In Java "KeyStore" and "TrustStore" are different concepts.
Your private keys should be in the "keystore", and certificates for your trusted authorities (CA's) should be in your "truststore".
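
As an added example that is not part of this thread or of Jetty, the Java check below applies the rule above together with the advice further down the thread that the CA's certificate (not a private key) is the only thing that belongs in the truststore. The class name `StoreCheck`, the alias `jetty` (taken from the thread), and the command-line paths are assumptions for illustration. It opens a keystore and a truststore, confirms the private-key entry sits in the keystore, confirms the truststore holds no key entries, and runs a PKIX validation of the stored chain against the truststore's CA certificates.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * StoreCheck: hypothetical diagnostic, not part of Jetty. Verifies that a
 * keystore/truststore pair is laid out as the thread recommends: private key
 * under the expected alias in the keystore, CA certificates (and nothing else)
 * in the truststore, and the server chain validating against those CA certs.
 */
public class StoreCheck {

    /** Open a store of the JDK default type (JKS on JDKs of this era). */
    static KeyStore load(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** The connector needs a private-key entry under its alias to terminate TLS. */
    static boolean hasPrivateKey(KeyStore ks, String alias) throws GeneralSecurityException {
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }

    /** Aliases of key entries; for a truststore this list should be empty. */
    static List<String> keyEntryAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> found = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                found.add(alias);
            }
        }
        return found;
    }

    /**
     * PKIX-validate the chain stored under alias against the truststore.
     * Certificates that are themselves in the truststore are trust anchors,
     * so they are left out of the path rather than validated as links.
     */
    static boolean chainTrustedBy(KeyStore keystore, String alias, KeyStore truststore) {
        try {
            Certificate[] chain = keystore.getCertificateChain(alias);
            if (chain == null) {
                return false; // no key entry (or no chain) under that alias
            }
            List<Certificate> path = new ArrayList<>();
            for (Certificate c : chain) {
                if (truststore.getCertificateAlias(c) == null) {
                    path.add(c);
                }
            }
            if (path.isEmpty()) {
                return false; // the "chain" consisted only of anchors; nothing to validate
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(truststore); // throws if no trusted certs
            params.setRevocationEnabled(false); // offline check; no CRL/OCSP configured here
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (GeneralSecurityException e) {
            System.err.println("chain validation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: StoreCheck <keystore> <storePass> <truststore> <trustPass>");
            System.exit(2);
        }
        String alias = "jetty"; // alias used in the thread; adjust to your connector's setting
        if (args[0].equals(args[2])) {
            System.out.println("WARNING: keystore and truststore are the same file; "
                    + "every trusted-certificate entry in it becomes a trust anchor");
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore ts = load(args[2], args[3].toCharArray());

        System.out.println("private key under alias '" + alias + "': " + hasPrivateKey(ks, alias));
        System.out.println("key entries in truststore (should be none): " + keyEntryAliases(ts));
        System.out.println("server chain trusted by truststore: " + chainTrustedBy(ks, alias, ts));
    }
}
```

Run it as `java StoreCheck <keystore> <storePass> <truststore> <trustPass>`. A peer that cannot validate the presented chain against its own truststore answers with the fatal `unknown_ca` alert that appears in the log below, so the third line of output is the one to watch; pointing the connector's `truststore` at a separate file holding only the CA certificate is the layout the thread recommends.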




________________________________
From: Miten Mehta <[email protected]>
To: JETTY user mailing list <[email protected]>
Sent: Tue, January 18, 2011 2:24:59 AM
Subject: Re: [jetty-users] ssl setup

Hi,

Without the jetty alias private key in the keystore, how will jetty decrypt ssl communication? I assume the server certificate public key will be used to sign content sent to the server, and the server would need to use the private key to decrypt.

Regards,

Miten




On Mon, Jan 17, 2011 at 8:47 PM, Justin Sands <[email protected]> wrote:

>Most likely your client certificate is self signed.  This won't work.
>
>> javax.net.ssl.SSLException: Received fatal alert: unknown_ca
>
>Your certificate authority (ca) must sign the client cert.  The CA's certificate (not private key) should be the only thing in your truststore.
>
>
>
>________________________________
>From: Miten Mehta <[email protected]>
>To: JETTY user mailing list <[email protected]>
>Sent: Mon, January 17, 2011 7:45:38  AM
>Subject: [jetty-users] ssl setup
>
>
>Hi,
>
>I have c:\working\mykeystore\.jetty_keystore in which I created and imported a certificate using openssl and commands from
>
>http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>
>http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
>
>The keystore imported the pkcs12 as an entry with alias 1, so I changed it to alias jetty.  I am trying clear text passwords, but I am just doing things locally on my pc.
>
>The keystore is the only keystore I have set up, and I have jetty-ssl.xml as below:
><Call name="addConnector">
>  <Arg>
>    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>      <Set name="Port">8443</Set>
>      <Set name="maxIdleTime">30000</Set>
>      <Set name="Acceptors">2</Set>
>      <Set name="AcceptQueueSize">100</Set>
>      <Set name="Keystore">C:/working/mykeystore/.jetty_keystore</Set>
>      <Set name="Password">storePass123</Set>
>      <Set name="KeyPassword">password</Set>
>      <Set name="truststore">C:/working/mykeystore/.jetty_keystore</Set>
>      <Set name="trustPassword">storePass123</Set>
>    </New>
>  </Arg>
></Call>
>
>
>Is it a problem that both keystore and truststore are the same?
>
>I get the below in the jetty logs:
>
>2011-01-17 17:57:54.500:INFO::Started [email protected]:8443
>2011-01-17 17:57:54.500:DBUG::STARTED [email protected]:8443
>org.eclipse.jetty.server.Server@9e5c73 STOPPED
> +-DebugHandler@4fc156 started
>    +-HandlerCollection@1a06e38 started
>       +-ContextHandlerCollection@2200d5 started
>       +-DefaultHandler@64ab4d started
>
>2011-01-17 17:57:54.500:DBUG::STARTED org.eclipse.jetty.server.Server@9e5c73
>2011-01-17 17:57:54.921:DBUG::loaded class 
>org.eclipse.jetty.io.nio.SelectorManager$SelectSet$2 from ContextLoader@Test 
>WebApp([file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/classes/,
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-client-7.1.4.v20100610.jar,
>, 
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-continuation-7.1.4.v20100610.jar,
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-http-7.1.4.v20100610.jar,
>, 
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-io-7.1.4.v20100610.jar,
>  
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-servlets-7.1.4.v20100610.jar,
>file:/C:/Documents%20and%20Settings/mitenm/Local%20Settings/Temp/Jetty_0_0_0_0_8080_test.war____.hcx133/webapp/WEB-INF/lib/jetty-util-7.1.4.v20100610.jar])
>) / 
>StartLoader[file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/com.sun.el_1.0.0.v201004190952.jar,
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/ecj-3.6RC4.jar,
> 
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/javax.el_2.1.0.v201004190952.jar,
>, 
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/javax.servlet.jsp_2.1.0.v201004190952.jar,
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/javax.servlet.jsp.jstl_1.2.0.v201004190952.jar,
>, 
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/jetty-jsp-2.1-7.1.4.v20100610.jar,
>  
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/org.apache.jasper.glassfish_2.1.0.v201004190952.jar,
>file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/lib/jsp/org.apache.taglibs.standard.glassfish_1.2.0.v201004190952.jar,
>, file:/I%3a/learn/java/jetty-distribution-7.1.4.v20100610/resources/]
>2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] channel=java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:2856]
>2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 158
>2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
>2011-01-17 18:00:17.955:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap unwrap Status = OK HandshakeStatus = NEED_TASK|bytesConsumed = 158 bytesProduced = 0
>2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] fill wrap Status = OK HandshakeStatus = NEED_UNWRAP|bytesConsumed = 0 bytesProduced = 1419
>2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] Flushed 1419/1419
>2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
>2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 7
>2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled -1
>2011-01-17 18:00:18.095:WARN::javax.net.ssl.SSLException: Received fatal alert: unknown_ca
>2011-01-17 18:00:18.095:INFO::EXCEPTION 
>javax.net.ssl.SSLException: Received fatal alert: unknown_ca
>    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
>    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
>    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
>    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
>    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>    at java.lang.Thread.run(Thread.java:619)
>2011-01-17 18:00:18.095:INFO::EXCEPTION 
>javax.net.ssl.SSLException: Received fatal alert: unknown_ca
>    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
>    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
>    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
>    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
>    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>    at java.lang.Thread.run(Thread.java:619)
>2011-01-17 18:00:18.095:DBUG::EOF org.eclipse.jetty.io.EofException
>2011-01-17 18:00:55.096:DBUG::org.eclipse.jetty.io.nio.SelectorManager$SelectSet@bd09e8 JVM BUG(s) - cancelled keys 1 times
>2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] channel=java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:2884]
>2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
>2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 158
>2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
>2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap unwrap Status = OK HandshakeStatus = NEED_TASK|bytesConsumed = 158 bytesProduced = 0
>2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] fill wrap Status = OK HandshakeStatus = NEED_UNWRAP|bytesConsumed = 0 bytesProduced = 1419
>2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] Flushed 1419/1419
>2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
>2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 7
>2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled -1
>2011-01-17 18:05:24.833:WARN::javax.net.ssl.SSLException: Received fatal alert: access_denied
>2011-01-17 18:05:24.833:INFO::EXCEPTION 
>javax.net.ssl.SSLException: Received fatal alert: access_denied
>    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
>    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
>    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
>    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
>    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>    at java.lang.Thread.run(Thread.java:619)
>2011-01-17 18:05:24.833:INFO::EXCEPTION 
>javax.net.ssl.SSLException: Received fatal alert: access_denied
>    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
>    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
>    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
>    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
>    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
>    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
>    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>    at java.lang.Thread.run(Thread.java:619)
>2011-01-17 18:05:24.833:DBUG::EOF org.eclipse.jetty.io.EofException
>
>
>Regards,
>
>Miten
>
>
>
>_______________________________________________
>jetty-users mailing list
>[email protected]
>https://dev.eclipse.org/mailman/listinfo/jetty-users
>
>
