Posted to derby-user@db.apache.org by Thomas <Th...@t-online.de> on 2010/12/18 15:04:50 UTC

No available certificate or key corresponds to the SSL cipher suites which are enabled

Hi,

I am trying to use the same keystore file that I am successfully using in
conjunction with my Tomcat server also with the Apache Derby Network Server. 
However while the keystore works fine with Tomcat, Derby doesn't like it and
throws the error 'No available certificate or key corresponds to the SSL cipher
suites which are enabled' when trying to start-up the server.

The keystore contains one keypair only. Below is the output of a keytool -v
-list. As long as I am using keytool to generate my keystore with a self-signed
certificate the server starts up using SSL as expected. However, when trying to
use a certificate signed by a CA - and as I am only doing this in a test
environment on my LAN I am acting as the CA - then I can only get Tomcat to
accept my keystore.
Here is the keystore content:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: thmb
Creation date: Dec 11, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=x@t-online.de, CN=THMB, OU=IT, O=x, L=x, ST=x, C=DE
Issuer: EMAILADDRESS=x@t-online.de, CN=THMB CA, OU=IT, O=x, L=x, ST=x, C=DE
Serial number: 1
Valid from: Sat Dec 11 12:50:08 CET 2010 until: Sun Dec 11 12:50:08 CET 2011
Certificate fingerprints:
	 MD5:  A8:27:6E:B4:81:E0:6B:23:B4:A7:4C:13:4B:16:80:EC
	 SHA1: B9:9F:2B:CA:03:40:00:A0:4B:03:A0:CD:E7:E7:8F:61:9D:B9:26:42
	 Signature algorithm name: SHA1withRSA
	 Version: 3


Certificate[2]:
Owner: EMAILADDRESS=x@t-online.de, CN=THMB CA, OU=IT, O=x, L=x, ST=x, C=DE
Issuer: EMAILADDRESS=x@t-online.de, CN=THMB CA, OU=IT, O=x, L=x, ST=x, C=DE
Serial number: 95e743a14724966f
Valid from: Sat Dec 11 12:44:17 CET 2010 until: Tue Dec 08 12:44:17 CET 2020
Certificate fingerprints:
	 MD5:  8D:D4:44:B6:37:EC:51:CD:25:85:E8:F1:0A:A9:30:2D
	 SHA1: E7:04:DB:FC:DA:16:FE:46:88:56:C5:0B:65:D5:0F:DF:AC:0E:A1:D7
	 Signature algorithm name: SHA1withRSA
	 Version: 3
Any help would be greatly appreciated.
Thanks
Thomas
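A diagnostic that performs the same server-key lookup JSSE makes before it reports this error, added here as an example; it is not code from the thread or from Derby. It assumes the JKS path and store password are given on the command line (the defaults are constructed placeholders), and that the key entry uses the store password, as a keystore handed to a server via the standard javax.net.ssl properties must.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Reports whether the default JSSE KeyManager can pick a server key from a JKS keystore. */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        // Constructed defaults; pass the real keystore path and password as arguments.
        String path = args.length > 0 ? args[0] : "server.jks";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }

        // Step 1: inspect each entry the way keytool -list does, but also open the private key
        // with the store password (a different key password makes the entry unusable to JSSE).
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trustedCertEntry only, no private key to serve with");
                continue;
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, pw); // UnrecoverableKeyException if the key password differs
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s: %s key, subject %s, chain length %d%n", alias,
                key.getAlgorithm(), leaf.getSubjectX500Principal(), ks.getCertificateChain(alias).length);
            leaf.checkValidity(); // throws if the leaf certificate is expired or not yet valid
        }

        // Step 2: the lookup the server performs before reporting "No available certificate or key
        // corresponds to the SSL cipher suites which are enabled": null for every key type means that error.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        for (String keyType : new String[] {"RSA", "EC", "DSA"}) {
            String chosen = km.chooseServerAlias(keyType, null, null);
            System.out.println(keyType + " server alias: " + (chosen == null ? "none" : chosen));
        }
    }
}
```

Step 1 is stricter than the server itself in one respect: it rejects an expired leaf certificate, which the thread notes the Sun JSSE implementation does not check.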


Re: Problem solved

Posted by Thomas <Th...@t-online.de>.
I will try to summarise my experiences in the wiki once I have completed my full
round trip of what I am/was trying to achieve:

1) have a JAVA provider (in Germany) host a Derby Network Server for me - done
2) have them run the Derby Server using SSL encryption and peer authentication -
done
3) become my own CA to allow me to create and sign SSL *client* certificates
myself - done (and buy the server certificate from an official CA)
4) have my applications securely communicate with the database server either
direct (my Java application - done) or via Tomcat (my Java web application -
mostly done)
5) use SQL authorisation to protect my database objects - done (also many
thanks to Dag and the team that with release 10.7.1 the possibility to execute
procedures with definer rights was introduced which was a concept I was missing
in the previous version)
6) migrate off from using the built-in user system to utilizing LDAP - work in
progress (and hoping this journey will be a lot shorter than my SSL endeavours)

Regards




Re: Problem solved

Posted by Bryan Pendleton <bp...@gmail.com>.
On 12/30/2010 07:03 AM, Thomas wrote:
> After many hours of further investigation I have been able to overcome all road
> blocks and now successfully use SSL certificates (created and signed using
> OpenSSL and converted into JKS keystores using keytool) and peer authentication
> between server and client.

Excellent!

Would you be willing to contribute your experience to the Derby wiki?

http://wiki.apache.org/db-derby/HintsAndTips

I think the community could certainly benefit from the knowledge you
gained about the necessary configuration steps needed.

thanks,

bryan


Problem solved

Posted by Thomas <Th...@t-online.de>.
After many hours of further investigation I have been able to overcome all road
blocks and now successfully use SSL certificates (created and signed using
OpenSSL and converted into JKS keystores using keytool) and peer authentication
between server and client. I wish though that the certificate expiry date would not
be ignored, but from what I read on other forums that seems to be intended
behaviour in the SUN implementation of JSSE.




No one able to help?

Posted by Thomas <Th...@t-online.de>.
Hi,

I am stuck with this problem and would appreciate any help.

Thanks
Thomas