On Fri, Oct 30, 2009 at 4:10 AM, Scott Lawrence <[email protected]>wrote:
> On Thu, 2009-10-29 at 23:48 +0200, Mircea Mihai Carasel wrote: > > > > > > > > There is no guarantee on when and how truststore is accessed. > > Different JVM > > can probably do it in a different ways. I'd rather not rely on > > the fact > > that it can be changed after process is started. > > > > Besides sipXconfig is not the only application that is using > > sipXecs java > > truststore. Ranga externalized truststore creation and we > > should not mess > > with it. Or mess with Ranga ;-) > > > > There is something to be said about having all CAs a single > > place and > > treated equally. I think we should just treat sipXecs java > > truststore a > > specific format in which java services consume trusted CA > > certs. It's > > content should be always consistent with what we have in > > etc/sipxpbx/ssl/authorities > > > > I think I found a reasonable solution to match all goals > > The sipXconfig TrustStore: authorities.jks gets created when > > initial-config script is run. > > On the back-end initial-config runs gen-ssl-keys.sh that actually > > creates authorities.jks > > The Tapestry InitialConfigService runs initial-config script, that > > generates certificates, authorities.jks. Here we can safely add > > our code that copies the default CAs right after initial-config script > > run > > > > Also, initial-config script is responsible with certificates > > generation for all locations in the cluster, so all locations will > > have a complete authorities.jks > > > > What do you think - is that a reasonable solution ? > > The certificates can be changed or added to at any time after the > initial installation. > > Can we please have someone research how to get java applications to > import the certificates and authorities directly from the crt and key > files without all this conversion to truststore and keystore business? > I just do not believe that there isn't a way to do this. > Java can easily load/store certificates in truststore files using: java.security.KeyStore Also KeyStore.aliases() returns all available aliases found in the given keystore file. We can easily update the sipxconfig generated authorities.jks to add default JDK certificates (I made a small java program to test this and it is doable) A small example: http://www.exampledepot.com/egs/java.security/AddCert.html I was only proposing to use this Java mechanism to copy default JDK authorized certificates (from jssecacerts/cacerts JDK keystore file) into our authorities.jks right after initial-config script is run (handled by sipXconfig's Tapestry InitialConfigService). (initial-config script is responsible with sipx certificate and authorities.jks files creation for every host in the cluster) bin/sipxecs-setup script defines the required URL and calls this service during host certificate creation (for every host in the cluster) This seems to me the best place to do that (implement java mechanism and execute it in InitialConfigService after authorities.jks is created) For certificates that are saved in separate .crt files (not needed right now) we can easily do something like: InputStream inStream = new FileInputStream("fileName-of-cert"); CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream); inStream.close(); In order to save this certificate in a dedicated KeyStore we would do: KeyStore ks ...load file ks.setCertificate(alias, cert) ...save updated keystore file ks.store(outputStream, password); Mircea
_______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev sipXecs IP PBX -- http://www.sipfoundry.org/
