Hi Joe,

> Thanks for your comments. I'm wondering whether we should import
> certificates to the default Java trusted store
> (jre/lib/security/cacertificates) or to have a separate trusted key store
> file for our application and import certificate to it? Which one is a better
> solution from the security point of view?

I think if we maintain a key store for an application rather than adding to the default Java trust store, it will be easy to manage. For example, if you have multiple applications with different trust relationships, then we will have to maintain a key store for each application anyway.

> The other question how can we show certificate to the user and then import
> it programmatically the same way web-browsers do?

Right now, Axis2 + Rampart doesn't show certificate information in the WSDL. At the moment, clients have to have the server's certificate and they can use the Java keytool to import it to a key store. But we can use XKMS to do the key management programmatically. But right now Rampart doesn't support XKMS either. Take a look at the XKMS sample - [1] which comes with the WSO2 WSAS distribution.

thanks,
/nandana

[1] - http://www.ibm.com/developerworks/xml/library/x-seclay3/
[2] - http://wso2.org/project/wsas/java/2.2.1/docs/xkms_sample_guide.html

> Joe
>
> On Mon, Mar 3, 2008 at 10:09 AM, Nandana Mihindukulasooriya
> <[EMAIL PROTECTED]> wrote:
> >
> > Hi Nuria,
> > yes, you need to set a system property in the client side to
> > add that key store containing that cert as a trusted key store. This
> > can be simply done using
> >
> > System.setProperty("javax.net.ssl.trustStore", "path/to/keystore.jks");
> > System.setProperty("javax.net.ssl.trustStorePassword", "password");
> >
> > in the client side.
> >
> > thanks,
> > nandana
> >
> > On Mon, Mar 3, 2008 at 8:14 PM, Nuria Rodríguez García
> > <[EMAIL PROTECTED]> wrote:
> > >
> > > Hello:
> > >
> > > I'm using Axis2 and I need to use SSL to connect to a WS.
> > > On the server side I do the following:
> > >
> > > I configure the server.xml file in Tomcat. I have:
> > >
> > > <Connector port="8443"
> > >     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > >     enableLookups="false" disableUploadTimeout="true"
> > >     acceptCount="100" debug="0" scheme="https" secure="true"
> > >     clientAuth="false" sslProtocol="TLS" />
> > >
> > > Then I generate a server certificate doing the following:
> > >
> > > keytool -genkey -alias tomcat -keyalg RSA
> > > keytool -export -alias tomcat -storepass changeit -file server.cer
> > > keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass changeit -storepass changeit
> > >
> > > I start up Tomcat and when I call the service using the EPR
> > > "https://mymachine:8443/ ...." I receive the following exception:
> > >
> > > I/O exception (org.apache.axis2.AxisFault) caught
> > > when processing request: sun.security.validator.ValidatorException: PKIX
> > > path building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > > valid certification path to requested target
> > >
> > > I don't know if I need to indicate something from the client side.
> > >
> > > Thanks,
> > > Nuria
> >
> > http://nandana83.blogspot.com/
> > http://nandanasm.wordpress.com/
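The per-application trust store Nandana recommends, as an added example that is not code from this thread or from Axis2/Rampart: a client loads its own JKS file into an SSLContext instead of pointing the whole JVM at it with the javax.net.ssl.trustStore system property. The trust store path, its password and the service URL are assumptions, and a plain HttpsURLConnection stands in for the Axis2 client to keep the mechanism visible.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AppTrustStoreClient {
    // Assumed values for this example. The server certificate was imported with
    //   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore app-truststore.jks
    // rather than into the JRE-wide cacerts file.
    private static final String TRUST_STORE_PATH = "path/to/app-truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();
    private static final String SERVICE_URL = "https://mymachine:8443/axis2/services/Echo?wsdl"; // assumed

    /** Build an SSLContext that trusts only the certificates in the application's own store. */
    public static SSLContext buildSslContext() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        }
        // The trust managers decide whether a PKIX path can be built to the server's cert;
        // a server not present in app-truststore.jks fails with the same
        // "unable to find valid certification path" error seen in the thread.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material: clientAuth="false"
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(SERVICE_URL).openConnection();
        // Scoped to this connection only; the JVM default trust store is left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Setting javax.net.ssl.trustStore as in the quoted reply makes the JVM use that file instead of cacerts, not in addition to it, so any CA-issued certificate the client also needs must be imported into the same application store.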
