/nss/lib:$LD_LIBRARY_PATH

  • Create a provider configuration for NSS in c:\ecc\nss.cfg as follows:

      name=NSS
      nssLibraryDirectory=c:\\nss\\lib
      nssDbMode=noDb
      attributes=compatibility

  • Add the NSS provider to the JDK 6 configuration by adding the following line to the file
    c:\jdk6\jre\lib\security\java.security:

      security.provider.10=sun.security.pkcs11.SunPKCS11 c:\\ecc\\nss.cfg

  • Create an ECC key pair in the JKS keystore using keytool,
    where ${HOST} is the hostname of your machine:

      c:
      cd \export\glassfish\domains\domain1\config
      keytool -genkeypair -alias myecc -keyalg EC -keysize 224 -keystore keystore.jks -storepass changeit -dname "CN=${HOST}, OU=ECC Test 224, O=GlassFish" -keypass changeit

  • Update the version of the JDK used by GlassFish by changing
    the value of AS_JAVA in the file
    c:\export\glassfish\config\asenv.bat.
  • Start the GlassFish server if necessary:

      asadmin start-domain domain1

  • Update the certificate nickname of the HTTP listener http-listener-2 to myecc using the
    Admin Console, which can be accessed by entering the following
    URL in your browser: http://serverName:4848

  • Stop and then restart the GlassFish server for the changes to
    take effect:

      asadmin stop-domain domain1
      asadmin start-domain domain1

  • To access HTTPS with ECC, install the latest versions of the
    web browsers, as only the latest versions have support for ECC.
    The latest versions can be found here.

    If you try to access https://serverName:8181 using your
    existing browser, you will see an error message like this:

      cannot communicate securely because they have no common encryption algorithms

  • Configure the latest version of the browser to use an ECC
    cipher suite, for example
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, by following
    these steps:

    • Open your web browser.
    • Enter the following URL in the browser: about:config
    • In this window, set Filter to security.
    • Select and double-click
      ssl3.ecdh_ecdsa_aes_128_sha
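Two of the JDK edits above fail silently if they are done slightly wrong: the JDK reads security.provider.1, security.provider.2, ... and stops at the first missing number, so a provider numbered past a gap is never installed, and java.security is a Java properties file, in which a single backslash is an escape character, which is why the config path is written with doubled backslashes. The following Python pre-flight check is an added example and not part of the original post or of GlassFish; it parses both files and reports those problems. The sample file contents are constructed for the demonstration, with nine stock provider lines mirroring a JDK 6 Windows install.

```python
import re

# Matches "security.provider.N=<class> [<argument>]" in java.security.
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)(?:\s+(.+?))?\s*$")

# Escapes that java.util.Properties turns into control characters.
_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

# Values the SunPKCS11 provider accepts for nssDbMode.
NSS_DB_MODES = {"readWrite", "readOnly", "noDb"}


def unescape_properties_value(raw):
    # Decode a value the way java.util.Properties does: "\\" is one backslash,
    # \t \n \r \f become control characters, and any other "\x" is just "x".
    # So c:\\ecc\\nss.cfg decodes to c:\ecc\nss.cfg, while c:\ecc\nss.cfg is mangled.
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_provider_chain(java_security_text):
    """Map slot number -> (provider class, decoded config argument or None)."""
    chain = {}
    for line in java_security_text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            arg = unescape_properties_value(m.group(3)) if m.group(3) else None
            chain[int(m.group(1))] = (m.group(2), arg)
    return chain


def loaded_slots(chain):
    # The JDK walks slot 1, 2, 3, ... and stops at the first missing number,
    # so a provider placed after a gap is never installed.
    slots = []
    n = 1
    while n in chain:
        slots.append(n)
        n += 1
    return slots


def check_pkcs11_config(cfg_text):
    """Return a list of problems found in a SunPKCS11 config file such as nss.cfg."""
    kv = {}
    problems = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append("malformed line: %r" % line)
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        kv[key] = value
    for required in ("name", "nssLibraryDirectory"):
        if required not in kv:
            problems.append("missing required attribute: " + required)
    if "nssDbMode" in kv and kv["nssDbMode"] not in NSS_DB_MODES:
        problems.append("unknown nssDbMode: " + kv["nssDbMode"])
    return problems


def preflight(java_security_text, cfg_text, expected_cfg_path):
    """Combine both checks: is the SunPKCS11 slot actually loaded, does its
    argument decode to the config file we wrote, and is that file well formed?"""
    chain = parse_provider_chain(java_security_text)
    findings = []
    pkcs11 = [n for n, (cls, _) in chain.items() if cls.endswith("SunPKCS11")]
    if not pkcs11:
        return ["no SunPKCS11 provider line found"]
    loaded = loaded_slots(chain)
    for n in pkcs11:
        _, arg = chain[n]
        if n not in loaded:
            findings.append("slot %d is after a numbering gap and will not load" % n)
        if arg != expected_cfg_path:
            findings.append("slot %d config path decodes to %r, expected %r"
                            % (n, arg, expected_cfg_path))
    findings.extend(check_pkcs11_config(cfg_text))
    return findings


# Constructed sample: the nine stock JDK 6 (Windows) providers plus the NSS line.
STOCK_PROVIDERS = [
    "sun.security.provider.Sun", "sun.security.rsa.SunRsaSign",
    "com.sun.net.ssl.internal.ssl.Provider", "com.sun.crypto.provider.SunJCE",
    "sun.security.jgss.SunProvider", "com.sun.security.sasl.Provider",
    "org.jcp.xml.dsig.internal.dom.XMLDSigRI", "sun.security.smartcardio.SunPCSC",
    "sun.security.mscapi.SunMSCAPI",
]
GOOD_JAVA_SECURITY = "\n".join(
    ["security.provider.%d=%s" % (i + 1, cls) for i, cls in enumerate(STOCK_PROVIDERS)]
    + [r"security.provider.10=sun.security.pkcs11.SunPKCS11 c:\\ecc\\nss.cfg"])
# Failure mode 1: the new line numbered 11 instead of 10, so loading stops at 9.
GAPPED_JAVA_SECURITY = GOOD_JAVA_SECURITY.replace("provider.10=", "provider.11=")
# Failure mode 2: single backslashes, which Properties decoding mangles.
UNESCAPED_JAVA_SECURITY = GOOD_JAVA_SECURITY.replace(r"c:\\ecc\\nss.cfg", r"c:\ecc\nss.cfg")
# Constructed copy of the nss.cfg written above.
NSS_CFG = "\n".join(["name=NSS", r"nssLibraryDirectory=c:\\nss\\lib",
                     "nssDbMode=noDb", "attributes=compatibility"])

if __name__ == "__main__":
    for label, text in [("good", GOOD_JAVA_SECURITY), ("gapped", GAPPED_JAVA_SECURITY),
                        ("unescaped", UNESCAPED_JAVA_SECURITY)]:
        print(label, preflight(text, NSS_CFG, r"c:\ecc\nss.cfg") or "OK")
```

To run it against a real installation, read the two files from c:\jdk6\jre\lib\security\java.security and c:\ecc\nss.cfg and pass their contents to preflight in place of the constructed samples.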

Now you can access https://serverName:8181; the browser will prompt
you to accept the certificate, and you can verify that it is the ECC
certificate you just created.

A preliminary benchmark of HTTPS with ECC in GlassFish on the
Windows XP platform shows that the performance of ECC is double
that of RSA in next-generation key technology.

More details on using JDK 6 with NSS can be found in Andreas's blog:
Elliptic Curve Cryptography in Java.
