views: 61
answers: 2

I just created a truststore with the java keytool (for server authentication of a server that does not have a CA cert). However, I just noticed something strange. I am starting my client like this:

java -Djavax.net.ssl.trustStore=<PATHSTUFF>/client.keystore -classpath <STUFF> Client

(Note: there is NOT a password specified)

The above call works.


However when I try this:

java -classpath <STUFF> Client

It does not work. (Obviously it does not work; it requires the truststore.)


I was expecting to need to pass in this option (but I did not):

-Djavax.net.ssl.trustStorePassword=mypass

Question: Do you not need a password to access a truststore? Is the password just for modification? What about a keystore?

A: 

If you do not specify a truststore, the default one is used instead. I assume you get an error saying that you'll need to specify a truststore in order to trust the host you request? The default truststore resides in $JAVA_HOME/lib/security/jssecacerts.

oeogijjowefi
Hi bfoo, yeah, I knew that is where it defaults; however, that does not answer my question. Clearly the default is not working and the one I specified is. My question is: in order to read a truststore, do you need a password? Is there a default password?
sixtyfootersdude
+1  A: 

The password is used to protect the integrity of a keystore. If you don't provide any store password, you can still read the contents of the keystore. The command keytool -list demonstrates this behavior (use it with an empty password).

Pascal Thivent
Huh, wow, that is very interesting. This is what it shows:

    Enter keystore password: <press enter do not enter pword>
    
    *****************  WARNING WARNING WARNING  *****************
    * The integrity of the information stored in your keystore  *
    * has NOT been verified!  In order to verify its integrity, *
    * you must provide your keystore password.                  *
    *****************  WARNING WARNING WARNING  *****************
sixtyfootersdude
@sixtyfootersdude Yes, the integrity is not checked but, still, you can access the keystore.
Pascal Thivent
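The behaviour described in the accepted answer (the store password guards integrity, not readability) can be reproduced from Java code rather than from keytool. The program below is an added example and is not code from the thread or from any of its participants. It assumes a JKS truststore such as the `client.keystore` from the question and its store password as command-line arguments; the class name `TrustStorePasswordDemo`, the helper names and the wrong-password literal are all made up for this illustration. It loads the same file three ways, then shows why the client in the question worked without `-Djavax.net.ssl.trustStorePassword`: JSSE's default trust manager loads the file named by `javax.net.ssl.trustStore` with a null password when no password property is set, which skips the integrity check but still yields the trusted certificates.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Loads a JKS truststore with no password, a wrong password and the right
 * password, then lets JSSE load it the way the client in the question does.
 *
 * Usage: java TrustStorePasswordDemo <path-to-client.keystore> <store-password>
 */
public class TrustStorePasswordDemo {

    /** Loads the store and returns its alias names; a null password skips the JKS integrity check. */
    static List<String> loadAliases(String path, char[] password) throws Exception {
        // Assumption: the file is a JKS store, the type keytool created by default when the question was asked.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<String> aliases = Collections.list(ks.aliases());
        for (String alias : aliases) {
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println("    " + alias + " -> " + cert.getSubjectX500Principal());
            }
        }
        return aliases;
    }

    /** Runs one load attempt and reports whether the JKS implementation accepted or refused it. */
    static String attempt(String label, String path, char[] password) {
        try {
            List<String> aliases = loadAliases(path, password);
            return label + ": loaded, " + aliases.size() + " entries";
        } catch (IOException e) {
            // JKS signals a failed integrity check (wrong password or tampered file) as an IOException
            // whose cause is an UnrecoverableKeyException; the contents are not exposed in that case.
            return label + ": refused (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": error (" + e + ")";
        }
    }

    /** Mirrors the client from the question: trustStore set, trustStorePassword deliberately left unset. */
    static int acceptedIssuersViaJsse(String path) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", path);
        System.clearProperty("javax.net.ssl.trustStorePassword"); // JSSE then loads with a null password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null -> use the javax.net.ssl.trustStore* system properties
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStorePasswordDemo <truststore> <store-password>");
            System.exit(2);
        }
        String path = args[0];
        System.out.println(attempt("no password   ", path, null));
        System.out.println(attempt("wrong password", path, "not-the-real-password".toCharArray()));
        System.out.println(attempt("right password", path, args[1].toCharArray()));
        System.out.println("JSSE (no trustStorePassword): " + acceptedIssuersViaJsse(path) + " trusted issuers");
    }
}
```

The first and third attempts list the same aliases; only the second is refused, because the integrity digest stored at the end of a JKS file is derived from the password and is checked only when a password is supplied. For a truststore that holds nothing but public certificates this is a reasonable trade-off, but it also means an unset `trustStorePassword` gives the client no protection against a modified truststore file, which is why the store's file permissions matter more than its password. Newer JDKs default to PKCS12 for new keystores, whose password handling differs from what is shown here.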