Posted to users@tomcat.apache.org by Marcus Carlson <to...@tajt.nu> on 2009/04/07 15:49:23 UTC

Truststore and keystore per application

Hi,

I've developed an application that sets up an encrypted socket in a 
separate thread when running init() on my servlet. However, I have no 
idea how to set up the truststore and keystore just for this 
application. Is this possible at all?

TIA,
Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Truststore and keystore per application

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Marcus,

So, my original code was missing some important stuff (the ??? parts)
and was incorrect in one place (the first two arguments to
SSLContext.init() are arrays, not scalars).

The following code compiles and executes on my machine. You'll need to
change the password, of course, and there are a whole slew of exceptions
that will need to be handled as well. Enjoy!

-chris

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class AppSslServer
{
    // Builds an SSLContext from the application's own keystore file and
    // opens a server socket on it. The same file serves as keystore
    // (our certificate and private key) and truststore (the peer
    // certificates we accept) here.
    public static SSLServerSocket createServerSocket() throws Exception
    {
        String keyStoreFilename = "my.app.keystore";
        char[] keyStorePassword = "secret".toCharArray();

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

        FileInputStream in = null;

        try
        {
            in = new FileInputStream(keyStoreFilename);
            keyStore.load(in, keyStorePassword);
        }
        finally
        {
            if(null != in) try { in.close(); } catch (IOException ioe)
            { ioe.printStackTrace(); }
        }

        // Trust managers decide which peer certificates are accepted
        String algorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(keyStore);

        TrustManager[] trustManagers = tmf.getTrustManagers();

        // Key managers pick the certificate and private key we present
        algorithm = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keyStore, keyStorePassword);

        KeyManager[] keyManagers = kmf.getKeyManagers();

        // Request TLS rather than the legacy "SSL" name
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(keyManagers, trustManagers, new SecureRandom());

        SSLServerSocketFactory sssf = sc.getServerSocketFactory();

        return (SSLServerSocket) sssf.createServerSocket(8080);
    }
}

Re: Truststore and keystore per application

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Marcus,

On 4/7/2009 9:49 AM, Marcus Carlson wrote:
> I've developed an application that sets up an encrypted socket in a
> separate thread when running init() on my servlet. However, I have no
> idea how to set up the truststore and keystore just for this
> application. Is this possible at all?

I think this is possible, though I've never actually written code to open
my own TrustStore file. Maybe this can get you on the right path: you
have to flip everything around that you are probably already doing, like
just doing "new SSLServerSocket(...)". Instead, you have to create a new
SSLContext and SSLSocketFactory, etc.:

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

SSLContext sc = SSLContext.getInstance("SSL"); // or TLS?

KeyManager keyMgr = ???;       // placeholders, left unfilled here
TrustManager trustMgr = ???;

sc.init(keyMgr, trustMgr, new java.security.SecureRandom());

SSLSocketFactory factory = sc.getSocketFactory();

SSLServerSocket socket = (SSLServerSocket)factory.createSocket(...);

I hope that helps,
-chris
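
Both of Chris's replies build one SSLContext from a single file that serves as keystore and truststore at once. The class below is an added example, not code from either message, that does what Marcus asked for with the two roles separated: the keystore holds only the application's private key and certificate, the truststore only the peer certificates the application accepts, and nothing sets the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties, which would change trust for every webapp in the same Tomcat JVM. It then drives a loopback round trip so you can see the per-application trust decision in action: the client side trusts only what is in the app's truststore. The file names app-keystore.p12 and app-truststore.p12, the alias myapp and the passwords ks-secret / ts-secret are assumptions; create the files first with keytool -genkeypair -alias myapp -keyalg RSA -keysize 2048 -validity 365 -dname CN=localhost -keystore app-keystore.p12 -storetype PKCS12 -storepass ks-secret, then keytool -exportcert -alias myapp -keystore app-keystore.p12 -storepass ks-secret -rfc -file myapp.pem, then keytool -importcert -alias myapp -file myapp.pem -keystore app-truststore.p12 -storetype PKCS12 -storepass ts-secret -noprompt. It needs Java 11 or later.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// One SSLContext owned by one application: the keystore holds this app's
// private key and certificate, the truststore only the peer certificates it
// accepts. No javax.net.ssl.* system property is touched, so other webapps
// in the same Tomcat JVM keep their own trust settings. Names and passwords
// are hypothetical (see the keytool commands in the text above).
public final class PerAppTlsContext {

    public static SSLContext build(Path keyStorePath, char[] keyStorePassword,
                                   Path trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = load(keyStorePath, keyStorePassword);
        KeyStore trustStore = load(trustStorePath, trustStorePassword);
        // Key managers: present this app's certificate and sign with its key.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);
        // Trust managers: built from the truststore only, never from cacerts.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    private static KeyStore load(Path path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);   // wrong password or tampered file -> IOException
        }
        return ks;
    }

    // Loopback round trip: server and client both use the app's own context.
    public static String roundTrip(SSLContext ctx, String message)
            throws IOException, InterruptedException {
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory()
            .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // pin, not JVM default
        Thread echo = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                BufferedReader r = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                PrintWriter w = new PrintWriter(s.getOutputStream(), true, StandardCharsets.UTF_8);
                w.println(r.readLine());   // echo one line back over the TLS session
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        });
        echo.start();
        // Client side: its TrustManager came from the app's truststore, so the
        // handshake succeeds only because myapp's certificate is in that file.
        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
            PrintWriter w = new PrintWriter(client.getOutputStream(), true, StandardCharsets.UTF_8);
            BufferedReader r = new BufferedReader(
                new InputStreamReader(client.getInputStream(), StandardCharsets.UTF_8));
            w.println(message);
            return r.readLine();
        } finally {
            echo.join();
            server.close();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] ksPass = "ks-secret".toCharArray(), tsPass = "ts-secret".toCharArray();
        try {
            SSLContext ctx = build(Path.of("app-keystore.p12"), ksPass,
                                   Path.of("app-truststore.p12"), tsPass);
            System.out.println("echoed: " + roundTrip(ctx, "hello over per-app TLS"));
        } finally {
            Arrays.fill(ksPass, '\0');   // scrub passwords once the context exists
            Arrays.fill(tsPass, '\0');
        }
    }
}
```

In the servlet, call build() once from init(), keep the SSLContext in a field, and hand its server socket to the worker thread; the passwords should come from configuration rather than a string literal, and a char[] that is scrubbed afterwards keeps them out of the string pool. Two caveats: to verify that the trust separation really works, drop myapp.pem from app-truststore.p12 and rerun; the client handshake must then fail with an SSLHandshakeException, which proves the JVM's cacerts was not consulted. And a real client talking to a remote host should also turn on hostname verification by setting an SSLParameters with setEndpointIdentificationAlgorithm("HTTPS") on the socket before the handshake; the loopback demo skips it because it connects by address.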
