I need to communicate securely between two Tomcat servers running in two
different environments.  I have control of both servers.

I would like to do this through a simple REST call from Server-B to

On the server I am communicating to, Server-A, I can easily set up HTTPS
with a self-signed certificate.  If I import this certificate into the Java
Keystore on Server-B, I can make a trusted HTTPS Rest call from my Java
code on Server-B.

Good instructions for doing this can be found here:

I would also like to add a confirmation that the Rest call to Server-A is
certainly coming from Server-B and the message has integrity.

My plan is to generate a self-signed certificate on Server-B and  import
this certificate into the Java Keystore on Server-A.  Then for any REST
call from Server-B I will first generate an SHA-512 hash of the message and
sign the hash with the private key associated with the Server-B
certificate.   When Server-A receives the message, the SHA-512 hash will be
recalculated and checked for accuracy of the hash (no message tampering).
I will then check the signature of the Hash against the public key of the
certificate from Server-B.

For a little bit of extra paranoia I may encrypt the REST message with the
public key of the certificate from Server-A; for short messages this should
be fine (no need for Symmetric encryption).

Does this seem like a good plan?

Thx in advance for any suggestions.


Reply via email to