Posted to derby-user@db.apache.org by Reda Jazouli <re...@gmail.com> on 2008/11/03 17:15:29 UTC

Starting the derby server with ssl

Hi, 
As mentioned in the Derby tuning guide, it's possible to start the Derby
server in a way that it accepts only SSL connections.

It's only required to give at startup a Java keystore and the keystore's
password.

My question is, how does the server know which key to use from the given
keystore? 
I thought that there is a Java property that has to be set before startup
and that indicates which key from the given keystore has to be used.

Thanks in advance.

Reda
-- 
View this message in context: http://www.nabble.com/Starting-the-derby-sever-with-ssl-tp20305614p20305614.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.


Re: Starting the derby server with ssl

Posted by Reda Jazouli <re...@gmail.com>.
Many, many thanks Rick, this is exactly what I was searching for.
I really didn't expect to obtain an answer so quickly.

Thanks Rick. :handshake:


Rick Hillegas-2 wrote:
> 
> Hi Reda,
> 
> I'm not an expert on the internals of Java's SSL support. Perhaps we'll 
> get a response from someone who knows more than I do. My understanding 
> was that the default key manager picks the first usable entry from the 
> keystore and, for this reason, it's typical for a keystore to hold only 
> one object. You can override this behavior by writing your own key 
> manager. The following link may be useful:
> 
> http://books.google.com/books?id=EhX9BjHj9M4C&pg=PA314&lpg=PA314&dq=java+keystore+vs+truststore&source=web&ots=sNVm3qmI-U&sig=UOihfFE_1MJC625sAVhd1yrUUJQ#PPA328,M1
> 
> Hope this helps,
> -Rick
> 
> Reda Jazouli wrote:
>> Hi Rick, 
>> thank you for your reply, but my question is how does Java know which key
>> it has to choose from the given keystore?
>>
>> Thanks in advance
>>
>> Rick Hillegas-2 wrote:
>>   
>>> Hi Reda,
>>>
>>> The documentation on Derby's security features is scattered and hard to 
>>> follow. You will find more information on how to configure SSL in the 
>>> Derby Server and Administration Guide in a section titled "Network 
>>> encryption and authentication with SSL/TLS". You will probably want to 
>>> set several startup options. Something like the following:
>>>
>>> java -Djavax.net.ssl.keyStore=serverKeyStore.key \
>>>      -Djavax.net.ssl.keyStorePassword=qwerty \
>>>      -Djavax.net.ssl.trustStore=serverTrustStore.key \
>>>      -Djavax.net.ssl.trustStorePassword=qwerty \
>>>      -jar derbyrun.jar server start -ssl peerAuthentication
>>>
>>> More examples of how to configure Derby's SSL support can be found in 
>>> the security white paper located here: 
>>> http://developers.sun.com/javadb/reference/whitepapers/index.jsp
>>>
>>> Hope this helps,
>>> -Rick
>>>
>>> Reda Jazouli wrote:
>>>     
>>>> Hi, 
>>>> As mentioned in the Derby tuning guide, it's possible to start the Derby
>>>> server in a way that it accepts only SSL connections.
>>>>
>>>> It's only required to give at startup a Java keystore and the
>>>> keystore's password.
>>>>
>>>> My question is, how does the server know which key to use from the
>>>> given keystore? 
>>>> I thought that there is a Java property that has to be set before
>>>> startup and that indicates which key from the given keystore has to be
>>>> used.
>>>>
>>>> Thanks in advance.
>>>>
>>>> Reda
>>>>   
>>>>       
>>>
>>>     
>>
>>   
> 
> 
> 
-- 
View this message in context: http://www.nabble.com/Starting-the-derby-sever-with-ssl-tp20305614p20311693.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.


Re: Starting the derby server with ssl

Posted by John Embretsen <Jo...@Sun.COM>.
Hi Reda, Rick,

Indeed, I believe Rick's understanding is correct. Some caveats I
noticed when experimenting with SSL and Sun's keytool and JCE
implementation a while ago:

 - The keystore must contain only one key pair, or the key pair to be
used must be listed first in the keystore (it seems). Otherwise the
implementation will pick the wrong key (there is no way to specify a
specific key), and clients may see an exception message such as "unable
to find valid certification path to requested target."

 - The password of the private key in the keystore must be the same as
the password of the keystore, since there is no way to specify a
key-specific password.


-- 
John



Rick Hillegas wrote:
> Hi Reda,
> 
> I'm not an expert on the internals of Java's SSL support. Perhaps we'll
> get a response from someone who knows more than I do. My understanding
> was that the default key manager picks the first usable entry from the
> keystore and, for this reason, it's typical for a keystore to hold only
> one object. You can override this behavior by writing your own key
> manager. The following link may be useful:
> 
> http://books.google.com/books?id=EhX9BjHj9M4C&pg=PA314&lpg=PA314&dq=java+keystore+vs+truststore&source=web&ots=sNVm3qmI-U&sig=UOihfFE_1MJC625sAVhd1yrUUJQ#PPA328,M1
> 
> 
> Hope this helps,
> -Rick
> 
> Reda Jazouli wrote:
>> Hi Rick, thank you for your reply, but my question is how does Java
>> know which key it
>> has to choose from the given keystore?
>>
>> Thanks in advance
>>
>> Rick Hillegas-2 wrote:
>>  
>>> Hi Reda,
>>>
>>> The documentation on Derby's security features is scattered and hard
>>> to follow. You will find more information on how to configure SSL in
>>> the Derby Server and Administration Guide in a section titled
>>> "Network encryption and authentication with SSL/TLS". You will
>>> probably want to set several startup options. Something like the
>>> following:
>>>
>>> java -Djavax.net.ssl.keyStore=serverKeyStore.key \
>>>      -Djavax.net.ssl.keyStorePassword=qwerty \
>>>      -Djavax.net.ssl.trustStore=serverTrustStore.key \
>>>      -Djavax.net.ssl.trustStorePassword=qwerty \
>>>      -jar derbyrun.jar server start -ssl peerAuthentication
>>>
>>> More examples of how to configure Derby's SSL support can be found in
>>> the security white paper located here:
>>> http://developers.sun.com/javadb/reference/whitepapers/index.jsp
>>>
>>> Hope this helps,
>>> -Rick
>>>
>>> Reda Jazouli wrote:
>>>    
>>>> Hi, As mentioned in the Derby tuning guide, it's possible to start
>>>> the Derby
>>>> server in a way that it accepts only SSL connections.
>>>>
>>>> It's only required to give at startup a Java keystore and the
>>>> keystore's
>>>> password.
>>>>
>>>> My question is, how does the server know which key to use from the
>>>> given
>>>> keystore? I thought that there is a Java property that has to be
>>>> set before startup
>>>> and that indicates which key from the given keystore has to be used.
>>>>
>>>> Thanks in advance.
>>>>
>>>> Reda
>>>>         
>>>
>>>     
>>
>>   
> 


-- 
John H. Embretsen

Senior QA Engineer (MySQL/Falcon)
Sun Microsystems, Database Group
Haakon VII gt. 7b, N-7485 Trondheim, Norway
Tel: x43447/+47 73842147  Cell: +47 97061091
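As an added pre-flight check for the two caveats John lists (my own code, not part of the thread and not Derby's), the following loads the keystore from Rick's command line, lists the private-key entries in the order the keystore enumerates them, and confirms that each private key can be unlocked with the keystore password. The file name `serverKeyStore.key` and password `qwerty` are the placeholders from Rick's example; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Checks a keystore against the two caveats from the thread:
 *  1. more than one private-key entry means the default key manager may
 *     serve the wrong one, since nothing tells it which alias to use;
 *  2. a private key protected by a password other than the keystore
 *     password cannot be unlocked by the default key manager, which only
 *     knows the single javax.net.ssl.keyStorePassword value.
 * Constructed example; file name and password are placeholders.
 */
public class KeystoreCheck {

    /** What was found in one keystore. */
    public static final class Report {
        /** Private-key aliases in keystore enumeration order. */
        public final List<String> keyAliases = new ArrayList<>();
        /** Aliases whose key password differs from the store password. */
        public final List<String> passwordMismatches = new ArrayList<>();

        public boolean ok() {
            return keyAliases.size() == 1 && passwordMismatches.isEmpty();
        }
    }

    public static Report inspect(KeyStore ks, char[] storePassword) throws Exception {
        Report report = new Report();
        // Enumeration order is what "listed first in the keystore" refers to.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            report.keyAliases.add(alias);
            try {
                // Same password for the key as for the store: the only
                // password the default key manager is given.
                ks.getKey(alias, storePassword);
            } catch (UnrecoverableKeyException e) {
                report.passwordMismatches.add(alias);
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "serverKeyStore.key";
        char[] password = (args.length > 1 ? args[1] : "qwerty").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        Report r = inspect(ks, password);
        System.out.println("private-key entries (keystore order): " + r.keyAliases);
        if (r.keyAliases.size() > 1) {
            System.out.println("WARNING: more than one key pair; only the first usable one is served");
        }
        for (String alias : r.passwordMismatches) {
            System.out.println("WARNING: key '" + alias + "' cannot be unlocked with the keystore password");
        }
        System.exit(r.ok() ? 0 : 1);
    }
}
```

Run it as `java KeystoreCheck serverKeyStore.key qwerty` before starting the server; a non-zero exit means one of the caveats applies. A key whose password differs from the store password can be aligned with `keytool -keypasswd -alias <alias> -keystore serverKeyStore.key`, and surplus key pairs are best moved to a separate keystore rather than left in front of the one the server should use.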



Re: Starting the derby server with ssl

Posted by Rick Hillegas <Ri...@Sun.COM>.
Hi Reda,

I'm not an expert on the internals of Java's SSL support. Perhaps we'll 
get a response from someone who knows more than I do. My understanding 
was that the default key manager picks the first usable entry from the 
keystore and, for this reason, it's typical for a keystore to hold only 
one object. You can override this behavior by writing your own key 
manager. The following link may be useful:

http://books.google.com/books?id=EhX9BjHj9M4C&pg=PA314&lpg=PA314&dq=java+keystore+vs+truststore&source=web&ots=sNVm3qmI-U&sig=UOihfFE_1MJC625sAVhd1yrUUJQ#PPA328,M1

Hope this helps,
-Rick

Reda Jazouli wrote:
> Hi Rick, 
> thank you for your reply, but my question is how does Java know which key it
> has to choose from the given keystore?
>
> Thanks in advance
>
> Rick Hillegas-2 wrote:
>   
>> Hi Reda,
>>
>> The documentation on Derby's security features is scattered and hard to 
>> follow. You will find more information on how to configure SSL in the 
>> Derby Server and Administration Guide in a section titled "Network 
>> encryption and authentication with SSL/TLS". You will probably want to 
>> set several startup options. Something like the following:
>>
>> java -Djavax.net.ssl.keyStore=serverKeyStore.key \
>>      -Djavax.net.ssl.keyStorePassword=qwerty \
>>      -Djavax.net.ssl.trustStore=serverTrustStore.key \
>>      -Djavax.net.ssl.trustStorePassword=qwerty \
>>      -jar derbyrun.jar server start -ssl peerAuthentication
>>
>> More examples of how to configure Derby's SSL support can be found in 
>> the security white paper located here: 
>> http://developers.sun.com/javadb/reference/whitepapers/index.jsp
>>
>> Hope this helps,
>> -Rick
>>
>> Reda Jazouli wrote:
>>     
>>> Hi, 
>>> As mentioned in the Derby tuning guide, it's possible to start the Derby
>>> server in a way that it accepts only SSL connections.
>>>
>>> It's only required to give at startup a Java keystore and the keystore's
>>> password.
>>>
>>> My question is, how does the server know which key to use from the
>>> given
>>> keystore? 
>>> I thought that there is a Java property that has to be set before startup
>>> and that indicates which key from the given keystore has to be used.
>>>
>>> Thanks in advance.
>>>
>>> Reda
>>>   
>>>       
>>
>>     
>
>   
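Rick's post mentions overriding the first-usable-entry behaviour by writing your own key manager. Below is an added illustration of that technique (my code, not Derby's and not from the thread): an X509ExtendedKeyManager that wraps the JVM's default key manager and always presents one configured alias on the server side, so a keystore may hold several key pairs without the wrong one being served. The class and method names are mine, and the keystore file and password reuse Rick's placeholders. How Derby's network server would pick this context up is not shown in the thread; the `SSLContext.setDefault` call in `main` is my assumption that a server started in the same JVM uses the default context, not something Derby's documentation states here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Delegates everything to the JVM's default X509KeyManager except
 * server-side alias selection, which is pinned to one configured alias.
 * Constructed example; names and placeholders are mine, not Derby's.
 */
public final class AliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;
    private final String keyAlgorithm; // e.g. "RSA" or "EC"

    public AliasKeyManager(X509KeyManager delegate, String alias) {
        PrivateKey key = delegate.getPrivateKey(alias);
        if (key == null) {
            throw new IllegalArgumentException("no private key for alias '" + alias + "'");
        }
        this.delegate = delegate;
        this.alias = alias;
        this.keyAlgorithm = key.getAlgorithm();
    }

    // Only answer for a key type the pinned key can satisfy; returning null
    // lets JSSE try the next key type instead of presenting a certificate
    // of the wrong algorithm and failing the handshake.
    private String pinnedAliasFor(String keyType) {
        return keyAlgorithm.equalsIgnoreCase(keyType) ? alias : null;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinnedAliasFor(keyType);
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return pinnedAliasFor(keyType);
    }

    // Client-side selection and key material stay with the default manager.
    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public X509Certificate[] getCertificateChain(String a) {
        return delegate.getCertificateChain(a);
    }

    @Override
    public PrivateKey getPrivateKey(String a) {
        return delegate.getPrivateKey(a);
    }

    /** Builds an SSLContext whose server side always presents the given alias. */
    public static SSLContext contextFor(String storePath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // one password for store and keys, as the thread notes
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                base = (X509KeyManager) km;
                break;
            }
        }
        if (base == null) {
            throw new IllegalStateException("no X509KeyManager from " + kmf.getAlgorithm());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AliasKeyManager(base, alias) }, null, null); // default trust, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor("serverKeyStore.key", "qwerty".toCharArray(), args[0]);
        SSLContext.setDefault(ctx); // assumption: the in-process server uses the default context
    }
}
```

The wrapper keeps the default manager's trust and client behaviour untouched; only `chooseServerAlias` and its SSLEngine counterpart are overridden. Passing `null` for the trust managers in `SSLContext.init` keeps the JVM's default trust store, so Rick's `javax.net.ssl.trustStore` properties still apply for `peerAuthentication`.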


Re: Starting the derby server with ssl

Posted by Reda Jazouli <re...@gmail.com>.
Hi Rick, 
thank you for your reply, but my question is how does Java know which key it
has to choose from the given keystore?

Thanks in advance

Rick Hillegas-2 wrote:
> 
> Hi Reda,
> 
> The documentation on Derby's security features is scattered and hard to 
> follow. You will find more information on how to configure SSL in the 
> Derby Server and Administration Guide in a section titled "Network 
> encryption and authentication with SSL/TLS". You will probably want to 
> set several startup options. Something like the following:
> 
> java -Djavax.net.ssl.keyStore=serverKeyStore.key \
>      -Djavax.net.ssl.keyStorePassword=qwerty \
>      -Djavax.net.ssl.trustStore=serverTrustStore.key \
>      -Djavax.net.ssl.trustStorePassword=qwerty \
>      -jar derbyrun.jar server start -ssl peerAuthentication
> 
> More examples of how to configure Derby's SSL support can be found in 
> the security white paper located here: 
> http://developers.sun.com/javadb/reference/whitepapers/index.jsp
> 
> Hope this helps,
> -Rick
> 
> Reda Jazouli wrote:
>> Hi, 
>> As mentioned in the Derby tuning guide, it's possible to start the Derby
>> server in a way that it accepts only SSL connections.
>>
>> It's only required to give at startup a Java keystore and the keystore's
>> password.
>>
>> My question is, how does the server know which key to use from the
>> given
>> keystore? 
>> I thought that there is a Java property that has to be set before startup
>> and that indicates which key from the given keystore has to be used.
>>
>> Thanks in advance.
>>
>> Reda
>>   
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Starting-the-derby-sever-with-ssl-tp20305614p20306917.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.


Re: Starting the derby server with ssl

Posted by Rick Hillegas <Ri...@Sun.COM>.
Hi Reda,

The documentation on Derby's security features is scattered and hard to 
follow. You will find more information on how to configure SSL in the 
Derby Server and Administration Guide in a section titled "Network 
encryption and authentication with SSL/TLS". You will probably want to 
set several startup options. Something like the following:

java -Djavax.net.ssl.keyStore=serverKeyStore.key \
     -Djavax.net.ssl.keyStorePassword=qwerty \
     -Djavax.net.ssl.trustStore=serverTrustStore.key \
     -Djavax.net.ssl.trustStorePassword=qwerty \
     -jar derbyrun.jar server start -ssl peerAuthentication

More examples of how to configure Derby's SSL support can be found in 
the security white paper located here: 
http://developers.sun.com/javadb/reference/whitepapers/index.jsp

Hope this helps,
-Rick

Reda Jazouli wrote:
> Hi, 
> As mentioned in the Derby tuning guide, it's possible to start the Derby
> server in a way that it accepts only SSL connections.
>
> It's only required to give at startup a Java keystore and the keystore's
> password.
>
> My question is, how does the server know which key to use from the given
> keystore? 
> I thought that there is a Java property that has to be set before startup
> and that indicates which key from the given keystore has to be used.
>
> Thanks in advance.
>
> Reda
>