Re: JDBC with SSL
From | Bruno Harbulot |
---|---|
Subject | Re: JDBC with SSL |
Date | |
Msg-id | 4EDF9403.9060400@distributedmatter.net |
In reply to | Re: JDBC with SSL (Craig Ringer <ringerc@ringerc.id.au>) |
Responses | Re: JDBC with SSL |
List | pgsql-jdbc |
On 07/12/2011 05:06, Craig Ringer wrote:
> On 07/12/11 03:43, Walter Hurry wrote:
>> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>>
>>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>>> ------------------------------------------------------------- $ java
>>>> -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>> -Djavax.net.ssl.keyStorePassword=changeit \
>>>> -Djavax.net.ssl.keyStoreType="jks" \
>>>>
>>> I thought you could only use a JECKS store when including private keys?
>> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean I
>> have the keyStoreType wrong?
>
> JKS and JECKS are two different key store formats. Keytool understands
> both. If my memory serves, JECKS is the encrypted keystore format,
> intended for storing private key data. I think you can use JECKS for
> both certificate and key data, but you can use JKS only for certificate
> data, NOT for key data.

You can store certificates and/or private keys in both JKS and JECKS.

PKCS12 is somewhat different in that, to store a certificate (or a certificate chain), it requires there to be a private key associated with this certificate. Java isn't the only implementation with this limitation, but I must admit I can't remember what the PKCS#12 specification itself says about it.

More details on JKS/JECKS, from:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation

> "jceks" is an alternate proprietary keystore format to "jks" that uses much stronger encryption in the form of Password-Based Encryption with Triple-DES.

The default keystore type with the Oracle security provider is JKS; you can check this using KeyStore.getDefaultType().

If your initial key and certs were in PEM format (as used by psql), it might be easier to build a PKCS#12 store with OpenSSL:

    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercreds.p12

You can then use it with KeyStore type "PKCS12" (no #) from Java directly.

You could also convert this PKCS#12 file into a JKS/JECKS keystore using keytool and its -importstore options (only in Java 6+).

Best wishes,

Bruno.
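Added example, not part of the original message: the PEM to PKCS#12 conversion described above, followed by two checks that the resulting store opens with its password and that the stored private key belongs to the certificate. The throwaway self-signed credentials, the `demo-user` name, the `changeit` password and the `build_and_check_p12` function are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Build a PKCS#12 client store from PEM files and verify its contents.
set -eu

build_and_check_p12() {
    local dir="$1" pass="$2"

    # Constructed sample input: a self-signed key and certificate standing
    # in for the real client credentials, valid for one day.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
        -keyout "$dir/userkey.pem" -out "$dir/usercert.pem" 2>/dev/null
    chmod 600 "$dir/userkey.pem"

    # The conversion from the message, with the export password supplied
    # non-interactively. "pass:" exposes the password in the process list;
    # "env:VAR" or "file:path" avoid that on shared hosts.
    # -name sets the friendly name, which Java shows as the entry alias.
    openssl pkcs12 -export -in "$dir/usercert.pem" -inkey "$dir/userkey.pem" \
        -name demo-user -passout "pass:$pass" -out "$dir/usercreds.p12"
    chmod 600 "$dir/usercreds.p12"

    # Check 1: the store opens with the password and holds one certificate.
    local certs
    certs=$(openssl pkcs12 -in "$dir/usercreds.p12" -passin "pass:$pass" \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')

    # Check 2: the public key derived from the stored private key equals
    # the public key in the certificate, so the pair really belongs together.
    local from_key from_cert
    from_key=$(openssl pkcs12 -in "$dir/usercreds.p12" -passin "pass:$pass" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey)

    [ "$certs" -eq 1 ] && [ "$from_key" = "$from_cert" ]
}

# Stand-alone run in a scratch directory that is removed on exit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
build_and_check_p12 "$tmp" changeit && echo "usercreds.p12 verified"
```

A store that passes both checks is then referenced from the JVM with the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` properties quoted earlier in the thread, with `javax.net.ssl.keyStoreType` set to `PKCS12`.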