2

I have a remote web service which is secured with an X.509 certificate.
I generated the web-service client stuff (using jax-ws) but need to configure it for the certificate's usage.
How should I proceed?
I guess I should register the certificate in my local trusted keystore and then set something like this:

```java
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
```

But it is not clear which data should be provided as the parameters.
Please do help.
Thanks.

kardanov

1 Answer

3

The keystore properties define the certificate that identifies you to the server:

```java
System.setProperty("javax.net.ssl.keyStore", keyStore);
```

This is a Java keystore with your x509 certificate. You may create it using the Java program keytool.

```java
System.setProperty("javax.net.ssl.trustStore", trustStore);
```

This is a Java keystore with the certificate(s) that identify the web site. This is only used by your web service software to ensure that you are really talking to the correct web site.

```java
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
```

This just specifies that the format of the javax.net.ssl.keyStore and javax.net.ssl.trustStore is Java keystore.

```java
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
```

This is the password that was used to encrypt the Java keystore when it was created.

sstendal
  • 1
    Just to add to what @sstendal says, trustStore and keystore are physical files which contain your trusted certificates and private keys respectively. Your keystore should ideally contain your private keys and the certificates should go in your truststore. You need the root certification authority's (CA - the entity who endorses the server certificate; e.g. Verisign) certificate in your truststore for the SSL handshake to complete. – Drona Nov 12 '11 at 14:20
  • Thank you @sstendal for your answer. The things you described are pretty clear now. Can you also point me to some instruction how to organize the entire procedure since all I have is just a certificate in such format: `MIICGDCCAYWgAwIBAgIQMYx/1mo3y4RDkMC7Pf6tITAJBgUrDgMCHQUAMCIxIDAeBgNVBAMTF1JhZGlvT3B0IERldmVsb3B......` I mean, what should I add to keystore? Should I add it to both keystore and truststore if I just want to call remote WS? – kardanov Nov 14 '11 at 10:08
  • It looks like you have a base64 encoded certificate. You can create a pem-file by following the instructions here: http://www.herongyang.com/Cryptography/Certificate-Format-PEM-on-Certificates.html. Then you should import it into a keystore by using keytool as explained here: http://www.herongyang.com/Cryptography/Certificate-Format-keytool-Import-in-DER-and-PEM.html. – sstendal Nov 14 '11 at 21:04
  • One more comment, you should add your own private certificate to the keystore. The truststore should contain the certificate that is owned by the party that also owns the web service. – sstendal Nov 14 '11 at 21:05
  • Thank you @sstendal. So do I understand correctly that if I just want to access some WS protected with a certificate, I should just add this certificate to my truststore the way described above? And then in Java code I need just to set up the truststore and forget about the keystore? – kardanov Nov 15 '11 at 08:00
  • That's correct. If you don't have a private certificate then it is enough to add the server's certificate to a truststore and set the javax.net.ssl.trustStore to point to that truststore file. – sstendal Nov 15 '11 at 19:31
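
The trust-only setup the comments arrive at, as an added example that is not part of the original question, answer or comments: it reads the server certificate from a file (PEM, or the bare base64 body shown in the question's follow-up), puts it in an in-memory truststore, and installs a socket factory built from it instead of setting JVM-wide system properties. The class name `TrustOnlyClient`, the alias `ws-server` and the file-path argument are assumptions, as is a JAX-WS runtime that opens its connections through `HttpsURLConnection`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustOnlyClient {  // hypothetical class name

    // Accepts a PEM file or a bare base64 body; assumes the file holds exactly one certificate.
    static X509Certificate readCertificate(String path) throws Exception {
        String text = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String body = text.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "");
        byte[] der = Base64.getMimeDecoder().decode(body);  // MIME decoder skips line breaks
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    // Builds an SSLContext whose truststore contains only the given certificate.
    static SSLContext trustOnly(X509Certificate serverCert) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                              // empty, in memory
        trustStore.setCertificateEntry("ws-server", serverCert);  // alias is arbitrary
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no key managers: no client certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustOnlyClient <certificate-file>");
            return;
        }
        X509Certificate cert = readCertificate(args[0]);
        cert.checkValidity();  // throws if the certificate is expired or not yet valid
        System.out.println("Trusting: " + cert.getSubjectX500Principal());
        // Assumption: the JAX-WS runtime connects through HttpsURLConnection.
        HttpsURLConnection.setDefaultSSLSocketFactory(trustOnly(cert).getSocketFactory());
        // Create the generated JAX-WS service and port after this point.
    }
}
```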