Christof Aenderl

Reputation: 4512

Java (RMI) server-to-server authentication methods?

I'm working on a server-to-server authentication via RMI. There's one application-server (server part) and several web-servers (client part) which communicate via RMI. The web-server(s) must authenticate on the application-server. The simplest way would be to use a password which is stored in the web-server's config-file (clear text), but that's obviously very bad practice.

My idea is to use a public/private key which is generated on the web-server (client). The privateKey is stored in a keystore and the publicKey is published to the app-server. To authenticate the client, a generated, random String is signed with the privateKey (create a Signature) and both the signature and the String are sent to the server. The server verifies the String with the signature and its publicKey.
Good idea?
I know this is not very secure but even better than storing clear text password.

Any suggestions for that?
There's no need to make it 100% secure, just a good alternative for password protection.

Thanks and have a nice day.

Upvotes: 0

Views: 697
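The signed-challenge flow sketched in the question, as an added example written for this page (not the poster's code, and not from any project). Class and method names are hypothetical; the one deliberate difference from the question is that the app-server issues the random value, so that a captured (String, signature) pair from an earlier login cannot simply be resubmitted.

```java
import java.security.*;

// Added example: signed-challenge authentication between a web-server (client)
// and the app-server over RMI. The app-server picks the nonce; in the question
// the client picks it, which lets a captured signature be replayed.
public class RmiChallengeAuth {
    // --- app-server side ---
    static final class AppServer {
        private final PublicKey clientKey;   // published by the client out of band
        private byte[] pendingNonce;
        AppServer(PublicKey clientKey) { this.clientKey = clientKey; }

        // Step 1: hand the client a fresh random challenge.
        byte[] issueChallenge() {
            pendingNonce = new byte[32];
            new SecureRandom().nextBytes(pendingNonce);
            return pendingNonce;
        }

        // Step 3: accept only the outstanding nonce, then discard it (one-time use).
        boolean verify(byte[] nonce, byte[] signature) throws GeneralSecurityException {
            if (pendingNonce == null || !MessageDigest.isEqual(pendingNonce, nonce)) return false;
            pendingNonce = null;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(clientKey);
            sig.update(nonce);
            return sig.verify(signature);
        }
    }

    // --- web-server (client) side ---
    // Step 2: sign the challenge with the private key held in the local keystore.
    static byte[] sign(PrivateKey key, byte[] nonce) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(nonce);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // in practice: loaded from the keystore
        AppServer server = new AppServer(kp.getPublic());
        byte[] nonce = server.issueChallenge();
        byte[] signature = sign(kp.getPrivate(), nonce);
        System.out.println("authenticated:   " + server.verify(nonce, signature));
        System.out.println("replay accepted: " + server.verify(nonce, signature));
    }
}
```

The second `verify` call returns false because the nonce was consumed by the first; this is the check that the client-chosen String in the question does not give you.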

Answers (1)

NiranjanBhat

Reputation: 1832

Public/private key encryption should be good enough. Other alternatives would be to store the password in an LDAP server and give access to both the server as well as the clients to the LDAP. However, this would add a burden of one more server and some more network usage. The ultimate security will be to use Secure RMI; this will protect your RMI messages as well as protect the connections to the server.

Upvotes: 2