Why not use JWT cookies/tokens? You sign your claims and only you can
validate the claims and ensure that it’s coming from the right place/user.


On Mon, 9 Sep 2019 at 19:26, Michael Duffy <mduffy...@gmail.com> wrote:

> I need to communicate securely between two Tomcat servers running in two
> different environments.  I have control of both servers.
> I would like to do this through a simple REST call from Server-B to
> Server-A.
> On the server I am communicating to, Server-A, I can easily set up HTTPS
> with a self-signed certificate.  If I import this certificate into the Java
> Keystore on Server-B, I can make a trusted HTTPS Rest call from my Java
> code on Server-B.
> Good instructions for doing this can be found here:
> https://blog.10pines.com/2017/09/25/how-to-communicate-via-https-between-two-tomcat-servers-using-a-self-signed-certificate/
> I would also like to add a confirmation that the Rest call to Server-A is
> certainly coming from Server-B and the message has integrity.
> My plan is to generate a self-signed certificate on Server-B and  import
> this certificate into the Java Keystore on Server-A.  Then for any REST
> call from Server-B I will first generate an SHA-512 hash of the message and
> sign the hash with the private key associated with the Server-B
> certificate.   When Server-A receives the message, the SHA-512 hash will be
> recalculated and checked for accuracy of the hash (no message tampering).
> I will then check the signature of the Hash against the public key of the
> certificate from Server-B.
> For a little bit of extra paranoia I may encrypt the REST message with the
> public key of the certificate from Server-A; for short messages this should
> be fine (no need for Symmetric encryption).
> Does this seem like a good plan?
> Thx in advance for any suggestions.
> Mike

Reply via email to