Certificates

This page is about security: certificates, public key encryption, and the Java trust store.

JDK cacerts file

In the SSL Sockets example, if the NetClientOptions trustAll setting is false (the secure setting, since trustAll disables certificate verification entirely), then Java validates the server's certificate against the cacerts file.

The cacerts file is in the JDK directory, so its path depends on the installed JDK version. Under Mac OS X with JDK 1.8.0_65, it is at /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts.

To add a self-signed cert to the cacerts file, first export the certificate from the demo keystore, then, as root (the JDK cacerts file is not writable by ordinary users), import it; the import prompts for the cacerts password, which is changeit by default:

keytool -export -rfc -alias selfsigned -keystore $PTII/org/terraswarm/accessor/demo/SecureSocket/keystore.jks > /tmp/selfsigned.cer
keytool -import -alias selfsigned -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts -file /tmp/selfsigned.cer

Note that $PTII/org/terraswarm/accessor/demo/SecureSocket/keystore.jks includes the private key and has no password, which is very insecure: anyone who can read the file can impersonate the server. Only the exported certificate (/tmp/selfsigned.cer), not the keystore itself, should ever be distributed to clients.

Alternative cacerts file

The goal here is to use an alternative cacerts file instead of modifying the JDK's own cacerts, so that the self-signed certificate is trusted only by the process that opts in.

First, as root, remove what was added above:

ealmac23:~ root# keytool -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts -alias selfsigned -list
Enter keystore password:  changeit

selfsigned, Nov 24, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CD:BF:47:05:A6:0A:43:8A:CD:C7:74:59:24:29:4E:F4:17:F9:0C:7C
ealmac23:~ root# keytool -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts -alias selfsigned -delete
Enter keystore password:  changeit

ealmac23:~ root# keytool -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts -alias selfsigned -list
Enter keystore password:  


*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

keytool error: java.lang.Exception: Alias <selfsigned> does not exist
ealmac23:~ root#

The final -list was run with an empty password, which is why keytool prints the integrity warning (a JKS store can be read without its password, but its integrity hash is only checked when the password is supplied); the "Alias <selfsigned> does not exist" error confirms the entry was removed.

Setting the javax.net.ssl.trustStore property works:

(:source lang="bash":)
export JAVAFLAGS=-Djavax.net.ssl.trustStore=$PTII/org/terraswarm/accessor/demo/SecureSocket/keystore.jks
(:sourceend:)

This points the JVM at the demo keystore as its trust store. Since that file also contains the private key (see above), a better choice is a separate truststore created by importing only the exported certificate (/tmp/selfsigned.cer) with keytool -import, and pointing javax.net.ssl.trustStore at that.
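A check for the problem noted above, as an added example that is not part of the original page or the Ptolemy II code base: before pointing javax.net.ssl.trustStore at a keystore, open it with the standard java.security.KeyStore API and refuse it if it contains any private-key entry rather than only trustedCertEntry entries. The class name TrustStoreCheck and the command-line arguments (path, optional password) are this example's own conventions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Inspect a JKS file before using it as the value of -Djavax.net.ssl.trustStore. */
public class TrustStoreCheck {

    /**
     * Returns true if the store holds only trusted certificates (no private keys).
     * A null password loads the entries without verifying the store's integrity,
     * exactly like the keytool -list run without a password shown on this page.
     */
    public static boolean isPureTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean clean = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // A private key in a trust store is the insecure case from this page.
                System.out.println(alias + ": PrivateKeyEntry  <-- must not be in a trust store");
                clean = false;
            } else if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : "(non-X.509 certificate)";
                System.out.println(alias + ": trustedCertEntry " + subject);
            }
        }
        return clean;
    }

    public static void main(String[] args) throws Exception {
        // Default to whatever -Djavax.net.ssl.trustStore currently names, as in JAVAFLAGS above.
        String path = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.trustStore");
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        if (path == null) {
            System.err.println("usage: java TrustStoreCheck <keystore.jks> [password]");
            System.exit(2);
        }
        System.exit(isPureTrustStore(path, pw) ? 0 : 1);
    }
}
```

Run against $PTII/org/terraswarm/accessor/demo/SecureSocket/keystore.jks it exits 1 because of the private key; run against a truststore built only from /tmp/selfsigned.cer it exits 0.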

SeeAlso

Page last modified on November 25, 2015, at 07:37 pm