I need to communicate securely between two Tomcat servers running in two different environments. I have control of both servers.
I would like to do this through a simple REST call from Server-B to Server-A. On the server I am communicating to, Server-A, I can easily set up HTTPS with a self-signed certificate. If I import this certificate into the Java Keystore on Server-B, I can make a trusted HTTPS Rest call from my Java code on Server-B. Good instructions for doing this can be found here: https://blog.10pines.com/2017/09/25/how-to-communicate-via-https-between-two-tomcat-servers-using-a-self-signed-certificate/ I would also like to add a confirmation that the Rest call to Server-A is certainly coming from Server-B and the message has integrity. My plan is to generate a self-signed certificate on Server-B and import this certificate into the Java Keystore on Server-A. Then for any REST call from Server-B I will first generate an SHA-512 hash of the message and sign the hash with the private key associated with the Server-B certificate. When Server-A receives the message, the SHA-512 hash will be recalculated and checked for accuracy of the hash (no message tampering). I will then check the signature of the Hash against the public key of the certificate from Server-B. For a little bit of extra paranoia I may encrypt the REST message with the public key of the certificate from Server-A; for short messages this should be fine (no need for Symmetric encryption). Does this seem like a good plan? Thx in advance for any suggestions. Mike
