Thanks a lot for these explanations, we're going to try this right now; it could be good to add this explanation in the SSL chapter in the "Restlet in Action" book (up to now only the server side aspect is processed)...

Best regards
Xavier

ps: yes, it was keytool -genkey, which became genkey under my fingers :)

2010/8/25 Bruno Harbulot <bruno.harbu...@manchester.ac.uk>

> On 25/08/10 13:53, Xavier Méhaut wrote:
> > Hi Bruno,
> > Actually our architecture is the following:
> > A PC runs a restlet server locally (without a servlet container); the
> > resources served by this server call themselves other restlets which are
> > located into another restlet server on another PC, but this restlet
> > server one is hosted in Tomcat with SSL set up.
> > The problem occurs when trying to call these remote restlets from the
> > first PC.
> > SSL is managed by tomcat and the certificate has been generated by java
> > keygen.
>
> Ah, this makes sense. When you say "the certificate has been generated
> by java keygen", presumably, you haven't sent the certificate request to
> a Certification Authority, so you're effectively using a self-signed
> certificate on your Tomcat server (presumably, you meant "keytool"
> instead of "keygen" too?).
> There's nothing wrong with that (although this could become an issue if
> you expect other clients to connect). However, for the client to be able
> to connect, you need to tell it to trust your server's certificate
> explicitly. This means that the trust store you're using on the client
> side needs to contain this self-signed certificate.
>
> The default trust store in Java is usually in
> $JAVA_HOME/lib/security/cacerts (and the default password is "changeme").
> I wouldn't necessarily modify that file, but you can take a copy of it
> and import the certificate you've generated on the server into it.
>
> * On the server:
>
> 1. Find the alias you need from the keystore (otherwise, the default
> will be "mykey"):
> keytool -list -keystore keystore.jks
>
> You should see a list like this:
> Certificate fingerprint (MD5):
> 5B:91:3D:BB:A7:0D:04:F9:92:A0:79:0E:EA:30:45:6A
> the alias name, 25-Aug-2010, PrivateKeyEntry,
>
> 2. Export the certificate:
> keytool -exportcert -keystore keystore.jks -alias "the alias name"
> -file servercert.der
>
> (Note that you only export the certificate here, not the private key,
> which is not to be distributed.)
>
> * On the client:
>
> 1. It's not strictly required, but I would copy
> $JAVA_HOME/lib/security/cacerts to a file that doesn't affect the whole
> system, let's say "mycacerts.jks".
>
> 2. Import the server certificate into that store:
> keytool -importcert -keystore mycacerts.jks -trustcacerts -file
> servercert.der
>
> (Optionally, use '-alias "some alias name"' if you want it to be easier
> to identify later on in the list. I'd go for the host name there, but
> it's just an internal indication in the store.)
>
> 3. Configure your Restlet client to use that as a trust store.
>
> If you think it's a good idea to use this as a trust store across
> everything that runs within that JVM, you can use the
> javax.net.ssl.trustStore properties.
>
> Otherwise, you can set it on a per-connector basis, using the Context
> parameters:
> parameters.add("truststorePath", "<path>mycacerts.jks");
> parameters.add("truststorePassword", "password");
> // parameters.add("truststoreType", "JKS");
>
> Best wishes,
>
> Bruno.
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651208

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2651213
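As an added example (not code from this thread or from the Restlet project), the Java class below performs the client-side steps 2 and 3 of Bruno's procedure programmatically: it imports the exported servercert.der into the private copy mycacerts.jks through the JDK KeyStore API (only the public certificate, never a private key), then gives a single Restlet HTTPS connector that trust store via the truststorePath/truststorePassword/truststoreType parameters so the rest of the JVM keeps its default trust settings. File names follow the thread; the store password, the alias and the host name are placeholders to replace.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Protocol;
import org.restlet.resource.ClientResource;

public class TrustSelfSignedServer {
    // Assumed file names, matching the thread: the DER certificate exported on the
    // server and a private copy of the JDK's cacerts (never the system-wide file).
    static final String SERVER_CERT = "servercert.der";
    static final String TRUST_STORE = "mycacerts.jks";
    // Placeholder: use the password of your cacerts copy.
    static final char[] STORE_PASSWORD = "PLACEHOLDER-password".toCharArray();

    /** Programmatic equivalent of "keytool -importcert": adds only the public
     *  certificate as a trusted entry; no private key is read or stored. */
    static void importServerCert(String alias) throws Exception {
        Certificate cert;
        try (FileInputStream in = new FileInputStream(SERVER_CERT)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ts.load(in, STORE_PASSWORD);
        }
        ts.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(TRUST_STORE)) {
            ts.store(out, STORE_PASSWORD);
        }
    }

    /** Per-connector trust store, as in Bruno's Context-parameter snippet. */
    static Client httpsClient() {
        Client client = new Client(new Context(), Protocol.HTTPS);
        client.getContext().getParameters().add("truststorePath", TRUST_STORE);
        client.getContext().getParameters().add("truststorePassword", new String(STORE_PASSWORD));
        client.getContext().getParameters().add("truststoreType", "JKS");
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; Bruno suggests the host name as the alias.
        importServerCert("tomcat-host.example");
        ClientResource resource = new ClientResource("https://tomcat-host.example:8443/resource");
        resource.setNext(httpsClient()); // route this resource through the trusting connector
        System.out.println(resource.get().getText());
    }
}
```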