Invalid certification path - tomcat, SSL, Jasig - java

I am trying to log into cas-management-app using cas-server-webapp and I have problems with the certification path.
I generated keystore file:
"$JAVA_HOME/bin/keytool.exe" -genkey -alias tomcat -keyalg RSA
Enter keystore password: pass
Re-enter new password: pass
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: localhost
What is the name of your organization?
[Unknown]: localhost
What is the name of your City or Locality?
[Unknown]: Crc
What is the name of your State or Province?
[Unknown]: Lesser
What is the two-letter country code for this unit?
[Unknown]: PL
Is CN=localhost, OU=localhost, O=localhost, L=Crc, ST=Lesser, C=PL correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password): pass
Re-enter new password: pass
I changed the Tomcat configuration:
server.xml
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:/Users/Mateusz/.keystore" keystorePass="pass"
clientAuth="false" sslProtocol="TLS"/>
The value of keystoreFile is a valid path.
In the next step I exported the certificate (using the browser) to localhost.crt and added it to cacerts:
"$JAVA_HOME/bin/keytool.exe" -import -alias incommon -file <localhost.crt location> -keystore cacerts -storepass changeit
When I list cacerts, everything is OK:
$ "$JAVA_HOME/bin/keytool.exe" -v -list -keystore cacerts -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: incommon
Creation date: 2015-11-02
Entry type: trustedCertEntry
Owner: CN=localhost, OU=localhost, O=localhost, L=Crc, ST=Lesser, C=PL
Issuer: CN=localhost, OU=localhost, O=localhost, L=Crc, ST=Lesser, C=PL
Serial number: 32432ba5
Valid from: Mon Nov 02 19:19:02 CET 2015 until: Sun Jan 31 19:19:02 CET 2016
Certificate fingerprints:
MD5: 9F:A6:4A:B0:F3:26:89:60:73:5C:CA:36:59:0A:32:F9
SHA1: 62:12:60:61:A9:3D:83:E8:1B:C5:3A:85:27:9A:7F:A7:D3:54:7D:D1
SHA256: F1:43:EE:6E:F7:D4:C6:DF:20:16:71:C1:0D:F5:88:5F:85:21:BE:E6:3C:E5:C1:8D:28:6A:51:BB:38:E7:A2:94
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B0 94 2A 98 B8 A4 21 71 EB 34 46 D4 16 67 24 E8 ..*...!q.4F..g$.
0010: 67 61 C4 D6 ga..
]
]
When I run the Tomcat server and open https://localhost:8443/cas-management, I can see the login form. After entering the user login and password I see this message:
The CAS management webapp is unavailable.
There was an error trying to complete your request. Please notify your support desk or try again.
The log files give me this information:
SEVERE: Servlet.service() for servlet [default] in context with path [/cas-management] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I tried to install the certs using the InstallCert class but nothing changed. I also tried setting the path to the trust store (jssecacerts) using truststoreFile and truststorePass in the Tomcat configuration.
I have no idea what I can do next to successfully configure SSL on my Tomcat server.

Related

REST client call fails with "SunCertPathBuilderException: unable to find valid certification path to requested target"

I am trying to test 2 applications locally. One is a REST API server, the other is a REST client. The server runs on Open Liberty in Eclipse. The client runs as a JUnit test in Eclipse.
I have installed our company certificate in the truststores of the Eclipse JRE and the server configuration. The unit test is configured to use the JRE which has the certificate installed, and I also set the truststore location explicitly in the run configuration:
-Djavax.net.ssl.keyStore="C:\Program Files\Java\jre\lib\security\cacerts"
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jre\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.debug=all
The error message contains:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
... 57 more
I enabled SSL debugging and saw
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=localhost, OU=OpenLibertyServer, O=ibm, C=us
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: <removed.....>
public exponent: 65537
Validity: [From: Thu Mar 19 15:08:27 CET 2020,
To: Fri Mar 19 15:08:27 CET 2021]
Issuer: CN=localhost, OU=OpenLibertyServer, O=ibm, C=us
SerialNumber: [ 21...29]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ...
]
The debugging also lists all of the certificates which are in the truststore, including the one I installed.
What might be wrong or missing here?
UPDATE
I set the truststore for the client to be the exact same truststore that the server uses and the problem is 'solved'. This is naturally not a realistic solution and is probably an indication that a certificate is actually missing. At least I can continue with testing...
I'm not sure what the cause of your problem is, but in my experience it's easier to import the trusted root certificate into the Windows store (it might already be pushed there by your company) and to add this JVM option:
-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
"C:\Program Files\Java\jre\lib\security\cacerts" is the default Java truststore; you need to add the certificate chain to the Java client cacerts.
Export the certificate chain in CER format with a tool or with Windows and add it to your default Java truststore like this:
keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourCertAlias -file path\to\yourCertificatChain.cer
Alternatively, if you want to switch JREs easily, you can put the certificate chain in an external truststore and call it with:
-Djavax.net.ssl.trustStore=<truststore path> -Djavax.net.ssl.trustStorePassword=<truststorepassword>

java.security.cert.CertPathValidatorException: Certificate chaining error

I have the following application error when accessing https://..appRoot../TestJavaMongo/test/mongo/all by following the doc: https://medium.com/@blumareks/mongodb-for-you-a-hardcore-java-cloud-developer-f67b909834f4
I'm testing a connection to the MongoDB service from the Liberty Java CF app on IBM Cloud. How do I resolve the error?
Error 500: com.mongodb.MongoTimeoutException: Timed out after
30000 ms while waiting for a server that matches
WritableServerSelector. Client view of cluster state is {type=UNKNOWN,
servers=[{address=sl-us-south-1-portal.16.dblayer.com:50233,
type=UNKNOWN, state=CONNECTING,
exception={com.mongodb.MongoSocketWriteException: Exception sending
message},
caused by {javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h:
PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=********* is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error}, ...
$ keytool -list -v -keystore mongoKeyStore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mykey
Creation date: 24/06/2017
Entry type: trustedCertEntry
Owner: CN=mwsadows@us.ibm.com-0b24b0ff06b390e0cc5e803aecd5ec82
Issuer: CN=mwsadows@us.ibm.com-0b24b0ff06b390e0cc5e803aecd5ec82
Serial number: 59491e1b
Valid from: Tue Jun 20 23:07:39 AEST 2017 until: Sat Jun 20 23:00:00 AEST 2037
Certificate fingerprints:
MD5: A4:54:21:6A:52:E1:8B:CB:07:CC:25:A3:3B:1A:8B:05
SHA1: BE:5D:AE:94:C3:A5:37:2D:43:B2:E7:FC:CF:39:19:EE:B8:10:29:9B
SHA256: D5:6B:EB:D6:88:36:D4:77:06:9B:8D:2B:83:39:9B:95:A5:E3:22:09:99:EF:32:89:31:E2:88:C2:86:58:83:62
Signature algorithm name: SHA512withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 2C 47 37 D6 4C B7 24 E9 A1 AA 14 01 4A 12 AD e,G7.L.$.....J..
0010: 63 E0 7C 56 c..V
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 2C 47 37 D6 4C B7 24 E9 A1 AA 14 01 4A 12 AD e,G7.L.$.....J..
0010: 63 E0 7C 56 c..V
]
]
I recently had this same issue with our DB provider; they sent me their .crt file and I had to create a keystore with it.
keytool -import -alias "name" -file "/path/to/file" -keystore "/path/to/keystore/file" -storetype pkcs12 -storepass "keystorepass"
Then in my main class I defined the truststore and truststore password:
System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore/file");
System.setProperty("javax.net.ssl.trustStorePassword", "keystorepass");
Hope it helps.
As the error says, the certificate isn't trusted. I see that tutorial has a pretty substantial section on importing the certificate from the Mongo service into a keystore and setting it as the trustStore for Liberty. Double check those steps to make sure that you:
Correctly obtained and saved the certificate from the Mongo service, i.e. that it is not incomplete or corrupted or anything.
Check that you created a keystore using the keytool command in the correct location, that you replaced the one from the repository if you checked that out, and that it includes the certificate you saved for the Mongo server. You can use keytool -list -v -keystore <path_to_keystore.jks> on your keystore to see what's inside.
Check that you configured Liberty correctly to use this keystore as your trust store. I think the tutorial is a little misleading, as it says:
"A typical application will also need to set several JVM system properties to ensure that the client presents an TLS/SSL certificate to the MongoDB server: javax.net.ssl.keyStore The path to a key store containing the client's TLS/SSL certificates; javax.net.ssl.keyStorePassword The password to access this key store"
However, I think you actually need to set this keystore you created as the value for the javax.net.ssl.trustStore property (and set the trustStorePassword property accordingly) because the JVM uses the trustStore to check the public keys of hosts it is connecting to for trust.
Either way, make sure those properties are set appropriately and that Liberty is not throwing up any errors in the logs related to it on server start.
Once you have verified the whole chain (that you have exported the correct certificate, that you have created a keystore that contains that certificate, and that you have set that keystore as the truststore for the server), you should have security set up to talk to the Mongo server correctly. If you have changed the existing truststore while the server is running you have to restart the server for it to pick up those changes.
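The three threads so far (the CAS/Tomcat question, the REST client, and the Liberty/Mongo app) all fail at the same point: the JVM's PKIX validator cannot build a path from the peer certificate to an anchor in the truststore that is actually in use, which is often a different cacerts file from the one the certificate was imported into. The diagnostic below is an added example, not code from any of the posts or from CAS, Liberty or MongoDB. It resolves the truststore the way the SunJSSE defaults do when javax.net.ssl.trustStore is unset (jssecacerts, then cacerts, under the running JVM's java.home), loads a DER or PEM certificate chain such as an exported localhost.crt, and checks it with the JVM's own X509TrustManager; the class name, argument order and the assumed default password changeit are this example's own choices.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical diagnostic: does the truststore this JVM would use trust a given certificate chain? */
public class TrustStoreCheck {

    /** Same lookup order SunJSSE applies when javax.net.ssl.trustStore is not set. */
    static Path resolveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return Paths.get(explicit);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** JKS on Java 8; on Java 9+ the default type reads both JKS and PKCS12 (keystore.type.compat). */
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more certificates from a DER or PEM file, leaf first as the server sends them. */
    static X509Certificate[] loadChain(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Null when the chain validates against the store, otherwise the validator's own message. */
    static String validate(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // This is the same check the TLS handshake performs on the server's chain.
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return null;
                } catch (Exception e) {
                    return e.getMessage();
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustStoreCheck <chain.crt> [truststore] [storepass]  (storepass defaults to changeit)
        Path chainFile = Paths.get(args[0]);
        Path store = args.length > 1 ? Paths.get(args[1]) : resolveTrustStore();
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = loadTrustStore(store, pass);
        X509Certificate[] chain = loadChain(chainFile);
        System.out.println("Truststore in use: " + store + " (" + ks.size() + " entries)");
        for (X509Certificate c : chain) {
            System.out.println("  " + c.getSubjectX500Principal() + "  issued by  " + c.getIssuerX500Principal());
        }
        String failure = validate(ks, chain);
        System.out.println(failure == null ? "RESULT: chain is trusted" : "RESULT: NOT trusted: " + failure);
    }
}
```

Run it with the same java binary that starts Tomcat or Liberty, and with the same -Djavax.net.ssl.trustStore setting if the server has one; a "trusted" result under any other JRE only proves the certificate went into a cacerts that the server never reads.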

How correct certificate is getting picked up in JKS in ssl handshake

Let's say I have a Java client app and it tries to connect to a server (example.com) over HTTPS. The client app has a trust store JKS, which has the server's certificate and some other certificates as well. In the handshake process, when the server sends its certificate to this client app, how will the correct certificate be picked up from the trust store JKS, i.e. based on what parameters does Java match the certificate sent by the server with the certificates stored in the JKS?
Matching is done by the certificate's Subject.
E.g. if you browse https://www.google.com/ and look at their certificate, it shows a certificate chain with:
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Issued by: /C=US/O=Google Inc/CN=Google Internet Authority G2
Issued by: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Issued by: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
* Actually obtained using openssl s_client -connect www.google.com:443 -showcerts
The certificate will be trusted if any of these are in your truststore.
You can scan the truststore like this (assuming you have grep):
keytool -list -keystore /path/to/cacerts -storepass changeit -v | grep "CN=GeoTrust Global CA" -B 4 -A 8
To get this kind of output:
Alias name: geotrustglobalca
Creation date: Jul 18, 2003
Entry type: trustedCertEntry
Owner: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Serial number: 23456
Valid from: Tue May 21 00:00:00 EDT 2002 until: Sat May 21 00:00:00 EDT 2022
Certificate fingerprints:
MD5: F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
SHA1: DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
SHA256: FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A
Signature algorithm name: SHA1withRSA
Version: 3

Oracle Java 7 keytool cannot import pkcs11 keystore into JKS: not PKCS 8 encoded

I have followed the Oracle guide to try to import the PKCS#11 keystore on my smartcard into a JKS keystore in my filesystem, on Ubuntu 16.04. I have Oracle JDK 7 installed, and the driver file for my Izenpe card.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
And I have encountered this bug with OpenJDK 7:
java keytool with opensc pkcs#11 provider only works with debug option enabled
stating that with OpenJDK the implementation has a bug and you should work around it. The post doesn't solve my problem, so I switched to Oracle JDK 7, where I can list the private key entry on my card:
keytool -keystore NONE -storetype PKCS11 \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg $JAVA_HOME/config.ini \
-v -list
where the config.ini is:
name=Izenpe-static
library=/usr/lib/libbit4ipki.so
showInfo=true
So, I get:
easternfox@easternfox-Ubuntu:~/下载/electronic-wechat-production$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/easternfox/文档/config.ini -v -list
Information for provider SunPKCS11-Izenpe-static
Library info:
cryptokiVersion: 2.20
manufacturerID: bit4id srl
flags: 0
libraryDescription: bit4id PKCS#11
libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00
manufacturerID: unknown
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Token info for token in slot 0:
label: IZENPE
manufacturerID: Oberthur Technologies
model: Cosmo ID ONE (L)
serialNumber: 1550001000002654
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
ulSessionCount: 0
ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
......
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-Izenpe-static
Your keystore contains 1 entry
Alias name: CIUDADANO FICTICIO ACTIVO
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=92920000T, SURNAME=FICTICIO, GIVENNAME=CIUDADANO, CN=CIUDADANO FICTICIO ACTIVO, DNQ=-dni 92920000T, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Herritar ziurtagiria - Certificado de ciudadano, OU=Ziurtagiri onartua - Certificado reconocido, C=ES
Issuer: CN=Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (4), OU=NZZ Ziurtagiri publikoa - Certificado publico SCI, O=IZENPE S.A., C=ES
......
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 DE A8 79 08 14 F9 FA 05 2C BF 8B 65 99 69 91 ...y.....,..e.i.
0010: EA 5D 70 45 .]pE
]
]
*******************************************
*******************************************
And, when I try keytool -importkeystore, I have several errors:
Running keytool -importkeystore --help gives me a lot of useful information:
keytool -importkeystore [OPTION]...
Imports one or all entries from another keystore
Options:
-srckeystore <srckeystore> source keystore name
-destkeystore <destkeystore> destination keystore name
-srcstoretype <srcstoretype> source keystore type
-deststoretype <deststoretype> destination keystore type
-srcstorepass <arg> source keystore password
-deststorepass <arg> destination keystore password
-srcprotected source keystore password protected
-srcprovidername <srcprovidername> source keystore provider name
-destprovidername <destprovidername> destination keystore provider name
-srcalias <srcalias> source alias
-destalias <destalias> destination alias
-srckeypass <arg> source key password
-destkeypass <arg> destination key password
-noprompt do not prompt
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
Use "keytool -help" for all available commands
If I omit srckeypass/destkeypass, I have:
easternfox@easternfox-Ubuntu:$ keytool -srckeystore NONE -srcstoretype PKCS11 \
-destkeystore /home/easternfox/my.new.jks -deststoretype jks -deststorepass qwerqwer \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg $JAVA_HOME/config.ini \
-v -importkeystore
Information for provider SunPKCS11-Izenpe-static
Library info:
cryptokiVersion: 2.20
manufacturerID: bit4id srl
flags: 0
libraryDescription: bit4id PKCS#11
libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00
manufacturerID: unknown
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Token info for token in slot 0:
label: IZENPE
manufacturerID: Oberthur Technologies
model: Cosmo ID ONE (L)
serialNumber: 1550001000002654
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
ulSessionCount: 0
ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: 65535
....
Enter source keystore password:
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: non-null password required to create PrivateKeyEntry.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
Do you want to quit the import process? [no]: n
Import command completed: 0 entries successfully imported, 1 entries failed or cancelled
[Storing /home/easternfox/my.new.jks]
So, I see the non-null password required error, and I try to specify the srckeypass and destkeypass, and get another error:
keytool error: java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1864)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1024)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
So, I must add srcalias. So I do it, and:
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
[Storing /home/easternfox/my.new.jks]
Another error has occurred, suggesting that the private key in the card is not PKCS#8 encoded.
How to solve this? Is this a bug? Or just manufacturer-related issue?
What I have tried:
I tried specifying the argument -providerpath to switch to another sunpkcs11.jar, the one from Oracle JDK 8, to no avail.
I changed the driver coming with the card to another version. Not working.
EDIT:
I have tried to code a little and get the same error, with some stacktraces:
java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:259)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.constructJKSKeyStore(PKCS11KeyStoreConstuctor.java:66)
at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.main(PKCS11KeyStoreConstuctor.java:22)
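As an added example (not code from the question or from Oracle's guide): the KeyProtector frame in that stack trace is the JKS store asking the private key for its PKCS#8 bytes, and the key object SunPKCS11 returns for a sensitive, non-extractable key on a card answers null from getEncoded() and getFormat(), which is exactly what "Cannot get key bytes, not PKCS#8 encoded" reports, so no keytool option changes the outcome. The program below opens the same config.ini through SunPKCS11 (Java 7/8 constructor or Java 9+ configure(), both via reflection so it compiles on either), reports for each key entry whether it is exportable at all, and then initialises an SSLContext straight from the token keystore so the key is used where it lives; the class name, argument handling and the null key password are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/** Hypothetical diagnostic: can this PKCS#11 key be copied into a JKS, and if not, how to use it in place. */
public class Pkcs11KeyInspect {

    /** Load SunPKCS11 for one config file on Java 7/8 (constructor) or Java 9+ (configure). */
    static Provider loadProvider(String configPath) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        if (base != null) {
            // Java 9+: the provider is registered unconfigured; configure() binds it to the config file.
            return (Provider) Provider.class.getMethod("configure", String.class).invoke(base, configPath);
        }
        // Java 7/8: no such provider is registered; instantiate it with the config path.
        return (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                .getConstructor(String.class).newInstance(configPath);
    }

    /** The token is the keystore: load() with no stream performs the PIN login. */
    static KeyStore loadToken(Provider p, char[] pin) throws Exception {
        KeyStore token = KeyStore.getInstance("PKCS11", p);
        token.load(null, pin);
        return token;
    }

    /** JKS (KeyProtector.protect) can only store a key that exposes its PKCS#8 encoding. */
    static boolean isExportable(PrivateKey key) {
        return key.getEncoded() != null && "PKCS#8".equalsIgnoreCase(key.getFormat());
    }

    public static void main(String[] args) throws Exception {
        // Usage: java Pkcs11KeyInspect <path/to/config.ini> <PIN>
        Provider p = loadProvider(args[0]);
        KeyStore token = loadToken(p, args[1].toCharArray());

        for (Enumeration<String> e = token.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!token.isKeyEntry(alias)) {
                continue;
            }
            // SunPKCS11 ignores the key password; the PIN given at load() is what unlocked the token.
            PrivateKey key = (PrivateKey) token.getKey(alias, null);
            System.out.println(alias + ": " + key.getAlgorithm()
                    + " format=" + key.getFormat()
                    + " exportable-to-JKS=" + isExportable(key));
        }

        // Non-exportable keys are still usable for TLS: hand the token keystore to the key manager.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(token, null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println("SSLContext ready with " + kmf.getKeyManagers().length + " key manager(s) backed by the card");
    }
}
```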

keytool Java and TLS/SSL

I have a socket client and server socket. The server has a keystore with a key in it.
keytool -genkey -alias mystuff -keyalg RSA -keystore keystore.jks -keysize 2048
This page says that it generates a key pair when the above command is run. https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
When I run this command:
keytool -list -v -keystore keystore.jks
I can see:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mystuff
Creation date: 25-Jun-2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Richard, OU=OSS, O=OSS, L=Yat, ST=Hamp, C=GB
Issuer: CN=Richard, OU=OSS, O=OSS, L=Yat, ST=Hamp, C=GB
Serial number: 48ee5103
Valid from: Thu Jun 25 17:09:18 BST 2015 until: Sun Jun 19 17:09:18 BST 2016
Certificate fingerprints:
MD5: 60:63:F2:41:A3:AB:DB:E0:63:F9:B0:E4:C8:2C:90:D4
SHA1: 52:8A:F7:76:82:B7:E9:BE:D3:4E:4A:3C:DD:CF:8A:58:A6:9F:70:DE
SHA256: 3C:80:C1:0E:E7:30:DD:69:9F:97:A9:02:F9:4E:6E:57:84:82:C5:22:0E:7F:7A:EE:C1:D2:7A:8A:45:A3:86:79
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 4F 07 15 3A 9A 8C 59 6A 65 EB B6 62 FD 77 C5 BO..:..Yje..b.w.
0010: AC E3 B2 4F ...O
]
]
What I am seeing there is the certificate, but what does the entry type PrivateKeyEntry mean?
So ... when I load the Java Server:
java -Djavax.net.ssl.keyStore=keystore.jks -Djavax.net.ssl.keyStorePassword=somepassword EchoServer
I can point it to the keystore so it can be used in setting up the SSLServerSocket.
Now on the client side, does the client just need the exported crt from that keystore, using this command?
keytool -export -alias mystuff -file mystuff.crt -keystore keystore.jks
Or is something else required to enable secure SSL between the Java sockets?
Additional Information
Standard Java Notes
Running server and client using SSL
http://stilius.net/java/java_ssl.php
First copy the certificate file that you created before into the working directory and run the server with these parameters (notice that you have to change the keyStore name and/or trustStorePassword if you specified different options when creating the certificate):
java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword=123456 EchoServer
And now again copy the certificate file that you created before into the working directory and run the client with these parameters (notice that you have to change the keyStore name and/or trustStorePassword if you specified different options when creating the certificate):
java -Djavax.net.ssl.trustStore=mySrvKeystore -Djavax.net.ssl.trustStorePassword=123456 EchoClient
If you want SSL debug information just add these parameters when running server and/or client:
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl
javax.net.ssl.keyStore - Location of the Java keystore file containing an application process's own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
javax.net.ssl.keyStorePassword - Password to access the private key from the keystore file specified by javax.net.ssl.keyStore. This password is used twice: To unlock the keystore file (store password), and To decrypt the private key stored in the keystore (key password).
javax.net.ssl.trustStore - Location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
If a trust store location is not specified using this property, the SunJSSE implementation searches for and uses a keystore file in the following locations (in order):
$JAVA_HOME/lib/security/jssecacerts
$JAVA_HOME/lib/security/cacerts
javax.net.ssl.trustStorePassword - Password to unlock the keystore file (store password) specified by javax.net.ssl.trustStore.
javax.net.ssl.trustStoreType - (Optional) For Java keystore file format, this property has the value jks (or JKS). You do not normally specify this property, because its default value is already jks.
javax.net.debug - To switch on logging for the SSL/TLS layer, set this property to ssl.
Richard
