Re: JDBC with SSL

On 12/05/2011 04:48 AM, Walter Hurry wrote:
> On Sun, 04 Dec 2011 20:09:09 +0100, Florent Guillaume wrote:
>
>> Hi,
>>
>> You have to install the certificate in the Java keystore using
>> "keytool". See
>> http://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html for
>> a quick overview.
>> A more detailed doc is at
>> http://docs.oracle.com/javaee/1.4/tutorial/doc/Security6.html
>>
>> Florent
>>
>> On Sun, Dec 4, 2011 at 5:40 PM, Walter Hurry<walterhurry(at)lavabit(dot)com>
>> wrote:
>>> First of all, I am sorry if this is the wrong place to ask. If it is,
>>> perhaps someone could direct me to the right arena.
>>>
>>> This is PostgreSQL 9.0.1 with PostgreSQL JDBC 9.1.901.
>>>
>>> I have successfully set up one of my databases to require SSL
>>> connections with a certificate, and installed a certificate into
>>> $HOME/.postgresql. That directory contains postgresql.crt,
>>> postgresql.key and root.crt.
>>>
>>> I can connect successfully using psql and libpq applications. The
>>> connection is also rejected properly if I move the certificate out of
>>> the way.
>>>
>>> Now I am trying to connect using JDBC and SSL from a Java application
>>> (JDBC is fine without SSL on another database). However, I am getting
>>> the following error:
>>>
>>> FATAL: connection requires a valid client certificate
>>>
>>> So it appears that somehow I need to "tell" Java where to find the
>>> client certificate. Any pointers as to how I do this please?
>>>
>>> By the way, since this is a self-signed certificate I have followed the
>>> instructions at<http://jdbc.postgresql.org/documentation/81/ssl-
>>> client.html>. These succeeded, but I am still getting the error.
>>>
>>> Thanks,
>>> Walter
> Thanks for the reply, Florent. I have followed the instructions yu
> mentioned carefully, and am now invoking the class with:
>
> java -Djava.security.manager -Djava.security.policy=clientpolicy
> <classname>
>
You don't need the SecurityManager enabled. You need the java.net.ssl
properties for keyStore, keyStorePassword and keyStoreType set to point
to your JECKS keystore, and need trustStore, trustStorePassword and
trustStoreType set to point to the keystore you imported the database's
certificate into, which is probably the same store in your case.

Alternately, you can use the custom certificate manager class posted on
this mailing list a while ago to manage key and trust store lookup from
your own stores at runtime.

--
Craig Ringer