Re: JDBC with SSL - Mailing list pgsql-jdbc

From Bruno Harbulot
Subject Re: JDBC with SSL
Msg-id 4EDF9403.9060400@distributedmatter.net
In response to Re: JDBC with SSL  (Craig Ringer <ringerc@ringerc.id.au>)
Responses Re: JDBC with SSL
List pgsql-jdbc
On 07/12/2011 05:06, Craig Ringer wrote:
> On 07/12/11 03:43, Walter Hurry wrote:
>> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>>
>>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>>> -------------------------------------------------------------
>>>> $ java -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>>        -Djavax.net.ssl.keyStorePassword=changeit \
>>>>        -Djavax.net.ssl.keyStoreType="jks" \
>>>>
>>> I thought you could only use a JCEKS store when including private keys?
>> Sorry, I'm pretty new to all this. What is a JCEKS store? Does it mean I
>> have the keyStoreType wrong?
>
> JKS and JCEKS are two different key store formats. Keytool understands
> both. If my memory serves, JCEKS is the encrypted keystore format,
> intended for storing private key data. I think you can use JCEKS for
> both certificate and key data, but you can use JKS only for certificate
> data, NOT for key data.

You can store certificates and/or private keys in both JKS and JCEKS.

PKCS12 is somewhat different in that, to store a certificate (or a
certificate chain), it requires there to be a private key associated
with this certificate. Java isn't the only implementation with this
limitation, but I must admit I can't remember what the PKCS#12
specification itself says about it.


More details on JKS/JCEKS, from:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation

> "jceks" is an alternate proprietary keystore format to "jks" that uses much stronger encryption in the form of
> Password-Based Encryption with Triple-DES.

The default keystore type with the Oracle security provider is JKS; you
can check this using KeyStore.getDefaultType().


If your initial key and certs were in PEM format (as used by psql), it
might be easier to build a PKCS#12 store with OpenSSL:

    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercreds.p12


You can then use it with KeyStore type "PKCS12" (no #) from Java directly.
You could also convert this PKCS#12 file into a JKS/JCEKS keystore using
keytool and its -importkeystore option (only in Java 6+).


Best wishes,

Bruno.
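The following is an added example, not code from the thread or from the PostgreSQL JDBC project. It does in Java what the thread describes by hand: it prints `KeyStore.getDefaultType()`, loads the PKCS#12 file produced by the `openssl pkcs12 -export` command above, lists each entry as either a private-key entry or a trusted-certificate entry (a store with no private-key entry will never present a client certificate, however the `javax.net.ssl.keyStore*` properties are set), and optionally copies the entries into a store of another type, which is what `keytool -importkeystore` does. The file names, the password `changeit`, the class name and the command-line arguments are assumptions for illustration; the code needs Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not from the thread). Inspect a keystore the way the JVM
 * sees it when it is named in javax.net.ssl.keyStore, and optionally copy
 * its entries into a store of another type (e.g. PKCS12 -> JKS).
 *
 * Usage (file names and password are assumed values):
 *   java KeyStoreInspect usercreds.p12 PKCS12 changeit
 *   java KeyStoreInspect usercreds.p12 PKCS12 changeit clientstore JKS
 */
public class KeyStoreInspect {

    /** Load a keystore of the given type ("PKCS12", "JKS", "JCEKS") from disk. */
    static KeyStore load(String file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Print every entry; return true if the store holds at least one private key. */
    static boolean report(KeyStore ks) throws Exception {
        boolean hasPrivateKey = false;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            // getCertificate() is null for secret-key entries, which JCEKS can also hold
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "(no certificate)"
                                          : cert.getSubjectX500Principal().getName();
            if (ks.isKeyEntry(alias)) {
                hasPrivateKey = true;
                System.out.println("key entry     " + alias + "  " + subject);
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println("trusted cert  " + alias + "  " + subject);
            }
        }
        if (!hasPrivateKey) {
            System.out.println("No private key entry: usable as javax.net.ssl.trustStore, "
                    + "but not as javax.net.ssl.keyStore for client-certificate authentication.");
        }
        return hasPrivateKey;
    }

    /** Copy all entries into a new store of another type, as keytool -importkeystore does. */
    static void convert(KeyStore src, char[] password, String outFile, String outType)
            throws Exception {
        KeyStore dst = KeyStore.getInstance(outType);
        dst.load(null, null); // start from an empty store
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                // openssl pkcs12 -export protects the key with the same password as the store
                Key key = src.getKey(alias, password);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, password, chain);
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream(outFile)) {
            dst.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 && args.length != 5) {
            System.err.println("usage: KeyStoreInspect <file> <type> <password> [<out-file> <out-type>]");
            System.exit(2);
        }
        // JKS with the Oracle/OpenJDK provider up to Java 8; PKCS12 from Java 9 onwards
        System.out.println("KeyStore.getDefaultType() = " + KeyStore.getDefaultType());
        char[] password = args[2].toCharArray();
        KeyStore ks = load(args[0], args[1], password);
        report(ks);
        if (args.length == 5) {
            convert(ks, password, args[3], args[4]);
            System.out.println("wrote " + args[4] + " store to " + args[3]);
        }
    }
}
```

Run the three-argument form against the `.p12` file before pointing `-Djavax.net.ssl.keyStore` at it: a "key entry" line confirms the private key is really inside the store, while a store listing only "trusted cert" entries belongs in `javax.net.ssl.trustStore` instead. The conversion step is only needed when the target type must be JKS or JCEKS; Java 8 and later can also hold trusted-certificate entries in a PKCS12 store, and Java 9 made PKCS12 the default type, so on current JVMs the `.p12` file can usually be used as-is with `keyStoreType=PKCS12`.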
