Let's say I want to ship a commercial product that has two components, written in Java, communicating with each other on a local network using a RESTful API. It could be a music manager, a contact database, a cookbook --- what's important is that this is a reasonable and extremely likely scenario.
Note that I am talking about two components talking to each other over a local network --- not about communicating back to my server.
So how do I make the communication secure?
I know if I go set up an HTTP server for the world that I can (even cheaply) buy an SSL certificate. I've done it. But I can't tell the user to go buy a certificate --- they will have no idea what I'm talking about, and could never figure out how to install it.
So what do I do? Ship everybody my own self-signed certificate and do a Very Bad Thing like disable certificate validation in Java? Horrible, I know. But at least the information won't be going over the line in plain text.
Anyone have any better solutions?
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet.
HTTP requests and responses are sent in plaintext, which means that anyone can read them. HTTPS corrects this problem by using TLS/SSL encryption.
HTTP is a protocol for fetching resources such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol, which means requests are initiated by the recipient, usually the Web browser.
Updated Sep 20 '15 to clarify the points raised in comments
To understand how this can be done, let us examine a possible deployment scenario of such an application. Assume that the application in question comprises two components - the client part and the server part, meant to be installed onto different computers on a local network. We want our server part to accept secure connections only, so the local network is considered hostile.
Install the server part. At the time of the installation, programmatically create a self-signed certificate using the hostname of a target computer. If there is no DNS record for the computer (like myserver.mycorp.com), use its IP address - it has to be static since we need to point the client part to it. You can use Bouncy Castle API to create a certificate in code.
Install the client part onto another computer, and copy the generated certificate to the installation folder. Doing this manually is effectively establishing trust between the server and client. Trying to do this automatically via an unencrypted connection over a hostile network would be defeating the purpose.
Since you are securing communication strictly between your own application parts, you are in full control of what certificates the application in question trusts. On the client, create a keystore, and add the generated certificate to it:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Read the server's self-signed certificate (X.509, DER or PEM) that was copied over by hand
X509Certificate c;
try (FileInputStream fis = new FileInputStream(yourCertificateFile)) {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    c = (X509Certificate) cf.generateCertificate(fis);
}
// Create a fresh keystore that contains only that certificate, and write it to disk
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, aRandomKeystorePasswordCharArray);
ks.setCertificateEntry(aUniqueNameForYourCertificate, c);
try (FileOutputStream fos = new FileOutputStream(aRandomKeystoreFileName)) {
    ks.store(fos, aRandomKeystorePasswordCharArray);
}
Tell the JVM that your application is only going to trust certificates from its own keystore.
// replace backslashes '\' with slashes '/' in aRandomKeystoreFileName on Windows
// set both properties before the first HTTPS connection is opened: the default
// SSLContext reads them once, when it is initialised, and ignores later changes
System.setProperty("javax.net.ssl.trustStore", aRandomKeystoreFileName);
System.setProperty("javax.net.ssl.trustStorePassword", aRandomKeystorePassword);
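The same trust relationship can be scoped to the application's own connections instead of being set JVM-wide with system properties, which would also replace the default CA bundle for every other HTTPS connection the process makes. The following is an added example, not code from the answer above; it assumes a hypothetical certificate file path and server URL, and uses only JDK classes. The client loads the single certificate the installer copied over, builds an in-memory truststore around it, and opens an HttpsURLConnection that trusts nothing else while keeping the default hostname verification in place:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Client-side example: trust exactly one certificate (the one generated by the
 * server installer and copied to the client by hand), applied only to the
 * connections this class opens rather than to the whole JVM.
 */
public final class PinnedRestClient {

    /** Build an SSLContext whose only trust anchor is the certificate in the given file. */
    public static SSLContext contextTrustingOnly(String certificatePath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(certificatePath)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        // In-memory truststore: no file on disk, no password to manage, nothing else in it.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert);

        // PKIX trust manager initialised from a truststore that holds only our certificate:
        // any other certificate, including ones signed by public CAs, is rejected.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Perform a GET against the server using the pinned trust; returns the HTTP status code. */
    public static int get(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately NOT overriding the hostname verifier: the default one checks that the
        // certificate's subject alternative name (or CN) matches the host in the URL, which is
        // why the installer must put the server's hostname or static IP into the certificate.
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: the certificate file copied from the server installation and
        // the server's REST endpoint on the local network.
        SSLContext ctx = contextTrustingOnly("server-cert.pem");
        System.out.println("HTTP " + get("https://myserver.mycorp.com:8443/api/recipes", ctx));
    }
}
```

If the certificate on disk is replaced (for example by a reinstall of the server part that regenerates it), the client will fail the handshake with a certificate-path exception rather than silently connecting, which is the behaviour you want from a pinned setup; reinstalling the client with the new certificate restores the trust relationship.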
Look to OAuth 2.0 for securing your services; you should only provide tokens to your clients instead of two-way SSL. Facebook, Google, etc. use it.
https://en.wikipedia.org/wiki/OAuth