ATNA FAQ

From IHE Wiki
Revision as of 22:50, 10 April 2007 by DgvR3c (talk | contribs)

The purpose of this FAQ is to describe the various steps I have taken to make Tomcat 5.X support TLS communications on Windows 2000 and Windows XP with Java applications. Some of this information will also be of interest to Unix users, and may be of interest to C# and .NET programmers as well, since the same basic principles apply.

NOTE: This FAQ was last updated for the 2005-2006 Connectathon.

What is TLS?

The IHE ATNA and XDS Integration profiles require the use of the Transport Layer Security Protocol, or TLS. TLS was originally defined by RFC 2246 and updated by RFC 3546.

TLS is essentially the SSL protocol, used here with certificates exchanged on both sides (mutual authentication) instead of only on the server side, as is usual when a browser talks to a web server over HTTPS. If you really didn't know any of this, you should seriously ask yourself why you are doing this and not someone else.

What Tools Do I Need?

Three tools are absolutely critical: a protocol analyzer, OpenSSL, and the J2SE Unlimited Strength Cryptography policy files. The first will allow you to see what is happening when connecting to a server or client. The next, OpenSSL, will let you see inside certificates. The J2SE policy files will enable support for the ATNA encryption option in the Java Virtual Machine.

How can I see what is happening?

The best way to see what is happening when you try to create a connection is to use a protocol analyzer. I use Ethereal, which has some support for parsing SSL and TLS packets. The next best way is to turn on the javax.net debugging features built into Java. Just add the following option to your java command line, and you'll get loads of good stuff.

-Djavax.net.debug=ssl,handshake,data,trustmanager,help

How come I don't see any traffic in my protocol analyzer?

Don't try to analyze traffic that never goes onto the wire; it won't work. If you are trying to analyze traffic from one system to itself, that traffic never hits the wire (it stays in memory), so your protocol analyzer will never see it. You need at least two machines, one to act as a server and one to act as a client. The protocol analyzer can run on either.

How can I create a certificate, or see what is in one?

OpenSSL is a tool that will allow you to create and inspect certificates, and to test servers and clients. A binary distribution of OpenSSL built for Windows 2000/XP is available from http://www.slproweb.com/products/Win32OpenSSL.html.

How do I support the ATNA Encryption Option?

In order to support encryption, you will need to install the Java Cryptographic Extension Unlimited Strength Jurisdiction Policy Files. For J2SE 1.4.2, these can be found at http://java.sun.com/j2se/1.4.2/download.html. For J2SE 1.5.0, these can be found at http://java.sun.com/j2se/1.5.0/download.html. Download these files, unzip them, and install them according to the instructions. This will enable use of TLS_RSA_WITH_AES_128_CBC_SHA (see ITI-TF 2:3.19.6.1).

Where is TLS_RSA_WITH_NULL_SHA?

If you are using Sun's Java implementation, use SSL_RSA_WITH_NULL_SHA, which is the same thing. See [http://forum.java.sun.com/thread.jspa?threadID=579499
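The two points above (the AES suite that depends on the policy files, and Sun's SSL_ spelling of the NULL suite) as an added example written for this FAQ, not code from the IHE wiki or from Tomcat. It is a minimal JSSE server that requires a client certificate and enables only the ITI-TF 2:3.19.6.1 suites the JVM actually knows; the store file names, passwords and port are assumptions, and it uses Java 5 syntax.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class AtnaTlsServer {
    // Suites named by ITI-TF 2:3.19.6.1; Sun's JSSE spells the NULL suite with an SSL_ prefix.
    // The NULL suite authenticates and integrity-protects only; it gives no confidentiality.
    static final String AES_SUITE  = "TLS_RSA_WITH_AES_128_CBC_SHA";
    static final String NULL_SUITE = "SSL_RSA_WITH_NULL_SHA";

    /** True if the JVM's default SSLSocketFactory knows the suite at all (enabled or not). */
    static boolean suiteSupported(String suite) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return Arrays.asList(f.getSupportedCipherSuites()).contains(suite);
    }

    /** SSLContext from a JKS key store (our own certificate) and trust store (peer CA certificates). */
    static SSLContext buildContext(String keyStore, char[] ksPass, String trustStore, char[] tsPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keyStore), ksPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, ksPass);
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream(trustStore), tsPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical store names, passwords and port; adjust to your own setup.
        SSLContext ctx = buildContext("server.jks", "changeit".toCharArray(), "truststore.jks", "changeit".toCharArray());
        List<String> enable = new ArrayList<String>();
        for (String s : new String[] { AES_SUITE, NULL_SUITE }) {
            if (suiteSupported(s)) enable.add(s);
            else System.err.println(s + " is not offered by this JVM (check the policy files)");
        }
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(4433);
        ss.setNeedClientAuth(true);                          // ATNA: the client must present a certificate too
        ss.setEnabledCipherSuites(enable.toArray(new String[0]));
        ss.accept().close();                                 // accept one handshake, then exit
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake from the earlier section and connect from a second machine to watch the mutual handshake and the negotiated suite.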