Re: JDBC with SSL

Поиск
Список
Период
Сортировка
От Bruno Harbulot
Тема Re: JDBC with SSL
Дата
Msg-id 4EDF9403.9060400@distributedmatter.net
обсуждение исходный текст
Ответ на Re: JDBC with SSL  (Craig Ringer <ringerc@ringerc.id.au>)
Ответы Re: JDBC with SSL  (Bruno Harbulot <bruno@distributedmatter.net>)
Список pgsql-jdbc
On 07/12/2011 05:06, Craig Ringer wrote:
> On 07/12/11 03:43, Walter Hurry wrote:
>> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>>
>>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>>> ------------------------------------------------------------- $ java
>>>> -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>>          -Djavax.net.ssl.keyStorePassword=changeit \
>>>>          -Djavax.net.ssl.keyStoreType="jks" \
>>>>
>>> I thought you could only use a JECKS store when including private keys?
>> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean I
>> have the keyStoreType wrong?
>
> JKS and JECKS are two different key store formats. Keytool understands
> both. If my memory serves, JECKS is the encrypted keystore format,
> intended for storing private key data. I think you can use JECKS for
> both certificate and key data, but you can use JKS only for certificate
> data, NOT  for key data.

You can store certificates and/or private keys in both JKS and JECKS.

PKCS12 is somewhat different in that, to store a certificate (or a
certificate chain), it requires there to be a private key associated
with this certificate. Java isn't the only implementation with this
limitation, but I must admit I can't remember what the PKCS#12
specification itself says about it.


More details on JKS/JECKS, from:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation

> jceks" is an alternate proprietary keystore format to "jks" that uses much stronger encryption in the form of
Password-BasedEncryption with Triple-DES. 



The default keystore type with the Oracle security provider is JKS; you
can check this using KeyStore.getDefaultType().


If your initial key and certs where in PEM format (as used by psql), it
might be easier to build a PKCS#12 store with OpenSSL:

    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out
usercreds.p12


You can then use it with KeyStore type "PKCS12" (no #) from Java directly.
You could also convert this PKCS#12 file into a JKS/JECKS keystore using
keytool and its -importstore options (only in Java 6+).


Best wishes,

Bruno.

В списке pgsql-jdbc по дате отправления:

Предыдущее
От: pharoz
Дата:
Сообщение: Re: Problems with Hibernate Discriminators and 9.0-801.jdbc4
Следующее
От: Bruno Harbulot
Дата:
Сообщение: Re: JDBC with SSL