db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Embretsen <John.Embret...@Sun.COM>
Subject Re: Starting the derby sever with ssl
Date Tue, 04 Nov 2008 08:33:06 GMT
Hi Reda, Rick,

Indeed, I believe Rick's understanding is correct. Some caveats I
noticed when experimenting with SSL and Sun's keytool and JCE
implementation a while ago:

 - The keystore must contain only one key pair, or the key pair to be
used must be listed first in the keystore (it seems). Otherwise the
implementation will pick the wrong key (there is no way to specify a
specific key), and clients may see an exception message such as "unable
to find valid certification path to requested target."

 - The password of the private key in the keystore must be the same as
the password of the keystore, since there is no way to specify a
key-specific password.


Rick Hillegas wrote:
> Hi Reda,
> I'm not an expert on the internals of Java's SSL support. Perhaps we'll
> get a response from someone who knows more than I do. My understanding
> was that the default key manager picks the first usable entry from the
> keystore and, for this reason, it's typical for a keystore to hold only
> one object. You can override this behavior by writing your own key
> manager. The following link may be useful:
> http://books.google.com/books?id=EhX9BjHj9M4C&pg=PA314&lpg=PA314&dq=java+keystore+vs+truststore&source=web&ots=sNVm3qmI-U&sig=UOihfFE_1MJC625sAVhd1yrUUJQ#PPA328,M1
> Hope this helps,
> -Rick
> Reda Jazouli wrote:
>> Hi Rick, thank you for your reply, but my question is how does java
>> knows wich key it
>> has to choose from the given keystore ?
>> Thanks in advance
>> Rick Hillegas-2 wrote:
>>> Hi Reda,
>>> The documentation on Derby's security features is scattered and hard
>>> to follow. You will find more information on how to configure SSL in
>>> the Derby Server and Administration Guide in a section titled
>>> "Network encryption and authentication with SSL/TLS". You will
>>> probably want to set several startup options. Something like the
>>> following:
>>> java -Djavax.net.ssl.keyStore=serverKeyStore.key \
>>>      -Djavax.net.ssl.keyStorePassword=qwerty \
>>>      -Djavax.net.ssl.trustStore=serverTrustStore.key \
>>>      -Djavax.net.ssl.trustStorePassword=qwerty \
>>>      -jar derbyrun.jar server start -ssl peerAuthentication
>>> More examples of how to configure Derby's SSL support can be found in
>>> the security white paper located here:
>>> http://developers.sun.com/javadb/reference/whitepapers/index.jsp
>>> Hope this helps,
>>> -Rick
>>> Reda Jazouli wrote:
>>>> Hi, As mentioned in the Derby tuning guide, its possible to start
>>>> the derby
>>>> server in the way that is accepts only ssl connections.
>>>> Its only required to give at startup a java keystore and a the
>>>> keystores
>>>> password.
>>>> My question is, how does the server know wich key is to use from the
>>>> given
>>>> keystore ?? I thought that there is a java property that has to be
>>>> set before startup
>>>> and that indicates wich key from the given keystore, has to be used.
>>>> Thanks im advance.
>>>> Reda

John H. Embretsen

Senior QA Engineer (MySQL/Falcon)
Sun Microsystems, Database Group
Haakon VII gt. 7b, N-7485 Trondheim, Norway
Tel: x43447/+47 73842147  Cell: +47 97061091

View raw message