WebSocket Server

HTTPS/SSL Support

This document describes the HTTPS/SSL support for the WebSocket server.

The SSL support is implemented using the Java Secure Socket Extension (JSSE), provided as standard with Java. JSSE supports:

  • SSL 3.0 and TLS 1.0
  • Most common SSL and TLS cipher suites
  • X.509-based key and trust manager

SSL Keystore

To enable HTTPS/SSL, a keystore file must be used. Two kinds of keystore are supported:

  • JKS (Java keystore)
  • PKCS12 (PKCS #12)

JKS and PKCS12 are not described in detail here; plenty of information about both is available on the internet.

Using JKS

To generate a Java keystore, use the keytool command provided with Java. keytool is not described in general here; the following example shows how it can be used to generate a JKS keystore file (-storetype JKS is given explicitly because JDK 9 and later create PKCS12 keystores by default, which do not support a key password that differs from the store password):

    % keytool -genkeypair -alias server-cert -keyalg rsa \
    -dname "CN=server.example.com,O=example.com,C=US" \
    -storetype JKS \
    -keystore keystore.jks -keypass password -storepass kspassword

This will generate a Java keystore file: keystore.jks. To use this with the WebSocket server use the following properties in server.properties:

    # KeyStore type (JKS or PKCS12)
    server.ssl.ksType=JKS
    # Path to keystore
    server.ssl.ksPath=/path/to/keystore.jks
    # Keystore password
    server.ssl.ksPassword=kspassword
    # Key password
    server.ssl.keyPassword=password

Using PKCS12

To generate a PKCS #12 keystore file, OpenSSL may be used. OpenSSL is not described in general here; the following example shows how it can be used to generate a PKCS #12 keystore file:

    # Generate CA
    % openssl genrsa -des3 -out ca.key -passout pass:capass 4096
    % openssl req -new -x509 -days 365 -key ca.key -out ca.crt -passin pass:capass

    # Generate Cert
    % openssl genrsa -des3 -out server.key -passout pass:serverpass 4096
    % openssl req -new -key server.key -out server.csr -passin pass:serverpass -passout pass:serverpass

    # Sign
    % openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt \
    -passin pass:capass

    # Convert to pkcs12
    % openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:serverpass \
    -passout pass:serverpass

This will generate several files and finally a PKCS #12 keystore file: server.p12. To use this with the WebSocket server use the following properties in server.properties:

    # KeyStore type (JKS or PKCS12)
    server.ssl.ksType=PKCS12
    # Path to keystore
    server.ssl.ksPath=/path/to/server.p12
    # Keystore password
    server.ssl.ksPassword=serverpass
    # Key password
    server.ssl.keyPassword=serverpass
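
Before starting the server, the four server.ssl.* properties from either section above can be checked against the keystore file with plain JSSE calls. The following is an added example, not code from the WebSocket server; the class name KeystoreCheck and passing the path to server.properties as the first argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;

// Added example (hypothetical helper, not part of the WebSocket server):
// verifies that the server.ssl.* values open the keystore and unlock a key.
public class KeystoreCheck {

    // Fail with a clear message when a property is missing.
    static String required(Properties p, String name) {
        String v = p.getProperty(name);
        if (v == null) throw new IllegalArgumentException("missing property: " + name);
        return v.trim();
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { // path to server.properties
            p.load(in);
        }
        String path = required(p, "server.ssl.ksPath");
        char[] ksPass = required(p, "server.ssl.ksPassword").toCharArray();
        char[] keyPass = required(p, "server.ssl.keyPassword").toCharArray();

        KeyStore ks = KeyStore.getInstance(required(p, "server.ssl.ksType"));
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, ksPass); // IOException here: wrong store password or wrong type
        }

        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            Key key = ks.getKey(alias, keyPass); // UnrecoverableKeyException: wrong key password
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                x.checkValidity(); // throws if expired or not yet valid
                System.out.printf("%s: %s key, subject=%s, expires=%s%n", alias,
                        key.getAlgorithm(), x.getSubjectX500Principal().getName(), x.getNotAfter());
            }
            keys++;
        }
        if (keys == 0) throw new IllegalStateException("no private key entry in " + path);
    }
}
```

On Java 11 or later it can be run directly as `java KeystoreCheck.java /path/to/server.properties`; any exception means the server would not be able to load its key with the same settings.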