PKI in Java causes trouble for even the most seasoned Java developers
and sysadmins. There are two fundamental credential stores you need
to consider in any PKI setup:
- keystore - contains keys and certs that _you_ use to identify
yourself to others
- truststore - contains certificates you trust for _others_ to
identify themselves
Your problem is most certainly a truststore-related issue as you can
do HTTPS (requiring a keystore keypair), but the server fails to
connect to another host due to insufficient trust ("PKIX path building
failed").
The CASUM demo puts the keypair in the system keystore, which is used
as _both_ a keystore and truststore by default. In JBoss, on the
other hand, the keystore and truststore are configured (by default I
believe) to point to separate files. You could likely solve your
problem by pointing both the keystore and truststore to the same file
containing the self-signed test cert you generated according to the
CASUM directions.
I would avoid the habit of importing self-signed certificates into the
system keystore except for testing and development purposes. The
CASUM instructions clearly assume testing and development, and are
reasonable in that light only.
M
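The keystore/truststore mismatch described in the message above can be checked offline. This is an added example, not part of the original message or of CAS or JBoss code; the class name `TrustCheck`, its four command-line arguments and the `"ECDHE_RSA"` auth type are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example. Usage: java TrustCheck <keystore> <ksPass> <truststore> <tsPass>
public class TrustCheck {
    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass.toCharArray()); }
        return ks;
    }

    // Build the same kind of trust manager JSSE would use for this truststore.
    static X509TrustManager trustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) { System.err.println("usage: TrustCheck ks ksPass ts tsPass"); System.exit(2); }
        KeyStore keyStore = load(args[0], args[1]);
        X509TrustManager tm = trustManager(load(args[2], args[3]));
        int untrusted = 0;
        for (String alias : Collections.list(keyStore.aliases())) {
            Certificate[] chain = keyStore.getCertificateChain(alias); // null unless a key entry
            if (chain == null || chain.length == 0) continue;
            X509Certificate[] x509 = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
            try {
                // authType only selects the key-usage check; "ECDHE_RSA" is an assumed value.
                tm.checkServerTrusted(x509, "ECDHE_RSA");
                System.out.println("trusted:     " + alias);
            } catch (CertificateException | RuntimeException e) {
                // An empty truststore can surface as a RuntimeException rather than a CertificateException.
                untrusted++;
                System.out.println("NOT trusted: " + alias + " -> " + e.getMessage());
            }
        }
        System.exit(untrusted == 0 ? 0 : 1);
    }
}
```

Run it with the keystore and truststore files the server is actually configured to use; passing the same file for both corresponds to the single-file setup the message suggests.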