Secure HTTP Bundle

The Secure HTTP Bundle provides the same functionality as the HTTP Bundle and additionally supports secure connections.


Bundle Information

Bundle JAR

The JAR file of the Secure HTTP Bundle is https.jar, and is found in the bundles folder.

Import

The Secure HTTP Bundle imports the same packages as the HTTP Bundle, and several additional packages, because it uses the JSSE API to realize its security functions.

Package | Exporter | Description
javax.crypto | Base Security API Bundle (Security Package) / Used Java Virtual Machine | Provides cryptographic operations for data encryption, key generation and key agreement, and Message Authentication Code (MAC) generation.
javax.crypto.spec | Base Security API Bundle (Security Package) / Used Java Virtual Machine | Contains key specifications for Diffie-Hellman public and private keys, as well as key specifications for DES, Triple DES, and PBE secret keys.
javax.net | Base Security API Bundle (Security Package) / Used Java Virtual Machine | Holds classes for opening client and server sockets.
javax.net.ssl | Base Security API Bundle (Security Package) / Used Java Virtual Machine | Holds classes for opening secure sockets to establish SSL-based communication.

Export

The Secure HTTP Bundle exports the same package as the HTTP Bundle - com.prosyst.mbs.services.http.

Main Features

The Secure HTTP Bundle supports secure connections using the Secure Socket Layer (SSL). It employs SSL secure sockets over the Java Secure Socket Extension (JSSE) API. SSL is an application-independent security mechanism that combines several encryption algorithms for the safe exchange of information between two parties. Applications run over SSL transparently, without having to track the SSL sessions. SSL is an integral part of most Web browsers.

SSL runs over TCP/IP. HTTP with SSL reserves port 443 for communication.

Meanwhile, the server continues to use port 80 for regular connections.

An HTTP client requests a secure HTTP connection session by adding an s suffix after http in the request URL. For example: https://127.0.0.1:443.

You can use the default JSSE implementation of your JVM or use the JSSE implementation from the mBS Security Package.

Note that when using SSL, the communication speed slows down. This is natural since resources are taken in order to exchange keys and certificates, and to encrypt and decrypt information.

Configuring the Secure HTTP Bundle to Use JVM's JSSE

To use the default JVM JSSE implementation, set the following system properties:

The properties should not be set in default.prs. If you are launching the framework through its starting script (bin/vms/<vm_name>/server), these JVM system properties should either be set in the starting script or be added to the VM_ARGS environment variable before calling the script.

For example, for JDK:

set VM_ARGS=%VM_ARGS% -Dmbs.syspackages=javax.net;version=1.0.3,javax.net.ssl;version=1.0.3,javax.crypto;version=1.2.2,javax.crypto.spec;version=1.2.2
set VM_ARGS=%VM_ARGS% -Djavax.net.ssl.keyStore=https.keystore
set VM_ARGS=%VM_ARGS% -Djavax.net.ssl.keyStorePassword=testpass
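
A pre-flight check for the keystore named by these properties, as an added example that is not part of the original documentation or of the mBS product. It assumes a current JDK; the class name KeystoreCheck is hypothetical, and the keystore type falls back to the JVM default unless the standard javax.net.ssl.keyStoreType property is set.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class): verifies that the keystore referenced by
// javax.net.ssl.keyStore opens with javax.net.ssl.keyStorePassword and holds at
// least one private-key entry whose certificate is currently valid.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String pass = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null || pass == null) {
            System.err.println("javax.net.ssl.keyStore / keyStorePassword not set");
            System.exit(2);
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // IOException on wrong password or corrupt file
        }
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // Trusted-certificate entries cannot serve as the server identity.
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                try {
                    x509.checkValidity(); // expired or not-yet-valid certificates throw
                    usable++;
                    System.out.println(alias + ": key entry, valid until " + x509.getNotAfter());
                } catch (CertificateException e) {
                    System.out.println(alias + ": key entry, certificate not valid: " + e.getMessage());
                }
            }
        }
        if (usable == 0) {
            System.err.println("No usable server key entry in " + path);
            System.exit(1);
        }
    }
}
```

Run it with the same -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword arguments that are passed to the framework.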

Configuring the Secure HTTP Bundle to Use mBS JSSE

To use the JSSE-based TLS server included in the Security package in the secure HTTP server, the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties should not be specified and the major bundles of the mBS Security Package must be deployed prior to activating the Secure HTTP Bundle (see "Installation Issues").

When the Secure HTTP Bundle uses the TLS server from the Security package, you can configure the runtime parameters (behavior at establishing connection, private credentials for authentication to the client and trust of client certificate chains) related to TLS or SSL by using the APIs and system properties accepted by the TLS/SSL Bundle. Refer to the user documentation of the Security mBS package for more information about the ProSyst JSSE TLS server.

Installation Issue

For the Secure HTTP Bundle to process secure client requests by using the mBS JSSE provider, the TLS/SSL Bundle from the Security Package must also be running in the framework. Hence, you should first provide TLS/SSL support in the framework and then install the Secure HTTP Bundle. For easier installation, the Framework Professional Edition and Security Packages contain install scripts for installing first the TLS/SSL Bundle (bin/pscripts/securitynew.txt) and then the Secure HTTP Bundle (bin/pscripts/https.txt), which are executable through the Kit Manager.

Services

The Secure HTTP Bundle registers the same services as the HTTP Bundle and one additional Managed Service. Refer to the "HTTP Bundle" document for the HTTP Service, the HTTP Helper service, the Pluggable Commands service and the description of the registered commands, and for the Managed Services, which are identical but have different PIDs: mbs.https.pid and mbs.https.plain.

The Secure HTTP Bundle registers one additional Managed Service - HTTP Secure Server Configuration, with PID mbs.https.secure. It holds the configuration for secure connection through HTTP. See the "Configuration" chapter below for details on configuration properties for this service.

Configuration

Configuration Resources

The Secure HTTP Bundle registers three Managed Services. The first two of them, the Common and the Plain configurations, have the same configuration properties as the corresponding services of the HTTP Bundle.

The properties of the HTTP Secure Server Configuration are the same as the ones of the Plain Server Configuration, with the difference that the default value for the port is 443. The optional Secondary Port property is not loaded by default. You may set it using a runtime console command like the following one:

config.setvalue -a mbs.https.secure port 4434

You may also set it using mConsole. The default value for this option is 4433.

Visual Administration

User-friendly visual administration of the Secure HTTP Bundle is performed through the mConsole application. Read about configuring HTTP Aliases, HTTP Plain Server Configuration and HTTP Common Configuration in the "HTTP Bundle" document.

HTTP Secure Server Configuration. The HTTP Server Configuration allows configuring the attributes of secure HTTP communication. The configuration is performed the same way as with the other general property editors.


Figure 1: Service Properties for secure connection

Note: A prerequisite to use security in HTTP is to activate the TLS Server Bundle situated in the Security package.

System Properties

All of the VM system properties considered by the HTTP Bundle are significant for the Secure HTTP Bundle too. There are three additional properties. The last one is optional and is considered in case there is no update from the OSGi Configuration Admin service (Config Bundle).

System Property | Default Value | Description
mbs.http.certificateCheck | none | Defines the way in which the servlet engine returns the client's certificate chain to ServletRequest users, when communicating over HTTPS. Values: none (the certificate chain is not added to request attributes); jdk12 (certificates are returned as java.security.cert.X509Certificate instances as defined in the Java Servlet Specification; they are added to the request attributes with key javax.servlet.request.X509Certificate and value an Object array with elements of type java.security.cert.X509Certificate).
mbs.cookies.encrypt | false | Turns on and off the support for encrypted cookies.
org.osgi.service.http.port.secure | 443 | The port for secure HTTP connection.

Tip: To learn more about using system properties in the mBS framework, refer to the "System Properties" document from the "Getting Started" chapter.
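
How a servlet can consume the client certificate chain when mbs.http.certificateCheck is set to jdk12, as an added example that is not part of the original documentation or of the mBS product. The servlet name ClientCertServlet is hypothetical, and the code assumes the first array element is the client's own certificate.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical servlet): reads the chain exposed under the
// request attribute named in the table above and refuses requests without one.
public class ClientCertServlet extends HttpServlet {
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client chain, or an empty array when none was supplied. */
    static X509Certificate[] clientChain(ServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof Object[])) {
            return new X509Certificate[0]; // certificateCheck=none or no client certificate
        }
        Object[] raw = (Object[]) attr;    // documented as an Object array, so cast per element
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) {
            if (!(raw[i] instanceof X509Certificate)) {
                return new X509Certificate[0];
            }
            chain[i] = (X509Certificate) raw[i];
        }
        return chain;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate[] chain = clientChain(req);
        if (!req.isSecure() || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate leaf = chain[0];   // assumption: leaf certificate comes first
        try {
            leaf.checkValidity();          // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Client subject: " + leaf.getSubjectX500Principal().getName());
    }
}
```

Whether a chain is trusted is decided by the TLS server configuration; the servlet should map the subject to an application identity before granting access rather than treating any presented certificate as authorization.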
