change keyStore and trustStore in SSL Communication


Hello @ all,

I'm writing a framework for certificate-based authorization. As far as
the "workflow" is concerned, the client connects to a
Certificate-Server via RMI over an SSL-secured connection. This
connection is secured via a machine cert. Among other things, I retrieve
a KeyStore object from the Certificate-Server containing the
certificates for the user.

Currently I'm specifying the keystore and truststore for the
machine-cert via

System.setProperty("javax.net.ssl.[trustStore,keyStore]",<file>)

But after retrieving the user keystore any further communication has to
be based upon the new keystore.

My question is now how to change the keyStore/trustStore used for
SSL-based communication at runtime?
I dug deep into the web but haven't found anything helpful. Maybe
someone can throw me a bone, please?


A lot of thanks in advance,

Steven McClintoc

0
Reply mcclintoc (2) 10/17/2006 12:16:25 PM

mcclintoc@gmx.net wrote:
> Currently I'm specifying the keystore and truststore for the
> machine-cert via
> 
> System.setProperty("javax.net.ssl.[trustStore,keyStore]",<file>)
> 
> But after retrieving the user keystore any further communication has to
> be based upon the new keystore.
>
> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?

We have done something similar with Client-Cert-Authentication for
Web-Services using Axis.

The solution was to merge all keystores together into one big keystore.
This is not quite easy, because keytool does not support merging private
keys. Have a look at http://www.comu.de/docs/tomcat_ssl.htm .
The ImportKey application has to be adapted to be nondestructive.
If this is relevant for you I can give you the modified src.

But this was not sufficient, because we had to decide which client-cert
to use based on some rules.
So we implemented our own JSSESocketFactory which has methods like
getKeyManagers() and getTrustManagers().
This was done setting the system-property "axis.socketSecureFactory".

I know this is axis specific, but there must be some standard-properties
for normal SSL-Factory (perhaps "ssl.SocketFactory.provider"?).

Best regards,

    feri

Hint: you can use "-Djavax.net.debug=ssl,handshake" to trace the ssl
handshake
0
Reply Ferenc 10/24/2006 8:49:23 PM


Hi,

you may implement your own X509KeyManager and X509TrustManager (see the
JSSE javadocs) and plug it in using SSLContext#init(). Inside the
keymanager you can load your key/certificates from wherever you want.
The trustmanager can be used to decide to trust a peer certificate chain
or not.

Ronny

0
Reply Ronny 10/25/2006 6:57:31 PM

mcclintoc@gmx.net wrote:

> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?
> I dug deep into the web but haven't found anything helpful. Maybe
> someone can throw me a bone, please?

All you have to do is create and initialize your own SSLContext with 
your own KeyManagers etc. The Javadoc/Guide to Features/Security/JSSE 
gives examples.

I'm curious about acquiring the keystores from a central place - I 
wonder about the security, or the point, of this, and I have grave 
reservations about RMI over SSL in the first place. Very grave.
0
Reply EJP 10/26/2006 3:33:36 AM
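The approach Ronny and EJP describe (build your own SSLContext from key and trust managers instead of relying on the javax.net.ssl.* system properties) as an added example; this is not code from any poster in the thread. The class name RuntimeSsl, the holder-based client socket factory, the placeholder file names and the password are assumptions for illustration. The trust side deliberately uses a TrustManagerFactory over a real truststore rather than a hand-written accept-everything X509TrustManager, so the peer chain is still validated after the switch.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not JSSE or RMI API): SSL contexts built from in-memory keystores. */
public final class RuntimeSsl {

    private RuntimeSsl() {}

    /** Builds an SSLContext from KeyStore objects rather than from javax.net.ssl.* properties. */
    public static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        // Key managers: the client certificate(s) and private key(s) we present to the peer.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        // Trust managers: the peer's chain must validate against this truststore, nothing else.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** The context new connections use; swap it when a new keystore becomes current. */
    private static volatile SSLContext current;

    public static void setCurrent(SSLContext ctx) { current = ctx; }

    /**
     * RMI client socket factory that resolves the SSLContext at connect time.
     * It carries no state, so it serializes cleanly inside RMI stubs, and the
     * SSLContext (with the private key) never leaves the client JVM. Sockets
     * already open keep the context they were created with.
     */
    public static final class SwitchableSslClientSocketFactory
            implements RMIClientSocketFactory, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Socket createSocket(String host, int port) throws IOException {
            SSLContext ctx = current;
            if (ctx == null) {
                throw new IOException("no SSLContext installed; call RuntimeSsl.setCurrent first");
            }
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            // A raw SSLSocket does not verify the hostname by itself; turn it on (Java 7+).
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            return s;
        }

        // RMI compares factories to decide whether stubs may share connections.
        @Override public boolean equals(Object o) { return o instanceof SwitchableSslClientSocketFactory; }
        @Override public int hashCode() { return SwitchableSslClientSocketFactory.class.hashCode(); }
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Example flow: start with the machine cert, then switch to the user keystore fetched over RMI. */
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();               // constructed placeholder password
        KeyStore trust = loadJks("truststore.jks", pw);     // placeholder path
        KeyStore machine = loadJks("machine.jks", pw);      // placeholder path
        setCurrent(build(machine, pw, trust));

        // ... look up the Certificate-Server through a stub exported with
        //     SwitchableSslClientSocketFactory and obtain the user's KeyStore ...
        KeyStore userKs = machine;                           // stand-in for the KeyStore returned by the server
        setCurrent(build(userKs, pw, trust));                // new RMI connections now present the user cert
    }
}
```

The server has to export its remote objects with this factory (and a matching SSL server socket factory) for the stub to carry it; javax.rmi.ssl.SslRMIClientSocketFactory will not do, because it always falls back to the JVM default SSLSocketFactory and therefore to the system properties the original poster wants to get away from. Only sockets opened after setCurrent() use the new keystore, so a switch does not re-authenticate connections RMI has already pooled.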

3 Replies
313 Views
