
How to create SSL socket connection with a custom trusted key store

Question:

I dynamically add trusted certificates to Tomcat's trustedKeyStore. How can I make them effective without restarting Tomcat? Basically, I want to force the JVM to re-read the list of trusted keys.

Answer:

You need to create your own custom SSLSocketFactory, which uses a customized SSLContext. In the example below, I created a custom SSLContext where I specify both the keystore and the trusted key store.
You may need to specify only the custom trust manager. In that case, replace

    context.init(kms, tms, null);

with

    context.init(null, tms, null);

import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustClient {

    // Keystore file and password. In this example the same file supplies both
    // the client's own key (key managers) and the trusted certificates (trust managers).
    static final String TRUSTED_KEYSTORE = "/etc/ssl/trusted_keys.keystore";
    static final String trustStorePassword = "secret";

    // Key managers: present the client's own certificate if the server requests one.
    protected static KeyManager[] getKeyManagers() throws IOException, GeneralSecurityException {
        String alg = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);

        KeyStore ks = KeyStore.getInstance("jks");
        try (FileInputStream fis = new FileInputStream(TRUSTED_KEYSTORE)) {
            ks.load(fis, trustStorePassword.toCharArray());
        }

        kmFact.init(ks, trustStorePassword.toCharArray());
        return kmFact.getKeyManagers();
    }

    // Trust managers: accept only server certificates that chain to an entry in this
    // store, instead of the JVM's default cacerts file.
    protected static TrustManager[] getTrustManagers() throws IOException, GeneralSecurityException {
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmFact = TrustManagerFactory.getInstance(alg);

        KeyStore ks = KeyStore.getInstance("jks");
        try (FileInputStream fis = new FileInputStream(TRUSTED_KEYSTORE)) {
            ks.load(fis, trustStorePassword.toCharArray());
        }

        tmFact.init(ks);
        return tmFact.getTrustManagers();
    }

    protected static SSLSocketFactory getSSLSocketFactory() throws IOException, GeneralSecurityException {
        TrustManager[] tms = getTrustManagers();
        KeyManager[] kms = getKeyManagers();

        // "TLS" selects the current TLS versions; the legacy "SSL" protocol name is deprecated.
        SSLContext context = SSLContext.getInstance("TLS");
        // Pass null instead of kms if only the custom trust store is needed.
        context.init(kms, tms, null);
        return context.getSocketFactory();
    }

    //
    // main code
    //
    public static void main(String[] args) throws Exception {
        String IP_Address = args[0];   // host name or IP address to connect to

        SSLSocketFactory socketFactory = getSSLSocketFactory();
        SSLSocket clientSocket = (SSLSocket) socketFactory.createSocket(IP_Address, 443);

        // createSocket() validates the certificate chain but not the peer name; enable
        // endpoint identification so the certificate must actually be issued for IP_Address.
        SSLParameters params = clientSocket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        clientSocket.setSSLParameters(params);
        clientSocket.startHandshake();
        clientSocket.close();
    }
}
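The question asks how to make a certificate that was just added to the trust store effective without restarting the JVM. Building on the TrustManagerFactory pattern above, the following added example (not code from the original article; the class name ReloadingTrustManager and its methods are my own) wraps the JSSE trust manager and rebuilds it from the file whenever the file's modification time changes, so new trusted entries are used on the next handshake. It assumes a JKS or PKCS12 trust store at the given path and Java 7 or later.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ReloadingTrustManager implements X509TrustManager {
    private final Path trustStorePath;
    private final char[] password;
    private long loadedMtime = -1;       // mtime of the store currently in use
    private X509TrustManager delegate;   // JSSE trust manager built from that store

    public ReloadingTrustManager(Path path, char[] pw) throws Exception {
        trustStorePath = path;
        password = pw;
        current();                       // fail at construction if the store is unreadable
    }

    // Rebuild the delegate only when the file changed. loadedMtime is set after a successful load,
    // so a half-written store makes handshakes fail instead of silently keeping stale trust.
    private synchronized X509TrustManager current() throws Exception {
        long mtime = Files.getLastModifiedTime(trustStorePath).toMillis();
        if (mtime != loadedMtime) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(trustStorePath)) { ks.load(in, password); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            delegate = (X509TrustManager) tmf.getTrustManagers()[0];
            loadedMtime = mtime;
        }
        return delegate;
    }
    private X509TrustManager currentOrFail() throws CertificateException {
        try { return current(); } catch (Exception e) { throw new CertificateException("trust store reload failed", e); }
    }
    // The JSSE delegate does the real chain validation; this class only decides which store it reads.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { currentOrFail().checkServerTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { currentOrFail().checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { try { return current().getAcceptedIssuers(); } catch (Exception e) { return new X509Certificate[0]; } }

    // SSLContext whose trust decisions follow the file, so no JVM restart is needed after adding a cert.
    public static SSLContext newContext(Path trustStore, char[] pw) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(trustStore, pw) }, null);
        return ctx;
    }
}
```

This applies wherever you can supply your own SSLContext, as with the socket factory in the answer above.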


Comments:

2015-02-01, 00:45:27
anonymous from Germany  
Articles like this make life so much simpler.
2015-02-02, 06:49:22
anonymous from Lebanon  
Awesome! This works for me! I didn't know how to create my own keyotsre.cer and you give me the answer with this statement:
keytool -export -alias tomcat -file keyotsre.cer -storepass password
Thank you, Lks