Re: JDBC with SSL

From: Bruno Harbulot <bruno(at)distributedmatter(dot)net>
To: pgsql-jdbc(at)postgresql(dot)org
Cc: Craig Ringer <ringerc(at)ringerc(dot)id(dot)au>
Subject: Re: JDBC with SSL
Date: 2011-12-07 16:27:47
Message-ID: 4EDF9403.9060400@distributedmatter.net
Lists: pgsql-jdbc

On 07/12/2011 05:06, Craig Ringer wrote:
> On 07/12/11 03:43, Walter Hurry wrote:
>> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>>
>>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>>> -------------------------------------------------------------
>>>> $ java
>>>> -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>> -Djavax.net.ssl.keyStorePassword=changeit \
>>>> -Djavax.net.ssl.keyStoreType="jks" \
>>>>
>>> I thought you could only use a JECKS store when including private keys?
>> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean I
>> have the keyStoreType wrong?
>
> JKS and JECKS are two different key store formats. Keytool understands
> both. If my memory serves, JECKS is the encrypted keystore format,
> intended for storing private key data. I think you can use JECKS for
> both certificate and key data, but you can use JKS only for certificate
> data, NOT for key data.

You can store certificates and/or private keys in both JKS and JECKS.

PKCS12 is somewhat different in that, to store a certificate (or a
certificate chain), it requires there to be a private key associated
with this certificate. Java isn't the only implementation with this
limitation, but I must admit I can't remember what the PKCS#12
specification itself says about it.

More details on JKS/JECKS, from:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation

> "jceks" is an alternate proprietary keystore format to "jks" that uses much stronger encryption in the form of Password-Based Encryption with Triple-DES.

The default keystore type with the Oracle security provider is JKS; you
can check this using KeyStore.getDefaultType().

If your initial key and certs were in PEM format (as used by psql), it
might be easier to build a PKCS#12 store with OpenSSL:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercreds.p12

You can then use it with KeyStore type "PKCS12" (no #) from Java directly.
You could also convert this PKCS#12 file into a JKS/JECKS keystore using
keytool and its -importstore options (only in Java 6+).

Best wishes,

Bruno.
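The following is an added example, not code from this thread: a small Java program that loads the client keystore with the type you intend to pass as javax.net.ssl.keyStoreType, prints KeyStore.getDefaultType(), and checks that the store actually contains a private-key entry with its certificate chain (which is what the JDBC driver needs to present a client certificate; a JKS/JCEKS store can also hold certificate-only trusted entries, which do not count). The class name KeyStoreCheck and the command-line arguments are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Added example (hypothetical class, not from the thread).
 *  Usage: java KeyStoreCheck <path> <JKS|JCEKS|PKCS12> <password> */
public class KeyStoreCheck {

    /** Loads the store and returns true if it holds at least one private key
     *  entry with a certificate, i.e. something usable for SSL client auth. */
    public static boolean hasClientKey(String path, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // "PKCS12", no '#'
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Key entry: private key plus chain (the only kind PKCS12 holds).
                // A JCEKS secret-key entry has no certificate, so guard for null.
                X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
                if (leaf == null) continue;
                System.out.println("key entry    " + alias + " -> "
                        + leaf.getSubjectX500Principal());
                usable = true;
            } else if (ks.isCertificateEntry(alias)) {
                // Trusted cert only: valid in JKS/JCEKS, but belongs in a truststore
                System.out.println("trusted cert " + alias);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], type = args[1];
        System.out.println("default keystore type: " + KeyStore.getDefaultType());
        if (!hasClientKey(path, type, args[2].toCharArray())) {
            System.err.println("no private key entry: driver cannot present a client cert");
            System.exit(1);
        }
        // Same properties the thread passes with -D; the driver reads them from the JVM
        System.setProperty("javax.net.ssl.keyStore", path);
        System.setProperty("javax.net.ssl.keyStoreType", type);
        System.setProperty("javax.net.ssl.keyStorePassword", args[2]);
    }
}
```

Running it against usercreds.p12 with type PKCS12 should list one key entry; running it against a JKS store that only received a certificate via keytool -importcert will list a trusted cert and exit 1, which is the symptom the thread is chasing.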
