tags:
views: 42
answers: 1

We've built a JEE app in JBoss that exposes web services to external consumers. We want to secure these services so that we know who is making the web service invocations. We have a registration process that requires the consumers to upload their public key so that we can add it to our truststore. However, it is currently a manual process of using keytool from the command line to add them to the truststore.

This whole setup seems rather primitive. I don't like the idea of a truststore on the filesystem that is not part of the database. There must be an approach that lets you utilize the database to store the certs. Should I put the certs in a blob column, and roll my own custom TrustManager that pulls the public key out of the db and verifies the signature? Or is there some other generally implemented open-source solution to this problem?

A: 

Why don't you just store the PEM file in the database? It can be a BLOB or a text column.

Google's web app registration is a good example,

http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html#register

Look at step 4: Upload a security certificate.

ZZ Coder
I think it's more than the PEM though... I want the cert to be trusted even though it is self-signed. Currently we have to do this via keytool, which modifies the truststore locally, but then if I redeploy the app to another box the truststore doesn't come along if I forget. It's a truststore issue.
Kevin Pauli
You have to trust all the certificates you store in your database. Your provisioning system should take care of that. It's not a scalable solution to store self-signed certs in the truststore. If everyone uses self-signed certs, you end up having the whole DB in the truststore.
ZZ Coder
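The custom TrustManager the question sketches, written out as an added example (this is not code from the asker, the answerer, or JBoss). It assumes a hypothetical table `consumer_certs(consumer_id, sha256_fingerprint, cert_pem, enabled)` holding the PEM each consumer uploaded at registration, and a `javax.sql.DataSource` the application already has. Because a self-signed certificate has no issuer chain to validate, the trust decision is an exact match: the SHA-256 fingerprint of the certificate the client presents must be registered and enabled, and the stored DER bytes must equal the presented bytes. Nothing is loaded from the database except the one row being checked, which is what avoids the "whole DB in the truststore" problem raised in the comments.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.sql.DataSource;

/**
 * Added example: a database-backed X509TrustManager for client (consumer)
 * certificates. Table name, column names and the DataSource are assumptions,
 * not something from the original question or answer.
 */
public final class DatabaseTrustManager implements X509TrustManager {

    // Hypothetical schema: one row per registered consumer certificate.
    private static final String LOOKUP_SQL =
        "SELECT cert_pem FROM consumer_certs WHERE sha256_fingerprint = ? AND enabled = TRUE";

    private final DataSource dataSource;

    public DatabaseTrustManager(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        X509Certificate presented = chain[0];
        presented.checkValidity();                        // notBefore / notAfter
        byte[] presentedDer = presented.getEncoded();
        String fingerprint = sha256Hex(presentedDer);     // key used for the DB lookup

        X509Certificate registered = lookupByFingerprint(fingerprint);
        if (registered == null) {
            throw new CertificateException("certificate " + fingerprint + " is not registered or is disabled");
        }
        // Compare the full DER, not only the fingerprint, so a row can never vouch
        // for anything other than exactly the certificate that was uploaded.
        if (!MessageDigest.isEqual(registered.getEncoded(), presentedDer)) {
            throw new CertificateException("registered certificate does not match presented certificate");
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // This manager only authenticates consumers calling our services. Outbound
        // TLS from the same JVM should keep using the platform default trust manager.
        throw new CertificateException("DatabaseTrustManager validates client certificates only");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertised in the TLS CertificateRequest. Returning an empty list keeps the
        // registration table out of the handshake instead of sending it to every client.
        return new X509Certificate[0];
    }

    private X509Certificate lookupByFingerprint(String fingerprint) throws CertificateException {
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(LOOKUP_SQL)) {
            ps.setString(1, fingerprint);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                // CertificateFactory accepts the PEM text (BEGIN/END CERTIFICATE) directly.
                byte[] pem = rs.getString(1).getBytes(StandardCharsets.US_ASCII);
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem));
            }
        } catch (SQLException e) {
            throw new CertificateException("truststore lookup failed", e);
        }
    }

    /** Lower-case hex SHA-256 of the certificate's DER encoding; what keytool prints as the SHA-256 fingerprint, without colons. */
    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Builds an SSLContext that uses this manager for client authentication; km carries the server's own key. */
    public static SSLContext serverContext(KeyManager[] km, DataSource ds) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(km, new TrustManager[] { new DatabaseTrustManager(ds) }, null);
        return ctx;
    }
}
```

Two points a practitioner should keep in mind. First, "verifying the signature" of a self-signed certificate proves nothing about trust, since it was signed with its own key; the exact-match check above is the actual trust decision, and the registration process (who is allowed to upload, and whether the upload is tied to an authenticated account) is what makes it meaningful, which is the provisioning point made in the comments. Second, how the resulting SSLContext is wired into the JBoss connector is container- and version-specific and is not shown here; the empty `getAcceptedIssuers()` list also means some client key managers that choose a certificate by issuer may need to be told explicitly which certificate to send.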