Core java security interview questions and answers for java developer

Here are some of the core java interview questions related to java security that you could expect in an interview for a Java developer.

Q What is the difference between a keystore and a truststore?

      The truststore contains the trusted entries and root certificates. The keystore contains the private keys. They both have the same file name extension (.jks).

Q What does JKS stand for?

     Java key store

Q What are the other standards for managing keystores that you know of?

     Java understands only JKS. Other systems include PKCS12 and others typically well known in non-java world.

Q Do I always need a keystore?

     No; you need it only if you intend to authenticate yourself against the server.

Q What are the contents of a jks file?

    A jks file typically contains private/public key pairs, public keys/certificates, root certificate authority entries.

Q Is there a default truststore?

    Each java installation will have a /lib/security/cacerts which contains certificates of all the popular root certificate authorities.

Q Is this same as the certificate repository used by browsers?

   No; each browser has their own certificate repository which contains the popular root certificate authorities whom the browser trust.

Q Can I use same jks file as both truststore and keystore?

Yes; you can. In this case, the jks file contains private keys and trusted certificates/ca entries.

Q How do you configure truststore in your web application?

   The default truststore/keystore could set by setting VM parameter (-D option) or invoke System.setProperty() for the following properties:-

Keystore: -Djavax.net.ssl.keyStore -Djavax.net.ssl.keystorePassword 

Truststore: -Djavax.net.ssl.truststore -Djavax.net.ssl.truststorePassword

Q What is 2 way SSL ?

    In one way SSL  (aka typical https connection), the server authenticates itself to the client using server certificate. In 2 way SSL , in addition to the above step, the client authenticates itself to the server.

Q How do you configure it?

   This involves additional configuration of setting the keystore in addition to setting the truststore.

Q What is a SSLContext?

    SSLContext is java class that acts as factory for secure socket factories. To configure a custom keystore/truststore, you get an instance of it and intialize it with keystore and truststore.

Q How do you configure a specific truststore for a https connection?

    If you need to configure a specific truststore for a particular https connection (be it a web service or https get/post url), you could define a SSLContext with a keystore and truststore. The new SSLContext object will be set in the https connection. 

Q What are the errors that you have encountered during your development?

    The common errors are

       1. certificate_unknown
       2. java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
       3. unable to find valid certification path to requested target

Q When do you get a certificate unknown error?

    If the server side certificate is not present in your truststore, this error will occur. One of the most common reasons for this would be a custom truststore that does not contain the certificates or the server presents itself with self-signed certificate or a certificate signed by non-public certificate issuing authority. Most organizations will have their own root ca's to issue certificates for testing environments and internal use.

Q How do you solve the certificate unknown error?

    Get the certificate presented by the server; import it to your truststore. There are 2 ways to do this. The simplest approach is to give the URL in the browser, view the certificate, export it and import the same to your truststore. The second approach would be to write a sample piece of code that connects to https url and write the certificate contents into file; This could be imported to your truststore.

Q How do you debug a SSL handshake issue?

    To debug the issues during a ssl handshake, we need to set the VM parameter -Djavax.net.debug=all. This will spit out the debug information in your log file.