sslconfig for Java IceSSL?

Hi,

My server application (written in Java) is to authenticate client connections made via IceSSL. But as there is more than one client, I find the "default" approach:
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.Client.Keystore=cpriv.jks
IceSSL.Client.Password=password
IceSSL.Client.Certs=spub.jks
IceSSL.Server.Keystore=spriv.jks
IceSSL.Server.Password=password
rather insufficient. Is it possible to point to a CA common to the server and clients in IceSSL for Java, as is possible in IceSSL for C++ via sslconfig.xml?

Thanks in advance.

Best,
Jakub Dziwisz.

Comments

  • benoit (Rennes, France)
    Welcome to the forums! Before we can answer your question, could you please set your signature as described in this thread (thread 1697)?

    Thanks!

    Benoit.
  • Benoit,
    I hope that now my sig is ok, TIA for your reply,
    best,
    Jakub
  • mes (California)
    Hi Jakub,

    IceSSL for Java is limited to the SSL capabilities offered by JDK 1.5. Can you be more specific about what you'd like to do?

    Take care,
    - Mark
  • Mark,

    thank you for your fast reply!

    I'd like to allow clients whose certificates are signed by a specified CA to access the server. Of course, each client should have a different certificate.

    From what I understand it's quite straightforward in IceSSL for C++, but in IceSSL for Java I have to specify on the server side both the server and client certificates. Moreover, I have to know the client's password. Therefore I cannot allow a group of clients to authorize to the server. Am I correct?

    Regards,
    Jakub.
  • mes (California)
    dziwisz wrote:
    > From what I understand it's quite straightforward in IceSSL for C++, but in IceSSL for Java I have to specify on the server side both the server and client certificates. Moreover, I have to know the client's password. Therefore I cannot allow a group of clients to authorize to the server. Am I correct?

    No, the server does not need to know the client's certificate and password. Don't be confused by the fact that, in the Ice examples, the client and server share the same configuration file; that is done simply for convenience.

    If you configure the server to request a certificate from the client, then the server must be able to verify that certificate, which means the server needs to trust the certificate of the CA that signed the client's certificate. You would need to add the CA certificate to the server's certificate store (specified by the IceSSL.Server.Certs property).

    Hope that helps,
    - Mark
  • mes wrote:
    > No, the server does not need to know the client's certificate and password. Don't be confused by the fact that, in the Ice examples, the client and server share the same configuration file; that is done simply for convenience.
    >
    > If you configure the server to request a certificate from the client, then the server must be able to verify that certificate, which means the server needs to trust the certificate of the CA that signed the client's certificate. You would need to add the CA certificate to the server's certificate store (specified by the IceSSL.Server.Certs property).

    Thanks a lot, I should have read the manual more carefully...
    Regards,
    Jakub
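
The setup described in Mark's answer, as an added example that is not part of the original thread or of the Ice distribution: one CA certificate in the server's trust store admits any number of distinct client certificates and rejects a certificate the CA did not sign. The names (alice, bob, mallory), subjects, file names and the password are constructed placeholders; openssl stands in for whatever CA tooling is in use, and keytool builds the store that IceSSL.Server.Certs would point at.

```shell
#!/bin/sh
# Added example; every name, subject, file name and password is a placeholder.
set -e
cd "$(mktemp -d)"

# One CA for all clients. Only ca.pem (never ca.key) is given to the server.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Client CA" -keyout ca.key -out ca.pem 2>/dev/null
}

# Each client gets its own key pair and a certificate signed by the CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 30 -out "$1.pem" 2>/dev/null
}

# A certificate the CA did not sign, for the negative case.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA: the same decision the
# server makes from its trust store when it requests a client certificate.
chains_to_ca() {
    openssl verify -CAfile ca.pem "$1.pem" 2>/dev/null | grep -q ': OK$'
}

# Trust store holding the CA certificate only: no client certificates,
# no client private keys, no client passwords.
build_truststore() {
    keytool -importcert -noprompt -alias clientca -file ca.pem \
        -storetype JKS -keystore server-certs.jks -storepass password
}

make_ca
issue_client alice
issue_client bob
self_signed mallory
for c in alice bob mallory; do
    if chains_to_ca "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
# keytool ships with the JDK; skip the JKS step when it is not on PATH.
if command -v keytool >/dev/null 2>&1; then build_truststore; fi
```

Adding a further client means issuing one more certificate from the CA; server-certs.jks does not change.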