Posted to dev@ofbiz.apache.org by Scott Gray <le...@gmail.com> on 2006/07/09 05:19:01 UTC

RMI ssl certs

Hi All

I was wondering if anybody who knows how to do it, would mind updating 
the ssl certs for the rmi server?  I've been staring at the files for 
most of the day but I really have no idea about ssl, and what was going 
to be a quick browse through rmi is turning into a long browse through 
ssl.  Any help would be appreciated.

Thanks
Scott

Re: RMI ssl certs

Posted by Scott Gray <le...@gmail.com>.
lol, I looked through the wiki but obviously I didn't look hard enough.  
This will do perfectly!  I've already learnt far more about ssl today 
than I care to know.

Thanks
Scott

Brett Palmer wrote:
> Scott,
>
> If you want to test out the RMI client try using it without SSL.  Here
> are my notes on how to get this to work.
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=UsingNonSSLRMI
>
>
> Brett
>
> On 7/8/06, Scott Gray <le...@gmail.com> wrote:
>> I'm trying to use the ExampleRemoteClient in
>> framework/service/src/org/ofbiz/service/rmi but the client won't connect
>> because the rmi server certificate has expired and I don't know how to
>> replace it.  I was hoping someone who knew how could replace it in 
>> the svn.
>>
>> BJ Freeman wrote:
>> > at what level.
>> > how to replace the JKS or how to create the JKS
>> > if you look in the base/config you will see all the jks file including
>> > the rmi.
>> >
>> >
>> > Scott Gray sent the following on 7/8/2006 8:54 PM:
>> >> Hi BJ
>> >>
>> >> I saw the thread when it came through, that's what made me want to
>> >> take a look at rmi.  The thread didn't seem to have anything to do
>> >> with expired certificates though, and that's what i was hoping
>> >> someone who knows how could do, replace the expired rmi server
>> >> certificate.
>> >> I also saw Andrew's discussion with David and Andy on the old list
>> >> from a year or two ago, but that didn't help me much either.
>> >>
>> >> Regards
>> >> Scott
>> >>
>> >> BJ Freeman wrote:
>> >>> there was a discussion last few days in the user mailing list about RMI
>> >>> Brett Palmer gave some details.
>> >>>
>> >>>
>> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>> >>>> Hi All
>> >>>>
>> >>>> I was wondering if anybody who knows how to do it, would mind
>> >>>> updating the ssl certs for the rmi server?  I've been staring at
>> >>>> the files for most of the day but i really have no idea about ssl,
>> >>>> and what was going to be a quick browse through rmi is turning into
>> >>>> a long browse through ssl.  Any help would be appreciated.
>> >>>>
>> >>>> Thanks
>> >>>> Scott
>> >>>>
>> >>>
>> >>
>> >
>>
>

Re: RMI ssl certs

Posted by Brett Palmer <br...@gmail.com>.
Scott,

If you want to test out the RMI client try using it without SSL.  Here
are my notes on how to get this to work.

http://ofbizwiki.go-integral.com/Wiki.jsp?page=UsingNonSSLRMI


Brett

On 7/8/06, Scott Gray <le...@gmail.com> wrote:
> I'm trying to use the ExampleRemoteClient in
> framework/service/src/org/ofbiz/service/rmi but the client won't connect
> because the rmi server certificate has expired and I don't know how to
> replace it.  I was hoping someone who knew how could replace it in the svn.
>
> BJ Freeman wrote:
> > at what level.
> > how to replace the JKS or how to create the JKS
> > if you look in the base/config you will see all the jks file including
> > the rmi.
> >
> >
> > Scott Gray sent the following on 7/8/2006 8:54 PM:
> >> Hi BJ
> >>
> >> I saw the thread when it came through, that's what made me want to
> >> take a look at rmi.  The thread didn't seem to have anything to do
> >> with expired certificates though, and that's what i was hoping
> >> someone who knows how could do, replace the expired rmi server
> >> certificate.
> >> I also saw Andrew's discussion with David and Andy on the old list
> >> from a year or two ago, but that didn't help me much either.
> >>
> >> Regards
> >> Scott
> >>
> >> BJ Freeman wrote:
> >>> there was a discussion last few days in the user mailing list about RMI
> >>> Brett palmer gave some details.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>> Hi All
> >>>>
> >>>> I was wondering if anybody who knows how to do it, would mind
> >>>> updating the ssl certs for the rmi server?  I've been staring at
> >>>> the files for most of the day but i really have no idea about ssl,
> >>>> and what was going to be a quick browse through rmi is turning into
> >>>> a long browse through ssl.  Any help would be appreciated.
> >>>>
> >>>> Thanks
> >>>> Scott
> >>>>
> >>>
> >>
> >
>

Re: RMI ssl certs

Posted by Andrew Sykes <an...@sykesdevelopment.com>.
Scott,

Just so you know, certificate signing / chains are not required.

Best of luck with it.

- Andrew

On Mon, 2006-07-10 at 18:16 +1200, Scott Gray wrote:
> Hi Andrew
> 
> Thanks for the advice, I had figured most of it out already but couldn't 
> quite get there.  I wasn't sure what to do with ofbiztrust.jks as it 
> looked like ofbizrmi.jks and ofbizcerts.jks covered the keys I needed.  
> I deleted the respective client/server trustcerts and keys from those 2 
> keystores and then created new keys and exported the public certs, but 
> that didn't work.  When it looked like I needed to start signing the 
> keys (because the default ones have a cert chain?) that's when I gave up. 
> 
> But anyway all I wanted to do was have a go with rmi and see how I could 
> get it to do a few things I need doing, production isn't even a dot on 
> the horizon at this stage.
> 
> Thanks for your help
> Scott
> 
> 
> Andrew Sykes wrote:
> > Scott,
> >
> > You really don't want to use the SSL cert straight out of SVN, as this
> > would allow anyone else with a default cert to connect to your server.
> >
> > It's well worth looking at the instructions to make sure you can
> > generate certs for yourself.
> >
> > One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> > setup at both ends.
> >
> > For testing, the easiest way is to create a certificate, export it to the
> > trust store and then just copy both these files to the other instance.
> >
> > For production, remember that the truststore of the "client" would hold
> > the public key exported from the keystore of the "server". Conversely
> > the truststore of the "server" would hold the public key exported from
> > the keystore of the "client".
> >
> > Making the keystore and truststore identical on both sides makes life a
> > bit easier for testing, but make sure you toughen things up before you
> > go into production!!!
> >
> > - Andrew
> >
> > On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
> >   
> >> I'm trying to use the ExampleRemoteClient in 
> >> framework/service/src/org/ofbiz/service/rmi but the client won't connect 
> >> because the rmi server certificate has expired and I don't know how to 
> >> replace it.  I was hoping someone who knew how could replace it in the svn.
> >>
> >> BJ Freeman wrote:
> >>     
> >>> at what level.
> >>> how to replace the JKS or how to create the JKS
> >>> if you look in the base/config you will see all the jks file including 
> >>> the rmi.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:54 PM:
> >>>       
> >>>> Hi BJ
> >>>>
> >>>> I saw the thread when it came through, that's what made me want to 
> >>>> take a look at rmi.  The thread didn't seem to have anything to do 
> >>>> with expired certificates though, and that's what i was hoping 
> >>>> someone who knows how could do, replace the expired rmi server 
> >>>> certificate.
> >>>> I also saw Andrew's discussion with David and Andy on the old list 
> >>>> from a year or two ago, but that didn't help me much either.
> >>>>
> >>>> Regards
> >>>> Scott
> >>>>
> >>>> BJ Freeman wrote:
> >>>>         
> >>>>> there was a discussion last few days in the user mailing list about RMI
> >>>>> Brett palmer gave some details.
> >>>>>
> >>>>>
> >>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>>>           
> >>>>>> Hi All
> >>>>>>
> >>>>>> I was wondering if anybody who knows how to do it, would mind 
> >>>>>> updating the ssl certs for the rmi server?  I've been staring at 
> >>>>>> the files for most of the day but i really have no idea about ssl, 
> >>>>>> and what was going to be a quick browse through rmi is turning into 
> >>>>>> a long browse through ssl.  Any help would be appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Scott
> >>>>>>
> >>>>>>             
-- 
Kind Regards
Andrew Sykes <an...@sykesdevelopment.com>
Sykes Development Ltd
http://www.sykesdevelopment.com


Re: RMI ssl certs

Posted by Scott Gray <le...@gmail.com>.
Hi Andrew

Thanks for the advice, I had figured most of it out already but couldn't 
quite get there.  I wasn't sure what to do with ofbiztrust.jks as it 
looked like ofbizrmi.jks and ofbizcerts.jks covered the keys I needed.  
I deleted the respective client/server trustcerts and keys from those 2 
keystores and then created new keys and exported the public certs, but 
that didn't work.  When it looked like I needed to start signing the 
keys (because the default ones have a cert chain?) that's when I gave up. 

But anyway all I wanted to do was have a go with rmi and see how I could 
get it to do a few things I need doing, production isn't even a dot on 
the horizon at this stage.

Thanks for your help
Scott


Andrew Sykes wrote:
> Scott,
>
> You really don't want to use the SSL cert straight out of SVN, as this
> would allow anyone else with a default cert to connect to your server.
>
> It's well worth looking at the instructions to make sure you can
> generate certs for yourself.
>
> One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> setup at both ends.
>
> For testing, the easiest way is to create a certificate, export it to the
> trust store and then just copy both these files to the other instance.
>
> For production, remember that the truststore of the "client" would hold
> the public key exported from the keystore of the "server". Conversely
> the truststore of the "server" would hold the public key exported from
> the keystore of the "client".
>
> Making the keystore and truststore identical on both sides makes life a
> bit easier for testing, but make sure you toughen things up before you
> go into production!!!
>
> - Andrew
>
> On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
>   
>> I'm trying to use the ExampleRemoteClient in 
>> framework/service/src/org/ofbiz/service/rmi but the client won't connect 
>> because the rmi server certificate has expired and I don't know how to 
>> replace it.  I was hoping someone who knew how could replace it in the svn.
>>
>> BJ Freeman wrote:
>>     
>>> at what level.
>>> how to replace the JKS or how to create the JKS
>>> if you look in the base/config you will see all the jks file including 
>>> the rmi.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:54 PM:
>>>       
>>>> Hi BJ
>>>>
>>>> I saw the thread when it came through, that's what made me want to 
>>>> take a look at rmi.  The thread didn't seem to have anything to do 
>>>> with expired certificates though, and that's what i was hoping 
>>>> someone who knows how could do, replace the expired rmi server 
>>>> certificate.
>>>> I also saw Andrew's discussion with David and Andy on the old list 
>>>> from a year or two ago, but that didn't help me much either.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> BJ Freeman wrote:
>>>>         
>>>>> there was a discussion last few days in the user mailing list about RMI
>>>>> Brett palmer gave some details.
>>>>>
>>>>>
>>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>>>           
>>>>>> Hi All
>>>>>>
>>>>>> I was wondering if anybody who knows how to do it, would mind 
>>>>>> updating the ssl certs for the rmi server?  I've been staring at 
>>>>>> the files for most of the day but i really have no idea about ssl, 
>>>>>> and what was going to be a quick browse through rmi is turning into 
>>>>>> a long browse through ssl.  Any help would be appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Scott
>>>>>>
>>>>>>             

Re: RMI ssl certs

Posted by "A. Zeneski" <ja...@ofbiz.org>.
Exactly.

On Jul 9, 2006, at 6:55 AM, Andrew Sykes wrote:

> Scott,
>
> You really don't want to use the SSL cert straight out of SVN, as this
> would allow anyone else with a default cert to connect to your server.
>
> It's well worth looking at the instructions to make sure you can
> generate certs for yourself.
>
> One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> setup at both ends.
>
> For testing, the easiest way is to create a certificate, export it
> to the
> trust store and then just copy both these files to the other instance.
>
> For production, remember that the truststore of the "client" would  
> hold
> the public key exported from the keystore of the "server". Conversely
> the truststore of the "server" would hold the public key exported from
> the keystore of the "client".
>
> Making the keystore and truststore identical on both sides makes  
> life a
> bit easier for testing, but make sure you toughen things up before you
> go into production!!!
>
> - Andrew
>
> On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
>> I'm trying to use the ExampleRemoteClient in
>> framework/service/src/org/ofbiz/service/rmi but the client won't  
>> connect
>> because the rmi server certificate has expired and I don't know how to
>> replace it.  I was hoping someone who knew how could replace it in  
>> the svn.
>>
>> BJ Freeman wrote:
>>> at what level.
>>> how to replace the JKS or how to create the JKS
>>> if you look in the base/config you will see all the jks file  
>>> including
>>> the rmi.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:54 PM:
>>>> Hi BJ
>>>>
>>>> I saw the thread when it came through, that's what made me want to
>>>> take a look at rmi.  The thread didn't seem to have anything to do
>>>> with expired certificates though, and that's what i was hoping
>>>> someone who knows how could do, replace the expired rmi server
>>>> certificate.
>>>> I also saw Andrew's discussion with David and Andy on the old list
>>>> from a year or two ago, but that didn't help me much either.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> BJ Freeman wrote:
>>>>> there was a discussion last few days in the user mailing list  
>>>>> about RMI
>>>>> Brett palmer gave some details.
>>>>>
>>>>>
>>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>>>> Hi All
>>>>>>
>>>>>> I was wondering if anybody who knows how to do it, would mind
>>>>>> updating the ssl certs for the rmi server?  I've been staring at
>>>>>> the files for most of the day but i really have no idea about  
>>>>>> ssl,
>>>>>> and what was going to be a quick browse through rmi is turning  
>>>>>> into
>>>>>> a long browse through ssl.  Any help would be appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Scott
>>>>>>
>>>>>
>>>>
>>>
> -- 
> Kind Regards
> Andrew Sykes <an...@sykesdevelopment.com>
> Sykes Development Ltd
> http://www.sykesdevelopment.com
>


Re: RMI ssl certs

Posted by Andrew Sykes <an...@sykesdevelopment.com>.
Scott,

You really don't want to use the SSL cert straight out of SVN, as this
would allow anyone else with a default cert to connect to your server.

It's well worth looking at the instructions to make sure you can
generate certs for yourself.

One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
setup at both ends.

For testing, the easiest way is to create a certificate, export it to the
trust store and then just copy both these files to the other instance.

For production, remember that the truststore of the "client" would hold
the public key exported from the keystore of the "server". Conversely
the truststore of the "server" would hold the public key exported from
the keystore of the "client".

Making the keystore and truststore identical on both sides makes life a
bit easier for testing, but make sure you toughen things up before you
go into production!!!

- Andrew

On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
> I'm trying to use the ExampleRemoteClient in 
> framework/service/src/org/ofbiz/service/rmi but the client won't connect 
> because the rmi server certificate has expired and I don't know how to 
> replace it.  I was hoping someone who knew how could replace it in the svn.
> 
> BJ Freeman wrote:
> > at what level.
> > how to replace the JKS or how to create the JKS
> > if you look in the base/config you will see all the jks file including 
> > the rmi.
> >
> >
> > Scott Gray sent the following on 7/8/2006 8:54 PM:
> >> Hi BJ
> >>
> >> I saw the thread when it came through, that's what made me want to 
> >> take a look at rmi.  The thread didn't seem to have anything to do 
> >> with expired certificates though, and that's what i was hoping 
> >> someone who knows how could do, replace the expired rmi server 
> >> certificate.
> >> I also saw Andrew's discussion with David and Andy on the old list 
> >> from a year or two ago, but that didn't help me much either.
> >>
> >> Regards
> >> Scott
> >>
> >> BJ Freeman wrote:
> >>> there was a discussion last few days in the user mailing list about RMI
> >>> Brett palmer gave some details.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>> Hi All
> >>>>
> >>>> I was wondering if anybody who knows how to do it, would mind 
> >>>> updating the ssl certs for the rmi server?  I've been staring at 
> >>>> the files for most of the day but i really have no idea about ssl, 
> >>>> and what was going to be a quick browse through rmi is turning into 
> >>>> a long browse through ssl.  Any help would be appreciated.
> >>>>
> >>>> Thanks
> >>>> Scott
> >>>>
> >>>
> >>
> >
-- 
Kind Regards
Andrew Sykes <an...@sykesdevelopment.com>
Sykes Development Ltd
http://www.sykesdevelopment.com
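
The per-side layout Andrew describes for production (each side keeps its own key pair in ofbizrmi.jks and imports only the other side's exported certificate into ofbiztrust.jks), as an added keytool example that is not part of any message in this thread. The aliases, CN values, validity period, directory arguments, the STOREPASS variable and the use of openssl for the expiry check are assumptions; the certificates are self-signed.

```shell
#!/bin/sh
# Added example, not from the thread: one key store and one trust store per
# side, with only public certificates crossing over.
# Assumptions: aliases rmiserver/rmiclient, CN values, 365-day validity,
# the two directory arguments, and the STOREPASS environment variable.
set -eu

: "${STOREPASS:=replace-this-placeholder}"   # placeholder, set your own
export STOREPASS

# keytool with the JKS type and the password read from the environment,
# so the password does not appear in the process list.
kt() { keytool "$@" -storetype JKS -storepass:env STOREPASS; }

# make_identity DIR ALIAS CN: self-signed key pair in DIR/ofbizrmi.jks.
make_identity() {
  mkdir -p "$1"
  kt -genkeypair -alias "$2" -dname "CN=$3" -keyalg RSA -keysize 2048 \
     -validity 365 -keypass:env STOREPASS -keystore "$1/ofbizrmi.jks"
}

# export_pem STORE ALIAS: the certificate under ALIAS as PEM on stdout.
export_pem() { kt -exportcert -rfc -alias "$2" -keystore "$1" 2>/dev/null; }

# trust_peer PEER_DIR PEER_ALIAS OWN_DIR: copy the peer's public certificate
# (never its private key) into OWN_DIR/ofbiztrust.jks.
trust_peer() {
  export_pem "$1/ofbizrmi.jks" "$2" > "$3/$2.cer"
  kt -importcert -noprompt -alias "$2" -file "$3/$2.cer" \
     -keystore "$3/ofbiztrust.jks"
}

setup_mutual_trust() {   # SERVER_DIR CLIENT_DIR
  make_identity "$1" rmiserver rmi-server
  make_identity "$2" rmiclient rmi-client
  trust_peer "$1" rmiserver "$2"   # client trusts the server's certificate
  trust_peer "$2" rmiclient "$1"   # server trusts the client's certificate
}

# trusts_peer OWN_DIR PEER_DIR PEER_ALIAS: own trust store holds exactly the
# certificate that the peer's key store presents.
trusts_peer() {
  want=$(export_pem "$2/ofbizrmi.jks" "$3") || return 1
  have=$(export_pem "$1/ofbiztrust.jks" "$3") || return 1
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# has_alias STORE ALIAS: true if the store has an entry under ALIAS. A client
# key store carrying the server's alias means the key files were copied.
has_alias() { kt -list -alias "$2" -keystore "$1" >/dev/null 2>&1; }

# not_expired STORE ALIAS: true while the certificate has not passed its
# end date (openssl reads the exported PEM).
not_expired() {
  export_pem "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Runs only when given two directories: sh rmi-certs.sh ./server ./client
if [ "$#" -eq 2 ]; then
  setup_mutual_trust "$1" "$2"
  trusts_peer "$2" "$1" rmiserver && echo "client trusts server"
  trusts_peer "$1" "$2" rmiclient && echo "server trusts client"
  has_alias "$2/ofbizrmi.jks" rmiserver || echo "client does not hold the server key"
  not_expired "$1/ofbizrmi.jks" rmiserver && echo "server certificate is current"
fi
```

Running `not_expired` against an existing key store is also a quick way to confirm the expired-certificate condition that started the thread.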


Re: RMI ssl certs

Posted by Scott Gray <le...@gmail.com>.
I'm trying to use the ExampleRemoteClient in 
framework/service/src/org/ofbiz/service/rmi but the client won't connect 
because the rmi server certificate has expired and I don't know how to 
replace it.  I was hoping someone who knew how could replace it in the svn.

BJ Freeman wrote:
> at what level.
> how to replace the JKS or how to create the JKS
> if you look in the base/config you will see all the jks file including 
> the rmi.
>
>
> Scott Gray sent the following on 7/8/2006 8:54 PM:
>> Hi BJ
>>
>> I saw the thread when it came through, that's what made me want to 
>> take a look at rmi.  The thread didn't seem to have anything to do 
>> with expired certificates though, and that's what i was hoping 
>> someone who knows how could do, replace the expired rmi server 
>> certificate.
>> I also saw Andrew's discussion with David and Andy on the old list 
>> from a year or two ago, but that didn't help me much either.
>>
>> Regards
>> Scott
>>
>> BJ Freeman wrote:
>>> there was a discussion last few days in the user mailing list about RMI
>>> Brett palmer gave some details.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>> Hi All
>>>>
>>>> I was wondering if anybody who knows how to do it, would mind 
>>>> updating the ssl certs for the rmi server?  I've been staring at 
>>>> the files for most of the day but i really have no idea about ssl, 
>>>> and what was going to be a quick browse through rmi is turning into 
>>>> a long browse through ssl.  Any help would be appreciated.
>>>>
>>>> Thanks
>>>> Scott
>>>>
>>>
>>
>

Re: RMI ssl certs

Posted by BJ Freeman <bj...@free-man.net>.
at what level.
how to replace the JKS or how to create the JKS
if you look in the base/config you will see all the jks file including 
the rmi.


Scott Gray sent the following on 7/8/2006 8:54 PM:
> Hi BJ
> 
> I saw the thread when it came through, that's what made me want to take 
> a look at rmi.  The thread didn't seem to have anything to do with 
> expired certificates though, and that's what i was hoping someone who 
> knows how could do, replace the expired rmi server certificate.
> I also saw Andrew's discussion with David and Andy on the old list from 
> a year or two ago, but that didn't help me much either.
> 
> Regards
> Scott
> 
> BJ Freeman wrote:
>> there was a discussion last few days in the user mailing list about RMI
>> Brett palmer gave some details.
>>
>>
>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>> Hi All
>>>
>>> I was wondering if anybody who knows how to do it, would mind 
>>> updating the ssl certs for the rmi server?  I've been staring at the 
>>> files for most of the day but i really have no idea about ssl, and 
>>> what was going to be a quick browse through rmi is turning into a 
>>> long browse through ssl.  Any help would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>
> 

Re: RMI ssl certs

Posted by Scott Gray <le...@gmail.com>.
Hi BJ

I saw the thread when it came through, that's what made me want to take 
a look at rmi.  The thread didn't seem to have anything to do with 
expired certificates though, and that's what I was hoping someone who 
knows how could do, replace the expired rmi server certificate. 

I also saw Andrew's discussion with David and Andy on the old list from 
a year or two ago, but that didn't help me much either.

Regards
Scott

BJ Freeman wrote:
> there was a discussion last few days in the user mailing list about RMI
> Brett palmer gave some details.
>
>
> Scott Gray sent the following on 7/8/2006 8:19 PM:
>> Hi All
>>
>> I was wondering if anybody who knows how to do it, would mind 
>> updating the ssl certs for the rmi server?  I've been staring at the 
>> files for most of the day but i really have no idea about ssl, and 
>> what was going to be a quick browse through rmi is turning into a 
>> long browse through ssl.  Any help would be appreciated.
>>
>> Thanks
>> Scott
>>
>

Re: RMI ssl certs

Posted by BJ Freeman <bj...@free-man.net>.
there was a discussion last few days in the user mailing list about RMI
Brett Palmer gave some details.


Scott Gray sent the following on 7/8/2006 8:19 PM:
> Hi All
> 
> I was wondering if anybody who knows how to do it, would mind updating 
> the ssl certs for the rmi server?  I've been staring at the files for 
> most of the day but i really have no idea about ssl, and what was going 
> to be a quick browse through rmi is turning into a long browse through 
> ssl.  Any help would be appreciated.
> 
> Thanks
> Scott
> 

Re: RMI ssl certs

Posted by Scott Gray <le...@gmail.com>.
Thanks Brett, I'll give it a try

Brett Palmer wrote:
> Scott,
>
> I've generated my own certificates a handful of times and each time I
> have to look up how to do it.  This is why I stopped using the SSL RMI
> component because I got tired of copying the certificates around
> whenever I got a new download of ofbiz.  Here are some basic
> instructions on how to generate your own certificates:
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL
>
> and here are some good notes on the ofbiz RMI stuff:
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=RMIDispatcher
>
>
> Hope that helps.
>
>
> Brett
>
> On 7/8/06, Scott Gray <le...@gmail.com> wrote:
>> Hi All
>>
>> I was wondering if anybody who knows how to do it, would mind updating
>> the ssl certs for the rmi server?  I've been staring at the files for
>> most of the day but i really have no idea about ssl, and what was going
>> to be a quick browse through rmi is turning into a long browse through
>> ssl.  Any help would be appreciated.
>>
>> Thanks
>> Scott
>>
>

Re: RMI ssl certs

Posted by Brett Palmer <br...@gmail.com>.
Scott,

I've generated my own certificates a handful of times and each time I
have to look up how to do it.  This is why I stopped using the SSL RMI
component because I got tired of copying the certificates around
whenever I got a new download of ofbiz.  Here are some basic
instructions on how to generate your own certificates:

http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL

and here are some good notes on the ofbiz RMI stuff:

http://ofbizwiki.go-integral.com/Wiki.jsp?page=RMIDispatcher


Hope that helps.


Brett

On 7/8/06, Scott Gray <le...@gmail.com> wrote:
> Hi All
>
> I was wondering if anybody who knows how to do it, would mind updating
> the ssl certs for the rmi server?  I've been staring at the files for
> most of the day but i really have no idea about ssl, and what was going
> to be a quick browse through rmi is turning into a long browse through
> ssl.  Any help would be appreciated.
>
> Thanks
> Scott
>