• RELEVANCY SCORE 4.94

    DB:4.94:Getting Certificates And Private Keys From Microsoft's Keystore fc





    Hi,

    I want to access certificates and keys in my Java application from the Microsoft Internet Explorer keystore, is there any way to do this?

    Regards,
    YK

    DB:4.94:Getting Certificates And Private Keys From Microsoft's Keystore fc

    Thanks for your fruitful reply sir,

    Now I have found many solutions to do this work. If
    you also want these solutions you can ask, and you
    need not pay even a single dollar to me sir.

    Why do I need to ask you if there is a Google? But anyway, you should consider reading this: http://forum.java.sun.com/rewardFaq.jsp

  • RELEVANCY SCORE 4.42

    DB:4.42:How Tp Generate Keystores , Keys And Certificates Programatically... 9m





    Hi, I need to manipulate the keys and certificates in a keystore, like generating keys, adding them to the keystore, generating certificates and importing certificates, etc., from a Java program.

    Can anyone please help me with this? Is there a piece of sample code somewhere? Can you please give me the address to it, or can you please mail me at mich112@hotmail.com

    Thanks
    Rajeev

    DB:4.42:How Tp Generate Keystores , Keys And Certificates Programatically... 9m

    Use the keytool utility.

    You can use keytool.exe or use the same with the Java class sun.security.tools.KeyTool.

    Sample code to import a certificate:

    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // aAlias, aFileName, aKeyStore and aStorePass are Strings supplied by the caller
    String lParam [] = {"-import", "-alias", aAlias, "-file", aFileName, "-keystore", aKeyStore, "-storepass", aStorePass, "-noprompt"};

    // runs keytool in-process with the same arguments as on the command line
    sun.security.tools.KeyTool.main(lParam);

  • RELEVANCY SCORE 3.98

    DB:3.98:Accessing Pgp Keys From Sap Pi Keystore Programatically In Sap Pi 7.0 xs






    Hi All,

    We are trying to implement PGP encryption and decryption using public and private keys.

    We have a few queries regarding the same.

    1) Can we upload PGP keys in SAP keystore? How do we upload them?

    2) How do we access PGP keys from keystore programmatically? We tried accessing using the Keystore API

    Thanks in Advance,

    Rajesh

    DB:3.98:Accessing Pgp Keys From Sap Pi Keystore Programatically In Sap Pi 7.0 xs


    Hi ,

    PGP keys can not be loaded into the keystore. You may write some wrapper Java class to convert the PGP key and load it into the keystore.

  • RELEVANCY SCORE 3.95

    DB:3.95:Unable To Import Certificate Into Keystore kd


    I'm not sure if this is more of a Tomcat question or a Java question, so I'm posting it to this forum as well as a Tomcat users forum...

    Configuration:

    Tomcat version: Tomcat 5.5.20
    JDK: 1.5.0_06
    OS: Windows Server 2003, Standard Edition

    Problem:

    We use Tomcat for B2B communication with one of our partners over HTTP / HTTPS, implementing some of the RosettaNet interfaces. Tomcat sometimes functions as a client, sometimes as a server for this purpose. For the SSL / HTTPS communications, we and our partners need to recognize each other's certificates. So the person who set this up originally for my company (I inherited this thing from a guy who's no longer here) imported our partner's certificates into our keystore, and things are working fine. Our partner now sends us a new certificate and tells us we need to import this new one. So I execute the following...

    keytool -import -alias <keystore alias> -keystore <path to keystore>\.keystore -file <path to certificate>\CompanynameProdCert.der

    Keytool asks me for our keystore password, which I supply, and then I get the following error:

    keytool error: java.lang.Exception: Public keys in reply and keystore don't match

    I am a complete and total novice regarding SSL and cryptography in general, so please don't lambaste me for not knowing the basics, but after having consulted Google, I'm pretty much at a loss regarding how to proceed.

    Any help will be very much appreciated.

    TIA,
    David

    DB:3.95:Unable To Import Certificate Into Keystore kd

    The server's certificate goes into the client's truststore, which is usually separate from its keystore.

  • RELEVANCY SCORE 3.93

    DB:3.93:Signing Multiple Jars cf


    Hi,

    I am going to create a set of trusted jars with a single certificate. Let me explain the steps I followed.

    Step 1:
    keytool -genkey -dname "cn=oraclejar,ou=oraclejar,o=oraclejar,c=India" -alias oraclejar -keypass oraclejar -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar -validity 365

    Step 2:
    keytool -list -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar

    Step 3:
    jarsigner -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar -keypass oraclejar mymenu.jar mytools.jar oraclejar

    In the above step I'm trying to create 2 jars (mymenu.jar, mytools.jar) as trusted with a single certificate. But the following error occurs:

    jarsigner: Certificate chain not found for: mytools.jar. mytools.jar must reference a valid KeyStore key containing a private key and corresponding public key certificate chain.

    I don't know where it goes wrong. Anyone please guide me.

    - Sep

  • RELEVANCY SCORE 3.77

    DB:3.77:No Trusted Certificate Found 7f


    Hello,

    One year ago I was setting up SSL certificates for my MySQL-Server as described on http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html.

    Afterwards I added these lines to my MySQL-Config file and restarted the server:

    [mysqld]
    ssl-ca=/DIR/TO/OPENSSL/cacert.pem
    ssl-cert=/DIR/TO/OPENSSL/server-cert.pem
    ssl-key=/DIR/TO/OPENSSL/server-key.pem

    Somehow I created the truststore and the keystore file, but I don't know how I did it one year ago. Until now, everything worked fine and the connection between my Java Application and the MySQL-Server was encrypted.

    The problem is: now the certificate has expired and I have to create new ones, so I did it again (on the MySQL-Server - a Linux machine) as described on the MySQL page.
    Then I created the keystore and the truststore file with java-keytool (on a Windows machine with Java 1.4.2_06). On the Windows system because on the MySQL-Server I have only Java 1.3 and I read that creating a keystore / truststore is only possible with Java version 1.4 or newer.

    Afterwards I started my Java Application and tried to connect to the MySQL-Server and got a SQL-Exception "No trusted certificate found".

    I am relatively sure, that I created the keystore and the truststore also with an openssl command on the system where I have my MySQL-Server, but I don't know how I did it. I am as sure, because on the MySQL-Server machine where I created the certificates, there is no keytool installed to create a keystore / truststore, but I do have these two files in my directory, where I created the certificates and keys (with openssh-command).

    So why should I have the truststore and the keystore file in this system, but I don't need them there ???

    Therefore I came to the conclusion that I created the truststore and keystore - however I did it - on the Linux machine with openssl or something else, but not with the Java keytool.

    Can anybody help me or give me a hint ?

    Thanks a lot!

    Regards,
    Thomas

  • RELEVANCY SCORE 3.76

    DB:3.76:Problem With Generating/Storing Keys cm


    Sorry for the long code post below, but I'm having trouble with keystores. I need to be able to store and read public/private keys multiple times - if the client can't find a set of keys it has already generated, it makes a new set:

    Security.addProvider(new BouncyCastleProvider());
    try{
        this.userID=userID;

        //check if the keystore file for the user already exists
        File keyStoreFile=new File(userID+".ks");
        if(keyStoreFile.exists()){
            System.out.println("Client Side KeyStore for user "+userID+" exists. Using existing keys.");
            //read the keystore file
            ks=KeyStore.getInstance("JCEKS");
            char[] password="clientkspwd".toCharArray();
            FileInputStream ksFis=new FileInputStream(userID+".ks");
            ks.load(ksFis, password);
            ksFis.close();

            //fetch the private key
            KeyStore.PrivateKeyEntry pke=(KeyStore.PrivateKeyEntry) ks.getEntry("privatekey", new KeyStore.PasswordProtection(password));
            prikey=pke.getPrivateKey();

            //fetch the certificate, and in turn the public key
            //KeyStore.TrustedCertificateEntry tce=(KeyStore.TrustedCertificateEntry) ks.getCertificate("privatekey_certificate");
            X509Certificate cert=(X509Certificate)ks.getCertificate("privatekey_certificate");
            pubkey=cert.getPublicKey();
            System.out.println("Public Key: "+pubkey.getEncoded());
            System.out.println("Private Key: "+prikey.getEncoded());
        }
        else{
            //if the file doesn't exist, generate a new public/private keyset

            kpg=KeyPairGenerator.getInstance("RSA");
            kpg.initialize(1024, new SecureRandom());
            kp=kpg.generateKeyPair();

            System.out.println("Generating a new keyset..\n");
            pubkey=kp.getPublic();
            System.out.println("Public Key is "+pubkey.getEncoded());
            prikey=kp.getPrivate();
            System.out.println("Private Key is "+prikey.getEncoded());

            //X509V1CertificateGenerator x5cg=new X509V1CertificateGenerator();
            X509V1CertificateGenerator x5cg=new X509V1CertificateGenerator();

            x5cg.setSerialNumber(BigInteger.valueOf(1));
            x5cg.setIssuerDN(new X509Principal("C=AU, O=BC, OU=BC Primary Certificate"));
            //1000L forces long arithmetic: as an int, 1000*60*60*24*30 overflows
            //and the validity window comes out inverted
            x5cg.setNotBefore(new Date(System.currentTimeMillis() - 1000L*60*60*24*30));
            x5cg.setNotAfter(new Date(System.currentTimeMillis() + (1000L*60*60*24*30)));
            x5cg.setSubjectDN(new X509Principal("C=AU, O=BC, OU=BC Primary Certificate"));
            x5cg.setPublicKey(pubkey);
            x5cg.setSignatureAlgorithm("MD5WithRSAEncryption");

            System.out.println("Made Generator");
            X509Certificate cert=x5cg.generateX509Certificate(prikey);

            java.security.cert.X509Certificate[] certificates={ cert };

            KeyStore.PrivateKeyEntry pkEntry=new KeyStore.PrivateKeyEntry(prikey, certificates);

            //verify the public key against the private key
            PublicKey result=cert.getPublicKey();
            if(pubkey.equals(result)) System.out.println("Keys are the same");

            //store the private key and certificate to a keystore file
            ks=KeyStore.getInstance("JCEKS");
            char[] password="clientkspwd".toCharArray();

            //save the keys to a keystore, "userID.ks"
            FileInputStream ksFis=null;
            ks.load(ksFis, password);

            //add the certificate to the keystore
            ks.setCertificateEntry("privatekey_certificate", cert);
            //add the private key to the keystore
            ks.setEntry("privatekey", pkEntry, new KeyStore.PasswordProtection(password));

            //write to a file
            FileOutputStream fo=new FileOutputStream(userID+".ks");
            ks.store(fo, password);
            fo.close();

        }

    My problem is, if I run the code while a keystore file doesn't exist, a new keypair is generated and printed. But, if I run it again, and the existing file is detected, the keys that it reports aren't the same at all:

    acws-1105% java KeyPairGen
    Generating a new keyset..

    Public Key is [B@4b4333
    Private Key is [B@128e20a
    Made Generator
    Keys are the same
    acws-1105% java KeyPairGen
    Client Side KeyStore for user 4029 exists. Using existing keys.
    Public Key: [B@16f8cd0
    Private Key: [B@85af80

    I have no idea why! But I think it's to do with the X509V1Certificate. There seems to be no good guide to using them. Any help/advice very much appreciated..
    :)

    DB:3.76:Problem With Generating/Storing Keys cm

    What you are seeing there is the addresses of byte arrays (result of '.getEncoded()'). Print out the contents of the arrays to see if they are the same:

    byte[] pub = pubkey.getEncoded();   // "public" is a reserved word in Java
    for(int k = 0; k < pub.length; k++){
        ...
    }

    or "Arrays.equals()" I think. Check the API for the exact name of that method.
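
    The comparison suggested in the reply above, as an added example that is not part of the original thread: it rebuilds an RSA key pair from its encoded bytes (a stand-in for reloading it from the keystore file, which is an assumption of this sketch) and shows that the `[B@...` strings differ while the encoded contents match. The class name KeyCompareDemo and its helper methods are hypothetical.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class KeyCompareDemo {

    /** Hex SHA-256 of an encoded key: a stable value that can be logged for a public key. */
    static String fingerprint(byte[] encoded) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(encoded);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Rebuilds the pair from its encoded bytes (assumption: stands in for a keystore reload). */
    static KeyPair reload(KeyPair original) throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PublicKey pub = kf.generatePublic(
                new X509EncodedKeySpec(original.getPublic().getEncoded()));
        PrivateKey pri = kf.generatePrivate(
                new PKCS8EncodedKeySpec(original.getPrivate().getEncoded()));
        return new KeyPair(pub, pri);
    }

    /** Compares two private keys by content without ever printing them. */
    static boolean samePrivateKey(PrivateKey x, PrivateKey y) {
        byte[] a = x.getEncoded();
        byte[] b = y.getEncoded();
        try {
            // MessageDigest.isEqual compares contents in constant time
            return MessageDigest.isEqual(a, b);
        } finally {
            // wipe the temporary copies of the private key material
            Arrays.fill(a, (byte) 0);
            Arrays.fill(b, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair generated = kpg.generateKeyPair();
        KeyPair reloaded = reload(generated);

        byte[] pubA = generated.getPublic().getEncoded();
        byte[] pubB = reloaded.getPublic().getEncoded();

        // String concatenation uses Object.toString() on the array:
        // "[B@" plus an identity hash that says nothing about the contents.
        System.out.println("array toString, generated: " + pubA);
        System.out.println("array toString, reloaded : " + pubB);

        // Content comparison is what answers "is it the same key?"
        System.out.println("public keys equal : " + Arrays.equals(pubA, pubB));
        System.out.println("private keys equal: "
                + samePrivateKey(generated.getPrivate(), reloaded.getPrivate()));

        // A fingerprint of the public key is stable across runs and safe to log.
        System.out.println("fingerprint, generated: " + fingerprint(pubA));
        System.out.println("fingerprint, reloaded : " + fingerprint(pubB));
    }
}
```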

  • RELEVANCY SCORE 3.74

    DB:3.74:Can A Cipher Use Any Type Of Key? sz


    I was wondering if it is possible to load a symmetric key from a keystore and use it in a cipher.
    Do ciphers only accept symmetric keys??
    I know that the jks keystore only supports asymmetric keys.
    Is there a Bouncy Castle keystore that stores symmetric keys?
    If so is there a tool that one can use to generate symmetric keys that can be placed in such a keystore (similar to keytool)?

    Any help on this would be greatly appreciated.

    Thank you,

    Blake

    DB:3.74:Can A Cipher Use Any Type Of Key? sz

    KeyStores can not store symmetric keys otherwise known as Secret Keys. They can only store asymmetric keys. And there are no providers out there that can really change that as the public API for KeyStore provides no means by which to implement one.

    As for ciphers. There are two types of ciphers. The first is symmetric such as DES, Blowfish, AES, DESede, etc... These ciphers use the same key to init for both encrypt and decrypt (aka the secret key). But there are also asymmetric ciphers of which RSA is by far the most common. In asymmetric ciphers you init the cipher with the public key for encryption and the private key for decryption.

    You will have to have a third party provider to use RSA as a cipher as Sun's JCE does not provide an RSA cipher impl. RSA also supports signatures which sun does support.

  • RELEVANCY SCORE 3.72

    DB:3.72:Working Code Snippet For Jsse 1.0.2 pz


    This code works only with JSSE 1.0.2. JSSE 1.0.1 has a bug, I believe, which gives a null cert chain
    error when using client authorization.

    Below is a Java code snippet to create SSL server and client sockets.
    SocketsFactory.java
    This class is a utility class which gets you the secure socket for the server and the client.
    It reads from the properties file.
    public class SocketsFactory{

        /** Creates a SSL client socket. It uses the properties obtained from the
         * sslPropsFile to create the client socket.
         * @param sslPropsFile The ssl properties file that contains information about the provider etc.
         * @param host The host to connect to.
         * @param port The port on which this socket should attempt to connect
         * @throws IOException if there was any exceptions in creating the sockets or if the properties file
         * was not found or corrupted.
         * @return returns the socket that was created.
         */
        public static Socket createSecureSocket(final String sslPropsFile, String host,int port)throws IOException{
            Properties props = readPropertiesFile(sslPropsFile);
            SSLSocketFactory factory = null;
            System.setProperty("javax.net.ssl.trustStore",(String)props.get("com.ibm.idmg.ssl.keyStore"));
            //Getting a secure client socket using sun..
            try {
                addProvider(props);
                // Set up a key manager for client authentication
                // if asked by the server. Use the implementation's
                // default TrustStore and secureRandom routines.
                SSLContext ctx = getSSLContext(props);
                factory = ctx.getSocketFactory();
            }
            catch (Exception e) {
                e.printStackTrace();
                throw new IOException(e.getMessage());
            }
            SSLSocket client =(SSLSocket)factory.createSocket(host, port);
            client.startHandshake();
            return client;

        }

        /** Creates a SSL server socket based on sun's implementation using JSSE. Uses the
         * sslPropsFile to get the keystore used for validating certificates and their
         * passwords.
         * @param sslPropsFile The properties file containing SSL provider, key passwords etc.,
         * @param port The port to which this socket should listen at.
         * @throws IOException If the properties file was not found or it was corrupted or if there was any
         * other errors while socket creation.
         * @return the serversocket object.
         */
        public static ServerSocket createSecureServerSocket(final String sslPropsFile,int port) throws IOException{
            Properties props = readPropertiesFile(sslPropsFile);
            String trustStore = (String)props.get("com.ibm.idmg.ssl.keyStore");
            System.setProperty("javax.net.ssl.trustStore",trustStore);
            //Getting a sun secure server socket

            SSLServerSocketFactory ssf = null;
            try {
                addProvider(props);
                // set up key manager to do server authentication
                SSLContext ctx = getSSLContext(props);
                ssf = ctx.getServerSocketFactory();
            } catch (Exception e) {
                e.printStackTrace();
                throw new IOException(e.getMessage());
            }
            SSLServerSocket socket = (SSLServerSocket)ssf.createServerSocket(port);
            socket.setNeedClientAuth(true);
            return socket;
        }

        /**
         * Internally used function to read a provider from the properties and
         * add it as the current ssl provider. The properties should have the
         * property <i>com.ibm.idmg.ssl.sslProvider</i> defined. Otherwise
         * throws NullPointerException.
         */
        private static void addProvider(Properties props) throws Exception{
            String provider = (String)props.get("com.ibm.idmg.ssl.sslProvider");
            if (provider == null)
                throw new NullPointerException("com.ibm.idmg.ssl.sslProvider is not specified!");
            java.security.Security.addProvider((java.security.Provider)Class.forName(provider).newInstance());
        }

        /**
         * Internally used function to read a file and return it as java properties.
         * It uses java.util.Properties. Throws FileNotFoundException if the file
         * was not found. Otherwise returns the properties.
         */
        private static Properties readPropertiesFile(final String file) throws IOException{
            if (file == null)
                throw new IOException("SSL Context File name not specified!");
            FileInputStream in = new FileInputStream(file);
            Properties properties = new Properties();
            properties.load(in);
            in.close();
            in = null;
            return properties;
        }

        /**
         * Internal function used to retrieve a SSLContext object. It is used primarily
         * for creating SSL sockets that can authenticate each other based on the
         * keystores specified using the properties.
         */
        private static SSLContext getSSLContext(Properties props) throws Exception{
            SSLContext ctx;
            KeyManagerFactory kmf;
            KeyStore ks;
            String password = (String)props.get("com.ibm.idmg.ssl.keyStorePassword");
            if (password == null)
                password = System.getProperty("javax.net.ssl.keyStorePassword");

            char[] passphrase = password.toCharArray();
            ctx = SSLContext.getInstance("TLS");
            kmf = KeyManagerFactory.getInstance("SunX509");
            ks = KeyStore.getInstance("JKS");

            String keyStoreFile = (String)props.get("com.ibm.idmg.ssl.keyStore");
            if (keyStoreFile == null)
                keyStoreFile = System.getProperty("javax.net.ssl.keyStore");
            FileInputStream in = new FileInputStream(keyStoreFile);
            ks.load(in, passphrase);
            in.close();
            in = null;

            //All keys in the KeyStore must be protected by the same password.
            String keyPassword = (String)props.get("com.ibm.idmg.ssl.keyPassword");
            if (keyPassword != null)
                passphrase = keyPassword.toCharArray();

            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            return ctx;
        }
    }

    The Server properties file looks like this.
    #Specify the SSL provider here.
    #Using sun's reference implementation for testing..
    com.ibm.idmg.ssl.sslProvider=com.sun.net.ssl.internal.ssl.Provider

    #Specify the keystore file that this ssl socket should use
    com.ibm.idmg.ssl.keyStore=server.ks

    #Specify the password for this keystore file
    com.ibm.idmg.ssl.keyStorePassword=servercanpass

    #Specify the password used to protect the keys in the keystore
    #Note: all the keys should have the same password
    com.ibm.idmg.ssl.keyPassword=icanpass

    The client properties file

    #Specify the SSL provider here.
    #Using sun's reference implementation for testing..
    com.ibm.idmg.ssl.sslProvider=com.sun.net.ssl.internal.ssl.Provider

    #Specify the keystore file that this ssl socket should use
    com.ibm.idmg.ssl.keyStore=client.ks

    #Specify the password for this keystore file
    com.ibm.idmg.ssl.keyStorePassword=clientshouldpass

    #Specify the password used to protect the keys in the keystore
    #Note: all the keys should have the same password
    com.ibm.idmg.ssl.keyPassword=canipass

    Now to create the certificates..
    It's a 5-step process
    1) Create the keystore file.

    keytool -genkey -alias mohan -dname "CN=Mohan Tera OU=IS O=IM L=sanjose S=NY C=US" -keystore server.ks -storepass servercanpass -validity 180 -keypass icanpass

    2) Create a self signed certificate. If you need to get it signed from
    verisign then you have to create a certificate request. For testing purposes,
    you can create a self signed certificate.

    keytool -selfcert -alias mohan -dname "CN=Mohan Tera OU=IS O=IM L=sanjose S=NY C=US" -keystore server.ks -storepass servercanpass -validity 180 -keypass icanpass

    3) Export the public key from the keystore to a certificate file that is to be imported to the client keystore.

    keytool -export -alias mohan -file fromserver.cer -keystore server.ks -storepass servercanpass

    4) Repeat the above steps for the client also..

    a)
    keytool -genkey -alias moks -dname "CN=Jennifer Poda OU=Javasoft O=Sun L=Edison S=NJ C=US" -keystore client.ks -storepass clientshouldpass -validity 180 -keypass canipass
    b)
    keytool -selfcert -alias moks -dname "CN=Jennifer Poda OU=Javasoft O=Sun L=Edison S=NJ C=US" -keystore client.ks -storepass clientshouldpass -validity 180 -keypass canipass
    c)
    keytool -export -alias moks -file fromclient.cer -keystore client.ks -storepass clientshouldpass

    5) Import the certificates that were exported in steps 3 and 4c in client and server keystore respectively.

    keytool -import -trustcacerts -alias new -file fromserver.cer -keypass keypass -storepass clientshouldpass -keystore client.ks
    keytool -import -trustcacerts -alias new -file fromclient.cer -keypass keypass -storepass servercanpass -keystore server.ks

    And voila you are all set to go..
    Hope this explains to all the people who are struggling with JSSE..
    Regards,
    Moks

    DB:3.72:Working Code Snippet For Jsse 1.0.2 pz

    When I use your method in my code I get the following exception.
    Please help me.
    java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
    at java.security.KeyStore.getKey(KeyStore.java:289)
    at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
    at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
    at ClassFileServer.getServerSocketFactory(ClassFileServer.java:145)
    at ClassFileServer.main(ClassFileServer.java:115)
    Exception in thread "main" java.lang.NullPointerException
    at ClassFileServer.main(ClassFileServer.java:117)

  • RELEVANCY SCORE 3.70

    DB:3.70:Problem In Accessing 2 Certificates In Smart Card Using Sun Pkcs11 Provider jk


    I have stored 2 certificates in iKey. To access and use them in Java I am using Sun PKCS11 Provider.

    The program is .
    1. The keyStore.aliases() is returning 1 alias only(instead of 2).
    2. Throwing following error when accessing the private key using
    code: PrivateKey pvt = keyStore.getKey(alias, null);

    Error Message Detail:
    "KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0x00"
    at Sun .. P11KeyStore.getTokenObject(P11KeyStore.java:2135)
    at ...P11KeyStore.engineGetKey(P11KeyStore.java:292

    DB:3.70:Problem In Accessing 2 Certificates In Smart Card Using Sun Pkcs11 Provider jk

    Did you look at this, Does it help you, Since no one has answered all day, and I will assume you searched for that error first, perhaps you could provide some more detail?

    http://forum.java.sun.com/thread.jspa?threadID=5195275tstart=15

    Message was edited by:
    mdares

  • RELEVANCY SCORE 3.66

    DB:3.66:Help With Client-Server Authentication Design kk


    Hi,

    I would appreciate your help in reviewing this proposed security
    authentication design.

    I am building a client-server application where the user must be authenticated
    regardless whether the client is running in off-line or on-line mode. In
    off-line mode the client reads data from a local cache. In on-line mode the
    client has a network connection to the server and reads writes to the server
    and updates the local cache. In some cases, the network connection will not be
    encrypted via SSL therefore any client-server on-line authentication should not
    send passwords in the clear.

    I propose to use a java.security.KeyStore as the primary means of local
    authentication. A keystore contains public keys, private keys and secret keys.
    A keystore and its entries can be encrypted via passwords. To set up a client
    keystore, I will create a keystore that has the following characteristics:

    - Keystore is encrypted with the user's password.

    - Keystore contains a secret key entry named "username" and contains
    the user's username as the value.

    - Keystore contains other keys, SSL keys, certificates, etc as needed.

    The off-line authentication sequence will be:

    - Prompt for username and password

    - Load keystore using password. If fails to load then the password is wrong.

    - Read secret key entry "username" and ensure that it contains the actual
    user's username.

    The on-line authentication sequence will be:

    - Prompt for username and password

    - Load keystore using password. If fails to load then the password is wrong.

    - Read secret key entry "username" and ensure that it contains the actual
    user's username.

    - Connect to remote server and authenticate by a challenge-response method that
    exchanges secure hashes. See http://www.developerfusion.co.uk/show/4679/4/
    for an explanation of the challenge-response method - system #5 on the page.
    I believe that this authentication mechanism will be sufficiently secure
    even if the network connection is not encrypted via SSL.

    I realize that if SSL was used for all networking then I could issue individual
    client certificates to each user. The client certificates could then be
    validated by the server. This is probably the most secure on-line
    authentication, certainly more secure than the challenge-response mentioned
    above. Unfortunately the labor involved in creating and managing individual
    certificates and user keystores is deemed too costly in many situations. If SSL
    networking is required, I plan to create a single client certificate and store
    it in a template keystore file with a default keystore password. When the
    client program is installed on the user's computer, the keystore password will
    be reset to a new value and the username secret key entry will be added.

    On-line mode is required when changing a password because both the keystore
    and remote authentication information must be changed simultaneously.

    In the event that a single workstation is shared by multiple users, each user
    must use a different keystore file.

    Any comments regarding the validity and robustness of this proposed design would
    be appreciated.

    Thanks,

    Vick

  • RELEVANCY SCORE 3.65

    DB:3.65:Access Adobe Keystore With Java jk



    Hi,

    is there a way to access the Adobe Reader (maybe Adobe Acrobat) Keystore (where the digital ID's and Certificates are stored) with Java or an other language like C#?

    Thanks!

    DB:3.65:Access Adobe Keystore With Java jk


    Adobe Support is very bad! need help please.

  • RELEVANCY SCORE 3.65

    DB:3.65:Get Certificate From Keystore Without The Alias? x9


    Hello

    I am using Java KeyStore with "ms-capi" to access the Windows keystore.

    Someone managed to get certificates on the Windows keystore with the same "alias".

    This has nothing to do with me, I just need to list all certificates regardless of the alias.

    The current problem is that I list the alias in the Windows keystore and then use them to present the user a list of those certificates (by using KeyStore.getCertificate(String alias)).

    However, this is not effective when two or more certs share the same alias because the returned certificate will always be the same.

    So, is there another way to get certificates in the Windows keystore without relying on the alias?

    Thank you
    Cad

    DB:3.65:Get Certificate From Keystore Without The Alias? x9

    Ty for the tip ghstark

    I managed to find a bug report about this, and in there it can be seen at least one "WorkAround" of this bug

    It is not very pretty but works, it can be consulted in: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6672015 in the bottom of the page in the section "CUSTOMER SUBMITTED WORKAROUND :"

    Cheers
    Cad

  • RELEVANCY SCORE 3.64

    DB:3.64:Complete List Of Pre-Installed Root Certificates In Java Keystore? 39


    I need a complete list of from which version and update of JDK, J2SE, Java SE etc different root certificates are pre-installed in the keystore.

    Someone that can help?

    DB:3.64:Complete List Of Pre-Installed Root Certificates In Java Keystore? 39

    levhal wrote:
    No.

    What I need is a list of when the different root certificates was supported by Java. An example could be:

    "Thawte Premium Server CA" was preinstalled since J2SE 1.3
    "GlobalSign Root CA" was preinstalled since J2SE 1.4.2 update 16

    Write to Sun/Oracle since I doubt if anyone visiting this site has such a list or has access to the information required to create such a list.

  • RELEVANCY SCORE 3.64

    DB:3.64:Signing Multiple Jars fc


    Hi,

    I am going to create a set of trusted jar with a single certificate. Let me explain the steps I followed.

    Step 1: keytool -genkey -dname "cn=oraclejar,ou=oraclejar,o=oraclejar,c=India" -alias oraclejar -keypass oraclejar -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar -validity 365

    Step 2: keytool -list -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar

    Step 3: jarsigner -keystore C:\Oracle\Middleware\jdk160_24\certificates\keystore -storepass oraclejar -keypass oraclejar mymenu.jar mytools.jar oraclejar

    In the above step I'm trying to create 2 jars (mymenu.jar, mytools.jar) as trusted with a single certificate. But the following error occurs:

    jarsigner: Certificate chain not found for: mytools.jar. mytools.jar must reference a valid KeyStore key containing a private key and corresponding public key certificate chain.

    I don't know where it goes wrong. Anyone please guide me.

    - Sep

    DB:3.64:Signing Multiple Jars fc

    Thank you Timo, I understood.

    I have 2 dozen jars, and I want to make those jars trusted with a single certificate rather than creating a separate certificate for each. Do you think that is possible?

    Oracle provides jars such as frmall.jar, frmgeneric.jar, frmwebutil.jar, oraclelaf.jar, etc. These jars are signed with a single certificate.

    - Sep

    Message was edited by: user_sep

  • RELEVANCY SCORE 3.63

    DB:3.63:Smartcards And Sunmscapi - Windows-My 9z


    Hi!

    I just want to confirm a few things:

    If I have a SmartCard Reader fully configured on my pc, and I can see the certificates stored on a SmartCard. (I can see them via Internet Explorer options)

    is it possible to retrieve the certificates from the SmartCard with the SunMSCAPI provider?

    I tried something like this (with the SmartCard in)
    KeyStore keyStore = KeyStore.getInstance("Windows-MY");
    keyStore.load(null, null);

    And the keyStore was loaded with the certificates from my personal windows store, but not with the certificates from the SmartCard.

    I'm asking 'cause well, since on Internet Explorer the SmartCard's certificates appear inside the Personal Store, I thought that getting "Windows-My" will get those too. (Basically I just want to know if it's possible to use the SmartCard's certificates using "Windows-My".)

    Thanks in advance!

    Edited by: FabianIB on Aug 28, 2009 9:10 AM

    DB:3.63:Smartcards And Sunmscapi - Windows-My 9z

    Ok, its kind of a late answer, but, didn't have time to get back and post it.

    So, it is possible to read the SmartCard Certificates using the Windows-My store, as long as the driver installed for the SmartCard loaded
    the certificates to the Root store, Java will get them.

  • RELEVANCY SCORE 3.62

    DB:3.62:Re: How Can I Read Peer Certificates From Fipsdb/Nss In Java Using Pkcs11? km


    My understanding is that there is a key db and a trust db. The key db would give me keys and certs signed with those keys - my certs. The trust db would give me the other certs.

    You're loading both the KeyStore and the TrustStore from the same device. Does it contain both these db's?

    Actually the trusted certificates don't need to be in the HSM, I don't know why you're doing that. Normally they are in the JDK cacerts or jssecacerts file, or a custom JKS one of your own. There's nothing secret about them.

    DB:3.62:Re: How Can I Read Peer Certificates From Fipsdb/Nss In Java Using Pkcs11? km

    That is another option we discussed. We would prefer to rely on the presence of certificates in the NSS database. This way we deal with one entity for both authentication and authorization, and we deal with one database.

    It's not 'another option'. It's the only correct way to do it. Relying on the presence of certificates in the truststore for authorization is fallacious. It is exactly the mistake I am trying to warn you against.

  • RELEVANCY SCORE 3.58

    DB:3.58:Jaas Auth And Keystore 7j



    I want somewhere to store secret keys securely - presumably keystore is the place.

    I want the secret keys to be associated with individual users - I can identify the users through the Principal (previously authenticated).

    Is it possible to generate and retrieve secret keys in the keystore under the identity of the logged in principal?

    I am hoping access to keystore can be configured in a similar way to how access to datasources can be configured based on securitydomain.

    This idea is a bit fuzzy, but am I thinking along the right line?

    Scott? anyone?

    Thanks
    Martin

    DB:3.58:Jaas Auth And Keystore 7j


    I suppose a "signed" Principal would be good - signed by the login module, and the keystore has the public key of the login module, but then I'm back to the problem of securing the login module's private key. Plus the container would have to understand the "signed" Principal, so that idea doesn't fly :-(

  • RELEVANCY SCORE 3.58

    DB:3.58:Anyrelation Between The .Keystore Exisitng In The System And Tomcat Keystor az


    There is a .keystore under documents settings\ username\

    By default, for getting digital certificates we need to create a keystore.

    When I created a keystore of my own name it showed some error.
    I then created a keystore with name .keystore and password changeit.

    It worked when I replaced my keystore over the existing .keystore under documents and settings...

    Nobody knows about the signature and all when I posted.

    At least someone can help me..

    My doubts are:

    1) What's the existing keystore? Can I use it for generating a CSR?
    2) What should I do when I want to create a keystore of my name.. any extension is needed?... where should I place it... how should I edit the server.xml? I tried using the admin tool and my server.xml got corrupted.. showed lifecycle exception while starting tomcat.
    3) I got a mail from verisign; at the bottom they had something like the content in my CSR file. But they have given some installation instructions above that.. and many links, each of which pointed to 3 different such certificates.. and I got confused.. which one to choose.
    When I followed the tomcat ssl instructions and copied the thing which I saw at the bottom of my mail, I was able to view the page using https, and it asked for certificate installation.

    Can someone please direct me correctly

  • RELEVANCY SCORE 3.57

    DB:3.57:Keystore Password p8


    Hi,

    We can reach our keys in a keystore by supplying the correct alias and plaintext password. I wonder if it is possible to use a hashed password instead of the plaintext password to get my secret or private key.

    regards

    Emin

    DB:3.57:Keystore Password p8

    The answer is no. Because this password is used for the decryption but not for the validation.

    Hash-based password is only suitable for the use case when you need to validate login/password.

  • RELEVANCY SCORE 3.57

    DB:3.57:How Do I Set The Default Keystore Password? m7


    The following code is currently failing with the exception below.

    private X509Certificate getX509Certificate(String alias)
            throws CertificateException {
        // NOTE The default keystore password is "**********", as specified in the Sun KeyStore documentation
        // NOTE For more information, read the Sun documentation at http://java.sun.com
        X509Certificate cert = null;
        String keystore = "keystore";
        try {
            cert = getX509Certificate(alias, keystore, "**********");
        }

        catch(KeyStoreException exception) {
            // A keystore exception occurred in the call to getX509Certificate, which could be indicative of a
            // bad installation
            throw new CertificateException("A keystore exception occurred accessing the default keystore."
                + " Check your keystore installation, ensuring that the default keystore password"
                + " is the standard Java keystore password\r\n"
                + exception.getMessage());
        }

    [04/12/07 15:02:57:827 GMT] 0000001f SystemErr R java.security.cert.CertificateException: A keystore exception occurred accessing the default keystore. Check your keystore installation, ensuring that the default keystore password is the standard Java keystore password
    A keystore exception occurred accessing the default keystore. Check your keystore installation, ensuring that the default keystore password is the standard Java keystore password
    The provider 'SUN' has not been configured
    no such provider: SUN
    So it looks like my default keystore password is not the same as that in the code above (I've replaced it with ******). How do I set the default keystore to be the same as in the code above? Please note the exact same code works for another application - and so I would like to use the same class file rather than having to change the code above.

    DB:3.57:How Do I Set The Default Keystore Password? m7

    You define the password for a keystore when you create it.

    There is no default.

    There is a default on the 'cacerts' truststore provided for JSSE: see
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

  • RELEVANCY SCORE 3.56

    DB:3.56:Closing A Keystore File cz


    My apologies if this is not a well-formed post. It is my first time posting on a java forum, and I tried to find a relevant topic heading among the many available - I figured that creating keystores and certificates for SSL connections could be considered networking-related.

    I am using the KeyStore class to create a collection of keys and certificates. Within my program I want to:
    - create a new keystore
    - set key and certificate entries
    - add the keystore file to a zip file and delete the original keystore file

    Create an empty keystore:
    newKS.load(null, password.toCharArray());

    Then store the keystore to the output stream fos and close the output stream:
    FileOutputStream fos = new FileOutputStream(storeFile);
    newKS.store(fos, password.toCharArray());
    fos.close();

    However, this does not close the file storeFile, and I am therefore unable to delete it within my program. I think this is probably a simple issue, but I have not been able to figure out how to close and delete the keystore files within my program. From what I understand you load KeyStores from input streams and store them to output streams but closing the streams does not close the files..? Clarification/assistance would be greatly appreciated. I'm probably just missing something simple.

    DB:3.56:Closing A Keystore File cz

    One of the specifications program is that the user has the option of creating a zip file and the option of deleting the files. Problem solved though. It's doing what it needs to do. Thanks.

  • RELEVANCY SCORE 3.54

    DB:3.54:Keystore Question jf


    Hi

    I want to create an empty JKS keystore file either inline or using keytool. Is that possible? In my application Java clients create their own public/private keys - send certificate signing requests to server - server sends back certificates. Then I want the client to save the certificate plus its keys in the keystore.

    Is it possible to create a keystore file (for client) including some other trusted certificate (server), where you add your own certificate later?

    Thanks!

  • RELEVANCY SCORE 3.52

    DB:3.52:Keytool Problem mm


    Hello,

    I have a keystore and its instance is ("JCEKS","SunJCE"). I am creating secret keys and privatekeys and store them inside my keystore.

    When I try to reach this keystore by using "keytool" application, I get the following error:
    java.io.IOException: Invalid keystore format

    So, what instances does keytool support and which tool can I use to reach my keystore?

    regards

    DB:3.52:Keytool Problem mm

    I found the solution. As follows:

    keytool -list -keystore keytoolfile -storetype jceks

  • RELEVANCY SCORE 3.51

    DB:3.51:Re: How To Use "Keytool" Generated Certificates In B2b sk


    Hi,

    If you are generating keys/certificates, maybe you could make the "keytool" generate the keystore in PKCS12 format. This format can be opened using Oracle Wallet Manager. Here's the command,

    keytool -genkey -keyalg "RSA" -keystore ewallet.p12 -storepass welcome1 -storetype PKCS12

    The above command would create a wallet in the current directory and the same can be opened in the "Oracle wallet manager".

    Other Approach:

    If you want to export just certificates alone from "JKS" format keystore and add it to the ewallet.p12 as an trusted entry, you can very well do that.

    One thing to note here: make sure keys are generated using algorithm "RSA". Sample commands below,

    1. keytool -genkey -keyalg RSA -keystore test.jks
    2. keytool -export -file test.crt -keystore test.jks
    3. You could import the certificate "test.crt" created in the previous step to ewallet.p12 using "Oracle wallet manager".

    Regards,
    Sinkar
    [From Ramesh Team]

    DB:3.51:Re: How To Use "Keytool" Generated Certificates In B2b sk

    Hi,

    There's an alternative approach that may help you to get things going. "Orapki" is a utility that gets shipped along with the Oracle Application server installation (path on windows $ORACLE_HOME/bin/orapki.bat) and you may use the same to generate a wallet and certificate for your testing purpose.

    Here are the steps: the first one will create an empty wallet and the second will add a self-signed certificate to it.

    1. C:\Oracle10g\midtier2\bin\orapki.bat wallet create -wallet . -pwd welcome1
    2. C:\Oracle10g\midtier2\bin\orapki.bat wallet add -wallet . -keysize 1024 -dn "CN=Sample" -self_signed -pwd welcome1 -validity 365

    Note: For some reasons the private keys attached to the wallet created using keytool are not visible or it may not be locatable.

    Regards,
    Sinkar
    [From Ramesh Team]

  • RELEVANCY SCORE 3.50

    DB:3.50:How To Access Browser Certificates Database From Applet? fs


    Hi,

    I'm implementing an applet for signing documents but I need to access the client's public keys and certificates. I've seen it's easy to load certs from a keystore (JKS or PKCS12) but I wonder if it's possible to access the browser database or the Sun Java Plugin certificates database.

    Any suggestion will be appreciated.

    Thanks in advance
    Jorge

    DB:3.50:How To Access Browser Certificates Database From Applet? fs

    Hello,

    I have the same problem. I want to access the certificates from the web browser database using the applet. Because you said that it does not work, I thought that perhaps I can access the certificates from the Java Control Panel. Is this possible?

    Thanks.

  • RELEVANCY SCORE 3.50

    DB:3.50:Jks Java Key Store ps


    Hi all,

    I searched through this forum, but couldn't find an easy answer to the question if it's possible to load certificates, public keys, private keys etc. into the java keystore of Oracle's JVM?

    If it's possible and how can I achieve it?

    Thanks,
    Learco

    DB:3.50:Jks Java Key Store ps

    Hi,

    Thanks, that's interesting information. These articles are about Weblogic, but I want to use the JVM inside the Oracle database. Can I use the same commands?

    Regards,
    Learco

  • RELEVANCY SCORE 3.49

    DB:3.49:Trouble Using Keystore In Pkcs12 Format zz


    Has anyone had much luck using a Java keystore in PKCS12 format? I work at a company where we use this format to store SSL certificates. Unfortunately keytool doesn't seem to work well with it. I have a certificate chain in DER format, and I am trying to import the file into our keystore.

    keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
    Enter keystore password:
    ...snip...
    Trust this certificate? [no]: yes
    keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

    Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.

    Any help would be appreciated! Thanks.

    DB:3.49:Trouble Using Keystore In Pkcs12 Format zz

    I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can however have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.

    The cacerts file is located in $JAVA_HOME/jre/lib/security

    You can add certificates to it using keytool, for example:
    keytool -importcert -keystore cacerts -file certificate.cer -alias customername

  • RELEVANCY SCORE 3.48

    DB:3.48:Use A Different Keystore For Ca Certificates 88


    In our application, we want to distribute a keystore with trusted certificates that will differ from the ones stored in cacerts, since our application will connect to a small set of trusted servers.

    We considered just distributing the JRE and replacing the cacerts file with our own, but having control over the JRE may not be feasible.

    So, we need to be able to use our keystore file instead of cacerts to determine whether to trust certificates or not, while writing as little new code as possible.

    What would be the best way to use our keystore to determine trust of certificates instead of cacerts?

    DB:3.48:Use A Different Keystore For Ca Certificates 88

    Well, any case someone finds this thread someday, here's how I did it:

    SSLContext context = SSLContext.getInstance("SSL");
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new BufferedInputStream(new FileInputStream(KEYSTORE_PATH)), null);
    trustManagerFactory.init(keyStore);
    context.init(null, trustManagerFactory.getTrustManagers(), null);

    Notice that I passed in null to the KeyStore.load method for the password. It's not necessary to have the password if you're just using the keystore to verify certificates.

  • RELEVANCY SCORE 3.47

    DB:3.47:Openssl Import In Keytool sc


    Hi. I am new in java. I am writing a project about a ssl connection. The problem that i face is with importing keys from openssl to keytool, and manage a specific certificate from a keystore with multiple certificates. When i run the server i get the following error. Any help appreciated.

    jks
    Error:Cannot recover key
    Exception in thread "main" java.lang.NullPointerException
    at server.main(server.java:181)

    DB:3.47:Openssl Import In Keytool sc

    aetos_aetos wrote:
    If someone does not understand, this is not the proper way to help him.

    Err ... since you have not posted the openssl commands that you used to generate the keys I don't know if what you used is capable of being imported directly into a keystore. What I do know is that the approach I posted works and works well. What I also know is that it is ridiculous to expect the forum members to guess what openssl commands you are using.

    I saw what you have proposed to me, but it does not work for me.

    Once more you are vague to the point of being ridiculous. What exactly did not work for you and what exactly was the symptom or error message. "it does not work" is woefully inadequate as a basis for diagnosing the problem.

    First I have everything in .der because that form i need for specific purpose.

    And I have explained that 'der' is not a dedicated key format. 'der' is a general encoding scheme for binary data.

    I do self-signed ca that make 2 trust server-client. sever-client are trusted by the ca (not self-signed).

    Which means what? This does not make sense to me.

    In keytool i do not find the proper way to import my ca. Everything are created by openssl and i want to import in keytool.

    Because you do not have the certificate in a format (and just saying that it is in 'der' format is not sufficient) that can be imported but since you don't show the openssl commands used it will be difficult for anyone to help. There may be some clever mind reader who does not need to see your openssl commands but I am not one of them.

    Best of luck - you are going to need it.

    Bye

  • RELEVANCY SCORE 3.45

    DB:3.45:Implementing Ws-Security Inweblogic 9.2 Server,Client Is Dotnet Application dp


    We are implementing WS-Security for a webservice that is deployed on the managed server of Weblogic 9.2.
    Initially 1-way SSL was implemented on it.
    We are in development phase , and need to know if my configuration is correct or not.

    Below is the configuration to create the client and server certificates using OPEN SSL:
    Creating private key and public certificate using openssl.
    C:\OpenSSL-Win32\bin>openssl genrsa -out clientkey.pem 1024
    C:\OpenSSL-Win32\bin>openssl req -new -key clientkey.pem -x509 -days 365 -out clientcert.pem
    Create keystore:
    keytool -keysize 2048 -genkey -alias wsalias -keyalg RSA -keystore wsstore
    Import private keys and certificates:
    java utils.ImportPrivateKey -keystore wsstore -storepass wspassword -storetype JKS -keypass serverkey -alias serverkey -certfile servercert.pem -keyfile serverkey.pem -keyfilepass serverkey
    java utils.ImportPrivateKey -keystore wsstore -storepass wspassword -storetype JKS -keypass clientkey -alias clientkey -certfile clientcert.pem -keyfile clientkey.pem -keyfilepass clientkey
    Inserting into cacerts file :
    C:\bea\jrockit_150_12\jre\lib\security>keytool -import -alias serverkey -keystore cacerts -trustcacerts -file c:\work\certificates\06272011\servercert.pem
    keytool -import -alias clientkey -keystore cacerts -trustcacerts -file c:\work\certificates\06272011\clientcert.pem

    We gave the client private key, client certificate and server certificate to the client, and configured domain for ws-security as below in the admin console.
    ConfidentialityKeyAlias clientkey false
    ConfidentialityKeyPassword ****** true
    ConfidentialityKeyStore C:\Work\Certificates\06272011\wsstore false
    ConfidentialityKeyStorePassword ****** true
    IntegrityKeyAlias serverkey false
    IntegrityKeyPassword ****** true
    IntegrityKeyStore C:\Work\Certificates\06272011\wsstore false
    IntegrityKeyStorePassword ****** true

    The only change we made to the code is as below:
    Added below policy tags to the webservices java class:
    @WebService
    @WssConfiguration(value = "default_wss")
    @Policies({
    @Policy(uri="policy:Auth.xml"),
    @Policy(uri="policy:Sign.xml"),
    @Policy(uri="policy:Encrypt.xml")})

    We get the below exception on the client side:
    weblogic.xml.dom.marshal.MarshalException: weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

    Can anyone show light on - if the configuration on the server side accurate ? Is there any way that I can check that the server side implementation is correct ?

    Thanks
    Supriya

    DB:3.45:Implementing Ws-Security Inweblogic 9.2 Server,Client Is Dotnet Application dp

    Hi,
    is this problem got resolved?. If not then list the key from server keystore whether key is exist where client is passing to translate.

    Thanks
    Kumar

  • RELEVANCY SCORE 3.45

    DB:3.45:Accessing Browser Client Certificates (And Private Keys) From An Applet f8


    Hi all,
    for some serious reasons (no exploits, etc...) I would like my signed Java applet be able to access the client certificates (and their private keys). I've tried with

    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(new FileInputStream(System.getProperty("javax.net.ssl.keyStore")),
            System.getProperty("javax.net.ssl.keyStorePassword").toCharArray());

    with absolutely no luck (System.getProperty("javax.net.ssl.keyStore") returns null).

    Is there any way this can be done? Thanks in advance.

  • RELEVANCY SCORE 3.44

    DB:3.44:Using An Existing Cacerts File As An Ssl Keystore 3m


    I have an existing cacerts file populated with multiple certificates. I would like to use this file as my ssl keystore, so I put it in the j2ee/home/config directory, and put the following line in my secure-web-site.xml file:

    <ssl-config keystore="./cacerts" keystore-password="changeit" needs-client-auth="true" />

    However, it's giving the following exception on starting the OC4J server:

    Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.

    Since the cacerts file contains nearly 40 certificates, I'd rather not create a new keystore and export, then import, one by one.

    Can I use the existing cacerts file?

    Or am I missing the point?

    Jason

    DB:3.44:Using An Existing Cacerts File As An Ssl Keystore 3m

    A couple of questions, do all the certs correspond to your private key? Typically the certificate is used to identify the host on which your OC4J is running. For example:

    cn=myhost,ou=developement,o=oracle.com

    Your keystore would contain two certificates, the one that identifies the host, the other being the trusted certificate of the signing authority which issued you the certificate. The wallet could contain other CAs that you trust.

    So, are multitude of certificates trusted certificates (CAs)?

  • RELEVANCY SCORE 3.44

    DB:3.44:Ssl Using Java Keystore 8x


    Hi,

    I'm trying to get SSL working in WebLogic v7.0 (sp2) using a keystore I
    generated. However, when debug is turned on I'm getting this error:

    Critical Security 090112 Cannot require clients to have certificates
    without providing a KeyStore with trusted certificates.

    I don't have the "Client Certificate Enforced" box checked and can't figure
    out what's going on. I generated my keystore using java's keytool and the
    keystore contains both the certificate (from verisign) and the root ca. I
    configured the keystore to point to my keystore and set the Root CA Key
    Store Location to be my keystore also.

    Anyone see this before ? Anyone get a jks to work with SSL ?

    Thanks for the help.
    Jerry

    DB:3.44:Ssl Using Java Keystore 8x


    Hi Jerry,

    So did the problem go away on the licensed WebLogic server?

    "Jerry Caponera" gcaponera@hotmail.com wrote:
    I have JSSE jars in the bea/jdk131_06/jre/lib/ext directory (on solaris).

    One thing I did find out today (after much digging) is that the eval
    versions of WebLogic only support certificates up to 512 bytes. The keystore
    I was using had a certificate with 1024 bytes - so maybe that was the
    issue.
    I won't know until I can upgrade the WebLogic license to support 1024 bit
    certificates.

    "Rajesh Mirchandani" Reply@ToNewsgroup.Only wrote in message
    news:3E834C82.16D6DD03@ToNewsgroup.Only...
    Do you have any JSSE jars in the classpath ? Are you on AIX ? If yes, remove the
    ibmjsse.jar file.

    Jerry Caponera wrote:

    Ok - I got that resolved. I changed the startup
    option -Dweblogic.security.SSL.trustedCAKeyStore to point to cacerts and
    now that error is gone. However, when I try to connect via a web browser, I
    get this error:

    Debug TLS 000000 Filtering JSSE SSLSocket
    Debug TLS 000000 SSLIOContextTable.addContext(ctx): 1369204
    Debug TLS 000000 SSLSocket will be Muxing
    Debug TLS 000000 SSLIOContextTable.findContext(is): 2269151
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 isMuxerActivated: false
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 7637465 readRecord()
    Debug TLS 000000 7637465 received SSL_20_RECORD
    Debug TLS 000000 HANDSHAKEMESSAGE: ClientHelloV2
    Debug TLS 000000 write HANDSHAKE offset = 0 length = 58
    Debug TLS 000000 write HANDSHAKE offset = 0 length = 1452
    Debug TLS 000000 write HANDSHAKE offset = 0 length = 4
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 isMuxerActivated: false
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 7637465 readRecord()
    Debug TLS 000000 7637465 received HANDSHAKE
    Debug TLS 000000 HANDSHAKEMESSAGE: ClientKeyExchange
    Debug TLS 000000 HANDSHAKEMESSAGE: ClientKeyExchange RSA
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 isMuxerActivated: false
    Debug TLS 000000 SSLFilter.isActivated: false
    Debug TLS 000000 7637465 readRecord()
    Debug TLS 000000 7637465 received CHANGE_CIPHER_SPEC
    Error kernel 000802 ExecuteRequest failed
    java.lang.NullPointerException
    java.lang.NullPointerException
    at com.certicom.tls.record.handshake.HandshakeHandler.handleChangeCipherSpec(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:399)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)

    Anyone seen this before ?

    thanks.

    "Jerry Caponera" gcaponera@hotmail.com wrote in message
    news:3e821cd6@newsgroups.bea.com...
    Hi,

    I'm trying to get SSL working in WebLogic v7.0 (sp2) using a keystore I
    generated. However, when debug is turned on I'm getting this error:

    Critical Security 090112 Cannot require clients to have certificates
    without providing a KeyStore with trusted certificates.

    I don't have the "Client Certificate Enforced" box checked and can't
    figure out what's going on. I generated my keystore using java's keytool and
    the keystore contains both the certificate (from verisign) and the root
    ca. I configured the keystore to point to my keystore and set the Root CA
    Key Store Location to be my keystore also.

    Anyone see this before ? Anyone get a jks to work with SSL ?

    Thanks for the help.
    Jerry
    --
    Rajesh Mirchandani
    Developer Relations Engineer
    BEA Support

  • RELEVANCY SCORE 3.39

    DB:3.39:Keystore Location Of Wtk2.2 p3


    Hi,

    When I use WTK2.2 to generate key pairs or import certificates, where is the keystore location that is being used to persist these data?

    The GUI doesn't seem to provide a way to export keys, looks like the only way is to do exporting through keytool specifying its keystore.

    Would be great if anyone knows an alternative too.

    Thanks
    Victor

  • RELEVANCY SCORE 3.39

    DB:3.39:Removing Default Certificate Mapping From The Keystore jk



    Dear all,

    I have a strange problem in bb. I am unable to stop the browser from choosing a default certificate (a deleted certificate) during SSL client authentication when no other certificates are present.

    1. Imported a few keys/certificates using device manager (pfx).

    2. Accessed an SSL client authentication site. It prompted that there is no default certificate and asked whether I wished to make one the default. For example, I made "abc" the default.

    3. From then on, during each access it took "abc" as default and logged in, only prompting for the keystore password.

    3. Later I deleted all the keys in the keystore, including "abc". Removed browser cache. Removed memory cache. Even hard restarted the phone.

    4. Now when I accessed the same site it took "abc" as the default key and asked for the keystore password. How is this possible???

    5. I am very sure that there are no keys present in the phone. I checked for keys and certificates in the keystore. I wrote a piece of code to enumerate the keys with certificates from the keystore and there was none.

    What should be done to resolve this problem. Kindly guide me in this. Even pointers would be of great help.

    regards

    charley.

  • RELEVANCY SCORE 3.38

    DB:3.38:Java Keystore,Private Key,Certificate,Intermediate And Root Ca Certificates z1


    Hi,

    I have generated the private key and Certificate Signing Request (CSR) using openssl, and received back the certificate, intermediate certificate and root certificate from the CA.

    The private key has no password, so I do not have to be available when Apache restarts, etc.

    In reading the jboss documentation, it states that the Private Key and keystore password MUST be the same :

    http://docs.jboss.org/jbossweb/3.0.x/ssl-howto.html

    About 1/10th down the page.

    Is this correct ?.

    I have implemented a new keystore with the private key and certificates, intermediate and root, using the keytool command and still I get a browser reporting an issue with the site certificate.

    I have tried adding the certificates (site, intermediate, root) in all manner of combinations, and added them to the cacerts too, and am still getting the same problem.

    When I tried to add to the specified keystore for jboss where I had previously added to cacerts, it stated that the root was already in the system-wide keystore.

    So are there multiple issues :

    1. Password for private key must be the same as the keystore ?
    2. The java system checks cacerts first before the defined keystore ?
    3. Is there a specific order required for adding certificates ?
    4. Should certificates be added to cacerts for intermediate and root, and only site certificate in jboss defined keystore ?
    5. I received a divide by zero error when adding the private key since it has no password, hence can only private keys with password be used for java keystores ?

    Any guidance gratefully received.

    Thanks and regards,

    Richard.

    Edited by: 1002767 on 26-Apr-2013 07:42

  • RELEVANCY SCORE 3.37

    DB:3.37:Ikey 3000 Token 1j


    Hello :), I'm writing an application, and I need to store new certificates on ikey 3000. I somehow don't know where to begin... I have working code to log on to the token and get some information from it, but I don't know how I can change anything. I know how to load some info to KeyStore, and there is also the method store(), but I wasn't able to find anything about adding new certificates or keys to KeyStore. Maybe someone can give me a clue where to look, or provide some sample code (some basic code is enough).

    I'm aware of the tool named KeyTool from Sun, but that is an external application. I need to write my application so that it will store certificates and keys to the token. Or maybe the way is to use keytool from my application (via java.lang.Runtime)?

    I would be very grateful for any help :).

  • RELEVANCY SCORE 3.37

    DB:3.37:Importing Certificates From Browsers xx


    I am trying to write an applet which will sign the contents in an HTML form
    before submitting it. I plan to use DSA/RSA. I expect the users to
    have their certificates installed in their browsers. How do I access
    these Certificates installed in the browsers? (IE and NS). Is there
    any way to export the certificates in the browser into JRE's keystore
    programmatically?
    Any help will be greatly appreciated.
    Regards,
    Anand.

  • RELEVANCY SCORE 3.34

    DB:3.34:Digital Certificates And Keystore 9p


    I have implemented the digital signature in my project.

    For that i have to add all the certificates in jre/lib/security/cacerts.

    Is it possible to store these certificates in database instead of keystore file (cacerts) ?

    if yes how to implement ?

    any code sample ??

    DB:3.34:Digital Certificates And Keystore 9p

    Yes, you can implement your own KeyStore class and access the keys any way you like. I found it simplest to serialize the keys and store them in a binary field in the database (not very storage efficient but easy to handle).

  • RELEVANCY SCORE 3.34

    DB:3.34:Need Help To Set Entries Into A Keystore fa


    Hi all,

    I am new to the world of Java Cryptography and will need help from you guys to resolve this one.

    I have used the keytool -genkey command to generate a pair of keys and the keystore. Next I used keytool -exportcert command to export the certificate created.

    Now I am trying to achieve the same programatically. Here are the steps that I have followed so far -

    // getting default KeyStore instance
    keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

    // loading KeyStore
    System.out.println("Loading KeyStore...");
    keyStore.load(null, keyStorePassword.toCharArray());

    // creating KeyPairGenerator
    keyPairGenerator = KeyPairGenerator.getInstance(algorithm);

    // initialize KeyPairGenerator
    keyPairGenerator.initialize(keySize);

    // generating KeyPair
    keyPair = keyPairGenerator.generateKeyPair();

    // retrieving the Private Key from KeyPair
    privateKey = keyPair.getPrivate();

    // retrieving the Public Key from KeyPair
    publicKey = keyPair.getPublic();

    // storing the KeyPair into the KeyStore
    keyStore.setEntry(keyAlias, keyStoreEntry, keyStoreProtectionParam);

    // write the keyStore to a .keyStore file

    I am stuck with the last line of setting the entry into the keystore. I am not sure how I should be creating an instance of the keyStoreEntry for the private key that has been generated earlier.

    Please let me know if the steps that I have outlined here are in the right direction of creating a new pair of public / private keys and exporting a certificate out of the newly created keystore.

    Thanks all!

    DB:3.34:Need Help To Set Entries Into A Keystore fa

    Rasmeet wrote:
    My other question is, do we have to rely on providers like BouncyCastle to generate a self-signed certificate in a keystore? If so, any reason why JDK does not support it?

    I don't know about doing it programmatically, but the following will generate a key/self signed cert in a keystore using keytool.
    keytool -genkey -alias test -keyalg RSA -keystore keystore0 \
    -dname "CN=Self Signed Cert,OU=Testing,O=FooBar Ltd,L=Naples,ST=na,C=IT" \
    -keypass mysecretpassword -storepass mysecretpassword

  • RELEVANCY SCORE 3.34

    DB:3.34:Domain-Slave Certificate-Based Authentication f7



    I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4) in domain mode. The domain controller and slaves are running on separate servers.

    I'm trying to set up authentication through SSL certificates only between my domain controller and slaves, but then authentication is not working. I am using the self-signed certificates created by keytool.

    On the domain controller, I have the following keystores and keystore content:

    # /usr/java/jdk7/bin/keytool -list -keystore domain_controller.keystore.jks

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    master, Apr 24, 2013, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5

    # /usr/java/jdk7/bin/keytool -list -keystore truststore.keystore.jks

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    master, Apr 24, 2013, trustedCertEntry,
    Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5
    slave1, Apr 24, 2013, trustedCertEntry,
    Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10

    And the following in host.xml:
    <security-realm name="ManagementRealm">
        <server-identities>
            <ssl>
                <keystore alias="master" path="/my/path/to/domain_controller.keystore.jks" keystore-password="keystorepass"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="/my/path/to/truststore.keystore.jks" password="truststorepass"/>
        </authentication>
    </security-realm>
    ...
    <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>

    The domain controller and management interface on port 9999 start fine.

    On the slave, I have the identical truststore as on the master (containing both certs), and I have the following keystore and content:

    # /usr/java/jdk7/bin/keytool -list -keystore as.keystore.jks

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    slave1, Apr 24, 2013, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10

    And the following configuration in host.xml:
    <security-realm name="ManagementRealm">
        <server-identities>
            <ssl>
                <keystore alias="slave1" path="/path/to/my/as.keystore.jks" keystore-password="keystorepass"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="/path/to/my/truststore.keystore.jks" password="truststorepass"/>
        </authentication>
    </security-realm>
    ...
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket interface="management" port="${jboss.management.native.port:9999}"/>
        </native-interface>
    </management-interfaces>
    ...
    <domain-controller>
        <remote host="master" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
    </domain-controller>

    The slave is able to connect to port 9999 on the master, but then logs the following error:

    javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

    So I would assume that something is not set up correctly regarding the truststore, but I am not sure what....

    DB:3.34:Domain-Slave Certificate-Based Authentication f7


    Hi Clair,

    I too am running into a similar problem. Have posted a query on this forum for the same:

    How to create domain controlled jboss cluster between two jboss nodes and HTTPS enabled on both nodes.

    Can you please guide me as to how you solved the issue.

  • RELEVANCY SCORE 3.34

    DB:3.34:How To Access Internet Explorer Ie Keystore Using Cng mp


    I want to enumerate the certificates present in the IE Key Store using CNG (Crypto Next Generation) on Windows 7. I am using NCryptEnumKeys but I am a bit confused regarding the concept of keys here. Are these keys the certificates present in the
    IE Key Store or something else? Please guide me in the right direction.
    Does MS_KEY_STORAGE_PROVIDER point to the IE keystore (like the windows-my keystore)?

  • RELEVANCY SCORE 3.33

    DB:3.33:How To Get Certificates Stored In Ie Keystore sk


    Hi, I am using CNG for signing.

    I want to enumerate the certificates present in the IE Key Store using CNG (Crypto Next Generation) on Windows 7. I am using NCryptEnumKeys but I am a bit confused regarding the concept of keys here. Are these keys the certificates present in the
    IE Key Store or something else? Please guide me in the right direction.
    Does MS_KEY_STORAGE_PROVIDER point to the IE keystore (like the windows-my keystore)?
    Please guide me in this regard.

    DB:3.33:How To Get Certificates Stored In Ie Keystore sk

    Investigate this approach. I have not tried it with CNG. It may not be the right PKCS 7 version.

    http://www.microsoft-questions.com/microsoft/Platform-SDK-Security/35240519/whats-the-format-of-the-result-of-cryptencryptmessage.aspx

    // signingCert is taken by reference because param.rgpMsgCert stores its address.
    void HttpCrypto::fillSignparam( PCCERT_CONTEXT& signingCert, CRYPT_SIGN_MESSAGE_PARA& param )
    {
        param.cbSize= sizeof( CRYPT_SIGN_MESSAGE_PARA );
        param.dwMsgEncodingType= X509_ASN_ENCODING | PKCS_7_ASN_ENCODING;
        param.pSigningCert= signingCert; // PCCERT_CONTEXT

        param.HashAlgorithm.pszObjId= (LPSTR) szOID_RSA_SHA1RSA; // szOID_OIWSEC_sha1; // szOID_RSA_SHA1RSA; or szOID_RSA_MD5
        param.HashAlgorithm.Parameters.cbData= 0;
        param.HashAlgorithm.Parameters.pbData= NULL;
        param.pvHashAuxInfo= NULL; // not currently used

        param.cMsgCert= 1; // DWORD
        param.rgpMsgCert= &signingCert; // PCCERT_CONTEXT*

        param.cMsgCrl= 0; // DWORD
        param.rgpMsgCrl= 0; // PCCRL_CONTEXT*

        param.cAuthAttr= 0; // sigAttributes.getCount(); // DWORD cAuthAttr; No attributes for now.
        param.rgAuthAttr= NULL; //sigAttributes.getPointer(); // PCRYPT_ATTRIBUTE

        param.cUnauthAttr= 0; // DWORD
        param.rgUnauthAttr= NULL; // PCRYPT_ATTRIBUTE

        param.dwFlags= 0;
        param.dwInnerContentType= 0;
    #ifdef CRYPT_SIGN_MESSAGE_PARA_HAS_CMS_FIELDS
        param.HashEncryptionAlgorithm.pszObjId= NULL; // struct field, so clear its OID rather than assigning NULL to the struct
        param.pvHashEncryptionAuxInfo= NULL;
    #endif
    }

    bool HttpCrypto::signMessage( PCCERT_CONTEXT signingCert, const std::string& message, std::vector<unsigned char>& v1Pkcs7SignedMsg )
    {
        CRYPT_SIGN_MESSAGE_PARA param;
        fillSignparam( signingCert, param );

        BOOL detachedSignature= FALSE;

        const BYTE * ptrToData[1] = { (const BYTE *) message.data() };
        DWORD sizeofData= (DWORD) message.size();

        DWORD cbSignedBlob= 0;
        // First call (NULL output buffer) only returns the required size in cbSignedBlob.
        if ( ::CryptSignMessage( &param, detachedSignature, 1, ptrToData, &sizeofData, 0, &cbSignedBlob ) ) {
            v1Pkcs7SignedMsg.resize( cbSignedBlob );
            if ( ::CryptSignMessage( &param, detachedSignature, 1, ptrToData, &sizeofData, v1Pkcs7SignedMsg.data(), &cbSignedBlob ) ) {
                v1Pkcs7SignedMsg.resize( cbSignedBlob );
                // Success path: Now we have the signedMsg.
                return true;
            }
        }

        return false;
    }

    //--------------------------------------------------------------------------

    bool HttpCrypto::signAndEncryptMessage( PCCERT_CONTEXT signingCert, PCCERT_CONTEXT encryptionCert, const std::string& message,
                                            std::vector<unsigned char>& v1Pkcs7SignedEncryptedMsg )
    {
        CRYPT_SIGN_MESSAGE_PARA signParam;
        fillSignparam( signingCert, signParam );

        CRYPT_ENCRYPT_MESSAGE_PARA encryptParam;
        encryptParam.cbSize= sizeof( CRYPT_ENCRYPT_MESSAGE_PARA );
        encryptParam.dwMsgEncodingType= X509_ASN_ENCODING | PKCS_7_ASN_ENCODING;
        encryptParam.hCryptProv= NULL; // not used
        encryptParam.ContentEncryptionAlgorithm.pszObjId= (LPSTR) szOID_OIWSEC_desCBC; // TODO investigate strong alg oids
        encryptParam.ContentEncryptionAlgorithm.Parameters.cbData= 0;
        encryptParam.ContentEncryptionAlgorithm.Parameters.pbData= NULL; // Generate a random IV
        encryptParam.pvEncryptionAuxInfo= NULL; // For RC2, RC4 or SP3 compatible
        encryptParam.dwFlags= 0; // CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG can be set to identify recipients by their Key Identifier and not their Issuer and Serial Number
        encryptParam.dwInnerContentType= 0;

        DWORD cbSignedBlob= 0;
        // First call (NULL output buffer) only returns the required size in cbSignedBlob.
        if ( ::CryptSignAndEncryptMessage( &signParam, &encryptParam, 1, &encryptionCert, (const BYTE *)message.data(), (DWORD)message.size(), 0, &cbSignedBlob ) ) {
            v1Pkcs7SignedEncryptedMsg.resize( cbSignedBlob );
            if ( ::CryptSignAndEncryptMessage( &signParam, &encryptParam, 1, &encryptionCert, (const BYTE *)message.data(), (DWORD)message.size(), v1Pkcs7SignedEncryptedMsg.data(), &cbSignedBlob ) ) {
                v1Pkcs7SignedEncryptedMsg.resize( cbSignedBlob );
                // Success path: Now we have the signedAndEncryptedMsg.
                return true;
            }
        }

        return false;
    }

    //--------------------------------------------------------------------------

  • RELEVANCY SCORE 3.33

    DB:3.33:Sunpkcs11 Keystore - Reload Certificates From Nss Db 78


    Hi,

    I'm using SunPKCS11 keystore to load certificates from NSS DB.
    While my application is running, the certificate list in NSS DB is changed via NSS CLI. Is there a way to make the SunPKCS11 keystore reload the changes from NSS DB?
    When I try to create a new instance of the SunPKCS11 keystore, I don't get the certificate changes - I still get the certificate list from before the changes in NSS DB.

    Thanks,
    Alon

    DB:3.33:Sunpkcs11 Keystore - Reload Certificates From Nss Db 78

    I presume when you create a new instance of SunPKCS11 keystore, you're closing the old instance?

    It's possible that the NSS CLI has not flushed its changes to the NSS DB while you're trying to instantiate the KeyStore in the JVM. On Linux/UNIX, try executing the "sync" command from a shell-window to force buffers to be written to disk and then try to reload the KeyStore in the Java program.

    It's also possible that the JVM will not reload the SunPKCS11 Bridge configuration file until the JVM itself is restarted. One way to test this theory is to try to load the KeyStore from a second JVM even as the first one is running; if the second JVM sees the new certificate while the first cannot, this tells you that the JVM must re-read the Bridge configuration file to see the changes in the NSS DB.

  • RELEVANCY SCORE 3.33

    DB:3.33:Self Signed Certificate Incorrect Keystore Password? 8c


    Hi everybody,

    I'm starting to learn how to make self-signed certificates using keytool. I use the Keytool page to learn: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
    However I'm having a problem with an error saying that my keystore password is incorrect?!

    Here is what I do:
    -------------------------------
    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -dname "cn=Paul Smith, ou=myOU, o=myO, c=US" -alias psmith -keypass kpassword -keystore psmisth.ks -storepass spassword -validity 360

    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias psmith -file psmith.cer
    Enter keystore password: kpassword
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -list -v -keystore psmith.ks
    Enter keystore password: kpassword

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: psmith
    Creation date: 02-Aug-2011
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    [...]
    -----------------------------------

    I have tried to delete the .ks file and try again but nothing changed. I don't have any .keystore file in my folder.

    Why does it say that my password is incorrect?

    DB:3.33:Self Signed Certificate Incorrect Keystore Password? 8c

    Ok

    I stupidly looked at the keytool doc in the section "Exporting a Certificate Authenticating Your Public Key" which gives:
    keytool -export -alias mykey -file MJ.cer

    Now it works!
    Thx

  • RELEVANCY SCORE 3.33

    DB:3.33:How To Write Public Key In Certficate Using Apis p9


    hi

    I have generated a key pair from KeyPairGenerator

    now I want to put the keys into the keystore using APIs

    now for using the setKeyEntry(..) api
    I need to make a certificate of the public key

    how can I store public and private keys in the keystore using APIs

    I don't want to use keytool.

    DB:3.33:How To Write Public Key In Certficate Using Apis p9

    If you don't want to use keytool on command line, you can use sun.security.tools.KeyTool class.
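
    Both this thread and the earlier "Need Help To Set Entries Into A Keystore" thread ask how to store a generated key pair through the KeyStore API. A private key can only be stored together with a certificate chain, and the standard java.security API has no call that issues the certificate, so this added example (not code from either thread) lets keytool create the self-signed certificate, as suggested in the earlier thread, and then builds the `KeyStore.PrivateKeyEntry` and `KeyStore.PasswordProtection` that `setEntry` expects. The class name, aliases, file names and password are illustrative assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example (hypothetical class name): store a key pair with KeyStore.setEntry. */
public class SetEntryExample {

    /** Runs the keytool binary that ships with the running JDK. */
    static void runKeytool(String... args) throws Exception {
        String[] cmd = new String[args.length + 1];
        cmd[0] = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        System.arraycopy(args, 0, cmd, 1, args.length);
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        if (p.waitFor() != 0) {
            throw new IllegalStateException("keytool exited with an error");
        }
    }

    /** Loads a keystore file, or creates an empty in-memory keystore when file is null. */
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (file == null) {
            ks.load(null, null);
            return ks;
        }
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ks-demo");
        Path generated = dir.resolve("generated.ks");
        Path target = dir.resolve("target.ks");
        // Sample password only. A password on a command line is visible in the
        // local process list, so do not pass real secrets this way.
        char[] password = "sample-password".toCharArray();

        // 1. keytool creates the key pair and wraps the public key in a
        //    self-signed X.509 certificate.
        runKeytool("-genkeypair", "-alias", "test", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=Self Signed Cert,OU=Testing,O=FooBar Ltd,L=Naples,ST=na,C=IT",
                "-validity", "30", "-keystore", generated.toString(),
                "-storepass", new String(password), "-keypass", new String(password));

        // 2. Read the private key and its certificate chain back.
        KeyStore.ProtectionParameter protection = new KeyStore.PasswordProtection(password);
        KeyStore source = load(generated, password);
        KeyStore.PrivateKeyEntry fromKeytool =
                (KeyStore.PrivateKeyEntry) source.getEntry("test", protection);
        PrivateKey privateKey = fromKeytool.getPrivateKey();
        Certificate[] chain = fromKeytool.getCertificateChain();

        // 3. This is the object the setEntry call needs: private key plus
        //    chain. The public key is never stored on its own; it travels
        //    inside chain[0].
        KeyStore.PrivateKeyEntry keyStoreEntry = new KeyStore.PrivateKeyEntry(privateKey, chain);

        KeyStore destination = load(null, null);
        destination.setEntry("keyAlias", keyStoreEntry, protection);
        // Equivalent older call: destination.setKeyEntry("keyAlias", privateKey, password, chain);

        // 4. Persist the new keystore and verify it by reloading.
        try (OutputStream out = Files.newOutputStream(target)) {
            destination.store(out, password);
        }
        KeyStore check = load(target, password);
        X509Certificate leaf = (X509Certificate) check.getCertificate("keyAlias");
        System.out.println("Stored in " + target);
        System.out.println("isKeyEntry(keyAlias) = " + check.isKeyEntry("keyAlias"));
        System.out.println("Subject = " + leaf.getSubjectX500Principal().getName());
    }
}
```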

  • RELEVANCY SCORE 3.33

    DB:3.33:Re: Client Authentication Without Disclosing Password? dj


    Thanks for your help.

    I suppose if you wrote your own KeyManager or TrustManager you could handle it, as it's there in the KeyStore API.

    Ok.
    Anyway, why have JDK 1.5 and later been giving an option in the Java Control Panel,
    which allows a Java program to use certificates and keys in the browser keystore?
    Is the browser keystore used only as a truststore?

    --yoshiki

    DB:3.33:Re: Client Authentication Without Disclosing Password? dj

    If these things were system properties, the applet wouldn't have to do anything, would it? They're not, they are applet params. The applet has to retrieve the param values via Applet.getParameter() and then try to call System.setProperty() with those names and values. May only work if the applet is signed.

    Maybe you could put the -D things into the jvm_arguments, I have no idea.

    If you don't want to change any code surely you're outa luck? you have to change something.

  • RELEVANCY SCORE 3.32

    DB:3.32:As2 Receiver Decryption-Failed Error At Partner Side pk


    Hi All,

    I have done a File to AS2 scenario and it is failing when testing. Actually, from our PI perspective everything looks good EXCEPT the certificates in NWA and their paths to configure in the AS2 adapter.

    The error from Seeburger Monitoring is as below:

    Message details:
    State -- Error on send, will not be retried
    Status Description -- decryption-failed

    Receipt (MDN) details:
    MDN Message ID -- null
    Payload State -- error
    Payload State Details --- decryption-failed

    Moreover, I have imported partner certificates in Certificates and Keys: Key Storage of NWA.

    Example:
    Key Storage View -- SreeKSV
    The View Entry Name -- CertiPart (This is provided by the partner and imported here)

    Then I used the name for the field name in AS2 Receiver Adapter related to these settings:
    Server Certificate (Keystore) -- USERS/SreeKSV/CertiPart ---- is this correct way?
    Private Key for Client Authentication -- Empty

    And in the Outbound Processing of Integrated Configuration, settings as below:
    AS2 Sender Configuration: Signing Key ---- Our Regular Path used in Other scenarios as well
    AS2 Receiver Configuration: Encryption Certificate --- USERS/SreeKSV/CertiPart (Same as above Server Certificate (Keystore))

    Now my questions are:
    1. Are all these settings wrong?
    2. Any new things to be done still in PI and/or NWA and/or anywhere in the system?

    Please help me.

    Regards,
    Sreeni.

    DB:3.32:As2 Receiver Decryption-Failed Error At Partner Side pk

    Hi All,

    There was an issue with SSL Certificate and Encryption Certificate. Initially they sent SSL; we tried it in both AS2 Receiver channel and RA but failed. Again we requested, they sent one more after two days, then I tried in both AS2 Receiver channel and RA but failed with new certificate. But again failed. Later configured one as SSL at AS2 Channel and other as Encryption in RA, then working good.

    Regards,
    Sreeni.

  • RELEVANCY SCORE 3.32

    DB:3.32:Sslcontext: Tell Which Certificate To Use From Keystore With Multiple Keys 3c


    Hi,

    in my project I need to pass an SSLContext to an Axis Webservice-Client. This SSLContext should load a KeyStore-Key (client certificate) and use the server's certificate in trust-store. The client certificate is retrieved from a USB device.

    The keystore object is correctly instantiated and has multiple (3) certificates on it.
    I hope I made my point clear enough...

    Now I would like to tell the SSLContext to use certificate no. 2 as client certificate. How can I do that? here's the code snippet so far:

    KeyStore ks = null; // declared outside the try blocks so both can use it

    try {
        String configName = "pkcs11.cfg";
        Provider p = new sun.security.pkcs11.SunPKCS11(configName);
        Security.addProvider(p);

        System.out.println(p.getName() + ", " + p.getVersion()); // this works

        char[] pin = "secret".toCharArray();
        ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);

        //testing ks-object if properly loaded
        String alias = null;
        Enumeration<String> al = ks.aliases();
        while (al.hasMoreElements()) {
            alias = al.nextElement();
            System.out.println(alias);
        }
        //so far works - get listed all available certificates from the token

    } catch (Exception ex) {
        System.out.println(ex.getMessage());
        ex.printStackTrace();
    }

    try {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null); // I set password to null .. because ks object already loaded and think no password required... ?

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); //actually the trust-certificate is on the token as well...

        // configure a local SSLContext to use created keystores
        SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

        return sslContext;
    } catch (Exception ex) {
        throw new IllegalStateException("could not build SSLContext", ex);
    }

    DB:3.32:Sslcontext: Tell Which Certificate To Use From Keystore With Multiple Keys 3c

    Yes, more accurately the section starting 'Custom KeyManager setup: Choosing an alias', or see the JSSE Reference Guide (http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html).
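
    The approach the reply points to, a custom KeyManager that chooses the alias, written out as an added example; it is not code from the thread or from the JSSE guide. The class name FixedAliasKeyManager and the helper contextFor are hypothetical, and the caller is assumed to pass key and trust stores that are already loaded.

    ```java
    import java.net.Socket;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import java.util.Collections;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLEngine;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509ExtendedKeyManager;
    import javax.net.ssl.X509KeyManager;

    /** Hypothetical helper: offers exactly one keystore entry as the TLS client certificate. */
    public final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate; // stock key manager built from the keystore
        private final String alias;            // spelled exactly as KeyStore.aliases() reports it

        public FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }

        /** Returns the pinned alias only if the stock manager accepts it for this handshake. */
        private String pinnedIfAcceptable(String[] keyTypes, Principal[] issuers) {
            if (keyTypes == null) {
                return null;
            }
            for (String keyType : keyTypes) {
                // The delegate filters by key algorithm and by the CA names the server sent.
                String[] candidates = delegate.getClientAliases(keyType, issuers);
                if (candidates != null && Arrays.asList(candidates).contains(alias)) {
                    return alias;
                }
            }
            return null; // send no certificate rather than fall back to another entry
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            return pinnedIfAcceptable(keyTypes, issuers);
        }

        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            return pinnedIfAcceptable(keyTypes, issuers);
        }

        // Everything below is passed through to the stock key manager unchanged.
        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }

        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }

        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }

        @Override
        public X509Certificate[] getCertificateChain(String a) {
            return delegate.getCertificateChain(a);
        }

        @Override
        public PrivateKey getPrivateKey(String a) {
            return delegate.getPrivateKey(a);
        }

        /** Builds an SSLContext whose client certificate is pinned to one alias of the key store. */
        public static SSLContext contextFor(KeyStore keys, char[] keyPassword,
                                            KeyStore trust, String alias)
                throws GeneralSecurityException {
            // Fail early on a typo or on an alias that holds only a trusted certificate.
            if (!Collections.list(keys.aliases()).contains(alias) || !keys.isKeyEntry(alias)) {
                throw new KeyStoreException("no private-key entry under alias: " + alias);
            }
            // "SunX509" reports plain keystore aliases; other algorithms may report them differently.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(keys, keyPassword); // token-backed stores such as PKCS11 accept null here
            KeyManager[] managers = kmf.getKeyManagers();
            for (int i = 0; i < managers.length; i++) {
                if (managers[i] instanceof X509KeyManager) {
                    managers[i] = new FixedAliasKeyManager((X509KeyManager) managers[i], alias);
                }
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(managers, tmf.getTrustManagers(), null); // null selects the default SecureRandom
            return ctx;
        }
    }
    ```

    Keeping the trust anchors in a separate store from the client key, as contextFor expects, avoids trusting every certificate that happens to sit on the token.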

  • RELEVANCY SCORE 3.32

    DB:3.32:Using An Existing Cacerts File As An Ssl Keystore 1d


    I have an existing cacerts file populated with multiple certificates. I would like to use this file as my ssl keystore, so I put it in the j2ee/home/config directory, and put the following line in my secure-web-site.xml file:

    <ssl-config keystore="./cacerts" keystore-password="changeit" needs-client-auth="true" />

    However, it's giving the following exception on starting the OC4J server:

    Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.

    Since the cacerts file contains nearly 40 certificates, I'd rather not create a new keystore and export, then import, one by one.

    Can I use the existing cacerts file?

    Or am I missing the point?


  • RELEVANCY SCORE 3.32

    DB:3.32:Certificates And Keys: Key Storage 18



    Hi,

    Due to a new critical integration scenario we have the following question in order to know Keystore capabilities.

    Is there any way to mark a PRIVATE KEY as not exportable in a view of NWA-Keystore? This way, even an ADMINISTRATOR cannot export a private key out from the Keystore.

    Any thoughts will be highly appreciated.

    Regards

    Ivn

    DB:3.32:Certificates And Keys: Key Storage 18


    Hi all,

    Unfortunately SAP has responded to me saying it's not possible to cover those requirements.

    Regards

    Ivn

  • RELEVANCY SCORE 3.31

    DB:3.31:Error While Importing Ca Cert Into Kerstore ac


    Hi all,
    I am facing the below error while importing a CA cert or trusted cert into the keystore:

    bash-3.00$ keytool -import -v -trustcacerts -alias tcstestenv -file TCStestCA.cer -keystore keystore.jks
    Enter keystore password:
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    java.lang.Exception: Public keys in reply and keystore don't match
    at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
    bash-3.00$ keytool -import -v -trustcacerts -alias tcstestenv -file TCStestCA.cer -keystore keystore.jks
    Enter keystore password:
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    java.lang.Exception: Public keys in reply and keystore don't match
    at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
    bash-3.00$ keytool -import -v -alias tcstestenv -file TCStest.cer -keystore keystore.jks
    Enter keystore password:
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    java.lang.Exception: Public keys in reply and keystore don't match
    at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)

    Regards
    Sunitha

    DB:3.31:Error While Importing Ca Cert Into Kerstore ac

    Hello Sunitha,

    Could you solve this issue?

    Regards,
    Anuj

  • RELEVANCY SCORE 3.31

    DB:3.31:How To Reset Java Keystore After Loosing Password? 1a


    I am trying to create a new certificate using the keytool. However, I have lost my password and have no access to the keystore. How do I reset the password or start a new store? I don't mind losing all the certificates in the keystore.

    DB:3.31:How To Reset Java Keystore After Loosing Password? 1a

    Thank you. It works now. I didn't know that keystore was saved there.

  • RELEVANCY SCORE 3.31

    DB:3.31:Vcloud Director Signed Ssl Certs cx



    I am using the vCD appliance version 1.5.1 and I am having trouble applying signed SSL certificates.

    I have followed this KB (http://kb.vmware.com/kb/1026309) over and over and I can not get the vCD appliance to stop looking at the keystore located in /opt/vmware/vcloud-director/etc/certificates. I did not create that keystore and I do not know the keystore password. I have restarted the appliance and ran the /opt/vmware/cloud-director/bin/configure script after each change.

    Has anyone experienced a similar issue? Is this maybe a limitation of the appliance?

    Thanks!

    DB:3.31:Vcloud Director Signed Ssl Certs cx


    Bump. Anyone know what the default keystore password might be? I can't get the appliance to point to any other keystore file.

  • RELEVANCY SCORE 3.31

    DB:3.31:Please Help...Jsse And Certificates And Private Keys 3x


    Hi,

    I am trying to connect a Java test client to a Java test server using a certificate I generated using openSSL. I put the contents of the .pem file in a keystore using keytool and now I have a keystore with this trusted certificate in it. I also put the certificate in the cacerts. The keystore does not contain the private key of this entity.
    How can I initialize the SSL Context using this certificate? I realize that I cannot do:
    ks.load(new FileInputStream(serverKeyFile), passphrase);

    kmf.init(ks, passphrase);
    ctx.init(kmf.getKeyManagers(), null, null);
    SSLServerSocketFactory ssf =
    ctx.getServerSocketFactory();
    since the private key is missing from this keystore. And I can't use getDefault(), either. Is there a way to put the private key that's in a .key file in this keystore? If not, how can I create an SSLServerSocketFactory object that will work correctly??

    I would appreciate any suggestions.

    Sachiko

    DB:3.31:Please Help...Jsse And Certificates And Private Keys 3x

    Did you solve this problem. I have the exactly same problem to be solved.
    Please email the solution to dskrishna@hotmail.com

  • RELEVANCY SCORE 3.31

    DB:3.31:Anonymous Ssl 91


    How would I use this in Java?

    If I don't specify a keystore, it attempts to load
    the default and fails...so there must be some way
    to do anonymous SSL (no client or server authentication,
    no certificates, no keystore).

    If anyone can help me out I'd greatly appreciate it.

    Thanks!

    DB:3.31:Anonymous Ssl 91

    Did you ever solve this problem? I have the same need and was wondering if you could send me your code. Thanks in advance.

  • RELEVANCY SCORE 3.31

    DB:3.31:Mutual Authentication On Tomcat 5 3p


    Hello,

    For the moment I'm experimenting with J2EE security with Tomcat 5.

    So far I was able to get BASIC authentication to work and also server Authentication (SSL with certificate).

    The next step I wanted to take was to configure Tomcat to use Mutual authentication but so far without success.

    Here are the steps I take:

    1. Create a client keystore with one certificate using the java keytool
    2. Create a server keystore with one certificate using the java keytool (my CN name is localhost and I also
    use this in my test URL: https://localhost:8443)
    3. Export the client certificate from the client keystore to a .cer certificate
    4. Export the server certificate from the server keystore to a .cer certificate
    5. Import my .cer server certificate in my trust store (%JRE_HOME%\lib\security\cacerts)
    Now the client should trust the server's certificate.
    6. Import my .cer client certificate in my server's keystore
    This way the server should trust the client.
    7. In my server.xml file I have put clientAuth to true and used the -keystore parameter to point to the correct
    certificate.
    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
    secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="c:/keys/serverKeys"
    keystorePass="password"/>

    As a test I also imported the 2 .cer certificates (client + server) in my IE but I don't think this is needed.

    When I start tomcat and check if it is running http://localhost:8080 then this works, but when I want to use https://localhost:8443 I get the message that the page could not be displayed ...

    I'm trying for several days to solve this but without success ...

    Can someone help me please ?

    Many thanks !

    Best regards,

    Tom.

    DB:3.31:Mutual Authentication On Tomcat 5 3p

    With truststore file you mean cacerts.jks in %JAVA_HOME%/JRE/LIB/SECURITY ?

    To avoid misunderstanding, the only thing I try to do is to establish mutual authentication between a client (IE) and a server (localhost) on the same machine (without using any java code) ?

    Is that possible ?
    Do I need to configure anything in my web.xml ?

    Does there exist a step by step guideline to get it to work ?

    By javax.net.debug system property, you mean that this must be done in java code ?

  • RELEVANCY SCORE 3.30

    DB:3.30:Rmi Over Ssl 1f


    Hi all,

    I'm working on JDK1.4.2 and want to secure communication between my server and clients. I googled a lot but was not able to find clear answers.

    Here are the main points :

    1) Application launch:

    When launching the application, I saw lots of command line beginning like this:
    java -Djavax.net.ssl.trustStore=server.keystore -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=server
    If keyStorePassword is in the cmd line is it secure ? I guess I can use setProperty in the code but is it secure enough ?

    2) RMI example

    I've followed the Java Example (http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/samples/index.html).
    We can see that RMISSLServerSocketFactory loads the keystore. This keystore is a custom one as we call it explicitly so:
    How the client can find this keystore ?
    Then if the keystore contains several pairs of Private/Public Keys:
    What keys are taken for handshake, How can we specify one ?

    3)Certificates
    This third part is related to the previous one. The RMI Example is too simple and I was not able to find an example with RMI where certificates enter into the authentication mechanism.

    Regards

    Erwan

    DB:3.30:Rmi Over Ssl 1f

    @ejp: the message description = certificate_unknown is on server side. I guess this is not a fatal exception
    It is a fatal condition and it is a cause of handshake failures. Please provide the entire server-side ssl trace as I asked before.

    When the server has been retrieved on client side, the current clientimpl is serialised
    No it isn't. Its stub is serialized

    - on client side:
    there are a lot of RenewClean threads which start and die (when using eclipse debug mode it consumes about 50% of CPU (near nothing when jar are generated ??))
    This is distributed garbage collection. Part of RMI. Shouldn't take all that much CPU. Might be related to the below.

    - on server side:
    When a client shuts down, the server is always trying to connect somewhere so I have a lot of ConnectionException: Connection refused .... and sometimes, in this flow of ConnectionException one BindException.
    That's the server, or possibly DGC, still trying to connect to that client. Before the client shuts down it should tell the server to stop trying to call that clientImpl via another RMI call. The server should throw away all its references to that clientImpl when it executes that method.

  • RELEVANCY SCORE 3.30

    DB:3.30:Ssl Configuration Error: Cannot Convert Identity Certificate 37


    I have a problem using Custom Identity Keystore in Weblogic 10.3.5 installed under RedHat.

    I have received a pfx/p12 certificate. Successfully extracted PEM server certificate and keys and installed them in Apache for mod_ssl configuration (using XCA for extracting PEM for certificates and key).
    I am trying to use the same certificate and key for configuring WebLogic SSL.

    Using the PEM certificate and keys that are used for Apache configuration, created a JKS store using WebLogic utility:

    java utils.ImportPrivateKey -keystore CUSTOM_STORE.jks -storepass STOREPWD -storetype JKS -keypass KEYPWD -alias KEYALIAS -certfile server.crt -keyfile server.key -keyfilepass KEYPWD

    Configured Weblogic using administration console, setting a Custom Identity and Java Standard Trust that references my keystore in Keystores tab. Then modified the Private Key Alias and passphrase in SSL tab. All this settings for Administration Server.

    SSL in WebLogic does not start correctly with the following error:

    *23-mar-2012 10.55.45 CET Error WebLogicServer BEA-000297 Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate*
    *23-mar-2012 10.55.45 CET Error Server BEA-002618 An invalid attempt was made to configure a channel for unconfigured protocol "Cannot convert identity certificate".*

    I have successfully configured WebLogic SSL using an auto signed certificate, inserting the certificate in a custom JKS store.

    Does anyone have suggestions for understanding WebLogic error?
    Is there a different way of importing a pfx/p12 certificate in a Java Key Store for using in WebLogic server?

    Thanks in advance,
    Giuseppe

    DB:3.30:Ssl Configuration Error: Cannot Convert Identity Certificate 37

    Hit the same problem.

    Self signed Certificate used to work well for WLS 10.3.5.x on JDK 6, recently did the same configuration for WLS 10.3.6.x on JDK 7 and SSL won't start.

    Checking the logs, the same error.

    Checking "Use JSSE SSL" does fix the problem easily.

  • RELEVANCY SCORE 3.30

    DB:3.30:Is A Client Keystore Necessary? ak


    We are trying to avoid having a client keystore but we want to use SSL is that possible? e.g. can we some how accept server certificates without having to have it in a keystore?

    It does not matter if the server is trusted or not.

    I have browsed this forum and not found an answer.

    Please help!

    DB:3.30:Is A Client Keystore Necessary? ak

    Yes and no.

    Client doesn't need a specific certificate in a keystore. But the server's certificate should be issued by any CA in 'cacerts' file.

  • RELEVANCY SCORE 3.29

    DB:3.29:Importing Certificates 1f


    Hi,

    What I am looking for is a code based implementation of importing certificates into java's keystore. I am aware of the keytool commands to do it manually, but is it possible to say, receive a certificate from someone, and import it in the keystore through a code means? If anyone could provide me with some insight on this (and preferably where to look next for tutorials/code samples etc) it would be greatly appreciated.

    Thanks,
    Daniel.


  • RELEVANCY SCORE 3.29

    DB:3.29:Using Keystore Instead Of Oracle Wallet To Configuring Ohs For Ssl. 3x


    Hi All,

    The document says "To configure Oracle HTTP Server for SSL, you need a wallet that contains the certificate for the server. Wallets store your credentials, such as certificate requests, certificates, and private keys".

    Is Oracle Wallet the only supported store for certificates for OHS?
    Can we use a keystore instead? If so, how do we configure OHS to use a keystore?

    thanks

    DB:3.29:Using Keystore Instead Of Oracle Wallet To Configuring Ohs For Ssl. 3x

    To my knowledge it's only possible to use OWM, not keystore. I also did a search on Metalink, but it came up empty. OWM is shared by all components. If you're using Web Cache (which I hope you do), you also have to configure it to know the location of the Wallet.

    If possible, I would terminate SSL on the Load Balancer.

    More information in:
    * Application Server Admin Guide, chapter 13.5-, 14
    * HTTP Server Admin Guide, chapter 11
    * Metalink notes

    Regards,
    Martin Malmstrom

  • RELEVANCY SCORE 3.29

    DB:3.29:How To Access A Keystore Over A Network df


    Hi, everybody.
    I'm new to this field.
    I created a KeyStore having the access to it in my local machine without a problem.
    So, now I want to put that KeyStore in a remote machine and access it.
    Can, anybody tell me how to do that.
    And what are the secure ways of getting private keys in that KeyStore.
    Thank You.

    DB:3.29:How To Access A Keystore Over A Network df

    Duminda_Dharmakeerthi wrote:
    Thanks,
    I'm aware of it.
    But, here I want to know that is there a possibility of accessing a KeyStore within a network.
    Of course - FTP, HTTP, simple sockets, ssh etc etc etc.

    (This is for my own local network for a testing for my academic purpose.)
    Can you suggest another way to do this. (if any better)
    Thank You.

  • RELEVANCY SCORE 3.29

    DB:3.29:Help Keytool Encrypt And Decrypt File With Rsa Key Pair Stored In Keystore js


    Hi friends..

    Sorry i'm pretty new in using Java KeyTool..
    Please guide me, how to encrypt and decrypt file using Keys stored in the KeyStore..

    This is the list of my key store :

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    mykey1, Sep 30, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): 34:4E:C9:77:82:35:8A:E0:EA:02:00:25:CE:AC:A5:61

    Thanks in advance..

  • RELEVANCY SCORE 3.29

    DB:3.29:Ssl: Importing Pem Files Into Keystore?... s9


    I have a Java application that is trying to connect to C++ server using an SSLSocket connection.

    I have all the details necessary for creating the SSLSocket object except... I have no idea how to load keys and certs into my KeyStore object.

    I have 2 certs (CA and Client) and a Client Private Key - ALL of which are in PEM file format.

    Any ideas how I would go about adding the PEM certs key to my KeyStore? I think I'll need to first convert from PEM format to some format that KeyTool will be able to read and then run KeyTool....

    Any info would be appreciated!

    C++ Server Encryption Details (OpenSSL)
    Encryption method used - TLSv1
    Using self-signed certificates
    Using both server and clients certificates
    Private keys of server and clients certificates are encrypted with a pass phrase for extra security

    Client Socket Connection Code:
    Socket mySocket = null;
    SSLSocketFactory sslFactory = null;
    SSLContext sslCtx = SSLContext.getInstance( "TLS" ); //TLS?
    KeyManagerFactory kMF = KeyManagerFactory.getInstance( "SunX509" ); //"SunX509"??
    KeyStore kS = KeyStore.getInstance( "JKS" ); //"JKS"??

    //Hard-coded password for decrypting Client Key
    char[] passWord = "myPassword".toCharArray();

    kS.load(new FileInputStream("InputFile"), passWord); //"InputFile" from PEM Files?
    kMF.init(kS, passWord);

    TrustManagerFactory tMF = TrustManagerFactory.getInstance("SunX509");
    tMF.init(kS);
    sslCtx.init(kMF.getKeyManagers(), tMF.getTrustManagers(), null); // key managers come from kMF
    sslFactory = sslCtx.getSocketFactory();

    mySocket = sslFactory.createSocket(inetAddress, commandPort);

    DB:3.29:Ssl: Importing Pem Files Into Keystore?... s9

    Disable SSLv2ClientHello. See the JSSE Reference Guide.

  • RELEVANCY SCORE 3.28

    DB:3.28:Java Keystore.Load For Windows-My Pops Up Insert Smart Card Window 8x


    Hi,
    I am trying to access/list the certificates from Windows-My using SunMSCAPI provider.

    I have multiple certificates in my personal store and I would like to get only the certificates based on alias or list all of them and I can filter them.
    The moment I call KeyStore.load(null, password), I get the "please insert smart card" popup window for all the certificates excluding the ones in the inserted smart card.
    Is there any way to avoid this popup window? All I want is to get the certificates that match the inserted smart card so that I can validate the certificates. The window pops up while loading the KeyStore.
    KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
    keyStore.load(null, password);
    Thanks

    DB:3.28:Java Keystore.Load For Windows-My Pops Up Insert Smart Card Window 8x

    Hi,

    Were you able to figure out the issue and solution?

    Thanks,
    Somesh

  • RELEVANCY SCORE 3.27

    DB:3.27:Tomcat Connector For Ssl mj



    I have the following Certificates along with Keystore file

    all certificates imported successfully to the keystore file , and I have Tomcat 6 (midtier)

    I have tried many connectors , but no luck

    can any one please help me what is the connector in my case to put it in Server.XML ?

    and is the key store extension is restricted to any type ?

    DB:3.27:Tomcat Connector For Ssl mj


    I'm pretty sure I saw a ".com" in a screencapture of the mid-tier page you made...

  • RELEVANCY SCORE 3.26

    DB:3.26:Trusted Certificates Do Not Load In Wl 10.3.2 j3


    In Weblogic 10.3.1, when I started WL, it will load the trusted certificates automatically as below

    Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks.
    Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\JDK160~1\jre\lib\security\cacerts.

    But in WL 10.3.2, it does not. In my console under Server - Configuration - Keystores tab. In my case, the drop-down for keystore is "Demo Identity and Demo Trust"

    I checked and all the jks and cacerts are there. Mine is a fresh installation of WL 10.3.2

    Do you have any ideas?

    Thanks

    DB:3.26:Trusted Certificates Do Not Load In Wl 10.3.2 j3

    I enabled it and it loads the trusted certificates now. Thanks

  • RELEVANCY SCORE 3.26

    DB:3.26:Can Not Get Windows Intermediate Certificates j1


    Hi,

    I would like to get list of certificates stored in windows keystore as "Intermediate Certification Authorities". I tried this:
    KeyStore ks = KeyStore.getInstance("Windows-MY");
    ks.load(null, null);

    but the keystore is empty. When I try to get "Trusted Root Certification Authorities", i.e. I do this:

    KeyStore ks = KeyStore.getInstance("Windows-ROOT");
    ks.load(null, null);

    then the keystore is successfully loaded and I can enumerate certificates (Trusted Root certs only..).

    I googled that "When a security manager is installed, the following call requires SecurityPermission "authProvider.SunMSCAPI"."

    So I added this row into the java.policy file:

    permission java.security.SecurityPermission "authProvider.SunMSCAPI"

    but still I am not able to load them.

    I guess that I miss something very basic, because I cannot google anything about this problem, do you have any idea?

    DB:3.26:Can Not Get Windows Intermediate Certificates j1

    OK, I see.. In such case I do not understand why there is storage for intermediate certificates at all...?
    I don't know.

  • RELEVANCY SCORE 3.25

    DB:3.25:Public/Private Keys, And Certificates... How It Works? 1d


    Hi! I need a bit of light in one issue. I know that when I create a certificate using keytool -genkey, a public/private key pair is created along with a certificate, which are all stored in the .keystore or a file that you specify.

    Now, if I want that someone "sign" (or crypt) a file for me, I must give him(her) my public key (which I understand is IN the certificate), and keep my private key just for me.

    My question is, how do I send just my public key-certificate to someone, without sending my private key too. May be is a dumb question, but I don't understand very well how this work. I mean, if the key pair and the certificate are all stored in the keystore, if I send my keystore they will have all, but, I don't see anything else created by the keytool beside the keystore. To be more precise, I don't see any certificate that I can send.

    Any help, guidance, light, idea or anything will be highly appreciated.

    Thanks a lot!

    DB:3.25:Public/Private Keys, And Certificates... How It Works? 1d

    Ooooh OK. I was doing that, but was not sure if that was right. Thanks a lot!

  • RELEVANCY SCORE 3.25

    DB:3.25:Keys And Certificates In The Keystore 3j


    Hi,

    On an alias in the keystore, if I do isKeyEntry, I get true.

    On this alias, if I do (an error) getCertificate, I obtain a certificate. What is this certificate ? The alias is a key, not a certificate ?

    DB:3.25:Keys And Certificates In The Keystore 3j

    Hi,
    Quoting java.security.KeyStore.getCertificate() docs:

    If the given alias name identifies a trusted certificate entry, the certificate associated with that entry is returned. If the given alias name identifies a key entry, the first element of the certificate chain of that entry is returned, or null if that entry does not have a certificate chain.

    User-generated private keys usually have certificates associated with them. Only secret keys probably wouldn't.

  • RELEVANCY SCORE 3.25

    DB:3.25:Keystore And Cryptix Rsa Generated Keypair 8x


    I'd like to sore RSA keys in KeyStore. Problems begin where it's time to place public key as Certificate. Can anyone show the way to store such a key ?

    DB:3.25:Keystore And Cryptix Rsa Generated Keypair 8x

    BTW Cryptix still doesn't have implementation of getExternal() method for the publick and private RSA keys.

  • RELEVANCY SCORE 3.25

    DB:3.25:Where Is The System-Wide Ca Keystore 7s


    Hi All,

    I'm trying to add certificates to my keystore located at $JRE_INSTALL$/lib/security/cacerts on a Unix box (SunOS 5.10). I've verified that it's empty by running keytool -list -keystore cacerts in the same folder. In the same folder, I then ran keytool -importcert -trustcacerts -alias alias1 -storepass **** -file alias1.der -keystore cacerts. I then got the message "Certificate already exists in system-wide CA keystore under alias duplicating_alias...". What gives? How can I determine where this system-wide keystore is? How can I force the JRE to use the one in $JRE_INSTALL$/lib/security ?


  • RELEVANCY SCORE 3.24

    DB:3.24:Java/C++ Secure Communication 97


    Hi,

    I'm working on a small project where client (C++) and server (Java) must communicate in a secure way. I'm not a specialist on JSSE but as far as I could find on tutorials and books, I have to create keys and certificates using the keytool shipped with JSDK. My doubt is how the C++ side will understand those keys and certificates if they are generated specifically for Java, I mean they are in a Java-aware format. Do I have to convert the keystore files to some other more generic and usual format? What would be this format?

    It would be great if you could point out a resource where I could learn more how to integrate Java and C++ in a secure fashion.

    Thank you very much

    Best Regards
    Cleverson Schmidt

    DB:3.24:Java/C++ Secure Communication 97

    hi,
    How does JSSE operate with OpenSSL? Can you give me more information regarding this?

    Thanks,

  • RELEVANCY SCORE 3.24

    DB:3.24:Java Keystore 9c



    We have a PI 7.11 system. Currently configured to use ABAP STRUST for certificate storage. As per SAP's recommendation we are updating the configuration to use the JAVA Keystore for all certificates - ABAP and JAVA. I have some questions regarding the organisation of certificates in the keystore.

    For all outbound communications from the ABAP stack (RFC destinations to a Partner) the anonymous and client certificates should be stored in the CLIENT_ICM_SSL_iinstallation# keystore.

    For all outbound communications from the JAVA stack (FTPS for example) the anonymous certificates should be stored in the TRUSTEDCAs keystore.

    For all inbound communications the certificates should be stored in the ICM_SSL_iinstallation#port keystore

    Is this correct? I got some of this information from SAP Help, specifically http://help.sap.com/saphelp_nwpi711/helpdata/en/e9/a1dd44d2c83c43afb5ec8a4292f3e0/frameset.htm

    Any additional information that you may have would be appreciated.

    DB:3.24:Java Keystore 9c


    Hi Robert,

    I see I was wrong. In PI 7.11 all keystore entries are done in Java stack.

    http://help.sap.com/saphelp_nwpi711/helpdata/en/23/d12940cbf2195de10000000a1550b0/frameset.htm

    "We recommend that you store CA certificates in the TrustedCAs view."

    The security guide is the only official resource from SAP that I know.

    Edited by: Stefan Grube on Oct 6, 2011 12:17 PM

  • RELEVANCY SCORE 3.23

    DB:3.23:Weblogic, How To Reload Trust Keystore From Java Application? ks


    I have an application which adds and deletes certificates from the trust keystore from Java code using the keytool command line (like "keytool -delete -keystore trust.jks -storepass password -alias test").
    But WebLogic loaded certificates from this keystore only one time - during startup.
    How can I reload the trust keystore programmatically?

    I tried the same trick of restarting the https listener by setting/resetting the "CustomTrustKeyStoreType" attribute using JMX:

    import javax.management.MBeanServer;
    import javax.management.ObjectName;
    import javax.naming.InitialContext;

    InitialContext ctx = new InitialContext();
    MBeanServer server = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
    ObjectName objName = new ObjectName("com.bea:Name=" + serverName + ",Type=Server");
    String pathJKS = (String) server.getAttribute(objName, "CustomTrustKeyStoreFileName");
    System.out.println(pathJKS);
    server.setAttribute(objName, new javax.management.Attribute("CustomTrustKeyStoreFileName", null));

    but I get the error: javax.management.AttributeNotFoundException: Attribute is readonly.

    Any other ideas also are welcome.

    JDeveloper 11.1.1.5.0, Weblogic 10.3.5.0

    Some description of the purpose of this action. I realize the two-way SSL connection.
    At first I wanted to sign client certificates with a self-signed "MyOwnCA" certificate, but there were troubles with revoked certificates - I can't find how it is realised in WebLogic. Therefore I have decided to put self-signed client certificates in the trusted keystore. If a certificate is compromised, it is deleted from the keystore, without CRL processing.

    Edited by: VitalyCoder on 25.01.2012 9:49

    Edited by: VitalyCoder on 25.01.2012 12:00

    DB:3.23:Weblogic, How To Reload Trust Keystore From Java Application? ks

    I found the button "Restart SSL" in the console (Environment Servers ServerName Control).
    How can I trigger a similar action programmatically from Java, or if this is impossible, with the help of t3?

  • RELEVANCY SCORE 3.23

    DB:3.23:Doubt In Some Concepts x7


    Hi everyone,

    I have doubts with some security concepts, I've been reading documents, but I can clear these things up.... here's the thing....

    What exactly are a keystore, certificate and .pfx or p12 files?

    I understood that pfx or p12 files are keystores that have public and private keys inside.... but in my concept a certificate also has a public key and a private key.. so I can say that keystores are certificates.... but I'm messing these concepts up, pretty sure of that....

    Could anyone help me?
    Thanks in Advance

    Edited by: cs.santos on Jun 16, 2009 12:28 PM

  • RELEVANCY SCORE 3.23

    DB:3.23:Bouncycastle Key Store 9x


    I am creating a CA.

    I have a self-signed certificate (selfsignedCAcert) generated using the BouncyCastle X509V3CertificateGenerator().

    I would now like to create a keystore to add more certificates later as well as include the self-signed certificate in it.

    The setCertificateEntry() method is simple:

    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.setCertificateEntry(alias, selfsignedCAcert);

    However, I would also like to store the corresponding PrivateKey in the keystore, which requires

    // chain is a Certificate[] with the certificate for privkey first
    ks.setKeyEntry(alias, privkey, password.toCharArray(), chain);

    I have only my self signed certificate for the time being, containing RSA PublicKey, and signed with a DSA PrivateKey

    How do I generate such a keystore, store the self-signed as well as other certificates and finally call

    ks.store(stream, password.toCharArray());

    Any suggestions or code would be helpful.

    BTW, if anyone wants sample code for using X509V3CertificateGenerator(), I have it available.

    Thanks in advance.

    DB:3.23:Bouncycastle Key Store 9x

    I want that code!!! Can you please send it!!!
    thnx

  • RELEVANCY SCORE 3.23

    DB:3.23:Pki Certs And Ca Chains Not Recognized From Browser p8


    Hi, I have a client (with a support contract) who is having an issue where they have a Java application that is not recognizing their PKI certificates or CA chains that are loaded into their browser. Instead, in order for the application to find the certificates and chains, they have to load them into the Java Control panel. The setting in the control panel (Advanced - Security - General) are set to "Use certificates and keys in browser keystore".

    They are running this application on Solaris 10 Update 9, the browser is Firefox 3.6.9 (which we are trying to get them to upgrade to 3.6.16), and Java is 1.6.0_24. Is it possible that the application can be making an assumption of a different browser (i.e. InternetExplorer) and therefore not working?

    any help would be appreciated.

    thanks.

    Tim

    DB:3.23:Pki Certs And Ca Chains Not Recognized From Browser p8

    The behaviour you are seeing is as expected. Your assumption is that the browser will use a certificate from its own certificate store which is normally true for both Firefox and IE, however your application is using an applet that is using the certificate from the local java keystore instead of the browser's native certificate store.

  • RELEVANCY SCORE 3.22

    DB:3.22:Storing X509 Certificates In Mobile Certificate Keystore c9


    Hello, how do you store x509 certificates in a phone using j2me? Does anybody have any sample code to retrieve a public key from an x509 certificate in j2me and validate the x509 certificate?

    Thank you

  • RELEVANCY SCORE 3.22

    DB:3.22:Pkcs#11 Provider Unable To Fetch Asymmetric Keys And Certificates f1


    Hi,

    I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.

    My code snippet and configuration file are:

    Java Code:

    java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
    sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
    System.out.println("Provider Name : " + pkcs11_provider.getName());
    java.security.Security.addProvider(pkcs11_provider);
    KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11_provider);
    ks.load(null, "password".toCharArray());
    java.util.Enumeration obj_enumeration = ks.aliases();
    while (obj_enumeration.hasMoreElements()) {
        String str_certAlias = (String) obj_enumeration.nextElement();
        System.out.println("Alias : " + str_certAlias);
    }

    pkcs11.cfg:

    name = Eracom
    library = G:\Eracom\cryptoki.dll
    slot = 0
    attributes(*, CKO_PRIVATE_KEY, *) = {
    CKA_TOKEN = false
    CKA_SENSITIVE = false
    CKA_EXTRACTABLE = true
    CKA_DECRYPT = true
    CKA_SIGN = true
    CKA_SIGN_RECOVER = true
    CKA_UNWRAP = true
    }
    attributes(*, CKO_PUBLIC_KEY, *) = {
    CKA_ENCRYPT = true
    CKA_VERIFY = true
    CKA_VERIFY_RECOVER = true
    CKA_WRAP = true
    }

    I also ran my program without specifying any attributes in the configuration file, and also tried many other combinations, but in all cases (with or without attributes) only symmetric keys are loaded from the HSM. I am able to get all keys (symmetric and asymmetric) and certificates from the same HSM using the IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Aladdin etc.)

    Any help to resolve my problem would be highly appreciated.

    Thanks in advance.


  • RELEVANCY SCORE 3.22

    DB:3.22:Signed Applets Certificates Keystore a7


    In the docs of Java Plug-in 1.4.2: http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/control_panel.html#signed it is said that all certificates of signed applets which have been granted permissions for always are imported into certificate file jpicertsversion located in the user home/.java directory.

    But I suspect this is a bug in the doc, or that information is obsolete. I have imported several with the Java Plug-in GUI (Certificates Tab) and that file doesn't appear.

    Any idea of which is really the keystore for these certificates in 1.4.2_07 version?

    Thanks in advance,

    Chemi.

    DB:3.22:Signed Applets Certificates Keystore a7

    http://forum.java.sun.com/thread.jsp?forum=63thread=409341
    4th post explaining how to set up your own policy with your own keystore

  • RELEVANCY SCORE 3.22

    DB:3.22:Import Openssh Key Pair Rsa To Java Keystore dj


    Hello all,

    I wrote a program that uploads files via SCP and authentication is done via openssh keys in rsa format eg rsa_id rsa_id.pub. And I can't seem to find any information on how to import that key to the java keystore. Any help would be great.

    Thanks in advance,

    E

    DB:3.22:Import Openssh Key Pair Rsa To Java Keystore dj

    I don't really understand why you think you need to load the rsa_id and rsa_id.pub files into a keystore. I assume that you have used SCP over SSH and since SSH uses the two key files to secure the download I don't see that you have to do anything with them. If you have added some separate verification stage then it should be using its own key pair and not sharing with SSH.

    Having said that, the rsa_id file is in SSLeay format which contains both the private and the public key. Using openssl the private key can be extracted into PKCS8 format and the public key into X509 format. Check the openssl documentation for details. These can then be loaded into Java and added to a suitable keystore.

    There may be a more direct method by using the "not yet commons" Java openssl port. Google will find it.

  • RELEVANCY SCORE 3.22

    DB:3.22:Configuring Location Of Trust Store From Ao Dev Studio 9f



    Hi All,

    I have done the SSL implementation in AO Dev studio by following the steps given in the BMC run book automation guide. As per the default implementation, one can import the server certificate into the default keystore (cacerts) of the jdk and dev studio will pick the certificate from it.

    Now, I want to specify a different keystore for Dev studio to pick up the certificates from. Can

    DB:3.22:Configuring Location Of Trust Store From Ao Dev Studio 9f


    Thanks a lot Robin, for your quick reply this answered my query.

    Happy Holidays to you too!

    I hope I don't get stuck in any of the issues till you are back to assist

    Thanks again. Have fun!

    Regards,

    Annu

  • RELEVANCY SCORE 3.20

    DB:3.20:Windows Keystore Access In Java ? p1


    Hi,

    I'm making a java cryptographic applet to sign a file with a private key. I'm getting the private key (and its associated certificate) from JKS or P12 files.

    I would like now to get keys and certificates directly from the Windows KeyStore (Internet Explorer), but I don't know how to proceed.
    Does anybody have an idea ?

    I've found a library which seemed to do this : http://www.fawcette.com/javapro/2002_07/magazine/features/bboyter/default_pf.asp
    But the example application (EchoServer.java) doesn't work (EXCEPTION_ACCESS_VIOLATION).
    Could anyone who has used this library help me ?
    Is there any other library which makes the same thing ?
    Is there a way to do this without adding native instructions ?

    Thanks for your help,

    --
    P.F.

    DB:3.20:Windows Keystore Access In Java ? p1

    Hi,

    I'm trying to do the same thing as you, and I can't find any solution.
    Have you found a solution since last year?

    Best regards,
    Olivier.

  • RELEVANCY SCORE 3.19

    DB:3.19:Jre 1.6_03 Apparently Unable To Use Browser Keystore (Ie6). sm


    Fellow Java friends,

    My corporation's home users connect to the network using the Citrix' java client through Citrix Access Gateway (an SSL proxy).

    The SSL tunnel between the VPN box and the client machine is established using a public CA's certificate, but one which is not trusted by any of the included certificates in the JRE's 'cacerts' file. We therefore have to rely on the JRE's ability to access the client machine's browser keystore (IE6) which contains the proper root certificate.

    However, JRE 1.6_03 seems to be unable to take advantage of the root certificate placed in the browser keystore. (We have the same problem with 1.5 and 1.4).

    Each time a (Windows XP) client attempts to establish an SSL connection, JRE refuses as the root is not trusted.

    I have then tried importing the certificate into 'cacerts' using the keytool after which everything runs just fine. No SSL errors - so the certificate per se is working properly.

    I have verified that the following security setting of the JRE is enabled: 'Use certificates and keys in browser keystore'.

    Any ideas would be most welcome as it is most impractical in our scenario for us to be in a position where we have to customize each client's 'cacerts' file. The file is by default located in an ntfs protected file space on windows clients (%programfiles%) (which is the case for 98% of our user mass) where the user does not have write access. It will be much less problematic to deploy a .cer file containing the proper root certificate which the user may then add to the browser keystore.

    I realize an obvious option would be for us to switch to a CA directly supported in the native 'cacerts' file included in the JRE, but I figure since SUN decided to build in browser keystore support in JRE, it really ought to work.

    Thank you.

    Dryson
    Systems Administrator
    (not Java developer)

    DB:3.19:Jre 1.6_03 Apparently Unable To Use Browser Keystore (Ie6). sm

    We are also having the same problem and wanted to know if anyone had a solution for this.

    Using the Keytool does solve the problem but not feasible to do that to all the client machines all over the states.

    Dryson, did you have a solution?

    Thanks.

  • RELEVANCY SCORE 3.19

    DB:3.19:Can Rhq Monitor A Keystore And Alert On Certificates About To Expire? 17



    Can RHQ monitor a keystore and alert on certificates about to expire?

    DB:3.19:Can Rhq Monitor A Keystore And Alert On Certificates About To Expire? 17


    You would have to create your own plugin to do the monitoring. The easiest would be to create a simple 'script' plugin and call a shell script that does the expiration check or returns, say, the days left on a certificate. Then you would create an alert to check this value.

    The script plugin is documented here: https://docs.jboss.org/author/display/RHQ/Plugins+-+Script ... Obviously you would need some sort of wrapper script to run that would return the number of days remaining.

    If you're good at writing Java, I would probably go that route instead because all the logic would be packaged into one file.
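The Java route suggested above, as an added example that is not RHQ code or the poster's: it loads a keystore with the standard `java.security.KeyStore` API and prints the smallest number of days left on any certificate, which is the single value an alert can be defined on. The class name, the `KEYSTORE_PASS` environment variable and the 30-day default are assumptions; with no arguments it reads the JRE's own `cacerts` so it runs without any prepared file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example, not RHQ code: days left on every certificate in a keystore.
public class KeystoreExpiryCheck {

    /** Maps each alias to the whole days until its certificate expires (negative = expired). */
    static Map<String, Long> daysRemaining(Path keystore, char[] password, Instant now)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password); // with a null password a JKS file loads without the integrity check
        }
        Map<String, Long> days = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            // For a private-key entry this is the first certificate of its chain (the leaf).
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                Instant notAfter = ((X509Certificate) cert).getNotAfter().toInstant();
                days.put(alias, Duration.between(now, notAfter).toDays());
            }
        }
        return days;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JRE trust store and a 30-day warning threshold.
        Path keystore = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        long warnDays = args.length > 1 ? Long.parseLong(args[1]) : 30;

        // The password comes from the environment (hypothetical variable name)
        // so it does not show up in the process list.
        String pass = System.getenv("KEYSTORE_PASS");
        Map<String, Long> days =
                daysRemaining(keystore, pass == null ? null : pass.toCharArray(), Instant.now());

        long min = Long.MAX_VALUE;
        for (Map.Entry<String, Long> e : days.entrySet()) {
            if (e.getValue() < warnDays) {
                System.err.println("expiring: " + e.getKey() + " (" + e.getValue() + " days)");
            }
            min = Math.min(min, e.getValue());
        }
        if (days.isEmpty()) {
            System.err.println("no X.509 certificates found in " + keystore);
            System.exit(2);
        }
        // Single numeric value on stdout for the monitoring wrapper to read.
        System.out.println(min);
    }
}
```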

  • RELEVANCY SCORE 3.18

    DB:3.18:Weblogic 7.0 Ssl Certificate Issues z7



    Hi,
    I downloaded WL 7.0. I am trying to test SSL.

    1) I have generated a keystore=keys, (private key= wldefaultkeystore) using Sun's keytool
    2) Imported trusted.crt from the WebLogic 7.0 installation that is present in the mydomain directory.

    3) In the WebLogic console configuration, I pointed DefaultKeystore to keystore, privatekey to be wldefaultkeystore and Server Certificate file to be trusted.crt. (I also tried exporting keystore keys to a file named keystore.cer and configured Server Certificate file to keystore.cer)

    I get the following exception..

    Oct 2, 2002 3:35:17 PM PDT Critical WebLogicServer 000304 Attempting to use full strength (domestic) certificates without a full strength (domestic) license.
    Oct 2, 2002 3:35:17 PM PDT Alert WebLogicServer 000297 Inconsistent security configuration, java.lang.Exception: Attempting to use full strength (domestic) certificates without a full strength (domestic) license.
    java.lang.Exception: Attempting to use full strength (domestic) certificates without a full strength (domestic) license.
    at weblogic.t3.srvr.SSLListenThread.init(SSLListenThread.java:281)
    at weblogic.t3.srvr.SSLListenThread.init(SSLListenThread.java:122)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
    at weblogic.Server.main(Server.java:32)

    Is this a WebLogic licensing issue or an SSL configuration issue?
    I think it's a licensing issue. If so, how can I test SSL with keystores with the demo license of WL 7.0

    Thanks for any help
    -Suresh

    DB:3.18:Weblogic 7.0 Ssl Certificate Issues z7

    hi,

    pretty strange to have the same problem after almost 6 years :)

    i had the same problem, probably with keytool you generated
    a high encryption certificate, but your license just allows an exportable SSL that is less "secure"

    to fix the problem you have to upgrade your license.bea, or generate a certificate that is Exportable/SSL

    bye

  • RELEVANCY SCORE 3.18

    DB:3.18:Does Anyone Know How To Delete Certificates That Are Used For Vpn Connections? cf


    We issue certificates for the VPN client on the iPad and the certificates are placed in the KeyStore and now we want to delete those certificates. But when you create/edit a VPN profile we see certificates but have no way to delete them? Because of changes in our VPN infrastructure there are old certificates that are no longer valid but are being used for the VPN certificate. If anyone can provide some assistance on how to delete those certs that are part of a keystore, thank you in advance.


  • RELEVANCY SCORE 3.18

    DB:3.18:Keytool - Creating A Certificate Issued By '"Victor" ac


    I have the following scenario:
    One Server (Victor), 2 Clients: Alice and Bob. I have a project in mind which needs the following architecture.

    Victor acts as a CA for all Clients (only two at the moment)

    The clients need their own private and public key. I want the public key certified by Victor, so e.g. Alice can send Bob this Certificate.

    At the moment I have the following batch to create the 3 needed keystores:

    -----------------------
    REM @ECHO OFF

    echo Create RSA keys for Server (Victor)
    keytool -genkey -alias victor -keyalg RSA -dname "CN=victor" -keypass passwd -keystore keystore_victor -storepass passwd -storetype JCEKS

    echo Creating RSA keys for Clients (alice and bob)
    keytool -genkey -alias alice -keyalg RSA -dname "CN=alice" -keypass passwd -keystore keystore_alice -storepass passwd -storetype JCEKS
    keytool -genkey -alias bob -keyalg RSA -dname "CN=bob" -keypass passwd -keystore keystore_bob -storepass passwd -storetype JCEKS

    echo generating CSR for Clients
    keytool -certreq -keyalg RSA -alias alice -file alice.csr -keypass passwd -storetype JCEKS -keystore keystore_alice -storepass passwd
    keytool -certreq -keyalg RSA -alias bob -file bob.csr -keypass passwd -storetype JCEKS -keystore keystore_bob -storepass passwd

    echo copy the client certificates to keystore of server
    keytool -export -alias alice -file alice.cer -keystore keystore_alice -storepass passwd -storetype JCEKS
    keytool -export -alias bob -file bob.cer -keystore keystore_bob -storepass passwd -storetype JCEKS

    keytool -import -noprompt -alias alice -file alice.cer -keystore keystore_victor -storepass passwd -storetype JCEKS
    keytool -import -noprompt -alias bob -file bob.cer -keystore keystore_victor -storepass passwd -storetype JCEKS

    del alice.cer
    del bob.cer

    echo Copy Certificate from Victor to Alice and Bob
    keytool -export -alias victor -file victor.cer -keystore keystore_victor -storepass passwd -storetype JCEKS
    keytool -import -noprompt -alias victor -file victor.cer -keystore keystore_alice -storepass passwd -storetype JCEKS
    keytool -import -noprompt -alias victor -file victor.cer -keystore keystore_bob -storepass passwd -storetype JCEKS

    del victor.cer

    PAUSE
    ----------------------------

    But now the key pairs are all self signed and victor is only added as a trusted source. I also want a Certificate issued by Victor in my keystore.

    I hope it all makes sense for you guys (if not ask questions)

    Thanks
    Oliver

    DB:3.18:Keytool - Creating A Certificate Issued By '"Victor" ac

    If there isn't an available solution I'm willing to build it.

    I certainly would need some time but as I believe in my project I'm willing to invest it.

    You guys probably know the capability of the Java security implementation better than me:

    Is it possible to build a little CA, which is capable of issuing certificates?
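What this thread and the BouncyCastle key store thread further up both ask for, as an added example that is not code from either poster: a small CA (Victor) signs a client certificate, and each private key is stored with its chain in a PKCS12 keystore. It assumes BouncyCastle's bcprov and bcpkix jars on the classpath and a Java 8 or later runtime, and uses the builder API rather than the older X509V3CertificateGenerator; the class name, validity periods and password are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (hypothetical class, not from the thread): a minimal CA.
public class MiniCa {
    static final long DAY_MS = 24L * 60 * 60 * 1000;

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Builds a certificate for subjectKey and signs it with issuerKey. */
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey,
                                 X500Name subject, PublicKey subjectKey,
                                 boolean isCa, int days) throws Exception {
        long now = System.currentTimeMillis();
        Date notBefore = new Date(now - DAY_MS);          // one day back to tolerate clock skew
        Date notAfter = new Date(now + days * DAY_MS);
        // Random positive serial number, unique per issued certificate.
        BigInteger serial = new BigInteger(127, new SecureRandom()).add(BigInteger.ONE);

        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, subject, subjectKey);
        // Only the CA certificate may sign other certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(isCa
                ? KeyUsage.keyCertSign | KeyUsage.cRLSign
                : KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    /** PKCS12 keystore holding one private key with its chain (leaf first). */
    static KeyStore keyStoreFor(String alias, PrivateKey key, char[] password,
                                Certificate... chain) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                              // start with an empty store
        ks.setKeyEntry(alias, key, password, chain);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "example-only".toCharArray();   // constructed sample value
        X500Name victor = new X500Name("CN=victor");
        X500Name alice = new X500Name("CN=alice");

        // Victor: self-signed CA certificate (issuer == subject, signed with his own key).
        KeyPair caKeys = newRsaKeyPair();
        X509Certificate caCert = issue(victor, caKeys.getPrivate(),
                victor, caKeys.getPublic(), true, 3650);

        // Alice: her own key pair, certificate signed by Victor's private key.
        // In the thread's flow her public key would reach Victor inside alice.csr.
        KeyPair aliceKeys = newRsaKeyPair();
        X509Certificate aliceCert = issue(victor, caKeys.getPrivate(),
                alice, aliceKeys.getPublic(), false, 365);

        caCert.verify(caCert.getPublicKey());             // throws if a signature is wrong
        aliceCert.verify(caCert.getPublicKey());

        KeyStore victorStore = keyStoreFor("victor", caKeys.getPrivate(), password, caCert);
        KeyStore aliceStore = keyStoreFor("alice", aliceKeys.getPrivate(), password,
                aliceCert, caCert);
        aliceStore.setCertificateEntry("victor-ca", caCert); // Alice trusts Victor as CA

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        aliceStore.store(out, password);                  // a FileOutputStream works the same way
        System.out.println("alice issuer : " + aliceCert.getIssuerX500Principal());
        System.out.println("alice chain  : " + aliceStore.getCertificateChain("alice").length);
        System.out.println("victor chain : " + victorStore.getCertificateChain("victor").length);
        System.out.println("PKCS12 bytes : " + out.size());
    }
}
```

The chain passed to `setKeyEntry` has to start with the certificate whose public key matches the private key being stored, which is why a self-signed CA entry carries a chain of length one.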

  • RELEVANCY SCORE 3.18

    DB:3.18:Pgp Keyrings In Keystore sk



    Hello all,

    I have developed a SAP PI Module that encrypts and decrypts PGP messages. I deployed public and private keys inside the EAR file. However I would like to be able, for further maintenance, to store them in the SAP PI KeyStore. Do you think it is possible to store PGP Keyrings in the SAP PI Keystore? If yes, could you tell me how?

    Thanks in advance.

    Roger Allu i Vall

  • RELEVANCY SCORE 3.18

    DB:3.18:Ip-Ivr 8 With Https 89



    Hi to everybody

    I have a problem with https WebServices with a self-signed certificate.

    In NetBeans I have written a Java class, after which I added the certificate to the keystore. I send a SOAP Request message and receive a SOAP Response message

    It works fine. Then I uploaded my jar into IP-IVR, but I don't know how to add the self-signed certificate to the keystore of the JVM

    Any idea ??? Is it possible to do??

    In a Cisco document I have read

    "
    Typically, the UCCX Engine's keystore would be invoked when script steps such as Get URL Document are
    connected to a HTTPS target. The default Java keystore contained preinstalled root certificates from
    well-known third party Certificate Authorities (CA). But, since the default Java keystore was protected by
    Remote Support Account/root access, customers and partners were not able to upload certificates to the
    keystore for SSL targets with self-signed certificates or other certificate chains that required
    manually-populating the keystore with a certificate."

    I have IP-IVR 8.0.2

     

    thank you

    Fabio

    DB:3.18:Ip-Ivr 8 With Https 89


    Open a Support Case with Cisco TAC..this is the only way to get the cert in the java trust store in a supported means..

  • RELEVANCY SCORE 3.17

    DB:3.17:Ws-Security: Fail To Configure Keystore And Identity Certificates 1j


    Hi,

    This is my first question here!

    I want to set up a secure web service. Following the guide "Web Services Security Guide", I set up the keystore and Identity Certificates with a keystore that contains two certificates created by me, and I set the keys to be used for signature and encryption. I did not define any method for authentication.

    I deployed the application to the server (oc4j_extended_101350) and up to this point apparently everything went well.

    I created a web service proxy to test the web service with JDeveloper, but when I call the web service method the server responds with the error:

    java.rmi.ServerException:
    start fault message:
    Internal Server Error
    : End fault message
    at oracle.j2ee.ws.client.StreamingSender._raiseFault (StreamingSender.java: 571)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl (StreamingSender.java: 401)
    at oracle.j2ee.ws.client.StreamingSender._send (StreamingSender.java: 114)
    at clientmessageoc4jstda.proxy.runtime.MyWebService1SoapHttp_Stub.getHelloWorld (MyWebService1SoapHttp_Stub.java: 77)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.getHelloWorld (MyWebService1SoapHttpPortClient.java: 42)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.main (MyWebService1SoapHttpPortClient.java: 30)

    On the server the following error occurs:

    ERROR OWS-04005 error has occurred on port: () http://messagelevelsecurity/ MyWebService1SoapHttpPort: oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException.

    The client and server are not in the same directory.

    The class exposed by the web service is a simple Hello World.

    -----
    public class HelloWorld {
        public HelloWorld() {
        }

        public String getHelloWorld() {
            return "Hello World";
        }
    }
    -----

    Thanks in advance

    I apologize for my English

    DB:3.17:Ws-Security: Fail To Configure Keystore And Identity Certificates 1j

    I had to add : " outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");" to the client code and it started working !

  • RELEVANCY SCORE 3.17

    DB:3.17:How To Store Dsa/Rsa Keys For Digital Signature In A Ldap Keystore jf


    How to store DSA/RSA keys for digital signature in a LDAP keystore and then retrieve them for verification.

    I need to digitally sign a user id string ( example : "abc123" ), store the keys in a LDAP keystore and then retrieve the key from the LDAP keystore for verification.

    Any help is appreciated !

    Thanks


  • RELEVANCY SCORE 3.17

    DB:3.17:List All Trusted Cas/Certs sz


    Hi,

    is it possible to retrieve a list of all certificates/CAs that are stored as trusted in the current jvm instance (i.e. the default keystore)? Yes, I know how to use keytool and I know how to load a specific keystore and extract this piece of information. However, I need to know if a certificate has been imported into the default keystore without knowing its location.

    DB:3.17:List All Trusted Cas/Certs sz

    I found it out myself. http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#X509TrustManager gives the answer.
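The X509TrustManager approach the poster points to, written out as an added example that is not the poster's code: initialising a `TrustManagerFactory` with a null keystore makes JSSE resolve its default trust store on its own, so the file location never has to be known. The class and method names are assumptions; given a certificate file as argument it reports whether that certificate is a default trust anchor, otherwise it lists every anchor with its SHA-256 fingerprint.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): the CA certificates this JVM trusts by default.
public class DefaultTrustAnchors {

    /** Certificates accepted as issuers by the JVM's default trust manager. */
    static X509Certificate[] defaultTrustedIssuers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null = default trust store: the javax.net.ssl.trustStore property if set,
        // otherwise lib/security/jssecacerts if present, otherwise lib/security/cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("default TrustManagerFactory has no X509TrustManager");
    }

    /** True if exactly this certificate is one of the default trust anchors. */
    static boolean isTrustAnchor(X509Certificate candidate) throws Exception {
        for (X509Certificate ca : defaultTrustedIssuers()) {
            if (ca.equals(candidate)) {   // Certificate.equals compares the encoded form
                return true;
            }
        }
        return false;
    }

    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Argument: path to a DER or PEM encoded certificate to look up.
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(sha256Hex(cert) + "  "
                        + (isTrustAnchor(cert) ? "trusted by default" : "not a default trust anchor"));
            }
            return;
        }
        X509Certificate[] anchors = defaultTrustedIssuers();
        for (X509Certificate ca : anchors) {
            System.out.println(sha256Hex(ca) + "  " + ca.getSubjectX500Principal().getName());
        }
        System.out.println(anchors.length + " trust anchors");
    }
}
```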

  • RELEVANCY SCORE 3.17

    DB:3.17:Can An Applet Access The Browser's Keystore. jj


    I've read in the JDK 1.5 documentation that the Java Plug-in has access to the browser's keystore:

    http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

    Can my applet actually retrieve private keys from the browser's keystore? I know pre-1.5 that the only way to make this work was to write native OS code to bridge the gap between the browser's keystore and the applet. Since the plug-in now seems to have access to the browser's keystore, is there an API available to the applet allowing it to retrieve the contents of the browser's keystore? I want to use the private keys stored in the browser to sign documents in an applet: ask user to pick a certificate, ask for a password, retrieve private key, sign document, upload signed document to the server. Right now my implementation requires the user to provide a path to a .p12 file.

    DB:3.17:Can An Applet Access The Browser's Keystore. jj

    I've read in the JDK 1.5 documentation that the Java Plug-in has access to the browser's keystore:

    http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

    Can my applet actually retrieve private keys from the browser's keystore? I know pre-1.5 that the only way to make this work was to write native OS code to bridge the gap between the browser's keystore and the applet. Since the plug-in now seems to have access to the browser's keystore, is there an API available to the applet allowing it to retrieve the contents of the browser's keystore? I want to use the private keys stored in the browser to sign documents in an applet: ask user to pick a certificate, ask for a password, retrieve private key, sign document, upload signed document to the server. Right now my implementation requires the user to provide a path to a .p12 file.

    reinstall applets

  • RELEVANCY SCORE 3.17

    DB:3.17:Error In Testing The Webservice From Wsnavigator mm


    Hi All,

    We are calling a third-party (client) webservice and the communication is secured using SSL using certificates. When we tried to call the webservice from WS Navigator, it threw the error below.

    Invalid transport binding settings
    A keystore view with null alias do not exists!

    Do we need to import the client-provided SSL certificates into the KeyStore and test it from WSNavigator? Please provide your inputs to resolve the issue.

    Thanks,
    Ram

    DB:3.17:Error In Testing The Webservice From Wsnavigator mm

    I'm able to use the wsnavigator and I can successfully consume unsecured services or basic ones. I have the issue on X509 cert ones. I'm already using SOAMANAGER, unsuccessfully. And I'm using a CRM 7.0 EHP2 and PO 7.4 single stack Java.

    Regards

  • RELEVANCY SCORE 3.17

    DB:3.17:Storing Secret Keys In Jceks Keystore kk


    Hi all,

    Is there any tool available that helps
    administrate the generation and storing
    of secret(symmetric) keys in a JCE keystore.

    thanks

    anand

    DB:3.17:Storing Secret Keys In Jceks Keystore kk

    Unfortunately not... The JCEKS keystore impl requires either a PrivateKey or an EncryptedPrivateKeyInfo byte array be passed in so that it can recover the key data on getKey().. This obviates any real capability to store SecretKeys (Symmetric Keys)...

    You will have to create your own keystore to do that. I am not aware of any third party keystores that solve your problem either....
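
    For the question in this thread, an added example that is not part of the original posts: it stores an AES key in a JCEKS keystore through the standard KeyStore.SecretKeyEntry API (present since Java 5) and reads it back, keeping the store in memory so it runs without touching disk. The class name, alias and passwords are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksSecretKeyDemo {   // hypothetical class name
    /** Puts one secret key into a new JCEKS keystore and returns the serialized store. */
    static byte[] storeKey(SecretKey key, String alias, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // null stream = start with an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(keyPass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass); // storePass protects the integrity of the whole store
        return out.toByteArray();
    }

    /** Reloads the store (integrity-checked with storePass) and recovers the key. */
    static SecretKey loadKey(byte[] store, String alias, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), storePass);
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(keyPass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo passwords; real ones must not live in source code.
        char[] storePass = "demo-store-pass".toCharArray();
        char[] keyPass = "demo-key-pass".toCharArray();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] store = storeKey(key, "aes-demo", storePass, keyPass);
        SecretKey restored = loadKey(store, "aes-demo", storePass, keyPass);
        System.out.println("same key: " + Arrays.equals(key.getEncoded(), restored.getEncoded()));
        try {
            loadKey(store, "aes-demo", "wrong".toCharArray(), keyPass);
        } catch (IOException e) { // a failed integrity check surfaces as IOException
            System.out.println("wrong store password rejected: " + e.getMessage());
        }
    }
}
```

    On the command line, keytool's -genseckey option with -storetype JCEKS creates the same kind of entry.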

  • RELEVANCY SCORE 3.16

    DB:3.16:Signed Applets Certificates Keystore 1a


    In the docs of Java Plug-in 1.4.2: http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/control_panel.html#signed it is said that all certificates of signed applets which have been granted permissions for always are imported into certificate file jpicertsversion located in the user home/.java directory.

    But I suspect this is a bug in the doc, or that information is obsolete. I have imported with Java Plug-in GUI (Certificates Tab) several ones and that file doesn't appear.

    Any idea of which is really the keystore for these certificates in 1.4.2_07 version?

    Thanks in advance,

    Chemi.

  • RELEVANCY SCORE 3.16

    DB:3.16:Error In Getting Private Key From Keystore zd


    Hi,

    I am using JKS java keystore. I have successfully added two private keys and associated certificates into the keystore. When I try to access my first private key using the method keystore.getKey(alias,password) I get the key successfully, but when I try to access the second key by using the same method, I get the following exception:

    java.security.UnrecoverableKeyException: excess private key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:314)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
    at java.security.KeyStore.getKey(KeyStore.java:250)

    Any ideas to fix this problem?

    Regards
    YK

    DB:3.16:Error In Getting Private Key From Keystore zd

    Hi there,

    my reply comes quite late, but might be of interest for people facing the same problem.

    I also just couldn't get a certain .pfx private/public keypair into my .jks keystore (while others worked just fine). First, the CA root cert had a 4096bit RSA-key, hence unsupported by Sun's crypto-provider - but I had 4096bit RSA-implementations available from other vendors.

    As it has been pointed out, there seems to be an issue with Sun's keystore implementation, and it can be circumvented by using third party implementations like IAIK or BouncyCastle.

    Still I had to import it into a Sun keystore because of backward compatibility. I finally managed to do so by splitting up the import into several steps: first, import the private key only to your .jks (without the cert chain), then import the cert chain, and finally merge them together again programmatically and store the resulting key to your keystore.

    Kind regards,
    Arno Huetter

  • RELEVANCY SCORE 3.16

    DB:3.16:Keystore Creation And Loading Through Code dj


    Question n.1: How can I create a keystore with a public/private keys pair programmatically?
    Question n.2: How can I load the private and public key contained in an existing keystore programmatically?

    DB:3.16:Keystore Creation And Loading Through Code dj

    http://java.sun.com/javase/6/docs/api/java/security/KeyStore.html