I can't believe I'm the only person to run up against this problem. I've been googling for hours and have not had any luck. The Java security documentation doesn't seem to address PKCS12 certificates thoroughly.
I am trying to set up Java for user-specific PKCS12 certificates. Among other things, this will be used so that, in Eclipse, I can access a Trac server that is authenticated via certificates. I am using the Trac Mylyn integration plugin for Eclipse.
Here is the setup:
- user home directories are at /home
- multiuser mount at /central
- each user has a personal certificate at: ~/user.p12
- password for personal certificates is: pass1234
- the user's password is stored in a 0400 file at ~/password.txt
- a read-only trust store for the CA is at: /central/ca.jks
- no password for the truststore
- JDK 1.6 installed at /central/jdk_1.6.0
- Eclipse 3.4 installed at /central/eclipse_3.4.0
- JAVA_HOME=/central/jdk_1.6.0
- JAVA_HOME is set to the JDK location because Eclipse needs this
- ECLIPSE_HOME=/central/eclipse_3.4.0
- JRE lives at $JAVA_HOME/jre
- each user has a ~/.java.policy file
- there is a trac server running at https://trac.internal/trac
- the trac server authenticates using certificates
Now, I want to be able to have each user simply modify some file that they own (like the ~/.java.policy file, for example), and be able to launch the central Eclipse application and access the Trac repository. Seems simple enough.
Right now, the only way I can get this to work is to edit the $ECLIPSE_HOME/eclipse.ini file and add
-Djavax.net.ssl.keyStore="/home/user/user.p12"
-Djavax.net.ssl.keyStoreType="PKCS12"
-Djavax.net.ssl.keyStorePassword="pass1234"
-Djavax.net.ssl.trustStore="/central/ca.jks"
Ok, that works, but there are two problems with it:
- Each user has to have their own Eclipse install. (or can Eclipse read that from a user file?)
- It is Eclipse-specific; I'd ultimately like to have this as a Java configuration.
Also, I remember from some time back that you can edit the $JAVA_HOME/jre/lib/security/java.security file and add
keystore=/home/user/user.p12
keystore.type=PKCS12
keystore.password=pass1234
truststore=/central/ca.jks
But Eclipse doesn't seem to pick that up. Could it be because my JAVA_HOME points to a JDK, and not the JDK's nested JRE?
I've seen the Java PKCS#11 Reference that references the following properties: keyStoreURL="NONE" keyStoreType="PKCS11" keyStorePasswordURL=some_pin_url
There was another reference I saw that said you could edit the ~/.java.policy file to include:
keyStore "file:///home/user/user.p12", "PKCS12", "SunJSSE";
keyStorePasswordUrl "file:///home/user/password.txt";
But that doesn't get picked up either. Maybe it actually does work and it's not getting read for the same reason the java.security file doesn't work, or maybe it just doesn't work at all.
Some system properties I've seen:
javax.net.ssl.keyStore="/home/user/user.p12"
javax.net.ssl.keyStoreType="PKCS12"
javax.net.ssl.keyStorePassword="password"
javax.net.ssl.keyStoreProvider="SunJSSE"
javax.net.ssl.trustStore="/home/user/ca.jks"
javax.net.ssl.trustStoreType="JKS"
javax.net.ssl.trustStorePassword=""
javax.net.ssl.trustStoreProvider="Sun"
So, right now, I guess I'm stuck with having each user have their own Eclipse install. I know it sounds like a complicated setup, but this shouldn't really have anything to do with Eclipse as far as the certificate setup goes... it's really a Java setup for user-specific certificates.
Any ideas?
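The javax.net.ssl.* system properties above can also be bypassed entirely by building an SSLContext in code from the same per-user files, which keeps the PKCS12 password out of the shared eclipse.ini. This is an added example, not code from the question or from the Trac/Mylyn plugin; it assumes the paths listed in the question (~/user.p12, ~/password.txt, /central/ca.jks) and is written in Java 6 syntax to match the JDK 1.6 in the setup.

```java
import java.io.*;
import java.security.*;
import java.util.Arrays;
import javax.net.ssl.*;

public final class UserSslContext {
    // First line of the 0400 password file, so the PIN never has to sit in eclipse.ini
    static char[] readPassword(String passwordFile) throws IOException {
        BufferedReader r = new BufferedReader(new FileReader(passwordFile));
        try {
            String line = r.readLine();
            return line == null ? new char[0] : line.trim().toCharArray();
        } finally {
            r.close();
        }
    }

    static KeyStore loadStore(String type, String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password); // null password: JKS loads but skips its integrity check
        } finally {
            in.close();
        }
        return store;
    }

    public static SSLContext build(String userP12, String passwordFile, String caJks)
            throws IOException, GeneralSecurityException {
        char[] pin = readPassword(passwordFile);
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadStore("PKCS12", userP12, pin), pin);   // user's client certificate + key
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadStore("JKS", caJks, null));             // password-less CA trust store
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(pin, '\0'); // scrub the password once the key manager holds the private key
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("user.home");
        SSLContext.setDefault(build(home + "/user.p12", home + "/password.txt", "/central/ca.jks"));
        System.out.println("client certificate and CA trust store loaded for " + home);
    }
}
```

SSLContext.setDefault() makes the context the process-wide default for HttpsURLConnection, so anything in the same JVM that uses the default context presents the user's certificate and trusts only /central/ca.jks.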