Posted to dev@harmony.apache.org by Wim Vander Schelden <wi...@fixnum.org> on 2008/03/18 22:21:12 UTC

SSL connections and cacerts

Hi,

Since I didn't find a user mailing list, and the IRC channel is pretty
much empty, I thought I'd ask here.
I've been using Harmony for a while for my Java work at University, and
for my most recent assignment I was told to create a web application.
Since Harmony is conveniently packaged with Tomcat, I just couldn't
resist using the bundle from the site.

Everything works fine so far, but I need it to trust a few certificates
to send mails. I'd like it to do this automatically, without me having
to fiddle with KeyStores etc. From a quick web search I learned about
replacing the cacerts file in jre/lib/security/, but it doesn't seem to
work.

Any ideas as to what I can do to get around this issue?

Kind regards,

Wim


Re: SSL connections and cacerts

Posted by Wim Vander Schelden <wi...@fixnum.org>.
On Thu, Mar 20, 2008 at 8:39 AM, Stepan Mishura <st...@gmail.com>
wrote:

> On 3/19/08, Wim Vander Schelden <wi...@fixnum.org> wrote:
>
>
> Theoretically, keytool is used to create the file with the required
> certificates and the file is placed in the default location (i.e.
> lib/security) and after that everything should work. But practically I
> don't know if it works or not - I didn't try it myself and as I
> recall there were intentions and promises to create an acceptable cacerts
> file for Harmony but I don't remember any report about the progress or
> failure. Also there was a suggestion to convert the existing cacerts file in
> JKS format into BKS format but that got stuck in legal
> questions/doubts. You may also wish to try to use SUN's provider
> (which understands JKS format) and the JKS cacerts file with Harmony (I
> think if it works then this would be very exciting!)
>
> So you are free to experiment! And if you have any results please let us
> know.
>
> Thanks,
> Stepan.


Alright, but the keytool asks me to enter a password, and I assume I have to
use something specified by Harmony so that it can be read without entering
the password to make an SSL connection?

kind regards,

Wim

Re: SSL connections and cacerts

Posted by Stepan Mishura <st...@gmail.com>.
On 3/19/08, Wim Vander Schelden <wi...@fixnum.org> wrote:
> Stepan Mishura wrote:
> > It sounds like you used a cacerts file (RI's?) that is in JKS format.
> > This definitely doesn't work with Harmony because JKS is Sun's
> > proprietary standard [1]. You should provide a cacerts file in
> > PKCS12 (IIRC) format. PKCS12 is implemented in the Bouncy Castle security
> > provider and used by Harmony.
> >
> So the easiest way to do this would be by using the keytool included in
> Harmony, I assume?
> Will Harmony look at the cacerts file in the lib/security directory, or
> do I need to instruct it to do so somehow? And what password should I
> use for the keystore?
>

Theoretically, keytool is used to create the file with the required
certificates and the file is placed in the default location (i.e.
lib/security) and after that everything should work. But practically I
don't know if it works or not - I didn't try it myself and as I
recall there were intentions and promises to create an acceptable cacerts
file for Harmony but I don't remember any report about the progress or
failure. Also there was a suggestion to convert the existing cacerts file in
JKS format into BKS format but that got stuck in legal
questions/doubts. You may also wish to try to use SUN's provider
(which understands JKS format) and the JKS cacerts file with Harmony (I
think if it works then this would be very exciting!)

So you are free to experiment! And if you have any results please let us know.

Thanks,
Stepan.

> Is there a reason why such a file is not distributed with Harmony by
> default?
> > Thanks,
> > Stepan.
> Thanks for your help,
>
> Wim
>

Re: SSL connections and cacerts

Posted by Tim Ellison <t....@gmail.com>.
Wim Vander Schelden wrote:
> Stepan Mishura wrote:
>> It sounds like you used a cacerts file (RI's?) that is in JKS format.
>> This definitely doesn't work with Harmony because JKS is Sun's
>> proprietary standard [1]. You should provide a cacerts file in
>> PKCS12 (IIRC) format. PKCS12 is implemented in the Bouncy Castle security
>> provider and used by Harmony.
>>   
> So the easiest way to do this would be by using the keytool included in
> Harmony, I assume?
> Will Harmony look at the cacerts file in the lib/security directory, or
> do I need to instruct it to do so somehow? And what password should I
> use for the keystore?
> 
> Is there a reason why such a file is not distributed with Harmony by
> default?

Good question.  The cacerts file contains the certificates of various 
certification authorities (CAs).  It's not clear to me that Apache would 
be able to redistribute those without special agreement with the CAs.

We have not gone round collecting up CAs and signed up to their terms 
and conditions to check.

Regards,
Tim

Re: SSL connections and cacerts

Posted by Wim Vander Schelden <wi...@fixnum.org>.
Stepan Mishura wrote:
> It sounds like you used a cacerts file (RI's?) that is in JKS format.
> This definitely doesn't work with Harmony because JKS is Sun's
> proprietary standard [1]. You should provide a cacerts file in
> PKCS12 (IIRC) format. PKCS12 is implemented in the Bouncy Castle security
> provider and used by Harmony.
>   
So the easiest way to do this would be by using the keytool included in
Harmony, I assume?
Will Harmony look at the cacerts file in the lib/security directory, or
do I need to instruct it to do so somehow? And what password should I
use for the keystore?

Is there a reason why such a file is not distributed with Harmony by
default?
> Thanks,
> Stepan.
Thanks for your help,

Wim

Re: SSL connections and cacerts

Posted by Stepan Mishura <st...@gmail.com>.
On 3/19/08, Wim Vander Schelden <wi...@fixnum.org> wrote:
> Hi,
>
> Since I didn't find a user mailing list, and the IRC channel is pretty
> much empty, I thought I'd ask here.
> I've been using Harmony for a while for my Java work at University, and
> for my most recent assignment I was told to create a web application.
> Since Harmony is conveniently packaged with Tomcat, I just couldn't
> resist using the bundle from the site.
>
> Everything works fine so far, but I need it to trust a few certificates
> to send mails. I'd like it to do this automatically, without me having
> to fiddle with KeyStores etc. From a quick web search I learned about
> replacing the cacerts file in jre/lib/security/, but it doesn't seem to
> work.
>
> Any ideas as to what I can do to get around this issue?
>

Hi Wim,

It sounds like you used a cacerts file (RI's?) that is in JKS format.
This definitely doesn't work with Harmony because JKS is Sun's
proprietary standard [1]. You should provide a cacerts file in
PKCS12 (IIRC) format. PKCS12 is implemented in the Bouncy Castle security
provider and used by Harmony.

[1] http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#KeyManagement
[2] http://www.bouncycastle.org

Thanks,
Stepan.

> Kind regards,
>
> Wim
>
>
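The route Stepan describes in the thread (a trust store in PKCS12 format, because the Bouncy Castle provider Harmony uses does not read Sun's JKS cacerts, placed where the runtime looks for it), worked through as an added example that is not from the thread or from Harmony: it builds such a store from PEM-encoded CA certificates and then loads it through TrustManagerFactory, which is the check a practitioner wants before pointing a mail client or Tomcat at the file. Assumes Java 7 or later for try-with-resources and a PKCS12 provider that supports trusted-certificate entries; the class name, file names and command-line arguments are invented.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Builds a PKCS12 trust store from PEM CA certificates and checks that JSSE can load it. */
public class Pkcs12TrustStore {
    // Assumed usage: java Pkcs12TrustStore cacerts.p12 <password> ca1.pem [ca2.pem ...]
    public static void main(String[] args) throws Exception {
        String storePath = args[0];
        char[] password = args[1].toCharArray();
        // Trusted-certificate entries in PKCS12 need a provider that supports them
        // (Bouncy Castle, which Harmony uses, or the JDK's own provider from Java 8 on).
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);                       // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                int n = 0;                            // one PEM file may hold a whole chain
                for (Certificate c : cf.generateCertificates(in)) {
                    store.setCertificateEntry(args[i] + "-" + n++, c);
                }
            }
        }
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            store.store(out, password);               // the password only protects the integrity MAC
        }
        // Verify: reload the file as a JSSE client would and list the trust anchors.
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(storePath)) {
            loaded.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loaded);                             // a wrong store format or type fails here, not at connect time
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted: " + anchor.getSubjectX500Principal());
                }
            }
        }
    }
}
```

To have a whole JVM (Tomcat, JavaMail) use the resulting file without code changes, JSSE honours the standard system properties javax.net.ssl.trustStore, javax.net.ssl.trustStoreType=PKCS12 and javax.net.ssl.trustStorePassword, which sidesteps the question of which password the bundled cacerts expects.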