Home > Archive > Java Security > October 2006 > change keyStore and trustStore in SSL Communication
change keyStore and trustStore in SSL Communication

mcclintoc@gmx.net

2006-10-17, 8:00 am

Hello @ all,

I'm writing a framework for certificate-based authorization. As far as
the "workflow" is concerned, the client connects to a
Certificate-Server via RMI over an SSL-secured connection. This
connection is secured via a machine-cert. Among other things I retrieve
a KeyStore object from the Certificate-Server containing the
certificates for the user.

Currently I'm specifying the keystore and truststore for the
machine-cert via

System.setProperty("javax.net.ssl.[trustStore,keyStore]", <file>)

But after retrieving the user keystore, any further communication has to
be based upon the new keystore.

My question is now: how do I change the keyStore/trustStore used for
SSL-based communication at runtime?
I dug deep into the web but haven't found anything helpful. Maybe
someone can throw me a bone, please?


A lot of thanks in advance,

Steven McClintoc

Ferenc Hechler

2006-10-30, 7:33 pm

mcclintoc@gmx.net wrote:
> Currently I'm specifying the keystore and truststore for the
> machine-cert via
>
> System.setProperty("javax.net.ssl.[trustStore,keyStore]",<file> )
>
> But after retrieving the user keystore any further communication has to
> be based upon the new keystore.
>
> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?


We have done something similar with Client-Cert-Authentication for
Web-Services using Axis.

The solution was to merge all keystores together into one big keystore.
This is not quite easy, because keytool does not support merging private
keys. Have a look at http://www.comu.de/docs/tomcat_ssl.htm .
The ImportKey application has to be adapted to be non-destructive.
If this is relevant for you, I can give you the modified src.

But this was not sufficient, because we had to decide which client-cert
to use based on some rules.
So we implemented our own JSSESocketFactory, which has methods like
getKeyManagers() and getTrustManagers().
This was done by setting the system property "axis.socketSecureFactory".

I know this is Axis-specific, but there must be some standard properties
for the normal SSL factory (perhaps "ssl.SocketFactory.provider"?).

Best regards,

feri

Hint: you can use "-Djavax.net.debug=ssl,handshake" to trace the SSL
handshake.

EJP

2006-10-30, 7:33 pm

mcclintoc@gmx.net wrote:

> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?
> I dug deep into the web but haven't found anything helpful. Maybe
> someone can throw me a bone, please?


All you have to do is create and initialize your own SSLContext with
your own KeyManagers etc. The Javadoc/Guide to Features/Security/JSSE
gives examples.

I'm curious about acquiring the keystores from a central place - I
wonder about the security, or the point, of this, and I have grave
reservations about RMI over SSL in the first place. Very grave.

Ronny Schuetz

2006-10-30, 7:33 pm

Hi,

You may implement your own X509KeyManager and X509TrustManager (see the
JSSE javadocs) and plug them in using SSLContext#init(). Inside the
key manager you can load your keys/certificates from wherever you want.
The trust manager can be used to decide whether to trust a peer certificate chain
or not.

Ronny
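The approach EJP and Ronny describe, as an added example that is not code from any of the posters: a fresh SSLContext is built around a KeyStore object obtained at runtime (no javax.net.ssl.* system properties involved), and a delegating X509KeyManager pins which client alias is presented, which is where Ferenc's rule-based selection would go. The class and method names, and the fixed-alias rule, are assumptions for illustration.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Builds a per-use SSLContext from KeyStore objects already in memory (hypothetical class). */
public final class RuntimeSslContext {

    /** Delegating X509KeyManager that always presents one chosen client alias. */
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;
        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate; this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
            return alias;   // selection rule lives here; a fixed alias is the simplest rule (assumption)
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
            return delegate.chooseServerAlias(keyType, issuers, s);
        }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** userKeys: the KeyStore retrieved at runtime; trustAnchors: a separate store holding only CA certs. */
    public static SSLContext build(KeyStore userKeys, char[] keyPassword,
                                   KeyStore trustAnchors, String clientAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(userKeys, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedAliasKeyManager((X509KeyManager) kms[i], clientAlias);
            }
        }
        // Keep trust anchors apart from private keys so the key store never doubles as a trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustAnchors);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);   // null SecureRandom = provider default
        return ctx;
    }
}
```

Sockets created from ctx.getSocketFactory() use the runtime keystore; for the RMI case a custom RMIClientSocketFactory has to hand out sockets from this factory, since the stock SSL RMI factories pick up the default context.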

Copyright 2008 codecomments.com