Thread: Client Certificate Authentication

Client Certificate Authentication

From
"Gabriel E. Sánchez Martínez"
Date:
I have a PostgreSQL database on a server.  For security reasons, all
client access from outside the server is restricted to certificate mode,
i.e. the client sends SSL certificates rather than a password.
Connecting with pgAdmin works well.  Is there a way of creating a Java
application that connects to this database with certificates?  Any
how-to guides, examples, or pointers on how to achieve this?

Thanks in advance.

-Gabriel


Re: Client Certificate Authentication

From
Dave Cramer
Date:
To my knowledge this has not been implemented.

Dave Cramer

dave.cramer(at)credativ(dot)ca
http://www.credativ.ca


On Fri, Mar 15, 2013 at 1:21 PM, "Gabriel E. Sánchez Martínez" <gabrielesanchez@gmail.com> wrote:
> I have a PostgreSQL database on a server.  For security reasons, all client access from outside the server is restricted to certificate mode, i.e. the client sends SSL certificates rather than a password.  Connecting with pgAdmin works well.  Is there a way of creating a Java application that connects to this database with certificates?  Any how-to guides, examples, or pointers on how to achieve this?
>
> Thanks in advance.
>
> -Gabriel


--
Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-jdbc

Re: Client Certificate Authentication

From
Heikki Linnakangas
Date:
On 15.03.2013 20:32, Dave Cramer wrote:
> To my knowledge this has not been implemented.

I haven't tried it myself, but I think it should work if you get all the
t's crossed and i's dotted. See
http://www.postgresql.org/message-id/4C0712E6.1050002@postnewspapers.com.au,
for example.

- Heikki


Re: Client Certificate Authentication

From
Ian Pilcher
Date:
On 03/15/2013 01:32 PM, Dave Cramer wrote:
> To my knowledge this has not been implemented.

It should be possible with a custom SSLSocketFactory.  See
http://jdbc.postgresql.org/documentation/head/ssl-factory.html.

(You'll need to load your client into a KeyStore, pass that KeyStore to
SSLContext.init(), and use that context to create your factories.)

HTH

--
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
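The factory Ian describes, written out as an added example (this is not code from the thread or from the pgjdbc project). It assumes: the class name ClientCertSslFactory; that the String pgjdbc passes via sslfactoryarg is the path of a Java properties file with the keys keyStore, keyStorePassword, trustStore, trustStorePassword (and optional keyStoreType/trustStoreType); the file paths, role name "gabriel" and host db.example.com used in main(); a driver new enough to accept sslmode (older drivers take only ssl=true plus sslfactory); and a PostgreSQL 9.5 or later server for the pg_stat_ssl check. The truststore deliberately holds only the private CA that signed the server certificate, so a certificate for the same host name issued by any public CA is rejected.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * SSLSocketFactory for pgjdbc that presents a client certificate and trusts only a private CA.
 * pgjdbc requires a no-arg or single-String constructor; the String (sslfactoryarg) is assumed
 * here to be the path of a properties file (assumed key names):
 *   keyStore=/etc/myapp/client.p12        keyStorePassword=...   [keyStoreType=PKCS12]
 *   trustStore=/etc/myapp/truststore.jks  trustStorePassword=... [trustStoreType=JKS]
 */
public class ClientCertSslFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public ClientCertSslFactory(String configPath) throws IOException, GeneralSecurityException {
        Properties cfg = new Properties();
        try (InputStream in = new FileInputStream(configPath)) {
            cfg.load(in);
        }
        // Key manager: the client's private key plus certificate chain (normally a PKCS#12 file).
        char[] ksPass = require(cfg, "keyStorePassword").toCharArray();
        KeyStore ks = load(require(cfg, "keyStore"), cfg.getProperty("keyStoreType", "PKCS12"), ksPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);

        // Trust manager: ONLY the private CA that issued the server certificate. The JVM's
        // public root store is not consulted, so no public CA can vouch for this host.
        KeyStore ts = load(require(cfg, "trustStore"), cfg.getProperty("trustStoreType", "JKS"),
                require(cfg, "trustStorePassword").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    private static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    private static String require(Properties cfg, String key) {
        String v = cfg.getProperty(key);
        if (v == null) throw new IllegalArgumentException("missing property: " + key);
        return v;
    }

    // pgjdbc sends the SSLRequest packet on a plain socket and then asks the factory to wrap it,
    // so this overload is the one that matters; the rest simply delegate.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
        return delegate.createSocket(addr, port, localAddr, localPort);
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** Connects and asks the server whether this session really is TLS (assumes PostgreSQL 9.5+). */
    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty("user", "gabriel");                          // assumed role: must match the cert CN or a pg_ident map
        props.setProperty("ssl", "true");
        props.setProperty("sslfactory", ClientCertSslFactory.class.getName());
        props.setProperty("sslfactoryarg", "/etc/myapp/pgssl.properties"); // assumed path
        props.setProperty("sslmode", "verify-full");                   // newer drivers: also verify the host name
        try (Connection c = DriverManager.getConnection("jdbc:postgresql://db.example.com:5432/mydb", props);
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT current_user, ssl, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            rs.next();
            System.out.println("user=" + rs.getString(1) + " ssl=" + rs.getBoolean(2) + " cipher=" + rs.getString(3));
        }
    }
}
```

The properties file contains keystore passwords, so it needs the same file permissions as the PKCS#12 file itself; for `cert` authentication the server checks that the certificate CN equals the role name (or a pg_ident.conf mapping), which is why the user property is tied to the certificate above rather than free-form.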

Re: Client Certificate Authentication

From
Craig Ringer
Date:
On 03/16/2013 01:21 AM, "Gabriel E. Sánchez Martínez" wrote:
> I have a PostgreSQL database on a server.  For security reasons, all client access from outside the server is restricted to certificate mode, i.e. the client sends SSL certificates rather than a password.  Connecting with pgAdmin works well.  Is there a way of creating a Java application that connects to this database with certificates?  Any how-to guides, examples, or pointers on how to achieve this?
In most cases you can set the JSSE keystore and truststore properties to get Java to use an existing keystore and truststore with your private key and the server's public certificate installed. In particular, see:

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores

The keystore must be in JCEKS format. You can create it with keytool. Import the user's client certificate into it; you'll most likely have a pkcs#12 format cert (.p12 file) but you might instead have separate PEM format key and certs.

The truststore is optional and may be in JKS format if provided. If you don't provide a truststore the system wide SSL root certificate trust store for Java is used. That's fine unless your server is using a self-signed cert for the server, in which case you'll want to either add your private CA cert to the system truststore or specify your own truststore as a jvm system property.

If you cannot use the system properties for whatever reason then you need to provide your own SSLSocketFactory that uses the JSSE APIs to load a keystore and truststore.
--
Craig Ringer                   http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
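The keystore/truststore route Craig describes, as an added example that is not his code or pgjdbc's. It covers the "separate PEM key and certs" case: it builds the PKCS#12 keystore and the JKS truststore in Java (the same result as `openssl pkcs12 -export` followed by `keytool -importcert -trustcacerts`), checks that the key actually belongs to the certificate before writing anything, then sets the javax.net.ssl.* system properties (equivalent to the -D flags Craig refers to) and connects with ssl=true. Assumptions: the file names postgresql.key / postgresql.crt / root.crt in the working directory, an RSA key in unencrypted PKCS#8 PEM form, the placeholder password "changeit", the role "gabriel" and host db.example.com, and a driver whose default SSLSocketFactory is the JSSE default (true for drivers of the thread's era; current pgjdbc defaults to its own org.postgresql.ssl.LibPQFactory, which reads sslcert/sslkey/sslrootcert instead, so there you must select a factory that honours these properties via sslfactory).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Base64;
import java.util.Collection;
import java.util.Properties;

public class PemToJsseStores {

    /** Reads an unencrypted PKCS#8 PEM key ("BEGIN PRIVATE KEY"). The PKCS#1 form OpenSSL
     *  writes by default ("BEGIN RSA PRIVATE KEY") cannot be loaded by KeyFactory, so it is
     *  rejected with a conversion hint instead of failing later with an opaque error. */
    static PrivateKey readPkcs8Pem(String path) throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new GeneralSecurityException(path + ": not PKCS#8; convert with "
                    + "'openssl pkcs8 -topk8 -nocrypt -in old.key -out new.key'");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        return KeyFactory.getInstance("RSA").generatePrivate(spec);   // assumption: RSA key
    }

    /** Reads one or more PEM certificates (leaf plus intermediates, or a CA bundle). */
    static Certificate[] readPemCerts(String path) throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs =
                    CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    /** A key that does not match the certificate's public key would only fail at handshake time. */
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) {
        return ((RSAPrivateKey) key).getModulus()
                .equals(((RSAPublicKey) cert.getPublicKey()).getModulus());
    }

    /** PKCS#12 keystore: private key under alias "postgresql" with its certificate chain. */
    static void writeKeyStore(String keyPem, String certPem, String out, char[] pw)
            throws IOException, GeneralSecurityException {
        PrivateKey key = readPkcs8Pem(keyPem);
        Certificate[] chain = readPemCerts(certPem);
        if (!keyMatchesCert(key, chain[0])) {
            throw new GeneralSecurityException(keyPem + " does not match " + certPem);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                              // start from an empty store
        ks.setKeyEntry("postgresql", key, pw, chain);     // PKCS#12: key and store password must be equal
        try (OutputStream os = new FileOutputStream(out)) { ks.store(os, pw); }
    }

    /** JKS truststore holding only the private CA (or chain) that issued the server certificate. */
    static void writeTrustStore(String caPem, String out, char[] pw)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        Certificate[] cas = readPemCerts(caPem);
        for (int i = 0; i < cas.length; i++) {
            ts.setCertificateEntry("pgca" + i, cas[i]);
        }
        try (OutputStream os = new FileOutputStream(out)) { ts.store(os, pw); }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // placeholder; real passwords belong outside the source
        writeKeyStore("postgresql.key", "postgresql.crt", "client.p12", pw);
        writeTrustStore("root.crt", "truststore.jks", pw);

        // Same effect as passing -Djavax.net.ssl.keyStore=... etc. on the java command line.
        System.setProperty("javax.net.ssl.keyStore", "client.p12");
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", new String(pw));
        System.setProperty("javax.net.ssl.trustStore", "truststore.jks");   // replaces the JVM's public roots
        System.setProperty("javax.net.ssl.trustStorePassword", new String(pw));

        Properties props = new Properties();
        props.setProperty("user", "gabriel");   // assumed role: must equal the cert CN or map via pg_ident.conf
        props.setProperty("ssl", "true");       // assumes the driver's default factory is the JSSE default
        try (Connection c = DriverManager.getConnection("jdbc:postgresql://db.example.com:5432/mydb", props)) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

Setting javax.net.ssl.trustStore replaces, rather than extends, the JVM's default root store for every TLS connection in the process, which is the right scope for a dedicated database client but will break other outbound TLS in the same JVM; Craig's alternative of importing the private CA into the system-wide cacerts avoids that at the cost of trusting it process-wide.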