In my case, I have one client which accesses many servers. I did not have to do anything in the client code for it to happen. It just works. I think the underlying SSL implementation figures out which certificate to use, based on which certificate the server presents.

I am using Sun's implementation. My understanding is that when SSL communication begins, the server presents its certificate and then the client has to decide if it wants to trust that certificate. It does so by looking into the trust store file. I saw some questions about the server choosing a particular certificate for a client. I do not have any knowledge of how to do that. You just need to use the alias for each certificate in the truststore to manage it, e.g. replace, remove etc.

BTW, did you like the J2EE security book by Pankaj Kumar? I looked at the sample chapter and liked it, so I am planning to buy it.

Soniya

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 February 2004 1:08 PM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: RE: how to sepcify certificate alias

I can give different aliases to different certificates. The problem is that the first one that the CA recognizes will be taken no matter which client is accessing the server. How did you tell the implementation the alias value?

I went to the bookstore and found it in the book "J2EE Security" by Pankaj Kumar. The book basically said that with the default implementation, you cannot:

1) use a different password from the keystore file for the certificate
2) the first "valid" certificate (from the CA on the server side) will be picked up by the default implementation. The second one or any other one doesn't have a chance to be used.

The solution is to implement the KeyManager and KeyManagerFactory.

"Shah, Soniya M. [RA]" <[EMAIL PROTECTED]>
11/02/2004 12:44 PM
Please respond to axis-user
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: how to sepcify certificate alias

I use a different alias for each certificate and it is working. I have about 10 certificates in the trust store file and the client can talk to each of those servers.

Soniya

-----Original Message-----
From: bethana kumar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 February 2004 12:08 PM
To: [EMAIL PROTECTED]
Subject: RE: how to sepcify certificate alias

Hi

> I really do not understand how come JSSE does not allow specifying the alias while the keystore file can store multiple certificates

You can give a different alias name for each certificate. If you give different names then we can store multiple certificates in the same keystore.

Why don't you read application-specific parameters from web.xml? We have done this type. What we made is that in our web.xml we made CERTIFICATE FILE a key, and its values are different for different applications. Ex:

    CERTIFICATE FILE= ../webapps/location/WEB-INF/dialogsKeystore.bin
    passPhrase="abcd"; //password for this keystore.

Here dialogsKeystore.bin contains all certificates relevant to this application. In your code you can write like this:

    // JSSE reads these as JVM system properties, so they are set with System.setProperty
    System.setProperty("javax.net.ssl.trustStore", CERTIFICATEFILE);
    System.setProperty("javax.net.ssl.trustStorePassword", passPhrase);

[EMAIL PROTECTED] wrote:

We are using the IBM implementation. We want to deploy two applications into the same JVM and what we have done so far is to define the system properties directly as JVM parameters. So both applications share the same system properties, and hence the same keystore file path. Even if we put these definitions into the application code, I think that won't work either, because the second application that runs the code for setting system properties will change the system property values set by the first application at run time (the first application refers to the application that runs the system property setting code first).

I really do not understand how come JSSE does not allow specifying the alias while the keystore file can store multiple certificates.

Thanks for the comments.

Jian

Leo de Blaauw
11/02/2004 02:44 AM
Please respond to axis-user
cc:
Subject: RE: how to sepcify certificate alias

Hi,

Well, the short answer is it depends on the SSL library you use, for instance Sun or IBM. Both, as far as I know, don't allow you to do this out of the box. In my experience they both take the first client certificate found in the key store. We just use a different key store per client. You could write your own keymanager class which subclasses the keymanager of your SSL implementation, but I have not found a working way yet of using that from within Axis.

Greetz
Leo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 2004 20:53
To: [EMAIL PROTECTED]
Subject: how to sepcify certificate alias

I have two applications that access a web service. We use HTTPS for authentication and encryption. We can get these applications to access the service with one certificate stored in one keystore file, but we want them to use two different certificates. The two certificates can be saved in one keystore file. Both applications run inside the same application server instance (JVM). The problem is that we can use a system property to specify where the keystore file is, but I cannot find in the JSSE document how a certificate alias is specified to tell which application is using which certificate.

Any idea?

Thanks
Jian
