How to create a secure Socket (SSL) in Java?

First ... To understand this post, you have to know "How to create a Socket in Java?".

A secure socket is just a special socket that implements all the mechanism and methods for complete the "SSL handshake" with the server. After this handshake, the server and the client shares messages securely through an encripted communication handled by this special socket. In practice (I mean code), a SSL Socket is handled like a regular or raw Socket but the Socket instantiation is very different.

________________________________________________
A raw ServerSocket instantiation is something like this:

//Create the raw server socket
ServerSocket serverSocket = new ServerSocket(port);

A secure ServerSocket instantiation is like this:

//An SSL socket can't be created from scratch. We need a Factory (Design Pattern) that //handles the underlying logic that allows create a SSL socket
//(open a certificate store or repository, find the certificate, etc)
ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault();

//Create a SSL server socket
ServerSocket serverSocket = ssocketFactory.createServerSocket(port);

________________________________________________
A raw Socket instantiation (client side) is something like this:

//The raw socket that allow the client application interact with the server
Socket socket = null;

//Create a raw socket from scratch
socket = new Socket(host, port);

A secure client Socket instatiation is like this:

//An SSL socket can't be created from scratch. We need a Factory (Design Pattern) that
//handles the underlying logic that allows create a SSL socket
SocketFactory socketFactory = SSLSocketFactory.getDefault();

//The SSL socket that allow the client application interact with the server
SSLSocket socket = null;

//Get the socket from the Factory
socket = (SSLSocket) socketFactory.createSocket(host, port);
The rest of the communication (read and write data) can be handled like a raw or regular Socket. In fact, if you are a good programmer, you will note that the SSLSocket is a sub-class of Socket, and with this knowledge you must implement a communication mecanism that doesn't know if the socket is secure or not, and it will works fine for both.

Do you think this is enough? What about the certificate that the SSL handshake uses? Is time to talk about the runtime variables that a secure Socket will use.

The Java Runtime Enviorement (JRE) has a tool that handles certificates. The "keytool" script (or command) allows read, create, export and import certificates to a "certificates repository" (In fact, keytool allows repository creation).

At runtime, by default, the JRE doesn't have a "certificate repository" attached, so any SSL socket doesn't work if you don't attach it "first".

To attach a "certificate repository" to a JRE instance, you must add two runtime variables, like this:

SERVER SIDE (at runtime)
$ java -Djavax.net.ssl.keyStore=relative or absolute route to the repository file -Djavax.net.ssl.keyStorePassword=repository password -jar jar file

The previous command line only allows create server sockets with the given repository. The client doesn't need one. But, if you want to trust in a SSL connection, you must have the server certificate in the trust store of the JRE (by default the JRE trust store is jre install folder/lib/security/cacerts)

To import a certificate to a "certificate repository" (like the cacerts) you can use this command line:

CLIENT SIDE (before runtime)
keytool -import -alias certificate alias -file relative or absolute route to the certificate file -keystore relative or absolute route to the repository file

If you download this, you will see a complete socket example. If you want to know about it before download it, check the documentation