Chapter 4

Section 4.2

Operating SSL

KeyStores and TrustStores

4.2 KeyStores and TrustStores

As depicted in Figure 8, JSSE makes use of files called KeyStores and TrustStores. The KeyStore is used by the eWay for client authentication, while the TrustStore is used to authenticate a server in SSL authentication.

• A KeyStore consists of a database containing a private key and an associated certificate, or an associated certificate chain. The certificate chain consists of the client certificate and one or more certification authority (CA) certificates.

• A TrustStore contains only the certificates trusted by the client (a “trust” store). These certificates are CA root certificates, that is, self-signed certificates. The installation of the Logical Host includes a TrustStore file named cacerts.jks in the location:

<c:\JavaCAPS>\logicalhost\is\domains\<MyDomain>\config

where <c:\JavaCAPS> is the directory where the Sun Java Composite Application Platform Suite is installed and <MyDomain> is the name of your domain. This file is recommended as the TrustStore for the HTTPS eWay.

Both KeyStores and TrustStores are managed by means of a utility called keytool, which is a part of the Java SDK installation.
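The two store types above differ only in the kind of entries they hold, and the JKS container that keytool writes by default makes that concrete. The following is an added example, not code from this guide or from Sun's keytool: a small Python reader and writer for the JKS format. The format constants (magic 0xFEEDFEED, version 2, entry tags 1 and 2, and the fixed string mixed into the integrity digest) are those of JKS itself; the function names and the certificate and key bytes used with them are this example's own constructed placeholders, not real DER structures. It shows that a store holding only trusted-certificate entries is a TrustStore, that a store with a private-key entry plus its chain is a KeyStore, and that the store password protects integrity only.

```python
"""Minimal reader/writer for the JKS container that keytool produces.

Added example; not code from the HTTPS eWay guide or from Sun's keytool.
Certificate and key bytes used with it are constructed placeholders.
"""
import hashlib
import hmac
import struct
import time

MAGIC, VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY = 1   # keytool PrivateKeyEntry: key plus chain, what a KeyStore holds
TAG_TRUSTED_CERT = 2  # keytool trustedCertEntry: all a TrustStore needs
DIGEST_SUFFIX = b"Mighty Aphrodite"  # fixed string JKS mixes into its SHA-1 digest


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length, then UTF-8."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (UTF-16BE) + fixed suffix + everything before the digest."""
    return hashlib.sha1(password.encode("utf-16be") + DIGEST_SUFFIX + body).digest()


def build_jks(entries, password: str) -> bytes:
    """entries: {'alias','tag','cert'} for tag 2, {'alias','tag','key','chain'} for tag 1."""
    out = struct.pack(">III", MAGIC, VERSION, len(entries))
    stamp = int(time.time() * 1000)
    for e in entries:
        out += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">Q", stamp)
        if e["tag"] == TAG_TRUSTED_CERT:
            out += _utf("X.509") + struct.pack(">I", len(e["cert"])) + e["cert"]
        else:
            out += struct.pack(">I", len(e["key"])) + e["key"] + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return out + _digest(password, out)


def parse_jks(data: bytes, password: str) -> dict:
    """Walk the entries and check the keyed digest.

    The entries parse whatever password is given: in JKS the password protects
    integrity, not confidentiality, so TrustStore certificates are readable by
    anyone who can read the file. Only integrity_ok depends on the password.
    """
    body, digest = data[:-20], data[-20:]
    integrity_ok = hmac.compare_digest(_digest(password, body), digest)
    pos = 0

    def take(fmt):  # unpack fixed-size fields at the cursor
        nonlocal pos
        values = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return values

    def take_bytes(length_fmt):  # length-prefixed field: ">H" for UTF strings, ">I" for blobs
        nonlocal pos
        (n,) = take(length_fmt)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    magic, version, count = take(">III")
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS version 2 store")
    entries = []
    for _ in range(count):
        (tag,) = take(">I")
        alias = take_bytes(">H").decode("utf-8")
        take(">Q")  # creation timestamp, not needed here
        if tag == TAG_TRUSTED_CERT:
            take_bytes(">H")  # certificate type, "X.509" from keytool
            entries.append({"alias": alias, "tag": tag, "certs": [take_bytes(">I")]})
        elif tag == TAG_PRIVATE_KEY:
            key = take_bytes(">I")  # EncryptedPrivateKeyInfo in a real store
            (chain_len,) = take(">I")
            chain = []
            for _ in range(chain_len):
                take_bytes(">H")
                chain.append(take_bytes(">I"))
            entries.append({"alias": alias, "tag": tag, "key_len": len(key), "certs": chain})
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    # A store with only trusted-certificate entries is what the guide calls a TrustStore.
    kind = "keystore" if any(e["tag"] == TAG_PRIVATE_KEY for e in entries) else "truststore"
    return {"entries": entries, "integrity_ok": integrity_ok, "kind": kind}
```

Running parse_jks on the same file with the wrong password yields the same entry list with integrity_ok set to False, which is the practical point for a TrustStore such as cacerts.jks: its password lets JSSE detect tampering but does not hide the roots, and anyone who can write the file and knows the password can add a CA. File permissions on the TrustStore therefore matter at least as much as the password.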

4.2.1 Generating a KeyStore and TrustStore

This section explains how to create both a KeyStore and a TrustStore (or import a certificate into an existing TrustStore, such as the default Logical Host TrustStore in the location:

<c:\JavaCAPS>\logicalhost\is\domains\<MyDomain>\config\cacerts.jks

where <c:\JavaCAPS> is the directory where the Sun Java Composite Application Platform Suite is installed and <MyDomain> is the name of your domain). The primary tool used is keytool, but openssl is also used as a reference for generating pkcs12 KeyStores.

For more information on openssl, and available downloads, visit the following Web site:

http://www.openssl.org.

4.2.2 KeyStores

This section explains how to use KeyStores.

Creating a KeyStore in JKS Format

This section explains how to create a KeyStore using the JKS format as the database format for both the private key and the associated certificate or certificate chain. By default, as specified in the java.security file, keytool uses JKS as the format of the key and certificate databases (KeyStores and TrustStores). A CA must sign the certificate

HTTPS eWay Adapter User’s Guide

29

Sun Microsystems, Inc.
