Tuesday, February 11, 2014

Apache Thrift: Securing the Client Server Communication using SSL

This is my second post on Apache Thrift. It's been a very informative ride so far with Apache Thrift.
In this post, I'm going to talk about securing one-way (server-authenticated) client-server communication using SSL.

The code is available on GitHub [1].

We use the JDK provided keytool to generate the necessary certificates.

Concepts involved:

Public-key encryption (SSL): [2]

Keystore: The keystore contains all the private keys and their corresponding certificates with the public keys.

Truststore: The truststore contains the certificates that you TRUST.

Basically the server has its private key (in the keystore). We need to create the corresponding certificate for that private key and add it to the TRUSTSTORE of the client (i.e. public-key encryption).

Managing the keystore

To create these keys and keystores you need to go to the $JAVA_HOME/bin directory. There, you have a tool called keytool.

1. Create the private key (the -validity 7 option makes the certificate valid for 7 days)
keytool -genkeypair -alias mykey -keyalg RSA -validity 7 -keystore keystore.jks

2. Export the corresponding certificate
keytool -export -alias mykey -keystore keystore.jks -rfc -file certificate.cer

3. Import that certificate into the client truststore.
   Note that in this example, the server and the client are on the same host (localhost), that's why we are importing the certificate on the same host.

keytool -import -alias mykey -file certificate.cer -keystore truststore.jks


I have added the SSL secured code to my github project as well.
Set your keystore, truststore, and passwords in the respective property files found in /resources.
Then run the SecuredCalculatorTest.

Code changes from the first Post:

  • CalculatorClientService has a special init method for the SSL initiation (secure_init()).
  • SecureCalculatorServer
  • SecureCalculatorClient

Adding SSL capability

These lines show how to add SSL capability to the server.

   // for the secure communication: the server presents the certificate stored in its keystore
   TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
   params.setKeyStore(serverKeyStore, keystorePassword);

   TServerSocket serverTransport = TSSLTransportFactory.getServerSocket(
        4030, 10000, InetAddress.getByName("localhost"), params);

These changes show the addition of SSL capability to the client.

    // the client verifies the server certificate against its truststore
    TSSLTransportFactory.TSSLTransportParameters params =
             new TSSLTransportFactory.TSSLTransportParameters();
    params.setTrustStore(clientTrustStore, truststorePassword);
    transport = TSSLTransportFactory.getClientSocket("localhost", 4030, 10000, params);

Notice that here, you don't have to open the transport.
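The snippets above give one-way SSL: only the server proves its identity. The following is an added example (not code from the post or the SimpleThriftCalc project) that goes one step further and configures mutual authentication with the same TSSLTransportParameters API: the server also gets a truststore and calls requireClientAuth(true), and the client also gets a keystore holding its own certificate. The file names keystore.jks and truststore.jks come from the keytool steps above; the password arguments and the class name MutualSslTransports are assumptions.

```java
import java.net.InetAddress;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

// Assumed helper class: builds mutually authenticated Thrift transports.
public final class MutualSslTransports {

    private static final int TIMEOUT_MS = 10000;

    // Server side: presents the certificate from its keystore and, because of
    // requireClientAuth(true), rejects any client whose certificate is not in
    // the server's truststore (the handshake fails before any RPC is read).
    public static TServerSocket serverSocket(String keyStore, String keyStorePass,
                                             String trustStore, String trustStorePass,
                                             int port) throws Exception {
        TSSLTransportFactory.TSSLTransportParameters params =
                new TSSLTransportFactory.TSSLTransportParameters();
        params.setKeyStore(keyStore, keyStorePass);      // server private key + cert
        params.setTrustStore(trustStore, trustStorePass); // client certs the server trusts
        params.requireClientAuth(true);
        return TSSLTransportFactory.getServerSocket(
                port, TIMEOUT_MS, InetAddress.getByName("localhost"), params);
    }

    // Client side: checks the server certificate against the client truststore
    // (as in the post) and additionally presents its own certificate from the
    // client keystore so the server can authenticate it.
    public static TTransport clientSocket(String keyStore, String keyStorePass,
                                          String trustStore, String trustStorePass,
                                          int port) throws TTransportException {
        TSSLTransportFactory.TSSLTransportParameters params =
                new TSSLTransportFactory.TSSLTransportParameters();
        params.setKeyStore(keyStore, keyStorePass);      // client private key + cert
        params.setTrustStore(trustStore, trustStorePass); // server cert the client trusts
        // getClientSocket returns an already-opened transport, so no open() call is needed
        return TSSLTransportFactory.getClientSocket("localhost", port, TIMEOUT_MS, params);
    }
}
```

For this to work, the client certificate must be exported and imported into the server truststore exactly as steps 2 and 3 above do for the server certificate, just in the opposite direction.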


[1] https://github.com/swsachith/SimpleThriftCalc
[2] http://computer.howstuffworks.com/encryption4.htm
[3] http://chamibuddhika.wordpress.com/2011/10/03/securing-a-thrift-service/
