Apache Thrift: Securing the Client Server Communication using SSL
This is my second post on Apache Thrift. It's been a very informative ride so far with Apache Thrift.
In this post, I'm going to talk about securing client-server communication using one-way SSL: the client verifies the server's certificate, but the server does not ask the client for one.
The code is available on GitHub [1].
We use the keytool utility that ships with the JDK to generate the key pair, the certificate and the two stores.
Concepts involved:
Public-key encryption (SSL): see [2].
Keystore: the keystore holds the server's private key together with the certificate (carrying the matching public key) issued for it.
Truststore: the truststore holds the certificates that you TRUST. A certificate presented by a peer is accepted only if it is, or chains up to, one of these; anything else is rejected during the handshake.
Basically the server has its private key (in the keystore). We export the corresponding self-signed certificate and add it to the TRUSTSTORE of the client. During the handshake the server proves that it holds the private key, and the client accepts it because the certificate's public key is one it trusts (public-key cryptography). The private key itself never leaves the server.
Managing the keystore
To create these keys and keystores you use keytool, which lives in the $JAVA_HOME/bin directory.
1. Create the private key (keytool also generates a self-signed certificate for it)
keytool -genkeypair -alias mykey -keyalg RSA -validity 7 -keystore keystore.jks
keytool prompts for the keystore password and for the distinguished name; answer "localhost" to the "first and last name" question, because that becomes the CN and it is the host the client connects to (on JDK 7 and later you can additionally pass -ext SAN=dns:localhost). -validity 7 means the certificate expires after seven days, which is fine for a demo but will make the handshake fail with a certificate-expired error a week from now. The command relies on the JDK's default RSA key size; add -keysize 2048 (or larger) if you want to be explicit.
2. Export the corresponding certificate
keytool -export -alias mykey -keystore keystore.jks -rfc -file certificate.cer
This writes only the certificate, i.e. the public half; the private key stays in keystore.jks and must never be copied to the client.
3. Import that certificate into the client truststore
Note that in this example the server and the client are on the same host (localhost), which is why we import the certificate into a truststore on the same host; in a real deployment you copy certificate.cer to the client machine and import it there.
keytool -import -alias mykey -file certificate.cer -keystore truststore.jks
keytool asks whether to trust the certificate; answer yes. Because truststore.jks then contains only this one self-signed certificate, the client will accept exactly this server's certificate and no other.
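As an added check, not part of the original post or of the SimpleThriftCalc project: a small Java program that loads the two files keytool produced and confirms the layout the steps above rely on, before the server or client is started. It assumes the alias mykey and takes the store paths and passwords from the command line; each failure message names a problem that would otherwise only surface later as a handshake error.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Sanity-checks keystore.jks and truststore.jks as produced by the keytool steps. */
public class CheckStores {

    // Alias used in the keytool commands (assumption: it was not changed).
    private static final String ALIAS = "mykey";

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: CheckStores keystore.jks <keystorePass> truststore.jks <truststorePass>");
            System.exit(2);
        }
        KeyStore keyStore = load(args[0], args[1].toCharArray());
        KeyStore trustStore = load(args[2], args[3].toCharArray());

        // 1. The server side must hold the private key for the alias.
        if (!keyStore.isKeyEntry(ALIAS)) {
            fail("keystore has no private key entry for alias " + ALIAS);
        }
        X509Certificate serverCert = (X509Certificate) keyStore.getCertificate(ALIAS);

        // 2. The client side must hold ONLY a certificate. A key entry here means the
        //    private key was copied into the truststore, which defeats the whole setup.
        if (trustStore.isKeyEntry(ALIAS)) {
            fail("truststore contains a private key for alias " + ALIAS + "; it must hold certificates only");
        }
        if (!trustStore.isCertificateEntry(ALIAS)) {
            fail("truststore has no trusted certificate entry for alias " + ALIAS);
        }
        X509Certificate trustedCert = (X509Certificate) trustStore.getCertificate(ALIAS);

        // 3. The trusted certificate must be exactly the one exported from the keystore
        //    (Certificate.equals compares the DER encoding); otherwise the client will
        //    reject the server with "unable to find valid certification path".
        if (!serverCert.equals(trustedCert)) {
            fail("truststore certificate does not match the keystore certificate");
        }

        // 4. The certificate must be valid right now: -validity 7 expires quickly.
        try {
            serverCert.checkValidity(new Date());
        } catch (CertificateException e) {
            fail("server certificate is not currently valid (" + e.getMessage()
                    + "), notAfter=" + serverCert.getNotAfter() + "; re-run the keytool steps");
        }

        System.out.println("OK: " + serverCert.getSubjectX500Principal()
                + " valid until " + serverCert.getNotAfter());
    }

    private static KeyStore load(String path, char[] password) throws Exception {
        // getDefaultType() reads JKS on JDK 8 and both JKS and PKCS12 on JDK 9+,
        // so it matches whatever format the local keytool wrote.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    private static void fail(String message) {
        System.err.println("FAIL: " + message);
        System.exit(1);
    }
}
```

Run it as java CheckStores keystore.jks changeit truststore.jks changeit (substituting your own passwords) from the directory holding the two files; a non-zero exit status means the stores are not in the state the rest of the post assumes.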
Code
I have added the SSL-secured code to my GitHub project as well.
Set your keystore, truststore, and passwords in the respective property files found in /resources. These are plain-text files, so restrict them to the user that runs the server or client and keep them out of version control.
Then run the SecuredCalculatorTest.
Code changes from the first post:
- CalculatorClientService has a separate init method for the SSL setup (secure_init()).
- SecureCalculatorServer
- SecureCalculatorClient
Adding SSL capability
These lines show how to add SSL capability to the server. The server only needs the keystore, because it is the side that proves its identity:

// for the secure communication: the server presents the certificate whose private key is in serverKeyStore
TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
params.setKeyStore(serverKeyStore, keystorePassword);
// listen on localhost only; every accepted connection gets its own SSL handshake
TServerSocket serverTransport = TSSLTransportFactory.getServerSocket(4030, 10000, InetAddress.getByName("localhost"), params);

These changes show the addition of SSL capability to the client. The client only needs the truststore, which is what the server's certificate is checked against:

TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
params.setTrustStore(clientTrustStore, truststorePassword);
// connects immediately and returns a TSocket wrapping the SSL socket
transport = TSSLTransportFactory.getClientSocket("localhost", 4030, 10000, params);

Notice that here you don't have to open the transport: getClientSocket returns a TSocket that is already connected, and calling open() on it fails with a "Socket already connected" TTransportException. The SSL handshake itself runs on the first read or write, so a certificate the client does not trust shows up as an error on the first RPC rather than when the socket is created. Nothing in this setup authenticates the client; if the server also has to know who is calling, give the client its own keystore, add the client's certificate to a truststore on the server, and call params.requireClientAuth(true) on the server side.
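The client snippet above trusts whatever the truststore trusts and leaves the handshake to happen lazily. The following is an added example, not code from the post or from the SimpleThriftCalc repository, of a client that forces the handshake up front, turns on hostname verification, and reports what was negotiated. It assumes the host, port and timeout used in the snippets, the 0.9-era TSSLTransportFactory API shown on this page, and that the Thrift version in use does not already enable endpoint identification itself (enabling it twice is harmless). The generated Calculator client is only referenced in a comment, since its class is not on this page.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransportException;

/** One-way SSL client that verifies the server before handing the transport to the RPC layer. */
public class VerifiedSecureClient {

    // Assumed to match the server snippet above.
    private static final String HOST = "localhost";
    private static final int PORT = 4030;
    private static final int TIMEOUT_MS = 10000;

    public static TSocket connect(String trustStorePath, String trustStorePassword) throws Exception {
        TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
        params.setTrustStore(trustStorePath, trustStorePassword);
        TSocket transport = TSSLTransportFactory.getClientSocket(HOST, PORT, TIMEOUT_MS, params);

        // getClientSocket wraps a javax.net.ssl.SSLSocket; get at it to tighten the checks.
        SSLSocket ssl = (SSLSocket) transport.getSocket();

        // Hostname verification: besides requiring a trusted certificate, the JSSE now also
        // requires its SAN (or CN, if there is no SAN) to match HOST. Without this, any
        // certificate in the truststore is accepted regardless of which host it was issued to.
        SSLParameters sslParams = ssl.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(sslParams);

        // The handshake is lazy; force it here so a trust failure is reported at connect time,
        // with a clear message, instead of surfacing inside the first RPC.
        try {
            ssl.startHandshake();
        } catch (SSLHandshakeException e) {
            transport.close();
            throw new TTransportException(
                    "server certificate rejected (not in truststore, expired, or issued for another host): "
                            + e.getMessage(), e);
        }

        SSLSession session = ssl.getSession();
        X509Certificate serverCert = (X509Certificate) session.getPeerCertificates()[0];
        System.out.println("Negotiated " + session.getProtocol() + " / " + session.getCipherSuite()
                + " with " + serverCert.getSubjectX500Principal()
                + " (valid until " + serverCert.getNotAfter() + ")");

        // Already connected: the caller must NOT call transport.open().
        return transport;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: VerifiedSecureClient truststore.jks <truststorePass>");
            System.exit(2);
        }
        TSocket transport = connect(args[0], args[1]);
        try {
            // Hand the verified transport to the generated client, e.g.
            // Calculator.Client client = new Calculator.Client(new TBinaryProtocol(transport));
            // (Calculator is the service from the SimpleThriftCalc project; assumed here.)
        } finally {
            transport.close();
        }
    }
}
```

Run it with the server from the post listening on localhost:4030; if you point it at a truststore that does not contain certificate.cer, or after the seven-day validity has passed, connect() throws the TTransportException above rather than returning a transport that fails on first use.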
Resources
[1] https://github.com/swsachith/SimpleThriftCalc
[2] http://computer.howstuffworks.com/encryption4.htm
[3] http://chamibuddhika.wordpress.com/2011/10/03/securing-a-thrift-service/