Java（RMI）服务器到服务器的身份验证方法？

Question

I'm working on a server-to-server authentication via RMI. There's on application-server (server part) and several web-servers (client part) which communicate via RMI. The web-server(s) must authenticate on the application-server. The simplest way would be to use a password which is stored in the web-server's config-file (clear text), but that's obviously very bad practice.

My idea is to use a public/private-key which is generated on the web-server (client). The privateKey is stored in keystore and the publicKey is published to the app-server. To authenticate the client, a generated, random String is signed with the privateKey (create a Signature) and both, the signature und the String are send to the server. The server verifies the String with the signature and it's publicKey.
Good idea?
I know this is not very secure but even better than storing clear text password.

Any suggestions for that?
There's no need to make it 100% secure, just a good alternative for password protection.

Thanks and have a nice day.

Answer 1

Public /private key encryption should be good enough. Other alternatives would be to store the password in an LDAP server and give access to both the server as well as the clients to the LDAP. However, this would add a burden of one more server and some more network usage. The ultimate security will be to use Secure RMI, this will protect your RMI messages as well as protect the connections to the server.