Hey,

Well I also found this on the IBM developer domain website:
http://www-106.ibm.com/developerworks/java/library/j-customssl/
pretty good stuff on writing your own keymanager stuff! But only half of the road as far as using it through axis.. no news there..

Greetz
Leo

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 11, 2004 9:44 PM
Subject: RE: how to sepcify certificate alias

> I went through couple of books, two are security (forgot the title, but I
> think it is Java Security, there is a lot of low-level stuff that you might
> not be very interested as J2EE applications developer), and couple of J2EE
> books in general.
>
> This is the only one that I found discussed on KeyManager, etc. The book
> review on amazon.com is here:
> http://www.amazon.com/exec/obidos/tg/detail/-/0131402641/qid=1076532091/sr=1-1/ref=sr_1_1/102-0186328-5350516?v=glance&s=books
>
> Kind of controversial. I have not spent enough time to give worthy
> feedback.
>
> Jian
>
>
> "Shah, Soniya M. [RA]" <[EMAIL PROTECTED].com>
> 11/02/2004 02:41 PM
> Please respond to axis-user
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: how to sepcify certificate alias
>
> In my case, I have one client which access many servers.
>
> I did not have to do anything in the client code for it to happen. It just
> works. I think underlying ssl implementation figures out which certificate
> to use, based on which certificate does the server presents.
>
> I am using sun's implementation.
>
> My understanding is when ssl communication begins, server presents its
> certificate and then the client has to decide if it wants to trust that
> certificate. It does so by looking into the trust store file. I saw some
> questions about server choosing a particular certificate for a client. I do
> not have any knowledge how to do that.
>
> You just need to use the alias for each certificate in truststore to manage
> it. E.g. replace, remove etc.
>
> BTW, did you like the J2EE security book by Pankaj Kumar. I looked at the
> sample chapter and liked it so planning to buy it.
>
> Soniya
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 11 February 2004 1:08 PM
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: how to sepcify certificate alias
>
> I can give different aliases to different certificates.
> The problem is that the first one that CA recognize will be taken no matter
> which client is accessing the server.
>
> How did you tell the implementation the alias value?
>
> I went to the bookstore and found in the book "J2EE Security" by Pankaj
> Kumar. The book basically said that with the default implementation, you
> can not:
> 1) use different password from the keystore file for certificate
> 2) the first "valid" certificate (from the CA on the server side) will be
>    picked up by the default implementation.
>    The second one or any other one doesn't have a chance to be used.
>
> The solution is to implement the KeyManager and KeyManagerFactory.
>
>
> "Shah, Soniya M. [RA]" <[EMAIL PROTECTED].com>
> 11/02/2004 12:44 PM
> Please respond to axis-user
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: how to sepcify certificate alias
>
> I use a different alias for each certificate and it is working. I have
> about 10 certificates in the trust store file and the client can talk to
> each of those server.
>
> Soniya
>
> -----Original Message-----
> From: bethana kumar [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 11 February 2004 12:08 PM
> To: [EMAIL PROTECTED]
> Subject: RE: how to sepcify certificate alias
>
> Hi
>
> I really do not understand how come JSSE does not allow specifying the
> alias while the keystore file can store multiple certificates
>
> U can give different alias name for each certificate....if u give
> different names then we can store multiple certificates in same keystore.
>
> Why dont u read application specific parameters from web.xml...we have
> done this type ..
>
> what we made is that in our web.xml we made CERTIFICATE FILE as a key and
> its values are different for different application
>
> Ex: CERTIFICATE FILE= ../webapps/location/WEB-INF/dialogsKeystore.bin
>
> passPhrase="abcd"; //password for this keystore.
>
> here dialogsKeystore.bin contains all certificates relevant to this
> application.
>
> In your code u can write like this
>
> // JSSE reads the trust store settings from system properties
> System.setProperty("javax.net.ssl.trustStore", CERTIFICATEFILE);
> System.setProperty("javax.net.ssl.trustStorePassword", passPhrase);
>
>
> [EMAIL PROTECTED] wrote:
>
> We are using IBM implementation.
>
> We want to deploy two applications into the same JVM and what we have done
> so far is to define the system properties directly as JVM parameters. So
> both applications share the same system properties, and hence the same
> keystore file path.
>
> Even we put these definitions into the application code, I think that
> won't work either because the second application that runs the code for
> setting system properties will change the system properties values set by
> the first application at run time (the first application refers to the
> application that runs the system properties values setting code first).
>
> I really do not understand how come JSSE does not allow specifying the
> alias while the keystore file can store multiple certificates.
>
> Thanks for the comments.
>
> Jian
>
>
> Leo de Blaauw
> 11/02/2004 02:44 AM
> Please respond to axis-user
> cc:
> Subject: RE: how to sepcify certificate alias
>
> Hi,
>
> Well the short answer is it depends on the ssl library you use, for
> instance sun or ibm. Both, as far as i know, don't allow you to do this
> out of the box. In my experience they both take the first client
> certificate found in the key store. We just use a different key store per
> client. You could write your own keymanager class which subclasses the
> keymanager of your ssl implementation, but i have not found a working way
> yet on using that from within axis.
>
> Greetz
> Leo
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 2004 20:53
> To: [EMAIL PROTECTED]
> Subject: how to sepcify certificate alias
>
> I have two applications that access a web service. We use HTTPS for
> authentication and encryption.
> We can get these applications access the service with one certificate
> stored in one keystore file, but we want them to use two different
> certificates. The two certificates can be saved in one keystore file.
> Both applications run inside the same application server instance (JVM).
>
> The problem is that we can use system property to specify where the
> keystore file is, but I can not find in JSSE document how a certificate
> alias is specified to tell which application is using which certificate.
>
> Any idea?
>
> Thanks
>
> Jian
