19 Replies Latest reply on Nov 6, 2003 5:05 PM by adrian.brock
      • 15. Re: JMS over SSL

        Sorry that should be jndi name

        java:/jaas/SSL

        Regards,
        Adrian

        • 16. Re: JMS over SSL
          colinmadere

          Thanks for the full example Adrian. Working for me now, it was the client needing access to the truststore that was missing for me. (If I was fully versed in client SSL work I might have figured this out, but it's new to me).

          If anyone has a reference to how they handle this truststore situation (since clients aren't going to be on the server in most situations) with regards to getting or preinstalling a server's certificate and adding to a client truststore I'd appreciate it.

          • 17. Re: JMS over SSL

            It is in the java documentation.

            In simple terms, the truststore is like a keystore except it only
            contains the public keys.

            The other alternative is to get your public key signed
            by somebody like Verisign.
            cacerts in the jdk trusts Verisign.

            Incidentally, you might want to change the password
            for cacerts, it is "changeit" by default.

            Regards,
            Adrian

            • 18. Re: JMS over SSL
              colinmadere

               

              "colinmadere" wrote:
              Sorry, to be more clear. I know the docs say "run keytool blah blah, then copy the file and on the client run keytool -import blah blah".

              What I meant was a real solution to _managing_ this situation for a client application distribution. Obviously I'm not going to have my users (who are not programmers) running a bunch of things on the Windows command line. Was hoping to find a "patterned" solution for this.

              Now rereading your response, are you saying the only reason I have to set the trustStore sysproperty on the client is because I'm using my own generated certs?

              Also, if you have a simple 'yes' or 'no', can I in some clean way piggy-back on the browser's trusted CA list?
              (Have a client who will not be using default CA, but will have it registered in their installed browsers)

              Off to read more docs....


              • 19. Re: JMS over SSL

                Not sure what browsers have to do with this?

                Certificates form a chain of trust.
                jre -> your certificate -> trusted signer

                If you just create your own certificate it won't be trusted.

                Get your certificate signed by a trust authority and the
                problem goes away.
                The default trust authorities are in cacerts in the jre.

                Regards,
                Adrian
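
For the distribution question in reply 18, one approach that needs no keytool step on the user's machine is to ship the truststore inside the client jar and set the trustStore system property from code before the first SSL connection. This is an added example, not code from the thread or from JBoss; the class name, the resource name `/client.truststore` and the password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class BundledTrustStore {
    // Assumed names for this example: a JKS file packaged at the jar root.
    private static final String RESOURCE = "/client.truststore";
    private static final char[] PASSWORD = "placeholder-password".toCharArray();

    /** Copies the bundled truststore to a temp file and points JSSE at it. */
    public static Path install() throws Exception {
        Path target = Files.createTempFile("client", ".truststore");
        target.toFile().deleteOnExit();
        try (InputStream in = BundledTrustStore.class.getResourceAsStream(RESOURCE)) {
            if (in == null) {
                throw new IllegalStateException("missing resource " + RESOURCE);
            }
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        // Fail early: the file must load as a keystore and hold valid trusted certs.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(target)) {
            ks.load(in, PASSWORD); // also verifies the store's integrity check
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                cert.checkValidity(); // throws if expired or not yet valid
                trusted++;
            }
        }
        if (trusted == 0) {
            throw new IllegalStateException("no trusted certificate entries");
        }
        // Must run before JSSE builds its default context (first SSL socket).
        System.setProperty("javax.net.ssl.trustStore", target.toString());
        System.setProperty("javax.net.ssl.trustStorePassword", new String(PASSWORD));
        return target;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trustStore set to " + install());
        // Create the JNDI InitialContext and JMS connection after this point.
    }
}
```

Signing the client jar lets the recipient detect a swapped truststore, since whoever controls that file controls which servers the client will trust.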
