Hi Andrew
Thanks for the advice, i had figured most of it out already but couldn't
quite get there. I wasn't sure what to do with ofbiztrust.jks as it
looked like ofbizrmi.jks and ofbizcerts.jks covered the keys i needed.
I deleted the respective client/server trustcerts and keys from those 2
keystores and then created new keys and exported the public certs, but
that didn't work. When it looked like i needed to start signing the
keys (because the default ones have a cert chain?) thats when i gave up.
But anyway all i wanted to do was have a go with rmi and see how i could
get it to do a few things i need doing, production isn't even a dot on
the horizon at this stage.
Thanks for your help
Scott
Andrew Sykes wrote:
Scott,
You really don't want to use the SSL cert straight out of SVN, as this
would allow anyone else with a default cert to connect to your server.
It's we'll worth looking at the instructions to make sure you can
generate certs for yourself.
One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
setup at both ends.
For testing, the easiest way is to create a certificate export it to the
trust store and then just copy both these files to the other instance.
For production, remember that the truststore of the "client" would hold
the public key exported from the keystore of the "server". Conversely
the truststore of the "server" would hold the public key exported from
the keystore of the "client".
Making the keystore and truststore identical on both sides makes life a
bit easier for testing, but make sure you toughen things up before you
go into production!!!
- Andrew
On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
I'm trying to use the ExampleRemoteClient in
framework/service/src/org/ofbiz/service/rmi but the client won't connect
because the rmi server certificate has expired and i dont know how to
replace it. I was hoping someone who knew how could replace it in the svn.
BJ Freeman wrote:
at what level.
how to replace the JKS or how to create the JKS
if you look in the base/config you will see all the jks file including
the rmi.
Scott Gray sent the following on 7/8/2006 8:54 PM:
Hi BJ
I saw the thread when it came through, that's what made me want to
take a look at rmi. The thread didn't seem to have anything to do
with expired certificates though, and that's what i was hoping
someone who knows how could do, replace the expired rmi server
certificate.
I also saw Andrew's discussion with David and Andy on the old list
from a year or two ago, but that didn't help me much either.
Regards
Scott
BJ Freeman wrote:
there was a discussion last few days in the user mailing list about RMI
Brett palmer gave some details.
Scott Gray sent the following on 7/8/2006 8:19 PM:
Hi All
I was wondering if anybody who knows how to do it, would mind
updating the ssl certs for the rmi server? I've been staring at
the files for most of the day but i really have no idea about ssl,
and what was going to be a quick browse through rmi is turning into
a long browse through ssl. Any help would be appreciated.
Thanks
Scott
