Mailing Lists: Apple Mailing Lists


Re: RMI over SSL on Mac OS X 10.4 with Java 5



Scott Kovatch wrote:

On Nov 3, 2005, at 9:38 PM, Michael Hall wrote:


On Nov 3, 2005, at 8:03 PM, Scott Kovatch wrote:


So, in your case, I would check to see that I'm on Mac OS X, and if so set those two properties.  You could also check for that property first, because we do support file-based keystores, but don't use them by default.  But, I wouldn't rely solely on that property being set.


I should have remembered the sometimes use of the keychain from an earlier list thread. I can see where there could be advantages in using the usual platform provided applications/utilities/whatever to manipulate your files if you choose to use them. But what is the advantage of having these the default over the more cross-platform alternatives?

It's a better user experience for the user. The idea is that we don't want to tell people that if you need to get rid of a certificate or otherwise do something with it, you need to go to Terminal, and type 'cd ~/Library/....', or run a special, Java-only application to manage things. We want one place to store certificates in Mac OS X -- that's the keychain. Also, Safari will accept a certificate directly into your keychain, not your Java keystore. If Java needs to use that certificate, you're out of luck.

There are definitely scenarios in which you could build a keystore on one platform and then distribute it to all of your end users, and we support that in the plugin.  But that's not the typical case. (Not that signed applets and SSL connections are typical to begin with...)

Scott


Well, that suggestion to check the apple keychain worked for me.  Thanks!  Here is the code I used in case anyone else is interested.  Tom

private static final String BROWSER_KEYSTORE_PROP_NAME = "deployment.user.security.trusted.certs",
                                    JAVA_KEYSTORE_PROP_NAME = "javax.net.ssl.trustStore",
                                    JAVA_KEYSTORE_TYPE_PROP_NAME = "javax.net.ssl.trustStoreType",
                                    JAVA_KEYSTORE_PROVIDER_PROP_NAME = "javax.net.ssl.trustStoreProvider",
                                    APPLE_KEYSTORE_TYPE = "KeychainStore",
                                    APPLE_KEYSTORE_PROVIDER = "Apple",
                                    APPLE_OS_NAME = "mac os x",
                                    TRUSTED_CERT_LOCATION_GUESS = "/Application Data/Sun/Java/Deployment/security/trusted.certs",
                                    TRUSTED_CERT_LOCATION_GUESS_SLASH = "/";

    private static void activateSSL(){
        // If application is running with Java Web Start or as an Applet then this
        // deployment property may point to the location of the file containing the
        // user's trusted certificates.
       
        String keyStoreName = System.getProperty(BROWSER_KEYSTORE_PROP_NAME,"");
        boolean usedDeploymentProperty = true;

        // else we have to guess at the location of the trusted.certs file.
        // - may only work on Windows under Java 1.5
        if (keyStoreName.length() == 0) {
            usedDeploymentProperty = false;
            String fileSep = System.getProperty("file.separator","\\");
            String userHome = System.getProperty("user.home","");

            // Convert the '/' separators in the guessed path to the platform
            // separator. String.replace makes a single pass, so this also
            // terminates when the separator is already '/' (Mac OS X, Unix),
            // where a find-and-replace loop on '/' would never finish.
            keyStoreName = (userHome + TRUSTED_CERT_LOCATION_GUESS)
                               .replace(TRUSTED_CERT_LOCATION_GUESS_SLASH, fileSep);
        }
       
       
        if (new File(keyStoreName).exists()) {
            System.setProperty(JAVA_KEYSTORE_PROP_NAME, keyStoreName);
            SchedulingClient.printMessage("Trusted Cert file location set to: " + keyStoreName);
           
        } else {
            String osName = System.getProperty("os.name","");
            SchedulingClient.printMessage("OS Name: " + osName);
           
            // os.name is reported as "Mac OS X", so lower-case it before
            // comparing against the lower-case APPLE_OS_NAME prefix.
            if (osName.toLowerCase().startsWith(APPLE_OS_NAME))
            {
                SchedulingClient.printMessage("Detected Apple OS.  Using Applet SSL parameters");
                System.setProperty(JAVA_KEYSTORE_TYPE_PROP_NAME,APPLE_KEYSTORE_TYPE);
                System.setProperty(JAVA_KEYSTORE_PROVIDER_PROP_NAME,APPLE_KEYSTORE_PROVIDER);
               
            } else {
                SchedulingClient.printMessage("Warning: Key Store: " + keyStoreName + " does NOT exist");
                SchedulingClient.printMessage("Key Store deployment property was " + (usedDeploymentProperty?"not blank":"blank"));
            }
        }

        //  setSocketFactory throws an exception from applet in Mozilla Firefox: "factory already defined".
        //  Works in IE 6.0 under Windows XP sp2 and works with Web Start under Windows and Mac OS X
       
        try {
            SchedulingClient.printMessage("Setting RMI Factory");
            java.rmi.server.RMISocketFactory.setSocketFactory(new SecureRMISocketFactory());
            SchedulingClient.printMessage("SSL initiated");
        } catch(Exception e) {
            SchedulingClient.printMessage("Unable to set socket factory: " +
                                           e.getClass().getName() +
                                           "  " + e.getMessage());
            Debug.println(e);
            // keep going in case we already set the SecureRMISocketFactory within this VM
        }
       
    }
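
A start-up check that could run after the properties above are set and before the RMI socket factory is installed, so that a trust store which cannot be opened or holds no certificates is reported immediately rather than as a later handshake failure. This is an added example, not code from the original post; the class name TrustStoreCheck and the method countTrustedCerts are hypothetical, and it reads only the standard javax.net.ssl.* system properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

public class TrustStoreCheck {

    /**
     * Opens the trust store named by the javax.net.ssl.* system properties and
     * returns how many certificate entries it holds. Throws if it cannot be opened.
     */
    static int countTrustedCerts() throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String provider = System.getProperty("javax.net.ssl.trustStoreProvider");
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] password = (pw == null) ? null : pw.toCharArray();

        KeyStore ks = (provider == null)
                ? KeyStore.getInstance(type)
                : KeyStore.getInstance(type, provider);

        if (path == null || path.length() == 0) {
            // No file: correct for the keychain-backed store. For a file-based
            // type this yields an empty store, which the count below exposes.
            ks.load(null, password);
        } else {
            // For a JKS file a null password skips the integrity check
            // but the certificates are still read.
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }

        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) count++;
        }
        return count;
    }

    public static void main(String[] args) {
        try {
            int n = countTrustedCerts();
            System.out.println("Trust store opened, certificate entries: " + n);
            if (n == 0) System.out.println("Warning: no trusted certificates; SSL handshakes will fail");
        } catch (Exception e) {
            System.out.println("Trust store could not be opened: " + e);
        }
    }
}
```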
