Re: Client Certificate Authentication

On 03/16/2013 01:21 AM, "Gabriel E. Sánchez Martínez" wrote:
> I have a PostgreSQL database on a server. For security reasons, all
> client access from outside the server is restricted to certificate
> mode, i.e. the client sends SSL certificates rather than a password.
> Connecting with pgAdmin works well. Is there a way of creating a Java
> application that connects to this database with certificates? Any
> how-to guides, examples, or pointers on how to achieve this?
In most cases you can set the JSEE keystore and truststore properties to
get Java to use an existing keystore and truststore with your private
key and the server's public certificate installed. In particular, see:

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores

The keystore must be in JECKS format. You can create it with keytool.
Import the user's client certificate into it; you'll most likely have a
pkcs#12 format cert (.p12 file) but you might instead have separate PEM
format key and certs.

The truststore is optional and may be in JKS format if provided. If you
don't provide a truststore the system wide SSL root certificate trust
store for Java is used. That's fine unless your server is using a
self-signed cert for the server, in which case you'll want to either add
your private CA cert to the system truststore or specify your own
truststore as a jvm system property.

If you cannot use the system properties for whatever reason then you
need to provide your own SSLSocketFactory that uses the JSSE APIs to
load a keystore and truststore.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services