Re: JDBC with SSL

On Wed, 07 Dec 2011 16:27:47 +0000, Bruno Harbulot wrote:

> On 07/12/2011 05:06, Craig Ringer wrote:
>> On 07/12/11 03:43, Walter Hurry wrote:
>>> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>>>
>>>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>>>> ------------------------------------------------------------- $ java
>>>>> -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>>>          -Djavax.net.ssl.keyStorePassword=changeit \
>>>>>          -Djavax.net.ssl.keyStoreType="jks" \
>>>>>
>>>> I thought you could only use a JECKS store when including private
>>>> keys?
>>> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean
>>> I have the keyStoreType wrong?
>>
>> JKS and JECKS are two different key store formats. Keytool understands
>> both. If my memory serves, JECKS is the encrypted keystore format,
>> intended for storing private key data. I think you can use JECKS for
>> both certificate and key data, but you can use JKS only for certificate
>> data, NOT  for key data.
>
> You can store certificates and/or private keys in both JKS and JECKS.
>
> PKCS12 is somewhat different in that, to store a certificate (or a
> certificate chain), it requires there to be a private key associated
> with this certificate. Java isn't the only implementation with this
> limitation, but I must admit I can't remember what the PKCS#12
> specification itself says about it.
>
>
> More details on JKS/JECKS, from:
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/
CryptoSpec.html#KeystoreImplementation
>
>> jceks" is an alternate proprietary keystore format to "jks" that uses
>> much stronger encryption in the form of Password-Based Encryption with
>> Triple-DES.
>
>
>
> The default keystore type with the Oracle security provider is JKS; you
> can check this using KeyStore.getDefaultType().
>
>
> If your initial key and certs where in PEM format (as used by psql), it
> might be easier to build a PKCS#12 store with OpenSSL:
>
>     openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out
> usercreds.p12
>
>
> You can then use it with KeyStore type "PKCS12" (no #) from Java
> directly.
> You could also convert this PKCS#12 file into a JKS/JECKS keystore using
> keytool and its -importstore options (only in Java 6+).

Eureka! That nailed it (I used the pkcs12 file as it was, and didn't
bother to convert it). Very many thanks Bruno, and to everyone who
offered help. It is deeply appreciated.

$ java -Djavax.net.ssl.keyStore=$HOME/.postgresql/postgresql.p12 \
>        -Djavax.net.ssl.keyStorePassword=changeit \
>        -Djavax.net.ssl.keyStoreType=PKCS12 \
>        -Djavax.net.ssl.trustStore=$HOME/.postgresql/server.jceks \
>        -Djavax.net.ssl.trustStorePassword=changeit \
>        -Djavax.net.ssl.trustStoreType=jceks \
>        JDBCExample neptune misc
-------- PostgreSQL JDBC Connection Testing ------------
PostgreSQL JDBC driver registered
Getting connection to jdbc:postgresql://neptune/misc
Connection successful
$

Thanks again,
Walter